feat: generate SBOM via kubernetes-sigs/bom (#69)

As blackduck is still not stable - let's generate the SBOM with `kubernetes-sigs/bom`
mercedes-benz · Jan 18, 2024 · 085265a · 085265a
1 parent a01dea9
commit 085265a
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 0 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -31,3 +31,11 @@ jobs:
 
       - name: make test
         run: make test
+
+      - name: make sbom
+        run: make sbom
+
+      - uses: actions/upload-artifact@v3
+        with:
+         name: sbom 
+         path: tmp/garm-operator.bom.spdx
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -48,6 +48,9 @@ jobs:
       #     BLACKDUCK_PROJECT_NAME: ${{ secrets.BLACKDUCK_PROJECT_NAME }}
       #     BLACKDUCK_TOKEN: ${{ secrets.BLACKDUCK_TOKEN }}
 
+      - name: SBOM
+        run: make sbom
+
       - name: release
         run: make release
         env:

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -61,6 +61,7 @@ release:
     - glob: tmp/garm_operator_all.yaml
     - glob: tmp/garm_operator_crds.yaml
     - glob: tmp/garm_operator.yaml
+    - glob: tmp/garm-operator.bom.spdx
     # - glob: tmp/3RD_PARTY_LICENSES.txt
     # - glob: tmp/BlackDuck_RiskReport.pdf
   header: |

diff --git a/Makefile b/Makefile
@@ -127,6 +127,16 @@ deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
 	$(KUSTOMIZE) build config/default | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f -
 
+##@ SBOM
+
+.PHONY: sbom
+sbom: kbom sbom-generate
+
+.PHONY: sbom-generate
+sbom-generate: kbom ## Generate SBOM
+	mkdir -p tmp
+	$(KBOM) generate --output tmp/garm-operator.bom.spdx --format json .
+
 ##@ Release
 
 .PHONY: release
@@ -160,6 +170,7 @@ MDTOC ?= $(LOCALBIN)/mdtoc
 SLICE ?= $(LOCALBIN)/kubectl-slice
 NANCY ?= $(LOCALBIN)/nancy
 GOVULNCHECK ?= $(LOCALBIN)/govulncheck
+KBOM ?= $(LOCALBIN)/bom
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.0.1
@@ -170,6 +181,7 @@ GORELEASER_VERSION ?= v1.21.0
 MDTOC_VERSION ?= v1.1.0
 SLICE_VERSION ?= v1.2.6
 NANCY_VERSION ?= v1.0.42
+KBOM_VERSION ?= v0.5.1
 
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading.
@@ -233,6 +245,12 @@ $(GOVULNCHECK): $(LOCALBIN)
 	test -s $(LOCALBIN)/govulncheck || \
 	GOBIN=$(LOCALBIN) go install golang.org/x/vuln/cmd/govulncheck@latest
 
+.PHONY: kbom
+kbom: $(KBOM) ## Download nancy locally if necessary. If wrong version is installed, it will be overwritten.
+$(KBOM): $(LOCALBIN)
+	test -s $(LOCALBIN)/bom && $(LOCALBIN)/bom version | grep -q $(KBOM_VERSION) || \
+	GOBIN=$(LOCALBIN) go install sigs.k8s.io/bom/cmd/bom@$(KBOM_VERSION)
+
 ##@ Lint / Verify
 .PHONY: lint
 lint: $(GOLANGCI_LINT) ## Run linting.