From 085265a004d058f6ba8665e374cdaba824315af0 Mon Sep 17 00:00:00 2001 From: Mario Constanti Date: Thu, 18 Jan 2024 11:02:36 +0100 Subject: [PATCH] feat: generate SBOM via kubernetes-sigs/bom (#69) As blackduck is still not stable - let's generate the SBOM with `kubernetes-sigs/bom` --- .github/workflows/build.yml | 8 ++++++++ .github/workflows/release.yml | 3 +++ .goreleaser.yaml | 1 + Makefile | 18 ++++++++++++++++++ 4 files changed, 30 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 520407b1..85a7415f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -31,3 +31,11 @@ jobs: - name: make test run: make test + + - name: make sbom + run: make sbom + + - uses: actions/upload-artifact@v3 + with: + name: sbom + path: tmp/garm-operator.bom.spdx diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4050495a..886ede7d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -48,6 +48,9 @@ jobs: # BLACKDUCK_PROJECT_NAME: ${{ secrets.BLACKDUCK_PROJECT_NAME }} # BLACKDUCK_TOKEN: ${{ secrets.BLACKDUCK_TOKEN }} + - name: SBOM + run: make sbom + - name: release run: make release env: diff --git a/.goreleaser.yaml b/.goreleaser.yaml index c76b24f2..a52504b0 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -61,6 +61,7 @@ release: - glob: tmp/garm_operator_all.yaml - glob: tmp/garm_operator_crds.yaml - glob: tmp/garm_operator.yaml + - glob: tmp/garm-operator.bom.spdx # - glob: tmp/3RD_PARTY_LICENSES.txt # - glob: tmp/BlackDuck_RiskReport.pdf header: | diff --git a/Makefile b/Makefile index b19caa4e..92715dfd 100644 --- a/Makefile +++ b/Makefile 
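Review bot: The new `actions/upload-artifact@v3` step is pinned to a mutable major tag, which is the weakest form of pinning for a change whose purpose is supply-chain transparency; pin it to a full commit SHA and keep the tag as a comment, `- uses: actions/upload-artifact@<full 40-char sha> # v3`. The uploaded `sbom` artifact carries no signature or attestation and no `retention-days`, so on its own it proves little about what was built; if a verifiable SBOM is the goal, the release job is where it needs to be signed or attested. Whether this job restricts `permissions:` is outside the hunk.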
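Review bot: The new `SBOM` step runs `make sbom` before `make release`, and the Makefile recipe in this patch invokes `bom generate … .` on the working tree, so the document describes the checked-out source module rather than the binaries or container image that goreleaser builds afterwards; either generate it after the build from the produced artifacts, or make the scope explicit in the step name, e.g. `- name: SBOM (source tree)`. Nothing in this hunk signs the SBOM, so unless the release job or goreleaser config signs assets elsewhere, a downloader cannot tell a tampered SBOM from the real one. The surrounding job definition (permissions, environment) is outside the hunk.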
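Review bot: Adding `tmp/garm-operator.bom.spdx` under `release.extra_files` publishes the SBOM as a release asset without, as far as this hunk shows, covering it by the release checksum file or a signature; goreleaser's `checksum:` section has its own `extra_files` list, so unless that is configured elsewhere in the file the SBOM would be the one asset consumers cannot verify. Consider adding `checksum:` / `extra_files:` / `- glob: tmp/garm-operator.bom.spdx` and, if the config has a `signs:` block, including the SBOM there. Since the pinned goreleaser (`GORELEASER_VERSION ?= v1.21.0` in the Makefile context) also supports a native `sboms:` section that ties an SBOM to each built artifact, that may be the simpler route to a verifiable SBOM — worth confirming against the rest of `.goreleaser.yaml`, which is not in the hunk.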
@@ -127,6 +127,16 @@ deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. $(KUSTOMIZE) build config/default | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f - +##@ SBOM + +.PHONY: sbom +sbom: kbom sbom-generate + +.PHONY: sbom-generate +sbom-generate: kbom ## Generate SBOM + mkdir -p tmp + $(KBOM) generate --output tmp/garm-operator.bom.spdx --format json . + ##@ Release .PHONY: release @@ -160,6 +170,7 @@ MDTOC ?= $(LOCALBIN)/mdtoc SLICE ?= $(LOCALBIN)/kubectl-slice NANCY ?= $(LOCALBIN)/nancy GOVULNCHECK ?= $(LOCALBIN)/govulncheck +KBOM ?= $(LOCALBIN)/bom ## Tool Versions KUSTOMIZE_VERSION ?= v5.0.1 @@ -170,6 +181,7 @@ GORELEASER_VERSION ?= v1.21.0 MDTOC_VERSION ?= v1.1.0 SLICE_VERSION ?= v1.2.6 NANCY_VERSION ?= v1.0.42 +KBOM_VERSION ?= v0.5.1 .PHONY: kustomize kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading. @@ -233,6 +245,12 @@ $(GOVULNCHECK): $(LOCALBIN) test -s $(LOCALBIN)/govulncheck || \ GOBIN=$(LOCALBIN) go install golang.org/x/vuln/cmd/govulncheck@latest +.PHONY: kbom +kbom: $(KBOM) ## Download nancy locally if necessary. If wrong version is installed, it will be overwritten. +$(KBOM): $(LOCALBIN) + test -s $(LOCALBIN)/bom && $(LOCALBIN)/bom version | grep -q $(KBOM_VERSION) || \ + GOBIN=$(LOCALBIN) go install sigs.k8s.io/bom/cmd/bom@$(KBOM_VERSION) + ##@ Lint / Verify .PHONY: lint lint: $(GOLANGCI_LINT) ## Run linting.
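Review bot: `sbom-generate` writes the output as `tmp/garm-operator.bom.spdx` while passing `--format json`; the bare `.spdx` extension conventionally denotes SPDX tag-value, so tools that select a parser by extension will misread the JSON document — name it `tmp/garm-operator.bom.spdx.json` and update the `.goreleaser.yaml` glob and the `upload-artifact` path in this same patch to match. The aggregate `sbom: kbom sbom-generate` repeats a prerequisite that `sbom-generate: kbom` already declares, so `sbom: sbom-generate` is sufficient. Because the recipe creates a real file under a phony target, Make will regenerate it on every invocation; if that is intended (the SBOM should track the current tree), a one-line comment saying so on the target would stop a later reader from "fixing" it into a file rule.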
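Review bot: The help text on the new `kbom` target is copied from the nancy rule and still says `## Download nancy locally if necessary`; it should read `## Download bom locally if necessary. If wrong version is installed, it will be overwritten.` The version check `$(LOCALBIN)/bom version | grep -q $(KBOM_VERSION)` is an unanchored substring match, so `v0.5.1` also accepts an installed `v0.5.10` or `v0.5.11` and silently skips the reinstall; `grep -qw "$(KBOM_VERSION)"`, or an anchored pattern once the exact output of `bom version` is known (not shown in this hunk), closes that gap. Installing with `go install sigs.k8s.io/bom/cmd/bom@$(KBOM_VERSION)` pins a git tag rather than a commit, which is acceptable here only because the Go checksum database records the module hash at that tag; that assumption holds as long as the job does not set `GONOSUMDB`/`GOFLAGS=-mod=mod` for this path, which is outside the hunk.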