[Implementation] Trivy scanning of keycloak java dependencies

idunbarh commented 1 month ago

Objective

Create a workflow that will generate an initial SBOM using Trivy thats based on keycloak source code.
Future work will add metadata, enrich this SBOM, and validate completeness

Recommendations

[ ] Create a .github/workflows/phase_1_keycloak.yml workflow file.
[ ] Do a shallow clone or download released source from latest keycloak release.

[ ] Generate both SPDX and CycloneDX SBOMs using trivy.

# Example commands
trivy fs keycloak/pom.xml   --skip-update --offline-scan --format cyclonedx --output sboms/trivy.java.cdx.json
trivy fs keycloak/pom.xml   --skip-update --offline-scan --format spdx-json --output sboms/trivy.java.spdx.json

[ ] "Stub" next stage to make it easy for the next person to help

Additional Actions

[ ] Determine how to scan all pom.xml files and not just top level
[ ] Determine what should happen with javascript dependencies

douglasdennis commented 3 weeks ago

If nobody has volunteered yet for this task then I'd like to throw my hat in the ring to complete it.

idunbarh commented 3 weeks ago

Thanks @douglasdennis! assigned the issue to you. Let us know if you need anything to assist.

vpetersson commented 3 weeks ago

@douglasdennis Great! I would recommend that we follow the same blueprint as outlined here so that they are consistent between examples. At least big picture.

CISA-SBOM-Community / SBOM-Generation