ortelius / ortelius

The mission of the Ortelius community is to expose weak links in the software supply chain by continuously gathering and analyzing software supply chain intelligence introduced across the DevOps pipeline and connected to your deployed environments.
https://ortelius.io
Apache License 2.0

Add CycloneDX SBOM to ortelius-ms-dep-pkg-cud #434

Closed sbtaylor15 closed 2 years ago

sbtaylor15 commented 2 years ago

As part of the Google Cloud Build we need to generate the SBOM/SPDX files and store them somewhere for reference. https://github.com/opensbom-generator/spdx-sbom-generator

sbtaylor15 commented 2 years ago

Add syft to our cloudbuild.yaml to produce the CycloneDX SBOM.

sbtaylor15 commented 2 years ago

We need to update the cloudbuild.yaml to run https://github.com/anchore/syft after the docker build has been completed. Syft should scan the docker image and produce a cyclone-dx json file. The cyclone-dx json file should be uploaded using the existing dh updatecomp command line call. This upload is done by adding the --deppkg 'cyclonedx@/workspace/cyclonedx.json' to the dh updatecomp parameters.

Update needed for microservice - ortelius-ms-dep-pkg-cud
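A cloudbuild.yaml sketch of the pipeline described in this comment (build, scan the built image with syft, upload the CycloneDX file with `dh updatecomp --deppkg`), added here as an illustration and not the project's own file. Image names, the dh builder image and every dh flag other than `--deppkg` are placeholders; the syft output syntax is the `-o <format>=<path>` form and is assumed to match the syft version in use.

```yaml
# Added example, not the ortelius-ms-dep-pkg-cud cloudbuild.yaml.
# Placeholders: image names, the dh builder image, and all dh flags except --deppkg.
steps:
  # 1. Build the microservice image; tag it with the commit so the SBOM can be
  #    tied back to an exact source revision.
  - name: 'gcr.io/cloud-builders/docker'
    id: build
    args: ['build', '-t', 'gcr.io/$PROJECT_ID/ortelius-ms-dep-pkg-cud:$SHORT_SHA', '.']

  # 2. Export the image to the shared /workspace volume so syft scans the exact
  #    artifact that was built and does not depend on access to the Docker socket.
  - name: 'gcr.io/cloud-builders/docker'
    id: save
    waitFor: ['build']
    args: ['save', '-o', '/workspace/image.tar',
           'gcr.io/$PROJECT_ID/ortelius-ms-dep-pkg-cud:$SHORT_SHA']

  # 3. Generate the CycloneDX JSON SBOM from the image archive.
  - name: 'anchore/syft:latest'   # assumed tag; pin to a digest in real use
    id: sbom
    waitFor: ['save']
    args: ['docker-archive:/workspace/image.tar',
           '-o', 'cyclonedx-json=/workspace/cyclonedx.json']

  # 4. Fail the build if the SBOM is missing or empty, rather than registering a
  #    component version with no dependency data.
  - name: 'gcr.io/cloud-builders/gcloud'
    id: check-sbom
    waitFor: ['sbom']
    entrypoint: 'bash'
    args: ['-c', 'test -s /workspace/cyclonedx.json && grep -q "\"bomFormat\"" /workspace/cyclonedx.json']

  # 5. Attach the SBOM to the component version. --deppkg is the flag named in
  #    the issue; the builder image and the remaining flags are placeholders for
  #    the existing updatecomp call.
  - name: 'DH_CLI_IMAGE_PLACEHOLDER'
    id: updatecomp
    waitFor: ['check-sbom']
    entrypoint: 'dh'
    args: ['updatecomp',
           '--deppkg', 'cyclonedx@/workspace/cyclonedx.json',
           'EXISTING_UPDATECOMP_PARAMETERS_PLACEHOLDER']
```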

hamidgholami commented 2 years ago

Hi @sbtaylor15, I have committed the changes in the deploy branch. https://github.com/ortelius/ortelius-ms-dep-pkg-cud/commit/029a64aec80caaf3ad0cb4d5066815a8e1d293de