whitesource-ps / ws-sbom-generator

WS SBOM Report Generator in SPDX or CycloneDX format
Apache License 2.0

[Question] [ws-sbom-generator] How to run the ws-sbom-generator task after ws scan task during CI #80

Open adubey8 opened 2 years ago

adubey8 commented 2 years ago

Question
Can you provide a YAML example for running the wss-unified-agent.jar agent to scan an artifact (published as a new project) and then running the SBOM generator to get all the dependencies? I am trying it as below, but I have the following question when following this approach: how do I obtain the project token from the wss-unified-agent scan so that it can be used by a subsequent command task to run ws_sbom_generator?

      # Download and run the unified agent
      - task: CmdLine@2
        displayName: Download the latest Unified Agent
        inputs:
          # Pulls the floating "latest" release; pin a release tag if the scan must be reproducible
          script: 'curl -LJO https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar'

      - task: CmdLine@2
        displayName: Run Unified Agent Scan
        inputs:
          script: 'java -jar wss-unified-agent.jar -c ./secure-supply-chain/wss.config -apiKey $(WHITE_SOURCE_API_KEY) -product STIC-cloud -project stic-security-sbom-01'

      - task: CmdLine@2
        displayName: Generate WhiteSource SPDX Report
        inputs:
          script: |
            export WS_URL=https://app-eu.whitesourcesoftware.com
            export WS_PROJECTTOKEN=VALUE   # the value this question asks how to obtain from the scan step
            echo WS_PROJECTTOKEN: $WS_PROJECTTOKEN
            export USERKEY=VALUE           # a credential: never echo it into the CI log
            export WS_ORG_TOKEN=VALUE
            echo === Installing WhiteSource SBOM Generator ===
            pip3 install ws_sbom_generator
            echo === Generating SBOM ===
            python3 -m ws_sbom_generator.sbom_generator -u $USERKEY -k $WS_ORG_TOKEN -s $WS_PROJECTTOKEN -a $WS_URL -t json -o ./whitesource-spdx


rammatzkvosky commented 2 years ago

Hi @adubey8 ,

I would recommend using one of the following WhiteSource API calls:

  1. getOrganizationProjectVitals

  2. Our Python SDK's get_scopes_from_name method

    import ws_sdk

    # Placeholder credentials; ws_conn is a WSApp connection to the organization
    ws_conn = ws_sdk.web.WSApp(url='https://app.whitesourcesoftware.com', user_key='123456789', token='987654321')
    project_token = ws_conn.get_scopes_from_name('project_name', token_type='project')  # look up the project scope by its name

In addition, please note that before running the "Generate WhiteSource SPDX Report" task, you will need to validate that the scan results were uploaded to the WhiteSource organization; otherwise the SBOM report might come back empty (mainly when the scanned project has a lot of data and it takes time to be processed by the WhiteSource application).

You can do so with the getRequestState API call, and you will need to retrieve the support_token for that. Here is a Python sample of such an implementation:

import logging
import sys
import time

import ws_sdk


def scan_with_unified_agent(dirs_to_scan):
    # Same placeholder credentials as above; ws_conn is the WSApp connection used to poll the upload state
    ws_conn = ws_sdk.web.WSApp(url='https://app.whitesourcesoftware.com', user_key='123456789', token='987654321')
    unified_agent = ws_sdk.web.WSClient(user_key='123456789', token='987654321', url='https://app.whitesourcesoftware.com')
    output = unified_agent.scan(scan_dir=dirs_to_scan, product_token='1a2b3c4d5f6g', project_token='d8ac08821aca430fa8b5e747aef32bdee0f559727ed94140a3a4d7943d68dbee')

    support_token = output[2]  # gets Support Token from scan output

    scan_status = True
    while scan_status:
        new_status = ws_conn.get_last_scan_process_status(support_token)
        logging.info(f"Scan data upload status: {new_status}")
        if new_status in ['UPDATED', 'FINISHED']:
            logging.info('scan upload completed')
            scan_status = False
        elif new_status in ['UNKNOWN', 'FAILED']:
            logging.warning('scan failed to upload...exiting program')
            sys.exit(1)
        else:
            time.sleep(10.0)  # not processed yet, poll again in 10 seconds
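The three steps described in the answer above (scan, wait until the upload has been processed, resolve the project token, then run the generator) wired together as one CI script. This is an added example, not code from the issue participants or from the ws-sbom-generator project. It uses the raw v1.3 JSON API rather than ws_sdk, reads credentials from environment variables so nothing is echoed into the job log, and treats the `-apiKey` passed to the agent as the organization token. The `/api/v1.3` endpoint, the `requestState` and `projectVitals` response fields and the `Support Token:` line in the agent output are assumptions about the WhiteSource API and agent, as are the `WS_*` variable names.

```python
"""Added example: scan, wait for the upload to be processed, resolve the project token, generate the SBOM."""
import json
import os
import re
import subprocess
import sys
import time
import urllib.request
from typing import Callable, Dict, List, Optional

# Assumed format of the line the Unified Agent prints at the end of a scan
SUPPORT_TOKEN_RE = re.compile(r"Support Token:\s*([0-9a-fA-F-]{8,})")
DONE_STATES = {"UPDATED", "FINISHED"}   # upload processed: the project can be queried
FAILED_STATES = {"UNKNOWN", "FAILED"}   # stop here instead of producing an empty SBOM


def parse_support_token(ua_output: str) -> Optional[str]:
    """Extract the Support Token from the agent's combined stdout/stderr, or None if absent."""
    match = SUPPORT_TOKEN_RE.search(ua_output)
    return match.group(1) if match else None


def wait_for_upload(fetch_state: Callable[[], str], poll_seconds: float = 10.0,
                    max_polls: int = 60, sleep: Callable[[float], None] = time.sleep) -> str:
    """Poll fetch_state() until a terminal state; raise on failure or timeout rather than continuing."""
    for _ in range(max_polls):
        state = fetch_state()
        if state in DONE_STATES:
            return state
        if state in FAILED_STATES:
            raise RuntimeError(f"scan upload ended in state {state}")
        sleep(poll_seconds)
    raise TimeoutError(f"scan upload not processed after {max_polls} polls")


def project_token_by_name(vitals: Dict, project_name: str) -> str:
    """Return the single token whose project name matches (assumed getOrganizationProjectVitals shape)."""
    tokens: List[str] = [p["token"] for p in vitals.get("projectVitals", []) if p.get("name") == project_name]
    if len(tokens) != 1:
        raise LookupError(f"expected exactly one project named {project_name!r}, found {len(tokens)}")
    return tokens[0]


def ws_api(ws_url: str, user_key: str, org_token: str, **fields) -> Dict:
    """POST one request to the v1.3 JSON API (endpoint and field names are assumptions)."""
    body = json.dumps({"userKey": user_key, "orgToken": org_token, **fields}).encode()
    req = urllib.request.Request(f"{ws_url.rstrip('/')}/api/v1.3", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read())


def main() -> int:
    # Secrets come from CI variables and are never printed
    ws_url, user_key = os.environ["WS_URL"], os.environ["WS_USER_KEY"]
    org_token = os.environ["WS_ORG_TOKEN"]
    product, project = os.environ["WS_PRODUCT"], os.environ["WS_PROJECT"]

    ua = subprocess.run(["java", "-jar", "wss-unified-agent.jar", "-c", "wss.config",
                         "-apiKey", org_token, "-product", product, "-project", project],
                        capture_output=True, text=True)
    support_token = parse_support_token(ua.stdout + ua.stderr)
    if ua.returncode != 0 or support_token is None:
        print("unified agent failed or printed no Support Token", file=sys.stderr)
        return 1

    wait_for_upload(lambda: ws_api(ws_url, user_key, org_token, requestType="getRequestState",
                                   requestToken=support_token)["requestState"])
    project_token = project_token_by_name(
        ws_api(ws_url, user_key, org_token, requestType="getOrganizationProjectVitals"), project)

    return subprocess.run([sys.executable, "-m", "ws_sbom_generator.sbom_generator",
                           "-u", user_key, "-k", org_token, "-s", project_token,
                           "-a", ws_url, "-t", "json", "-o", "./whitesource-spdx"]).returncode


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a single CmdLine task after `pip3 install ws_sbom_generator`, with `WS_URL`, `WS_USER_KEY`, `WS_ORG_TOKEN`, `WS_PRODUCT` and `WS_PROJECT` set from pipeline secrets. The poller raises instead of falling through so the pipeline fails loudly when the upload is rejected or never finishes, and the token lookup refuses ambiguous matches so a duplicated project name cannot silently pick the wrong project.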
rammatzkvosky commented 2 years ago

Hi @adubey8 , did my comment answer your question ?

patspaeth commented 2 years ago

Sorry to say, but this makes no sense because I did not find a way to generate on the project level... I would suggest #136