Generating the SBOM CycloneDX JSON for JAR file (#2)

Generating the SBOM CycloneDX JSON for a JAR file and sending it to Chainloop

---------
Signed-off-by: Daniel Liszka <daniel@chainloop.dev>
Daniel Liszka 2023-10-05 00:34:30 +02:00 committed by GitHub
parent 299e916257
commit 1446478510
2 changed files with 27 additions and 1 deletions


@ -2,3 +2,5 @@
attestation: attestation:
- name: binary - name: binary
path: artifacts/spring-petclinic-*.jar path: artifacts/spring-petclinic-*.jar
- name: sbom
path: metadata/sbom.cyclonedx.json
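Review bot: The new `sbom` material is added with nothing tying it to the `binary` material it describes, and the two are matched by different patterns: the binary is `artifacts/spring-petclinic-*.jar` while the SBOM in the workflow hunk is generated from `artifacts/*.jar`, so if the downloaded artifact ever holds more than one JAR the attestation could pair the SBOM with a file it was not generated from. Narrowing the sbom-action `file:` input in the workflow to the same `artifacts/spring-petclinic-*.jar` pattern keeps the two in step. A comment above the entry would also help readers of this file, e.g. `# CycloneDX SBOM of the binary material above, produced by the collect-metadata job`. Whether the server-side contract requires these exact material names cannot be confirmed from this page.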


@ -34,12 +34,36 @@ jobs:
name: artifacts name: artifacts
path: target/*.jar path: target/*.jar
collect-metadata:
runs-on: ubuntu-latest
name: "Security and Compliance Checks"
needs: build
steps:
- name: Download all workflow run artifacts
uses: actions/download-artifact@v3
- name: Generate metadata
run: |
mkdir -p metadata
- uses: anchore/sbom-action@v0
with:
file: artifacts/*.jar
format: cyclonedx-json
output-file: ./metadata/sbom.cyclonedx.json
upload-artifact: false
- uses: actions/upload-artifact@v3
with:
name: metadata
path: metadata/*
# Chainloop integration # Chainloop integration
# will run only if the build job is successful # will run only if the build job is successful
chainloop: chainloop:
name: Chainloop name: Chainloop
uses: chainloop-dev/labs/.github/workflows/chainloop.yml@a75dff2ef342a1e5c5e1ec5c42fb99f3d1bc03cb uses: chainloop-dev/labs/.github/workflows/chainloop.yml@a75dff2ef342a1e5c5e1ec5c42fb99f3d1bc03cb
needs: build needs: collect-metadata
# with: # with:
# contract_revision: 3 # contract_revision: 3
secrets: secrets: