Remove django-DefectDojo from git tracking and add XML BOM generation

Taofeeqib · Taofeeqib · commit 86034d56646d · 2025-09-07T19:35:58.000+02:00
diff --git a/.github/workflows/devsecops-pipeline.yml b/.github/workflows/devsecops-pipeline.yml
@@ -186,15 +186,21 @@ jobs:
       # Create docs/reports directory if it doesn't exist
       - name: Ensure docs/reports directory exists
         run: mkdir -p ./docs/reports
+        
+      # Generate SBOM using direct script
+      - name: Generate XML BOMs using script
+        run: |
+          chmod +x ./.github/workflows/scripts/bom_generate.sh
+          ./.github/workflows/scripts/bom_generate.sh
       
-      # Generate SBOM for Backend (API)
+      # Generate JSON SBOM for Backend (API)
       - name: Generate API SBOM with CycloneDX
         uses: CycloneDX/gh-node-module-generatebom@master
         with:
           path: './xss/api'
           output: './docs/reports/angular-xss-api-sbom.json'
       
-      # Generate SBOM for Frontend
+      # Generate JSON SBOM for Frontend
       - name: Generate Frontend SBOM with CycloneDX
         uses: CycloneDX/gh-node-module-generatebom@master
         with:
@@ -206,9 +212,12 @@ jobs:
         run: |
           # Create a directory for all SBOM files
           mkdir -p ./docs/reports/sbom
-          # Copy the generated SBOMs to this directory
+          # Copy the generated JSON SBOMs to this directory
           cp ./docs/reports/angular-xss-api-sbom.json ./docs/reports/sbom/
           cp ./docs/reports/angular-xss-frontend-sbom.json ./docs/reports/sbom/
+          # Copy the generated XML SBOMs to this directory if they exist
+          [ -f ./docs/reports/api-bom.xml ] && cp ./docs/reports/api-bom.xml ./docs/reports/sbom/
+          [ -f ./docs/reports/frontend-bom.xml ] && cp ./docs/reports/frontend-bom.xml ./docs/reports/sbom/
           
       - name: Upload SBOM as artifact
         uses: actions/upload-artifact@v4
diff --git a/.github/workflows/scripts/bom_generate.sh b/.github/workflows/scripts/bom_generate.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Script to generate CycloneDX BOMs for API and Frontend
+echo "===== Generating CycloneDX BOMs for Angular XSS ====="
+
+# Create reports directory
+mkdir -p ./docs/reports
+
+# Generate BOM for API
+echo "Generating BOM for API..."
+cd ./xss/api
+npm install
+npm install -g cyclonedx-bom
+cyclonedx-bom -o api-bom.xml
+cp api-bom.xml ../../docs/reports/
+echo "API BOM generated at docs/reports/api-bom.xml"
+
+# Generate BOM for Frontend
+echo "Generating BOM for Frontend..."
+cd ../frontend
+npm install
+cyclonedx-bom -o frontend-bom.xml
+cp frontend-bom.xml ../../docs/reports/
+echo "Frontend BOM generated at docs/reports/frontend-bom.xml"
+
+# Return to the project root
+cd ../..
+echo "===== BOM generation complete ====="
diff --git a/django-DefectDojo b/django-DefectDojo
diff --git a/import-to-defectdojo.sh b/import-to-defectdojo.sh
@@ -132,6 +132,42 @@ else
   echo "Frontend SBOM file not found or empty: $REPORTS_DIR/angular-xss-frontend-sbom.json"
 fi
 
+# Check for XML API SBOM
+if [ -f "$REPORTS_DIR/api-bom.xml" ] && [ -s "$REPORTS_DIR/api-bom.xml" ]; then
+  echo "Importing XML API SBOM report: $REPORTS_DIR/api-bom.xml"
+  IMPORT_RESPONSE=$(curl -s -X POST \
+    -H "Authorization: Token $API_TOKEN" \
+    -H "Content-Type: multipart/form-data" \
+    -F "file=@$REPORTS_DIR/api-bom.xml" \
+    -F "scan_type=CycloneDX" \
+    -F "engagement=$ENGAGEMENT_ID" \
+    -F "close_old_findings=false" \
+    -F "scan_date=$(date +"%Y-%m-%d")" \
+    "$DEFECTDOJO_URL/api/v2/import-scan/")
+  
+  echo "XML API SBOM Import response: $IMPORT_RESPONSE"
+else
+  echo "XML API SBOM file not found or empty: $REPORTS_DIR/api-bom.xml"
+fi
+
+# Check for XML Frontend SBOM
+if [ -f "$REPORTS_DIR/frontend-bom.xml" ] && [ -s "$REPORTS_DIR/frontend-bom.xml" ]; then
+  echo "Importing XML Frontend SBOM report: $REPORTS_DIR/frontend-bom.xml"
+  IMPORT_RESPONSE=$(curl -s -X POST \
+    -H "Authorization: Token $API_TOKEN" \
+    -H "Content-Type: multipart/form-data" \
+    -F "file=@$REPORTS_DIR/frontend-bom.xml" \
+    -F "scan_type=CycloneDX" \
+    -F "engagement=$ENGAGEMENT_ID" \
+    -F "close_old_findings=false" \
+    -F "scan_date=$(date +"%Y-%m-%d")" \
+    "$DEFECTDOJO_URL/api/v2/import-scan/")
+  
+  echo "XML Frontend SBOM Import response: $IMPORT_RESPONSE"
+else
+  echo "XML Frontend SBOM file not found or empty: $REPORTS_DIR/frontend-bom.xml"
+fi
+
 # Check for combined/old format SBOM as fallback
 if [ -f "$REPORTS_DIR/angular-xss-sbom.json" ] && [ -s "$REPORTS_DIR/angular-xss-sbom.json" ]; then
   echo "Importing combined SBOM report: $REPORTS_DIR/angular-xss-sbom.json"
diff --git a/verify-reports.sh b/verify-reports.sh
@@ -23,6 +23,8 @@ declare -a EXPECTED_REPORTS=(
     "dependency-check-*.sarif"
     "angular-xss-api-sbom.json"
     "angular-xss-frontend-sbom.json"
+    "api-bom.xml"
+    "frontend-bom.xml"
     "report_json.json"
     "report_xml.xml"
     "report_html.html"
