From 3f36da17095eff714050e84f40cd2e49c3745bed Mon Sep 17 00:00:00 2001
From: tdruez
Date: Tue, 26 Aug 2025 13:22:00 +0400
Subject: [PATCH 01/16] Test the SBOM tool workflow
---
.../workflows/sca-integration-sbom-tool.yml | 36 +++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 .github/workflows/sca-integration-sbom-tool.yml
diff --git a/.github/workflows/sca-integration-sbom-tool.yml b/.github/workflows/sca-integration-sbom-tool.yml
new file mode 100644
index 0000000000..0ea0862b89
--- /dev/null
+++ b/.github/workflows/sca-integration-sbom-tool.yml
@@ -0,0 +1,36 @@
+name: Generate SBOM with SBOM tool and load into ScanCode.io
+
+on:
+ workflow_dispatch:
+ pull_request:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Setup .NET
+ uses: actions/setup-dotnet@v4
+ with:
+ dotnet-version: 8.0.x
+
+ - name: Build
+ run: dotnet build Sample.sln --output buildOutput
+
+ - name: Generate SBOM
+ run: |
+ curl -Lo $RUNNER_TEMP/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
+ chmod +x $RUNNER_TEMP/sbom-tool
+ $RUNNER_TEMP/sbom-tool generate -b ./buildOutput -bc . -pn Test -pv 1.0.0 -ps MyCompany -nsb https://sbom.mycompany.com -V Verbose
+
+ - name: Upload a Build Artifact
+ uses: actions/upload-artifact@v4
+ with:
+ path: buildOutput
From e75a11677d81b8f9a3319d995d16447058311393 Mon Sep 17 00:00:00 2001
From: tdruez
Date: Tue, 26 Aug 2025 15:18:22 +0400
Subject: [PATCH 02/16] DEBUG the SBOM tool workflow
---
.../workflows/sca-integration-sbom-tool.yml | 33 ++++++++++++++-----
1 file changed, 24 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/sca-integration-sbom-tool.yml b/.github/workflows/sca-integration-sbom-tool.yml
index 0ea0862b89..3ef87b86d3 100644
--- a/.github/workflows/sca-integration-sbom-tool.yml
+++ b/.github/workflows/sca-integration-sbom-tool.yml
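Review bot: The Generate SBOM step downloads `sbom-tool-linux-x64` from the mutable `releases/latest` URL and executes it with no version pin and no integrity check, so each run trusts whatever binary that URL serves at that moment; the same three download lines survive as context in patches 02, 04 and 07, so the point applies to the final workflow as well. Pin the release and verify the asset before `chmod +x`, e.g. `curl -Lo "$RUNNER_TEMP/sbom-tool" "https://github.com/microsoft/sbom-tool/releases/download/<PINNED_RELEASE_TAG>/sbom-tool-linux-x64"` followed by `echo "<EXPECTED_SHA256>  $RUNNER_TEMP/sbom-tool" | sha256sum -c -` (both values are placeholders to fill in from the chosen release). Quoting `$RUNNER_TEMP` in these lines costs nothing and avoids word splitting. The fixture added later in this series was produced by `Microsoft.SBOMTool-4.1.1` according to its `creationInfo.creators`, which makes that release the natural pin so the SBOM the workflow loads matches the one the unit test asserts against.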
@@ -10,27 +10,42 @@ on: permissions: contents: read +env: + IMAGE_REFERENCE: "python:3.13.0-slim" + jobs: - build: + generate-and-load-sbom: runs-on: ubuntu-24.04 - steps: - - uses: actions/checkout@v4 +# steps: +# - uses: actions/checkout@v4 - name: Setup .NET uses: actions/setup-dotnet@v4 with: dotnet-version: 8.0.x - - name: Build - run: dotnet build Sample.sln --output buildOutput +# - name: Build +# run: dotnet build Sample.sln --output buildOutput - - name: Generate SBOM + - name: Download SBOM Tool run: | curl -Lo $RUNNER_TEMP/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64 chmod +x $RUNNER_TEMP/sbom-tool - $RUNNER_TEMP/sbom-tool generate -b ./buildOutput -bc . -pn Test -pv 1.0.0 -ps MyCompany -nsb https://sbom.mycompany.com -V Verbose - - name: Upload a Build Artifact + - name: Generate SBOM for Docker image + run: | + mkdir -p sbom-output + $RUNNER_TEMP/sbom-tool generate \ + -di ${{ env.IMAGE_REFERENCE }} \ + -pn DockerImage \ + -pv 1.0.0 \ + -ps Company \ + -nsb https://sbom.company.com \ + -m sbom-output \ + -V Verbose + + - name: Upload SBOM artifact uses: actions/upload-artifact@v4 with: - path: buildOutput + name: sbom-tool-sbom + path: sbom-output From 53a56bec59a31c1bd3243d5834f3f1244e3f43d7 Mon Sep 17 00:00:00 2001 From: tdruez Date: Tue, 26 Aug 2025 15:23:41 +0400 Subject: [PATCH 03/16] DEBUG the SBOM tool workflow --- .github/workflows/sca-integration-sbom-tool.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/sca-integration-sbom-tool.yml b/.github/workflows/sca-integration-sbom-tool.yml index 3ef87b86d3..abfffc961e 100644 --- a/.github/workflows/sca-integration-sbom-tool.yml +++ b/.github/workflows/sca-integration-sbom-tool.yml @@ -16,9 +16,7 @@ env: jobs: generate-and-load-sbom: runs-on: ubuntu-24.04 -# steps: -# - uses: actions/checkout@v4 - + steps: - name: Setup .NET uses: actions/setup-dotnet@v4 with: 
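Review bot: The Generate SBOM for Docker image step passes `-di ${{ env.IMAGE_REFERENCE }}` inside `run:`, so GitHub substitutes the expression into the script text before bash sees it; with the static `env` block added here that is harmless, but it is the construction that becomes script injection the day the value is sourced from a `workflow_dispatch` input or event payload. Top-level `env` entries are exported into every step's environment, so the shell can read the value as a quoted variable instead: `-di "$IMAGE_REFERENCE" \`. The step also relies on the runner's default shell; the default for `run:` on Linux runners is `bash -e`, so a failing `curl` already aborts the step, but spelling out `shell: bash` (which additionally enables `pipefail`) as the later verification step does would keep the file consistent.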
@@ -47,5 +45,5 @@ jobs: - name: Upload SBOM artifact uses: actions/upload-artifact@v4 with: - name: sbom-tool-sbom + name: sbom-tool-output path: sbom-output From 91f220705d2436ac8baa28e7291c2992646671b0 Mon Sep 17 00:00:00 2001 From: tdruez Date: Tue, 26 Aug 2025 15:35:16 +0400 Subject: [PATCH 04/16] DEBUG the SBOM tool workflow --- .../workflows/sca-integration-sbom-tool.yml | 34 +++++++++++++------ 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/.github/workflows/sca-integration-sbom-tool.yml b/.github/workflows/sca-integration-sbom-tool.yml index abfffc961e..896b0f79bf 100644 --- a/.github/workflows/sca-integration-sbom-tool.yml +++ b/.github/workflows/sca-integration-sbom-tool.yml 
@@ -17,33 +17,47 @@ jobs: generate-and-load-sbom: runs-on: ubuntu-24.04 steps: - - name: Setup .NET - uses: actions/setup-dotnet@v4 - with: - dotnet-version: 8.0.x - -# - name: Build -# run: dotnet build Sample.sln --output buildOutput +# - name: Setup .NET +# uses: actions/setup-dotnet@v4 +# with: +# dotnet-version: 8.0.x - - name: Download SBOM Tool + - name: Download SBOM tool run: | curl -Lo $RUNNER_TEMP/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64 chmod +x $RUNNER_TEMP/sbom-tool - - name: Generate SBOM for Docker image + - name: Generate SBOM with SBOM tool run: | mkdir -p sbom-output $RUNNER_TEMP/sbom-tool generate \ -di ${{ env.IMAGE_REFERENCE }} \ - -pn DockerImage \ +# -pn DockerImage \ -pv 1.0.0 \ -ps Company \ -nsb https://sbom.company.com \ -m sbom-output \ -V Verbose + - name: Verify SBOM Analysis Results in ScanCode.io + shell: bash + run: | + ls -la + ls -la sbom-output + - name: Upload SBOM artifact uses: actions/upload-artifact@v4 with: name: sbom-tool-output path: sbom-output + + - name: Import SBOM into ScanCode.io + uses: aboutcode-org/scancode-action@main + with: + pipelines: "load_sbom" + inputs-path: "sbom-output/_manifest/spdx_2.2/manifest.spdx.json" + +# - name: Verify SBOM Analysis Results in ScanCode.io +# shell: bash +# run: | +# scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 220; assert package_manager.vulnerable().count() > 10; assert DiscoveredDependency.objects.count() > 150" From 996666e8147d8b8fd2dbd04442231070bbf3e045 Mon Sep 17 00:00:00 2001 From: tdruez Date: Tue, 26 Aug 2025 15:41:16 +0400 Subject: [PATCH 05/16] DEBUG the SBOM tool workflow --- .github/workflows/sca-integration-sbom-tool.yml | 1 - 1 file changed, 1 deletion(-) 
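Review bot: The new Import SBOM into ScanCode.io step uses `aboutcode-org/scancode-action@main`, a mutable branch ref, so the action code executing in this job can change without any commit to this repository, while the `actions/*` steps in the same file are at least pinned to a major tag. If tracking the action's tip is deliberate for an integration workflow, say so in a comment above the step, e.g. `# Tracks main on purpose: this job exercises the latest scancode-action.`; otherwise pin to a release tag or a full commit SHA with the version noted in a trailing comment. The commented-out assertion step kept at the bottom of the hunk documents the intended check; a one-line comment saying why it is disabled would stop it reading as dead code.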
diff --git a/.github/workflows/sca-integration-sbom-tool.yml b/.github/workflows/sca-integration-sbom-tool.yml index 896b0f79bf..a216414c17 100644 --- a/.github/workflows/sca-integration-sbom-tool.yml +++ b/.github/workflows/sca-integration-sbom-tool.yml @@ -32,7 +32,6 @@ jobs: mkdir -p sbom-output $RUNNER_TEMP/sbom-tool generate \ -di ${{ env.IMAGE_REFERENCE }} \ -# -pn DockerImage \ -pv 1.0.0 \ -ps Company \ -nsb https://sbom.company.com \ From 7d41101dd62e6982d582e6057cdcc37af80a8b0d Mon Sep 17 00:00:00 2001 From: tdruez Date: Tue, 26 Aug 2025 15:42:34 +0400 Subject: [PATCH 06/16] DEBUG the SBOM tool workflow --- .github/workflows/sca-integration-sbom-tool.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sca-integration-sbom-tool.yml b/.github/workflows/sca-integration-sbom-tool.yml index a216414c17..ac0e485d42 100644 --- a/.github/workflows/sca-integration-sbom-tool.yml +++ b/.github/workflows/sca-integration-sbom-tool.yml @@ -32,6 +32,7 @@ jobs: mkdir -p sbom-output $RUNNER_TEMP/sbom-tool generate \ -di ${{ env.IMAGE_REFERENCE }} \ + -pn DockerImage \ -pv 1.0.0 \ -ps Company \ -nsb https://sbom.company.com \ From 10bc18290d24075e8faf15f4d148504f80a3d5f0 Mon Sep 17 00:00:00 2001 From: tdruez Date: Tue, 26 Aug 2025 15:45:53 +0400 Subject: [PATCH 07/16] DEBUG the SBOM tool workflow --- .../workflows/sca-integration-sbom-tool.yml | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/.github/workflows/sca-integration-sbom-tool.yml b/.github/workflows/sca-integration-sbom-tool.yml index ac0e485d42..ef2087a8b4 100644 --- a/.github/workflows/sca-integration-sbom-tool.yml +++ b/.github/workflows/sca-integration-sbom-tool.yml 
@@ -11,17 +11,13 @@ permissions: contents: read env: - IMAGE_REFERENCE: "python:3.13.0-slim" + IMAGE_REFERENCE: "alpine:3.17.0" +# IMAGE_REFERENCE: "python:3.13.0-slim" jobs: generate-and-load-sbom: runs-on: ubuntu-24.04 steps: -# - name: Setup .NET -# uses: actions/setup-dotnet@v4 -# with: -# dotnet-version: 8.0.x - - name: Download SBOM tool run: | curl -Lo $RUNNER_TEMP/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64 @@ -39,23 +35,17 @@ jobs: -m sbom-output \ -V Verbose - - name: Verify SBOM Analysis Results in ScanCode.io - shell: bash - run: | - ls -la - ls -la sbom-output - - name: Upload SBOM artifact uses: actions/upload-artifact@v4 with: name: sbom-tool-output - path: sbom-output + path: sbom-tool-output - name: Import SBOM into ScanCode.io uses: aboutcode-org/scancode-action@main with: pipelines: "load_sbom" - inputs-path: "sbom-output/_manifest/spdx_2.2/manifest.spdx.json" + inputs-path: "sbom-tool-output/_manifest/spdx_2.2/manifest.spdx.json" # - name: Verify SBOM Analysis Results in ScanCode.io # shell: bash From 8e417f0aafc5f7ce93ee6676d3331ab9d086ad91 Mon Sep 17 00:00:00 2001 From: tdruez Date: Tue, 26 Aug 2025 15:51:41 +0400 Subject: [PATCH 08/16] DEBUG the SBOM tool workflow --- .github/workflows/sca-integration-sbom-tool.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sca-integration-sbom-tool.yml b/.github/workflows/sca-integration-sbom-tool.yml index ef2087a8b4..93c1686441 100644 --- a/.github/workflows/sca-integration-sbom-tool.yml +++ b/.github/workflows/sca-integration-sbom-tool.yml @@ -32,7 +32,7 @@ jobs: -pv 1.0.0 \ -ps Company \ -nsb https://sbom.company.com \ - -m sbom-output \ + -m sbom-tool-output \ -V Verbose - name: Upload SBOM artifact 
@@ -50,4 +50,4 @@ jobs: # - name: Verify SBOM Analysis Results in ScanCode.io # shell: bash # run: | -# scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 220; assert package_manager.vulnerable().count() > 10; assert DiscoveredDependency.objects.count() > 150" +# scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() == 0" From 4c998c2260bef52d5ebed0720dab1c15b2932d1b Mon Sep 17 00:00:00 2001 From: tdruez Date: Tue, 26 Aug 2025 16:03:31 +0400 Subject: [PATCH 09/16] DEBUG the SBOM tool workflow --- .github/workflows/sca-integration-sbom-tool.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/sca-integration-sbom-tool.yml b/.github/workflows/sca-integration-sbom-tool.yml index 93c1686441..1fbd154b91 100644 --- a/.github/workflows/sca-integration-sbom-tool.yml +++ b/.github/workflows/sca-integration-sbom-tool.yml @@ -32,20 +32,20 @@ jobs: -pv 1.0.0 \ -ps Company \ -nsb https://sbom.company.com \ - -m sbom-tool-output \ + -m sbom-output \ -V Verbose - name: Upload SBOM artifact uses: actions/upload-artifact@v4 with: - name: sbom-tool-output - path: sbom-tool-output + name: sbom-output + path: sbom-output - name: Import SBOM into ScanCode.io uses: aboutcode-org/scancode-action@main with: pipelines: "load_sbom" - inputs-path: "sbom-tool-output/_manifest/spdx_2.2/manifest.spdx.json" + inputs-path: "sbom-output/_manifest/spdx_2.2/manifest.spdx.json" # - name: Verify SBOM Analysis Results in ScanCode.io # shell: bash From 817aebe8c3356e2e403093ac03060dec9327b7fc Mon Sep 17 00:00:00 2001 
From: tdruez Date: Tue, 26 Aug 2025 16:07:10 +0400 Subject: [PATCH 10/16] DEBUG the SBOM tool workflow --- .github/workflows/sca-integration-sbom-tool.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/workflows/sca-integration-sbom-tool.yml b/.github/workflows/sca-integration-sbom-tool.yml index 1fbd154b91..bf67adf71f 100644 --- a/.github/workflows/sca-integration-sbom-tool.yml +++ b/.github/workflows/sca-integration-sbom-tool.yml @@ -11,8 +11,7 @@ permissions: contents: read env: - IMAGE_REFERENCE: "alpine:3.17.0" -# IMAGE_REFERENCE: "python:3.13.0-slim" + IMAGE_REFERENCE: "python:3.13.0-slim" jobs: generate-and-load-sbom: @@ -47,7 +46,7 @@ jobs: pipelines: "load_sbom" inputs-path: "sbom-output/_manifest/spdx_2.2/manifest.spdx.json" -# - name: Verify SBOM Analysis Results in ScanCode.io -# shell: bash -# run: | -# scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() == 0" + - name: Verify SBOM Analysis Results in ScanCode.io + shell: bash + run: | + scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() == 0" From 1c1658a02e25ecd2a2b18491e620630d6bac1758 Mon Sep 17 00:00:00 2001 From: tdruez Date: Tue, 26 Aug 2025 17:36:38 +0400 Subject: [PATCH 11/16] Add unit test for the SCA SBOM tool support --- .../sbom-tool-alpine-3.17-sbom.spdx.json | 293 ++++++++++++++++++ scanpipe/tests/test_sca_integrations.py | 23 ++ 2 files changed, 316 insertions(+) create mode 100644 scanpipe/tests/data/sca-integrations/sbom-tool-alpine-3.17-sbom.spdx.json 
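Review bot: The Verify SBOM Analysis Results step is now active and its thresholds (`count() > 90`, `vulnerable().count() == 0`) are calibrated against `IMAGE_REFERENCE: "python:3.13.0-slim"`, but a registry tag, even a fully versioned one, is mutable, so an upstream rebuild of that image can change the package set or add a vulnerable package and fail this job with no change in the repository. Pinning by digest fixes the input: `IMAGE_REFERENCE: "python:3.13.0-slim@sha256:<DIGEST_THE_THRESHOLDS_WERE_CALIBRATED_ON>"` (placeholder; take the digest from the registry for the image the counts were measured on). If detecting drift in the upstream image is actually the goal, a comment on the `env` block saying so, and noting that `== 0` vulnerable packages is expected to break as the image ages, would make a red run much easier to triage. Either way the `> 90` floor deserves a comment recording the count observed when the threshold was chosen.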
diff --git a/scanpipe/tests/data/sca-integrations/sbom-tool-alpine-3.17-sbom.spdx.json b/scanpipe/tests/data/sca-integrations/sbom-tool-alpine-3.17-sbom.spdx.json
new file mode 100644
index 0000000000..f2eed21fa9
--- /dev/null
+++ b/scanpipe/tests/data/sca-integrations/sbom-tool-alpine-3.17-sbom.spdx.json
@@ -0,0 +1,293 @@ +{ + "files": [], + "packages": [ + { + "name": "alpine-baselayout-data", + "SPDXID": "SPDXRef-Package-2FF1344E2849EBD04203DE6480D48AA9DF318FD79C2CF23DEBBF14C63DAD7AD9", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "GPL-2.0-only", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "versionInfo": "3.4.0-r0", + "supplier": "Organization: Natanael Copa " + }, + { + "name": "busybox", + "SPDXID": "SPDXRef-Package-269AF94DD8BFFCFAD5BA8BBC6E82B9365798AE4AF85B49BC3A5FE4F31DDE9488", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "GPL-2.0-only", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "versionInfo": "1.35.0-r29", + "supplier": "Organization: Sören Tempel " + }, + { + "name": "alpine-baselayout", + "SPDXID": "SPDXRef-Package-BC8A0138F4AB887ACBE81B0C5FF1077477DD1F054104C9D28244F3EE1318EF29", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "GPL-2.0-only", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "versionInfo": "3.4.0-r0", + "supplier": "Organization: Natanael Copa " + }, + { + "name": "ca-certificates-bundle", + "SPDXID": "SPDXRef-Package-2471353CCE204889AD89EFCEC030096363B376775C5DFAFBDBEBD99597EEA969", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "MPL-2.0 AND MIT", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "versionInfo": "20220614-r2", + "supplier": "Organization: Natanael Copa " + }, + { + "name": "libssl3", + "SPDXID": "SPDXRef-Package-E8FDE8662042A1A73B88F43634ECA413A98DD1B5BA43F46455B024C794272A3C", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "Apache-2.0", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "versionInfo": "3.0.7-r0", + "supplier": "Organization: Ariadne Conill " + }, + { + "name": "ssl_client", + "SPDXID": 
"SPDXRef-Package-A03157DF01BCE5BF4A209E6AAF611D234E1D38DD10136D6F48A0E30D4704DA2E", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "GPL-2.0-only", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "versionInfo": "1.35.0-r29", + "supplier": "Organization: Sören Tempel " + }, + { + "name": "zlib", + "SPDXID": "SPDXRef-Package-00888F6C5F68DF809EB4EBE041A412FFD51276AA402850EECDC1C4A17921C5D3", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "Zlib", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "versionInfo": "1.2.13-r0", + "supplier": "Organization: Natanael Copa " + }, + { + "name": "libcrypto3", + "SPDXID": "SPDXRef-Package-342117E26CA6266072A57732213BAA801F51EB280EEF5A1CE4DBB9B3D8F5F5B0", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "Apache-2.0", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "versionInfo": "3.0.7-r0", + "supplier": "Organization: Ariadne Conill " + }, + { + "name": "busybox-binsh", + "SPDXID": "SPDXRef-Package-01C3FA070AC7D05FE03422B385F566584B3AF940657764A6748FCD9AACEEB807", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "GPL-2.0-only", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "versionInfo": "1.35.0-r29", + "supplier": "Organization: Sören Tempel " + }, + { + "name": "musl-utils", + "SPDXID": "SPDXRef-Package-E00DB534A00A22C8CE4CA11B1FC76E8BE0E9B819067295BA0575664FC5D97D9C", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "MIT AND BSD-2-Clause AND GPL-2.0-or-later", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "versionInfo": "1.2.3-r4", + "supplier": "Organization: Timo Teräs " + }, + { + "name": "apk-tools", + "SPDXID": "SPDXRef-Package-ECA17F56515573DD93ACE781F91516271AC671A1C6A71618E49ED7F26C398AF2", + "downloadLocation": 
"NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "GPL-2.0-only", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "versionInfo": "2.12.10-r1", + "supplier": "Organization: Natanael Copa " + }, + { + "name": "musl", + "SPDXID": "SPDXRef-Package-705013B3778D10501271BF617E996011323C4A2E28E57A79D17B6955D6888627", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "MIT", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "versionInfo": "1.2.3-r4", + "supplier": "Organization: Timo Teräs " + }, + { + "name": "libc-utils", + "SPDXID": "SPDXRef-Package-275AFBF9CCA335A5E19E25A072FFEFB4E434081793EB7292B98827157A1283A2", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "BSD-2-Clause AND BSD-3-Clause", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "versionInfo": "0.7.2-r3", + "supplier": "Organization: Natanael Copa " + }, + { + "name": "alpine-keys", + "SPDXID": "SPDXRef-Package-932F58BF477100E836DA6FFE2DC4AFB017DBF2D0CE6BB04467E4BB26E7EC36FC", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "MIT", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "versionInfo": "2.4-r1", + "supplier": "Organization: Natanael Copa " + }, + { + "name": "scanelf", + "SPDXID": "SPDXRef-Package-76DC710B1952C21FCC403CE0DAF2FEA3FB887F06C005D10639E71D7947DE90FB", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "GPL-2.0-only", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "versionInfo": "1.3.5-r1", + "supplier": "Organization: Natanael Copa " + }, + { + "name": "DockerImage", + "SPDXID": "SPDXRef-RootPackage", + "downloadLocation": "NOASSERTION", + "packageVerificationCode": { + "packageVerificationCodeValue": "da39a3ee5e6b4b0d3255bfef95601890afd80709" + }, + "filesAnalyzed": true, + "licenseConcluded": "NOASSERTION", + 
"licenseInfoFromFiles": [ + "NOASSERTION" + ], + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "versionInfo": "1.0.0", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:swid/Company/sbom.company.com/DockerImage@1.0.0?tag_id=60e3f440-f9a8-449e-b516-da3049700fff" + } + ], + "supplier": "Organization: Company", + "hasFiles": [] + } + ], + "externalDocumentRefs": [], + "relationships": [ + { + "relationshipType": "DESCRIBES", + "relatedSpdxElement": "SPDXRef-RootPackage", + "spdxElementId": "SPDXRef-DOCUMENT" + }, + { + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-2471353CCE204889AD89EFCEC030096363B376775C5DFAFBDBEBD99597EEA969", + "spdxElementId": "SPDXRef-RootPackage" + }, + { + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-269AF94DD8BFFCFAD5BA8BBC6E82B9365798AE4AF85B49BC3A5FE4F31DDE9488", + "spdxElementId": "SPDXRef-RootPackage" + }, + { + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-A03157DF01BCE5BF4A209E6AAF611D234E1D38DD10136D6F48A0E30D4704DA2E", + "spdxElementId": "SPDXRef-RootPackage" + }, + { + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-E8FDE8662042A1A73B88F43634ECA413A98DD1B5BA43F46455B024C794272A3C", + "spdxElementId": "SPDXRef-RootPackage" + }, + { + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-275AFBF9CCA335A5E19E25A072FFEFB4E434081793EB7292B98827157A1283A2", + "spdxElementId": "SPDXRef-RootPackage" + }, + { + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-ECA17F56515573DD93ACE781F91516271AC671A1C6A71618E49ED7F26C398AF2", + "spdxElementId": "SPDXRef-RootPackage" + }, + { + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-01C3FA070AC7D05FE03422B385F566584B3AF940657764A6748FCD9AACEEB807", + "spdxElementId": "SPDXRef-RootPackage" + }, + { + "relationshipType": 
"DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-705013B3778D10501271BF617E996011323C4A2E28E57A79D17B6955D6888627", + "spdxElementId": "SPDXRef-RootPackage" + }, + { + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-E00DB534A00A22C8CE4CA11B1FC76E8BE0E9B819067295BA0575664FC5D97D9C", + "spdxElementId": "SPDXRef-RootPackage" + }, + { + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-342117E26CA6266072A57732213BAA801F51EB280EEF5A1CE4DBB9B3D8F5F5B0", + "spdxElementId": "SPDXRef-RootPackage" + }, + { + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-00888F6C5F68DF809EB4EBE041A412FFD51276AA402850EECDC1C4A17921C5D3", + "spdxElementId": "SPDXRef-RootPackage" + }, + { + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-76DC710B1952C21FCC403CE0DAF2FEA3FB887F06C005D10639E71D7947DE90FB", + "spdxElementId": "SPDXRef-RootPackage" + }, + { + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-932F58BF477100E836DA6FFE2DC4AFB017DBF2D0CE6BB04467E4BB26E7EC36FC", + "spdxElementId": "SPDXRef-RootPackage" + }, + { + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-BC8A0138F4AB887ACBE81B0C5FF1077477DD1F054104C9D28244F3EE1318EF29", + "spdxElementId": "SPDXRef-RootPackage" + }, + { + "relationshipType": "DEPENDS_ON", + "relatedSpdxElement": "SPDXRef-Package-2FF1344E2849EBD04203DE6480D48AA9DF318FD79C2CF23DEBBF14C63DAD7AD9", + "spdxElementId": "SPDXRef-RootPackage" + } + ], + "spdxVersion": "SPDX-2.2", + "dataLicense": "CC0-1.0", + "SPDXID": "SPDXRef-DOCUMENT", + "name": "DockerImage 1.0.0", + "documentNamespace": "https://sbom.company.com/DockerImage/1.0.0/YuWW1Lwcd0S5vJUf-VhClw", + "creationInfo": { + "created": "2025-08-26T12:03:59Z", + "creators": [ + "Organization: Company", + "Tool: Microsoft.SBOMTool-4.1.1" + ] + }, + "documentDescribes": [ + "SPDXRef-RootPackage" + ] +} \ No newline at end of file 
diff --git a/scanpipe/tests/test_sca_integrations.py b/scanpipe/tests/test_sca_integrations.py index 166b366cd2..6f0bb0afce 100644 --- a/scanpipe/tests/test_sca_integrations.py +++ b/scanpipe/tests/test_sca_integrations.py @@ -116,3 +116,26 @@ def test_scanpipe_scan_integrations_load_sbom_depscan(self): self.assertEqual(33, project1.discoveredpackages.count()) self.assertEqual(3, project1.discoveredpackages.vulnerable().count()) self.assertEqual(20, project1.discovereddependencies.count()) + + def test_scanpipe_scan_integrations_load_sbom_sbomtool(self): + # Input file generated with: + # $ sbom-tool generate -di alpine:3.17.0 \ + # -pn DockerImage -pv 1.0.0 -ps Company -nsb https://sbom.company.com + input_location = ( + self.data / "sca-integrations" / "sbom-tool-alpine-3.17-sbom.spdx.json" + ) + + pipeline_name = "load_sbom" + project1 = make_project() + project1.copy_input_from(input_location) + + run = project1.add_pipeline(pipeline_name) + pipeline = run.make_pipeline_instance() + + exitcode, out = pipeline.execute() + self.assertEqual(0, exitcode, msg=out) + + self.assertEqual(1, project1.codebaseresources.count()) + self.assertEqual(16, project1.discoveredpackages.count()) + self.assertEqual(0, project1.discoveredpackages.vulnerable().count()) + self.assertEqual(0, project1.discovereddependencies.count()) From aff66bb6a443cc3ca0c3c269aa357e3e32fa6cf3 Mon Sep 17 00:00:00 2001 From: tdruez Date: Wed, 27 Aug 2025 11:57:51 +0400 Subject: [PATCH 12/16] Update test expectations following SPDX dependencies support #1145 --- .github/workflows/sca-integration-sbom-tool.yml | 2 +- scanpipe/tests/test_sca_integrations.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sca-integration-sbom-tool.yml b/.github/workflows/sca-integration-sbom-tool.yml index bf67adf71f..4b9d869725 100644 --- a/.github/workflows/sca-integration-sbom-tool.yml +++ b/.github/workflows/sca-integration-sbom-tool.yml 
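Review bot: The comment in `test_scanpipe_scan_integrations_load_sbom_sbomtool` records the `sbom-tool generate` flags but not the tool version, while the fixture's `creationInfo.creators` lists `Tool: Microsoft.SBOMTool-4.1.1`; a regeneration with a newer release could change the 16 packages the test pins. Add it to the comment, e.g. `# Input file generated with Microsoft.SBOMTool-4.1.1 (see creationInfo.creators in the fixture):`. The quoted command also omits the `-m` output directory, and the checked-in file is the `_manifest/spdx_2.2/manifest.spdx.json` that sbom-tool writes there, the same path the workflow hands to `inputs-path`; naming that in the comment ties the fixture to the workflow so both stay in step.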
@@ -49,4 +49,4 @@ jobs: - name: Verify SBOM Analysis Results in ScanCode.io shell: bash run: | - scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() == 0" + scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() > 90" diff --git a/scanpipe/tests/test_sca_integrations.py b/scanpipe/tests/test_sca_integrations.py index 6f0bb0afce..ff48fcdf91 100644 --- a/scanpipe/tests/test_sca_integrations.py +++ b/scanpipe/tests/test_sca_integrations.py @@ -138,4 +138,4 @@ def test_scanpipe_scan_integrations_load_sbom_sbomtool(self): self.assertEqual(1, project1.codebaseresources.count()) self.assertEqual(16, project1.discoveredpackages.count()) self.assertEqual(0, project1.discoveredpackages.vulnerable().count()) - self.assertEqual(0, project1.discovereddependencies.count()) + self.assertEqual(16, project1.discovereddependencies.count()) From 66fbda41277b38f449f5781f9bf7a0e07798ac18 Mon Sep 17 00:00:00 2001 From: tdruez Date: Wed, 27 Aug 2025 11:57:51 +0400 Subject: [PATCH 13/16] Update test expectations following SPDX dependencies support --- .github/workflows/sca-integration-sbom-tool.yml | 2 +- scanpipe/tests/test_sca_integrations.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sca-integration-sbom-tool.yml b/.github/workflows/sca-integration-sbom-tool.yml index bf67adf71f..4b9d869725 100644 --- a/.github/workflows/sca-integration-sbom-tool.yml +++ b/.github/workflows/sca-integration-sbom-tool.yml 
@@ -49,4 +49,4 @@ jobs: - name: Verify SBOM Analysis Results in ScanCode.io shell: bash run: | - scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() == 0" + scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() > 90" diff --git a/scanpipe/tests/test_sca_integrations.py b/scanpipe/tests/test_sca_integrations.py index 6f0bb0afce..ff48fcdf91 100644 --- a/scanpipe/tests/test_sca_integrations.py +++ b/scanpipe/tests/test_sca_integrations.py @@ -138,4 +138,4 @@ def test_scanpipe_scan_integrations_load_sbom_sbomtool(self): self.assertEqual(1, project1.codebaseresources.count()) self.assertEqual(16, project1.discoveredpackages.count()) self.assertEqual(0, project1.discoveredpackages.vulnerable().count()) - self.assertEqual(0, project1.discovereddependencies.count()) + self.assertEqual(16, project1.discovereddependencies.count()) From b4eaf975a840cdb78e9a15e9640be0c604c08815 Mon Sep 17 00:00:00 2001 From: tdruez Date: Wed, 27 Aug 2025 12:02:01 +0400 Subject: [PATCH 14/16] DEBUG workflow --- .github/workflows/sca-integration-sbom-tool.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sca-integration-sbom-tool.yml b/.github/workflows/sca-integration-sbom-tool.yml index 4b9d869725..be05b6c5f8 100644 --- a/.github/workflows/sca-integration-sbom-tool.yml +++ b/.github/workflows/sca-integration-sbom-tool.yml 
@@ -1,5 +1,13 @@ name: Generate SBOM with SBOM tool and load into ScanCode.io +# This workflow: +# 1. Generates a CycloneDX SBOM for a container image using SBOM tool. +# 2. Uploads the SBOM as a GitHub artifact for future inspection. +# 3. Loads the SBOM into ScanCode.io for further analysis. +# 4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io. +# +# It runs on demand, and once a week (scheduled). + on: workflow_dispatch: pull_request: @@ -49,4 +57,4 @@ jobs: - name: Verify SBOM Analysis Results in ScanCode.io shell: bash run: | - scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() > 90" + scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() == 0; print(DiscoveredDependency.objects.count()); assert DiscoveredDependency.objects.count() > 90" From 93045bc7613e8a8e39a06b243afc042bc5dc5317 Mon Sep 17 00:00:00 2001 From: tdruez Date: Wed, 27 Aug 2025 12:04:55 +0400 Subject: [PATCH 15/16] Use latest scancodeio main branch in workflow --- .github/workflows/sca-integration-sbom-tool.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sca-integration-sbom-tool.yml b/.github/workflows/sca-integration-sbom-tool.yml index be05b6c5f8..78452fba0a 100644 --- a/.github/workflows/sca-integration-sbom-tool.yml +++ b/.github/workflows/sca-integration-sbom-tool.yml 
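Review bot: The new header comment says the workflow `Generates a CycloneDX SBOM`, but the document it loads is `sbom-output/_manifest/spdx_2.2/manifest.spdx.json` and the checked-in fixture declares `"spdxVersion": "SPDX-2.2"`, so the format is misdescribed; change the line to `# 1. Generates an SPDX 2.2 SBOM for a container image using SBOM tool.`. The same comment says the workflow `runs on demand, and once a week (scheduled)`, yet the `on:` block visible in this hunk still lists `pull_request` and `push` and has no `schedule`, so the description is ahead of the configuration at this commit; either land the trigger change in the same commit or phrase the comment to match what is configured.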
@@ -53,8 +53,9 @@ jobs: with: pipelines: "load_sbom" inputs-path: "sbom-output/_manifest/spdx_2.2/manifest.spdx.json" + scancodeio-repo-branch: "main" - name: Verify SBOM Analysis Results in ScanCode.io shell: bash run: | - scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() == 0; print(DiscoveredDependency.objects.count()); assert DiscoveredDependency.objects.count() > 90" + scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() > 90" From 6a8e669aa6f70a0f5646d8f41937e5f2c1cc50ee Mon Sep 17 00:00:00 2001 From: tdruez Date: Wed, 27 Aug 2025 12:08:19 +0400 Subject: [PATCH 16/16] Run the workflow once a week --- .github/workflows/sca-integration-sbom-tool.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/sca-integration-sbom-tool.yml b/.github/workflows/sca-integration-sbom-tool.yml index 78452fba0a..125926e7a1 100644 --- a/.github/workflows/sca-integration-sbom-tool.yml +++ b/.github/workflows/sca-integration-sbom-tool.yml @@ -10,10 +10,9 @@ name: Generate SBOM with SBOM tool and load into ScanCode.io on: workflow_dispatch: - pull_request: - push: - branches: - - main + schedule: + # Run once a week (every 7 days) at 00:00 UTC on Sunday + - cron: "0 0 * * 0" permissions: contents: read