
Commit 6a0a784

authored
Merge pull request #1 from shiftleftcyber/feat/initialCommit
feat: initial commit of SBOM verification lib
2 parents 74679e7 + 27ecb71 commit 6a0a784

42 files changed

Lines changed: 3249 additions & 2 deletions


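--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,71 @@
+name: CI
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: Test (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+          - macos-latest
+          - windows-latest
+    env:
+      GOEXPERIMENT: jsonv2
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Verify module metadata
+        run: go mod verify
+
+      - name: Run tests
+        run: make test
+
+      - name: Build CLI
+        run: make build-cli
+
+  coverage:
+    name: Coverage
+    runs-on: ubuntu-latest
+    env:
+      GOEXPERIMENT: jsonv2
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Run coverage
+        shell: bash
+        run: |
+          GOEXPERIMENT=${GOEXPERIMENT} GOCACHE="${PWD}/.gocache" go test -coverprofile=coverage.out ./...
+          GOEXPERIMENT=${GOEXPERIMENT} GOCACHE="${PWD}/.gocache" go tool cover -func=coverage.out
+
+      - name: Upload coverage artifact
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: coverage-report
+          path: coverage.out
+          retention-days: 7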
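Review bot: Neither the `test` nor the `coverage` job sets `timeout-minutes`, so on a PR-triggered workflow a hung test holds a runner for the default six hours; add `timeout-minutes: 15` (or whatever the suite needs) under each job. The actions are SHA-pinned with version comments, which is the right call, but nothing among the visible files keeps those pins current — if the commit does not also add a `.github/dependabot.yml` with a `github-actions` ecosystem entry, consider one so stale pins are bumped by PR rather than silently aging. The `GOEXPERIMENT=${GOEXPERIMENT}` prefix on the two `go` lines in `Run coverage` is redundant, since the job-level `env` already exports it, and the coverage job re-runs the full suite that the ubuntu matrix entry already ran.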

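--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,32 @@
+name: Lint
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  golangci:
+    name: golangci-lint
+    runs-on: ubuntu-latest
+    env:
+      GOEXPERIMENT: jsonv2
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
+        with:
+          version: v2.8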
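Review bot: `version: v2.8` floats on the patch release of golangci-lint, so the linter binary the action downloads at run time can differ between two runs of the same commit; pin the exact patch (`version: v2.8.0`, or whichever v2.8.x is current) to match the SHA-level pinning used for the action itself. The job also has no `timeout-minutes:`, which would be consistent with bounding runner use on a `pull_request`-triggered workflow. Whether `gosec` or similar security linters are enabled depends on a `.golangci.yml` that is not visible here.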

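--- /dev/null
+++ b/.github/workflows/release-cli.yml
@@ -0,0 +1,37 @@
+name: Release CLI
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - "v*.*.*"
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    name: Goreleaser
+    runs-on: ubuntu-latest
+    env:
+      GOEXPERIMENT: jsonv2
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Run Goreleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: "~> v2"
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}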
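Review bot: `goreleaser/goreleaser-action@v6` is pinned to a mutable tag while every other step in this commit is pinned to a commit SHA, and it sits in the one workflow that runs with `contents: write` and a `GITHUB_TOKEN` that can publish release assets — exactly the step where a retargeted tag would matter most; pin it like the others, `uses: goreleaser/goreleaser-action@<full-sha> # v6.x.y`. `contents: write` is granted at workflow scope rather than on the `release` job; moving it under `release:` keeps the grant explicit if another job is added later. The `workflow_dispatch` trigger lets anyone with write access run a release from any ref, not only a `v*.*.*` tag, so if that is not intended guard the job with `if: startsWith(github.ref, 'refs/tags/v')`. For a tool whose purpose is SBOM verification, unsigned, un-attested release artifacts would stand out; `.goreleaser.yaml` is not visible here, so if it does not already sign, adding `id-token: write` plus a provenance attestation step is a natural follow-up.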

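--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,101 @@
+name: Security
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "30 3 * * 1"
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  govulncheck:
+    name: govulncheck
+    runs-on: ubuntu-latest
+    env:
+      GOEXPERIMENT: jsonv2
+      GOVULNCHECK_SCAN: package
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Run govulncheck
+        shell: bash
+        run: |
+          export PATH="$(go env GOPATH)/bin:${PATH}"
+          set +e
+          make vulncheck
+          status=$?
+          set -e
+
+          if [ "${status}" -ne 0 ]; then
+            echo "::warning title=govulncheck reported issues::govulncheck exited with status ${status}. Review the log output for vulnerabilities or scan errors."
+          fi
+
+  dependency-review:
+    name: Dependency Review
+    # Dependency Review works for public repos by default, but private repos need
+    # GitHub Code Security / Advanced Security enabled at the repo or org level.
+    if: github.event_name == 'pull_request' && github.event.repository.private == false
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Dependency review
+        uses: actions/dependency-review-action@v4
+
+  codeql:
+    name: CodeQL
+    # CodeQL works for public repos by default, but private repos need
+    # GitHub Code Security / Advanced Security enabled at the repo or org level.
+    if: github.event.repository.private == false
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - go
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Autobuild
+        env:
+          GOEXPERIMENT: jsonv2
+        run: make build-cli
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@v3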
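Review bot: The govulncheck job can never fail: the `set +e` / `status=$?` wrapper around `make vulncheck` only emits a `::warning`, so a known-vulnerable dependency will not block a pull request or a push to `main`. If the goal is to keep scanner errors from breaking CI, separate them from findings instead of swallowing both — govulncheck reports findings with a distinct non-zero exit status (3 in current releases, if I recall correctly), so something like `if [ "${status}" -eq 3 ]; then exit 1; fi` fails on real vulnerabilities while still warning on tooling errors (what `make vulncheck` actually runs is in a Makefile not visible here, so confirm it passes the exit code through). `go install golang.org/x/vuln/cmd/govulncheck@latest` fetches an unpinned tool at run time; pin a version (`@v1.1.4`, or whichever is current) so the scanner is as reproducible as the SHA-pinned actions, and the same applies to the tag-pinned `actions/dependency-review-action@v4` and `github/codeql-action/*@v3`. The workflow-level `security-events: write` is inherited by the govulncheck job, which uploads no SARIF; since the `codeql` job already declares its own permissions, the top-level block can drop to `contents: read` alone.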
Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
name: Validate Workflow Setup
2+
3+
on:
4+
workflow_dispatch:
5+
pull_request:
6+
paths:
7+
- ".github/workflows/**"
8+
9+
permissions:
10+
contents: read
11+
12+
jobs:
13+
validate:
14+
runs-on: ubuntu-latest
15+
steps:
16+
- name: Checkout
17+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
18+
19+
- name: Confirm workflow directory exists
20+
shell: bash
21+
run: |
22+
test -d .github/workflows
23+
find .github/workflows -maxdepth 1 -type f | sort

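--- a/.gitignore
+++ b/.gitignore
@@ -30,3 +30,7 @@ go.work.sum
 # Editor/IDE
 # .idea/
 # .vscode/
+
+# dist directory
+dist/
+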
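--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,22 @@
+# Contributing
+
+## Development
+
+```bash
+go test ./...
+go build ./cmd/sbom-offline-verification
+```
+
+## Design Intent
+
+- keep transport concerns out of this module
+- keep tenancy and infrastructure lookups out of this module
+- keep cryptographic verification and canonicalization in this module
+
+## Pull Requests
+
+Please include:
+
+- tests for new verification logic
+- fixture or reproduction details for bug fixes
+- notes about backwards compatibility when public package APIs change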

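--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,22 @@
+FROM golang:1.25 AS builder
+
+ARG GOEXPERIMENT=jsonv2
+ARG TARGETOS=linux
+ARG TARGETARCH=amd64
+
+WORKDIR /src
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} GOEXPERIMENT=${GOEXPERIMENT} \
+    go build -o /out/sbom-offline-verification ./cmd/sbom-offline-verification
+
+FROM gcr.io/distroless/static-debian12:nonroot
+
+WORKDIR /
+COPY --from=builder /out/sbom-offline-verification /usr/local/bin/sbom-offline-verification
+
+ENTRYPOINT ["/usr/local/bin/sbom-offline-verification"]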
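Review bot: Both base images float on mutable tags (`golang:1.25` on line 1, `gcr.io/distroless/static-debian12:nonroot` on line 17), so the image build is not reproducible and a retagged upstream image is pulled silently; pin them by digest, e.g. `FROM golang:1.25@sha256:<digest> AS builder` and likewise for the distroless stage, which matches the SHA pinning the workflows in this commit already apply to actions. Line 10 runs `go mod download` without the `go mod verify` that `ci.yml` performs; `RUN go mod download && go mod verify` checks fetched module contents against `go.sum` inside the image build as well. `COPY . .` on line 12 copies the entire build context, including `.git` and any local `dist/`, unless a `.dockerignore` excludes them — none is visible among the changed files, so confirm one exists. The `CGO_ENABLED=0` static build on a `nonroot` distroless base is the right shape for this binary.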

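--- /dev/null
+++ b/MIGRATION.md
@@ -0,0 +1,44 @@
+# Migration Notes
+
+This directory is a first extraction pass. It duplicates the verification logic
+so the API repository can keep working while the standalone project is shaped.
+
+## Code That Was Duplicated
+
+From `sbom-signing-api` into this module:
+
+- `api/application/sbom_verify_application.go`
+- `api/services/sbom/sbom_formatting.go`
+- verification-specific parts of `api/services/digest/*`
+- verification-specific parts of `api/services/ecdsa.go`
+- `api/utils/key_utils.go`
+- `api/cli/offline_verification/*`
+- minimal key metadata types required by digest verification
+
+## Code That Should Stay In The API Repo
+
+- `api/handlers/*verify*`
+- `api/services/verify/service.go`
+- request auth and authorization helpers
+- Firestore access and customer/key ownership checks
+- HTTP contract models
+- usage tracking and rate limiting
+
+## Recommended Next Refactor
+
+1. Introduce this module as a dependency in `api/go.mod`.
+2. Update `api/application` usage sites to import the external module.
+3. Leave `api/services/verify` in place, but change it to call the imported verifier.
+4. Leave handlers unchanged except for import path updates caused by step 2.
+5. Keep signing and key-generation logic in the API repo.
+6. Remove duplicated verification internals from the API repo only after tests pass.
+
+## Notes
+
+- The package layout here intentionally mirrors the current repo in several areas
+  to keep the migration low-risk.
+- A later cleanup pass can introduce more polished public packages once the
+  dependency boundary is proven in production.
+- GitHub workflows have been staged under `.github/workflows` inside this
+  extracted project. They are intended for the future standalone repository and
+  will not run while this project remains nested under `sbom-signing-api`.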
