From: Jessica Wagantall
Date: Mon, 7 Feb 2022 23:35:09 +0000 (-0800)
Subject: Feat: Add SBOM Generator conditional step
X-Git-Tag: v0.75.0^0
X-Git-Url: https://gerrit.linuxfoundation.org/infra/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F87%2F69687%2F14;p=releng%2Fglobal-jjb.git

Feat: Add SBOM Generator conditional step

This is a conditional step which calls a specific version of SPDX SBOM generator, runs a scan and generates a report of software bill of materials in a specific repo.

Issue: RELENG-4104
Signed-off-by: Jessica Wagantall
Change-Id: I3433a93efc4141b5e5e1949d7260f7686a015506
---
diff --git a/docs/jjb/lf-maven-jobs.rst b/docs/jjb/lf-maven-jobs.rst
index 6302864d..411a7126 100644
--- a/docs/jjb/lf-maven-jobs.rst
+++ b/docs/jjb/lf-maven-jobs.rst
@@ -109,6 +109,15 @@ Nexus IQ server.
 :mvn-goals: The maven goals to perform for the build.
 (default: clean install)
 
+lf-infra-maven-sbom-generator
+-----------------------------
+
+Runs a specific version of SPDX SBOM Generator tool to generate a report.
+The calling job template sets the version to run in the SBOM_GENERATOR_VERSION parameter.
+
+:Optional parameters:
+ :sbom-flags: SBOM generator options. See https://github.com/opensbom-generator/spdx-sbom-generator
+
 Job Templates
 =============
 
@@ -404,6 +413,12 @@ directory is then used later to deploy to Nexus.
 :mvn-version: Version of maven to use. (default: mvn35)
 :ossrh-profile-id: Profile ID for project as provided by OSSRH. (default: '')
+ :sbom-flags: SBOM generator options if using sbom-generator.
+ See https://github.com/opensbom-generator/spdx-sbom-generator
+ :sbom-generator: Calls lf-infra-maven-sbom-generator to run the SPDX SBOM generator tool.
+ (default: false)
+ :sbom-generator-version: SBOM generator version to download and run if using sbom-generator.
+ (default: v0.0.10)
 :sign-artifacts: Sign artifacts with Sigul. (default: false)
 :stream: Keyword that represents a release code-name. Often the same as the branch. (default: master)
diff --git a/jjb/lf-maven-jobs.yaml b/jjb/lf-maven-jobs.yaml
index 49d3f3fe..528e1504 100644
--- a/jjb/lf-maven-jobs.yaml
+++ b/jjb/lf-maven-jobs.yaml
@@ -842,6 +842,9 @@
 mvn-version: mvn35
 ossrh-profile-id: ""
 mvn-pom: ""
+ sbom-flags: ""
+ sbom-generator: false
+ sbom-generator-version: "v0.0.10"
 sign-artifacts: false
 sign-mode: serial
 stream: master
@@ -889,6 +892,10 @@
 name: STAGING_PROFILE_ID
 default: "{staging-profile-id}"
 description: Nexus staging profile ID.
+ - string:
+ name: SBOM_GENERATOR_VERSION
+ default: "{sbom-generator-version}"
+ description: SBOM generator version to download and run.
 
 builders:
 - lf-infra-pre-build
@@ -909,6 +916,14 @@
 - shell: !include-raw-escape: ../shell/maven-patch-release.sh
 - lf-maven-build:
 mvn-goals: "{mvn-goals}"
+ # With SBOM Generator
+ - conditional-step:
+ condition-kind: boolean-expression
+ condition-expression: "{sbom-generator}"
+ steps:
+ - shell: echo 'Running SBOM Generator'
+ - lf-infra-maven-sbom-generator:
+ sbom-flags: "{sbom-flags}"
 - lf-sigul-sign-dir:
 sign-artifacts: "{sign-artifacts}"
 sign-dir: "$WORKSPACE/m2repo"
@@ -1277,6 +1292,16 @@
 mvn-settings: "{mvn-settings}"
 mvn-version: "{mvn-version}"
 
+- builder:
+ name: lf-infra-maven-sbom-generator
+ # Run Maven goals and trigger SPDX SBOM Generator tool
+ builders:
+ - inject:
+ properties-content: |
+ SBOM_FLAGS={sbom-flags}
+ - shell: !include-raw-escape:
+ - ../shell/sbom-generator.sh
+
 - builder:
 name: lf-infra-maven-sonar
 # Run a Sonar build with Maven
diff --git a/releasenotes/notes/maven-sbom-generator-1c9a937c80ba49d2.yaml b/releasenotes/notes/maven-sbom-generator-1c9a937c80ba49d2.yaml
new file mode 100644
index 00000000..8a736665
--- /dev/null
+++ b/releasenotes/notes/maven-sbom-generator-1c9a937c80ba49d2.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Add new conditional builder step which calls a specific version
+ of SPDX SBOM generator which runs a scan to generate a software
+ bill of materials report in a specific repo.
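Review bot: The comment on the new `lf-infra-maven-sbom-generator` builder, `# Run Maven goals and trigger SPDX SBOM Generator tool`, does not describe what the builder does: it injects `SBOM_FLAGS` and runs `../shell/sbom-generator.sh`, and runs no Maven goals itself. The script it calls also reads `SBOM_GENERATOR_VERSION` and, by its `${MVN::-4}` expansion, an `MVN` variable from the job environment, neither of which the builder declares, so anyone reusing it outside the staging template would miss that. Suggest `# Inject SBOM_FLAGS and run the pinned SPDX SBOM Generator (sbom-generator.sh); expects SBOM_GENERATOR_VERSION and MVN in the job environment`. The same documentation gap applies to the `conditional-step` hunk earlier in this file, where a one-line comment naming the parameters the step depends on would help.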
diff --git a/shell/sbom-generator.sh b/shell/sbom-generator.sh
new file mode 100644
index 00000000..f3e657b0
--- /dev/null
+++ b/shell/sbom-generator.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+# SPDX-License-Identifier: EPL-1.0
+##############################################################################
+# Copyright (c) 2022 The Linux Foundation and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+##############################################################################
+echo "---> sbom-generator.sh"
+# This script downloads the specified version of SBOM generator and triggers a run.
+
+# stop on error or unbound variable
+set -eu
+
+# Add mvn executable into PATH
+export PATH=$PATH:${MVN::-4}
+SBOM_LOCATION="/tmp/spdx-sbom-generator-${SBOM_GENERATOR_VERSION}-linux-amd64.tar.gz"
+echo "INFO: downloading spdx-sbom-generator version ${SBOM_GENERATOR_VERSION}"
+URL="https://github.com/spdx/spdx-sbom-generator/releases/download/${SBOM_GENERATOR_VERSION}/\
+spdx-sbom-generator-${SBOM_GENERATOR_VERSION}-linux-amd64.tar.gz"
+# Exit if wget fails
+if ! wget -nv "${URL}" -O "${SBOM_LOCATION}"; then
+ echo "wget ${SBOM_GENERATOR_VERSION} failed"
+ exit 1;
+fi
+tar -xvf "${SBOM_LOCATION}"
+echo "INFO: running spdx-sbom-generator"
+./spdx-sbom-generator "${SBOM_FLAGS:-}" -o "${WORKSPACE}"/m2repo
+mv spdx-sbom-generator /tmp/
+rm /tmp/spdx*
+echo "---> sbom-generator.sh ends"
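Review bot: The tarball `wget` fetches is extracted with `tar -xvf` and then executed with no integrity check, so whatever the release URL serves at the time runs inside the job with its credentials and writes into `${WORKSPACE}/m2repo`; a checksum (or signature) for the release should be pinned next to `sbom-generator-version` and verified before extraction. The download goes to a fixed name under the shared `/tmp`, and the final `rm /tmp/spdx*` glob deletes anything matching on the agent rather than only this script's files, so a `mktemp -d` with an `EXIT` trap is safer. `./spdx-sbom-generator "${SBOM_FLAGS:-}"` hands the whole option string to the tool as one argument (an empty one when unset), which is unlikely to be what callers of `sbom-flags` expect. Note also that the URL here is under `github.com/spdx/`, while docs/jjb/lf-maven-jobs.rst in this commit points users at `github.com/opensbom-generator/`; whichever upstream is intended, the pinned checksum should be taken from it. The sketch below covers the first three points; `SBOM_GENERATOR_SHA256` is a placeholder name to be wired through the job template the same way as `SBOM_GENERATOR_VERSION`.
```shell
# … unchanged: license header, echo banner, set -eu, PATH export …
# Stage the download in a private directory: a fixed name under the shared
# /tmp can be pre-seeded or clobbered by another job on the same agent, and
# the EXIT trap replaces the trailing mv/rm cleanup and its glob.
SBOM_TMP="$(mktemp -d)"
trap 'rm -rf "${SBOM_TMP}"' EXIT
SBOM_LOCATION="${SBOM_TMP}/spdx-sbom-generator-${SBOM_GENERATOR_VERSION}-linux-amd64.tar.gz"
# … unchanged: URL assignment and the wget block …
# Verify the archive against the pinned release checksum before anything in
# it is extracted or executed. SBOM_GENERATOR_SHA256 is a placeholder name:
# supply it from the job template like SBOM_GENERATOR_VERSION.
echo "${SBOM_GENERATOR_SHA256:?pinned sha256 for ${SBOM_GENERATOR_VERSION} is required}  ${SBOM_LOCATION}" \
  | sha256sum -c -
tar -xf "${SBOM_LOCATION}" -C "${SBOM_TMP}"
echo "INFO: running spdx-sbom-generator"
# Split the option string into separate arguments instead of passing it
# (or an empty string) as a single word; the ${arr[@]+...} form keeps
# an empty array safe under set -u on older bash.
read -r -a sbom_args <<< "${SBOM_FLAGS:-}"
"${SBOM_TMP}/spdx-sbom-generator" ${sbom_args[@]+"${sbom_args[@]}"} -o "${WORKSPACE}"/m2repo
echo "---> sbom-generator.sh ends"
```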