feat: add a job generating software bill of materials

97dda2f4 · Abd-Rahim Boumkassar · Pierre Smeyers · 5d4b6dbe · 97dda2f4 · 97dda2f4
Commit 97dda2f4 authored 2 years ago by Abd-Rahim Boumkassar Committed by Pierre Smeyers 2 years ago
--- a/README.md
+++ b/README.md
@@ -154,3 +154,15 @@ More info:

 :warning: an [unsolved issue](https://jira.sonarsource.com/browse/SONARSLANG-450) may prevent SonarQube Go plugin from
 importing your test reports.
+
+### `php-sbom` job
+
+This job generates a [SBOM](https://cyclonedx.org/) file listing installed packages using [@cyclonedx/cyclonedx-gomod](https://github.com/CycloneDX/cyclonedx-gomod).
+
+It is bound to the `test` stage, and uses the following variables:
+
+| Name                  | description                            | default value     |
+| --------------------- | -------------------------------------- | ----------------- |
+| `GO_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
+| `GO_SBOM_IMAGE` | Image of cyclonedx-gomod used for SBOM analysis | cyclonedx/cyclonedx-gomod:latest |
+| `GO_SBOM_OPTS` | [@cyclonedx/cyclonedx-gomod options](https://github.com/CycloneDX/cyclonedx-gomod#usage) used for SBOM analysis | `--main .` |
--- a/kicker.json
+++ b/kicker.json
@@ -114,6 +114,26 @@
          "advanced": true
        }
      ]
+    },
+    {
+      "id": "dtsi",
+      "name": "DTSI",
+      "description": "Generates SBOM file for [Dependency Track](https://dependencytrack.org/) using [cyclonedx-gomod](https://github.com/CycloneDX/cyclonedx-gomod)",
+      "target_project": "to-be-continuous/golang",
+      "template_path": "templates/gitlab-ci-golang-dtsi.yml",
+      "variables": [
+        {
+          "name": "GO_SBOM_IMAGE",
+          "description": "Image of cyclonedx-gomod used for SBOM analysis",
+          "default": "cyclonedx/cyclonedx-gomod:latest"
+        },
+        {
+          "name": "GO_SBOM_OPTS",
+          "description": "Options for cyclonedx-gomod used for SBOM analysis",
+          "default": "--main .",
+          "advanced": true
+        }
+      ]
    }
  ]
 }
--- a/templates/gitlab-ci-golang.yml
+++ b/templates/gitlab-ci-golang.yml
@@ -91,6 +91,11 @@ variables:
  # Default arguments for golangci-lint command
  GO_CI_LINT_ARGS: '-E gosec,goimports ./...'

+  # Image of cyclonedx-gomod used for SBOM analysis
+  GO_SBOM_IMAGE: cyclonedx/cyclonedx-gomod:latest
+  # Options for cyclonedx-gomod used for SBOM analysis
+  GO_SBOM_OPTS: "-main ."
+
  # default production ref name (pattern)
  PROD_REF: '/^(master|main)$/'
  # default integration ref name (pattern)
@@ -465,3 +470,28 @@ go-mod-outdated:
    # else manual & non-blocking
    - when: manual
      allow_failure: true
+
+go-sbom:
+  extends: .go-base
+  stage: test
+  image:
+    name: $GO_SBOM_IMAGE
+    entrypoint: [""]
+  # force no dependency
+  dependencies: []
+  needs: []
+  script:
+    - mkdir -p -m 777 reports/toto
+    - cyclonedx-gomod app -json -output reports/go-sbom.cyclonedx.json $GO_SBOM_OPTS
+    - chmod a+r reports/go-sbom.cyclonedx.json
+  rules:
+    # exclude if disabled
+    - if: '$GO_SBOM_DISABLED == "true"'
+      when: never
+    - !reference [.test-policy, rules]
+  artifacts:
+    name: "SBOM for golang from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
+    expire_in: 1 week
+    when: always
+    paths:
+      - "$GO_PROJECT_DIR/reports/go-sbom.cyclonedx.json"