Commit 97dda2f4 authored by Abd-Rahim Boumkassar's avatar Abd-Rahim Boumkassar Committed by Pierre Smeyers

feat: add a job generating software bill of materials

parent 5d4b6dbe
......@@ -154,3 +154,15 @@ More info:
:warning: an [unsolved issue](https://jira.sonarsource.com/browse/SONARSLANG-450) may prevent SonarQube Go plugin from
importing your test reports.
### `php-sbom` job
This job generates a [SBOM](https://cyclonedx.org/) file listing installed packages using [@cyclonedx/cyclonedx-gomod](https://github.com/CycloneDX/cyclonedx-gomod).
It is bound to the `test` stage, and uses the following variables:
| Name | description | default value |
| --------------------- | -------------------------------------- | ----------------- |
| `GO_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
| `GO_SBOM_IMAGE` | Image of cyclonedx-gomod used for SBOM analysis | cyclonedx/cyclonedx-gomod:latest |
| `GO_SBOM_OPTS` | [@cyclonedx/cyclonedx-gomod options](https://github.com/CycloneDX/cyclonedx-gomod#usage) used for SBOM analysis | `--main .` |
......@@ -114,6 +114,26 @@
"advanced": true
}
]
},
{
"id": "dtsi",
"name": "DTSI",
"description": "Generates SBOM file for [Dependency Track](https://dependencytrack.org/) using [cyclonedx-gomod](https://github.com/CycloneDX/cyclonedx-gomod)",
"target_project": "to-be-continuous/golang",
"template_path": "templates/gitlab-ci-golang-dtsi.yml",
"variables": [
{
"name": "GO_SBOM_IMAGE",
"description": "Image of cyclonedx-gomod used for SBOM analysis",
"default": "cyclonedx/cyclonedx-gomod:latest"
},
{
"name": "GO_SBOM_OPTS",
"description": "Options for cyclonedx-gomod used for SBOM analysis",
"default": "--main .",
"advanced": true
}
]
}
]
}
......@@ -91,6 +91,11 @@ variables:
# Default arguments for golangci-lint command
GO_CI_LINT_ARGS: '-E gosec,goimports ./...'
# Image of cyclonedx-gomod used for SBOM analysis
GO_SBOM_IMAGE: cyclonedx/cyclonedx-gomod:latest
# Options for cyclonedx-gomod used for SBOM analysis
GO_SBOM_OPTS: "-main ."
# default production ref name (pattern)
PROD_REF: '/^(master|main)$/'
# default integration ref name (pattern)
......@@ -465,3 +470,28 @@ go-mod-outdated:
# else manual & non-blocking
- when: manual
allow_failure: true
go-sbom:
extends: .go-base
stage: test
image:
name: $GO_SBOM_IMAGE
entrypoint: [""]
# force no dependency
dependencies: []
needs: []
script:
- mkdir -p -m 777 reports/toto
- cyclonedx-gomod app -json -output reports/go-sbom.cyclonedx.json $GO_SBOM_OPTS
- chmod a+r reports/go-sbom.cyclonedx.json
rules:
# exclude if disabled
- if: '$GO_SBOM_DISABLED == "true"'
when: never
- !reference [.test-policy, rules]
artifacts:
name: "SBOM for golang from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
expire_in: 1 week
when: always
paths:
- "$GO_PROJECT_DIR/reports/go-sbom.cyclonedx.json"
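Review bot: The first script line of the new `go-sbom` job, `mkdir -p -m 777 reports/toto`, creates a stray placeholder directory that nothing uses (the SBOM is written to `reports/go-sbom.cyclonedx.json` on the next line) and makes it world-writable for no reason; `- mkdir -p reports` is all the job needs, and `chmod a+r` on the output file can stay. The default in the variables hunk above, `GO_SBOM_OPTS: "-main ."`, does not match the `--main .` documented for the same variable in the README and kicker.json hunks of this commit; both spellings are accepted by Go flag parsing, so the job works either way, but the three places should agree so the advertised default is the one actually applied. The script writes under `reports/` relative to the working directory while the artifact path is `$GO_PROJECT_DIR/reports/go-sbom.cyclonedx.json`, which only lines up if `.go-base` changes into `$GO_PROJECT_DIR`; that base job is outside the hunk, so this is worth confirming. `GO_SBOM_IMAGE` defaults to the floating `cyclonedx/cyclonedx-gomod:latest` tag, so the SBOM generator itself is unpinned; a comment on that variable such as `# pin to a release tag or digest in projects that need reproducible SBOMs` would document the trade-off for template users.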