Skip to content

Trim dotnet sbom by tracking resolved versions #1446

Trim dotnet sbom by tracking resolved versions

Trim dotnet sbom by tracking resolved versions #1446

Workflow file for this run

name: Repo tests
on:
push:
branches:
- master
workflow_dispatch:
pull_request:
jobs:
build:
strategy:
fail-fast: false
matrix:
node-version: [18.x]
os: ['ubuntu-latest', 'windows-latest']
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- name: Set up JDK
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: '19'
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
- name: Install bazelisk - linux
if: matrix.os == 'ubuntu-latest'
run: |
curl -LO "https://github.com/bazelbuild/bazelisk/releases/download/v1.15.0/bazelisk-linux-amd64"
sudo mv bazelisk-linux-amd64 /usr/local/bin/bazel
- name: Install bazelisk - windows
if: matrix.os == 'windows-latest'
run: choco install -y bazel
- name: npm install, build and test
run: |
npm install
npm run build --if-present
npm run lint
npm test
mkdir -p repotests
mkdir -p bomresults
mkdir -p denoresults
env:
CI: true
- name: Setup Android SDK
uses: android-actions/setup-android@v2
- uses: swift-actions/setup-swift@v1
if: matrix.os == 'ubuntu-latest'
- uses: actions/checkout@v4
with:
repository: 'ShiftLeftSecurity/shiftleft-java-example'
path: 'repotests/shiftleft-java-example'
- uses: actions/checkout@v4
with:
repository: 'ShiftLeftSecurity/shiftleft-ts-example'
path: 'repotests/shiftleft-ts-example'
- uses: actions/checkout@v4
with:
repository: 'ShiftLeftSecurity/shiftleft-go-example'
path: 'repotests/shiftleft-go-example'
- uses: actions/checkout@v4
with:
repository: 'prabhu/shiftleft-scala-example'
path: 'repotests/shiftleft-scala-example'
- uses: actions/checkout@v4
with:
repository: 'HooliCorp/vulnerable_net_core'
path: 'repotests/vulnerable_net_core'
- uses: actions/checkout@v4
with:
repository: 'HooliCorp/Goatly.NET'
path: 'repotests/Goatly.NET'
- uses: actions/checkout@v4
with:
repository: 'HooliCorp/DjanGoat'
path: 'repotests/DjanGoat'
- uses: actions/checkout@v4
with:
repository: 'prabhu/Vulnerable-Web-Application'
path: 'repotests/Vulnerable-Web-Application'
- uses: actions/checkout@v4
with:
repository: 'prabhu/railsgoat'
path: 'repotests/railsgoat'
- uses: actions/checkout@v4
with:
repository: 'bazelbuild/examples'
path: 'repotests/bazel-examples'
- uses: actions/checkout@v4
with:
repository: 'flutter/gallery'
path: 'repotests/gallery'
- uses: actions/checkout@v4
with:
repository: 'gojek/ziggurat'
path: 'repotests/ziggurat'
- uses: actions/checkout@v4
with:
repository: 'apple/swift-markdown'
path: 'repotests/swift-markdown'
- uses: actions/checkout@v4
with:
repository: 'GoogleCloudPlatform/microservices-demo'
path: 'repotests/microservices-demo'
- uses: actions/checkout@v4
with:
repository: 'zoom/meetingsdk-vuejs-sample'
path: 'repotests/meetingsdk-vuejs-sample'
- uses: actions/checkout@v4
with:
repository: 'sveltejs/examples'
path: 'repotests/sveltejs-examples'
- uses: actions/checkout@v4
with:
repository: 'openpbs/openpbs'
path: 'repotests/openpbs'
- uses: actions/checkout@v4
with:
repository: 'home-assistant/android'
path: 'repotests/ha-android'
- uses: actions/checkout@v4
with:
repository: 'rust-lang/rust'
path: 'repotests/rs-rust'
- uses: actions/checkout@v4
with:
repository: 'rust-lang/cargo'
path: 'repotests/rs-cargo'
- uses: actions/checkout@v4
with:
repository: 'Keats/validator'
path: 'repotests/rs-validator'
- uses: actions/checkout@v4
with:
repository: 'tokio-rs/axum'
path: 'repotests/rs-axum'
- uses: actions/checkout@v4
with:
repository: 'fsprojects/FAKE'
path: 'repotests/dotnet-paket'
- uses: actions/checkout@v4
with:
repository: 'appthreat/blint'
path: 'repotests/blint'
- uses: dtolnay/rust-toolchain@stable
- name: repotests
run: |
bin/cdxgen.js -p -r -t java repotests/shiftleft-java-example -o bomresults/bom-java.json --generate-key-and-sign
node bin/evinse.js -i bomresults/bom-java.json -o bomresults/bom-java.evinse.json -l java --with-data-flow -p repotests/shiftleft-java-example
SBOM_SIGN_ALGORITHM=RS512 SBOM_SIGN_PRIVATE_KEY=bomresults/private.key SBOM_SIGN_PUBLIC_KEY=bomresults/public.key bin/cdxgen.js -p -r -t github repotests/shiftleft-java-example -o bomresults/bom-github.json
FETCH_LICENSE=false bin/cdxgen.js -p -t js repotests/shiftleft-ts-example -o bomresults/bom-ts.json --validate
node bin/evinse.js -i bomresults/bom-ts.json -o bomresults/bom-ts.evinse.json -l javascript --with-data-flow -p repotests/shiftleft-ts-example
FETCH_LICENSE=false bin/cdxgen.js -p -t js repotests/meetingsdk-vuejs-sample -o bomresults/bom-vue.json
node bin/evinse.js -i bomresults/bom-vue.json -o bomresults/bom-vue.evinse.json -l javascript --with-data-flow -p repotests/meetingsdk-vuejs-sample
CDXGEN_DEBUG_MODE=debug ASTGEN_IGNORE_DIRS="" FETCH_LICENSE=false bin/cdxgen.js -p -t js repotests/sveltejs-examples -o bomresults/bom-svelte.json
CDXGEN_DEBUG_MODE=debug ASTGEN_IGNORE_DIRS="" node bin/evinse.js -i bomresults/bom-svelte.json -o bomresults/bom-svelte.evinse.json -l javascript --with-data-flow -p repotests/sveltejs-examples
FETCH_LICENSE=1 bin/cdxgen.js -p -t js repotests/shiftleft-ts-example --required-only -o bomresults/bom-ts.json --validate
FETCH_LICENSE=false bin/cdxgen.js -p -r -t go repotests/shiftleft-go-example -o bomresults/bom-go.json --validate
FETCH_LICENSE=true bin/cdxgen.js -p -r -t csharp repotests/vulnerable_net_core -o bomresults/bom-csharp2.json --validate
FETCH_LICENSE=0 bin/cdxgen.js -p -r repotests/Goatly.NET -o bomresults/bom-csharp3.json --validate
FETCH_LICENSE=true bin/cdxgen.js -p -r -t python repotests/DjanGoat -o bomresults/bom-python.json --validate
bin/cdxgen.js -p -t php repotests/Vulnerable-Web-Application -o bomresults/bom-php.json --validate
bin/cdxgen.js -p -t php --no-recurse repotests/Vulnerable-Web-Application -o bomresults/bom-php.json --validate
bin/cdxgen.js -p -r -t ruby repotests/railsgoat -o bomresults/bom-ruby.json --validate
bin/cdxgen.js -p -r -t java repotests/bazel-examples/java-maven -o bomresults/bom-bazel.json --validate
bin/cdxgen.js -p -r -t dart repotests/gallery -o bomresults/bom-pub.json --validate
CDXGEN_DEBUG_MODE=debug bin/cdxgen.js -p -r -t clojure repotests/ziggurat -o bomresults/bom-clj.json --validate
CDXGEN_DEBUG_MODE=debug bin/cdxgen.js -r -t swift repotests/swift-markdown -o bomresults/bom-swift.json --validate
bin/cdxgen.js --no-recurse repotests/microservices-demo -o bomresults/bom-msd.json --validate
bin/cdxgen.js -r repotests/microservices-demo -o bomresults/bom-msd.json --validate
bin/cdxgen.js -r -t yaml-manifest repotests/microservices-demo -o bomresults/bom-yaml.json --validate
FETCH_LICENSE=true bin/cdxgen.js -p -r -t js repotests/shiftleft-ts-example -o bomresults/bom-ts.json --validate
bin/cdxgen.js -r -t c repotests/openpbs -o bomresults/bom-openpbs.json
cd repotests/ha-android && ./gradlew assembleDebug || true && cd ../..
bin/cdxgen.js -r -t java repotests/ha-android -o bomresults/bom-android.json
CDXGEN_DEBUG_MODE=debug bin/evinse.js -i bomresults/bom-android.json -o bomresults/bom-android.evinse.json -l java repotests/ha-android
bin/cdxgen.js -r -t rust repotests/rs-rust -o bomresults/bom-rs-rust.json --validate
bin/cdxgen.js -r -t rust repotests/rs-cargo -o bomresults/bom-rs-cargo.json --validate
cargo generate-lockfile --manifest-path repotests/rs-validator/validator/Cargo.toml
bin/cdxgen.js -r -t rust repotests/rs-validator -o bomresults/bom-rs-validator.json --validate
bin/cdxgen.js -r -t rust repotests/rs-axum -o bomresults/bom-rs-axum.json --validate
bin/cdxgen.js -p -r -t dotnet repotests/dotnet-paket -o bomresults/bom-dotnet-paket.json --validate
bin/cdxgen.js -p -t python repotests/blint -o bomresults/bom-blint.json
bin/cdxgen.js -p -t python repotests/blint -o bomresults/bom-blint-deep.json --deep
# mkdir -p jenkins
# wget https://updates.jenkins.io/download/plugins/sonar/2.14/sonar.hpi
# wget https://updates.jenkins.io/download/plugins/bouncycastle-api/2.26/bouncycastle-api.hpi
# wget https://updates.jenkins.io/download/plugins/jsch/0.1.55.61.va_e9ee26616e7/jsch.hpi
# wget https://updates.jenkins.io/download/plugins/momentjs/1.1.1/momentjs.hpi
# mv *.hpi jenkins
# CDXGEN_DEBUG_MODE=debug bin/cdxgen.js -p -r -t jenkins jenkins -o bomresults/bom-jenkins.json --validate
ls -ltr bomresults
shell: bash
- name: repotests 1.4
run: |
bin/cdxgen.js -p -r -t java repotests/shiftleft-java-example -o bomresults/bom-java.json --generate-key-and-sign --spec-version 1.4
SBOM_SIGN_ALGORITHM=RS512 SBOM_SIGN_PRIVATE_KEY=bomresults/private.key SBOM_SIGN_PUBLIC_KEY=bomresults/public.key bin/cdxgen.js -p -r -t github repotests/shiftleft-java-example -o bomresults/bom-github.json --spec-version 1.4
FETCH_LICENSE=false bin/cdxgen.js -p -r -t js repotests/shiftleft-ts-example -o bomresults/bom-ts.json --validate --spec-version 1.4
FETCH_LICENSE=1 bin/cdxgen.js -p -r -t js repotests/shiftleft-ts-example --required-only -o bomresults/bom-ts.json --validate --spec-version 1.4
FETCH_LICENSE=false bin/cdxgen.js -p -r -t go repotests/shiftleft-go-example -o bomresults/bom-go.json --validate --spec-version 1.4
FETCH_LICENSE=true bin/cdxgen.js -p -r -t csharp repotests/vulnerable_net_core -o bomresults/bom-csharp2.json --validate --spec-version 1.4
FETCH_LICENSE=0 bin/cdxgen.js -p -r repotests/Goatly.NET -o bomresults/bom-csharp3.json --validate --spec-version 1.4
FETCH_LICENSE=true bin/cdxgen.js -p -r -t python repotests/DjanGoat -o bomresults/bom-python.json --validate --spec-version 1.4
bin/cdxgen.js -p -r -t php repotests/Vulnerable-Web-Application -o bomresults/bom-php.json --validate --spec-version 1.4
shell: bash
- name: denotests
if: github.ref == 'refs/heads/master' && matrix.os == 'ubuntu-latest'
run: |
docker build -t ghcr.io/cyclonedx/cdxgen-deno -f ci/Dockerfile-deno .
docker run --rm -t -e "CDXGEN_DEBUG_MODE=debug" -v $(pwd):/app ghcr.io/cyclonedx/cdxgen-deno -p -r -t java /app/repotests/shiftleft-java-example -o /app/denoresults/bom-java.json
docker run --rm -t -e "CDXGEN_DEBUG_MODE=debug" -v $(pwd):/app ghcr.io/cyclonedx/cdxgen-deno -p -r -t python /app/repotests/DjanGoat -o /app/denoresults/bom-python.json
ls -ltr denoresults
- uses: actions/upload-artifact@v3
with:
name: bomresults
path: bomresults