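# Builds a CycloneDX SBOM for each of the five Python apps, exports them as one
# artifact, then scores them (sbomqs), checks BSI TR-03183-2 / CRA compliance,
# lists declared licenses and scans the SBOMs for known vulnerabilities (Grype).
name: SBOMs for Python Apps

on:
  push:
    branches: [ "master", "v1*", "v2*", "v3*" ]
  pull_request:
    branches: [ "master", "v1*", "v2*", "v3*" ]

# Read-only token: this job only reads the repo and uploads an artifact.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7

      - name: Set up Python 3.x
        uses: actions/setup-python@v6
        with:
          python-version: "3.x"

      # NOTE(review): nothing below invokes cyclonedx-bom directly; confirm the
      # sbomify action needs it on the host, otherwise this step can be dropped.
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install cyclonedx-bom

      # Read each app's version from the version="x.y.z" attribute in its
      # rcapp.xml and hand it to the SBOM steps via GITHUB_ENV.
      - name: Get software versions
        run: |
          set -euo pipefail

          # Print the x.y.z version found in the rcapp.xml given as $1.
          # Fails the job if no version is found, so an SBOM is never produced
          # with an empty COMPONENT_VERSION.
          app_version() {
            local ver
            ver=$(grep -E -o 'version[[:blank:]]*=[[:blank:]]*"[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+' "$1" | sed 's/[^0-9.]*//g' || true)
            if [ -z "$ver" ]; then
              echo "::error file=$1::no version=\"x.y.z\" attribute found in $1"
              exit 1
            fi
            printf '%s\n' "$ver"
          }

          # $1 = env var name, $2 = app directory, $3 = display name for the log.
          export_version() {
            local ver
            ver=$(app_version "$2/rcapp.xml")
            echo "$3 version '$ver' detected"
            echo "$1=$ver" >> "$GITHUB_ENV"
          }

          export_version MINIMAL_APP_VER minimal_python "Minimal App"
          export_version MONITOR_APP_VER monitor_python "Monitor App"
          export_version CONTROL_APP_VER control_python "Control App"
          export_version MATH_TOOLS_APP_VER MathTools "Math Tools App"
          export_version POSITION_LOGGER_APP_VER PositionLogger "Position Logger App"

      # The SBOM steps write to ../sboms relative to their WORKING_DIR and every
      # later step reads sboms/ relative to the workspace, so the directory has to
      # live in the workspace — not in $HOME (~/sboms), which nothing references.
      - name: Create output directory
        run: |
          mkdir -p sboms

      # NOTE(review): @master is a mutable branch ref of a third-party action;
      # pin it (here and in the four steps below) to a release tag or, better, a
      # full commit SHA so an upstream change cannot silently alter what runs
      # with this repository's checkout.
      - name: Create SBOM for MinimalApp
        uses: sbomify/sbomify-action@master
        env:
          WORKING_DIR: minimal_python
          LOCK_FILE: requirements.txt
          OUTPUT_FILE: ../sboms/sbom_minimal_app_python.cdx.json
          COMPONENT_NAME: Minimal App Python
          COMPONENT_VERSION: "${{ env.MINIMAL_APP_VER }}"
          # Product and company info are loaded from sbomify.json
          AUGMENT: "true"
          # Add metadata from the package registry
          ENRICH: "true"
          UPLOAD: "false"

      - name: Create SBOM for MonitorApp
        uses: sbomify/sbomify-action@master
        env:
          WORKING_DIR: monitor_python
          LOCK_FILE: requirements.txt
          OUTPUT_FILE: ../sboms/sbom_monitor_app_python.cdx.json
          COMPONENT_NAME: Monitor App Python
          COMPONENT_VERSION: "${{ env.MONITOR_APP_VER }}"
          # Product and company info are loaded from sbomify.json
          AUGMENT: "true"
          # Add metadata from the package registry
          ENRICH: "true"
          UPLOAD: "false"

      - name: Create SBOM for ControlApp
        uses: sbomify/sbomify-action@master
        env:
          WORKING_DIR: control_python
          LOCK_FILE: requirements.txt
          OUTPUT_FILE: ../sboms/sbom_control_app_python.cdx.json
          COMPONENT_NAME: Control App Python
          COMPONENT_VERSION: "${{ env.CONTROL_APP_VER }}"
          # Product and company info are loaded from sbomify.json
          AUGMENT: "true"
          # Add metadata from the package registry
          ENRICH: "true"
          UPLOAD: "false"

      - name: Create SBOM for MathTools
        uses: sbomify/sbomify-action@master
        env:
          WORKING_DIR: MathTools
          LOCK_FILE: requirements.txt
          OUTPUT_FILE: ../sboms/sbom_math_tools_app.cdx.json
          COMPONENT_NAME: Math Tools App
          COMPONENT_VERSION: "${{ env.MATH_TOOLS_APP_VER }}"
          # Product and company info are loaded from sbomify.json
          AUGMENT: "true"
          # Add metadata from the package registry
          ENRICH: "true"
          UPLOAD: "false"

      - name: Create SBOM for PositionLogger
        uses: sbomify/sbomify-action@master
        env:
          WORKING_DIR: PositionLogger
          LOCK_FILE: requirements.txt
          OUTPUT_FILE: ../sboms/sbom_position_logger_app.cdx.json
          COMPONENT_NAME: Position Logger App
          COMPONENT_VERSION: "${{ env.POSITION_LOGGER_APP_VER }}"
          # Product and company info are loaded from sbomify.json
          AUGMENT: "true"
          # Add metadata from the package registry
          ENRICH: "true"
          UPLOAD: "false"

      - name: Export SBOMs
        uses: actions/upload-artifact@v7
        with:
          name: sboms
          path: sboms
          archive: true

      - uses: actions/setup-go@v6

      # NOTE(review): @latest resolves to whatever interlynk-io publishes at run
      # time, so scores and compliance results can change without any commit
      # here; pin a released sbomqs version for reproducible results.
      - name: Install SBOM QA tool
        run: go install github.com/interlynk-io/sbomqs@latest

      - name: SBOM quality score for MinimalApp
        run: sbomqs score sboms/sbom_minimal_app_python.cdx.json
      - name: SBOM quality score for MonitorApp
        run: sbomqs score sboms/sbom_monitor_app_python.cdx.json
      - name: SBOM quality score for ControlApp
        run: sbomqs score sboms/sbom_control_app_python.cdx.json
      - name: SBOM quality score for MathTools
        run: sbomqs score sboms/sbom_math_tools_app.cdx.json
      - name: SBOM quality score for PositionLogger
        run: sbomqs score sboms/sbom_position_logger_app.cdx.json

      # Checks compliance with the latest version of BSI TR-03183-2
      - name: Check CRA compliance for MinimalApp
        run: sbomqs compliance --bsi-v2 --color sboms/sbom_minimal_app_python.cdx.json
      - name: Check CRA compliance for MonitorApp
        run: sbomqs compliance --bsi-v2 --color sboms/sbom_monitor_app_python.cdx.json
      - name: Check CRA compliance for ControlApp
        run: sbomqs compliance --bsi-v2 --color sboms/sbom_control_app_python.cdx.json
      - name: Check CRA compliance for MathTools
        run: sbomqs compliance --bsi-v2 --color sboms/sbom_math_tools_app.cdx.json
      - name: Check CRA compliance for PositionLogger
        run: sbomqs compliance --bsi-v2 --color sboms/sbom_position_logger_app.cdx.json

      - name: List component licenses for MinimalApp
        run: sbomqs list --feature comp_with_declared_license --show sboms/sbom_minimal_app_python.cdx.json
      - name: List component licenses for MonitorApp
        run: sbomqs list --feature comp_with_declared_license --show sboms/sbom_monitor_app_python.cdx.json
      - name: List component licenses for Control App
        run: sbomqs list --feature comp_with_declared_license --show sboms/sbom_control_app_python.cdx.json
      - name: List component licenses for MathTools
        run: sbomqs list --feature comp_with_declared_license --show sboms/sbom_math_tools_app.cdx.json
      - name: List component licenses for PositionLogger
        run: sbomqs list --feature comp_with_declared_license --show sboms/sbom_position_logger_app.cdx.json

      # TODO: fill in the fields that are not yet CRA-compliant

      # Security audit: scan each generated SBOM against the vulnerability DB.
      - name: Scan for vulnerabilities for MinimalApp
        uses: anchore/scan-action@v7
        with:
          sbom: sboms/sbom_minimal_app_python.cdx.json
      - name: Scan for vulnerabilities for MonitorApp
        uses: anchore/scan-action@v7
        with:
          sbom: sboms/sbom_monitor_app_python.cdx.json
      - name: Scan for vulnerabilities for ControlApp
        uses: anchore/scan-action@v7
        with:
          sbom: sboms/sbom_control_app_python.cdx.json
      - name: Scan for vulnerabilities for MathTools
        uses: anchore/scan-action@v7
        with:
          sbom: sboms/sbom_math_tools_app.cdx.json
      - name: Scan for vulnerabilities for PositionLogger
        uses: anchore/scan-action@v7
        with:
          sbom: sboms/sbom_position_logger_app.cdx.json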