Added SBOM

Signed-off-by: Sascha Pfeiffer <sascha.pfeiffer@esaqa.com>
2025-04-18 12:24:05 +03:00 · 2025-04-02 11:44:48 +02:00 · 2025-04-02 11:44:48 +02:00 · 31aa8ea2ef
commit 31aa8ea2ef
parent c63e85ec68
3 changed files with 93 additions and 1 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -158,6 +158,46 @@ run-vulnerability-scan:
    - tags@psono/psono-fileserver


+
+build-sbom:
+  except:
+    - schedules
+  stage: test
+  image: psono-docker.jfrog.io/ubuntu:22.04
+  services:
+    - name: docker:25-dind
+      alias: docker
+      command: ["--tls=false"]
+  variables:
+    DOCKER_DRIVER: overlay2
+    DOCKER_HOST: tcp://docker:2375/
+    DOCKER_TLS_CERTDIR: ""
+  script:
+    - apt-get update || true
+    - apt install -y curl ca-certificates iptables libdevmapper1.02.1 python3 python3-pip
+    - pip3 install requests
+    - curl -fSL "https://download.docker.com/linux/ubuntu/dists/jammy/pool/stable/amd64/containerd.io_1.6.28-1_amd64.deb" -o containerd.deb && echo "3fcc3e44e6d507c346ae05bbaef8f4bb04dfa8da9f04af658537f7e373c91340 containerd.deb" | sha256sum -c -
+    - curl -fSL "https://download.docker.com/linux/ubuntu/dists/jammy/pool/stable/amd64/docker-buildx-plugin_0.12.1-1~ubuntu.22.04~jammy_amd64.deb" -o docker-buildx-plugin.deb && echo "3fb7cd11fd9bf7c31d81c1afa96c023519d9e6e17422192aa4d0aa2767ed0776 docker-buildx-plugin.deb" | sha256sum -c -
+    - curl -fSL "https://download.docker.com/linux/ubuntu/dists/jammy/pool/stable/amd64/docker-ce-cli_25.0.3-1~ubuntu.22.04~jammy_amd64.deb" -o docker-ce-cli.deb && echo "624abe860a3d9dd190c278263b3ae115d54ce1135774a79f84026a6ec6ebafd1 docker-ce-cli.deb" | sha256sum -c -
+    - curl -fSL "https://download.docker.com/linux/ubuntu/dists/jammy/pool/stable/amd64/docker-ce_25.0.3-1~ubuntu.22.04~jammy_amd64.deb" -o docker-ce.deb && echo "63c7703814558a829ab3cc37c8018c050c9dad56f99c261090500f6c87821fd1 docker-ce.deb" | sha256sum -c -
+    - dpkg -i ./containerd.deb ./docker-ce.deb ./docker-ce-cli.deb ./docker-buildx-plugin.deb
+    - docker info
+    - echo $CI_JOB_TOKEN | docker login --username=gitlab-ci-token --password-stdin registry.gitlab.com
+    - docker pull $CONTAINER_TEST_IMAGE
+    - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+    - syft scan psono/psono-combo-enterprise:latest -o cyclonedx-json > sbom.json
+    - mv /builds/psono/psono-fileserver/sbom.json ../
+    - rm -Rf *
+    - rm -Rf .* 2> /dev/null || true
+    - mv ../sbom.json ./
+  artifacts:
+    name: "sbom_$CI_COMMIT_REF_NAME"
+    paths:
+      - ./*
+  only:
+    - branches@psono/psono-fileserver
+    - /^v[0-9]*\.[0-9]*\.[0-9]*$/
+
 release-docker-jfrog:
  except:
    - schedules
@ -262,4 +302,37 @@ deploy-changelog:
    name: static.psono.com
    url: https://static.psono.com/gitlab.com/psono/psono-fileserver/changelog.json
  only:
-    - /^v[0-9]*\.[0-9]*\.[0-9]*$/
+    - /^v[0-9]*\.[0-9]*\.[0-9]*$/
+
+
+
+deploy-nightlyartifacts:
+  except:
+    - schedules
+  stage: release
+  image: psono-docker.jfrog.io/ubuntu:22.04
+  dependencies:
+    - build-sbom
+  script:
+    - sh ./var/deploy_nightlyartifacts.sh
+  environment:
+    name: static.psono.com
+    url: https://get.psono.com/psono/psono-fileserver/nightly/sbom.json
+  only:
+    - develop@psono/psono-fileserver
+
+
+deploy-releaseartifacts:
+  except:
+    - schedules
+  stage: deploy
+  image: psono-docker.jfrog.io/ubuntu:22.04
+  dependencies:
+    - build-sbom
+  script:
+    - sh ./var/deploy_releaseartifacts.sh
+  environment:
+    name: static.psono.com
+    url: https://get.psono.com/psono/psono-fileserver/latest/sbom.json
+  only:
+    - /^v[0-9]*\.[0-9]*\.[0-9]*$/
--- a/var/deploy_nightlyartifacts.sh
+++ b/var/deploy_nightlyartifacts.sh
@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+apt-get update && \
+apt-get install -y lsb-release curl gnupg && \
+echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] http://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list && \
+curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key --keyring /usr/share/keyrings/cloud.google.gpg  add - && \
+apt-get update -y && apt-get install google-cloud-cli -y && \
+echo "$GOOGLE_APPLICATION_CREDENTIALS" > "/root/key.json" && \
+gcloud auth activate-service-account --key-file=/root/key.json && \
+gsutil cp sbom.json gs://get.psono.com/$CI_PROJECT_PATH/nightly/sbom.json
--- a/var/deploy_releaseartifacts.sh
+++ b/var/deploy_releaseartifacts.sh
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+apt-get update && \
+apt-get install -y lsb-release curl gnupg && \
+echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] http://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list && \
+curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key --keyring /usr/share/keyrings/cloud.google.gpg  add - && \
+apt-get update -y && apt-get install google-cloud-cli -y && \
+echo "$GOOGLE_APPLICATION_CREDENTIALS" > "/root/key.json" && \
+gcloud auth activate-service-account --key-file=/root/key.json && \
+gsutil cp sbom.json gs://get.psono.com/$CI_PROJECT_PATH/latest/sbom.json && \
+gsutil cp sbom.json gs://get.psono.com/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME/sbom.json