clickhouse

juliojimenez · juliojimenez · commit 90eda8dde914 · 2025-06-17T14:26:30.000-04:00
Signed-off-by: Julio Jimenez &lt;julio@clickhouse.com&gt;
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -33,3 +33,7 @@ jobs:
           s3-bucket: clickhouse-sbom
           s3-key: clickbom.json
           repository: ${{ github.repository }}
+          clickhouse-url: ${{ secrets.CLICKHOUSE_URL }}
+          clickhouse-database: ${{ secrets.CLICKHOUSE_DATABASE }}
+          clickhouse-username: ${{ secrets.CLICKHOUSE_USERNAME }}
+          clickhouse-password: ${{ secrets.CLICKHOUSE_PASSWORD }}
diff --git a/README.md b/README.md
@@ -8,30 +8,31 @@ Downloads SBOMs from GitHub. Uploads to S3 and ClickHouse.
   - [Notes](#notes)
 - [Usage](#usage)
   - [Same Repository](#same-repository)
+  - [Same Repository with ClickHouse](#same-repository-with-clickhouse)
 
 ## Inputs
 
 | Name                  | Description                           | Default        | Required | Sensitive |
 | --------------------- | ------------------------------------- | -------------- | -------- | --------- |
-| github-token          | GitHub token for authentication       |                | false    | true      |
-| ghapp-token           | GitHub App token for authentication   |                | false    | true      |
-| aws-access-key-id     | AWS access key ID for S3 uploads      |                | true     | true      |
-| aws-secret-access-key | AWS secret access key for S3 uploads  |                | true     | true      |
-| aws-region            | AWS region for S3 uploads             | us-east-1      | false    | false     |
-| s3-bucket             | S3 bucket name for uploads            |                | false    | false     |
-| s3-key                | S3 key prefix for uploads             | sbom/sbom.json | false    | false     |
+| github-token          | GitHub Token                          |                | false    | true      |
+| ghapp-token           | GitHub App Token                      |                | false    | true      |
+| aws-access-key-id     | AWS Access Key ID                     |                | true     | true      |
+| aws-secret-access-key | AWS Secret Access Key                 |                | true     | true      |
+| aws-region            | AWS Region                            | us-east-1      | false    | false     |
+| s3-bucket             | S3 Bucket Name                        |                | false    | false     |
+| s3-key                | S3 Key Prefix                         | sbom/sbom.json | false    | false     |
 | repository            | Repository to download SBOM from      |                | true     | false     |
 | sbom-format           | Final SBOM format (spdx or cyclonedx) | cyclonedx      | false    | false     |
-| clickhouse-url        | ClickHouse URL for uploads            |                | false    | true      |
-| clickhouse-port       | ClickHouse port                       | 8123           | false    | false     |
-| clickhouse-database   | ClickHouse database name              | default        | false    | false     |
-| clickhouse-username   | ClickHouse username                   | default        | false    | false     |
-| clickhouse-password   | ClickHouse password                   | (empty)        | false    | true      |
+| clickhouse-url        | ClickHouse URL                        |                | false    | true      |
+| clickhouse-database   | ClickHouse Database Name              | default        | false    | false     |
+| clickhouse-username   | ClickHouse Username                   | default        | false    | false     |
+| clickhouse-password   | ClickHouse Password                   | (empty)        | false    | true      |
 
 ### Notes
 
 - Either `github-token` or `ghapp-token` must be provided for authentication to the GitHub API.
 - `sbom-format` specifies the format you want the final SBOM to be in. For example, GitHub only supports SPDX, settings this input to `cyclonedx` will convert the SBOM to CycloneDX format.
+- At the moment, ClickHouse ingestion is only supported over HTTP.
 
 ## Usage
 
@@ -76,4 +77,51 @@ jobs:
           s3-bucket: my-sbom-bucket
           s3-key: clickbom.json
           repository: ${{ github.repository }}
-```
+```
+
+### Same Repository with ClickHouse
+
+Downloads the SBOM from the same repository and uploads it to S3. Converts the SBOM to CycloneDX format. Also uploads the SBOM to ClickHouse.
+
+```yaml
+name: Upload SBOM
+on:
+  push:
+    branches:
+      - main
+      
+jobs:
+  clickbom:
+    name: ClickBOM
+    runs-on: ubuntu-latest
+
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Configure AWS Credentials
+        id: aws-creds
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: arn:aws:iam::012345678912:role/GitHubOIDCRole
+          role-session-name: clickbom-session
+          aws-region: us-east-1
+
+      - name: Upload SBOM
+        uses: ./
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
+          aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
+          s3-bucket: my-sbom-bucket
+          s3-key: clickbom.json
+          repository: ${{ github.repository }}
+          clickhouse-url: ${{ secrets.CLICKHOUSE_URL }}
+          clickhouse-database: ${{ secrets.CLICKHOUSE_DATABASE }}
+          clickhouse-username: ${{ secrets.CLICKHOUSE_USERNAME }}
+          clickhouse-password: ${{ secrets.CLICKHOUSE_PASSWORD }}
+```
diff --git a/action.yml b/action.yml
@@ -35,10 +35,10 @@ inputs:
   clickhouse-url:
     description: 'ClickHouse URL for storing SBOM components data'
     required: false
-  clickhouse-port:
-    description: 'ClickHouse port'
-    required: false
-    default: '8123'
+  # clickhouse-port:
+  #   description: 'ClickHouse port'
+  #   required: false
+  #   default: '8123'
   clickhouse-database:
     description: 'ClickHouse database name'
     required: false
@@ -65,7 +65,7 @@ runs:
     REPOSITORY: ${{ inputs.repository }}
     SBOM_FORMAT: ${{ inputs.sbom-format }}
     CLICKHOUSE_URL: ${{ inputs.clickhouse-url }}
-    CLICKHOUSE_PORT: ${{ inputs.clickhouse-port }}
+    # CLICKHOUSE_PORT: ${{ inputs.clickhouse-port }}
     CLICKHOUSE_DATABASE: ${{ inputs.clickhouse-database }}
     CLICKHOUSE_USERNAME: ${{ inputs.clickhouse-username }}
     CLICKHOUSE_PASSWORD: ${{ inputs.clickhouse-password }}
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -251,6 +251,134 @@ upload_to_s3() {
     fi
 }
 
+# Create ClickHouse table if it doesn't exist, or truncate if it does
+setup_clickhouse_table() {
+    local table_name="$1"
+    
+    log_info "Setting up ClickHouse table: $table_name"
+    
+    # Build ClickHouse URL
+    local clickhouse_url="${CLICKHOUSE_URL}"
+    local auth_params=""
+    
+    if [[ -n "${CLICKHOUSE_USERNAME:-}" && "${CLICKHOUSE_USERNAME}" != "default" ]]; then
+        auth_params="--user ${CLICKHOUSE_USERNAME}"
+    fi
+    
+    if [[ -n "${CLICKHOUSE_PASSWORD:-}" ]]; then
+        auth_params="${auth_params} --password ${CLICKHOUSE_PASSWORD}"
+    fi
+    
+    # Check if table exists
+    local table_exists
+    if table_exists=$(curl -s ${auth_params} --data "SELECT COUNT(*) FROM system.tables WHERE database='${CLICKHOUSE_DATABASE}' AND name='${table_name}'" "${clickhouse_url}"); then
+        if [[ "$table_exists" == "1" ]]; then
+            log_info "Table $table_name exists, truncating..."
+            if curl -s ${auth_params} --data "TRUNCATE TABLE ${CLICKHOUSE_DATABASE}.${table_name}" "${clickhouse_url}"; then
+                log_success "Table $table_name truncated"
+            else
+                log_error "Failed to truncate table $table_name"
+                exit 1
+            fi
+        else
+            log_info "Creating new table: $table_name"
+            local create_table_sql="
+            CREATE TABLE ${CLICKHOUSE_DATABASE}.${table_name} (
+                name String,
+                version String,
+                license String,
+                inserted_at DateTime DEFAULT now()
+            ) ENGINE = MergeTree()
+            ORDER BY (name, version, license);
+            "
+            
+            if curl -s ${auth_params} --data "$create_table_sql" "${clickhouse_url}"; then
+                log_success "Table $table_name created successfully"
+            else
+                log_error "Failed to create table $table_name"
+                exit 1
+            fi
+        fi
+    else
+        log_error "Failed to check if table exists"
+        exit 1
+    fi
+}
+
+insert_sbom_data() {
+    local sbom_file="$1"
+    local table_name="$2"
+    local sbom_format="$3"
+    
+    log_info "Extracting components from $sbom_format SBOM for ClickHouse"
+    
+    # Build ClickHouse URL
+    local clickhouse_url="${CLICKHOUSE_URL}"
+    local auth_params=""
+    
+    if [[ -n "${CLICKHOUSE_USERNAME:-}" && "${CLICKHOUSE_USERNAME}" != "default" ]]; then
+        auth_params="--user ${CLICKHOUSE_USERNAME}"
+    fi
+    
+    if [[ -n "${CLICKHOUSE_PASSWORD:-}" ]]; then
+        auth_params="${auth_params} --password ${CLICKHOUSE_PASSWORD}"
+    fi
+    
+    # Create temporary file for data
+    local data_file="$temp_dir/clickhouse_data.tsv"
+    
+    # Extract data based on SBOM format
+    case "$sbom_format" in
+        "cyclonedx")
+            # Extract from CycloneDX format
+            jq -r '
+                .components[]? // empty |
+                [
+                    .name // "unknown",
+                    .version // "unknown", 
+                    (.licenses[]?.license.id // .licenses[]?.license.name // .licenses[]?.expression // "unknown")
+                ] | @tsv
+            ' "$sbom_file" > "$data_file"
+            ;;
+        "spdx"|"spdxjson")
+            # Extract from SPDX format
+            jq -r '
+                .packages[]? // empty |
+                select(.name != null) |
+                [
+                    .name // "unknown",
+                    .versionInfo // "unknown",
+                    (.licenseDeclared // .licenseConcluded // "unknown")
+                ] | @tsv
+            ' "$sbom_file" > "$data_file"
+            ;;
+        *)
+            log_error "Unsupported SBOM format for ClickHouse: $sbom_format"
+            exit 1
+            ;;
+    esac
+    
+    # Check if we have data to insert
+    if [[ ! -s "$data_file" ]]; then
+        log_warning "No component data found in SBOM"
+        return
+    fi
+    
+    local component_count=$(wc -l < "$data_file")
+    log_info "Found $component_count components to insert"
+    
+    # Insert data into ClickHouse
+    if curl -s ${auth_params} \
+           -H "Content-Type: text/tab-separated-values" \
+           --data-binary "@$data_file" \
+           "${clickhouse_url}/?query=INSERT%20INTO%20${CLICKHOUSE_DATABASE}.${table_name}%20(name,%20version,%20license)%20FORMAT%20TSV"; then
+        log_success "Inserted $component_count components into ClickHouse table $table_name"
+    else
+        log_error "Failed to insert data into ClickHouse"
+        exit 1
+    fi
+}
+
 # Global variable for temp directory (so cleanup can access it)
 temp_dir=""
 
@@ -317,6 +445,13 @@ main() {
 
     log_success "SBOM processing completed successfully!"
     log_info "SBOM available at: s3://$S3_BUCKET/$s3_key"
+
+    if [[ -n "${CLICKHOUSE_URL:-}" ]]; then
+        local table_name=$(echo "$REPOSITORY" | sed 's|[^a-zA-Z0-9]|_|g' | tr '[:upper:]' '[:lower:]')
+        setup_clickhouse_table "$table_name"
+        insert_sbom_data "$processed_sbom" "$table_name" "$desired_format"
+        log_info "Component data available in ClickHouse table: ${CLICKHOUSE_DATABASE}.${table_name}"
+    fi
 }
 
 # Run main function
