RD-977 Use new API for getting SBOM result (#3)

* RD-977 Use new API for getting SBOM result

* RD-977 Use test env API base URL for testing

* RD-977 Build

* RD-977 Fix aritifact root directory name

* RD-977 Refactor code

* RD-977 Update README.md

* RD-977 Refactor code

* RD-977 Build

* RD-977 Update sample data

* RD-977 Use production config

* RD-977 Cover edge case: no SBOM found after scan finished

* RD-977 Add debugging log

* RD-977 Refactor code

* RD-977 Bump version

---------

Co-authored-by: Clay Sang <[email protected]>

Author: chao-deepbits

README.md

@@ -49,10 +49,19 @@ jobs:
 
 After the scan is complete, an artifact named `DEEPBITS_SCAN_RESULTS` will be generated, which contains two files:
 
-| Output              | Description                                                           |
-| ------------------- | --------------------------------------------------------------------- |
-| sbom.CycloneDX.json | SBOM in CycloneDX format                                              |
-| scanSummary.json    | Scan result contains vulnerability and malware summary in JSON format |
+| Output                                       | Description                                                                                                                                                                                                      |
+| -------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| deepbits-sbom-{{owner}}-{{repo}}-{{sha}}.zip | A ZIP file consists of the SBOM result, along with the signature of the SBOM and Deepbits’ certificate required for verifying the signature. (For example: deepbits-sbom-DeepBitsTechnology-getsbom-db3bc50.zip) |
+| scanSummary.json                             | Scan result contains vulnerability and malware summary in JSON format                                                                                                                                            |
+
+The structure of the `deepbits-sbom-{{owner}}-{{repo}}-{{sha}}.zip` file is as follows:
+
+| FileName                                  | Description                                                                                |
+| ----------------------------------------- | ------------------------------------------------------------------------------------------ |
+| {{owner}}-{{repo}}-{{sha}}.CycloneDX.json | SBOM in CycloneDX format. (For example: DeepBitsTechnology-getsbom-db3bc50.CycloneDX.json) |
+| CycloneDX.signature.bin                   | The signature of the SBOM                                                                  |
+| deepbits.cert                             | Deepbits’ certificate required for verifying the signature                                 |
+| README.md                                 | Contains instructions on how to verify the signature                                       |
 
 **We have included a sample folder called `sample_scan_results` in the repository [here](./samples/DEEPBITS_SCAN_RESULTS/).**
 
@@ -102,4 +111,4 @@ This project is licensed under the MIT License. Please see the `LICENSE` file fo
 
 ## Support
 
-If you encounter any issues or have any questions about the Deepbits SBOM Scanner GitHub Action, please feel free to contact us at [[email protected]](mailto:[email protected]). We are always happy to help!
+If you encounter any issues or have any questions about the Deepbits SBOM GitHub Action, please feel free to contact us at [[email protected]](mailto:[email protected]). We are always happy to help!

__tests__/main.test.ts

@@ -27,9 +27,12 @@ describe('Main', () => {
     it('should call expected functions with correct parameters if repository is public and scan result exists', async () => {
       jest.spyOn(deepbitsAction, 'isRepoPublic').mockResolvedValueOnce(true);
 
+      const mockScanResultId = 'mockScanResultId';
+
       const mockScanResult = {
         scanResult: [
           {
+            _id: mockScanResultId,
             finalResult: {bom: 'bom'},
             scanEndAt: Date.now().toString(),
           },
@@ -39,19 +42,30 @@ describe('Main', () => {
         .spyOn(deepbitsAction, 'getScanResult')
         .mockResolvedValueOnce(mockScanResult);
 
+      const mockDownloadCommitSbomZipResult =
+        'DEEPBITS_SCAN_RESULTS/mockDownloadCommitSbomZipResult.zip';
+      jest
+        .spyOn(deepbitsAction, 'downloadCommitSbomZip')
+        .mockResolvedValueOnce(mockDownloadCommitSbomZipResult);
+
       // Set up the expected artifact upload parameters
       const expectedUploadParams = [
-        {name: 'sbom.CycloneDX', jsonContent: 'bom'},
-        {name: 'scanSummary', jsonContent: {bom: 'bom'}},
+        [{name: 'scanSummary', jsonContent: {bom: 'bom'}}, ,],
+        [mockDownloadCommitSbomZipResult],
       ];
 
       await run();
 
       expect(core.setFailed).not.toHaveBeenCalled();
 
+      expect(deepbitsAction.downloadCommitSbomZip).toHaveBeenCalledTimes(1);
+      expect(deepbitsAction.downloadCommitSbomZip).toHaveBeenCalledWith(
+        mockScanResultId
+      );
+
       expect(deepbitsAction.uploadArtifacts).toHaveBeenCalledTimes(1);
       expect(deepbitsAction.uploadArtifacts).toHaveBeenCalledWith(
-        expectedUploadParams
+        ...expectedUploadParams
       );
 
       expect(deepbitsAction.setInfo).toHaveBeenCalledTimes(1);
@@ -65,17 +79,18 @@ describe('Main', () => {
         .mockResolvedValueOnce(undefined);
 
       const expectedUploadParams = [
-        {name: 'sbom.CycloneDX', jsonContent: {}},
-        {name: 'scanSummary', jsonContent: {}},
+        [{name: 'scanSummary', jsonContent: {}}],
+        undefined,
       ];
 
       await run();
 
       expect(core.setFailed).not.toHaveBeenCalled();
+      expect(deepbitsAction.downloadCommitSbomZip).not.toHaveBeenCalled();
 
       expect(deepbitsAction.uploadArtifacts).toHaveBeenCalledTimes(1);
       expect(deepbitsAction.uploadArtifacts).toHaveBeenCalledWith(
-        expectedUploadParams
+        ...expectedUploadParams
       );
 
       expect(deepbitsAction.setInfo).toHaveBeenCalledTimes(1);

__tests__/utils/DeepbitsGitHubAction.test.ts

@@ -2,18 +2,32 @@ import * as artifact from '@actions/artifact';
 import * as core from '@actions/core';
 import * as github from '@actions/github';
 import {afterEach, describe, expect, it, jest} from '@jest/globals';
+import axios from 'axios';
 import * as fs from 'fs';
 import {GitHubCommitDefWithPopulatedScanResult} from '../../src/types/deepbitsApi';
-import * as deepbitsApi from '../../src/utils/api';
 import {
+  downloadCommitSbomZip,
   getScanResult,
   isRepoPublic,
   setInfo,
   uploadArtifacts,
 } from '../../src/utils/DeepbitsGitHubAction';
+import * as deepbitsApi from '../../src/utils/api';
 
 const testToken = 'test-token';
 
+jest.mock('axios', () => {
+  return {
+    get: jest.fn(),
+    create: jest.fn(() => ({
+      interceptors: {
+        request: {use: jest.fn(), eject: jest.fn()},
+        response: {use: jest.fn(), eject: jest.fn()},
+      },
+    })),
+  };
+});
+
 jest.mock('@actions/artifact');
 jest.mock('@actions/core');
 jest.mock('@actions/github', () => ({
@@ -202,4 +216,119 @@ describe('DeepbitsGitHubAction', () => {
       expect(result).toEqual({success: false});
     });
   });
+
+  describe('downloadCommitSbomZip', () => {
+    const rootDirectory = 'DEEPBITS_SCAN_RESULTS';
+
+    const mkdirSyncMock = jest.spyOn(fs, 'mkdirSync');
+    const writeFileSyncMock = jest.spyOn(fs, 'writeFileSync');
+
+    it('should return the zip file location correctly', async () => {
+      const existsSyncMock = jest
+        .spyOn(fs, 'existsSync')
+        .mockReturnValueOnce(false);
+
+      const sbomId = 'mock_sbom_id';
+
+      const MOCK_FILE_NAME = 'mock_file.zip';
+      const MOCK_CONTENT_DISPOSITION = `attachment; filename="${MOCK_FILE_NAME}"`;
+      const MOCK_ARRAY_BUFFER = new ArrayBuffer(8);
+      const MOCK_FILE_BUFFER = Buffer.from(MOCK_ARRAY_BUFFER);
+
+      const expectedUrl = `${deepbitsApi.BASE_URL}/gh/test-owner/test-repo/test-sha/sbom/${sbomId}`;
+      const expectedFileLocation = `${rootDirectory}/${MOCK_FILE_NAME}`;
+
+      jest.spyOn(axios, 'get').mockResolvedValueOnce({
+        data: MOCK_ARRAY_BUFFER,
+        headers: {
+          'content-disposition': MOCK_CONTENT_DISPOSITION,
+        },
+      });
+
+      const result = await downloadCommitSbomZip(sbomId);
+
+      expect(existsSyncMock).toHaveBeenCalledWith(rootDirectory);
+      expect(mkdirSyncMock).toHaveBeenCalledWith(rootDirectory);
+
+      expect(axios.get).toHaveBeenCalledWith(expectedUrl, {
+        responseType: 'arraybuffer',
+      });
+
+      expect(writeFileSyncMock).toHaveBeenCalledWith(
+        expectedFileLocation,
+        MOCK_FILE_BUFFER
+      );
+
+      expect(result).toEqual(expectedFileLocation);
+    });
+
+    it('should return undefined if no SBOM content found', async () => {
+      const existsSyncMock = jest
+        .spyOn(fs, 'existsSync')
+        .mockReturnValueOnce(false);
+
+      const sbomId = 'mock_sbom_id';
+
+      const expectedUrl = `${deepbitsApi.BASE_URL}/gh/test-owner/test-repo/test-sha/sbom/${sbomId}`;
+
+      const noBomContentFoundError = {
+        response: {
+          status: 404,
+          data: {
+            meta: {
+              code: 404,
+              message: 'Not Found',
+            },
+            data: {
+              errorReason: 'No bom content found',
+            },
+          },
+        },
+      };
+
+      jest.spyOn(axios, 'get').mockRejectedValueOnce(noBomContentFoundError);
+
+      const result = await downloadCommitSbomZip(sbomId);
+
+      expect(existsSyncMock).toHaveBeenCalledWith(rootDirectory);
+      expect(mkdirSyncMock).toHaveBeenCalledWith(rootDirectory);
+
+      expect(axios.get).toHaveBeenCalledWith(expectedUrl, {
+        responseType: 'arraybuffer',
+      });
+
+      expect(writeFileSyncMock).not.toHaveBeenCalled();
+
+      expect(core.info).toHaveBeenCalledWith('No SBOM found');
+
+      expect(result).toEqual(undefined);
+    });
+
+    it('should throw error if get SBOM ZIP failed', async () => {
+      const existsSyncMock = jest
+        .spyOn(fs, 'existsSync')
+        .mockReturnValueOnce(false);
+
+      const sbomId = 'mock_sbom_id';
+
+      const expectedUrl = `${deepbitsApi.BASE_URL}/gh/test-owner/test-repo/test-sha/sbom/${sbomId}`;
+
+      const error = new Error('Request failed with status code 500');
+
+      jest.spyOn(axios, 'get').mockRejectedValueOnce(error);
+
+      await expect(downloadCommitSbomZip(sbomId)).rejects.toThrow();
+
+      expect(existsSyncMock).toHaveBeenCalledWith(rootDirectory);
+      expect(mkdirSyncMock).toHaveBeenCalledWith(rootDirectory);
+
+      expect(axios.get).toHaveBeenCalledWith(expectedUrl, {
+        responseType: 'arraybuffer',
+      });
+
+      expect(writeFileSyncMock).not.toHaveBeenCalled();
+
+      expect(core.setFailed).toHaveBeenCalledWith('Failed to download SBOM');
+    });
+  });
 });

dist/index.js

@@ -1,6 +1,6 @@
 {
   "name": "@deepbits/getsbom",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "private": true,
   "description": "GitHub Action for creating and analyzing SBOM for your project to find vulnerabilities and license issues",
   "main": "lib/main.js",

dist/index.js.map

@@ -1,5 +1,6 @@
 import * as core from '@actions/core';
 import {
+  downloadCommitSbomZip,
   getScanResult,
   isRepoPublic,
   setInfo,
@@ -15,14 +16,20 @@ export async function run(): Promise<void> {
       return;
     }
 
-    const scanResult = await getScanResult();
+    const scanResult = (await getScanResult())?.scanResult?.[0];
 
-    const {finalResult} = scanResult?.scanResult?.[0] ?? {};
+    let sbomZipFileLocation: string | undefined;
 
-    await uploadArtifacts([
-      {name: 'sbom.CycloneDX', jsonContent: finalResult?.bom || {}},
-      {name: 'scanSummary', jsonContent: finalResult || {}},
-    ]);
+    if (scanResult?._id) {
+      sbomZipFileLocation = await downloadCommitSbomZip(scanResult._id);
+    }
+
+    const {finalResult} = scanResult ?? {};
+
+    await uploadArtifacts(
+      [{name: 'scanSummary', jsonContent: finalResult || {}}],
+      sbomZipFileLocation ? [sbomZipFileLocation] : undefined
+    );
 
     await setInfo();
   } catch (error) {