Update build.yml (#370)

* Update release.yaml use new release pattern and to provide the upload url to attach the SBOM to the release.
* Add the files needed to generate the SBOM.

Author: MartinWheelerMT

.github/workflows/release.yml

@@ -1,18 +1,22 @@
 on:
-  push:
-    tags: "*"
+  release:
+    types: [published]
 
 jobs:
   push_to_dockerhub:
-    name: "Push Docker Images to DockerHub"
     strategy:
       matrix:
-        image:
-          - {folder: service, dockerhub_name: nia-111-adaptor}
-          - {folder: nginx, dockerhub_name: nia-111-nginx-adaptor}
+        config:
+          - folder: docker/service
+            dockerhub_name: nia-111-adaptor
+            upload_url: ${{ github.event.release.upload_url }}
+          - folder: docker/nginx
+            dockerhub_name: nia-111-nginx-adaptor
+            upload_url: ${{ github.event.release.upload_url }}
     uses: NHSDigital/integration-adaptor-actions/.github/workflows/release-adaptor-container-image.yml@main
     with:
-      dockerhub_name: ${{matrix.image.dockerhub_name}}
-      folder: ${{matrix.image.folder}}
-
+      folder: ${{ matrix.config.folder }}
+      dockerhub_name: ${{ matrix.config.dockerhub_name }}
+      upload_url: ${{ matrix.config.upload_url }}
     secrets: inherit
+

scripts/config/.syft.yaml

@@ -0,0 +1,83 @@
+# a list of globs to exclude from scanning. same as --exclude ; for example:
+# exclude:
+#   - "/etc/**"
+#   - "./out/**/*.json"
+exclude:
+  - ./.git/**
+
+# maximum number of workers used to process the list of package catalogers in parallel
+parallelism: 3
+
+# cataloging packages is exposed through the packages and power-user subcommands
+package:
+  # search within archives that do contain a file index to search against (zip)
+  # note: for now this only applies to the java package cataloger
+  # SYFT_PACKAGE_SEARCH_INDEXED_ARCHIVES env var
+  search-indexed-archives: true
+  # search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
+  # note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
+  # note: for now this only applies to the java package cataloger
+  # SYFT_PACKAGE_SEARCH_UNINDEXED_ARCHIVES env var
+  search-unindexed-archives: true
+  cataloger:
+    # enable/disable cataloging of packages
+    # SYFT_PACKAGE_CATALOGER_ENABLED env var
+    enabled: true
+    # the search space to look for packages (options: all-layers, squashed)
+    # same as -s ; SYFT_PACKAGE_CATALOGER_SCOPE env var
+    scope: "squashed"
+
+# cataloging file contents is exposed through the power-user subcommand
+file-contents:
+  cataloger:
+    # enable/disable cataloging of secrets
+    # SYFT_FILE_CONTENTS_CATALOGER_ENABLED env var
+    enabled: true
+    # the search space to look for secrets (options: all-layers, squashed)
+    # SYFT_FILE_CONTENTS_CATALOGER_SCOPE env var
+    scope: "squashed"
+  # skip searching a file entirely if it is above the given size (default = 1MB; unit = bytes)
+  # SYFT_FILE_CONTENTS_SKIP_FILES_ABOVE_SIZE env var
+  skip-files-above-size: 1048576
+  # file globs for the cataloger to match on
+  # SYFT_FILE_CONTENTS_GLOBS env var
+  globs: []
+
+# cataloging file metadata is exposed through the power-user subcommand
+file-metadata:
+  cataloger:
+    # enable/disable cataloging of file metadata
+    # SYFT_FILE_METADATA_CATALOGER_ENABLED env var
+    enabled: true
+    # the search space to look for file metadata (options: all-layers, squashed)
+    # SYFT_FILE_METADATA_CATALOGER_SCOPE env var
+    scope: "squashed"
+  # the file digest algorithms to use when cataloging files (options: "sha256", "md5", "sha1")
+  # SYFT_FILE_METADATA_DIGESTS env var
+  digests: ["sha256"]
+
+# cataloging secrets is exposed through the power-user subcommand
+secrets:
+  cataloger:
+    # enable/disable cataloging of secrets
+    # SYFT_SECRETS_CATALOGER_ENABLED env var
+    enabled: true
+    # the search space to look for secrets (options: all-layers, squashed)
+    # SYFT_SECRETS_CATALOGER_SCOPE env var
+    scope: "all-layers"
+  # show extracted secret values in the final JSON report
+  # SYFT_SECRETS_REVEAL_VALUES env var
+  reveal-values: false
+  # skip searching a file entirely if it is above the given size (default = 1MB; unit = bytes)
+  # SYFT_SECRETS_SKIP_FILES_ABOVE_SIZE env var
+  skip-files-above-size: 1048576
+  # name-regex pairs to consider when searching files for secrets. Note: the regex must match single line patterns
+  # but may also have OPTIONAL multiline capture groups. Regexes with a named capture group of "value" will
+  # use the entire regex to match, but the secret value will be assumed to be entirely contained within the
+  # "value" named capture group.
+  additional-patterns: {}
+  # names to exclude from the secrets search, valid values are: "aws-access-key", "aws-secret-key", "pem-private-key",
+  # "docker-config-auth", and "generic-api-key". Note: this does not consider any names introduced in the
+  # "secrets.additional-patterns" config option.
+  # SYFT_SECRETS_EXCLUDE_PATTERN_NAMES env var
+  exclude-pattern-names: []

scripts/sbom-generator.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+
+set -e
+
+# Script to generate SBOM (Software Bill of Materials) for the repository
+# content and any artefact created by the CI/CD pipeline.
+#
+# Usage:
+#   $ ./generate-sbom.sh
+#
+# Options:
+#   VERBOSE=true  # Show all the executed commands, default is `false`
+
+# ==============================================================================
+
+# SEE: https://github.com/anchore/syft/pkgs/container/syft, use the `linux/amd64` os/arch
+image_version=v0.84.1@sha256:9a8f80eee3984d4a3f9a86e4d66e739e30dfc34564d76d3574f98798db5d5b35
+
+# ==============================================================================
+
+function main() {
+  echo $BUILD_SOURCESIRECTORY
+  create-sbom
+  enrich-sbom
+}
+
+function create-sbom() {
+
+  docker run --rm --platform linux/amd64 \
+    --volume $PWD:/scan \
+    --workdir /scan \
+    ghcr.io/anchore/syft:$image_version \
+      packages dir:/scan \
+      --config /scan/scripts/config/.syft.yaml \
+      --output spdx-json=/scan/sbom-spdx.tmp.json
+}
+
+function enrich-sbom() {
+
+  git_url=$(git config --get remote.origin.url)
+  git_branch=$(git rev-parse --abbrev-ref HEAD)
+  git_commit_hash=$(git rev-parse HEAD)
+  git_tags=$(echo \"$(git tag | tr '\n' ',' | sed 's/,$//' | sed 's/,/","/g')\" | sed 's/""//g')
+  pipeline_run_id=${BUILD_BUILDID:-0}
+  pipeline_run_number=${BUILD_BUILDNUMBER:-0}
+  pipeline_run_attempt=${GITHUB_RUN_ATTEMPT:-0}
+  echo "pipeline_run_attempt: ${pipeline_run_id}"
+  docker run --rm --platform linux/amd64 \
+    --volume $PWD:/repo \
+    --workdir /repo \
+    ghcr.io/make-ops-tools/jq:latest \
+      '.creationInfo |= . + {"repository":{"url":"'${git_url}'","branch":"'${git_branch}'","tags":['${git_tags}'],"commitHash":"'${git_commit_hash}'"},"pipeline":{"id":'${pipeline_run_id}',"number":'${pipeline_run_number}',"attempt":'${pipeline_run_attempt}'}}' \
+      sbom-spdx.tmp.json \
+        > sbom-spdx.json
+  rm -f sbom-spdx.tmp.json
+}
+
+function is_arg_true() {
+
+  if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+# ==============================================================================
+
+is_arg_true "$VERBOSE" && set -x
+
+main $*
+
+exit 0