ci: integrate Syft and Grype for SBOM management

Signed-off-by: Pierre-Yves Lapersonne <[email protected]>

Author: pylapp

.github/DEVELOP.md

@@ -22,6 +22,7 @@
 - [Linter](#linter)
 - [Formater](#formater)
 - [Dead code](#dead-code)
+- [Software Bill of Materials](#software-bill-of-materials)
 - [CI/CD](#cicd)
 - [Update 3rd parties](#update-3rd-parties)
 
@@ -79,6 +80,14 @@ brew install xcodesorg/made/xcodes
 # For git-cliff (at least 2.8.0)
 brew install git-cliff
 
+
+# For Syft (at least 1.26.1)
+brew install syft
+
+# For Grype (at least 0.92.2)
+brew tap anchore/grype
+brew install grype
+
 # For LicensePlist (at least 3.27.1)
 brew install licenseplist
 ```
@@ -483,6 +492,18 @@ And run:
 bundle exec fastlane check_dead_code
 ```
 
+## Software Bill of Materials
+
+For software quality reasons, intellectual property compliance, users trust and legal oblgitations with Cyber Resilience Act (CRA) and NIS2, it it interesing or mandatory to keep updated a Software Bill Of Materials (SBOM). And with such file listing dependencies in several levels we are able to make scans of them and check if there are known vulnerabilities.
+
+To do these operations, we use [Syft](https://github.com/anchore/syft) to generate a SBOM in CycloneDX format, which will processed by [Grype](https://github.com/anchore/grype) to check if there are known vulnerabilities.
+
+These operations, triggered in CLI, are wrapped in a Fastlane command:
+
+```shell
+bundle exec fastlane update_sbom
+```
+
 ## CI/CD
 
 ### GitHub Action

DesignToolbox/fastlane/Fastfile

@@ -91,7 +91,7 @@ platform :ios do
     # ------------------------------------------------------------
     # RUN PERIPHERY FOR DEAD CODE ANALYSIS
     # ------------------------------------------------------------
-    desc "RUN PERIPHERY FOR DEAD CODE ANALYSIS"
+    desc "Run Periphery to look dor dead code in the code base. Avoid strict mode because some false positive remains and command must be fine-tuned."
     lane :check_dead_code do
         puts "👉 Check dead code with Periphery"
 
@@ -101,7 +101,7 @@ platform :ios do
     # ------------------------------------------------------------
     # RUN SWIFT FORMAT TO FORMAT SOURCES
     # ------------------------------------------------------------
-    desc "RUN SWIFT FORMAT TO FORMAT SOURCES"
+    desc "Run SwiftFormat to format Swift source files according to the local configuration."
     lane :format do
         puts "👉 Run Swift Format to format sources"
 
@@ -112,7 +112,7 @@ platform :ios do
     # ------------------------------------------------------------
     # RUN SWIFT LINT TO CHECK SMELLS
     # ------------------------------------------------------------
-    desc "RUN SWIFT LINT TO CHECK SMELLS"
+    desc "Run SwiftLint in strict mode to detect code smells"
     lane :lint do
         puts "👉 Run Swift Lint for smells"
 
@@ -123,7 +123,7 @@ platform :ios do
     # ------------------------------------------------------------
     # RUN LICENSE-PLSIT FOR 3RD PARTIES UPDATES
     # ------------------------------------------------------------
-    desc "RUN LICENSEPLIST TO UPDATE LIST OF THIRD PARTIES"
+    desc "Run LicensePlist to update list of third-parties"
     lane :update_3rd_parties do
         puts "👉 Run LicensePlist to update list of third-parties"
 
@@ -141,14 +141,34 @@ platform :ios do
     # ------------------------------------------------------------
     # RUN GITLEAKS FOR SECET LEAKS SCAN
     # ------------------------------------------------------------
-    desc "RUN GITLEAKS FOR SECET LEAKS SCAN"
+    desc "Run GitLeaks to look for leaks of secrets in project and Git history"
     lane :check_leaks do
         puts "👉 Run Gitleaks for leaks scan"
 
         # If there are violations, non 0 error be returned by swiftlint, making Fastlane fail (expected)
         sh "cd .. && gitleaks detect -v -l debug --source ."
     end
 
+    # ------------------------------------------------------------
+    # RUN SYFT AND GRYPE TO BUILD AND ANALYSE SBOM
+    # ------------------------------------------------------------
+    desc "Generates a SBOM (Software Bill Of Materials) in CycloneDX format with Syft and analsye it with Grype to as to check for vulnerabilities"
+    lane :update_sbom do
+        puts "👉 Run Syft to generate the SBOM"
+
+        sbomFormat = "cyclonedx-json"
+        # In { negligible, low, medium, high, critical }
+        vulnerabilitiesTolerance = "negligible"
+
+        Dir.chdir "../.." do
+            # Run the command to generate SBOM
+            sh "syft . -o #{sbomFormat} > SBOM.json"
+
+            # Process the SBOM
+            sh "grype sbom:./SBOM.json --fail-on #{vulnerabilitiesTolerance}"
+        end
+    end
+
     # ------------------------------------------------------------
     # UPDATE BUILD NUMBER WITH TIMESTAMP
     # ------------------------------------------------------------
@@ -168,7 +188,7 @@ platform :ios do
     # -------------------
     # RUN SNAPSHOTS TESTS
     # -------------------
-    desc "RUN SNAPSHOTS TESTS BY TRIGGERING THE TESTS PLANS OF THE PROJECT"
+    desc "Run snapshots tests in the demo app to look for visual regressions of components defined in OUDS package"
     lane :test_snapshots do
         puts "👉 Run UI tests"
 
@@ -199,7 +219,7 @@ platform :ios do
     # ------------
     # RUN UI TESTS
     # ------------
-    desc "RUN UI TESTS BY TRIGGERING THE TESTS PLANS OF THE PROJECT"
+    desc "Run UI tests in the demo app to check some specific components behaviors"
     lane :test_ui do
         puts "👉 Run UI tests"
 
@@ -230,7 +250,7 @@ platform :ios do
     # ------------------------------------------------------------
     # BUILD DEBUG APP
     # ------------------------------------------------------------
-    desc "BUILD DEBUG APP"
+    desc "Build locally the demo app in debug mode without upload"
     lane :buildDebugApp do
         puts "👉 Build debug app"
 
@@ -258,7 +278,7 @@ platform :ios do
     # ------------------------------------------------------------
     # BUILD & UPLOAD TO TESTFLIGHT ALPHA APP
     # ------------------------------------------------------------
-    desc "BUILD & UPLOAD TO TESTFLIGHT ALPHA APP"
+    desc "Build the demo app in alpha mode and upload to TestFlight"
     lane :alpha do |params|
         issues_numbers = params[:issueNumber]
         puts "👉 Alpha (commit hash = '#{params[:commitHash]}', issue number = '#{issues_numbers}')"
@@ -298,7 +318,7 @@ platform :ios do
     # ------------------------------------------------------------
     # BUILD & UPLOAD TO TESTFLIGHT BETA APP
     # ------------------------------------------------------------
-    desc "BUILD & UPLOAD TO TESTFLIGHT BETA APP"
+    desc "Build the demo app in neta mode and upload to TestFlight"
     lane :beta do |params|
         puts "👉 Beta (commit hash = '#{params[:commitHash]}')"
         Dir.chdir "../#{OUDS_PROJECT_NAME}/Resources/Assets.xcassets" do
@@ -335,7 +355,7 @@ platform :ios do
     # ------------------------------------------------------------
     # BUILD & UPLOAD TO STORE STABLE APP
     # ------------------------------------------------------------
-    desc "BUILD & UPLOAD TO STORE (if set in options: upload) STABLE APP"
+    desc "Build the demo app in stable mode and, if defined, upload to internal portal for App Store publication"
     lane :stable do |params|
         puts "👉 Stable"
 
@@ -376,6 +396,7 @@ platform :ios do
     # -----------------------------------------------------------------------
     # PRIVATE LANE BUILD & UPLOAD (ALPHA / BETA is set by main lane)
     # -----------------------------------------------------------------------
+    desc "Build the demo app in a defined mode and upload if needed to TestFlight or internal portal for App Store publication"
     private_lane :build_and_upload do |params|
         isAlpha = params[:isAlpha]
 
@@ -420,7 +441,7 @@ platform :ios do
     # -----------------------------------------------------------------------
     # PRIVATE LANE BUILD (ALPHA / BETA / STABLE is set by main lane)
     # -----------------------------------------------------------------------
-    desc "PRIVATE LANE BUILD (ALPHA / BETA / STABLE is set by main lane)"
+    desc "Build the demo app"
     private_lane :build do
         puts "👉 Build"
 
@@ -472,7 +493,7 @@ platform :ios do
     # --------------------------------------------------------------------------
     # PRIVATE LANE UPLOAD TO TESTFLIGHT (ALPHA / BETA is set by main lane)
     # ---------------------------------------------------------------------------
-    desc "PRIVATE LANE UPLOAD TO TESTFLIGHT"
+    desc "Upload the demo app to TestFlight"
     private_lane :upload_2_testflight do |params|
         puts "👉 Upload"
 
@@ -525,7 +546,7 @@ platform :ios do
     # ----------------------------
     # PRIVATE LANE UPLOAD TO STORE
     # ----------------------------
-    desc "PRIVATE LANE UPLOAD TO STORE"
+    desc "Upload the demo app to the internal portal for the App Store publication"
     private_lane :upload_2_store do |params|
         puts "👉 Upload to store"
 

DesignToolbox/fastlane/README.md

@@ -21,39 +21,47 @@ For _fastlane_ installation instructions, see [Installing _fastlane_](https://do
 [bundle exec] fastlane ios check_dead_code
 ```
 
-RUN PERIPHERY FOR DEAD CODE ANALYSIS
+Run Periphery to look dor dead code in the code base. Avoid strict mode because some false positive remains and command must be fine-tuned.
 
 ### ios format
 
 ```sh
 [bundle exec] fastlane ios format
 ```
 
-RUN SWIFT FORMAT TO FORMAT SOURCES
+Run SwiftFormat to format Swift source files according to the local configuration.
 
 ### ios lint
 
 ```sh
 [bundle exec] fastlane ios lint
 ```
 
-RUN SWIFT LINT TO CHECK SMELLS
+Run SwiftLint in strict mode to detect code smells
 
 ### ios update_3rd_parties
 
 ```sh
 [bundle exec] fastlane ios update_3rd_parties
 ```
 
-RUN LICENSEPLIST TO UPDATE LIST OF THIRD PARTIES
+Run LicensePlist to update list of third-parties
 
 ### ios check_leaks
 
 ```sh
 [bundle exec] fastlane ios check_leaks
 ```
 
-RUN GITLEAKS FOR SECET LEAKS SCAN
+Run GitLeaks to look for leaks of secrets in project and Git history
+
+### ios update_sbom
+
+```sh
+[bundle exec] fastlane ios update_sbom
+```
+
+Generates a SBOM (Software Bill Of Materials) in CycloneDX format with Syft and analsye it with Grype to as to check for vulnerabilities
 
 ### ios update_build_number
 
@@ -69,47 +77,47 @@ UPDATE BUILD NUMBER WITH TIMESTAMP
 [bundle exec] fastlane ios test_snapshots
 ```
 
-RUN SNAPSHOTS TESTS BY TRIGGERING THE TESTS PLANS OF THE PROJECT
+Run snapshots tests in the demo app to look for visual regressions of components defined in OUDS package
 
 ### ios test_ui
 
 ```sh
 [bundle exec] fastlane ios test_ui
 ```
 
-RUN UI TESTS BY TRIGGERING THE TESTS PLANS OF THE PROJECT
+Run UI tests in the demo app to check some specific components behaviors
 
 ### ios buildDebugApp
 
 ```sh
 [bundle exec] fastlane ios buildDebugApp
 ```
 
-BUILD DEBUG APP
+Build locally the demo app in debug mode without upload
 
 ### ios alpha
 
 ```sh
 [bundle exec] fastlane ios alpha
 ```
 
-BUILD & UPLOAD TO TESTFLIGHT ALPHA APP
+Build the demo app in alpha mode and upload to TestFlight
 
 ### ios beta
 
 ```sh
 [bundle exec] fastlane ios beta
 ```
 
-BUILD & UPLOAD TO TESTFLIGHT BETA APP
+Build the demo app in neta mode and upload to TestFlight
 
 ### ios stable
 
 ```sh
 [bundle exec] fastlane ios stable
 ```
 
-BUILD & UPLOAD TO STORE (if set in options: upload) STABLE APP
+Build the demo app in stable mode and, if defined, upload to internal portal for App Store publication
 
 ----
 

THIRD_PARTY.md

@@ -104,6 +104,12 @@ Copyright (c) 2019 Zachary Rice
 *gitleaks* is distributed under the terms and conditions of the [MIT License](http://opensource.org/licenses/MIT).
 You may download the source code on the [following website](https://github.com/gitleaks/gitleaks).
 
+#### Grype
+<!-- (CI/CD, tools, etc.) -->
+
+*Grype* is distributed under the terms and conditions of the [Apache 2.0 License](https://opensource.org/license/apache-2-0).
+You may download the source code on the [following website](https://github.com/anchore/grype).
+
 #### Periphery
 <!-- Xcode target -->
 
@@ -143,3 +149,9 @@ Copyright 2024 App Deco Studio Inc.
 
 *SwiftPolyglot* is distributed under the terms and conditions of the [MIT License](http://opensource.org/licenses/MIT).
 You may download the source code on the [following website](https://github.com/appdecostudio/SwiftPolyglot).
+
+### Syft
+<!-- (CI/CD, tools, etc.) -->
+
+*Syft* is distributed under the terms and conditions of the [Apache 2.0 License](https://opensource.org/license/apache-2-0).
+You may download the source code on the [following website](https://github.com/anchore/syft).

docs_release/README.md

@@ -52,6 +52,15 @@ Keep in mind the internal GitLab runners use tricks to check if things evolved t
 bundle exec fastlane update_3rd_parties
 ```
 
+- Update the SBOM
+
+```shell
+bundle exec fastlane update_sbom
+```
+
+>[!IMPORTANT]
+> Keeping up-to-date the SBOM and check for vulnerabilities is important for both software quality, users trust and legal obligations like the Cyber Resilience Act or NIS2.
+
 - Verify the changes mentioned above, then commit and push.
 
 - Create a new pull request named `Prepare release X.Y.Z` on GitHub to merge your branch into `develop`.