
Add a workflow to test the ORT to ScanCode.io integration #79


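name: Generate or load SBOMs from ORT into ScanCode.io
# This workflow:
# 1. Generates CycloneDX and SPDX SBOMs with ORT, or
# 2. Loads ORT SBOM test assets checked into the ScanCode.io repository, then
# 3. Loads the SBOM into ScanCode.io for further analysis.
# 4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
#
# It runs on demand, once a week (scheduled), on pull requests and on pushes to main.
#
# Security notes:
# - The top-level `permissions` block limits the GITHUB_TOKEN to read-only access
#   on repository contents. No job below needs write access and no `secrets.*`
#   are referenced; keep it that way, because `pull_request` also runs for
#   pull requests opened from forks.
# - `oss-review-toolkit/ort-ci-github-action` and `aboutcode-org/scancode-action`
#   are consumed from their mutable `main` branch, and ScanCode.io itself is
#   installed from `main` via `scancodeio-repo-branch`. That is presumably
#   intentional here (the point is to exercise the latest integration), but it
#   means a push to either upstream repository changes the code that runs in
#   this workflow. If reproducibility ever matters, pin both actions to a full
#   commit SHA and let Dependabot/Renovate bump them.
on:
  workflow_dispatch:
  schedule:
    # Run once a week (every 7 days) at 00:00 UTC on Sunday
    - cron: "0 0 * * 0"
  pull_request:
  push:
    branches:
      - main

permissions:
  contents: read

jobs:
  # Publishes the ORT test assets from the ScanCode.io repository as short-lived
  # (1 day) artifacts so that the `load-*` jobs below can consume them without
  # doing their own checkout. The job id is referenced verbatim by the `needs:`
  # of every downstream job, so its spelling is left unchanged.
  checkout-ort-test-assests-from-scancode-io-repo:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout ScanCode.io repository
        uses: actions/checkout@v5
        with:
          # This job only reads test fixtures; there is no reason to leave the
          # GITHUB_TOKEN in .git/config where later steps could read it.
          persist-credentials: false
      - name: Upload orthw mime types example
        uses: actions/upload-artifact@v4
        with:
          name: npm-mime-types-2.1.26-scan-result.json
          path: scanpipe/tests/data/integrations-ort/orthw-example-scan-result/npm-mime-types-2.1.26-scan-result.json
          overwrite: true
          retention-days: 1
      - name: Upload CycloneDX v1.6 ORT test result
        uses: actions/upload-artifact@v4
        with:
          name: ort-cyclonedx-1.6-result.cyclonedx.json
          path: scanpipe/tests/data/integrations-ort/ort-reporter-cyclonedx-1.6-funtest-resources/cyclonedx-reporter-expected-result.json
          overwrite: true
          retention-days: 1
      - name: Upload CycloneDX v1.6 ORT test result with findings
        uses: actions/upload-artifact@v4
        with:
          name: ort-cyclonedx-1.6-result-with-findings.cyclonedx.json
          path: scanpipe/tests/data/integrations-ort/ort-reporter-cyclonedx-1.6-funtest-resources/cyclonedx-reporter-expected-result-with-findings.json
          overwrite: true
          retention-days: 1
      - name: Upload CycloneDX v1.6 ORT test result without findings
        uses: actions/upload-artifact@v4
        with:
          name: ort-cyclonedx-1.6-result-without-findings.cyclonedx.json
          path: scanpipe/tests/data/integrations-ort/ort-reporter-cyclonedx-1.6-funtest-resources/cyclonedx-reporter-expected-result-without-findings.json
          overwrite: true
          retention-days: 1
      - name: Upload SPDX v2.2 ORT test result
        uses: actions/upload-artifact@v4
        with:
          name: ort-spdx-2.2-result.spdx.json
          path: scanpipe/tests/data/integrations-ort/ort-reporter-spdx-2.2-funtest-resources/synthetic-scan-result-expected-output.spdx.json
          overwrite: true
          retention-days: 1
      - name: Upload SPDX v2.3 ORT test result
        uses: actions/upload-artifact@v4
        with:
          name: ort-spdx-2.3-result.spdx.json
          path: scanpipe/tests/data/integrations-ort/ort-reporter-spdx-2.3-funtest-resources/synthetic-scan-result-expected-output.spdx.json
          overwrite: true
          retention-days: 1

  # Generates a CycloneDX 1.5 SBOM with ORT from a small Python requirements set
  # (presumably pinned to old releases so that at least one known vulnerability
  # is reported, which the final assertion requires), loads it into ScanCode.io
  # and checks that packages, vulnerabilities and dependencies were imported.
  generate-python-cyclonedx-1-5-sbom-with-ort-load-into-scancode-io:
    runs-on: ubuntu-24.04
    steps:
      - name: Create a Python requirements.txt
        run: |
          cat << 'EOF' > requirements.txt
          click==6.7
          Flask==1.0
          itsdangerous==0.24
          EOF
      - name: Run GitHub Action for ORT
        # Mutable ref on purpose (latest ORT); pin to a commit SHA for reproducible runs.
        uses: oss-review-toolkit/ort-ci-github-action@main
        with:
          ort-cli-report-args: "-O CycloneDX=output.file.formats=json -O CycloneDX=schema.version=1.5"
          report-formats: "CycloneDx"
          run: >
            analyzer,
            evaluator,
            advisor,
            reporter
      - name: Import SBOM into ScanCode.io
        # Mutable ref on purpose (latest action and latest ScanCode.io `main`).
        uses: aboutcode-org/scancode-action@main
        with:
          pipelines: "load_sbom"
          # ORT_RESULTS_PATH is expected to be exported by the ORT action above.
          inputs-path: "${{ env.ORT_RESULTS_PATH }}/bom.cyclonedx.json"
          scancodeio-repo-branch: "main"
      - name: Verify SBOM analysis results in ScanCode.io
        shell: bash
        # Relies on the `scanpipe` CLI and its database settings being left in
        # place by the scancode-action step above.
        run: |
          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 6; assert package_manager.vulnerable().count() >= 1; assert DiscoveredDependency.objects.count() >= 5"

  # Same as above for CycloneDX 1.6 with a different requirements set.
  generate-python-cyclonedx-1-6-sbom-with-ort-load-into-scancode-io:
    runs-on: ubuntu-24.04
    steps:
      - name: Create a Python requirements.txt
        run: |
          cat << 'EOF' > requirements.txt
          amqp==5.1.1
          appdirs==1.4.4
          asgiref==3.5.2
          urllib3==1.26.0
          EOF
      - name: Run GitHub Action for ORT
        # Mutable ref on purpose (latest ORT); pin to a commit SHA for reproducible runs.
        uses: oss-review-toolkit/ort-ci-github-action@main
        with:
          ort-cli-report-args: "-O CycloneDX=output.file.formats=json -O CycloneDX=schema.version=1.6"
          report-formats: "CycloneDx"
          run: >
            analyzer,
            evaluator,
            advisor,
            reporter
      - name: Import SBOM into ScanCode.io
        # Mutable ref on purpose (latest action and latest ScanCode.io `main`).
        uses: aboutcode-org/scancode-action@main
        with:
          pipelines: "load_sbom"
          # ORT_RESULTS_PATH is expected to be exported by the ORT action above.
          inputs-path: "${{ env.ORT_RESULTS_PATH }}/bom.cyclonedx.json"
          scancodeio-repo-branch: "main"
      - name: Verify SBOM analysis results in ScanCode.io
        shell: bash
        run: |
          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 5; assert package_manager.vulnerable().count() >= 1; assert DiscoveredDependency.objects.count() >= 1"

  # Re-runs only the ORT evaluator/advisor/reporter on a pre-recorded ORT scan
  # result (the mime-types 2.1.26 example) and publishes the resulting CycloneDX
  # and SPDX SBOMs as one artifact for the `load-*mime-types*` jobs below.
  generate-mime-types-sboms-from-ort-from-scan-result:
    needs: checkout-ort-test-assests-from-scancode-io-repo
    runs-on: ubuntu-24.04
    steps:
      - name: Download mime-type-2.1.26-scan-result file
        uses: actions/download-artifact@v5
        with:
          name: npm-mime-types-2.1.26-scan-result.json
      - name: Move mime-types scan result expected location by GitHub Action for ORT
        # The `cat` dumps the whole scan result into the job log; it is test
        # data, so that is only noise, not a disclosure.
        run: |
          mkdir -p $HOME/.ort/ort-results/
          mv npm-mime-types-2.1.26-scan-result.json \
            $HOME/.ort/ort-results/current-result.json
          cat $HOME/.ort/ort-results/current-result.json
      - name: Run GitHub Action for ORT
        # Mutable ref on purpose (latest ORT); pin to a commit SHA for reproducible runs.
        uses: oss-review-toolkit/ort-ci-github-action@main
        with:
          report-formats: "CycloneDx,SpdxDocument"
          run: >
            evaluator,
            advisor,
            reporter
      # Bug fix: the original had `- uses:` under `- name:`, which made the
      # `name` entry a step of its own with no `uses`/`run` (invalid workflow)
      # and the upload a second, unnamed step. `uses` belongs to the named step.
      - name: Upload orthw mime type example
        uses: actions/upload-artifact@v4
        with:
          name: npm-mime-types-2.1.26-ort-sboms
          path: |
            ${{ env.ORT_RESULTS_PATH }}/bom.cyclonedx.json
            ${{ env.ORT_RESULTS_PATH }}/bom.cyclonedx.xml
            ${{ env.ORT_RESULTS_PATH }}/bom.spdx.json
            ${{ env.ORT_RESULTS_PATH }}/bom.spdx.yml
          overwrite: true
          retention-days: 1

  # Loads the checked-in CycloneDX 1.6 ORT reporter fixture into ScanCode.io.
  load-ort-cyclonedx-1-6-json-into-scancode-io:
    needs: checkout-ort-test-assests-from-scancode-io-repo
    runs-on: ubuntu-24.04
    steps:
      - name: Download ORT CycloneDX JSON SBOM
        uses: actions/download-artifact@v5
        with:
          name: ort-cyclonedx-1.6-result.cyclonedx.json
      - name: Import SBOM into ScanCode.io
        uses: aboutcode-org/scancode-action@main
        with:
          pipelines: "load_sbom"
          inputs-path: "cyclonedx-reporter-expected-result.json"
          output-formats: "cyclonedx"
          scancodeio-repo-branch: "main"
      - name: Verify SBOM analysis results in ScanCode.io
        shell: bash
        run: |
          # FIXME ScanCode.io incorrectly flag CVE-2021-1234 as applicable to this scan.
          # NOTE(review): `vulnerable().count() >= 1` therefore pins the behaviour
          # the FIXME calls incorrect; revisit this assertion when the FIXME is
          # resolved rather than loosening it. `>= 0` on a count is always true.
          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 5; assert package_manager.vulnerable().count() >= 1; assert DiscoveredDependency.objects.count() >= 0"

  # Loads the CycloneDX 1.6 fixture that carries findings into ScanCode.io.
  load-ort-cyclonedx-1-6-json-sbom-with-findings-into-scancode-io:
    needs: checkout-ort-test-assests-from-scancode-io-repo
    runs-on: ubuntu-24.04
    steps:
      - name: Download ORT CycloneDX v1.6 JSON SBOM
        uses: actions/download-artifact@v5
        with:
          name: ort-cyclonedx-1.6-result-with-findings.cyclonedx.json
      - name: Import SBOM into ScanCode.io
        uses: aboutcode-org/scancode-action@main
        with:
          pipelines: "load_sbom"
          inputs-path: "cyclonedx-reporter-expected-result-with-findings.json"
          output-formats: "cyclonedx"
          scancodeio-repo-branch: "main"
      - name: Verify SBOM analysis results in ScanCode.io
        shell: bash
        run: |
          # NOTE(review): the two `>= 0` checks are always true; only the package
          # count is actually asserted here.
          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >=5; assert package_manager.vulnerable().count() >= 0; assert DiscoveredDependency.objects.count() >= 0"

  # Loads the CycloneDX 1.6 fixture without findings; nothing must be imported.
  load-ort-cyclonedx-1-6-json-sbom-without-findings-into-scancode-io:
    needs: checkout-ort-test-assests-from-scancode-io-repo
    runs-on: ubuntu-24.04
    steps:
      - name: Download ORT CycloneDX v1.6 JSON SBOM
        uses: actions/download-artifact@v5
        with:
          name: ort-cyclonedx-1.6-result-without-findings.cyclonedx.json
      - name: Import SBOM into ScanCode.io
        uses: aboutcode-org/scancode-action@main
        with:
          pipelines: "load_sbom"
          inputs-path: "cyclonedx-reporter-expected-result-without-findings.json"
          output-formats: "cyclonedx"
          scancodeio-repo-branch: "main"
      - name: Verify SBOM analysis results in ScanCode.io
        shell: bash
        run: |
          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() == 0; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() == 0"

  # Loads the checked-in SPDX 2.2 ORT reporter fixture into ScanCode.io.
  load-ort-spdx-2-2-json-sbom-into-scancode-io:
    needs: checkout-ort-test-assests-from-scancode-io-repo
    runs-on: ubuntu-24.04
    steps:
      - name: Download ORT SPDX v2.2 JSON SBOM
        uses: actions/download-artifact@v5
        with:
          name: ort-spdx-2.2-result.spdx.json
      - name: Import SBOM into ScanCode.io
        uses: aboutcode-org/scancode-action@main
        with:
          pipelines: "load_sbom"
          inputs-path: "synthetic-scan-result-expected-output.spdx.json"
          output-formats: "spdx"
          scancodeio-repo-branch: "main"
      - name: Verify SBOM analysis results in ScanCode.io
        shell: bash
        run: |
          # NOTE(review): `vulnerable().count() >= 0` is always true.
          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 12; assert package_manager.vulnerable().count() >= 0; assert DiscoveredDependency.objects.count() >= 11"

  # Loads the checked-in SPDX 2.3 ORT reporter fixture into ScanCode.io.
  load-ort-spdx-2-3-json-sbom-into-scancode-io:
    needs: checkout-ort-test-assests-from-scancode-io-repo
    runs-on: ubuntu-24.04
    steps:
      - name: Download ORT SPDX v2.3 JSON SBOM
        uses: actions/download-artifact@v5
        with:
          name: ort-spdx-2.3-result.spdx.json
      - name: Import SBOM into ScanCode.io
        uses: aboutcode-org/scancode-action@main
        with:
          pipelines: "load_sbom"
          inputs-path: "synthetic-scan-result-expected-output.spdx.json"
          output-formats: "spdx"
          scancodeio-repo-branch: "main"
      - name: Verify SBOM analysis results in ScanCode.io
        shell: bash
        run: |
          # NOTE(review): `vulnerable().count() >= 0` is always true.
          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 12; assert package_manager.vulnerable().count() >= 0; assert DiscoveredDependency.objects.count() >= 11"

  # Loads the CycloneDX JSON SBOM that ORT generated for mime-types 2.1.26.
  load-ort-mime-types-cyclonedx-json-sbom-into-scancode-io:
    needs: generate-mime-types-sboms-from-ort-from-scan-result
    runs-on: ubuntu-24.04
    steps:
      - name: Download ORT CycloneDX JSON SBOM for mime-types 2.1.26
        uses: actions/download-artifact@v5
        with:
          name: npm-mime-types-2.1.26-ort-sboms
      - name: Import SBOM into ScanCode.io
        uses: aboutcode-org/scancode-action@main
        with:
          pipelines: "load_sbom"
          inputs-path: "bom.cyclonedx.json"
          output-formats: "cyclonedx"
          scancodeio-repo-branch: "main"
      - name: Verify SBOM analysis results in ScanCode.io
        shell: bash
        run: |
          # FIXME Number of packages and dependencies detected is wrong
          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 380; assert package_manager.vulnerable().count() >= 0; assert DiscoveredDependency.objects.count() >= 628"

  # FIXME: Loading the CycloneDX SBOM in XML format fails for unclear reasons.
  # (The disabled job below loads `bom.cyclonedx.xml`; ORT produces no CycloneDX
  # YAML output in the artifact above.)
  #
  # load-ort-mime-types-cyclonedx-xml-sbom-into-scancode-io:
  #   needs: generate-mime-types-sboms-from-ort-from-scan-result
  #   runs-on: ubuntu-24.04
  #   steps:
  #     - name: Download ORT CycloneDX XML SBOM for mime-types 2.1.26
  #       uses: actions/download-artifact@v5
  #       with:
  #         name: npm-mime-types-2.1.26-ort-sboms
  #     - name: Import SBOM into ScanCode.io
  #       uses: aboutcode-org/scancode-action@main
  #       with:
  #         pipelines: "load_sbom"
  #         inputs-path: "bom.cyclonedx.xml"
  #         output-formats: "cyclonedx"
  #         scancodeio-repo-branch: "main"
  #     - name: Verify SBOM analysis results in ScanCode.io
  #       shell: bash
  #       run: |
  #         # FIXME Number of packages and dependencies detected is wrong
  #         scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 405; assert package_manager.vulnerable().count() >= 0; assert DiscoveredDependency.objects.count() >= 0"

  # Loads the SPDX JSON SBOM that ORT generated for mime-types 2.1.26.
  load-mime-types-spdx-json-sbom-into-scancode-io:
    needs: generate-mime-types-sboms-from-ort-from-scan-result
    runs-on: ubuntu-24.04
    steps:
      - name: Download ORT SPDX JSON SBOM for mime-types 2.1.26
        uses: actions/download-artifact@v5
        with:
          name: npm-mime-types-2.1.26-ort-sboms
      - name: Cat SPDX JSON - for debugging purposes only, remove ASAP
        run: |
          cat bom.spdx.json
      - name: Import SBOM into ScanCode.io
        uses: aboutcode-org/scancode-action@main
        with:
          pipelines: "load_sbom"
          inputs-path: "bom.spdx.json"
          output-formats: "spdx"
          scancodeio-repo-branch: "main"
      - name: Verify SBOM analysis results in ScanCode.io
        shell: bash
        run: |
          # Bug fix: the dependency threshold was written `1,397`, which Python
          # parses as `assert count() >= 1, 397` (a check against 1 with 397 as
          # the assertion message), so the intended minimum was never enforced.
          # If this now fails, the threshold itself needs re-baselining.
          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 1141; assert package_manager.vulnerable().count() >= 0; assert DiscoveredDependency.objects.count() >= 1397"

  # Loading SPDX SBOM in YAML format is not yet supported.
  #
  # load-mime-types-spdx-yml-sbom-into-scancode-io:
  #   needs: generate-mime-types-sboms-from-ort-from-scan-result
  #   runs-on: ubuntu-24.04
  #   steps:
  #     - name: Download ORT SPDX YAML SBOM for mime-types 2.1.26
  #       uses: actions/download-artifact@v5
  #       with:
  #         name: npm-mime-types-2.1.26-ort-sboms
  #     - name: Cat SPDX YAML - for debugging purposes only, remove ASAP
  #       run: |
  #         cat bom.spdx.yml
  #     - name: Import SBOM into ScanCode.io
  #       uses: aboutcode-org/scancode-action@main
  #       with:
  #         pipelines: "load_sbom"
  #         inputs-path: "bom.spdx.yml"
  #         output-formats: "spdx"
  #         scancodeio-repo-branch: "main"
  #     - name: Verify SBOM analysis results in ScanCode.io
  #       shell: bash
  #       run: |
  #         # Threshold written as `1397`, not `1,397` (see the SPDX JSON job above).
  #         scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 1141; assert package_manager.vulnerable().count() >= 0; assert DiscoveredDependency.objects.count() >= 1397"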