Merge branch 'main' into JSON-local-storage

Author: VarshaUN

.github/workflows/sca-integration-depscan.yml

@@ -0,0 +1,59 @@
+name: Generate SBOM with OWASP dep-scan and load into ScanCode.io
+
+# This workflow:
+#  1. Generates a CycloneDX SBOM for a container image using OWASP dep-scan.
+#  2. Uploads the SBOM as a GitHub artifact for future inspection.
+#  3. Loads the SBOM into ScanCode.io for further analysis.
+#  4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
+#
+# It runs on demand, and once a week (scheduled).
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run once a week (every 7 days) at 00:00 UTC on Sunday
+    - cron: "0 0 * * 0"
+
+permissions:
+  contents: read
+
+env:
+  IMAGE_REFERENCE: "python:3.13.0-slim"
+
+jobs:
+  generate-and-load-sbom:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Install OWASP dep-scan
+        run: |
+          sudo npm install -g @cyclonedx/cdxgen
+          pip install owasp-depscan
+
+      - name: Generate SBOM with OWASP dep-scan
+        run: |
+          depscan \
+            --src ${{ env.IMAGE_REFERENCE }} \
+            --type docker \
+            --reports-dir reports \
+            --explain
+
+      - name: Upload SBOM as GitHub Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: depscan-sbom
+          path: reports/
+          retention-days: 20
+
+      - name: Uninstall dep-scan to avoid conflicts in the Python env
+        run: pip uninstall --yes owasp-depscan
+
+      - name: Import SBOM into ScanCode.io
+        uses: aboutcode-org/scancode-action@main
+        with:
+          pipelines: "load_sbom"
+          inputs-path: "reports/sbom-docker.vdr.json"
+
+      - name: Verify SBOM Analysis Results in ScanCode.io
+        shell: bash
+        run: |
+          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 220; assert package_manager.vulnerable().count() > 10; assert DiscoveredDependency.objects.count() > 150"

.github/workflows/sca-integration-ort-package-file.yml

@@ -0,0 +1,66 @@
+name: Generate ORT package-file.yml with ScanCode.io and load into ORT
+
+# This workflow:
+#  1. Analyze a Docker image using ScanCode.io
+#  2. Generates an ORT `package-file.yml` from the SCIO project results
+#  3. Generates an ORT `analyzer-result.yml` using create-analyzer-result-from-package-list
+#  4. Run the ORT report on `analyzer-result.yml` to generate a CycloneDX and SpdxDocument
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run once a week (every 7 days) at 00:00 UTC on Sunday
+    - cron: "0 0 * * 0"
+
+permissions:
+  contents: read
+
+env:
+  SCIO_IMAGE_INPUT: "docker://osadl/alpine-docker-base-image:v3.22-latest"
+  ORT_VERSION: "68.1.0"
+
+jobs:
+  generate-and-load-sbom:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Analyze Docker image with ScanCode.io
+        uses: aboutcode-org/scancode-action@main
+        with:
+          pipelines: "analyze_docker_image"
+          input-urls:
+            "${{ env.SCIO_IMAGE_INPUT }}"
+          scancodeio-repo-branch: "main"
+          output-formats: "ort-package-list spdx:2.2 cyclonedx json xlsx"
+
+      - name: Copy package-list.yml to workspace root
+        run: |
+          FILE=$(ls ${{ env.PROJECT_WORK_DIRECTORY }}/output/*.package-list.yml | head -n 1)
+          sudo mkdir -p ${GITHUB_WORKSPACE}/ort-data/
+          sudo cp "$FILE" "${GITHUB_WORKSPACE}/ort-data/package-list.yml"
+          sudo chmod -R 777 ${GITHUB_WORKSPACE}/ort-data/
+          ls -lh "${GITHUB_WORKSPACE}/ort-data/"
+
+      - name: Generates an ORT analyzer-result.yml file
+        run: |
+          docker run --rm -v ${GITHUB_WORKSPACE}/ort-data:/data \
+            --entrypoint /opt/ort/bin/orth \
+            ghcr.io/oss-review-toolkit/ort:${{ env.ORT_VERSION }} \
+            create-analyzer-result-from-package-list \
+              --package-list-file /data/package-list.yml \
+              --ort-file /data/analyzer-result.yml
+
+      - name: Report as CycloneDX and SPDX using the analyzer-result.yml file
+        run: |
+          docker run --rm -v ${GITHUB_WORKSPACE}/ort-data:/data \
+          ghcr.io/oss-review-toolkit/ort:${{ env.ORT_VERSION }} \
+          report \
+            --ort-file /data/analyzer-result.yml \
+            --output-dir /data/results/ \
+            --report-formats CycloneDX,SpdxDocument
+
+      - name: Upload SBOMs as GitHub Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ort-report
+          path: "${GITHUB_WORKSPACE}/ort-data/results"
+          retention-days: 20

.github/workflows/sca-integration-ort.yml

@@ -0,0 +1,50 @@
+name: Generate SBOM with ORT and load into ScanCode.io
+
+# This workflow:
+#  1. Generates a CycloneDX SBOM for a requirement.txt file using ORT.
+#  2. Uploads the SBOM as a GitHub artifact for future inspection.
+#  3. Loads the SBOM into ScanCode.io for further analysis.
+#  4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
+#
+# It runs on demand, and once a week (scheduled).
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run once a week (every 7 days) at 00:00 UTC on Sunday
+    - cron: "0 0 * * 0"
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  generate-and-load-sbom:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Create a Python requirements.txt
+        run: |
+          cat << 'EOF' > requirements.txt
+          amqp==5.1.1
+          appdirs==1.4.4
+          asgiref==3.5.2
+          urllib3==1.26.0
+          EOF
+
+      - name: Run GitHub Action for ORT
+        uses: oss-review-toolkit/ort-ci-github-action@v1
+
+      - name: Import SBOM into ScanCode.io
+        uses: aboutcode-org/scancode-action@main
+        with:
+          pipelines: "load_sbom"
+          inputs-path: "${{ env.ORT_RESULTS_PATH }}/bom.cyclonedx.json"
+          scancodeio-repo-branch: "main"
+
+      - name: Verify SBOM Analysis Results in ScanCode.io
+        shell: bash
+        run: |
+          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 5; assert package_manager.vulnerable().count() >= 1; assert DiscoveredDependency.objects.count() >= 1"

.github/workflows/sca-integration-osv-scanner.yml

@@ -0,0 +1,59 @@
+name: Generate SBOM with OSV-Scanner and load into ScanCode.io
+
+# This workflow:
+#  1. Generates a CycloneDX SBOM for a container image using OSV-Scanner.
+#  2. Uploads the SBOM as a GitHub artifact for future inspection.
+#  3. Loads the SBOM into ScanCode.io for further analysis.
+#  4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
+#
+# It runs on demand, and once a week (scheduled).
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run once a week (every 7 days) at 00:00 UTC on Sunday
+    - cron: "0 0 * * 0"
+
+permissions:
+  contents: read
+
+env:
+  IMAGE_REFERENCE: "python:3.13.0-slim"
+
+jobs:
+  generate-and-load-sbom:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Install OSV-Scanner
+        run: |
+          curl -sLO https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64
+          chmod +x osv-scanner_linux_amd64
+          sudo mv osv-scanner_linux_amd64 /usr/local/bin/osv-scanner
+
+      - name: Run OSV Scanner
+        # Using `|| true` as OSV-Scanner exits with code 1 when vulnerabilities are found.
+        run: |
+          osv-scanner scan image ${{ env.IMAGE_REFERENCE }} \
+            --all-packages \
+            --format spdx-2-3 \
+            --output osv-sbom.spdx.json \
+            || true
+
+      - name: Upload SBOM as GitHub Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: osv-scanner-sbom-report
+          path: osv-sbom.spdx.json
+          retention-days: 20
+
+      - name: Import SBOM into ScanCode.io
+        uses: aboutcode-org/scancode-action@main
+        with:
+          pipelines: "load_sbom"
+          inputs-path: "osv-sbom.spdx.json"
+          scancodeio-repo-branch: "main"
+
+      - name: Verify SBOM Analysis Results in ScanCode.io
+        shell: bash
+        run: |
+          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 100; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() >= 100"

.github/workflows/sca-integration-sbom-tool.yml

@@ -0,0 +1,60 @@
+name: Generate SBOM with SBOM tool and load into ScanCode.io
+
+# This workflow:
+#  1. Generates a CycloneDX SBOM for a container image using SBOM tool.
+#  2. Uploads the SBOM as a GitHub artifact for future inspection.
+#  3. Loads the SBOM into ScanCode.io for further analysis.
+#  4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
+#
+# It runs on demand, and once a week (scheduled).
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run once a week (every 7 days) at 00:00 UTC on Sunday
+    - cron: "0 0 * * 0"
+
+permissions:
+  contents: read
+
+env:
+  IMAGE_REFERENCE: "python:3.13.0-slim"
+
+jobs:
+  generate-and-load-sbom:
+    runs-on: ubuntu-24.04
+    steps:
+    - name: Download SBOM tool
+      run: |
+        curl -Lo $RUNNER_TEMP/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
+        chmod +x $RUNNER_TEMP/sbom-tool
+
+    - name: Generate SBOM with SBOM tool
+      run: |
+        mkdir -p sbom-output
+        $RUNNER_TEMP/sbom-tool generate \
+          -di ${{ env.IMAGE_REFERENCE }} \
+          -pn DockerImage \
+          -pv 1.0.0 \
+          -ps Company \
+          -nsb https://sbom.company.com \
+          -m sbom-output \
+          -V Verbose
+
+    - name: Upload SBOM artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: sbom-output
+        path: sbom-output
+
+    - name: Import SBOM into ScanCode.io
+      uses: aboutcode-org/scancode-action@main
+      with:
+        pipelines: "load_sbom"
+        inputs-path: "sbom-output/_manifest/spdx_2.2/manifest.spdx.json"
+        scancodeio-repo-branch: "main"
+
+    - name: Verify SBOM Analysis Results in ScanCode.io
+      shell: bash
+      run: |
+        scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() > 90"

CHANGELOG.rst

@@ -1,6 +1,45 @@
 Changelog
 =========
 
+v35.4.0 (unreleased)
+--------------------
+
+- Use deterministic UID/GID in Dockerfile.
+  A temporary ``chown`` service is now started in the ``docker-compose`` stack
+  to fix the permissions. This process is only fully run once.
+  You may manually run this process using the following:
+  ``$ chown -R 1000:1000 /var/scancodeio/``
+  https://github.com/aboutcode-org/scancode.io/issues/1555
+
+- Resolve and load dependencies from SPDX SBOMs.
+  https://github.com/aboutcode-org/scancode.io/issues/1145
+
+- Display the optional steps in the Pipelines autodoc.
+  https://github.com/aboutcode-org/scancode.io/issues/1822
+
+- Add new ``benchmark_purls`` pipeline.
+  https://github.com/aboutcode-org/scancode.io/issues/1804
+
+- Add a Resources tree view.
+  https://github.com/aboutcode-org/scancode.io/issues/1682
+
+- Improve CycloneDX SBOM support.
+  * Upgrade the cyclonedx-python-lib to 11.0.0
+  * Fix the validate_document following library upgrade.
+  * Add support when the "components" entry is missing.
+  https://github.com/aboutcode-org/scancode.io/issues/1727
+
+- Split the functionality of
+  ``scanpipe.pipes.federatedcode.commit_and_push_changes`` into
+  ``scanpipe.pipes.federatedcode.commit_changes`` and
+  ``scanpipe.pipes.federatedcode.push_changes``. Add
+  ``scanpipe.pipes.federatedcode.write_data_as_yaml``.
+
+- Add ORT ``package-list.yml`` as new downloadable output format.
+  https://github.com/aboutcode-org/scancode.io/pull/1852
+
+- Add support for SPDX as YAML in ``load_sbom`` pipeline.
+
 v35.3.0 (2025-08-20)
 --------------------