Generate SBOM

rbrayner · rbrayner · commit abc3d933a80b · 2024-11-24T23:24:58.000-03:00
diff --git a/.github/workflows/security_analysis.yml b/.github/workflows/security_analysis.yml
@@ -8,7 +8,7 @@ on:
     branches:
       - main
 
-jobs:   
+jobs:
   grype:
     name: Grype
     runs-on: ubuntu-latest
@@ -40,7 +40,23 @@ jobs:
         with:
           image: "localbuild/todo-app:v1"
           output-format: table
-  
+
+  generate-sbom:
+    name: Generate SBOM
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+      - name: Download CycloneDX CLI
+        run: |
+          npm install --global @cyclonedx/cyclonedx-npm
+          npx @cyclonedx/cyclonedx-npm --output-file bom.json
+      - name: Upload SBOM artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: sbom
+          path: bom.json
+
   bearer:
     name: Bearer
     runs-on: ubuntu-latest
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,4 @@
+*.env
+!template.env
+payload.json
+bom.json
diff --git a/Makefile b/Makefile
@@ -0,0 +1,37 @@
+COMPOSE_FILE = docker-compose.yml
+BUILD_NUMBER = v1.0.1
+PAYLOAD_FILE = $(PWD)/payload.json
+BASE64_FILE= $(PWD)/base64.txt
+
+.DEFAULT_GOAL := help
+
+# Load the .env file
+ifneq (,$(wildcard .env))
+    include .env
+    export $(shell sed 's/=.*//' .env)
+endif
+
+export
+
+all: run open cyclonedx-install cyclonedx-upload-sbom ## Run all
+
+help:
+	@echo "Available targets:"
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' Makefile | awk 'BEGIN {FS = ":.*?## "}; {printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2}'
+
+run: ## Run the app
+	docker compose -f $(COMPOSE_FILE) up --build -d
+
+open: ## Open URLs
+	open http://localhost:3000
+	open http://localhost:8080/login
+
+cyclonedx-install: ## Install CycloneDX
+	npm install --global @cyclonedx/cyclonedx-npm
+
+cyclonedx-upload-sbom: ## Uploads the SBOM to Dependency Track via API
+	@/bin/sh scripts/upload-sbom-to-dependency-track.sh
+
+clean: ## Wipe all data
+	@docker compose down
+	@docker volume rm dtrack
diff --git a/README.md b/README.md
@@ -1,5 +1,58 @@
 # Getting started
 
+- [Getting started](#getting-started)
+  - [1. GitHub](#1-github)
+  - [2. SBOM](#2-sbom)
+    - [2.1 Deploy](#21-deploy)
+    - [2.2 Edit .env](#22-edit-env)
+    - [2.3 Upload SBOM](#23-upload-sbom)
+    - [2.4 Cleanup](#24-cleanup)
+
+
+
+## 1. GitHub
+
 This repository is a sample application for users following the getting started guide at https://docs.docker.com/get-started/.
 
-The application is based on the application from the getting started tutorial at https://github.com/docker/getting-started
+The application is based on the application from the getting started tutorial at https://github.com/docker/getting-started
+
+
+
+## 2. SBOM
+
+### 2.1 Deploy
+
+```shell
+make run
+```
+Then, you should be able to access the application and dependency track:
+
+```shell
+http://localhost:3000/
+http://localhost:8080/login
+```
+
+### 2.2 Edit .env
+
+Use the `template.env` file to create a `.env` file with secrets. These secretes should be created by logging into dependency track, creating a project and obtaining an API token and the project ID. The default username and password are `admin/admin`.
+
+```shell
+http://localhost:8080/login
+```
+
+### 2.3 Upload SBOM
+
+Run the following command and go to the project in dependency track. You should now view SBOM report.
+
+```shell
+make all
+```
+
+### 2.4 Cleanup
+
+```shell
+make clean
+```
+
+
+
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,8 +1,11 @@
 services:
   todoapp:
     image: todoapp:${BUILD_NUMBER}
+    build:
+      context: .
+      dockerfile: Dockerfile
     ports:
-      - 3000:3000
+      - '127.0.0.1:3000:3000'
     deploy:
       restart_policy:
         condition: on-failure
@@ -14,5 +17,25 @@ services:
         source: todo-db
         target: /etc/todos
 
+  dtrack-apiserver:
+    image: dependencytrack/apiserver:4.12.0
+    ports:
+      - '127.0.0.1:8081:8080'
+    volumes:
+      - 'dependency-track:/data'
+    restart: unless-stopped
+
+  dtrack-frontend:
+    image: dependencytrack/frontend:4.12.0
+    depends_on:
+      - dtrack-apiserver
+    environment:
+      - API_BASE_URL=http://localhost:8081
+    ports:
+      - '127.0.0.1:8080:8080'
+    restart: unless-stopped
+
 volumes:
   todo-db:
+  dependency-track:
+    name: dtrack
diff --git a/scripts/upload-sbom-to-dependency-track.sh b/scripts/upload-sbom-to-dependency-track.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+SBOM_FILE="bom.json"
+BASE64_FILE=$(mktemp)
+
+npx @cyclonedx/cyclonedx-npm --output-file ${SBOM_FILE}
+cat ${SBOM_FILE} |base64 > ${BASE64_FILE}
+
+cat <<EOF > ${PAYLOAD_FILE}
+{
+  "project": "${PROJECT_ID}",
+  "bom": "$(cat ${BASE64_FILE})"
+}
+EOF
+
+rm -f ${BASE64_FILE}
+
+curl -X PUT \
+    -H "Content-Type: application/json" \
+    -H "X-API-Key: ${API_TOKEN}" \
+    -d @${PAYLOAD_FILE} \
+    "http://localhost:8081/api/v1/bom"
+
diff --git a/template.env b/template.env
@@ -0,0 +1,3 @@
+
+API_TOKEN=xxx
+PROJECT_ID=xxx

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+`
	`2`	`+API_TOKEN=xxx`
	`3`	`+PROJECT_ID=xxx`