NODE-7025: Making SBOM validation more robust

Author: ekovalets

.github/actions/sbom-update/action.yml

@@ -5,23 +5,87 @@ inputs:
     description: "Output filename for the SBOM"
     required: false
     default: "sbom.json"
-
+outputs:
+  HAS_CHANGES:
+    description: "Whether the SBOM has meaningful changes compared to the existing version"
+    value: ${{ steps.check_changes.outputs.HAS_CHANGES }}
 runs:
   using: composite
   steps:
     - name: Generate SBOM
+      id: generate-sbom
       shell: bash
-      working-directory: ${{ inputs.working-directory }}
       run: |
         echo "Generating SBOM for 'node' project..."
-        npx @cyclonedx/cyclonedx-npm --package-lock-only --omit dev --output-file sbom.json --output-format json --spec-version 1.5
+        npx @cyclonedx/cyclonedx-npm --package-lock-only --output-file sbom-new.json --output-format json --spec-version 1.5
+
+    - name: Validate SBOM presence
+      shell: bash
+      run: |
+        if [ ! -f "sbom-new.json" ]; then
+          echo "Error: SBOM file not found"
+          exit 1
+        fi
+        echo "SBOM file generated: sbom-new.json"
+
+    - name: Download CycloneDX CLI
+      shell: bash
+      run: |
+        curl -L -s -o /tmp/cyclonedx "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.29.1/cyclonedx-linux-x64"
+        chmod +x /tmp/cyclonedx
 
     - name: Validate SBOM
+      shell: bash
+      run: /tmp/cyclonedx validate --input-file sbom-new.json --fail-on-errors
+
+    - name: Check for SBOM changes
+      id: check_changes
+      if: steps.generate-sbom.outcome == 'success'
+      shell: bash
+      env:
+        SBOM_FILE: ${{ inputs.output-file }}
+      run: |
+        JQ_NORMALIZER='del(.serialNumber) | del(.metadata.timestamp) | walk(if type == "object" and .timestamp then .timestamp = "TIMESTAMP_NORMALIZED" else . end)'
+
+        if [ -f "$SBOM_FILE" ]; then
+          echo "Comparing new SBOM with existing $SBOM_FILE..."
+
+          # First try cyclonedx diff for component-level comparison
+          DIFF_OUTPUT=$(/tmp/cyclonedx diff "$SBOM_FILE" sbom-new.json --component-versions 2>/dev/null || true)
+
+          if echo "$DIFF_OUTPUT" | grep -q "^None$"; then
+            echo "No component changes detected via cyclonedx diff"
+
+            # Double-check with jq normalization (excludes metadata like timestamps)
+            if diff -q \
+               <(cat "$SBOM_FILE" | jq -r "$JQ_NORMALIZER") \
+               <(cat sbom-new.json | jq -r "$JQ_NORMALIZER") > /dev/null 2>&1; then
+              echo "HAS_CHANGES=false" >> $GITHUB_OUTPUT
+              echo "No meaningful changes detected in SBOM"
+              rm sbom-new.json
+            else
+              echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT
+              echo "Changes detected in SBOM (non-component changes)"
+              mv sbom-new.json "$SBOM_FILE"
+            fi
+          else
+            echo "Component changes detected:"
+            echo "$DIFF_OUTPUT"
+            echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT
+            mv sbom-new.json "$SBOM_FILE"
+          fi
+        else
+          echo "No existing $SBOM_FILE found, creating initial version"
+          echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT
+          mv sbom-new.json "$SBOM_FILE"
+        fi
+      continue-on-error: true
+
+    - name: Final SBOM validation
       shell: bash
       run: |
         if [ ! -f "${{ inputs.output-file }}" ]; then
-          echo "Error: SBOM file not found"
+          echo "Error: Final SBOM file not found at ${{ inputs.output-file }}"
           exit 1
         fi
-        
         echo "SBOM file validated: ${{ inputs.output-file }}"

.github/workflows/sbom.yml

@@ -1,5 +1,4 @@
 name: Post-Merge SBOM Update
-
 on:
   push:
     branches: 
@@ -8,8 +7,10 @@ on:
       - 'package.json'
       - 'package-lock.json'
   workflow_dispatch:
+
 env:
   SBOM_FILE: "sbom.json"
+
 permissions:
   contents: write
   pull-requests: write
@@ -24,10 +25,10 @@ jobs:
       cancel-in-progress: false
 
     steps:
-      - name: Checkout repository (Base Branch)
+      - name: Checkout repository
         uses: actions/checkout@v5
         with:
-          ref: ${{ github.event.pull_request.base.ref || github.ref }}
+          ref: ${{ github.ref }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install Node and dependencies
@@ -50,41 +51,18 @@ jobs:
         uses: ./.github/actions/setup-sbom
 
       - name: Generate SBOM
+        id: generate_sbom
         uses: ./.github/actions/sbom-update
         with:
-          output-file: ${SBOM_FILE}
-
-      - name: Check for Changes in sbom.json
-        id: git_status
-        run: |
-          # Filter to remove/normalize serialNumber and timestamp fields
-          JQ_NORMALIZER='del(.serialNumber) | del(.metadata.timestamp) | walk(if type == "object" and .timestamp then .timestamp = "TIMESTAMP_NORMALIZED" else . end)'
-          
-          # Check if the base file exists in Git (to prevent errors on first commit)
-          if ! git show HEAD:$SBOM_FILE > /dev/null 2>&1; then
-              echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT
-              exit 0
-          fi
-          
-          # Compare the normalized committed version vs. the normalized current version
-          if diff -q \
-             <(git show HEAD:$SBOM_FILE | jq -r "$JQ_NORMALIZER") \
-             <(cat $SBOM_FILE | jq -r "$JQ_NORMALIZER"); then
-             
-             echo "HAS_CHANGES=false" >> $GITHUB_OUTPUT
-             echo "No changes detected in sbom.json"
-          else
-             echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT
-             echo "Changes detected in sbom.json"
-          fi
+          output-file: ${{ env.SBOM_FILE }}
 
-      - name: "Commit SBOM changes"
-        if: steps.sbom_status.outputs.HAS_CHANGES == 'true'
+      - name: Commit SBOM changes
+        if: steps.generate_sbom.outputs.HAS_CHANGES == 'true'
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
           git add ${{ env.SBOM_FILE }}
           git commit -m "chore(deps): Update SBOM after dependency changes"
           git push
-          echo "📦 SBOM updated and committed" >> $GITHUB_STEP_SUMMARY
-        continue-on-error: true
+          echo "SBOM updated and committed" >> $GITHUB_STEP_SUMMARY
+        continue-on-error: true