Merge pull request #4599 from owncloud/feature/integrate_sbom

[FEATURE REQUEST] Create SBOM by using cyclonedx

Author: jesmrec

.github/workflows/sbom.yml

@@ -0,0 +1,74 @@
+name: SBOM 
+
+permissions:
+  contents: read
+
+on:
+  workflow_dispatch:
+  pull_request:
+
+jobs:
+  sbom:
+    runs-on: ubuntu-latest
+   
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Caches Gradle dependencies to avoid downloading them on every run
+      - name: Cache Gradle dependencies
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.gradle/caches
+            ~/.gradle/wrapper
+            ~/.gradle/wrapper/dists/
+          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+          restore-keys: |
+            ${{ runner.os }}-gradle-
+
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+
+      - name: Install xsltproc
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y xsltproc
+
+      # Use --no-daemon to prevent Gradle from running in the background
+      - name: Generate SBOM (CycloneDX)
+        run: ./gradlew --no-daemon cyclonedxBom  
+
+      - name: Convert SBOM to HTML
+        run: xsltproc sbom/cyclonedx-xml-to-html.xslt build/reports/bom.xml > sbom.html
+
+      # Create a specific artifact name using the branch name and timestamp
+      - name: Set artifact name
+        id: vars
+        run: |
+          BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
+          SAFE_BRANCH=$(echo "$BRANCH" | tr '/' '-' | tr '[:upper:]' '[:lower:]')
+          TIMESTAMP=$(date -u +"%Y%m%d-%H%M%S")
+          echo "artifact_name=sbom-${SAFE_BRANCH}-${TIMESTAMP}" >> $GITHUB_OUTPUT
+
+      - name: Rename SBOM XML and HTML files to match artifact name
+        run: |
+          mv sbom.html "${{ steps.vars.outputs.artifact_name }}.html"
+          mv  build/reports/bom.xml "${{ steps.vars.outputs.artifact_name }}.xml"
+          mv  build/reports/bom.json "${{ steps.vars.outputs.artifact_name }}.json"
+
+      - name: ZIP all the files
+        run: |
+          zip "${{ steps.vars.outputs.artifact_name }}.zip" \
+              "${{ steps.vars.outputs.artifact_name }}.html" \
+              "${{ steps.vars.outputs.artifact_name }}.xml" \
+              "${{ steps.vars.outputs.artifact_name }}.json"
+
+      - name: Upload SBOM artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ steps.vars.outputs.artifact_name }}
+          path: ${{ steps.vars.outputs.artifact_name }}.zip

CHANGELOG.md

@@ -52,6 +52,7 @@ ownCloud admins and users.
 * Enhancement - Shares space in Android native file explorer: [#4515](https://github.com/owncloud/android/issues/4515)
 * Enhancement - Accessibility reports in 4.5.1: [#4568](https://github.com/owncloud/android/issues/4568)
 * Enhancement - Support for Kiteworks servers without client secret: [#4588](https://github.com/owncloud/android/issues/4588)
+* Enhancement - SBOM (Software Bill of Materials): [#4598](https://github.com/owncloud/android/issues/4598)
 
 ## Details
 
@@ -186,6 +187,15 @@ ownCloud admins and users.
    https://github.com/owncloud/android/issues/4588
    https://github.com/owncloud/android/pull/4589
 
+* Enhancement - SBOM (Software Bill of Materials): [#4598](https://github.com/owncloud/android/issues/4598)
+
+   SBOM to be generated in every PR via GitHub Actions with the list of all
+   dependencies used in the code. Tool cyclonedx builds it, artifact is exported to
+   xml and finally converted to html with a xlst template.
+
+   https://github.com/owncloud/android/issues/4598
+   https://github.com/owncloud/android/pull/4599
+
 # Changelog for ownCloud Android Client [4.5.1] (2025-04-03)
 
 The following sections list the changes in ownCloud Android Client 4.5.1 relevant to

build.gradle

@@ -22,6 +22,7 @@ plugins {
     alias libs.plugins.sonarqube
     alias libs.plugins.ksp apply false
     alias libs.plugins.detekt
+    alias libs.plugins.cyclonedx
 }
 
 allprojects {

changelog/unreleased/4599

@@ -0,0 +1,7 @@
+Enhancement: SBOM (Software Bill of Materials)
+
+SBOM to be generated in every PR via GitHub Actions with the list of all dependencies used in the code. Tool cyclonedx builds it, artifact is exported to xml and finally converted to html with a xlst template.
+
+https://github.com/owncloud/android/issues/4598
+https://github.com/owncloud/android/pull/4599
+

gradle/libs.versions.toml

@@ -22,6 +22,7 @@ androidxTestMonitor = "1.6.1"
 androidxTestUiAutomator ="2.2.0"
 androidxWork = "2.8.1"
 coil = "2.2.2"
+cyclonedx = "2.3.1"
 detekt = "1.23.3"
 dexopener = "2.0.5"
 disklrucache = "2.0.2"
@@ -128,3 +129,4 @@ kotlin = { id = "org.jetbrains.kotlin.android", version.ref = "kotlin" }
 ksp = { id = "com.google.devtools.ksp", version.ref = "ksp" }
 sonarqube = { id = "org.sonarqube", version.ref = "sonarqube" }
 detekt = { id = "io.gitlab.arturbosch.detekt", version.ref = "detekt" }
+cyclonedx = { id = "org.cyclonedx.bom", version.ref = "cyclonedx" }

sbom/README.md

@@ -0,0 +1,40 @@
+# Software Bill of Materials (SBOM)
+
+---
+
+## What is an SBOM?
+
+An **SBOM (Software Bill of Materials)** is a detailed inventory of all software components, libraries, and dependencies included in a project. It provides transparency into its composition.
+
+
+## Why CycloneDX?
+
+[CycloneDX](https://cyclonedx.org/) is a leading open standard for SBOMs that supports rich metadata and is widely supported by tools and ecosystems. It is especially suited for modern DevSecOps workflows and integrates well with build tools.
+
+
+## How to Generate an SBOM
+
+The ownCloud Android app is ready to generate it. The dependency *CycloneDX* is included in the build.gradle file, so, the SBOM file is an easy one via gradlew:
+
+```
+./gradlew cyclonedxBom
+```
+
+that command will generate the sbom file in json and xml formats.
+
+## Preview
+
+Since XML and JSON are not easily human-readable formats, the `xsltproc` tool can be used to transform the SBOM into a more user-friendly and visually readable HTML document, with a XSLT template. 
+
+XSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other formats, such as HTML, plain text, or other XML structures. It uses a set of rules defined in an XSLT stylesheet to match and manipulate elements in the source XML, allowing the data to be presented in a more readable or usable format.
+
+Now...
+
+```
+xsltproc cyclonedx-xml-to-html.xslt bom.xml > bom.html
+```
+
+And the `bom.html` file is ready to go.
+
+
+

sbom/cyclonedx-xml-to-html.xslt

@@ -0,0 +1,187 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:bom="http://cyclonedx.org/schema/bom/1.6"
+    exclude-result-prefixes="bom">
+
+  <xsl:output method="html" encoding="UTF-8" indent="yes"/>
+
+  <xsl:template match="/">
+    <html>
+      <head>
+        <title>Software Bill of Materials</title>
+        <style>
+          body {
+            font-family: sans-serif;
+            margin: 20px;
+            background-color: #f0f4fb;
+            color: #000;
+          }
+          h1 {
+            text-align: left;
+            color: #2c3e50;
+            font-size: 2em;
+            margin-bottom: 0.5em;
+          }
+          h2 {
+            color: #3a4f7a;
+            border-bottom: 2px solid #ccc;
+            padding-bottom: 5px;
+            margin-top: 40px;
+            margin-bottom: 15px;
+          }
+          table {
+            border-collapse: collapse;
+            background-color: #fff;
+            color: #000;
+            margin-top: 10px;
+            margin-bottom: 40px;
+            border-radius: 6px;
+            overflow: hidden;
+          }
+          .metadata-table {
+            width: auto;
+            margin: 0;
+            padding: 0;
+          }
+          th, td {
+            padding: 10px 10px;
+            text-align: left;
+            border-bottom: 1px solid #ccc;
+          }
+          tr {
+            line-height: 2;
+          }
+          th {
+            background-color: #d0def0;
+            font-weight: bold;
+            color: #1b2e4b;
+          }
+          a {
+            color: #003366;
+            text-decoration: none;
+          }
+          a:hover {
+            text-decoration: underline;
+          }
+          .footer {
+            margin-top: 50px;
+            font-size: 0.9em;
+            color: #666;
+            text-align: center;
+          }
+          ul {
+            list-style: none;
+            padding: 0;
+            margin: 10px 0 30px 0;
+          }
+          li {
+            margin-bottom: 5px;
+          }
+          .index a {
+            color: #000;
+            text-decoration: underline;
+          }
+          .back-to-top {
+            display: inline-block;
+            margin-top: 20px;
+            font-size: 0.9em;
+            color: #003366;
+            text-decoration: none;
+          }
+          .back-to-top::before {
+            content: "↑ ";
+            font-weight: bold;
+            margin-right: 4px;
+          }
+          .back-to-top:hover {
+            text-decoration: underline;
+          }
+        </style>
+      </head>
+      <body>
+        <h1>Software Bill of Materials - ownCloud Android app</h1>
+
+        <div class="index">
+          <h2>Index</h2>
+          <ul>
+            <li><a href="#metadata">Metadata</a></li>
+            <li><a href="#components">Components</a></li>
+          </ul>
+        </div>
+
+        <!-- Metadata Section -->
+        <h2 id="metadata">Metadata</h2>
+        <table class="metadata-table">
+          <tr><th>Creation Date</th><td><xsl:call-template name="format-date"><xsl:with-param name="timestamp" select="bom:bom/bom:metadata/bom:timestamp"/></xsl:call-template></td></tr>
+          <tr><th>Generated by</th>
+            <td>
+              <xsl:for-each select="bom:bom/bom:metadata/bom:tools/bom:components/bom:component">
+                <xsl:value-of select="bom:name"/> <xsl:text> </xsl:text><xsl:value-of select="bom:version"/>
+              </xsl:for-each>
+            </td>
+          </tr>
+        </table>
+
+        <!-- Components Section -->
+        <h2 id="components">Components</h2>
+        <table style="width: 100%;">
+          <tr>
+            <th style="width: 10%;">Type</th>
+            <th style="width: 15%;">Group</th>
+            <th style="width: 20%;">Name</th>
+            <th style="width: 10%;">Version</th>
+            <th style="width: 10%;">License</th>
+            <th style="width: 35%;">PURL</th>
+          </tr>
+          <xsl:for-each select="bom:bom/bom:components/bom:component">
+            <tr>
+              <td><xsl:value-of select="@type"/></td>
+              <td><xsl:value-of select="bom:group"/></td>
+              <td><xsl:value-of select="bom:name"/></td>
+              <td><xsl:value-of select="bom:version"/></td>
+              <td><xsl:value-of select="bom:licenses/bom:license/bom:id"/></td>
+              <td><xsl:value-of select="bom:purl"/></td>
+            </tr>
+          </xsl:for-each>
+        </table>
+
+        <div><a class="back-to-top" href="#metadata">Back to top</a></div>
+
+        <div class="footer">
+          Document generated from CycloneDX SBOM using XSLT styling.
+        </div>
+      </body>
+    </html>
+  </xsl:template>
+
+  <!-- Helper: Convert ISO timestamp to readable date -->
+  <xsl:template name="format-date">
+    <xsl:param name="timestamp"/>
+    <xsl:variable name="year" select="substring($timestamp, 1, 4)"/>
+    <xsl:variable name="month" select="substring($timestamp, 6, 2)"/>
+    <xsl:variable name="day" select="substring($timestamp, 9, 2)"/>
+    <xsl:variable name="hour" select="substring($timestamp, 12, 2)"/>
+    <xsl:variable name="minute" select="substring($timestamp, 15, 2)"/>
+    <xsl:variable name="monthName">
+      <xsl:choose>
+        <xsl:when test="$month = '01'">January</xsl:when>
+        <xsl:when test="$month = '02'">February</xsl:when>
+        <xsl:when test="$month = '03'">March</xsl:when>
+        <xsl:when test="$month = '04'">April</xsl:when>
+        <xsl:when test="$month = '05'">May</xsl:when>
+        <xsl:when test="$month = '06'">June</xsl:when>
+        <xsl:when test="$month = '07'">July</xsl:when>
+        <xsl:when test="$month = '08'">August</xsl:when>
+        <xsl:when test="$month = '09'">September</xsl:when>
+        <xsl:when test="$month = '10'">October</xsl:when>
+        <xsl:when test="$month = '11'">November</xsl:when>
+        <xsl:when test="$month = '12'">December</xsl:when>
+        <xsl:otherwise>Unknown</xsl:otherwise>
+      </xsl:choose>
+    </xsl:variable>
+    <xsl:value-of select="concat($day, ' ', $monthName, ' ', $year, ', ', $hour, ':', $minute, ' UTC')"/>
+  </xsl:template>
+
+</xsl:stylesheet>
+