SBOM file generation.

Adds new steps in the build and release workflow to generate, sign and publish a SBOM file for Policy Server.
kubewarden · Aug 31, 2022 · e916777 · e916777
1 parent 965b714
commit e916777
Show file tree

Hide file tree

Showing 8 changed files with 97 additions and 18 deletions.
diff --git a/.github/workflows/container-image.yml b/.github/workflows/container-image.yml
@@ -1,4 +1,4 @@
-name: Build container image
+name: Build policy server
 on:
   push:
     branches:
@@ -28,6 +28,9 @@ jobs:
     needs:
       - ci
     steps:
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+
       - name: Configure Ubuntu repositories
         run: |
           sudo dpkg --add-architecture arm64
@@ -82,11 +85,36 @@ jobs:
           cargo build --release --target ${{ matrix.targetarch }}-unknown-linux-musl
           mv target/${{ matrix.targetarch }}-unknown-linux-musl/release/policy-server policy-server-${{ matrix.targetarch }}
 
-      - name: Upload policy-server
+      - name: Generate SBOM
+        run: |
+          make download-spdx-sbom-generator sbom
+          # SBOM files should have "sbom" in the name due the CLO monitor
+          # https://clomonitor.io/docs/topics/checks/#software-bill-of-materials-sbom
+          mv bom-cargo.json policy-server-${{ matrix.targetarch }}-sbom.spdx.json
+
+      - name: Sign BOM file
+        run: |
+          cosign sign-blob --output-certificate policy-server-${{ matrix.targetarch }}-sbom.spdx.cert \
+            --output-signature policy-server-${{ matrix.targetarch }}-sbom.spdx.sig \
+            policy-server-${{ matrix.targetarch }}-sbom.spdx.json
+        env:
+          COSIGN_EXPERIMENTAL: 1
+
+      - name: Upload policy-server binary
         uses: actions/upload-artifact@v2
         with:
           name: policy-server-${{ matrix.targetarch }}
-          path: policy-server-${{ matrix.targetarch }}
+          path: |
+            policy-server-${{ matrix.targetarch }}
+
+      - name: Upload policy-server SBOM files
+        uses: actions/upload-artifact@v2
+        with:
+          name: policy-server-${{ matrix.targetarch }}-sbom
+          path: |
+            policy-server-${{ matrix.targetarch }}-sbom.spdx.json
+            policy-server-${{ matrix.targetarch }}-sbom.spdx.cert
+            policy-server-${{ matrix.targetarch }}-sbom.spdx.sig
 
   build-container-image:
     name: Build policy server container image

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,23 +1,49 @@
-name: policy-server release
+name: Release policy server
 on:
-  push:
-    tags:
-    - 'v*'
+  workflow_run:
+    workflows: ["Build policy server"]
+    types:
+      - completed
+    branches:
+      - "v*"
 jobs:
-  ci:
-    uses: kubewarden/policy-server/.github/workflows/tests.yml@main
   release:
     name: Create release
     runs-on: ubuntu-latest
-    needs:
-      - ci
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
     steps:
+      - name: Download build artifacts
+        uses: actions/github-script@v6
+        with:
+          script: |
+            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: context.payload.workflow_run.id,
+            });
+            const matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+              return artifact.name.startsWith("policy-server")
+            });
+            for (const artifact of matchArtifact) {
+              let download = await github.rest.actions.downloadArtifact({
+                 owner: context.repo.owner,
+                 repo: context.repo.repo,
+                 artifact_id: artifact.id,
+                 archive_format: 'zip',
+              });
+              let fs = require('fs');
+              file_path = `${process.env.GITHUB_WORKSPACE}/${artifact.name}.zip`;
+              fs.writeFileSync(file_path, Buffer.from(download.data));
+            }
+
       - name: Create release
-        uses: actions/create-release@v1
+        uses: softprops/action-gh-release@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          tag_name: ${{ github.ref }}
-          release_name: Release policy-server ${{ github.ref }}
+          tag_name: ${{ github.event.workflow_run.head_branch }}
+          name: Release policy-server ${{ github.event.workflow_run.head_branch }}
           draft: false
-          prerelease: ${{ contains(github.ref, '-alpha') || contains(github.ref, '-beta') || contains(github.ref, '-rc') }}
+          prerelease: ${{ contains(github.event.workflow_run.head_branch, '-alpha') || contains(github.event.workflow_run.head_branch, '-beta') || contains(github.event.workflow_run.head_branch, '-rc') }}
+          files: |
+            policy-server*
diff --git a/.gitignore b/.gitignore
@@ -1 +1,3 @@
-/target
+/target
+bom-cargo.json
+/bin
diff --git a/Cargo.toml b/Cargo.toml
@@ -2,9 +2,11 @@
 name = "policy-server"
 version = "1.1.2"
 authors = [
+  "Kubewarden Developers <kubewarden@suse.de>",
   "Flavio Castelli <fcastelli@suse.com>",
   "Rafael Fernández López <rfernandezlopez@suse.com>",
-  "Víctor Cuadrado Juan <vcuadradojuan@suse.de>"
+  "Víctor Cuadrado Juan <vcuadradojuan@suse.de>",
+  "José Guilherme Vanz <jguilhermevanz@suse.com>"
 ]
 edition = "2018"
 

diff --git a/Makefile b/Makefile
@@ -1,5 +1,6 @@
-HYPERFINE := $(shell command -v hyperfine 2> /dev/null)
 IMG ?= policy-server:latest
+BINDIR ?= bin
+SBOM_GENERATOR_TOOL_VERSION ?= v0.0.15
 
 .PHONY: build
 build:
@@ -31,3 +32,16 @@ tag:
 .PHONY: docker-build
 docker-build: test ## Build docker image with the manager.
 	docker build -t ${IMG} .
+
+bin:
+	mkdir $(BINDIR)
+
+.PHONY: download-spdx-sbom-generator
+download-spdx-sbom-generator: bin
+	curl -L -o $(BINDIR)/spdx-sbom-generator-$(SBOM_GENERATOR_TOOL_VERSION)-linux-amd64.tar.gz https://github.com/opensbom-generator/spdx-sbom-generator/releases/download/$(SBOM_GENERATOR_TOOL_VERSION)/spdx-sbom-generator-$(SBOM_GENERATOR_TOOL_VERSION)-linux-amd64.tar.gz
+	tar -xf ./$(BINDIR)/spdx-sbom-generator-$(SBOM_GENERATOR_TOOL_VERSION)-linux-amd64.tar.gz --directory $(BINDIR)
+
+
+.PHONY: sbom
+sbom:
+	./$(BINDIR)/spdx-sbom-generator -f json
diff --git a/README.md b/README.md
@@ -119,3 +119,10 @@ Alternatively, the `policy-server` binary can be built in this way:
 ```shell
 $ make build
 ```
+
+# Software bill of materials
+
+Policy server has its software bill of materials (SBOM) published every release.
+It follows the [SPDX](https://spdx.dev/) version 2.2 format and it can be found
+together with the signature and certificate used to signed it in the
+[release assets](https://github.com/kubewarden/policy-server/releases)
diff --git a/spdx-sbom-generator b/spdx-sbom-generator
diff --git a/spdx-sbom-generator-v0.0.15-linux-amd64.tar.gz b/spdx-sbom-generator-v0.0.15-linux-amd64.tar.gz