Clean up SBOM

githedgehog · Nov 8, 2024 · da0cf47 · da0cf47
1 parent 4f68a88
commit da0cf47
Show file tree

Hide file tree

Showing 3 changed files with 108 additions and 54 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -118,26 +118,35 @@ jobs:
       id-token: "write"
     steps:
       - uses: "actions/checkout@v4"
+
       - name: "install nix"
         uses: "cachix/install-nix-action@v30"
+
       - name: "login to ghcr.io"
         uses: "docker/login-action@v3"
         with:
           registry: "ghcr.io"
           username: "${{ github.actor }}"
           password: "${{ secrets.GITHUB_TOKEN }}"
+
       - uses: "dtolnay/rust-toolchain@stable"
+
       - uses: "cargo-bins/cargo-binstall@main"
+
       - run: |
           cargo binstall --no-confirm just
+
       - name: "nix cache"
         uses: "DeterminateSystems/magic-nix-cache-action@main"
+
       - name: "confirm sources"
         run: |
           ./scripts/confirm-sources.sh
+
       - name: "build + push"
         run: |
           just --yes debug=true max_nix_builds=1 rust=${{matrix.toolchain.key}} push
+
       - name: "Install SBOM generator dependencies"
         run: |
           for f in /tmp/dpdk-sys/builds/*; do
@@ -146,50 +155,26 @@ jobs:
           cargo binstall --no-confirm csview
           sudo apt-get update
           sudo apt-get install --yes --no-install-recommends graphviz
+
       - name: "Generate SBOM"
         run: |
           ./scripts/sbom.sh
-      - name: "SBOM upload"
-        # if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
-        uses: "advanced-security/[email protected]"
-        with:
-          filePattern: '/tmp/dpdk-sys/builds/*.spdx.json'
+
       - name: "step summary"
         continue-on-error: true # might fail due to $GITHUB_STEP_SUMMARY size limit of 1MB
         run: |
-          {
-            echo "# Outdated packages (gnu64):";
-            echo "";
-            cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.outdated.md;
-            echo "";
-            echo "# Outdated packages (musl64):";
-            echo "";
-            cat /tmp/dpdk-sys/builds/env.sysroot.musl64.outdated.md;
-            echo "";
-            echo "# Vuln scan (gnu64):";
-            echo "";
-            cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.vulns.triage.md;
-            echo "";
-            echo "# Vuln scan (musl64):";
-            echo "";
-            cat /tmp/dpdk-sys/builds/env.sysroot.musl64.vulns.triage.md;
-            echo "";
-          } >> $GITHUB_STEP_SUMMARY
+          cat "/tmp/dpdk-sys/builds/env.sysroot.summary.md" >> "${GITHUB_STEP_SUMMARY}"
+
       - name: "remove links from /tmp/dpdk-sys/builds"
         run: |
           for f in /tmp/dpdk-sys/builds/*; do
               [ -h "$f" ] && rm "$f"
           done
+
       - uses: "actions/upload-artifact@v4"
         with:
           name: "builds-${{ matrix.toolchain.key }}"
           path: "/tmp/dpdk-sys/builds"
-      - name: "Setup tmate session for debug"
-        if: ${{ failure() && github.event_name == 'workflow_dispatch' && inputs.debug_enabled }}
-        uses: "mxschmitt/action-tmate@v3"
-        timeout-minutes: 60
-        with:
-          limit-access-to-actor: true
 
       - name: "outdated packages (gnu64)"
         uses: "actions/github-script@v7"
@@ -199,8 +184,12 @@ jobs:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
           script: |
             let fs = require('fs');
-            let body = "# Outdated packages (gnu64):\n";
+            let body = "<details>\n";
+            body += "<summary>\n\n";
+            body += "## Outdated packages (gnu64):\n\n";
+            body += "</summary>\n\n";
             body += fs.readFileSync('/tmp/dpdk-sys/builds/env.sysroot.gnu64.outdated.md');
+            body += "\n</details>\n";
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
@@ -216,8 +205,12 @@ jobs:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
           script: |
             let fs = require('fs');
-            let body = "# Outdated packages (musl64):\n";
+            let body = "<details>\n";
+            body += "<summary>\n\n";
+            body = "## Outdated packages (musl64):\n";
+            body += "</summary>\n\n";
             body += fs.readFileSync('/tmp/dpdk-sys/builds/env.sysroot.musl64.outdated.md');
+            body += "\n</details>\n";
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
@@ -233,8 +226,12 @@ jobs:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
           script: |
             let fs = require('fs');
-            let body = "# Vulnerable packages (gnu64):\n";
+            let body = "<details>\n";
+            body += "<summary>\n\n";
+            body = "## Vulnerable packages (gnu64):\n";
+            body += "</summary>\n\n";
             body += fs.readFileSync('/tmp/dpdk-sys/builds/env.sysroot.gnu64.vulns.triage.md');
+            body += "\n</details>\n";
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
@@ -250,15 +247,27 @@ jobs:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
           script: |
             let fs = require('fs');
-            let body = "# Vulnerable packages (musl64):\n";
+            let body = "<details>\n";
+            body += "<summary>\n\n";
+            body = "## Vulnerable packages (musl64):\n";
+            body += "</summary>\n\n";
             body += fs.readFileSync('/tmp/dpdk-sys/builds/env.sysroot.musl64.vulns.triage.md');
+            body += "\n</details>\n";
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,
               body: body
             });
 
+      - name: "Setup tmate session for debug"
+        if: ${{ failure() && github.event_name == 'workflow_dispatch' && inputs.debug_enabled }}
+        uses: "mxschmitt/action-tmate@v3"
+        timeout-minutes: 60
+        with:
+          limit-access-to-actor: true
+
+
   summary:
     name: "summary"
     if: ${{ always() }}

diff --git a/.github/workflows/bump.yml b/.github/workflows/bump.yml
@@ -7,7 +7,7 @@
 
 # Production artifacts are produced in a sterile environment (in another CI workflow).
 
-name: "bump"
+name: "bump.yml"
 on:
   workflow_dispatch:
     inputs:

diff --git a/scripts/sbom.sh b/scripts/sbom.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-set -euxo pipefail
+set -euo pipefail
 
 declare -r sbomnix="github:tiiuae/sbomnix"
 
@@ -12,8 +12,20 @@ declare -r package="env.sysroot"
 
 nix build "${sbomnix}" --out-link /tmp/sbomnix
 
+declare -a cleanup_cmds=()
+cleanup() {
+  declare cmd
+  for cmd in "${cleanup_cmds[@]}"; do
+    ${cmd}
+  done
+}
+trap cleanup EXIT
+
+declare summary="${builds}/${package}.summary.md"
+truncate --size 0 "${summary}"
+
 for libc in "gnu64" "musl64"; do
-  cd "$(mktemp -d)"
+  pushd "$(mktemp -d)" && cleanup_cmds+=("rm -rf $(pwd)")
   nix run \
     "${sbomnix}#sbomnix" \
     -- \
@@ -22,47 +34,80 @@ for libc in "gnu64" "musl64"; do
     --spdx "${builds}/${package}.${libc}.sbom.spdx.json" \
     --verbose=1 \
     --include-vulns \
-    "${builds}/${package}.${libc}.release" &
-  cd "$(mktemp -d)"
+    "${builds}/${package}.${libc}.release"
+  pushd "$(mktemp -d)" && cleanup_cmds+=("rm -rf $(pwd)")
   nix run \
     "${sbomnix}#vulnxscan" \
     -- \
     --out "${builds}/${package}.${libc}.vulns.csv" \
     --triage \
     --verbose=1 \
-    "${builds}/${package}.${libc}.release" &
-  cd "$(mktemp -d)"
+    "${builds}/${package}.${libc}.release"
+  pushd "$(mktemp -d)" && cleanup_cmds+=("rm -rf $(pwd)")
   nix run \
     "${sbomnix}#nix_outdated" \
     -- \
     --out "${builds}/${package}.${libc}.outdated.csv" \
     --verbose=1 \
-    "${builds}/${package}.${libc}.release" &
-  cd "$(mktemp -d)"
+    "${builds}/${package}.${libc}.release"
+  pushd "$(mktemp -d)" && cleanup_cmds+=("rm -rf $(pwd)")
   nix run \
     "${sbomnix}#provenance" \
     -- \
     --out "${builds}/${package}.${libc}.provenance.json" \
     --verbose=1 \
     --recursive \
-    "${builds}/${package}.${libc}.release" &
-  cd "$(mktemp -d)"
+    "${builds}/${package}.${libc}.release"
+  pushd "$(mktemp -d)" && cleanup_cmds+=("rm -rf $(pwd)")
   nix run \
     "${sbomnix}#nixgraph" \
     -- \
     --out "${builds}/${package}.${libc}.nixgraph.dot" \
-    --depth=15 \
+    --depth=99 \
     --verbose=1 \
-    "${builds}/${package}.${libc}.release" &
-done
+    "${builds}/${package}.${libc}.release"
 
-wait
+  for file in "${builds}/${package}.${libc}."*".csv"; do
+    csview --style markdown "$file" > "${file%.csv}.md"
+  done
 
-for file in "${builds}/"*.csv; do
-  csview --style markdown "$file" > "${file%.csv}.md"
-done
+  for file in "${builds}/${package}.${libc}."*".dot"; do
+    dot -Tsvg "$file" > "${file%.dot}.svg"
+  done
 
-for file in "${builds}/"*.dot; do
-  dot -Tsvg "$file" > "${file%.dot}.svg"
-  dot -Gdpi=300 -Tpng "$file" > "${file%.dot}.png"
+  {
+    echo "<details>";
+    echo "<summary>";
+    echo "";
+    echo "## Vuln scan (${libc}):";
+    echo "";
+    echo "</summary>";
+    echo "";
+    cat ${builds}/${package}.${libc}.vulns.triage.md;
+    echo "";
+    echo "</details>";
+    echo "";
+    echo "<details>";
+    echo "<summary>";
+    echo "";
+    echo "## Outdated packages (${libc}):";
+    echo "";
+    echo "</summary>";
+    echo "";
+    cat ${builds}/${package}.${libc}.outdated.md;
+    echo "";
+    echo "</details>";
+    echo "";
+    echo "<details>";
+    echo "<summary>";
+    echo "";
+    echo "## SBOM (${libc}):";
+    echo "";
+    echo "</summary>";
+    echo "";
+    cat ${builds}/${package}.${libc}.sbom.md;
+    echo "";
+    echo "</details>";
+    echo "";
+  } >> "${summary}"
 done