diff --git a/.github/workflows/blackduck-scan.yml b/.github/workflows/blackduck-scan.yml deleted file mode 100644 index 4e8de1473..000000000 --- a/.github/workflows/blackduck-scan.yml +++ /dev/null @@ -1,120 +0,0 @@ -### -## Foundation-security BlackDuck workflow for public repos -# -name: Foundation-Security/Black Duck Scan (PUBLIC) - -on: - push: - tags: - - '**' - workflow_dispatch: - -jobs: - Blackduck-Scan: - runs-on: ubuntu-20.04 - steps: - - name: Check for Secret - run: | - if [ -z "${{ secrets.BLACKDUCK_URL }}" ]; then - echo "Error:blackduck secret not found" - exit 1 - fi - - - name: Checkout source repository - id: checkout-source - uses: actions/checkout@v3 - - - name: Download and Run Detect - id: run-synopsys-detect - env: - detect.blackduck.scan.mode: 'INTELLIGENT' - detect.scan.output.path: '/home/runner/work/_temp/blackduck' - detect.output.path: '/home/runner/work/_temp/blackduck' - detect.project.version.name: ${{ github.ref_type }}/${{ github.ref_name }} - detect.project.name: ${{ github.event.repository.name }} - detect.risk.report.pdf: true - detect.risk.report.pdf.path: /tmp/reports/ - blackduck.url: ${{ secrets.BLACKDUCK_URL }} - blackduck.api.token: ${{ secrets.BLACKDUCK_API_TOKEN }} - shell: bash - run: | - bash <(curl -s -L https://detect.synopsys.com/detect8.sh) - - - name: Run sbom script - id: sbom-report - shell: bash - run: | - chmod +x ./.github/workflows/blackduck/get_bd_sbom.sh - ./.github/workflows/blackduck/get_bd_sbom.sh ${{ secrets.BLACKDUCK_URL }} ${{ secrets.BLACKDUCK_API_TOKEN }} ${{ github.event.repository.name }} ${{ github.ref_type }}/${{ github.ref_name }} - - - name: Set current date as env variable - id: get-date - shell: bash - run: | - echo "NOW=$(date +'%Y-%m-%dT%H-%M-%S')" >> $GITHUB_ENV; - - - name: get report names - id: get-report-names - shell: bash - run: | - echo "pdf-name=`ls -1 /tmp/reports/*.pdf | sed 's#.*/##'`" >> $GITHUB_ENV; - - - name: Normalize report names - id: normalize-report-names - shell: bash - run: | - cd /tmp/reports/ ; - mv ${{ env.pdf-name }} ${{ env.NOW }}-${{ env.pdf-name }}; - mv sbom.zip ${{ env.NOW }}-${{ github.event.repository.name }}-`echo ${{ github.ref_name }}| sed -e 's/\//-/g'`-sbom.zip; - - - - name: Create report artifact - id: create-report-artifact - uses: actions/upload-artifact@v3 - with: - name: risk-report - path: /tmp/reports/*.pdf - - - - name: Create sbom artifact - id: create-sbom-artifact - uses: actions/upload-artifact@v3 - with: - name: sbom-report - path: /tmp/reports/*-sbom.zip - - - Deploy-to-S3: - needs: Blackduck-Scan - runs-on: ubuntu-20.04 - permissions: # These permissions are needed to interact with GitHub's OIDC Token endpoint. - id-token: write - contents: read - steps: - - - name: Download Artifacts - id: download-artifact - uses: actions/download-artifact@v3 - with: - path: /tmp/reports/ - - - name: Configure AWS Credentials - id: configure-aws-credentials - uses: aws-actions/configure-aws-credentials@v1-node16 - with: - role-to-assume: arn:aws:iam::934964804737:role/github-actions-foundation-security - role-session-name: blackduck-public-repo - role-duration-seconds: 1200 #20 minute TTL - aws-region: us-east-1 - - - name: Upload to results to S3 - id: s3-upload - shell: bash - run: | - if [ "$(ls -A /tmp/reports/)" ]; then - aws s3 cp /tmp/reports/ s3://foundation-security/blackduck/${{ github.event.repository.name }}/ --recursive; - fi - continue-on-error: true - env: - AWS_EC2_METADATA_DISABLED: 'true' - diff --git a/.github/workflows/blackduck/get_bd_sbom.sh b/.github/workflows/blackduck/get_bd_sbom.sh deleted file mode 100644 index a53122c13..000000000 --- a/.github/workflows/blackduck/get_bd_sbom.sh +++ /dev/null @@ -1,200 +0,0 @@ -#!/usr/bin/env bash - -set -E - -#### Functions - -function show_banner { - echo "==============================================================" - echo " Create Blackduck SBOM " - echo "==============================================================" - echo -} - -function show_usage { - echo - echo "Usage: ./get-bd-sbom.sh " -} - -function get_bearer { - result=$(curl --silent --location --request POST "${blackduck_url}api/tokens/authenticate" \ - --header "Authorization: token $blackduck_token") - if [[ $(echo "$result" | jq -r .errorCode) != null ]] - then - >&2 echo "ERROR: No bearer token found" - exit 1 - else - echo "$result" | jq -r .bearerToken - fi -} - -function get_project_id { - result=$(curl --silent --location --request GET "${blackduck_url}api/projects?q=name:$project" \ - --header "Authorization: Bearer $bearer_token") - if [[ $(echo "$result" | jq -r .totalCount) -eq 0 ]] - then - >&2 echo "ERROR: No project found with name: $project" - exit 1 - else - echo "$result" | jq -r .items[0]._meta.href - fi -} - -function get_version_id { - result=$(curl --silent --location --request GET "$project_api_url/versions?q=versionName:$version" \ - --header "Authorization: Bearer $bearer_token") - if [[ $(echo "$result" | jq -r .totalCount) -eq 0 ]] - - then - >&2 echo "ERROR: No version found with name: $version" - exit 1 - else - echo "$result" | jq -r .items[0]._meta.href - fi -} - -function create_sbom_report { - dataraw="{\"reportFormat\": \"JSON\", \"reportType\" : \"SBOM\", \"sbomType\" : \"SPDX_22\"}" - result=$(curl --silent --location --request POST "$version_api_url/sbom-reports" \ - --header "Authorization: Bearer $bearer_token" \ - --header 'Accept: application/json' \ - --header 'Content-Type: application/json' \ - --data-raw "$dataraw" ) - if [ "$result" != "" ] - then - >&2 echo "ERROR: error in creating SBOM report" - >&2 echo $result - exit 1 - fi -} - -function get_report_id { - report_status="IN_PROGRESS" - max_retries=50 - retries=0 - - while [ "$report_status" = "IN_PROGRESS" ] - do - ((retries++)) - if [ "$retries" -gt "$max_retries" ]; - then - >&2 echo "ERROR: max retries reached" - exit 1 - fi - echo "| attempt $retries of $max_retries to get SPDX report" - sleep 15 - result=$(curl --silent --location --request GET "$version_api_url/reports" \ - --header "Authorization: Bearer $bearer_token" \ - --header 'Content-Type: application/json') - report_api_url=$(echo "$result" | jq -r '.items[0]._meta.href') - report_status=$(echo "$result" | jq -r '.items[0].status') - echo "| - report_status: $report_status" - done - - if [ "$report_status" != "COMPLETED" ]; - then - >&2 echo " ERROR: report_status is not COMPLETED, it is $report_status." - exit 1 - fi -} - -function download_sbom_report { - curl --silent --location --request GET "$report_api_url/download.zip" \ - -o /tmp/reports/sbom.zip \ - --header "Authorization: Bearer $bearer_token" \ - --header 'Content-Type: application/zip' -} - -function get_report_contents { - curl --silent --location --request GET "$report_api_url/contents" \ - --header "Authorization: Bearer $bearer_token" \ - --header 'Content-Type: application/json' | jq -rc .reportContent[0].fileContent -} - - -#### Main program - -show_banner - -error=false - -if [ -z "$1" ] - then - echo "ERROR: No blackduck-url supplied" - error=true -fi - -if [ -z "$2" ] - then - echo "ERROR: No blackduck-api-token supplied" - error=true -fi - -if [ -z "$3" ] - then - echo "ERROR: No project-name supplied" - error=true -fi - -if [ -z "$4" ] - then - echo "ERROR: No version-name supplied" - error=true -fi - -if [ $error == "true" ] - then - show_usage - exit 1 -fi - -blackduck_url=$1 -blackduck_token=$2 -project=$3 -version=$4 - -sbom_type="SPDX_22" - -echo "+ getting bearer" -bearer_token=$(get_bearer) -echo "| got bearer" -echo - -echo "+ getting project api base url" -project_api_url=$(get_project_id) -echo "| got project api base url: ${project_api_url}" -echo - -echo "+ getting version api base url" -version_api_url=$(get_version_id) -echo "| got version api base url: ${version_api_url}" -echo - -echo "+ creating SBOM report" -if [ "${NO_CREATE}" == true ] -then - echo "| We're not creating a new report for the because of the secret environment variable NO_CREATE" -else - create_sbom_report - echo "| triggered creating SBOM report" -fi -echo - -echo "+ getting SBOM report api base url" -get_report_id -echo "| got SBOM report status: ${report_status}" -echo "| got SBOM report api base url: ${report_api_url}" -echo - -echo "+ getting SBOM report" -download_sbom_report -echo "| got SBOM report" -echo - -echo "+ getting content information" -report_contents=$(get_report_contents) -echo "| got content information" -echo - -echo "sbom-file=sbom.zip" >> $GITHUB_OUTPUT -echo "sbom-contents=${report_contents}" >> $GITHUB_OUTPUT