Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support SBOM as a submission format #12

Open
davidkarlsen opened this issue Jun 19, 2022 · 8 comments
Open

Support SBOM as a submission format #12

davidkarlsen opened this issue Jun 19, 2022 · 8 comments
Labels
enhancement New feature or request

Comments

@davidkarlsen
Copy link

See discussion in https://github.com/orgs/github-community/discussions/18918 - it would be great if the toolkit could support SBOM standards out of the box, as this would enable a bridge from existing tooling into the github dependency submission api.
By leveraging existing standards you have a short way from existing standards into the new github features.
@lseppala
Copy link
Contributor

Definitely agree with the usefulness of the toolkit supporting conversion from an SBOM file to a submission to the API. (We originally considered using one of the SBOM standard formats, but for a handful of reasons, chose instead to provide our own, more minimal format.)

Adding this functionality to the toolkit isn't our near-term roadmap, but would welcome any contributions. We would gladly help support PRs to add functionality to this repo, or we may be able to help promote projects that use the toolkit to develop an Action that converts SBOM files and submit.

Leaving this issue open until this is addressed. Thanks for raising!

@davidkarlsen
Copy link
Author

We have a "bridge" in https://github.com/evryfs/sbom-dependency-submission-action - it will take an sbom and post it to gh using your SDK.
Currently in development by @kjetiloen but we expect to release a minimal 1st version this week.

@captn3m0
Copy link

Just started working on this, but the code here looks pretty much what I was writing, so will just use that instead. Thanks @davidkarlsen 💯!

@davidkarlsen
Copy link
Author

@captn3m0 You can try v0.0.1 now - it's released to the marketplace: https://github.com/marketplace/actions/sbom-submission-action

@davidkarlsen
Copy link
Author

Adding this functionality to the toolkit isn't our near-term roadmap, but would welcome any contributions. We would gladly help support PRs to add functionality to this repo, or we may be able to help promote projects that use the toolkit to develop an Action that converts SBOM files and submit.

Maybe we can collab on https://github.com/evryfs/sbom-dependency-submission-action - we just recently released it.
But we see one snag, when submitting several sbom's only one of them show up in the dependencies pane:
Screenshot 2022-07-01 at 14 06 20

vs submission: https://github.com/evryfs/sbom-dependency-submission-action/actions/runs/2590287090

@lseppala
Copy link
Contributor

lseppala commented Jul 1, 2022
edited
Loading

But we see one snag, when submitting several sbom's only one of them show up in the dependencies pane

@davidkarlsen I'll take a look. A common issue is that the job.correlator and job.name must be unique when multiple snapshots are submitted. I'd check to see if this is the case first. From the API documentation page under the job object

Correlator provides a key that is used to group snapshots submitted over time. Only the "latest" submitted snapshot for a given combination of job.correlator and detector.name will be considered when calculating a repository's current dependencies. Correlator should be as unique as it takes to distinguish all detection runs for a given "wave" of CI workflow you run. If you're using GitHub Actions, a good default value for this could be the environment variables GITHUB_WORKFLOW and GITHUB_JOB concatenated together. If you're using a build matrix, then you'll also need to add additional key(s) to distinguish between each submission inside a matrix variation.

@davidkarlsen
Copy link
Author

But we see one snag, when submitting several sbom's only one of them show up in the dependencies pane

@davidkarlsen I'll take a look. A common issue is that the job.correlator and job.name must be unique when multiple snapshots are submitted. I'd check to see if this is the case first. From the API documentation page under the job object

Correlator provides a key that is used to group snapshots submitted over time. Only the "latest" submitted snapshot for a given combination of job.correlator and detector.name will be considered when calculating a repository's current dependencies. Correlator should be as unique as it takes to distinguish all detection runs for a given "wave" of CI workflow you run. If you're using GitHub Actions, a good default value for this could be the environment variables GITHUB_WORKFLOW and GITHUB_JOB concatenated together. If you're using a build matrix, then you'll also need to add additional key(s) to distinguish between each submission inside a matrix variation.

As you see from the job logs the filename is part of the correlator and thus unique

@stevespringett
Copy link

@davidkarlsen Thanks for the submission and work on the sbom-submission-action. It's been added to the CycloneDX Tool Center.

@jonjanego jonjanego added the enhancement New feature or request label Jul 15, 2024
@jonjanego jonjanego changed the title Support SBOM Support SBOM as a submission format Jul 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@davidkarlsen @captn3m0 @jonjanego @stevespringett @lseppala