feat: add a job generating software bill of materials

Signed-off-by: Clement Bois <clement.bois@orange.com>

README.md

@@ -397,6 +397,18 @@ In addition to a textual report in the console, this job produces the following
 | `reports/docker-trivy-*.native.json` | native Trivy report format (json) | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#trivy)<br/>_This report is generated only if DefectDojo template is detected_ |
 | `reports/docker-trivy-*.gitlab.json` | [Trivy report format for GitLab](https://aquasecurity.github.io/trivy/v0.30.4/docs/integrations/gitlab-ci/) format | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscontainer_scanning) |
 
+### `docker-sbom` job
+
+This job generates a [SBOM](https://cyclonedx.org/) file listing installed packages using [syft](https://github.com/anchore/syft).
+
+It is bound to the `package-test` stage, and uses the following variables:
+
+| Name                  | description                            | default value     |
+| --------------------- | -------------------------------------- | ----------------- |
+| `DOCKER_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
+| `DOCKER_SBOM_IMAGE` | The docker image used to emit SBOM | `anchore/syft:debug` |
+| `DOCKER_SBOM_OPTS` | Options for syft used for SBOM analysis | `--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger` |
+
 ### `docker-publish` job
 
 This job pushes (_promotes_) the built image as the _release_ image [skopeo](https://github.com/containers/skopeo).

kicker.json

@@ -174,6 +174,24 @@
           "advanced": true
         }
       ]
+    },
+    {
+      "id": "sbom",
+      "name": "Software Bill of Materials",
+      "description": "This job generates a file listing all dependencies using [syft](https://github.com/anchore/syft)",
+      "disable_with": "DOCKER_SBOM_DISABLED",
+      "variables": [
+        {
+          "name": "DOCKER_SBOM_IMAGE",
+          "default": "anchore/syft:debug"
+        },
+        {
+          "name": "DOCKER_SBOM_OPTS",
+          "description": "Options for syft used for SBOM analysis",
+          "default": "--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger",
+          "advanced": true
+        }
+      ]
     }
   ],
   "variants": [

templates/gitlab-ci-docker.yml

@@ -69,6 +69,10 @@ variables:
   DOCKER_TRIVY_IMAGE: "aquasec/trivy:latest"
   DOCKER_TRIVY_ARGS: "--ignore-unfixed --vuln-type os"
 
+  # SBOM genenration image and arguments
+  DOCKER_SBOM_IMAGE: anchore/syft:debug
+  DOCKER_SBOM_OPTS: "--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger"
+
   # by default: DevOps pipeline
   PUBLISH_ON_PROD: "true"
 
@@ -677,6 +681,31 @@ docker-trivy:
       when: never
     - !reference [.test-policy, rules]
 
+docker-sbom:
+  extends: .docker-base
+  stage: package-test
+  image:
+    name: $DOCKER_SBOM_IMAGE
+    entrypoint: [""]
+  # force no dependency
+  dependencies: []
+  script:
+    - mkdir -p -m 777 reports
+    - dockerfile_hash=$(md5sum "$DOCKER_FILE" | cut -d" " -f1)
+    - /syft packages $DOCKER_SNAPSHOT_IMAGE $DOCKER_SBOM_OPTS -o cyclonedx-json=reports/docker-sbom-${dockerfile_hash}.cyclonedx.json
+    - chmod a+r reports/docker-sbom-${dockerfile_hash}.cyclonedx.json
+  artifacts:
+    name: "SBOM for docker from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
+    expire_in: 1 week
+    when: always
+    paths:
+      - "reports/docker-sbom-*.cyclonedx.json"
+  rules:
+    # exclude if disabled
+    - if: '$DOCKER_SBOM_DISABLED == "true"'
+      when: never
+    - !reference [.test-policy, rules]
+
 # ==================================================
 # Stage: publish
 # ==================================================