Merge branch 'feat/sbom-go-image' into 'master'

feat: use go image for sbom job Closes #42 See merge request to-be-continuous/golang!79

Merge branch 'feat/sbom-go-image' into 'master'
52a720ff · Cédric OLIVIER · 61e72657 · 9b7e4ee0 · 52a720ff · 52a720ff
Commit 52a720ff authored 1 month ago by Cédric OLIVIER
--- a/README.md
+++ b/README.md
@@ -257,7 +257,7 @@ It is bound to the `test` stage, and uses the following variables:
 | --------------------- | -------------------------------------- | ----------------- |
 | `sbom-disabled` / `GO_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
 | `TBC_SBOM_MODE`                      | Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `GO_SBOM_DISABLED` takes precedence | `onrelease` |
-| `sbom-image` / `GO_SBOM_IMAGE` | Image of cyclonedx-gomod used for SBOM analysis | `registry.hub.docker.com/cyclonedx/cyclonedx-gomod:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-GO_SBOM_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-GO_SBOM_IMAGE) |
+| `sbom-image` / `GO_SBOM_IMAGE` | Specific Docker image used to run cyclonedx-gomod | `$GO_IMAGE` |
 | `sbom-opts` / `GO_SBOM_OPTS` | [@cyclonedx/cyclonedx-gomod options](https://github.com/CycloneDX/cyclonedx-gomod#usage) used for SBOM analysis | `-main .` |
 :warning: if you don't have your main class located at the root of your `GO_PROJECT_DIR`, then you will need to override the `-main` option in `GO_SBOM_OPTS` and define your real main class location.

--- a/kicker.json
+++ b/kicker.json
@@ -150,7 +150,9 @@
        },
        {
          "name": "GO_SBOM_IMAGE",
-          "default": "registry.hub.docker.com/cyclonedx/cyclonedx-gomod:latest"
+          "description": "Specific Docker image used to run cyclonedx-gomod",
+          "advanced": true,
+          "default": "$GO_IMAGE"
        },
        {
          "name": "GO_SBOM_OPTS",

--- a/templates/gitlab-ci-golang.yml
+++ b/templates/gitlab-ci-golang.yml
@@ -109,7 +109,8 @@ spec:
      type: boolean
      default: false
    sbom-image:
-      default: registry.hub.docker.com/cyclonedx/cyclonedx-gomod:latest
+      description: Specific Docker image used to run cyclonedx-gomod
+      default: '$GO_IMAGE'
    sbom-opts:
      description: '[@cyclonedx/cyclonedx-gomod options](https://github.com/CycloneDX/cyclonedx-gomod#usage) used for SBOM analysis'
      default: -main .
@@ -807,7 +808,7 @@ go-sbom:
  image:
    name: $GO_SBOM_IMAGE
    entrypoint: [""]
-  # manage separate GitLab cache to prevent permission denied error (this image being rootless, it can't rewrite Go cache - owned by root)
+  # manage separate GitLab cache to prevent permission denied error (cyclonedx-gomod image being rootless, it can't rewrite Go cache - owned by root)
  # see: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/29663
  cache:
    key: "$CI_COMMIT_REF_SLUG-golang-sbom"
@@ -817,10 +818,10 @@ go-sbom:
  dependencies: []
  needs: []
  script:
+    - command -v cyclonedx-gomod > /dev/null || go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
    - mkdir -p -m 777 reports
    - go_mode=$(go_build_mode)
-    - |
+    - cyclonedx-gomod "${go_mode:0:3}" -json -output reports/go-sbom.cyclonedx.json $GO_SBOM_OPTS
-      cyclonedx-gomod "${go_mode:0:3}" -json -output reports/go-sbom.cyclonedx.json $GO_SBOM_OPTS
    - chmod a+r reports/go-sbom.cyclonedx.json
  artifacts:
    name: "SBOM for golang from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"