Merge branch 'feat/sbom-go-image' into 'master'

feat: use go image for sbom job

Closes #42

See merge request to-be-continuous/golang!79

README.md

@@ -257,7 +257,7 @@ It is bound to the `test` stage, and uses the following variables:
 | --------------------- | -------------------------------------- | ----------------- |
 | `sbom-disabled` / `GO_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
 | `TBC_SBOM_MODE`                      | Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `GO_SBOM_DISABLED` takes precedence | `onrelease` |
-| `sbom-image` / `GO_SBOM_IMAGE` | Image of cyclonedx-gomod used for SBOM analysis | `registry.hub.docker.com/cyclonedx/cyclonedx-gomod:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-GO_SBOM_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-GO_SBOM_IMAGE) |
+| `sbom-image` / `GO_SBOM_IMAGE` | Specific Docker image used to run cyclonedx-gomod | `$GO_IMAGE` |
 | `sbom-opts` / `GO_SBOM_OPTS` | [@cyclonedx/cyclonedx-gomod options](https://github.com/CycloneDX/cyclonedx-gomod#usage) used for SBOM analysis | `-main .` |
 
 :warning: if you don't have your main class located at the root of your `GO_PROJECT_DIR`, then you will need to override the `-main` option in `GO_SBOM_OPTS` and define your real main class location.

kicker.json

@@ -150,7 +150,9 @@
         },
         {
           "name": "GO_SBOM_IMAGE",
-          "default": "registry.hub.docker.com/cyclonedx/cyclonedx-gomod:latest"
+          "description": "Specific Docker image used to run cyclonedx-gomod",
+          "advanced": true,
+          "default": "$GO_IMAGE"
         },
         {
           "name": "GO_SBOM_OPTS",

templates/gitlab-ci-golang.yml

@@ -109,7 +109,8 @@ spec:
       type: boolean
       default: false
     sbom-image:
-      default: registry.hub.docker.com/cyclonedx/cyclonedx-gomod:latest
+      description: Specific Docker image used to run cyclonedx-gomod
+      default: '$GO_IMAGE'
     sbom-opts:
       description: '[@cyclonedx/cyclonedx-gomod options](https://github.com/CycloneDX/cyclonedx-gomod#usage) used for SBOM analysis'
       default: -main .
@@ -807,7 +808,7 @@ go-sbom:
   image:
     name: $GO_SBOM_IMAGE
     entrypoint: [""]
-  # manage separate GitLab cache to prevent permission denied error (this image being rootless, it can't rewrite Go cache - owned by root)
+  # manage separate GitLab cache to prevent permission denied error (cyclonedx-gomod image being rootless, it can't rewrite Go cache - owned by root)
   # see: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/29663
   cache:
     key: "$CI_COMMIT_REF_SLUG-golang-sbom"
@@ -817,10 +818,10 @@ go-sbom:
   dependencies: []
   needs: []
   script:
+    - command -v cyclonedx-gomod > /dev/null || go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
     - mkdir -p -m 777 reports
     - go_mode=$(go_build_mode)
-    - |
-      cyclonedx-gomod "${go_mode:0:3}" -json -output reports/go-sbom.cyclonedx.json $GO_SBOM_OPTS
+    - cyclonedx-gomod "${go_mode:0:3}" -json -output reports/go-sbom.cyclonedx.json $GO_SBOM_OPTS
     - chmod a+r reports/go-sbom.cyclonedx.json
   artifacts:
     name: "SBOM for golang from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"