From 6cb271973e7bdcd2a297b96c16a3a13dd42296be Mon Sep 17 00:00:00 2001
From: Clement Bois <clement.bois@orange.com>
Date: Tue, 8 Aug 2023 14:20:48 +0200
Subject: [PATCH] fix: add component name to sbom
---
 README.md | 1 +
 kicker.json | 6 ++++++
 templates/gitlab-ci-python.yml | 3 ++-
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 081a429..8a4e920 100644
--- a/README.md
+++ b/README.md
@@ -243,6 +243,7 @@ It is bound to the `test` stage, and uses the following variables:
 | --------------------- | -------------------------------------- | ----------------- |
 | `PYTHON_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
 | `PYTHON_SBOM_SYFT_URL` | Url to the `tar.gz` package for `linux_amd64` of Syft to use (ex: `https://github.com/anchore/syft/releases/download/v0.62.3/syft_0.62.3_linux_amd64.tar.gz`)<br/>_When unset, the latest version will be used_ | _none_ |
+| `PYTHON_SBOM_NAME` | Component name of the emitted SBOM | `$CI_PROJECT_PATH/$PYTHON_PROJECT_DIR` |
 | `PYTHON_SBOM_OPTS` | Options for syft used for SBOM analysis | `--catalogers python-index-cataloger` |
 In addition to logs in the console, this job produces the following reports, kept for one week:
diff --git a/kicker.json b/kicker.json
index 65ac497..0aa1a7c 100644
--- a/kicker.json
+++ b/kicker.json
@@ -161,6 +161,12 @@
 "description": "Url to the `tar.gz` package for `linux_amd64` of Syft to use\n\n_When unset, the latest version will be used_",
 "advanced": true
 },
+ {
+ "name": "PYTHON_SBOM_NAME",
+ "description": "Component name of the emitted SBOM",
+ "default": "$CI_PROJECT_PATH/$PYTHON_PROJECT_DIR",
+ "advanced": true
+ },
 {
 "name": "PYTHON_SBOM_OPTS",
 "description": "Options for syft used for SBOM analysis",
diff --git a/templates/gitlab-ci-python.yml b/templates/gitlab-ci-python.yml
index 78b327d..46daf07 100644
--- a/templates/gitlab-ci-python.yml
+++ b/templates/gitlab-ci-python.yml
@@ -92,6 +92,7 @@ variables:
 PYTHON_TRIVY_IMAGE: "registry.hub.docker.com/aquasec/trivy:latest"
 PYTHON_TRIVY_ARGS: "--vuln-type library"
+ PYTHON_SBOM_NAME: "$CI_PROJECT_PATH/$PYTHON_PROJECT_DIR"
 PYTHON_SBOM_OPTS: "--catalogers python-index-cataloger"
 PYTHON_RELEASE_NEXT: "minor"
@@ -849,7 +850,7 @@ py-sbom:
 mkdir -p $PIP_CACHE_DIR
 mv ./syft $python_sbom_syft
 fi
- - $python_sbom_syft dir:. $PYTHON_SBOM_OPTS -o cyclonedx-json > reports/py-sbom.cyclonedx.json
+ - $python_sbom_syft dir:. --source-name $PYTHON_SBOM_NAME $PYTHON_SBOM_OPTS -o cyclonedx-json > reports/py-sbom.cyclonedx.json
 - chmod a+r reports/py-sbom.cyclonedx.json
 artifacts:
 name: "Python SBOM from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
--
GitLab
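Review bot: The default `"$CI_PROJECT_PATH/$PYTHON_PROJECT_DIR"` added on the `PYTHON_SBOM_NAME` line produces a component name ending in `/.` whenever `PYTHON_PROJECT_DIR` is `.`, which looks like a plausible value for a project-directory variable (its default is outside this hunk, so this may not apply). Since this value ends up as the SBOM's component identity and consumers will key on it, consider documenting the intended shape above the line, e.g. `# CycloneDX metadata.component.name; override when PYTHON_PROJECT_DIR is '.' to avoid a trailing '/.'`, or normalising the value in the py-sbom script before use. The `variables:` block continues outside the hunk.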
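Review bot: `$PYTHON_SBOM_NAME` is passed unquoted directly after `--source-name` on the changed script line, so a project that overrides the variable to an empty string makes `--source-name` consume the first token of `$PYTHON_SBOM_OPTS` (`--catalogers` by default) as the name and silently drops that option from the analysis. Quote the value and emit the flag only when it is non-empty: `$python_sbom_syft dir:. ${PYTHON_SBOM_NAME:+--source-name "$PYTHON_SBOM_NAME"} $PYTHON_SBOM_OPTS -o cyclonedx-json > reports/py-sbom.cyclonedx.json`. The flag is also now unconditional while `PYTHON_SBOM_SYFT_URL` lets users pin an arbitrary Syft release (the README example pins v0.62.3); if `--source-name` is newer than such releases the job fails on a pinned version, so the minimum Syft version is worth verifying and documenting next to the variable. The `py-sbom` job definition starts before this hunk.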