Feature/cli SBOM (#31)

* include sbom in cli release step Signed-off-by: Fabian Kammel <fabian.kammel@control-plane.io> --------- Signed-off-by: Fabian Kammel <fabian.kammel@control-plane.io>
datosh-org · Dec 4, 2023 · cac8a68 · cac8a68
1 parent e9a51b4
commit cac8a68
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 7 deletions.
diff --git a/.github/workflows/calculator-cli.yml b/.github/workflows/calculator-cli.yml
@@ -21,21 +21,30 @@ jobs:
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version-file: 'go.mod'
+      - name: Install syft & grype
+        uses: ./.github/actions/install_syft_grype
+        with:
+          syftVersion: "0.98.0"
+          grypeVersion: "0.73.3"
       - name: Build Calculator
         run: |
           make build-cli
+          syft calculator \
+            -o spdx-json=calculator.spdx.json
       - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: calculator
           path: calculator
+      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: calculator.spdx.json
+          path: calculator.spdx.json
       - name: Compute calculator hash
         id: calculator-hash
         run: |
-          CALCULATOR_HASH=$(sha256sum calculator | base64 -w0)
+          CALCULATOR_HASH=$(sha256sum calculator calculator.spdx.json | base64 -w0)
           echo calculator-hash=${CALCULATOR_HASH} >> $GITHUB_OUTPUT
 
-# TODO: Add SBOM generation, record both hashes
-
   provenance:
     permissions:
       actions: read
@@ -46,6 +55,7 @@ jobs:
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
     with:
       base64-subjects: "${{ needs.build-calculator.outputs.calculator-hash }}"
+      provenance-name: calculator.intoto.jsonl
 
   provenance-verify:
     runs-on: ubuntu-22.04
@@ -84,6 +94,10 @@ jobs:
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: calculator
+      - name: Download SBOM
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: calculator.spdx.json
       - name: Download provenance
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
@@ -92,4 +106,4 @@ jobs:
         uses: ncipollo/release-action@6c75be85e571768fa31b40abf38de58ba0397db5 # v1.13.0
         with:
           draft: true
-          artifacts: "calculator,calculator.intoto.jsonl"
+          artifacts: "calculator,calculator.spdx.json,calculator.intoto.jsonl"
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,7 @@
 calculator
+calculator.intoto.jsonl
+calculator.sbom
+calculator.spdx.json
 calculator-service
 cyclone.json
 spdx.json

diff --git a/README.md b/README.md
@@ -271,7 +271,7 @@ make build-svc
 To protect the container image from malicious tampering, we want to sign it:
 
 ```sh
-# Note that this process stored public information in the transparency log.
+# Note that this process stores public information in the transparency log.
 cosign sign calculator-svc
 # Verify locally signed image
 cosign verify \
@@ -524,14 +524,16 @@ same time.
 
 Furthermore, [it can help you achieve SLSA Build level 3, use of the provided GitHub Actions reusable workflows alone is not sufficient to meet all of the requirements at SLSA Build level 3. Specifically, these workflows do not address provenance distribution or verification.](https://github.com/slsa-framework/slsa-github-generator#what-is-slsa-github-generator)
 
-For the pipeline implementation refer to [workflows/calculator-svc.yml](.github/workflows/calculator-svc.yml).
+For the pipeline implementation refer to [workflows/calculator-cli.yml](.github/workflows/calculator-cli.yml).
 
 ### SLSA-Verifier
 
 Once a release was generated we can use [SLSA-Verifier](https://github.com/slsa-framework/slsa-verifier) to verify both the cryptographic signature, as well as contents of the provenance document, before consuming the binary.
 
 ```sh
-# TODO: curl the required artifacts from release page
+curl -LO https://github.com/datosh-org/most-secure-calculator/releases/download/v0.1.0/calculator
+curl -LO https://github.com/datosh-org/most-secure-calculator/releases/download/v0.1.0/calculator.sbom
+curl -LO https://github.com/datosh-org/most-secure-calculator/releases/download/v0.1.0/calculator.intoto.jsonl
 
 slsa-verifier verify-artifact calculator \
   --provenance-path calculator.intoto.jsonl \