Develop (#115)

* bom analysis tool deployment docs * Use Develop as target branch * Bump phoenix_html from 2.14.2 to 2.14.3 Bumps [phoenix_html](https://github.com/phoenixframework/phoenix_html) from 2.14.2 to 2.14.3. - [Release notes](https://github.com/phoenixframework/phoenix_html/releases) - [Changelog](https://github.com/phoenixframework/phoenix_html/blob/master/CHANGELOG.md) - [Commits](phoenixframework/phoenix_html@v2.14.2...v2.14.3) Signed-off-by: dependabot[bot] <[email protected]> * Bump credo from 1.5.1 to 1.5.3 Bumps [credo](https://github.com/rrrene/credo) from 1.5.1 to 1.5.3. - [Release notes](https://github.com/rrrene/credo/releases) - [Changelog](https://github.com/rrrene/credo/blob/master/CHANGELOG.md) - [Commits](rrrene/credo@v1.5.1...v1.5.3) Signed-off-by: dependabot[bot] <[email protected]> * Revert "Bump webpack-cli from 3.3.12 to 4.2.0 in /assets" * Automate sbom generation (#109) * added sbom dependancy * automate bom creation process * updated instruction of generating sbom file * update when error occurs on macos * checkin udated lock file Co-authored-by: sigu <[email protected]> * use hexpm elixir docker image (#104) * change schedule interval (#116) * Auto create bom on release (#117) * zip readme to test release asset creation * create bom assets Co-authored-by: sigu <[email protected]> Co-authored-by: Wanjiku Macharia <[email protected]> Co-authored-by: WanjikuMac <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sigu Magwa <[email protected]>
sparrell · Dec 15, 2020 · 54c4825 · 54c4825
1 parent ab1ab81
commit 54c4825
Show file tree

Hide file tree

Showing 9 changed files with 283 additions and 294 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -4,10 +4,10 @@ updates:
     directory: "/assets"
     target-branch: "develop"
     schedule:
-      interval: "daily"
+      interval: "monthly"
 
   - package-ecosystem: "mix"
     directory: "/"
     target-branch: "develop"
     schedule:
-      interval: "daily"
+      interval: "monthly"
diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
@@ -0,0 +1,63 @@
+on:
+  push:
+    tags:
+    - 'v*'
+
+name: Upload Release Asset
+
+jobs:
+  build:
+    name: Upload Release Asset
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Elixir
+        uses: actions/setup-elixir@v1
+        with:
+          elixir-version: '1.11.2' # Define the elixir version [required]
+          otp-version: '22.3' # Define the OTP version [required]
+      - name: Restore dependencies cache
+        uses: actions/cache@v2
+        with:
+          path: deps
+          key: ${{ runner.os }}-mix-${{ hashFiles('**/mix.lock') }}
+          restore-keys: ${{ runner.os }}-mix-
+      - name: Setup Node
+        uses: actions/setup-node@v1
+        with:
+          node-version: 14.13.0
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build project
+        run: |
+          curl -L -o cyclonedx-cli https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.7.0/cyclonedx-linux-x64
+          chmod a+x cyclonedx-cli
+          make sbom
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: Release ${{ github.ref }}
+          draft: false
+          prerelease: false
+      - name: Upload SBOM Json
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./bom.json
+          asset_name: bom.json
+          asset_content_type: application/octet-stream
+      - name: Upload SBOM XML
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./bom.xml
+          asset_name: bom.xml
+          asset_content_type: application/octet-stream
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # heavily borrowed from https://elixirforum.com/t/cannot-find-libtinfo-so-6-when-launching-elixir-app/24101/11?u=sigu
-FROM elixir:1.11.2 AS app_builder
+FROM  hexpm/elixir:1.11.2-erlang-22.3-debian-buster-20200224  AS app_builder
 
 ARG env=prod
 
@@ -14,6 +14,7 @@ RUN mix local.hex --force && mix local.rebar --force
 
 COPY mix.exs .
 COPY mix.lock .
+RUN apt-get update && apt-get install curl make  gcc -y 
 RUN mix deps.get && mix deps.compile
 
 # Let's make sure we have node
@@ -23,7 +24,7 @@ RUN curl -sL https://deb.nodesource.com/setup_14.x | bash - && \
 # Compile assets
 COPY assets ./assets
 RUN npm install --prefix ./assets && \
-    npm run deploy --prefix ./assets
+     npm run deploy --prefix ./assets
 
 # Now, let's go with the actual elixir code. The order matters: if we only
 # change elixir code, all the above layers will be cached ~ less image build time.

diff --git a/Makefile b/Makefile
@@ -67,10 +67,11 @@ test: ## Run the test suite
 .PHONY: format
 format: mix format ## Run formatting tools on the code
 
-.PHONY: sbom ## create sbom file for both hex and npm dependancies
-sbom:
-	mix sbom.cyclonedx -o elixir_bom.xml
-	cd assets && cyclonedx-bom -o ../bom.xml -a ../elixir_bom.xml && cd ..
+.PHONY: sbom
+sbom: ## creates sbom for both  npm and hex dependancies
+	mix deps.get && mix sbom.cyclonedx -o elixir_bom.xml
+	cd assets/  && npm install && npm install -g @cyclonedx/bom && cyclonedx-bom -o ../bom.xml -a ../elixir_bom.xml && cd ..
+	./cyclonedx-cli convert --input-file bom.xml --output-file bom.json
 
 
 release: ## Build a release of the application with MIX_ENV=prod
@@ -123,3 +124,5 @@ deploy-existing-image:
 .PHONY: update-instance
 update-instance:
 	gcloud compute instances update-container $(instance-name) --container-image gcr.io/twinklymaha/sbom:$(image-tag)
+
+
diff --git a/README.md b/README.md
@@ -50,7 +50,20 @@ sbom                   Create SBOM file for hex and npm deps
 ```
 
 ## Generating SBOM file
-To generate an sbom file, use the make task `make sbom` to generate an `sbom.xml` file on the project root
+
+To generate an sbom file, use the make task `make sbom` to generate a `bom.json` and `bom.xml` file on the project root.
+
+**Before you begin:**
+ - [Download cyclonedx-cli tool](https://github.com/CycloneDX/cyclonedx-cli/releases) that supports converting
+ of sbom in different formats.
+ - Ensure that the `cyclonedx-cli tool` is executable, if not use the command to make it executable `chmod a+x cyclonedx-cli tool`
+ - Add the `cyclonedx-cli tool` to the root of the project and rename it to `cyclonedx-cli**
+
+**Note: If you get an error on MacOS**
+```shell
+cannot be opened because the developer cannot be verified. macOS cannot verify that this app is free from malware
+```
+You might get an error when running this command on a mac, follow [instructions on stackoverflow](https://stackoverflow.com/a/59899342/4137155) to allow the binary to execute
 
 ## BOM analysis tool
 If you want to deploy your own bom analysis tool, you can [follow this instructions](./docs/dependancy-tracker.md) to get set up