Commit 97dda2f4 authored by Abd-Rahim Boumkassar's avatar Abd-Rahim Boumkassar Committed by Pierre Smeyers

feat: add a job generating software bill of materials

parent 5d4b6dbe
+12 −0
@@ -154,3 +154,15 @@ More info:

:warning: an [unsolved issue](https://jira.sonarsource.com/browse/SONARSLANG-450) may prevent SonarQube Go plugin from
importing your test reports.

### `php-sbom` job

This job generates a [SBOM](https://cyclonedx.org/) file listing installed packages using [@cyclonedx/cyclonedx-gomod](https://github.com/CycloneDX/cyclonedx-gomod).

It is bound to the `test` stage, and uses the following variables:

| Name                  | description                            | default value     |
| --------------------- | -------------------------------------- | ----------------- |
| `GO_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
| `GO_SBOM_IMAGE` | Image of cyclonedx-gomod used for SBOM analysis | cyclonedx/cyclonedx-gomod:latest |
| `GO_SBOM_OPTS` | [@cyclonedx/cyclonedx-gomod options](https://github.com/CycloneDX/cyclonedx-gomod#usage) used for SBOM analysis | `--main .` |
+20 −0
@@ -114,6 +114,26 @@
          "advanced": true
        }
      ]
    },
    {
      "id": "dtsi",
      "name": "DTSI",
      "description": "Generates SBOM file for [Dependency Track](https://dependencytrack.org/) using [cyclonedx-gomod](https://github.com/CycloneDX/cyclonedx-gomod)",
      "target_project": "to-be-continuous/golang",
      "template_path": "templates/gitlab-ci-golang-dtsi.yml",
      "variables": [
        {
          "name": "GO_SBOM_IMAGE",
          "description": "Image of cyclonedx-gomod used for SBOM analysis",
          "default": "cyclonedx/cyclonedx-gomod:latest"
        },
        {
          "name": "GO_SBOM_OPTS",
          "description": "Options for cyclonedx-gomod used for SBOM analysis",
          "default": "--main .",
          "advanced": true
        }
      ]
    }
  ]
}
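Review bot: The new `dtsi` variant entry points at `templates/gitlab-ci-golang-dtsi.yml`, yet the three sections on this page are a documentation file, this descriptor and the main template (its `+30 −0` section adds the `go-sbom` job at `@@ -465` of a file that already exists), so unless that variant template predates this commit the entry references a file that is not added here. The two variables it declares, `GO_SBOM_IMAGE` and `GO_SBOM_OPTS`, are exactly the ones the main template now defines in its `variables:` block, which suggests they belong to the main template's variable list rather than to a variant; if the variant is intended to be the Dependency Track upload step, its `description` and variable list should describe that instead of SBOM generation. The `--main .` default here also differs from the `-main .` used in the template, and the two should be spelled identically so the descriptor does not advertise a value the template never uses.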
+30 −0
@@ -91,6 +91,11 @@ variables:
  # Default arguments for golangci-lint command
  GO_CI_LINT_ARGS: '-E gosec,goimports ./...'

  # Image of cyclonedx-gomod used for SBOM analysis
  GO_SBOM_IMAGE: cyclonedx/cyclonedx-gomod:latest
  # Options for cyclonedx-gomod used for SBOM analysis
  GO_SBOM_OPTS: "-main ."

  # default production ref name (pattern)
  PROD_REF: '/^(master|main)$/'
  # default integration ref name (pattern)
@@ -465,3 +470,28 @@ go-mod-outdated:
    # else manual & non-blocking
    - when: manual
      allow_failure: true

go-sbom:
  extends: .go-base
  stage: test
  image:
    name: $GO_SBOM_IMAGE
    entrypoint: [""]
  # force no dependency
  dependencies: []
  needs: []
  script:
    - mkdir -p -m 777 reports/toto
    - cyclonedx-gomod app -json -output reports/go-sbom.cyclonedx.json $GO_SBOM_OPTS
    - chmod a+r reports/go-sbom.cyclonedx.json
  rules:
    # exclude if disabled
    - if: '$GO_SBOM_DISABLED == "true"'
      when: never
    - !reference [.test-policy, rules]
  artifacts:
    name: "SBOM for golang from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 week
    when: always
    paths:
      - "$GO_PROJECT_DIR/reports/go-sbom.cyclonedx.json"
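Review bot: `mkdir -p -m 777 reports/toto` in the `go-sbom` script creates a world-writable directory with a placeholder name that nothing else in the job references — the tool writes to `reports/go-sbom.cyclonedx.json` — so it should be `mkdir -p reports`, with the following `chmod a+r` kept only if a later stage actually reads the artifact as a different user. `GO_SBOM_IMAGE` defaults to `cyclonedx/cyclonedx-gomod:latest`, meaning the tool that produces the supply-chain inventory is itself unpinned; a version tag or digest would make the generated SBOM reproducible across pipeline runs, and a comment such as `# pin to a released cyclonedx-gomod version for reproducible SBOMs` next to the default would record the intent. The `GO_SBOM_OPTS` default here is `-main .` while the descriptor and documentation sections on this page document `--main .`; if cyclonedx-gomod parses flags with Go's standard `flag` package both spellings work, but the three copies should agree, and the documentation section also titles the job `php-sbom` rather than `go-sbom`. The artifact path is `$GO_PROJECT_DIR/reports/...` while the script writes to a relative `reports/` — this presumably relies on `.go-base` changing into `$GO_PROJECT_DIR`, which is defined outside this hunk, so worth confirming.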