Commit 1624b74a authored by Abd-Rahim Boumkassar's avatar Abd-Rahim Boumkassar Committed by Pierre Smeyers

feat: add a job generating software bill of materials

parent b9aff3d6
+12 −0
@@ -128,3 +128,15 @@ More info:
* [PHP language support](https://docs.sonarqube.org/latest/analysis/languages/php/)
* [test coverage & execution parameters](https://docs.sonarqube.org/latest/analysis/coverage/)
* [third-party issues](https://docs.sonarqube.org/latest/analysis/external-issues/)

### `php-sbom` job

This job generates a [SBOM](https://cyclonedx.org/) file listing installed packages using [@cyclonedx/cyclonedx-php](https://github.com/CycloneDX/cyclonedx-php-composer).

It is bound to the `test` stage, and uses the following variables:

| Name                  | description                            | default value     |
| --------------------- | -------------------------------------- | ----------------- |
| `PHP_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
| `PHP_SBOM_VERSION` | The version of @cyclonedx/cyclonedx-php used to emit SBOM | _none_ (uses latest) |
| `PHP_SBOM_OPTS` | [@cyclonedx/cyclonedx-php options](https://github.com/CycloneDX/cyclonedx-php-composer#usage) used for SBOM analysis | `--exclude-plugins --exclude-dev` |
+19 −0
@@ -42,6 +42,25 @@
          "advanced": true
        }
      ]
    },
    {
      "id": "sbom",
      "name": "Software Bill of Materials",
      "description": "This job generates a file listing all dependencies using [@cyclonedx/cyclonedx-php](https://github.com/CycloneDX/cyclonedx-php-composer)",
      "disable_with": "PHP_SBOM_DISABLED",
      "variables": [
        {
          "name": "PHP_SBOM_VERSION",
          "description": "Version of the cyclonedx-php-composer used for SBOM analysis",
          "advanced": true
        },
        {
          "name": "PHP_SBOM_OPTS",
          "description": "[`cyclonedx/cyclonedx-php` options](https://github.com/CycloneDX/cyclonedx-php-composer#usage) used for SBOM analysis",
          "default": "--exclude-plugins --exclude-dev",
          "advanced": true
        }
      ]
    }
  ]
}
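Review bot: The added `"description": "Version of the cyclonedx-php-composer used for SBOM analysis"` entry for `PHP_SBOM_VERSION` does not say what an empty value means, while the job script in this same commit installs the tool's latest release in that case and the markdown table documents it as "_none_ (uses latest)"; suggest `"description": "Version of cyclonedx/cyclonedx-php-composer used for SBOM analysis (latest if unset)"`. The package is also named three different ways across the change (`@cyclonedx/cyclonedx-php`, `cyclonedx-php-composer`, `cyclonedx/cyclonedx-php`), and only the Composer package name the script actually requires, `cyclonedx/cyclonedx-php-composer`, resolves for a user searching for it.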
+26 −0
@@ -49,6 +49,9 @@ variables:

  PHP_PROJECT_DIR: "."

  # Version of the cyclonedx/cyclonedx-php-composer used for SBOM analysis
  PHP_SBOM_OPTS: "--exclude-plugins --exclude-dev"

  # default production ref name (pattern)
  PROD_REF: '/^(master|main)$/'
  # default integration ref name (pattern)
@@ -326,3 +329,26 @@ php-codesniffer:
    - if: '$PHP_CODESNIFFER_DISABLED == "true"'
      when: never
    - !reference [.test-policy, rules]

php-sbom:
  extends: .php-base
  stage: test
  # force no dependency
  dependencies: []
  script:
    - mkdir -p -m 777 reports
    - docomposer global config --no-plugins allow-plugins.cyclonedx/cyclonedx-php-composer true
    - docomposer global require "cyclonedx/cyclonedx-php-composer${PHP_SBOM_VERSION:+:$PHP_SBOM_VERSION}"
    - docomposer make-bom --output-file=reports/php-sbom.cyclonedx.json --output-format=JSON --no-interaction $PHP_SBOM_OPTS
    - chmod a+r reports/php-sbom.cyclonedx.json
  artifacts:
    name: "SBOM for PHP from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 week
    when: always
    paths:
      - $PHP_PROJECT_DIR/reports/php-sbom.cyclonedx.json
  rules:
    # exclude if disabled
    - if: '$PHP_SBOM_DISABLED == "true"'
      when: never
    - !reference [.test-policy, rules]
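Review bot: `docomposer global require "cyclonedx/cyclonedx-php-composer${PHP_SBOM_VERSION:+:$PHP_SBOM_VERSION}"` installs whatever Packagist currently serves whenever `PHP_SBOM_VERSION` is unset, so the tool that produces the project's supply-chain record is itself an unpinned build-time dependency, and `PHP_SBOM_VERSION` is never declared under `variables:` in the first hunk, where only `PHP_SBOM_OPTS` is added. Declaring it next to `PHP_SBOM_OPTS` with a pinned default, `PHP_SBOM_VERSION: "<pinned-release>"`, makes successive SBOMs reproducible and the version visible in the project's CI settings; an operator who wants latest can still blank it out. In that first hunk the added comment `# Version of the cyclonedx/cyclonedx-php-composer used for SBOM analysis` sits above `PHP_SBOM_OPTS` and should read `# cyclonedx/cyclonedx-php-composer options used for SBOM analysis`. The artifact path `$PHP_PROJECT_DIR/reports/php-sbom.cyclonedx.json` only matches the script's relative `mkdir -p -m 777 reports` if `.php-base` changes into `PHP_PROJECT_DIR` first; `.php-base` is outside the diff, so that is inferred, and if it does, the world-writable `-m 777` is more than the later `chmod a+r` on the single output file needs.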