#!/bin/bash
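#######################################
# Ensure an SPDX JSON SBOM describes a top-level package.
# If no DESCRIBES relationship points at a package, a package named after
# the repository/version is appended, a DESCRIBES relationship from
# SPDXRef-DOCUMENT to it is added, documentDescribes is set to it and the
# document name becomes "<name>-<version>".
# Globals:   GITHUB_SHA, GITHUB_REF_TYPE, GITHUB_REF_NAME, GITHUB_REPOSITORY,
#            GITHUB_REPOSITORY_OWNER (read; set by GitHub Actions)
# Arguments: $1 - path to the SPDX JSON file (rewritten in place)
#            $2 - package name; empty -> repository name without the owner
#            $3 - version; empty -> tag name on tag builds, otherwise
#                 v0.0.0-<yyyymmddHHMMSS>-<short sha>
# Returns:   0 when the file already describes a package or was updated,
#            1 when jq cannot parse or rewrite the file
#######################################
function update_spdx_sbom {
  local filepath=$1
  local name=$2
  local version=$3
  local tmp="$filepath.tmp"
  local pkgid rc=0

  if [ -z "$name" ]; then
    name=${GITHUB_REPOSITORY#"$GITHUB_REPOSITORY_OWNER/"}
  fi
  if [ -z "$version" ]; then
    if [ "$GITHUB_REF_TYPE" = "tag" ] && [ -n "$GITHUB_REF_NAME" ]; then
      version=$GITHUB_REF_NAME
    else
      # date/git are only spawned when the fallback version is really needed.
      version="v0.0.0-$(date "+%Y%m%d%H%M%S")-$(git rev-parse --short "$GITHUB_SHA")"
    fi
  fi
  pkgid="SPDXRef-Package-$name-$version"

  # jq -e exits 0 when the result is true, 1 when false, 2+ on parse or usage
  # errors. Without -e a select() that matches nothing still exits 0, so an
  # SBOM with an empty or absent relationships list was treated as "already
  # described" and never updated.
  jq -e '[.relationships[]? | select(.relationshipType == "DESCRIBES" and .relatedSpdxElement != "SPDXRef-DOCUMENT")] | length > 0' \
    "$filepath" >/dev/null 2>&1 || rc=$?
  if [ "$rc" -eq 0 ]; then
    return 0
  elif [ "$rc" -ne 1 ]; then
    echo "Error: could not parse SPDX file $filepath (jq exit $rc)" >&2
    return 1
  fi

  # One jq pass with every value passed via --arg (never spliced into the
  # program text), written to a temp file and renamed so the SBOM is never
  # left half-updated by a failing intermediate step.
  if jq --arg docname "$name-$version" --arg pkgid "$pkgid" \
        --arg pkgname "$name" --arg pkgver "$version" \
        '.name = $docname
         | .documentDescribes = [$pkgid]
         | .relationships += [{"relationshipType": "DESCRIBES", "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": $pkgid}]
         | .packages += [{"SPDXID": $pkgid, "name": $pkgname, "versionInfo": $pkgver}]' \
        "$filepath" >"$tmp"; then
    mv -- "$tmp" "$filepath"
  else
    rm -f -- "$tmp"
    echo "Error: failed to update SPDX file $filepath" >&2
    return 1
  fi
}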
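#######################################
# Set metadata.component name/version in a CycloneDX JSON SBOM.
# An explicit name/version argument always wins; otherwise an existing
# non-empty value in the SBOM is kept, and a derived value is written only
# when the SBOM has none.
# Globals:   GITHUB_SHA, GITHUB_REF_TYPE, GITHUB_REF_NAME, GITHUB_REPOSITORY,
#            GITHUB_REPOSITORY_OWNER (read; set by GitHub Actions)
# Arguments: $1 - path to the CycloneDX JSON file (rewritten in place)
#            $2 - name to set; empty -> keep existing, else repository name
#            $3 - version to set; empty -> keep existing, else tag name on
#                 tag builds, else v0.0.0-<yyyymmddHHMMSS>-<short sha>
# Outputs:   a note on stdout whenever an existing SBOM value is kept
# Returns:   0 on success, 1 when the file cannot be read or parsed
#######################################
function update_cyclonedx_sbom {
  local filepath=$1
  local tmpname=$2
  local tmpversion=$3
  local name version input existing_name existing_version component

  if [ -n "$tmpname" ]; then
    name=$tmpname
  else
    name=${GITHUB_REPOSITORY#"$GITHUB_REPOSITORY_OWNER/"}
  fi
  if [ -n "$tmpversion" ]; then
    version=$tmpversion
  elif [ "$GITHUB_REF_TYPE" = "tag" ] && [ -n "$GITHUB_REF_NAME" ]; then
    version=$GITHUB_REF_NAME
  else
    version="v0.0.0-$(date "+%Y%m%d%H%M%S")-$(git rev-parse --short "$GITHUB_SHA")"
  fi

  # Every jq failure returns early: previously a failed jq left $input empty
  # and the final write truncated the SBOM to an empty file.
  input=$(cat -- "$filepath") || return 1
  # '// empty' maps a null/missing field to "", so "no value" is a single
  # emptiness test instead of a comparison against the string "null".
  existing_name=$(jq -r '.metadata.component.name // empty' <<<"$input") || return 1
  existing_version=$(jq -r '.metadata.component.version // empty' <<<"$input") || return 1
  component=$(jq '.metadata.component' <<<"$input") || return 1

  # An explicit argument, or no usable value in the SBOM, triggers a rewrite.
  # (The original tested -d here, i.e. "is a directory", which cannot have
  # been intended for a component name.)
  if [ -n "$tmpname" ] || [ -z "$existing_name" ]; then
    # --arg keeps the value out of the jq program text; SBOM_NAME is
    # workflow-supplied input and was previously interpolated into it.
    component=$(jq --arg name "$name" '.name = $name' <<<"$component") || return 1
  else
    echo "using existing SBOM values for name: $existing_name"
  fi
  if [ -n "$tmpversion" ] || [ -z "$existing_version" ]; then
    component=$(jq --arg version "$version" '.version = $version' <<<"$component") || return 1
  else
    echo "using existing SBOM values for version: $existing_version"
  fi

  input=$(jq --argjson json "$component" '.metadata.component = $json' <<<"$input") || return 1
  if [ -z "$input" ]; then
    echo "Error: refusing to overwrite $filepath with empty output" >&2
    return 1
  fi
  printf '%s\n' "$input" >"$filepath"
}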
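#######################################
# Dispatch to the SBOM updater matching the requested format.
# Arguments: $1 - path to the SBOM JSON file (must exist)
#            $2 - name (may be empty; see the format-specific functions)
#            $3 - version (may be empty)
#            $4 - format: "spdx-json" or "cyclonedx-json"
# Outputs:   usage and error text on stderr
# Returns:   exits 1 on a bad argument count, a missing file or an unknown
#            format; otherwise the status of the format-specific updater
#######################################
function update_sbom {
  if [ $# -ne 4 ]; then
    # Argument order in the message now matches the assignments below
    # (name before version); the old text had them swapped.
    echo "Usage: $0 <json file> <name> <version> <type: spdx-json | cyclonedx-json>" >&2
    exit 1
  fi
  local filepath=$1
  local name=$2
  local version=$3
  local type=$4
  if [ ! -f "$filepath" ]; then
    echo "Error: input file does not exist" >&2
    exit 1
  fi
  case "$type" in
    spdx-json)
      update_spdx_sbom "$filepath" "$name" "$version"
      ;;
    cyclonedx-json)
      update_cyclonedx_sbom "$filepath" "$name" "$version"
      ;;
    *)
      # Previously only a message was printed and the script exited 0,
      # so a misconfigured type let the job pass with an untouched SBOM.
      echo "Error: invalid SBOM type" >&2
      exit 1
      ;;
  esac
}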
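# Entry point, run by the GitHub Action.
# Fetches the syft configuration from a gist raw URL that includes a gist
# revision hash, then updates the SBOM named by the SBOM_* environment
# variables. -f makes curl fail on HTTP errors instead of saving the error
# page as syft.yaml (the bare redirect did); -sS keeps it quiet but still
# reports failures.
# NOTE(review): the download is protected only by TLS and the revision in
# the URL — TODO verify the file against a known checksum if its contents
# influence what syft scans or emits.
if ! curl -fsS -o syft.yaml 'https://gist.githubusercontent.com/manifestori/4a6c62617e05fb054a1410a16ea2b29b/raw/43686f969cf4b7a4752cd8992bfd38fbef2e5e48/syft.yaml'; then
  echo "Error: failed to download syft.yaml" >&2
  exit 1
fi
filename="$SBOM_FILENAME"
# Despite the name, SBOM_OUTPUT carries the SBOM format passed as the
# fourth argument (spdx-json | cyclonedx-json).
output="$SBOM_OUTPUT"
name="$SBOM_NAME"
version="$SBOM_VERSION"
update_sbom "$filename" "$name" "$version" "$output"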