chore: add module for generating the platform SBOM with all dependenc…

…ies (#3677) * chore: add specific module for SBOM generation * chore: workflow adjustmets * chore: update license whitelist * chore: add sso and k8s kits * enclose frontend build in a profile * chore: publish SBOM in release * fix failure when using snapshots in java versions * rename report files, and save with the artifacts * fix hasOssToken by moving it to the cmd object * use a profile for the sbom maven module * make hasOssToken boolean * put OSSINDEX credentials in env
vaadin · Jan 17, 2023 · 04fafce · 04fafce · jojule · Aug 4, 2024
1 parent a9fbbb4
commit 04fafce
Show file tree

Hide file tree

Showing 6 changed files with 169 additions and 37 deletions.
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -1,8 +1,12 @@
 name: SBOM
 on:
   push:
-    paths: [".github/workflows/sbom.yml", "scripts/generateAndCheckSBOM.js"]
+    branches: ["master", "23.3"]
   pull_request:
+    types: [opened, synchronize, reopened, edited]
+    paths: ["versions.json", "**/pom.xml", ".github/workflows/sbom.yml", "scripts/generateAndCheckSBOM.js"]
+  release:
+    types: ["published"]
   workflow_dispatch:
     inputs:
           useBomber:
@@ -67,20 +71,35 @@ jobs:
           mkdir -p ~/.vaadin/
           echo '{"username":"'`echo ${{secrets.TB_LICENSE}} | cut -d / -f1`'","proKey":"'`echo ${{secrets.TB_LICENSE}} | cut -d / -f2`'"}' > ~/.vaadin/proKey
       - run: |
-         [ false = "${{github.event.inputs.useBomber}}" ] && A="$A --disable-bomber"
-         [ false = "${{github.event.inputs.useOSV}}" ] && A="$A --disable-osv-scan"
-         [ false = "${{github.event.inputs.useOWASP}}" ] && A="$A --disable-owasp"
-         [ true = "${{github.event.inputs.useFullOWASP}}" ] && A="$A --enable-full-owasp"
-         [ -n "${{github.event.inputs.version}}" ] && A="--version ${{github.event.inputs.version}}"
-         cmd="scripts/generateAndCheckSBOM.js $A"
-         echo "Running: $cmd"
-         $cmd
+          # Generate And Check SBOM
+          [ false = "${{github.event.inputs.useBomber}}" ] && A="$A --disable-bomber"
+          [ false = "${{github.event.inputs.useOSV}}" ] && A="$A --disable-osv-scan"
+          [ false = "${{github.event.inputs.useOWASP}}" ] && A="$A --disable-owasp"
+          [ true = "${{github.event.inputs.useFullOWASP}}" ] && A="$A --enable-full-owasp"
+          [ -n "${{github.event.inputs.version}}" ] && A="--version ${{github.event.inputs.version}}"
+          cmd="scripts/generateAndCheckSBOM.js $A"
+          echo "Running: $cmd"
+          $cmd
+        env:
+         OSSINDEX_USER: ${{secrets.OSSINDEX_USER}}
+         OSSINDEX_TOKEN: ${{secrets.OSSINDEX_TOKEN}}
       - if: ${{always()}}
         uses: actions/upload-artifact@v3.1.1
         with:
           name: files
           path: |
             **/target/bom-vaadin.json
+            **/target/*-report.json
             **/target/tree-*.txt
           if-no-files-found: error
           retention-days: 60
+      - if: ${{success() && (github.event.inputs.version || github.event.release.tag_name)}}
+        uses: svenstaro/upload-release-action@v2
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          file: vaadin-platform-sbom/target/bom-vaadin.json
+          asset_name: sbom.json
+          tag: ${{ github.event.inputs.version || github.event.release.tag_name }}
+          overwrite: true
+          body: "Vaadin Platform V${{github.event.inputs.version}} SBOM"
+
diff --git a/pom.xml b/pom.xml
@@ -46,6 +46,12 @@
     </modules>
 
     <profiles>
+        <profile>
+            <id>sbom</id>
+            <modules>
+                <module>vaadin-platform-sbom</module>
+            </modules>
+        </profile>
         <profile>
             <id>gradle</id>
             <activation>

diff --git a/scripts/generateAndCheckSBOM.js b/scripts/generateAndCheckSBOM.js
@@ -10,22 +10,7 @@ const { spawn } = require('child_process');
 const fs = require('fs');
 const path = require('path');
 const VAADIN_LICENSE = 'https://vaadin.com/commercial-license-and-service-terms';
-
-const cmd = { useBomber: true, useOSV: true, useOWASP: true };
-for (let i = 2, l = process.argv.length; i < l; i++) {
-  switch (process.argv[i]) {
-    case '--disable-bomber': cmd.useBomber = false; break;
-    case '--disable-osv-scan': cmd.useOSV = false; break;
-    case '--disable-owasp': cmd.useOWASP = false; break;
-    case '--enable-full-owasp': cmd.useFullOWASP = true; break;
-    case '--version': cmd.version = process.argv[++i]; break;
-    default:
-      console.log(`Usage: ${path.relative('.', process.argv[1])} 
-        [--disable-bomber] [--disable-osv-scan] [--disable-owasp] [--enable-full-owasp] [--version x.x.x]`);
-      process.exit(1);
-  }
-}
-
+const testProject = path.resolve('vaadin-platform-sbom');
 const licenseWhiteList = [
   'ISC',
   'MIT',
@@ -38,17 +23,37 @@ const licenseWhiteList = [
   'LGPL-2.1-only',
   'BSD-3-Clause',
   'BSD-2-Clause',
+  'EPL-1.0',
   'EPL-2.0',
   'AFL-2.1',
   'MPL-1.1',
   'CC0-1.0',
   'CC-BY-4.0',
   'Zlib',
-  'https://vaadin.com/commercial-license-and-service-terms',
+  'WTFPL',
+  'http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html',
+  VAADIN_LICENSE,
   'https://www.highcharts.com/license'
 ];
 
-const testProject = path.resolve('vaadin-platform-test');
+const cmd = { useBomber: true, useOSV: true, useOWASP: true,
+    hasOssToken: !!(process.env.OSSINDEX_USER && process.env.OSSINDEX_TOKEN)};
+for (let i = 2, l = process.argv.length; i < l; i++) {
+  switch (process.argv[i]) {
+    case '--disable-bomber': cmd.useBomber = false; break;
+    case '--disable-osv-scan': cmd.useOSV = false; break;
+    case '--disable-owasp': cmd.useOWASP = false; break;
+    case '--enable-full-owasp': cmd.useFullOWASP = true; break;
+    case '--version': cmd.version = process.argv[++i]; break;
+    default:
+      console.log(`Usage: ${path.relative('.', process.argv[1])} 
+        [--disable-bomber] [--disable-osv-scan] [--disable-owasp] [--enable-full-owasp] [--version x.x.x]`);
+      process.exit(1);
+  }
+}
+
+console.log(`Running ${process.argv[1]} with arguments: ${JSON.stringify(cmd)}`);
+
 function log(...args) {
   process.stderr.write(`\x1b[0m> \x1b[0;32m${args}\x1b[0m\n`);
 }
@@ -272,20 +277,19 @@ async function main() {
   await isInstalled('mvn');
 
   if (cmd.version) {
-    await run(`mvn -ntp -N -B -DnewVersion=${cmd.version} versions:set -q`);
+    await run(`mvn -ntp -N -B -DnewVersion=${cmd.version} -Psbom versions:set -q`);
   }
 
   await run(`./scripts/generateBoms.sh`, { debug: false });
   await run('mvn -ntp -B clean install -T 1C -q');
 
   log(`cd ${testProject}`);
   process.chdir(testProject);
-  const hasOssToken = process.env.OSSINDEX_USER && process.env.OSSINDEX_TOKEN;
 
   log(`cleaning package.json`);
   fs.existsSync('package.json') && fs.unlinkSync('package.json');
 
-  await run('mvn package -ntp -B -Pproduction -DskipTests -q');
+  await run('mvn clean package -ntp -B -Pproduction -DskipTests -q');
   await run('mvn dependency:tree -ntp -B', { output: 'target/tree-maven.txt' });
   await run('mvn -ntp -B org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom -q');
   await run('npm ls --depth 6', { output: 'target/tree-npm.txt' });
@@ -302,18 +306,18 @@ async function main() {
   const vulnerabilities = {}
   if (cmd.useBomber) {
     const cmdBomber = `bomber scan target/bom-vaadin.json --output json`;
-    await run(cmdBomber, { output: 'target/report-bomber-osv.json' });
-    sumarizeBomber('target/report-bomber-osv.json', vulnerabilities);
+    await run(cmdBomber, { output: 'target/bomber-osv-report.json' });
+    sumarizeBomber('target/bomber-osv-report.json', vulnerabilities);
     if (cmd.hasOssToken) {
       await run(`${cmdBomber} --provider ossindex --username ${process.env.OSSINDEX_USER} --token ${process.env.OSSINDEX_TOKEN}`,
-        { output: 'target/report-bomber-oss.json' });
-      sumarizeBomber('target/report-bomber-oss.json', vulnerabilities);
+        { output: 'target/bomber-oss-report.json' });
+      sumarizeBomber('target/bomber-oss-report.json', vulnerabilities);
     }
   }
 
   if (cmd.useOSV) {
-    await run('osv-scanner --sbom=target/bom-vaadin.json --json', { output: 'target/report-osv-scanner.json' , throw: false});
-    sumarizeOSV('target/report-osv-scanner.json', vulnerabilities);
+    await run('osv-scanner --sbom=target/bom-vaadin.json --json', { output: 'target/osv-scanner-report.json' , throw: false});
+    sumarizeOSV('target/osv-scanner-report.json', vulnerabilities);
   }
 
   if (cmd.useOWASP) {

diff --git a/scripts/generator/src/creator.js b/scripts/generator/src/creator.js
@@ -318,7 +318,8 @@ function compareAndBuildJavaComponentReleaseString(versionName, currentVersion,
     let result = '';
     const currentVersionSemver = toSemVer(currentVersion);
     const previousVersionSemver = toSemVer(previousVersion);
-    if (compareVersions(currentVersionSemver, previousVersionSemver) === 1) {
+    // sometimes we use SNAPSHOTS in versions.json e.g. when waiting for a new alpha/beta with a fix
+    if (compareVersions(currentVersionSemver.replace('-SNAPSHOT', '.0'), previousVersionSemver) === 1) {
         result = getReleaseNoteLink(versionName, currentVersion);
     }
     return result;

diff --git a/vaadin-platform-sbom/pom.xml b/vaadin-platform-sbom/pom.xml
@@ -0,0 +1,95 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>com.vaadin</groupId>
+        <artifactId>vaadin-platform-parent</artifactId>
+        <version>24.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>vaadin-platform-sbom</artifactId>
+    <packaging>jar</packaging>
+    <properties>
+        <maven.compiler.source>17</maven.compiler.source>
+        <maven.compiler.target>17</maven.compiler.target>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+    </properties>
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>com.vaadin</groupId>
+                <artifactId>vaadin-bom</artifactId>
+                <version>${project.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <dependencies>
+        <dependency>
+            <groupId>com.vaadin</groupId>
+            <artifactId>vaadin</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.vaadin</groupId>
+            <artifactId>vaadin-spreadsheet-flow</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.vaadin</groupId>
+            <artifactId>vaadin-spring-boot-starter</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.vaadin</groupId>
+            <artifactId>vaadin-testbench</artifactId>
+        </dependency>
+
+        <!-- TEMPORARY until they are included with the versions.json in 24.0 -->
+        <dependency>
+            <groupId>com.vaadin</groupId>
+            <artifactId>sso-kit-starter</artifactId>
+            <version>2.0-SNAPSHOT</version>
+            <scope>compile</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.vaadin</groupId>
+            <artifactId>kubernetes-kit-starter</artifactId>
+            <version>1.0.2</version>
+            <scope>compile</scope>
+        </dependency>
+
+    </dependencies>
+    <profiles>
+        <profile>
+            <id>production</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>com.vaadin</groupId>
+                        <artifactId>vaadin-maven-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>prepare-frontend</goal>
+                                    <goal>build-frontend</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                    <plugin>
+                        <groupId>org.eclipse.jetty</groupId>
+                        <artifactId>jetty-maven-plugin</artifactId>
+                        <version>11.0.8</version>
+                    </plugin>
+                </plugins>
+            </build>
+            <dependencies>
+                <dependency>
+                    <groupId>com.vaadin</groupId>
+                    <artifactId>flow-server-production-mode</artifactId>
+                </dependency>
+            </dependencies>
+        </profile>
+    </profiles>
+</project>
diff --git a/vaadin-spring-boot-starter/pom.xml b/vaadin-spring-boot-starter/pom.xml
@@ -59,6 +59,13 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
             <version>${spring-boot.version}</version>
+            <!-- CVE-2022-1471 TEMPORARY FIX UNTIL https://github.com/spring-projects/spring-boot/issues/33457 -->
+            <exclusions>
+                <exclusion>
+                    <groupId>org.yaml</groupId>
+                    <artifactId>snakeyaml</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <!-- End Spring -->