From 638fe297a6763906d16765f1a22d67c6791f3985 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 4 Nov 2024 15:00:00 +0100 Subject: [PATCH 01/46] [WIP] workflows: add SBOM generation step --- .github/workflows/sbom.yaml | 59 +++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 .github/workflows/sbom.yaml diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml new file mode 100644 index 0000000000000..4eec9fa673142 --- /dev/null +++ b/.github/workflows/sbom.yaml 
@@ -0,0 +1,59 @@ +name: SBOM generation + +# SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors +# SPDX-FileCopyrightText: 2024 STRATO AG +# SPDX-License-Identifier: AGPL-3.0-or-later + +on: + push: + branches: + # Enable once approved + # - ionos-dev + - tl/sbom-generation + +jobs: + generate-sbom: + runs-on: ubuntu-latest + + permissions: + contents: read + + name: generate-sbom + steps: + - name: Checkout server + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + # Submodules are checked independently + submodules: false + + # SBOM for composer (generate) + + - name: Generate SBOM (composer) + # Output filename can not be configured, is bom.xml + # https://github.com/CycloneDX/gh-php-composer-generate-sbom + uses: CycloneDX/gh-php-composer-generate-sbom@v1 + + - name: Rename composer bom.xml to bom.composer.xml + run: | + mv bom.xml bom.composer.xml + + # SBOM for NPM (install and generate) + + - name: Set up node with version from package.json's engines + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 + with: + node-version-file: "package.json" + + - name: Build Nextcloud + env: + FONTAWESOME_PACKAGE_TOKEN: ${{ secrets.FONTAWESOME_PACKAGE_TOKEN }} + run: | + npm ci + + - name: Generate SBOM (npm) + # https://github.com/CycloneDX/gh-node-module-generatebom + uses: CycloneDX/gh-node-module-generatebom@v1 + with: + output: './bom.npm.xml' + + # TODO: merge BOMs, upload BOMs From 140c7dcc0476da82668933b19e00b2e247a31a9a Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 4 Nov 2024 15:30:22 +0100 Subject: [PATCH 02/46] [WIP] sbom: merge SBOMs --- .github/workflows/sbom.yaml | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 4eec9fa673142..6c0de98d1b11a 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
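Review bot: The `Build Nextcloud` step runs `npm ci` with package lifecycle scripts enabled, so producing an inventory executes the install hooks of every dependency with `FONTAWESOME_PACKAGE_TOKEN` present in the environment. If the npm SBOM step only needs the resolved node_modules tree (the generator works from `npm ls`-style data as far as this file shows), `npm ci --ignore-scripts` removes that execution surface without changing the inventory; worth verifying against the generator and recording the decision in the step comment. The `permissions: contents: read` on this job is the right default and should be kept when further jobs are added.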
@@ -56,4 +56,26 @@ jobs: with: output: './bom.npm.xml' - # TODO: merge BOMs, upload BOMs + merge-sboms: + needs: generate-sbom + runs-on: ubuntu-latest + + # https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container + container: + image: cyclonedx/cyclonedx-cli:0.27.1 + steps: + - name: Merge SBOMs + # https://github.com/CycloneDX/cyclonedx-cli#merge-command + run: | + cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml + + upload-sboms: + needs: merge-sboms + runs-on: ubuntu-latest + + steps: + - name: Dump merged SBOM + run: | + cat bom.xml + + # TODO: upload BOMs From 3b60f6cdeeecbe6fc1f5addb17e3c2c4b4a35850 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 4 Nov 2024 16:42:01 +0100 Subject: [PATCH 03/46] [WIP] workflow: pass bom.xmls between jobs --- .github/workflows/sbom.yaml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 6c0de98d1b11a..c34d84a65ad21 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -56,6 +56,14 @@ jobs: with: output: './bom.npm.xml' + # Pass BOMs to next Job + # https://github.com/actions/upload-artifact + - name: Store partial BOMs + uses: actions/upload-artifact@v4 + with: + name: bom-partials + path: bom.*.xml + merge-sboms: needs: generate-sbom runs-on: ubuntu-latest 
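Review bot: The new `merge-sboms` and `upload-sboms` jobs declare no `permissions` block, so they receive the repository's default GITHUB_TOKEN scope instead of the `contents: read` that `generate-sbom` restricts itself to. Add `permissions:` / `contents: read` to each new job, or move the block to workflow level so every job inherits it. The merge container is also referenced by a mutable tag, `image: cyclonedx/cyclonedx-cli:0.27.1`; pinning it by digest (`image: cyclonedx/cyclonedx-cli@sha256:<digest>`, with the real digest) would match the SHA pinning already used for `actions/checkout` in this file.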
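Review bot: `actions/upload-artifact@v4` is referenced by a floating major tag, while `actions/checkout` and `actions/setup-node` in this file are pinned to a commit SHA with a version comment; the same applies to `actions/download-artifact@v4` and the second `upload-artifact` in the next hunk. Since these actions are the channel through which the SBOM travels between jobs, pin them the same way, e.g. `uses: actions/upload-artifact@<commit-sha> # v4.x` (with the actual commit and version). The `merge-sboms` job definition continues past the hunk.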
@@ -63,12 +71,26 @@ jobs: # https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container container: image: cyclonedx/cyclonedx-cli:0.27.1 + steps: + - name: Download partial BOMs + uses: actions/download-artifact@v4 + with: + name: bom-partials + - name: Merge SBOMs # https://github.com/CycloneDX/cyclonedx-cli#merge-command run: | cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml + # Pass merged BOM to next Job + # https://github.com/actions/upload-artifact + - name: Store merged BOM + uses: actions/upload-artifact@v4 + with: + name: final-bom + path: bom.xml + upload-sboms: needs: merge-sboms runs-on: ubuntu-latest From ba59d02cadb7432dde646bd197e51a04e3e5ac6b Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 4 Nov 2024 16:56:08 +0100 Subject: [PATCH 04/46] [WIP] workflow: set SBOM out version to 1.3 Upload to DT failed with schema validation error and no details, maybe the version is to recent. --- .github/workflows/sbom.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index c34d84a65ad21..c8d552019cddc 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -80,8 +80,9 @@ jobs: - name: Merge SBOMs # https://github.com/CycloneDX/cyclonedx-cli#merge-command + # Using v1_3 because with the default (1.6) the upload failed at the DT web interface run: | - cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml + cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml --output-version v1_3 # Pass merged BOM to next Job # https://github.com/actions/upload-artifact From 000742a71a5b7d6794fbe5d3e3a856772b677b6f Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 4 Nov 2024 17:09:50 +0100 Subject: [PATCH 05/46] [NOTE] Upload of merged v1.3 SBOM still fails, partial BOMs upload fine 
From 4d289eb4150ba8fd3d80d0d917e2870ae57c60a1 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 31 Jan 2025 16:43:01 +0100 Subject: [PATCH 06/46] Revert "[WIP] workflow: set SBOM out version to 1.3" Problem figured out: the merged SBOM contains a "component" node with a "bom-ref" attribute and a "purl" node, both contain values including the current Git branch name, which happens to contain a slash in my case, which, apparently, is not allowed. This reverts commit 2e39012109351fbed4ac0879c760baea0f27a50e. --- .github/workflows/sbom.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index c8d552019cddc..c34d84a65ad21 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -80,9 +80,8 @@ jobs: - name: Merge SBOMs # https://github.com/CycloneDX/cyclonedx-cli#merge-command - # Using v1_3 because with the default (1.6) the upload failed at the DT web interface run: | - cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml --output-version v1_3 + cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml # Pass merged BOM to next Job # https://github.com/actions/upload-artifact From 02175f12711a12bc30d68fc9d6ffec136e0b9011 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 31 Jan 2025 16:57:29 +0100 Subject: [PATCH 07/46] [WIP] workflow: fix merged SBOM --- .github/workflows/sbom.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index c34d84a65ad21..f98da9482f69d 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
@@ -80,8 +80,13 @@ jobs: - name: Merge SBOMs # https://github.com/CycloneDX/cyclonedx-cli#merge-command + # + # The generated SBOM is fixed with sed to remove potentially bad characters + # Slashes are not allowed after the @ in the meta/component's bom-ref + # attribute and purl node. run: | cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml + sed -i -r 's;(pkg:composer/__root__)@[^"<]+;\1@merged-sbom;' bom.xml # Pass merged BOM to next Job # https://github.com/actions/upload-artifact From 76c5a3465a38d1393ea845bca82019d6ae255d05 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 4 Nov 2024 16:56:08 +0100 Subject: [PATCH 08/46] [WIP] workflow: set SBOM out version to 1.3 Upload to DT failed with schema validation error and no details, maybe the version is to recent. --- .github/workflows/sbom.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index f98da9482f69d..602ec624afe2c 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -80,12 +80,13 @@ jobs: - name: Merge SBOMs # https://github.com/CycloneDX/cyclonedx-cli#merge-command + # Using v1_3 because with the default (1.6) the upload failed at the DT web interface # # The generated SBOM is fixed with sed to remove potentially bad characters # Slashes are not allowed after the @ in the meta/component's bom-ref # attribute and purl node. run: | - cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml + cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml --output-version v1_3 sed -i -r 's;(pkg:composer/__root__)@[^"<]+;\1@merged-sbom;' bom.xml # Pass merged BOM to next Job From 783f82a4bdea92ac88cfafa68310636b7363fb8f Mon Sep 17 00:00:00 2001 
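Review bot: The new comment attributes the failed Dependency-Track upload to the 1.6 default, but the message of the preceding revert (patch 06) traces the failure to the slash in the branch-derived bom-ref/purl, which the `sed` on the following line already rewrites. Re-applying `--output-version v1_3` therefore looks unmotivated and silently drops whatever the newer schema can express; either confirm that DT still rejects the sed-fixed default output and say so in the comment, e.g. `# v1_3: DT rejects the 1.6 output even after the bom-ref fix (verified <date>)`, or leave the version at the default. The rest of the `merge-sboms` job is outside the hunk.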
From: Thomas Lehmann Date: Fri, 31 Jan 2025 17:44:23 +0100 Subject: [PATCH 09/46] [WIP] Use @yclonedx/cyclonedx-npm via npx, not an action The action was declared to be deprecated [1], [2] was mentioned as alternative. [1]: https://github.com/CycloneDX/gh-node-module-generatebom?tab=readme-ov-file [2]: https://www.npmjs.com/package/%40cyclonedx/cyclonedx-npm --- .github/workflows/sbom.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 602ec624afe2c..b78a93d61da6f 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -51,10 +51,8 @@ jobs: npm ci - name: Generate SBOM (npm) - # https://github.com/CycloneDX/gh-node-module-generatebom - uses: CycloneDX/gh-node-module-generatebom@v1 - with: - output: './bom.npm.xml' + run: | + npx @cyclonedx/cyclonedx-npm --output-format XML --output-file './bom.npm.xml' # Pass BOMs to next Job # https://github.com/actions/upload-artifact From e9feea10f9d3e8db79df1d91087e7257ef293e0e Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 14:27:22 +0100 Subject: [PATCH 10/46] [WIP] Add --ignore-npm-errors to @cyclonedx/cyclonedx-npm See the comment. --- .github/workflows/sbom.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index b78a93d61da6f..8ceb5dc1b93f4 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
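Review bot: `npx @cyclonedx/cyclonedx-npm` resolves and executes whatever version of the package the registry serves at run time, so the tool that attests the dependency tree is itself unpinned; the same holds for `composer global require cyclonedx/cyclonedx-php-composer` introduced later in this series (patches 15 and 17), which installs a Composer plugin that runs inside Composer. Pin both to an explicit version, e.g. `npx --yes @cyclonedx/cyclonedx-npm@<version> ...` and `composer global require cyclonedx/cyclonedx-php-composer:<version>`, and note the chosen versions in the step comments so bumps are deliberate. The `generate-sbom` job continues outside the hunk.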
@@ -51,8 +51,14 @@ jobs: npm ci - name: Generate SBOM (npm) + # Switch --ignore-npm-errors is used to not fail on inconsistencies + # found by npm ls, which complains about (mostly) "extraneous" packages + # found in node_modules, which are apparently related to us using npm + # overrides in package.json and presumably npm ls not being capable + # of analyzing this correctly. + # run: | - npx @cyclonedx/cyclonedx-npm --output-format XML --output-file './bom.npm.xml' + npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file './bom.npm.xml' # Pass BOMs to next Job # https://github.com/actions/upload-artifact From dacd6bce2b8f6813ff33dc0ac19d2f20359d7beb Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 14:54:33 +0100 Subject: [PATCH 11/46] [WIP] Fix fetch of stored artifact --- .github/workflows/sbom.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 8ceb5dc1b93f4..8732b5ca5321e 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -104,8 +104,12 @@ jobs: upload-sboms: needs: merge-sboms runs-on: ubuntu-latest - steps: + - name: Download partial BOMs + uses: actions/download-artifact@v4 + with: + name: final-bom + - name: Dump merged SBOM run: | cat bom.xml From de5619c1b826a2e6692df2172d8873fb480deaa8 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 15:21:43 +0100 Subject: [PATCH 12/46] [WIP] Change merged SBOM fix to replace _branch name_ by dummy string --- .github/workflows/sbom.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 8732b5ca5321e..b127c1f7d9b86 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
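Review bot: The step added to `upload-sboms` is named `Download partial BOMs` but fetches the `final-bom` artifact, i.e. the merged output of `merge-sboms`, and the misleading name survives through the rest of the series. Rename it, e.g. `- name: Download merged BOM`, so the job log reads correctly when an upload fails. The remaining steps of `upload-sboms` are outside the hunk.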
@@ -83,6 +83,8 @@ jobs: name: bom-partials - name: Merge SBOMs + env: + BRANCH_NAME: ${{ github.head_ref || github.ref_name }} # https://github.com/CycloneDX/cyclonedx-cli#merge-command # Using v1_3 because with the default (1.6) the upload failed at the DT web interface # @@ -91,7 +93,7 @@ jobs: # attribute and purl node. run: | cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml --output-version v1_3 - sed -i -r 's;(pkg:composer/__root__)@[^"<]+;\1@merged-sbom;' bom.xml + sed -i -r "s;${BRANCH_NAME};merged-sbom;" bom.xml # Pass merged BOM to next Job # https://github.com/actions/upload-artifact From 4a139661791aabc45ef41d8a58a157b0865a4562 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 16:25:56 +0100 Subject: [PATCH 13/46] [WIP] Change merged BOM patching - it failed once again --- .github/workflows/sbom.yaml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index b127c1f7d9b86..196be4f0686c8 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
@@ -83,17 +83,14 @@ jobs: name: bom-partials - name: Merge SBOMs - env: - BRANCH_NAME: ${{ github.head_ref || github.ref_name }} # https://github.com/CycloneDX/cyclonedx-cli#merge-command # Using v1_3 because with the default (1.6) the upload failed at the DT web interface # - # The generated SBOM is fixed with sed to remove potentially bad characters - # Slashes are not allowed after the @ in the meta/component's bom-ref - # attribute and purl node. + # The generated SBOM is fixed with awk to remove XML schema violating + # elements or values that prevent upload to Dependency Track. run: | cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml --output-version v1_3 - sed -i -r "s;${BRANCH_NAME};merged-sbom;" bom.xml + awk '/^ / { ignore=1 } /^ <\/metadata>/ { ignore=0; next; } { if (!ignore) print }' bom.xml >bom.patched.xml # Pass merged BOM to next Job # https://github.com/actions/upload-artifact From 03ab6457b45031a2ee66ce5cf1cb73611f93913b Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 16:37:22 +0100 Subject: [PATCH 14/46] [WIP] Rename build step descriptions --- .github/workflows/sbom.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 196be4f0686c8..be49d492fe5bb 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -28,7 +28,7 @@ jobs: # SBOM for composer (generate) - - name: Generate SBOM (composer) + - name: Generate SBOM (Nextcloud - composer) # Output filename can not be configured, is bom.xml # https://github.com/CycloneDX/gh-php-composer-generate-sbom uses: CycloneDX/gh-php-composer-generate-sbom@v1 
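Review bot: The awk filter appears to drop the whole `<metadata>` element from the merged BOM (the first pattern renders here as `/^ /`, which would match every indented line; presumably an opening `<metadata>` tag was lost in rendering, worth re-checking in the file), so tools, timestamp and the merged root component are discarded rather than the single bom-ref/purl value that patch 06 identified as the problem, and the result depends on the exact indentation cyclonedx-cli emits. If the CLI allows naming the merged root component, prefer that over post-processing; otherwise the comment should state exactly what is removed and why, since the sed comment that explained the original problem is deleted here, e.g. `# Strips the <metadata> element entirely: DT rejects the branch-derived bom-ref/purl in it`. The `merge-sboms` job continues outside the hunk.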
@@ -50,7 +50,7 @@ jobs: run: | npm ci - - name: Generate SBOM (npm) + - name: Generate SBOM (Nextcloud - npm) # Switch --ignore-npm-errors is used to not fail on inconsistencies # found by npm ls, which complains about (mostly) "extraneous" packages # found in node_modules, which are apparently related to us using npm From a4060cba640251007e40241e2b9c15c9073860fe Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 16:59:14 +0100 Subject: [PATCH 15/46] [WIP] Use run composer instead of deprecated action The action is marked "deprecated" [1] [1]: https://github.com/CycloneDX/gh-php-composer-generate-sbom --- .github/workflows/sbom.yaml | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index be49d492fe5bb..35b05ec27797b 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -29,13 +29,10 @@ jobs: # SBOM for composer (generate) - name: Generate SBOM (Nextcloud - composer) - # Output filename can not be configured, is bom.xml - # https://github.com/CycloneDX/gh-php-composer-generate-sbom - uses: CycloneDX/gh-php-composer-generate-sbom@v1 - - - name: Rename composer bom.xml to bom.composer.xml + # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer run: | - mv bom.xml bom.composer.xml + composer global require cyclonedx/cyclonedx-php-composer + composer CycloneDX:make-sbom --output-file=bom.nextcloud.composer.xml # SBOM for NPM (install and generate) @@ -58,7 +55,7 @@ jobs: # of analyzing this correctly. # run: | - npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file './bom.npm.xml' + npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file './bom.nextcloud.npm.xml' # Pass BOMs to next Job # https://github.com/actions/upload-artifact 
@@ -89,16 +86,17 @@ jobs: # The generated SBOM is fixed with awk to remove XML schema violating # elements or values that prevent upload to Dependency Track. run: | - cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml --output-version v1_3 - awk '/^ / { ignore=1 } /^ <\/metadata>/ { ignore=0; next; } { if (!ignore) print }' bom.xml >bom.patched.xml + echo "Merge BOMs for: Nextcloud" + cyclonedx merge --input-files bom.nextcloud.composer.xml bom.nextcloud.npm.xml --output-file bom.xml --output-version v1_3 + awk '/^ / { ignore=1 } /^ <\/metadata>/ { ignore=0; next; } { if (!ignore) print }' bom.xml >bom.nextcloud.xml # Pass merged BOM to next Job # https://github.com/actions/upload-artifact - name: Store merged BOM uses: actions/upload-artifact@v4 with: - name: final-bom - path: bom.xml + name: final-boms + path: bom.*.xml upload-sboms: needs: merge-sboms @@ -107,10 +105,10 @@ jobs: - name: Download partial BOMs uses: actions/download-artifact@v4 with: - name: final-bom + name: final-boms - - name: Dump merged SBOM + - name: Dump merged SBOMs run: | - cat bom.xml + cat bom.*.xml # TODO: upload BOMs From f928ce7c618afdd69e73204864ab4deddf67737b Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 17:02:10 +0100 Subject: [PATCH 16/46] [WIP] Add SBOM generation for one app --- .github/workflows/sbom.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 35b05ec27797b..5bb969ce0ba79 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -26,6 +26,10 @@ jobs: # Submodules are checked independently submodules: false + # + # Nextcloud + # + # SBOM for composer (generate) - name: Generate SBOM (Nextcloud - composer) 
@@ -57,6 +61,23 @@ jobs: run: | npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file './bom.nextcloud.npm.xml' + + + # + # Custom App: googleanalytics + # + + # SBOM for composer (generate) + + - name: Generate SBOM (Custom App googleanalytics - composer) + working-directory: ./apps-custom/googleanalytics + # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer + run: | + composer global require cyclonedx/cyclonedx-php-composer + composer CycloneDX:make-sbom --output-file=bom.app-googleanalytics.xml + + + # Pass BOMs to next Job # https://github.com/actions/upload-artifact - name: Store partial BOMs @@ -90,6 +111,8 @@ jobs: cyclonedx merge --input-files bom.nextcloud.composer.xml bom.nextcloud.npm.xml --output-file bom.xml --output-version v1_3 awk '/^ / { ignore=1 } /^ <\/metadata>/ { ignore=0; next; } { if (!ignore) print }' bom.xml >bom.nextcloud.xml + # TODO use for loop where needed for apps + # Pass merged BOM to next Job # https://github.com/actions/upload-artifact - name: Store merged BOM From d86b6cc6897d992a2b3c457654a02083d83369dd Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 17:21:17 +0100 Subject: [PATCH 17/46] [WIP] Enable install of cyclonedx/cyclonedx-php-composer; split install and run --- .github/workflows/sbom.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 5bb969ce0ba79..b5fb3e48eebd9 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -26,6 +26,12 @@ jobs: # Submodules are checked independently submodules: false + - name: Install CycloneDX + # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer + run: | + composer global config --no-plugins allow-plugins.cyclonedx/cyclonedx-php-composer true + composer global require cyclonedx/cyclonedx-php-composer + # # Nextcloud # 
@@ -35,7 +41,6 @@ jobs: - name: Generate SBOM (Nextcloud - composer) # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer run: | - composer global require cyclonedx/cyclonedx-php-composer composer CycloneDX:make-sbom --output-file=bom.nextcloud.composer.xml # SBOM for NPM (install and generate) @@ -73,7 +78,6 @@ jobs: working-directory: ./apps-custom/googleanalytics # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer run: | - composer global require cyclonedx/cyclonedx-php-composer composer CycloneDX:make-sbom --output-file=bom.app-googleanalytics.xml From dfc0f0753e8e4cd9f2ba21752b096ec74af68a58 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 17:26:31 +0100 Subject: [PATCH 18/46] [WIP] Checkout submodules too --- .github/workflows/sbom.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index b5fb3e48eebd9..c651d803f7085 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -23,8 +23,7 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 with: - # Submodules are checked independently - submodules: false + submodules: true - name: Install CycloneDX # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer From 84b5e78bac69c9b0488ae938932eda6ee3271869 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 17:37:06 +0100 Subject: [PATCH 19/46] [WIP] Specify store paths explicitly * The bom.app-googleanalytics.xml was not packaged for whatever reason. * Partials were packaged while actually not needed (just good for debugging) * Make it explicit --- .github/workflows/sbom.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index c651d803f7085..6dd7c263fdd8d 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
@@ -49,7 +49,7 @@ jobs: with: node-version-file: "package.json" - - name: Build Nextcloud + - name: Nextcloud: install npm dependencies env: FONTAWESOME_PACKAGE_TOKEN: ${{ secrets.FONTAWESOME_PACKAGE_TOKEN }} run: | @@ -122,7 +122,9 @@ jobs: uses: actions/upload-artifact@v4 with: name: final-boms - path: bom.*.xml + path: | + bom.nextcloud.xml + bom.app-googleanalytics.xml upload-sboms: needs: merge-sboms From 6813072b7d6feaa81d93bc172ed5a3069b7485d4 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 17:38:50 +0100 Subject: [PATCH 20/46] [WIP] Debug ls --- .github/workflows/sbom.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 6dd7c263fdd8d..ad8f5c0199ed6 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -116,6 +116,10 @@ jobs: # TODO use for loop where needed for apps + - name: Show BOMs + run: | + ls -l bom.*.xml + # Pass merged BOM to next Job # https://github.com/actions/upload-artifact - name: Store merged BOM From 38a9cbfc933e75c0b8acd9d0490f5c48c4318a29 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 17:40:29 +0100 Subject: [PATCH 21/46] [WIP] Quote string --- .github/workflows/sbom.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index ad8f5c0199ed6..944e5152f4d41 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -49,7 +49,7 @@ jobs: with: node-version-file: "package.json" - - name: Nextcloud: install npm dependencies + - name: "Nextcloud: install npm dependencies" env: FONTAWESOME_PACKAGE_TOKEN: ${{ secrets.FONTAWESOME_PACKAGE_TOKEN }} run: | From 162f51f02b0c523d76828bb1b1a9cedb8837d820 Mon Sep 17 00:00:00 2001 
From: Thomas Lehmann Date: Fri, 7 Feb 2025 17:45:20 +0100 Subject: [PATCH 22/46] [WIP] Fix app BOM XML location, make store paths explicit --- .github/workflows/sbom.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 944e5152f4d41..c79b64d5dae68 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -77,7 +77,7 @@ jobs: working-directory: ./apps-custom/googleanalytics # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer run: | - composer CycloneDX:make-sbom --output-file=bom.app-googleanalytics.xml + composer CycloneDX:make-sbom --output-file=../../bom.app-googleanalytics.xml @@ -87,7 +87,9 @@ jobs: uses: actions/upload-artifact@v4 with: name: bom-partials - path: bom.*.xml + path: | + bom.nextcloud.*.xml + bom.app-googleanalytics.xml merge-sboms: needs: generate-sbom From a8380bb6d3041700ec08249453cf78e8086b9116 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 17:45:56 +0100 Subject: [PATCH 23/46] [WIP] Unify step name schema From 520755bfab416b11e3bdf04b813c53eb4946993f Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 17:54:03 +0100 Subject: [PATCH 24/46] [WIP] Move SBOM merge to function --- .github/workflows/sbom.yaml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index c79b64d5dae68..60ea86cbeea21 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -49,7 +49,7 @@ jobs: with: node-version-file: "package.json" - - name: "Nextcloud: install npm dependencies" + - name: "Install dependencies (Nextcloud - npm)" env: FONTAWESOME_PACKAGE_TOKEN: ${{ secrets.FONTAWESOME_PACKAGE_TOKEN }} run: | 
@@ -113,10 +113,12 @@ jobs: # elements or values that prevent upload to Dependency Track. run: | echo "Merge BOMs for: Nextcloud" - cyclonedx merge --input-files bom.nextcloud.composer.xml bom.nextcloud.npm.xml --output-file bom.xml --output-version v1_3 - awk '/^ / { ignore=1 } /^ <\/metadata>/ { ignore=0; next; } { if (!ignore) print }' bom.xml >bom.nextcloud.xml + function merge_bom() { + cyclonedx merge --input-files bom.${1}.composer.xml bom.${1}.npm.xml --output-file bom.xml --output-version v1_3 ; + awk '/^ / { ignore=1 } /^ <\/metadata>/ { ignore=0; next; } { if (!ignore) print }' bom.xml >bom.${1}.xml ; + } - # TODO use for loop where needed for apps + merge_bom "nextcloud" - name: Show BOMs run: | From e5cb50040237f5349734d8304d4dc6f0599aefcc Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 2 Jun 2025 16:42:57 +0200 Subject: [PATCH 25/46] [WIP] Fix function definition sh does not know about function keyword. --- .github/workflows/sbom.yaml | 19 +------------------ 1 file changed, 1 insertion(+), 18 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 60ea86cbeea21..406973e961ffd 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -66,21 +66,6 @@ jobs: npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file './bom.nextcloud.npm.xml' - - # - # Custom App: googleanalytics - # - - # SBOM for composer (generate) - - - name: Generate SBOM (Custom App googleanalytics - composer) - working-directory: ./apps-custom/googleanalytics - # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer - run: | - composer CycloneDX:make-sbom --output-file=../../bom.app-googleanalytics.xml - - - # Pass BOMs to next Job # https://github.com/actions/upload-artifact - name: Store partial BOMs @@ -89,7 +74,6 @@ jobs: name: bom-partials path: | bom.nextcloud.*.xml - bom.app-googleanalytics.xml merge-sboms: needs: generate-sbom 
@@ -113,7 +97,7 @@ jobs: # elements or values that prevent upload to Dependency Track. run: | echo "Merge BOMs for: Nextcloud" - function merge_bom() { + merge_bom() { cyclonedx merge --input-files bom.${1}.composer.xml bom.${1}.npm.xml --output-file bom.xml --output-version v1_3 ; awk '/^ / { ignore=1 } /^ <\/metadata>/ { ignore=0; next; } { if (!ignore) print }' bom.xml >bom.${1}.xml ; } @@ -132,7 +116,6 @@ jobs: name: final-boms path: | bom.nextcloud.xml - bom.app-googleanalytics.xml upload-sboms: needs: merge-sboms From 97cb9d94823dfadf4a40e52e9f13aad69286bfc1 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 2 Jun 2025 16:51:53 +0200 Subject: [PATCH 26/46] [WIP] Upload SBOM --- .github/workflows/sbom.yaml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 406973e961ffd..2eca23be082c6 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -130,4 +130,16 @@ jobs: run: | cat bom.*.xml - # TODO: upload BOMs + upload_bom() { + echo "Upload Nextcloud SBOM ${1} for object ${2} ..." + + curl \ + -D- \ + -X POST ${DEPENDENCY_TRACK_BASE_URL}/api/v1/bom \ + -H "Content-Type: multipart/form-data" \ + -H "X-API-Key: ${DEPENDENCY_TRACK_API_KEY}" \ + -F "project=${2}" \ + -F "bom=@${1}" + } + + upload_bom "bom.nextcloud.xml" "${DT_OBJECT_NEXTCLOUD}" From 8d45c6b55dead59e86adf3e25fa5c68e383f9154 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 2 Jun 2025 17:07:28 +0200 Subject: [PATCH 27/46] [WIP] sbom upload: never cat, change Job description --- .github/workflows/sbom.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 2eca23be082c6..209e06b431045 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
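Review bot: `upload_bom` passes the Dependency-Track API key as a literal `-H "X-API-Key: ..."` argument, so it is visible in the runner's process list for the duration of the upload (relevant once this job moves to a self-hosted runner later in the series), and `-D-` copies the full response headers into the job log. Read the header from a file instead, e.g. write `X-API-Key: ${DEPENDENCY_TRACK_API_KEY}` into a mktemp'd file with restrictive permissions and pass `-H @"${hdr_file}"`, and drop `-D-` once the endpoint is understood. The variables `DEPENDENCY_TRACK_BASE_URL`, `DEPENDENCY_TRACK_API_KEY` and `DT_OBJECT_NEXTCLOUD` are not defined anywhere in this file, so the step needs an `env:` mapping for them. The earlier steps of `upload-sboms` are outside the hunk.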
@@ -126,9 +126,9 @@ jobs: with: name: final-boms - - name: Dump merged SBOMs + - name: Upload SBOMs run: | - cat bom.*.xml + wc --total=never -l bom.*.xml upload_bom() { echo "Upload Nextcloud SBOM ${1} for object ${2} ..." From ba3d66343f5fcf2a9fe43442fba0072696c20905 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 2 Jun 2025 17:19:55 +0200 Subject: [PATCH 28/46] [WIP] sbom upload: print URL --- .github/workflows/sbom.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 209e06b431045..3272bf5be2a4f 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -130,12 +130,14 @@ jobs: run: | wc --total=never -l bom.*.xml + echo "Upload to: ${DEPENDENCY_TRACK_BASE_URL}/api/v1/bom" + upload_bom() { echo "Upload Nextcloud SBOM ${1} for object ${2} ..." curl \ -D- \ - -X POST ${DEPENDENCY_TRACK_BASE_URL}/api/v1/bom \ + -X POST "${DEPENDENCY_TRACK_BASE_URL}/api/v1/bom" \ -H "Content-Type: multipart/form-data" \ -H "X-API-Key: ${DEPENDENCY_TRACK_API_KEY}" \ -F "project=${2}" \ From f1583c0373fd326844c38583acdca6ee41bfe4cc Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 2 Jun 2025 17:31:40 +0200 Subject: [PATCH 29/46] [WIP] Use GitHub expressions, not env vars D'oh --- .github/workflows/sbom.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 3272bf5be2a4f..715b0650d9a37 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
@@ -130,18 +130,18 @@ jobs: run: | wc --total=never -l bom.*.xml - echo "Upload to: ${DEPENDENCY_TRACK_BASE_URL}/api/v1/bom" + echo "Upload to: ${{ vars.DEPENDENCY_TRACK_BASE_URL }}/api/v1/bom" upload_bom() { echo "Upload Nextcloud SBOM ${1} for object ${2} ..." curl \ -D- \ - -X POST "${DEPENDENCY_TRACK_BASE_URL}/api/v1/bom" \ + -X POST "${{ vars.DEPENDENCY_TRACK_BASE_URL }}/api/v1/bom" \ -H "Content-Type: multipart/form-data" \ - -H "X-API-Key: ${DEPENDENCY_TRACK_API_KEY}" \ + -H "X-API-Key: ${{ secrets.DEPENDENCY_TRACK_API_KEY }}" \ -F "project=${2}" \ -F "bom=@${1}" } - upload_bom "bom.nextcloud.xml" "${DT_OBJECT_NEXTCLOUD}" + upload_bom "bom.nextcloud.xml" "${{ vars.DT_OBJECT_NEXTCLOUD }}" From f97f5f1ca5899ca66a5ac91f02cd322297de882f Mon Sep 17 00:00:00 2001 From: "Misha M.-Kupriyanov" Date: Fri, 13 Jun 2025 09:49:05 +0200 Subject: [PATCH 30/46] [WIP] DROP: add mk/tl/sbom-generation to sbom.yaml Signed-off-by: Misha M.-Kupriyanov --- .github/workflows/sbom.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 715b0650d9a37..194da185f8eb7 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -10,6 +10,7 @@ on: # Enable once approved # - ionos-dev - tl/sbom-generation + - mk/tl/sbom-generation jobs: generate-sbom: From 8755cd0cdebbbaa03a6bad189cd716ab152ad1b9 Mon Sep 17 00:00:00 2001 From: "Misha M.-Kupriyanov" Date: Fri, 13 Jun 2025 13:58:09 +0200 Subject: [PATCH 31/46] [WIP] fix: change sbom upload runner to self-hosted Signed-off-by: Misha M.-Kupriyanov --- .github/workflows/sbom.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 194da185f8eb7..509861e0cdcad 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
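Review bot: Interpolating `${{ secrets.DEPENDENCY_TRACK_API_KEY }}` and the `vars.*` expressions directly into the `run:` script substitutes their values into the shell source before it executes: a quote or `$` in a value breaks or alters the script, and the secret becomes part of the generated script text rather than an environment variable. The step should declare an `env:` mapping and keep the `${DEPENDENCY_TRACK_BASE_URL}`-style references the removed lines already used; the same applies to `${{ secrets.IONOS_CA }}` introduced in patch 33. The step's `name:` line and the `wc` call are outside the hunk.
```yaml
      - name: Upload SBOMs
        env:
          DEPENDENCY_TRACK_BASE_URL: ${{ vars.DEPENDENCY_TRACK_BASE_URL }}
          DEPENDENCY_TRACK_API_KEY: ${{ secrets.DEPENDENCY_TRACK_API_KEY }}
          DT_OBJECT_NEXTCLOUD: ${{ vars.DT_OBJECT_NEXTCLOUD }}
        run: |
          # … unchanged: wc call and upload_bom() using "${DEPENDENCY_TRACK_BASE_URL}" and "${DEPENDENCY_TRACK_API_KEY}" …
          upload_bom "bom.nextcloud.xml" "${DT_OBJECT_NEXTCLOUD}"
```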
@@ -120,7 +120,7 @@ jobs: upload-sboms: needs: merge-sboms - runs-on: ubuntu-latest + runs-on: self-hosted steps: - name: Download partial BOMs uses: actions/download-artifact@v4 From dec2fdcc6ecc1ce2f97293426dfb8b501bced91e Mon Sep 17 00:00:00 2001 From: "Misha M.-Kupriyanov" Date: Fri, 13 Jun 2025 14:35:45 +0200 Subject: [PATCH 32/46] [WIP] fix: correct word count command for SBOM upload Signed-off-by: Misha M.-Kupriyanov --- .github/workflows/sbom.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 509861e0cdcad..645c7be0c1e9c 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -129,7 +129,7 @@ jobs: - name: Upload SBOMs run: | - wc --total=never -l bom.*.xml + wc -l bom.*.xml echo "Upload to: ${{ vars.DEPENDENCY_TRACK_BASE_URL }}/api/v1/bom" From b4ae197fbc0fc2614ab91b963d96436540e81bb9 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Wed, 2 Jul 2025 15:24:38 +0200 Subject: [PATCH 33/46] [WIP] Configure cacert --- .github/workflows/sbom.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 645c7be0c1e9c..b80eb06015044 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -129,6 +129,9 @@ jobs: - name: Upload SBOMs run: | + cert_file="$( mktemp )" + echo "${{ secrets.IONOS_CA }}" > ${cert_file} + wc -l bom.*.xml echo "Upload to: ${{ vars.DEPENDENCY_TRACK_BASE_URL }}/api/v1/bom" @@ -137,6 +140,7 @@ jobs: echo "Upload Nextcloud SBOM ${1} for object ${2} ..." curl \ + --cacert "${cert_file}" \ -D- \ -X POST "${{ vars.DEPENDENCY_TRACK_BASE_URL }}/api/v1/bom" \ -H "Content-Type: multipart/form-data" \ From 05140f72bf660e0d50ed7ce5901f252e23662c12 Mon Sep 17 00:00:00 2001 
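Review bot: `runs-on: self-hosted` on `upload-sboms` means the job that receives the Dependency-Track API key is scheduled onto any runner in the repository or organisation carrying the generic `self-hosted` label, not onto a runner chosen for that purpose; patch 35's `@@ -14,7` and `@@ -78,7` hunks move `generate-sbom` and `merge-sboms` the same way. A dedicated label or runner group, e.g. `runs-on: [self-hosted, <sbom-runner-label>]` (placeholder label), narrows where the secrets are delivered, and it is worth confirming that these runners are ephemeral, since a persistent workspace keeps the downloaded BOMs and whatever the scripts write between runs. The `on: push` branch list, outside this hunk, is the only thing gating which pushes run on those runners, so it deserves the same scrutiny as the runner label.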
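Review bot: The file created by `cert_file="$( mktemp )"` is never removed, so on the self-hosted runner this job targets every run leaves another copy of the CA bundle in the temp directory; `trap 'rm -f "${cert_file}"' EXIT` on the line after `mktemp` cleans it up on every exit path. The redirection target in `> ${cert_file}` is unquoted — harmless for mktemp's default names, but `> "${cert_file}"` matches how `--cacert "${cert_file}"` in the second hunk already quotes it. Writing the PEM with `printf '%s\n' "${IONOS_CA}" > "${cert_file}"` from a step-level `env:` entry, instead of expanding `${{ secrets.IONOS_CA }}` inside the script, also keeps the multi-line value out of the generated script text. The `upload_bom` function touched by the second hunk continues outside it.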
From: Thomas Lehmann Date: Wed, 2 Jul 2025 15:45:07 +0200 Subject: [PATCH 34/46] [WIP] curl: exit non-zero on 404 to fail the Job --- .github/workflows/sbom.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index b80eb06015044..fba6d5c2eacf5 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -141,6 +141,7 @@ jobs: curl \ --cacert "${cert_file}" \ + --fail \ -D- \ -X POST "${{ vars.DEPENDENCY_TRACK_BASE_URL }}/api/v1/bom" \ -H "Content-Type: multipart/form-data" \ @@ -149,4 +150,5 @@ jobs: -F "bom=@${1}" } - upload_bom "bom.nextcloud.xml" "${{ vars.DT_OBJECT_NEXTCLOUD }}" + upload_bom "bom.nextcloud.xml" "${{ vars.DT_OBJECT_NEXTCLOUD }}" \ + || exit 1 From b2e081e6ac02de4efbc46b0c4980b778f560e6fe Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Thu, 3 Jul 2025 09:25:17 +0200 Subject: [PATCH 35/46] [WIP] Run on self-hosted --- .github/workflows/sbom.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index fba6d5c2eacf5..b682103d872e9 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -14,7 +14,7 @@ on: jobs: generate-sbom: - runs-on: ubuntu-latest + runs-on: self-hosted permissions: contents: read @@ -78,7 +78,7 @@ jobs: merge-sboms: needs: generate-sbom - runs-on: ubuntu-latest + runs-on: self-hosted # https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container container: From cebafa0999a86636f8d13251dcaf6792dceea02e Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Thu, 3 Jul 2025 09:30:51 +0200 Subject: [PATCH 36/46] [WIP] Install dependencies --- .github/workflows/sbom.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index b682103d872e9..b0d416506561a 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
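Review bot: `--fail` makes curl exit non-zero on an HTTP error but also discards the response body, so the Dependency-Track message that explains a rejected upload never reaches the job log; `--fail-with-body` (curl 7.76 and later) gives both the exit status and the body. Now that the status is checked, the `-D-` header dump on the next line is mostly noise in the log — if only the status matters, `--silent --show-error --write-out '%{http_code}\n'` is a tighter choice than printing every response header. The `|| exit 1` in the second hunk is redundant under the `-e` that GitHub's default step shell sets (assuming no `shell:` override outside the hunk) but does no harm; `upload_bom`'s definition starts before the first hunk.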
@@ -26,6 +26,9 @@ jobs: with: submodules: true + - name: Install build tools + run: apt-get update && apt-get install -y php8.3 php8.3-common composer + - name: Install CycloneDX # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer run: | From af04d505a17ea707ad0c08e20be175b0a35d2306 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Thu, 3 Jul 2025 09:32:15 +0200 Subject: [PATCH 37/46] [WIP] Use sudo for install --- .github/workflows/sbom.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index b0d416506561a..11237e16ce0c7 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -27,7 +27,7 @@ jobs: submodules: true - name: Install build tools - run: apt-get update && apt-get install -y php8.3 php8.3-common composer + run: sudo apt-get update && sudo apt-get install -y php8.3 php8.3-common composer - name: Install CycloneDX # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer From 3ae6141a28605b8968163ebf4006de0821e4afc8 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Thu, 3 Jul 2025 09:49:12 +0200 Subject: [PATCH 38/46] [WIP] Change to action to setup PHP Use the same step as the build workflow uses. The image does not come with PHP 8.3 anyway. --- .github/workflows/sbom.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 11237e16ce0c7..65f97971670a0 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
@@ -26,8 +26,14 @@ jobs: with: submodules: true - - name: Install build tools - run: sudo apt-get update && sudo apt-get install -y php8.3 php8.3-common composer + # Same installation step as in hidrive-next-build.yaml + - name: Setup PHP with PECL extension + uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 + with: + tools: composer:v2 + extensions: gd, zip, curl, xml, xmlrpc, mbstring, sqlite, xdebug, pgsql, intl, imagick, gmp, apcu, bcmath, redis, soap, imap, opcache + env: + runner: self-hosted - name: Install CycloneDX # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer From 146bc18229970e69a05656613ba664de9873afcf Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Thu, 3 Jul 2025 11:21:48 +0200 Subject: [PATCH 39/46] [WIP] Analyze simple settings --- .github/workflows/sbom.yaml | 47 +++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 65f97971670a0..fbe586ee418c5 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
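Review bot: The extension list copied from the build workflow (`xdebug`, `imagick`, `pgsql`, `redis`, `soap`, `imap`, …) is far wider than an SBOM run needs: the only PHP work in this job is `composer` with the CycloneDX plugin, which — as far as this file shows — uses no database, image or debugging extension, and each extra one is more code installed with elevated rights on the self-hosted runner and more time per run. Trim the list to what the plugin requires (presumably `zip`, `curl`, `xml`, `mbstring`; confirm against its documentation) and say in the comment why it differs from `hidrive-next-build.yaml` rather than that it is the same. A style nit: the pin comment `#v2.31.1` lacks the space after `#` that the `# v4.0.2` pin on the setup-node step uses.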
@@ -76,6 +76,52 @@ jobs: npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file './bom.nextcloud.npm.xml' + # Apps + # + # Apps reference custom-npms via relative paths and can therefor not + # have their dependencies installed and analyzed and be built in + # isolation. + # + + # + # App: simplesettings + # + + # SBOM for composer (generate) + + - name: Generate SBOM (apps:simplesettings - composer) + # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer + run: | + cd apps-custom/simplesettings + composer CycloneDX:make-sbom --output-file=../../bom.app-simplesettings.composer.xml + + # SBOM for NPM (install and generate) + + - name: Set up node with version from package.json's engines + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 + with: + node-version-file: "apps-custom/simplesettings/package.json" + + - name: "Install dependencies (apps:simplesettings - npm)" + env: + FONTAWESOME_PACKAGE_TOKEN: ${{ secrets.FONTAWESOME_PACKAGE_TOKEN }} + run: | + cd apps-custom/simplesettings + npm ci + + - name: Generate SBOM (apps:simplesettings - npm) + # Switch --ignore-npm-errors is used to not fail on inconsistencies + # found by npm ls, which complains about (mostly) "extraneous" packages + # found in node_modules, which are apparently related to us using npm + # overrides in package.json and presumably npm ls not being capable + # of analyzing this correctly. + # + run: | + cd apps-custom/simplesettings + npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file '../../bom.app-simplesettings.composer.xml' + + + # Pass BOMs to next Job # https://github.com/actions/upload-artifact - name: Store partial BOMs @@ -84,6 +130,7 @@ jobs: name: bom-partials path: | bom.nextcloud.*.xml + bom.app-*.composer.xml merge-sboms: needs: generate-sbom From 815a897a7af5311476781c5373e093072bbffe66 Mon Sep 17 00:00:00 2001 
From: Thomas Lehmann Date: Thu, 3 Jul 2025 11:32:54 +0200 Subject: [PATCH 40/46] [WIP] Fix name of npm SBOM --- .github/workflows/sbom.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index fbe586ee418c5..94fd850dbc478 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -118,7 +118,7 @@ jobs: # run: | cd apps-custom/simplesettings - npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file '../../bom.app-simplesettings.composer.xml' + npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file '../../bom.app-simplesettings.npm.xml' From cb34c189f8346a9cc4ee37266a1aabbfc4530cd1 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Thu, 3 Jul 2025 11:41:20 +0200 Subject: [PATCH 41/46] [WIP] Remove duplicated comment; fix upload include pattern --- .github/workflows/sbom.yaml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 94fd850dbc478..071c13c6bb75e 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -110,11 +110,8 @@ jobs: npm ci - name: Generate SBOM (apps:simplesettings - npm) - # Switch --ignore-npm-errors is used to not fail on inconsistencies - # found by npm ls, which complains about (mostly) "extraneous" packages - # found in node_modules, which are apparently related to us using npm - # overrides in package.json and presumably npm ls not being capable - # of analyzing this correctly. + # + # See previous step's comment on these options # run: | cd apps-custom/simplesettings @@ -130,7 +127,7 @@ jobs: name: bom-partials path: | bom.nextcloud.*.xml - bom.app-*.composer.xml + bom.app-*.xml merge-sboms: needs: generate-sbom From 81a49293031841a6362ddc4eae29ff0bd53a23b6 Mon Sep 17 00:00:00 2001 
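Review bot: The replacement comment `# See previous step's comment on these options` points at the wrong place: the step immediately before it is `Install dependencies (apps:simplesettings - npm)`, which has no comment, while the explanation of `--ignore-npm-errors` that this hunk deletes presumably lives on the nextcloud npm SBOM step further up the file. Name the step it means so the reader is not left searching, e.g. `# See the nextcloud "Generate SBOM (npm)" step above for why --ignore-npm-errors is used`; patch 46 copies the same dangling phrase into every new theme and app npm step, so fixing the wording here fixes the template they were copied from.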
From: Thomas Lehmann Date: Thu, 3 Jul 2025 13:41:39 +0200 Subject: [PATCH 42/46] [WIP] Merge and upload simplesettings SBOMs too --- .github/workflows/sbom.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 071c13c6bb75e..7708d3dbee169 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -157,6 +157,7 @@ jobs: } merge_bom "nextcloud" + merge_bom "app-simplesettings" - name: Show BOMs run: | @@ -170,6 +171,7 @@ jobs: name: final-boms path: | bom.nextcloud.xml + bom.app-simplesettings.xml upload-sboms: needs: merge-sboms @@ -204,4 +206,5 @@ jobs: } upload_bom "bom.nextcloud.xml" "${{ vars.DT_OBJECT_NEXTCLOUD }}" \ + && upload_bom "bom.app-simplesettings.xml" "${{ vars.DT_OBJECT_APP_SIMPLESETTINGS }}" \ || exit 1 From d82f0f1ba0e715d502009bce75564b7ebb1b9d6c Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Thu, 3 Jul 2025 15:26:35 +0200 Subject: [PATCH 43/46] [WIP] Use own registry to pull the mirrored image --- .github/workflows/sbom.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 7708d3dbee169..d3a021d05f0a4 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -135,7 +135,10 @@ jobs: # https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container container: - image: cyclonedx/cyclonedx-cli:0.27.1 + image: ${{ vars.HARBOR_URL_PREFIX }}/cyclonedx-cli:0.27.1 + credentials: + username: ${{ secrets.HARBOR_USERNAME }} + password: ${{ secrets.HARBOR_PASSWORD }} steps: - name: Download partial BOMs From 05417b4d880540b0a5facadd41e301a6dde51d0e Mon Sep 17 00:00:00 2001 
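Review bot: The `&& upload_bom … || exit 1` chain in the third hunk stops at the first failing upload, so a rejected BOM early in the list leaves every later one unuploaded while the job fails with the same exit code either way; patch 44's `@@ -210,4` hunk and patch 46's `@@ -252,8` hunk grow the same chain to twelve entries, where the partial state becomes hard to read from the log. Looping over the BOM/object pairs with a failure flag (`status=0; … upload_bom "${bom}" "${object}" || status=1; …; exit "${status}"`) attempts every upload, still fails the job, and makes each upload's result visible independently. `upload_bom` itself is defined above the hunk.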
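Review bot: The mirrored image is still referenced by mutable tag only, `${{ vars.HARBOR_URL_PREFIX }}/cyclonedx-cli:0.27.1`, so whoever can push to that path in the registry can replace the tool that produces the merged SBOMs without any change to this workflow. Pin the digest as well, `image: ${{ vars.HARBOR_URL_PREFIX }}/cyclonedx-cli:0.27.1@sha256:<digest-of-mirrored-image>` (placeholder digest), which is the container-side counterpart of the commit-SHA pinning already used for `actions/checkout` and `setup-node`; the `actions/download-artifact@v4` line visible in patch 31's hunk is likewise tag-pinned. Taking `HARBOR_URL_PREFIX` from a repository variable rather than a secret is the right choice — it is not sensitive and stays readable in the log.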
From: Thomas Lehmann Date: Mon, 7 Jul 2025 15:59:39 +0200 Subject: [PATCH 44/46] [WIP] Add apps googleanalytics, nc_theming, nc_ionos_processes --- .github/workflows/sbom.yaml | 49 +++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index d3a021d05f0a4..11cfe9a6a8863 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -118,6 +118,46 @@ jobs: npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file '../../bom.app-simplesettings.npm.xml' + # + # App: googleanalytics + # + + # SBOM for composer (generate) + + - name: Generate SBOM (apps:googleanalytics - composer) + # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer + run: | + cd apps-custom/googleanalytics + composer CycloneDX:make-sbom --output-file=../../bom.app-googleanalytics.composer.xml + + + # + # App: nc_ionos_processes + # + + # SBOM for composer (generate) + + - name: Generate SBOM (apps:nc_ionos_processes - composer) + # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer + run: | + cd apps-custom/nc_ionos_processes + composer CycloneDX:make-sbom --output-file=../../bom.app-ionos-processes.composer.xml + + + # + # App: nc_themeing + # + + # SBOM for composer (generate) + + - name: Generate SBOM (apps:nc_theming - composer) + # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer + run: | + cd apps-custom/nc_theming + composer CycloneDX:make-sbom --output-file=../../bom.app-theming.composer.xml + + + # Pass BOMs to next Job # https://github.com/actions/upload-artifact @@ -161,6 +201,9 @@ jobs: merge_bom "nextcloud" merge_bom "app-simplesettings" + merge_bom "app-googleanalytics" + merge_bom "app-ionos-processes" + merge_bom "app-theming" - name: Show BOMs run: | 
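Review bot: The section header `# App: nc_themeing` misspells the app that the step below it enters via `cd apps-custom/nc_theming`; `# App: nc_theming` keeps the header greppable. The output names also drift from the app directories — `nc_ionos_processes` becomes `bom.app-ionos-processes` and `nc_theming` becomes `bom.app-theming`, whereas patch 46 keeps `user_oidc` verbatim as `bom.app-user_oidc` — and since the `merge_bom`, artifact and `upload_bom` lists (and the `DT_OBJECT_APP_*` variables) all key on these names, one convention such as the directory name would remove a place to get wrong.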
@@ -175,6 +218,9 @@ jobs: path: | bom.nextcloud.xml bom.app-simplesettings.xml + bom.app-googleanalytics.xml + bom.app-ionos-processes.xml + bom.app-theming.xml upload-sboms: needs: merge-sboms @@ -210,4 +256,7 @@ jobs: upload_bom "bom.nextcloud.xml" "${{ vars.DT_OBJECT_NEXTCLOUD }}" \ && upload_bom "bom.app-simplesettings.xml" "${{ vars.DT_OBJECT_APP_SIMPLESETTINGS }}" \ + && upload_bom "bom.app-googleanalytics.xml" "${{ vars.DT_OBJECT_APP_GOOGLE_ANALYTICS }}" \ + && upload_bom "bom.app-ionos-processes.xml" "${{ vars.DT_OBJECT_APP_IONOS_PROCESSES }}" \ + && upload_bom "bom.app-theming.xml" "${{ vars.DT_OBJECT_APP_THEMING }}" \ || exit 1 From 947f812ad8cea2c67ecd55482788e4f0c33aeb8d Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 7 Jul 2025 16:09:31 +0200 Subject: [PATCH 45/46] [WIP] Don't merge the new SBOMs, there's only one (d'oh) --- .github/workflows/sbom.yaml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 11cfe9a6a8863..9fd4d757bcdb3 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -128,7 +128,7 @@ jobs: # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer run: | cd apps-custom/googleanalytics - composer CycloneDX:make-sbom --output-file=../../bom.app-googleanalytics.composer.xml + composer CycloneDX:make-sbom --output-file=../../bom.app-googleanalytics.xml # @@ -141,7 +141,7 @@ jobs: # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer run: | cd apps-custom/nc_ionos_processes - composer CycloneDX:make-sbom --output-file=../../bom.app-ionos-processes.composer.xml + composer CycloneDX:make-sbom --output-file=../../bom.app-ionos-processes.xml # 
@@ -154,7 +154,7 @@ jobs: # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer run: | cd apps-custom/nc_theming - composer CycloneDX:make-sbom --output-file=../../bom.app-theming.composer.xml + composer CycloneDX:make-sbom --output-file=../../bom.app-theming.xml @@ -201,9 +201,6 @@ jobs: merge_bom "nextcloud" merge_bom "app-simplesettings" - merge_bom "app-googleanalytics" - merge_bom "app-ionos-processes" - merge_bom "app-theming" - name: Show BOMs run: | From e072cda42f891b02de66a942d2918bef8edc137c Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 14 Jul 2025 09:30:21 +0200 Subject: [PATCH 46/46] [WIP] Add remaining apps --- .github/workflows/sbom.yaml | 195 ++++++++++++++++++++++++++++++++++++ 1 file changed, 195 insertions(+) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 9fd4d757bcdb3..7275e750986fa 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -76,6 +76,31 @@ jobs: npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file './bom.nextcloud.npm.xml' + # + # Theme + # + + # SBOM for NPM (install and generate) + + - name: Set up node with version from package.json's engines + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 + with: + node-version-file: "themes/nc-ionos-theme/IONOS/package.json" + + - name: "Install dependencies (theme - npm)" + run: | + cd themes/nc-ionos-theme/IONOS + npm ci + + - name: Generate SBOM (theme - npm) + # + # See previous step's comment on these options + # + run: | + cd themes/nc-ionos-theme/IONOS + npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file '../../../bom.hidrive-next-theme.xml' + + # Apps # # Apps reference custom-npms via relative paths and can therefor not 
@@ -156,7 +181,158 @@ jobs: cd apps-custom/nc_theming composer CycloneDX:make-sbom --output-file=../../bom.app-theming.xml + # + # App: viewer + # + + # SBOM for composer (generate) + + - name: Generate SBOM (apps:viewer - composer) + # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer + run: | + cd apps-external/viewer + composer CycloneDX:make-sbom --output-file=../../bom.app-viewer.composer.xml + + # SBOM for NPM (install and generate) + + - name: Set up node with version from package.json's engines + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 + with: + node-version-file: "apps-external/viewer/package.json" + - name: "Install dependencies (apps:viewer - npm)" + run: | + cd apps-external/viewer + npm ci + + - name: Generate SBOM (apps:viewer - npm) + # + # See previous step's comment on these options + # + run: | + cd apps-external/viewer + npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file '../../bom.app-viewer.npm.xml' + + + # + # App: user_oidc + # + + # SBOM for composer (generate) + + - name: Generate SBOM (apps:user_oidc - composer) + # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer + run: | + cd apps-external/user_oidc + composer CycloneDX:make-sbom --output-file=../../bom.app-user_oidc.composer.xml + + # SBOM for NPM (install and generate) + + - name: Set up node with version from package.json's engines + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 + with: + node-version-file: "apps-external/user_oidc/package.json" + + - name: "Install dependencies (apps:user_oidc - npm)" + run: | + cd apps-external/user_oidc + npm ci + + - name: Generate SBOM (apps:user_oidc - npm) + # + # See previous step's comment on these options + # + run: | + cd apps-external/user_oidc + npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file '../../bom.app-user_oidc.npm.xml' + + # + # App: groupquota + # + + # SBOM for composer 
(generate) + + - name: Generate SBOM (apps:groupquota - composer) + # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer + run: | + cd apps-external/groupquota + composer CycloneDX:make-sbom --output-file=../../bom.app-groupquota.xml + + # + # App: richdocuments + # + + # SBOM for composer (generate) + + - name: Generate SBOM (apps:richdocuments - composer) + # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer + run: | + cd apps-external/richdocuments + composer CycloneDX:make-sbom --output-file=../../bom.app-richdocuments.composer.xml + + # SBOM for NPM (install and generate) + + - name: Set up node with version from package.json's engines + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 + with: + node-version-file: "apps-external/richdocuments/package.json" + + - name: "Install dependencies (apps:richdocuments - npm)" + run: | + cd apps-external/richdocuments + npm ci + + - name: Generate SBOM (apps:richdocuments - npm) + # + # See previous step's comment on these options + # + run: | + cd apps-external/richdocuments + npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file '../../bom.app-richdocuments.npm.xml' + + # + # App: files_downloadlimit + # + + # SBOM for composer (generate) + + - name: Generate SBOM (apps:files_downloadlimit - composer) + # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer + run: | + cd apps-external/files_downloadlimit + composer CycloneDX:make-sbom --output-file=../../bom.app-files_downloadlimit.composer.xml + + # SBOM for NPM (install and generate) + + - name: Set up node with version from package.json's engines + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 + with: + node-version-file: "apps-external/files_downloadlimit/package.json" + + - name: "Install dependencies (apps:files_downloadlimit - npm)" + run: | + cd apps-external/files_downloadlimit + npm ci + + - name: Generate SBOM (apps:files_downloadlimit - 
npm) + # + # See previous step's comment on these options + # + run: | + cd apps-external/files_downloadlimit + npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file '../../bom.app-files_downloadlimit.npm.xml' + + # + # App: serverinfo + # + + # SBOM for composer (generate) + + - name: Generate SBOM (apps:serverinfo - composer) + # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer + run: | + cd apps-external/serverinfo + composer CycloneDX:make-sbom --output-file=../../bom.app-serverinfo.xml # Pass BOMs to next Job @@ -167,6 +343,7 @@ jobs: name: bom-partials path: | bom.nextcloud.*.xml + bom.hidrive-next-theme.xml bom.app-*.xml merge-sboms: @@ -201,6 +378,10 @@ jobs: merge_bom "nextcloud" merge_bom "app-simplesettings" + merge_bom "app-viewer" + merge_bom "app-user_oidc" + merge_bom "app-richdocuments" + merge_bom "app-files_downloadlimit" - name: Show BOMs run: | @@ -214,10 +395,17 @@ jobs: name: final-boms path: | bom.nextcloud.xml + bom.hidrive-next-theme.xml bom.app-simplesettings.xml bom.app-googleanalytics.xml bom.app-ionos-processes.xml bom.app-theming.xml + bom.app-viewer.xml + bom.app-user_oidc.xml + bom.app-groupquota.xml + bom.app-richdocuments.xml + bom.app-files_downloadlimit.xml + bom.app-serverinfo.xml upload-sboms: needs: merge-sboms 
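Review bot: This hunk is the same step template pasted for six more apps, differing only in the directory, the BOM name and whether an npm part exists; that is exactly how the copy-and-edit slip in patch 39 (npm BOM written over the composer BOM) happened, and it is now roughly 150 lines that every further app grows again. A `strategy.matrix` with one `include:` entry per app (`path`, `name`, and an `npm` flag gating the three npm steps with `if: matrix.npm`), or a composite action holding the template, turns an addition into one line and keeps the steps from drifting; the merge job would then fetch the per-app partials with download-artifact v4's `pattern:` and `merge-multiple: true`. Smaller points in the hunk: the viewer `setup-node` step runs straight into `- name: "Install dependencies (apps:viewer - npm)"` with no blank line, unlike every other app, and every `Generate SBOM (… - npm)` step carries the `See previous step's comment` line whose referent is not the previous step.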
@@ -252,8 +440,15 @@ jobs: } upload_bom "bom.nextcloud.xml" "${{ vars.DT_OBJECT_NEXTCLOUD }}" \ + && upload_bom "bom.hidrive-next-theme.xml" "${{ vars.DT_OBJECT_THEME }}" \ && upload_bom "bom.app-simplesettings.xml" "${{ vars.DT_OBJECT_APP_SIMPLESETTINGS }}" \ && upload_bom "bom.app-googleanalytics.xml" "${{ vars.DT_OBJECT_APP_GOOGLE_ANALYTICS }}" \ && upload_bom "bom.app-ionos-processes.xml" "${{ vars.DT_OBJECT_APP_IONOS_PROCESSES }}" \ && upload_bom "bom.app-theming.xml" "${{ vars.DT_OBJECT_APP_THEMING }}" \ + && upload_bom "bom.app-viewer.xml" "${{ vars.DT_OBJECT_APP_VIEWER }}" \ + && upload_bom "bom.app-user_oidc.xml" "${{ vars.DT_OBJECT_APP_USER_OIDC }}" \ + && upload_bom "bom.app-groupquota.xml" "${{ vars.DT_OBJECT_APP_GROUPQUOTA }}" \ + && upload_bom "bom.app-richdocuments.xml" "${{ vars.DT_OBJECT_APP_RICHDOCUMENTS }}" \ + && upload_bom "bom.app-files_downloadlimit.xml" "${{ vars.DT_OBJECT_APP_FILES_DOWNLOADLIMIT }}" \ + && upload_bom "bom.app-serverinfo.xml" "${{ vars.DT_OBJECT_APP_SERVERINFO }}" \ || exit 1