
feat: integrate sbom generation to goreleaser #1850

Merged
merged 7 commits into from
Nov 2, 2021

Conversation

tricky42
Contributor

Securing the Software Supply Chain becomes more and more critical. This PR will generate an SBOM using cyclonedx-gomod for each binary. Users can use the SBOM to get full transparency of existing vulnerabilities in a given release.

Related issue(s)

n/a

Checklist

Further Comments

tricky42 and others added 2 commits October 17, 2021 15:56
- add cyclonedx-gomod post hook
- add *.bom.json to release artifacts
@tricky42
Contributor Author

tricky42 commented Oct 17, 2021

Open tasks:

  • naming of SBOM files needs to use the same replacements as used in the archives section so *.bom.json files match the archive files they are created for
  • test release process to ensure *.bom.json files included in release artifacts

I looked at the cyclonedx-gomod repository for inspiration:

@aeneasr aeneasr added this to the v0.8.0-alpha.1 milestone Oct 19, 2021
@tricky42
Contributor Author

Log from running the build locally:

➜ docker run --mount type=bind,source="$(pwd)",target=/project \
    -v /var/run/docker.sock:/var/run/docker.sock \
    oryd/xgoreleaser:latest --skip-publish --snapshot --rm-dist
   • releasing...             
   • loading config file       file=.goreleaser.yml
   • loading environment variables
   • getting and validating git state
      • building...               commit=e7e4a4a7cafdd720803dd250b535cc1b0bf9e16f latest tag=v0.8.0-alpha.3
      • pipe skipped              error=disabled during snapshot mode
   • parsing tag              
   • running before hooks     
      • running                   hook=go mod download
      • running                   hook=go mod tidy
      • running                   hook=go install github.com/CycloneDX/[email protected]
   • setting defaults         
      • snapshotting             
      • github/gitlab/gitea releases
      • project name             
      • loading go mod information
      • building binaries        
      • creating source archive  
      • archives                 
      • linux packages           
      • snapcraft packages       
      • calculating checksums    
      • signing artifacts        
      • signing docker images    
      • docker images            
      • docker manifests         
      • artifactory              
      • blobs                    
      • homebrew tap formula     
      • scoop manifests          
      • twitter                  
      • reddit                   
      • slack                    
      • milestones               
   • snapshotting             
      • building snapshot...      version=v0.8.0-alpha.3-next
   • checking ./dist          
      • --rm-dist is set, cleaning it up
   • loading go mod information
   • writing effective config file
      • writing                   config=dist/config.yaml
   • generating changelog     
      • pipe skipped              error=not available for snapshots
   • building binaries        
      • building                  binary=/project/dist/kratos-sqlite-darwin_darwin_amd64/kratos
      • running hook              hook=cyclonedx-gomod app -licenses -json -output "./dist/kratos_v0.8.0-alpha.3-next-sqlite_darwin_amd64.bom.json"
      • running hook              hook=./.releaser/rename.sh "./dist/kratos_v0.8.0-alpha.3-next-sqlite_darwin_amd64.bom.json"
      • building                  binary=/project/dist/kratos-sqlite-darwin-arm_darwin_arm64/kratos
      • running hook              hook=cyclonedx-gomod app -licenses -json -output "./dist/kratos_v0.8.0-alpha.3-next-sqlite_darwin_arm64.bom.json"
      • running hook              hook=./.releaser/rename.sh "./dist/kratos_v0.8.0-alpha.3-next-sqlite_darwin_arm64.bom.json"
      • building                  binary=/project/dist/kratos-sqlite-linux_linux_amd64/kratos
      • running hook              hook=cyclonedx-gomod app -licenses -json -output "./dist/kratos_v0.8.0-alpha.3-next-sqlite_linux_amd64.bom.json"
      • running hook              hook=./.releaser/rename.sh "./dist/kratos_v0.8.0-alpha.3-next-sqlite_linux_amd64.bom.json"
      • building                  binary=/project/dist/kratos-sqlite-linux-libmusl_linux_amd64/kratos
      • running hook              hook=cyclonedx-gomod app -licenses -json -output "./dist/kratos_v0.8.0-alpha.3-next-sqlite-libmusl_linux_amd64.bom.json"
      • running hook              hook=./.releaser/rename.sh "./dist/kratos_v0.8.0-alpha.3-next-sqlite-libmusl_linux_amd64.bom.json"
      • building                  binary=/project/dist/kratos-sqlite-windows_windows_amd64/kratos.exe
      • running hook              hook=cyclonedx-gomod app -licenses -json -output "./dist/kratos_v0.8.0-alpha.3-next-sqlite_windows_amd64.bom.json"
      • running hook              hook=./.releaser/rename.sh "./dist/kratos_v0.8.0-alpha.3-next-sqlite_windows_amd64.bom.json"
      • building                  binary=/project/dist/kratos_darwin_arm64/kratos
      • building                  binary=/project/dist/kratos_linux_arm_6/kratos
      • building                  binary=/project/dist/kratos_windows_arm_7/kratos.exe
      • building                  binary=/project/dist/kratos_windows_arm_5/kratos.exe
      • building                  binary=/project/dist/kratos_windows_arm64/kratos.exe
      • building                  binary=/project/dist/kratos_windows_arm_6/kratos.exe
      • building                  binary=/project/dist/kratos_linux_arm64/kratos
      • building                  binary=/project/dist/kratos_linux_arm_7/kratos
      • running hook              hook=cyclonedx-gomod app -licenses -json -output "./dist/kratos_v0.8.0-alpha.3-next_linux_arm_7.bom.json"
      • running hook              hook=cyclonedx-gomod app -licenses -json -output "./dist/kratos_v0.8.0-alpha.3-next_linux_arm_6.bom.json"
      • running hook              hook=cyclonedx-gomod app -licenses -json -output "./dist/kratos_v0.8.0-alpha.3-next_linux_arm64.bom.json"
      • running hook              hook=cyclonedx-gomod app -licenses -json -output "./dist/kratos_v0.8.0-alpha.3-next_windows_arm_5.bom.json"
      • running hook              hook=cyclonedx-gomod app -licenses -json -output "./dist/kratos_v0.8.0-alpha.3-next_windows_arm_7.bom.json"
      • running hook              hook=cyclonedx-gomod app -licenses -json -output "./dist/kratos_v0.8.0-alpha.3-next_windows_arm64.bom.json"
      • running hook              hook=cyclonedx-gomod app -licenses -json -output "./dist/kratos_v0.8.0-alpha.3-next_windows_arm_6.bom.json"
      • running hook              hook=cyclonedx-gomod app -licenses -json -output "./dist/kratos_v0.8.0-alpha.3-next_darwin_arm64.bom.json"
      • running hook              hook=./.releaser/rename.sh "./dist/kratos_v0.8.0-alpha.3-next_windows_arm_6.bom.json"
      • running hook              hook=./.releaser/rename.sh "./dist/kratos_v0.8.0-alpha.3-next_windows_arm_7.bom.json"
      • running hook              hook=./.releaser/rename.sh "./dist/kratos_v0.8.0-alpha.3-next_linux_arm_7.bom.json"
      • running hook              hook=./.releaser/rename.sh "./dist/kratos_v0.8.0-alpha.3-next_windows_arm64.bom.json"
      • running hook              hook=./.releaser/rename.sh "./dist/kratos_v0.8.0-alpha.3-next_windows_arm_5.bom.json"
      • running hook              hook=./.releaser/rename.sh "./dist/kratos_v0.8.0-alpha.3-next_linux_arm_6.bom.json"
      • running hook              hook=./.releaser/rename.sh "./dist/kratos_v0.8.0-alpha.3-next_linux_arm64.bom.json"
      • running hook              hook=./.releaser/rename.sh "./dist/kratos_v0.8.0-alpha.3-next_darwin_arm64.bom.json"
      • building                  binary=/project/dist/kratos_darwin_amd64/kratos
      • building                  binary=/project/dist/kratos_windows_amd64/kratos.exe
      • building                  binary=/project/dist/kratos_windows_386/kratos.exe
      • building                  binary=/project/dist/kratos_linux_386/kratos
      • building                  binary=/project/dist/kratos_linux_amd64/kratos
      • building                  binary=/project/dist/kratos_linux_arm_5/kratos
      • running hook              hook=cyclonedx-gomod app -licenses -json -output "./dist/kratos_v0.8.0-alpha.3-next_linux_amd64.bom.json"
      • running hook              hook=cyclonedx-gomod app -licenses -json -output "./dist/kratos_v0.8.0-alpha.3-next_windows_amd64.bom.json"
      • running hook              hook=cyclonedx-gomod app -licenses -json -output "./dist/kratos_v0.8.0-alpha.3-next_darwin_amd64.bom.json"
      • running hook              hook=cyclonedx-gomod app -licenses -json -output "./dist/kratos_v0.8.0-alpha.3-next_linux_arm_5.bom.json"
      • running hook              hook=cyclonedx-gomod app -licenses -json -output "./dist/kratos_v0.8.0-alpha.3-next_linux_386.bom.json"
      • running hook              hook=cyclonedx-gomod app -licenses -json -output "./dist/kratos_v0.8.0-alpha.3-next_windows_386.bom.json"
      • running hook              hook=./.releaser/rename.sh "./dist/kratos_v0.8.0-alpha.3-next_darwin_amd64.bom.json"
      • running hook              hook=./.releaser/rename.sh "./dist/kratos_v0.8.0-alpha.3-next_linux_amd64.bom.json"
      • running hook              hook=./.releaser/rename.sh "./dist/kratos_v0.8.0-alpha.3-next_windows_amd64.bom.json"
      • running hook              hook=./.releaser/rename.sh "./dist/kratos_v0.8.0-alpha.3-next_linux_arm_5.bom.json"
      • running hook              hook=./.releaser/rename.sh "./dist/kratos_v0.8.0-alpha.3-next_linux_386.bom.json"
      • running hook              hook=./.releaser/rename.sh "./dist/kratos_v0.8.0-alpha.3-next_windows_386.bom.json"
   • archives                 
      • creating                  archive=dist/kratos_v0.8.0-alpha.3-next-sqlite_macos_64bit.tar.gz
      • creating                  archive=dist/kratos_v0.8.0-alpha.3-next-sqlite_macos_arm64.tar.gz
      • creating                  archive=dist/kratos_v0.8.0-alpha.3-next-sqlite_linux_64bit.tar.gz
      • creating                  archive=dist/kratos_v0.8.0-alpha.3-next-sqlite_windows_64bit.zip
      • creating                  archive=dist/kratos_v0.8.0-alpha.3-next_windows_arm32v7.zip
      • creating                  archive=dist/kratos_v0.8.0-alpha.3-next-sqlite-libmusl_linux_64bit.tar.gz
      • creating                  archive=dist/kratos_v0.8.0-alpha.3-next_windows_arm32v5.zip
      • creating                  archive=dist/kratos_v0.8.0-alpha.3-next_linux_64bit.tar.gz
      • creating                  archive=dist/kratos_v0.8.0-alpha.3-next_linux_arm32v5.tar.gz
      • creating                  archive=dist/kratos_v0.8.0-alpha.3-next_windows_64bit.zip
      • creating                  archive=dist/kratos_v0.8.0-alpha.3-next_linux_32bit.tar.gz
      • creating                  archive=dist/kratos_v0.8.0-alpha.3-next_linux_arm64.tar.gz
      • creating                  archive=dist/kratos_v0.8.0-alpha.3-next_macos_64bit.tar.gz
      • creating                  archive=dist/kratos_v0.8.0-alpha.3-next_windows_32bit.zip
      • creating                  archive=dist/kratos_v0.8.0-alpha.3-next_linux_arm32v6.tar.gz
      • creating                  archive=dist/kratos_v0.8.0-alpha.3-next_windows_arm32v6.zip
      • creating                  archive=dist/kratos_v0.8.0-alpha.3-next_windows_arm64.zip
      • creating                  archive=dist/kratos_v0.8.0-alpha.3-next_macos_arm64.tar.gz
      • creating                  archive=dist/kratos_v0.8.0-alpha.3-next_linux_arm32v7.tar.gz
   • creating source archive  
   • linux packages           
   • snapcraft packages       
   • calculating checksums    
      • checksumming              file=kratos_v0.8.0-alpha.3-next-sqlite_macos_arm64.tar.gz
      • checksumming              file=kratos_v0.8.0-alpha.3-next_windows_64bit.zip
      • checksumming              file=kratos_v0.8.0-alpha.3-next_windows_32bit.zip
      • checksumming              file=kratos_v0.8.0-alpha.3-next_windows_arm32v5.zip
      • checksumming              file=kratos_v0.8.0-alpha.3-next-sqlite_windows_64bit.zip
      • checksumming              file=kratos_v0.8.0-alpha.3-next_windows_arm32v7.zip
      • checksumming              file=kratos_v0.8.0-alpha.3-next_linux_32bit.tar.gz
      • checksumming              file=kratos_v0.8.0-alpha.3-next-sqlite_windows_64bit.bom.json
      • checksumming              file=kratos_v0.8.0-alpha.3-next_linux_64bit.tar.gz
      • checksumming              file=kratos_v0.8.0-alpha.3-next_linux_arm32v5.tar.gz
      • checksumming              file=kratos_v0.8.0-alpha.3-next-sqlite-libmusl_linux_64bit.tar.gz
      • checksumming              file=kratos_v0.8.0-alpha.3-next_windows_arm32v5.bom.json
      • checksumming              file=kratos_v0.8.0-alpha.3-next-sqlite_macos_64bit.tar.gz
      • checksumming              file=kratos_v0.8.0-alpha.3-next_windows_arm32v6.zip
      • checksumming              file=kratos_v0.8.0-alpha.3-next_linux_arm64.tar.gz
      • checksumming              file=kratos_v0.8.0-alpha.3-next_windows_arm64.zip
      • checksumming              file=kratos_v0.8.0-alpha.3-next_linux_arm32v6.tar.gz
      • checksumming              file=kratos_v0.8.0-alpha.3-next_linux_arm32v7.tar.gz
      • checksumming              file=kratos_v0.8.0-alpha.3-next_macos_64bit.tar.gz
      • checksumming              file=kratos_v0.8.0-alpha.3-next_macos_arm64.tar.gz
      • checksumming              file=kratos_v0.8.0-alpha.3-next-sqlite_linux_64bit.bom.json
      • checksumming              file=kratos_v0.8.0-alpha.3-next-sqlite_macos_arm64.bom.json
      • checksumming              file=kratos_v0.8.0-alpha.3-next_linux_32bit.bom.json
      • checksumming              file=kratos_v0.8.0-alpha.3-next_linux_arm64.bom.json
      • checksumming              file=kratos_v0.8.0-alpha.3-next_linux_arm32v7.bom.json
      • checksumming              file=kratos_v0.8.0-alpha.3-next-sqlite-libmusl_linux_64bit.bom.json
      • checksumming              file=kratos_v0.8.0-alpha.3-next_macos_64bit.bom.json
      • checksumming              file=kratos_v0.8.0-alpha.3-next_windows_32bit.bom.json
      • checksumming              file=kratos_v0.8.0-alpha.3-next_windows_arm32v6.bom.json
      • checksumming              file=kratos_v0.8.0-alpha.3-next_linux_64bit.bom.json
      • checksumming              file=kratos_v0.8.0-alpha.3-next_linux_arm32v6.bom.json
      • checksumming              file=kratos_v0.8.0-alpha.3-next-sqlite_macos_64bit.bom.json
      • checksumming              file=kratos_v0.8.0-alpha.3-next_windows_64bit.bom.json
      • checksumming              file=kratos_v0.8.0-alpha.3-next_windows_arm32v7.bom.json
      • checksumming              file=kratos_v0.8.0-alpha.3-next_macos_arm64.bom.json
      • checksumming              file=kratos_v0.8.0-alpha.3-next-sqlite_linux_64bit.tar.gz
      • checksumming              file=kratos_v0.8.0-alpha.3-next_linux_arm32v5.bom.json
      • checksumming              file=kratos_v0.8.0-alpha.3-next_windows_arm64.bom.json
   • signing artifacts        
   • docker images            
      • building docker image     image=oryd/kratos:v0
      • building docker image     image=oryd/kratos:v0-sqlite
      • pipe skipped              error=publishing is disabled
   • publishing               
      • blobs                    
      • http upload              
      • custom publisher         
      • artifactory              
      • docker images            
         • pipe skipped              error=publishing is disabled
      • docker manifests         
         • pipe skipped              error=publishing is disabled
      • snapcraft packages       
         • pipe skipped              error=publishing is disabled
      • github/gitlab/gitea releases
         • pipe skipped              error=publishing is disabled
      • homebrew tap formula     
         • writing                   formula=dist/kratos.rb
         • pipe skipped              error=publishing is disabled
      • scoop manifests          
         • writing                   manifest=dist/kratos.json
         • pipe skipped              error=publishing is disabled
      • milestones               
         • pipe skipped              error=publishing is disabled
   • signing docker images    
      • pipe skipped              error=artifact signing is disabled
   • announcing               
      • twitter                  
         • pipe skipped              error=announcing is disabled
      • reddit                   
         • pipe skipped              error=announcing is disabled
      • slack                    
         • pipe skipped              error=announcing is disabled
   • release succeeded after 1105.81s
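An added consumer-side check, written for this thread and not code from the PR, goreleaser or cyclonedx-gomod: given a release's checksums file, it confirms that every archive has a companion `.bom.json` named like it (the naming requirement from the open tasks above), verifies the SHA-256 of each listed file against what is on disk, and lists the components recorded in the CycloneDX document. The file names, the sample SBOM contents and the checksums file are constructed; the archive/SBOM naming pattern follows the build log.

```python
"""Added example (not code from the PR, goreleaser or cyclonedx-gomod): verify a
goreleaser release that ships one CycloneDX SBOM per archive.

Checks, from the release's checksums file:
  1. every archive has a companion <archive-basename>.bom.json in the checksums,
  2. each checksummed file's SHA-256 matches the recorded digest,
  3. the SBOM parses as CycloneDX JSON so its components can be listed.
All file names, SBOM contents and checksum lines below are constructed samples.
"""
import hashlib
import json
import os
import tempfile

ARCHIVE_EXTS = (".tar.gz", ".zip")

# Constructed CycloneDX document with placeholder Go modules (not real dependencies).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "version": 1,
    "components": [
        {"type": "library", "name": "example.com/dep/alpha", "version": "v1.2.3",
         "purl": "pkg:golang/example.com/dep/[email protected]",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example.com/dep/beta", "version": "v0.4.0",
         "purl": "pkg:golang/example.com/dep/[email protected]"},
    ],
}


def archive_basename(filename):
    """Strip a known archive extension; None for non-archive files (e.g. .bom.json)."""
    for ext in ARCHIVE_EXTS:
        if filename.endswith(ext):
            return filename[: -len(ext)]
    return None


def parse_checksums(text):
    """Parse 'sha256  filename' lines (sha256sum layout) into {filename: hexdigest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            digest, _, name = line.partition("  ")
            sums[name.strip()] = digest.lower()
    return sums


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_release(dist_dir, checksums_text):
    """Return (missing_sboms, bad_digests): archives with no companion .bom.json in
    the checksums file, and listed files whose on-disk digest differs or is absent."""
    sums = parse_checksums(checksums_text)
    missing = [n for n in sums
               if archive_basename(n) is not None and f"{archive_basename(n)}.bom.json" not in sums]
    bad = [n for n, expected in sums.items()
           if not os.path.exists(os.path.join(dist_dir, n))
           or sha256_of(os.path.join(dist_dir, n)) != expected]
    return sorted(missing), sorted(bad)


def sbom_components(path):
    """Return (name, version, purl, [license ids]) for each component in a CycloneDX JSON file."""
    with open(path, "rb") as f:
        bom = json.load(f)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"{path}: not a CycloneDX document")
    out = []
    for c in bom.get("components", []):
        lic = [e["license"].get("id", e["license"].get("name", "?"))
               for e in c.get("licenses", []) if "license" in e]
        out.append((c.get("name"), c.get("version"), c.get("purl"), lic))
    return out


def build_sample_dist(dist_dir):
    """Write constructed artifacts and return their checksums file. One archive gets a
    companion SBOM, one deliberately does not, and one is altered after checksumming."""
    files = {
        "kratos_v0.0.0-example_linux_64bit.tar.gz": b"constructed placeholder, not a tarball\n",
        "kratos_v0.0.0-example_linux_64bit.bom.json": json.dumps(SAMPLE_BOM).encode(),
        "kratos_v0.0.0-example_windows_64bit.zip": b"constructed placeholder, not a zip\n",
    }
    lines = []
    for name, data in files.items():
        with open(os.path.join(dist_dir, name), "wb") as f:
            f.write(data)
        lines.append(f"{hashlib.sha256(data).hexdigest()}  {name}")
    with open(os.path.join(dist_dir, "kratos_v0.0.0-example_windows_64bit.zip"), "ab") as f:
        f.write(b"tampered after checksumming\n")
    return "\n".join(lines) + "\n"


def demo():
    with tempfile.TemporaryDirectory() as d:
        sums = build_sample_dist(d)
        missing, bad = check_release(d, sums)
        comps = sbom_components(os.path.join(d, "kratos_v0.0.0-example_linux_64bit.bom.json"))
    return missing, bad, comps


if __name__ == "__main__":
    missing, bad, comps = demo()
    print("archives without a companion SBOM:", missing)
    print("files failing SHA-256 verification:", bad)
    for name, version, purl, lic in comps:
        print(f"{name} {version} {purl} licenses={lic}")
```

Run against a real `dist/` directory by passing its path and the contents of the release's checksums file to `check_release`; an archive that appears in `missing` is exactly the case the open task about file naming is meant to prevent, since a mismatched `.bom.json` name cannot be paired with its archive.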

@tricky42 tricky42 marked this pull request as ready for review October 31, 2021 21:24
@aeneasr aeneasr merged commit 305bb28 into ory:master Nov 2, 2021