Retain multiple SrcFile and identity evidences #2994
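# Repo tests: build and unit-test cdxgen, then run it (and evinse) against a
# corpus of sample repositories, lockfiles and binaries on a Linux/Windows
# matrix. Generated BOMs land in bomresults/ and are uploaded as an artifact.
name: Repo tests

on:
  workflow_dispatch:
  pull_request:
    paths-ignore:
      - 'docs/**'
      - '*.md'

# Least-privilege GITHUB_TOKEN: every step below only reads public
# repositories or uploads an artifact, none needs write access.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

jobs:
  build:
    strategy:
      fail-fast: true
      matrix:
        node-version: ['23.x']
        os: ['ubuntu-latest', 'windows-latest']
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '23'
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
      # NOTE(review): the third-party actions in this job (setup-deno,
      # setup-bun, setup-android, setup-swift, rust-toolchain) are referenced
      # by mutable tags; pinning them to a full commit SHA keeps the run
      # reproducible and immune to a moved or hijacked tag.
      - uses: denoland/setup-deno@v2
        with:
          deno-version: v2.x
      - uses: oven-sh/setup-bun@v1
      - name: Trim CI agent
        if: matrix.os == 'ubuntu-latest'
        run: |
          chmod +x contrib/free_disk_space.sh
          ./contrib/free_disk_space.sh
      - name: Install bazelisk - linux
        if: matrix.os == 'ubuntu-latest'
        # The release binary is installed without verifying its digest;
        # comparing it against the checksum published with the release
        # would detect a tampered download.
        run: |
          curl -LO "https://github.com/bazelbuild/bazelisk/releases/download/v1.20.0/bazelisk-linux-amd64"
          sudo mv bazelisk-linux-amd64 /usr/local/bin/bazel
          chmod +x /usr/local/bin/bazel
      - name: Install bazelisk - windows
        if: matrix.os == 'windows-latest'
        run: choco install -y bazel
      - name: npm install, build and test
        run: |
          corepack enable
          corepack pnpm install --package-import-method copy
          corepack pnpm test
          mkdir -p repotests
          mkdir -p bomresults
          mkdir -p denoresults
        env:
          # Environment values are always strings; quoted to make that explicit.
          CI: "true"
      - name: Setup Android SDK
        uses: android-actions/setup-android@v3
        # Always true with the matrix above (it has no 'self-hosted' entry);
        # kept so the step stays skippable if a self-hosted runner is added.
        if: matrix.os != 'self-hosted'
      - uses: swift-actions/setup-swift@v2
        if: matrix.os == 'ubuntu-latest'
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: pip install custom-json-diff
        # Unpinned: a new release of this tool changes what the elasticsearch
        # diff step below compares.
        run: |
          pip install custom-json-diff
      # Sample repositories. Those without a `ref` track their default branch,
      # so a failure in their step may come from an upstream change rather
      # than from this PR; pin a ref when a step starts flaking.
      - uses: actions/checkout@v4
        with:
          repository: 'ShiftLeftSecurity/shiftleft-java-example'
          path: 'repotests/shiftleft-java-example'
      - uses: actions/checkout@v4
        with:
          repository: 'ShiftLeftSecurity/shiftleft-ts-example'
          path: 'repotests/shiftleft-ts-example'
      - uses: actions/checkout@v4
        with:
          repository: 'ShiftLeftSecurity/shiftleft-go-example'
          path: 'repotests/shiftleft-go-example'
      - uses: actions/checkout@v4
        with:
          repository: 'prabhu/shiftleft-scala-example'
          path: 'repotests/shiftleft-scala-example'
      - uses: actions/checkout@v4
        with:
          repository: 'HooliCorp/vulnerable_net_core'
          path: 'repotests/vulnerable_net_core'
      - uses: actions/checkout@v4
        with:
          repository: 'HooliCorp/Goatly.NET'
          path: 'repotests/Goatly.NET'
      - uses: actions/checkout@v4
        with:
          repository: 'HooliCorp/DjanGoat'
          path: 'repotests/DjanGoat'
      - uses: actions/checkout@v4
        with:
          repository: 'prabhu/Vulnerable-Web-Application'
          path: 'repotests/Vulnerable-Web-Application'
      - uses: actions/checkout@v4
        with:
          repository: 'prabhu/railsgoat'
          path: 'repotests/railsgoat'
      - uses: actions/checkout@v4
        with:
          repository: 'bazelbuild/examples'
          path: 'repotests/bazel-examples'
      - uses: actions/checkout@v4
        with:
          repository: 'flutter/gallery'
          ref: 'v2.10.2'
          path: 'repotests/gallery'
      - uses: actions/checkout@v4
        with:
          repository: 'gojek/ziggurat'
          ref: '4.9.4'
          path: 'repotests/ziggurat'
      - uses: actions/checkout@v4
        with:
          repository: 'apple/swift-markdown'
          ref: '0.3.0'
          path: 'repotests/swift-markdown'
      - uses: actions/checkout@v4
        with:
          repository: 'GoogleCloudPlatform/microservices-demo'
          ref: 'v0.8.1'
          path: 'repotests/microservices-demo'
      - uses: actions/checkout@v4
        with:
          repository: 'zoom/meetingsdk-vuejs-sample'
          ref: 'v2.18.0'
          path: 'repotests/meetingsdk-vuejs-sample'
      - uses: actions/checkout@v4
        with:
          repository: 'kriasoft/react-app'
          path: 'repotests/react-app'
      - uses: actions/checkout@v4
        with:
          repository: 'patrickjuchli/basic-ftp'
          path: 'repotests/basic-ftp'
      - uses: actions/checkout@v4
        with:
          repository: 'Atome-FE/llama-node'
          path: 'repotests/llama-node'
      - uses: actions/checkout@v4
        with:
          repository: 'DIYgod/RSSHub'
          path: 'repotests/RSSHub'
      - uses: actions/checkout@v4
        with:
          repository: 'sveltejs/examples'
          path: 'repotests/sveltejs-examples'
      - uses: actions/checkout@v4
        with:
          repository: 'openpbs/openpbs'
          ref: 'v23.06.06'
          path: 'repotests/openpbs'
      - uses: actions/checkout@v4
        with:
          repository: 'home-assistant/android'
          ref: '2023.11.3'
          path: 'repotests/ha-android'
      - uses: actions/checkout@v4
        with:
          repository: 'rust-lang/rust'
          ref: '1.74.0'
          path: 'repotests/rs-rust'
      - uses: actions/checkout@v4
        with:
          repository: 'rust-lang/cargo'
          ref: '0.75.0'
          path: 'repotests/rs-cargo'
      - uses: actions/checkout@v4
        with:
          repository: 'Keats/validator'
          ref: 'v0.15.0'
          path: 'repotests/rs-validator'
      - uses: actions/checkout@v4
        with:
          repository: 'tokio-rs/axum'
          ref: 'axum-v0.6.20'
          path: 'repotests/rs-axum'
      - uses: actions/checkout@v4
        with:
          repository: 'fsprojects/FAKE'
          ref: '6.0.0'
          path: 'repotests/dotnet-paket'
      - uses: actions/checkout@v4
        with:
          repository: 'timheuer/SimpleFrameworkApp'
          ref: 'master'
          path: 'repotests/SimpleFrameworkApp'
      - uses: actions/checkout@v4
        with:
          repository: 'chabbasaad/Reporting-Windows-Application'
          ref: 'master'
          path: 'repotests/Reporting-Windows-Application'
      - uses: actions/checkout@v4
        with:
          repository: 'hoolicorp/java-sec-code'
          path: 'repotests/java-sec-code'
      - uses: actions/checkout@v4
        with:
          repository: 'DefectDojo/django-DefectDojo'
          ref: '2.28.2'
          path: 'repotests/django-DefectDojo'
      - uses: actions/checkout@v4
        with:
          repository: 'googleprojectzero/Jackalope'
          path: 'repotests/Jackalope'
      - uses: actions/checkout@v4
        with:
          repository: 'hritik14/broken-mvn-wrapper'
          path: 'repotests/broken-mvn-wrapper'
      - uses: actions/checkout@v4
        with:
          repository: 'microsoft/dotnet-podcasts'
          path: 'repotests/dotnet-podcasts'
      - uses: actions/checkout@v4
        with:
          repository: 'microsoft/react-native-windows'
          path: 'repotests/react-native-windows'
      - uses: actions/checkout@v4
        with:
          repository: 'oracle/dbt-oracle'
          path: 'repotests/dbt-oracle'
          ref: 'v1.7.6'
      - uses: actions/checkout@v4
        with:
          repository: 'fortra/impacket'
          path: 'repotests/impacket'
          ref: 'impacket_0_9_20'
      - uses: actions/checkout@v4
        with:
          repository: 'wix/greyhound'
          path: 'repotests/greyhound'
          ref: '385bb84a6f712ee18064a3b5ecb8d9dcbc1c75f3'
      # Only one repository is checked out into repotests/blint: a second
      # checkout into the same path with a different remote replaces the
      # first, so the earlier one would never be observable.
      - uses: actions/checkout@v4
        with:
          repository: 'owasp-dep-scan/blint'
          path: 'repotests/blint'
          ref: 'v2.2.2'
      - uses: actions/checkout@v4
        with:
          repository: 'malice00/cdxgen-expo-test'
          ref: 'android'
          path: 'repotests/expo-test'
      - uses: actions/checkout@v4
        with:
          repository: 'elastic/elasticsearch'
          path: 'repotests/elasticsearch'
      - uses: actions/checkout@v4
        with:
          repository: 'quarkusio/quarkus-quickstarts'
          path: 'repotests/quarkus-quickstarts'
          ref: '3.17.3'
      - uses: dtolnay/rust-toolchain@stable
      - name: setup sdkman
        # Piping a remote installer into bash executes whatever the endpoint
        # serves at run time; download to a file and verify it before
        # executing if reproducibility matters.
        run: |
          curl -s "https://get.sdkman.io" | bash
        if: runner.os != 'Windows'
      - name: repotests react-app
        run: |
          FETCH_LICENSE=false bin/cdxgen.js -p -t nodejs8 repotests/react-app -o bomresults/react-app.json
          node bin/evinse.js -i bomresults/react-app.json -o bomresults/react-app.evinse.json -l javascript --with-data-flow -p repotests/react-app
        shell: bash
      - name: repotests basic-ftp
        run: |
          FETCH_LICENSE=false bin/cdxgen.js -p -t nodejs10 repotests/basic-ftp -o bomresults/basic-ftp.json
        shell: bash
      - name: repotests llama-node
        run: |
          FETCH_LICENSE=false bin/cdxgen.js -p -t nodejs16 repotests/llama-node -o bomresults/llama-node.json
        shell: bash
      - name: repotests RSSHub
        run: |
          FETCH_LICENSE=false bin/cdxgen.js -p -t nodejs22 repotests/RSSHub -o bomresults/RSSHub.json
        shell: bash
      - name: repotests java-sec-code
        run: |
          bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-1.json --include-formulation --include-crypto
          bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-2.json --author foo --author bar --standard asvs-4.0.3
          bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-3.json --required-only
          bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-4.json --filter postgres --filter json
          bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-5.json --only spring
          bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-6.json --deep --evidence
          bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-7.json --profile research --export-proto
          bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-8.json --profile license-compliance
          bin/cdxgen.js -p -t java -t github repotests/java-sec-code -o bomresults/bom-java-sec-code-9.json
          bin/cdxgen.js -p -t java --exclude-type js repotests/java-sec-code -o bomresults/bom-java-sec-code-10.json
        shell: bash
      - name: repotests greyhound
        run: |
          bin/cdxgen.js -p -r -t java11 repotests/greyhound -o bomresults/bom-greyhound-java.json
          bin/cdxgen.js -p -r -t gradle repotests/greyhound -o bomresults/bom-greyhound-gradle.json
          bin/cdxgen.js -p -r -t java11 --exclude-type bazel --exclude-type sbt repotests/greyhound -o bomresults/bom-greyhound-wobazel.json
        shell: bash
        env:
          # NOTE(review): presumably cleared so the build tools resolve the JDK
          # themselves instead of using the one from setup-java — confirm.
          JAVA_HOME: ""
      - name: repotests quarkus-quickstarts
        # Each invocation writes its own file so no result is overwritten.
        run: |
          bin/cdxgen.js -p -r -t quarkus repotests/quarkus-quickstarts -o bomresults/bom-quarkus-quickstarts-quarkus.json --no-recurse
          bin/cdxgen.js -p -r -t quarkus repotests/quarkus-quickstarts -o bomresults/bom-quarkus-quickstarts-quarkus-1.5.json --no-recurse --spec-version 1.5
        shell: bash
      - name: repotests evidence
        run: |
          bin/cdxgen.js -p -t js --no-recurse -o bomresults/bom.json --evidence .
        shell: bash
      - name: repotests django-DefectDojo
        run: |
          bin/cdxgen.js -t python repotests/django-DefectDojo -o bomresults/django-DefectDojo-safe.json --feature-flags safe-pip-install
          bin/cdxgen.js -t python repotests/django-DefectDojo -o bomresults/django-DefectDojo.json --deep --include-crypto --spec-version 1.6
        shell: bash
      - name: repotests blint
        run: |
          bin/cdxgen.js -t python repotests/blint -o bomresults/blint-req.json --required-only -p
          bin/cdxgen.js -t python repotests/blint -o bomresults/blint-research.json --profile research -p
        shell: bash
      - name: repotests dbt-oracle
        run: |
          bin/cdxgen.js -t python repotests/dbt-oracle -o bomresults/dbt-oracle.json --deep --spec-version 1.6
        shell: bash
      - name: repotests impacket
        run: |
          bin/cdxgen.js -t python repotests/impacket -o bomresults/impacket.json
        shell: bash
      - name: repotests pixi
        # The lockfile and manifest are fetched from the upstream default
        # branch, so this step's input changes whenever that branch does.
        run: |
          mkdir pixi-sample
          cd pixi-sample
          curl -LO https://raw.githubusercontent.com/prefix-dev/pixi/main/pixi.lock
          curl -LO https://raw.githubusercontent.com/prefix-dev/pixi/main/pixi.toml
          cd ..
          bin/cdxgen.js -t python pixi-sample -o bomresults/bom-pixi.json -p
        shell: bash
      - name: repotests shiftleft-java-example
        # The first command generates a throwaway signing key pair in
        # bomresults/; the later github run reuses it to sign.
        run: |
          bin/cdxgen.js -p -r -t java repotests/shiftleft-java-example -o bomresults/bom-java.json --generate-key-and-sign
          node bin/evinse.js -i bomresults/bom-java.json -o bomresults/bom-java.evinse.json -l java --with-data-flow -p repotests/shiftleft-java-example
          SBOM_SIGN_ALGORITHM=RS512 SBOM_SIGN_PRIVATE_KEY=bomresults/private.key SBOM_SIGN_PUBLIC_KEY=bomresults/public.key bin/cdxgen.js -p -r -t github repotests/shiftleft-java-example -o bomresults/bom-github.json
        shell: bash
      - name: repotests shiftleft-ts-example
        run: |
          FETCH_LICENSE=false bin/cdxgen.js -p -t js repotests/shiftleft-ts-example -o bomresults/bom-ts-1.json --include-formulation
          node bin/evinse.js -i bomresults/bom-ts-1.json -o bomresults/bom-ts.evinse.json -l javascript --with-data-flow -p repotests/shiftleft-ts-example
          FETCH_LICENSE=true bin/cdxgen.js -p -t js repotests/shiftleft-ts-example --required-only -o bomresults/bom-ts-2.json --validate
          FETCH_LICENSE=1 bin/cdxgen.js -p -r -t js repotests/shiftleft-ts-example -o bomresults/bom-ts-3.json --validate
        shell: bash
      - name: repotests meetingsdk-vuejs-sample
        run: |
          FETCH_LICENSE=false bin/cdxgen.js -p -t js repotests/meetingsdk-vuejs-sample -o bomresults/bom-vue.json
          node bin/evinse.js -i bomresults/bom-vue.json -o bomresults/bom-vue.evinse.json -l javascript --with-data-flow -p repotests/meetingsdk-vuejs-sample
        shell: bash
      - name: repotests sveltejs-examples
        # Data-flow and reachables runs keep separate evinse outputs.
        run: |
          CDXGEN_DEBUG_MODE=debug ASTGEN_IGNORE_DIRS="" FETCH_LICENSE=false bin/cdxgen.js -p -t js repotests/sveltejs-examples -o bomresults/bom-svelte.json
          CDXGEN_DEBUG_MODE=debug ASTGEN_IGNORE_DIRS="" node bin/evinse.js -i bomresults/bom-svelte.json -o bomresults/bom-svelte.evinse.json -l javascript --with-data-flow -p repotests/sveltejs-examples
          CDXGEN_DEBUG_MODE=debug ASTGEN_IGNORE_DIRS="" node bin/evinse.js -i bomresults/bom-svelte.json -o bomresults/bom-svelte-reachables.evinse.json -l javascript --with-reachables -p repotests/sveltejs-examples
        shell: bash
      - name: repotests shiftleft-go-example
        run: |
          FETCH_LICENSE=false bin/cdxgen.js -p -r -t go repotests/shiftleft-go-example -o bomresults/bom-go.json --validate --export-proto
        shell: bash
      - name: repotests go mod tests
        # go.mod is fetched from the upstream default branch (moving target).
        run: |
          mkdir -p gomod-example
          cd gomod-example
          curl -LO https://raw.githubusercontent.com/anchore/syft/main/go.mod
          cd ..
          bin/cdxgen.js -p -r -t go gomod-example -o bomresults/bom-gomod.json
        shell: bash
      - name: repotests vulnerable_net_core
        run: |
          FETCH_LICENSE=true bin/cdxgen.js -p -r -t csharp repotests/vulnerable_net_core -o bomresults/bom-csharp2.json --include-formulation
        shell: bash
      - name: repotests Goatly.NET
        run: |
          FETCH_LICENSE=false bin/cdxgen.js -p -r repotests/Goatly.NET -o bomresults/bom-csharp3.json --include-formulation
        shell: bash
      - name: repotests DjanGoat
        run: |
          FETCH_LICENSE=true bin/cdxgen.js -p -r -t python repotests/DjanGoat -o bomresults/bom-python.json --validate
        shell: bash
      - name: repotests Vulnerable-Web-Application
        run: |
          bin/cdxgen.js -p -t php repotests/Vulnerable-Web-Application -o bomresults/bom-php-1.json --validate
          bin/cdxgen.js -p -t php --no-recurse repotests/Vulnerable-Web-Application -o bomresults/bom-php-2.json --validate --profile research
        shell: bash
      - name: repotests railsgoat
        run: |
          bin/cdxgen.js -p -r -t ruby repotests/railsgoat -o bomresults/bom-ruby.json --validate
        shell: bash
      - name: repotests bazel-examples
        run: |
          bin/cdxgen.js -p -r -t java17 repotests/bazel-examples/java-maven -o bomresults/bom-bazel.json --validate
        shell: bash
      - name: repotests gallery
        run: |
          bin/cdxgen.js -p -r -t dart repotests/gallery -o bomresults/bom-pub.json --validate
        shell: bash
      - name: repotests ziggurat
        run: |
          CDXGEN_DEBUG_MODE=debug bin/cdxgen.js -p -r -t clojure repotests/ziggurat -o bomresults/bom-clj.json --validate
        shell: bash
      - name: repotests swift-markdown
        run: |
          CDXGEN_DEBUG_MODE=debug bin/cdxgen.js -p -r -t swift repotests/swift-markdown -o bomresults/bom-swift.json
          CDXGEN_DEBUG_MODE=debug bin/cdxgen.js -p -r -t swift repotests/swift-markdown -o bomresults/bom-swift-research.json --profile research
        shell: bash
      - name: repotests microservices-demo
        if: matrix.os == 'windows-latest'
        run: |
          bin/cdxgen.js -p --no-recurse repotests/microservices-demo -o bomresults/bom-msd-1.json --validate
          bin/cdxgen.js -p -r repotests/microservices-demo -o bomresults/bom-msd-2.json --validate
          bin/cdxgen.js -p -r -t universal repotests/microservices-demo -o bomresults/bom-yaml.json
        shell: bash
      - name: repotests openpbs
        # Default, min-confidence and manifest-only runs keep separate outputs.
        run: |
          bin/cdxgen.js -p -r -t c repotests/openpbs -o bomresults/bom-openpbs.json
          bin/cdxgen.js -p -r -t c repotests/openpbs -o bomresults/bom-openpbs-minconf.json --min-confidence 0.4
          bin/cdxgen.js -p -r -t c repotests/openpbs -o bomresults/bom-openpbs-manifest.json --technique manifest-analysis
        shell: bash
      - name: repotests Jackalope
        run: |
          bin/cdxgen.js -p -r -t c repotests/Jackalope -o bomresults/bom-Jackalope.json
        shell: bash
      - name: repotests ha-android
        # The gradle build is best-effort (`|| true`): a failed assemble must
        # not block the BOM generation that follows.
        run: |
          cd repotests/ha-android && ./gradlew assembleDebug || true && cd ../..
          bin/cdxgen.js -r -t java repotests/ha-android -o bomresults/bom-android.json
          CDXGEN_DEBUG_MODE=debug bin/evinse.js -i bomresults/bom-android.json -o bomresults/bom-android.evinse.json -l java repotests/ha-android
        shell: bash
      - name: repotests rust
        run: |
          bin/cdxgen.js -p -r -t rust repotests/rs-rust -o bomresults/bom-rs-rust.json --validate
          bin/cdxgen.js -p -r -t rust repotests/rs-cargo -o bomresults/bom-rs-cargo.json --validate
          cargo generate-lockfile --manifest-path repotests/rs-validator/validator/Cargo.toml
          bin/cdxgen.js -p -r -t rust repotests/rs-validator -o bomresults/bom-rs-validator.json --validate
          bin/cdxgen.js -p -r -t rust repotests/rs-axum -o bomresults/bom-rs-axum.json --validate
        shell: bash
      - name: repotests dotnet-paket
        run: |
          bin/cdxgen.js -p -r -t dotnet repotests/dotnet-paket -o bomresults/bom-dotnet-paket.json --deep
          FETCH_LICENSE=true bin/cdxgen.js -p -r -t dotnet repotests/dotnet-paket -o bomresults/bom-dotnet-paket-2.json --validate
          bin/cdxgen.js -p -r -t dotnet repotests/dotnet-podcasts -o bomresults/bom-dotnet-podcasts.json --profile research --export-proto
          bin/cdxgen.js -p -r -t dotnet repotests/react-native-windows -o bomresults/bom-react-native-windows.json
        shell: bash
      - name: repotests SimpleFrameworkApp
        run: |
          bin/cdxgen.js -p -r -t dotnet-framework repotests/SimpleFrameworkApp -o bomresults/bom-dotnet-framework.json
          bin/cdxgen.js -p -r -t dotnet-framework repotests/Reporting-Windows-Application -o bomresults/bom-dotnet-framework-reporting.json --deep
        shell: bash
      # Named distinctly from the earlier "repotests blint" step so the two
      # can be told apart in the run log.
      - name: repotests blint and broken-mvn-wrapper
        run: |
          bin/cdxgen.js -p -t python repotests/blint -o bomresults/bom-blint.json
          bin/cdxgen.js -p -t python repotests/blint -o bomresults/bom-blint-deep.json --deep
          bin/cdxgen.js -p -t java repotests/broken-mvn-wrapper -o bomresults/bom-broken-mvn-wrapper.json
        shell: bash
      - name: repotests expo
        run: |
          cd repotests/expo-test && npm ci && cd ../..
          GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root bin/cdxgen.js -p -t gradle repotests/expo-test -o bomresults/bom-expo.json
          GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root GRADLE_RESOLVE_FROM_NODE=true bin/cdxgen.js -p -t gradle repotests/expo-test -o bomresults/bom-expo-npm.json
        shell: bash
      - name: repotests elasticsearch
        run: |
          bin/cdxgen.js -t gradle repotests/elasticsearch -o bomresults/bom-elasticsearch.json
          GRADLE_INCLUDED_BUILDS=:build-conventions,:build-tools,:build-tools-internal bin/cdxgen.js -t gradle repotests/elasticsearch -o bomresults/bom-elasticsearch-with-included-builds.json
          custom-json-diff -i bomresults/bom-elasticsearch.json bomresults/bom-elasticsearch-with-included-builds.json -o bomresults/diff-elasticsearch preset-diff
        shell: bash
      - name: jenkins plugins
        run: |
          mkdir -p jenkins
          curl -LO https://updates.jenkins.io/download/plugins/sonar/2.14/sonar.hpi
          curl -LO https://updates.jenkins.io/download/plugins/bouncycastle-api/2.26/bouncycastle-api.hpi
          curl -LO https://updates.jenkins.io/download/plugins/jsch/0.1.55.61.va_e9ee26616e7/jsch.hpi
          curl -LO https://updates.jenkins.io/download/plugins/momentjs/1.1.1/momentjs.hpi
          mv *.hpi jenkins
          CDXGEN_DEBUG_MODE=debug bin/cdxgen.js -p -r -t jenkins jenkins -o bomresults/bom-jenkins.json --validate
        shell: bash
      - name: standalone jar files
        run: |
          mkdir -p standalone-jar-files
          curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/org/jacoco/org.jacoco.report/0.8.8/org.jacoco.report-0.8.8.jar
          curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/org/apache/ws/xmlschema/xmlschema-core/2.2.5/xmlschema-core-2.2.5.jar
          curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-core/2.16.0/jackson-core-2.16.0.jar
          curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/junit/junit/4.13.2/junit-4.13.2.jar
          curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/wsdl4j/wsdl4j/1.6.3/wsdl4j-1.6.3.jar
          curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/org/apache/maven/maven-core/3.9.2/maven-core-3.9.2.jar
          curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/displaytag/displaytag/1.2/displaytag-1.2.jar
          curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/org/apache/poi/poi/3.17/poi-3.17.jar
          curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/org/jacoco/org.jacoco.agent/0.8.8/org.jacoco.agent-0.8.8.jar
          curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/javax/jws/javax.jws-api/1.1/javax.jws-api-1.1.jar
          curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/org/jrobin/jrobin/1.5.9/jrobin-1.5.9.jar
          FETCH_LICENSE=true bin/cdxgen.js -p standalone-jar-files -o bomresults/bom-standalone-jar-files.json --validate
        shell: bash
      - name: post-build lifecycle tests
        # Release tarballs and executables are fetched without checksum
        # verification; they are only scanned here, not executed.
        run: |
          pip install blint
          mkdir -p bintests
          cd bintests
          curl -LO https://github.com/owasp-dep-scan/dosai/releases/download/v0.1.1/Dosai.exe
          curl -LO https://github.com/owasp-dep-scan/dosai/releases/download/v0.1.1/Dosai
          curl -LO https://github.com/owasp-dep-scan/dosai/releases/download/v0.1.1/Dosai-osx-arm64
          cd ..
          bin/cdxgen.js -p -t dotnet --lifecycle post-build -o bomresults/bom-binary.json bintests
          mkdir -p gobintests
          cd gobintests
          curl -LO https://github.com/anchore/syft/releases/download/v1.0.1/syft_1.0.1_linux_arm64.tar.gz
          tar -xvf syft_1.0.1_linux_arm64.tar.gz
          rm syft_1.0.1_linux_arm64.tar.gz
          curl -LO https://github.com/containerd/containerd/releases/download/v2.0.0-rc.0/containerd-static-2.0.0-rc.0-linux-amd64.tar.gz
          tar -xvf containerd-static-2.0.0-rc.0-linux-amd64.tar.gz
          rm containerd-static-2.0.0-rc.0-linux-amd64.tar.gz
          cd ..
          bin/cdxgen.js -p -t go --lifecycle post-build -o bomresults/bom-go-binary.json gobintests
        shell: bash
      - name: repotests 1.6
        run: |
          bin/cdxgen.js -p -r -t java repotests/shiftleft-java-example -o bomresults/1.6-bom-java.json --generate-key-and-sign --spec-version 1.6
          SBOM_SIGN_ALGORITHM=RS512 SBOM_SIGN_PRIVATE_KEY=bomresults/private.key SBOM_SIGN_PUBLIC_KEY=bomresults/public.key bin/cdxgen.js -p -r -t github repotests/shiftleft-java-example -o bomresults/1.6-bom-github.json --spec-version 1.6
          FETCH_LICENSE=0 bin/cdxgen.js -p -r -t js repotests/shiftleft-ts-example -o bomresults/1.6-bom-ts-1.json --validate --spec-version 1.6
          FETCH_LICENSE=1 bin/cdxgen.js -p -r -t js repotests/shiftleft-ts-example --required-only -o bomresults/1.6-bom-ts-2.json --validate --spec-version 1.6
          FETCH_LICENSE=false bin/cdxgen.js -p -r -t go repotests/shiftleft-go-example -o bomresults/1.6-bom-go.json --validate --spec-version 1.6
          FETCH_LICENSE=true bin/cdxgen.js -p -r -t csharp repotests/vulnerable_net_core -o bomresults/1.6-bom-csharp2.json --validate --spec-version 1.6
          FETCH_LICENSE=false bin/cdxgen.js -p -r repotests/Goatly.NET -o bomresults/1.6-bom-csharp3.json --validate --spec-version 1.6
          FETCH_LICENSE=true bin/cdxgen.js -p -r -t python repotests/DjanGoat -o bomresults/1.6-bom-python.json --validate --spec-version 1.6
          bin/cdxgen.js -p -r -t php repotests/Vulnerable-Web-Application -o bomresults/1.6-bom-php.json --validate --spec-version 1.6
        shell: bash
      - name: repotests 1.4
        run: |
          bin/cdxgen.js -p -r -t java repotests/shiftleft-java-example -o bomresults/1.4-bom-java.json --generate-key-and-sign --spec-version 1.4
          SBOM_SIGN_ALGORITHM=RS512 SBOM_SIGN_PRIVATE_KEY=bomresults/private.key SBOM_SIGN_PUBLIC_KEY=bomresults/public.key bin/cdxgen.js -p -r -t github repotests/shiftleft-java-example -o bomresults/1.4-bom-github.json --spec-version 1.4
          FETCH_LICENSE=0 bin/cdxgen.js -p -r -t js repotests/shiftleft-ts-example -o bomresults/1.4-bom-ts-1.json --validate --spec-version 1.4
          FETCH_LICENSE=1 bin/cdxgen.js -p -r -t js repotests/shiftleft-ts-example --required-only -o bomresults/1.4-bom-ts-2.json --validate --spec-version 1.4
          FETCH_LICENSE=false bin/cdxgen.js -p -r -t go repotests/shiftleft-go-example -o bomresults/1.4-bom-go.json --validate --spec-version 1.4
          FETCH_LICENSE=true bin/cdxgen.js -p -r -t csharp repotests/vulnerable_net_core -o bomresults/1.4-bom-csharp2.json --validate --spec-version 1.4
          FETCH_LICENSE=false bin/cdxgen.js -p -r repotests/Goatly.NET -o bomresults/1.4-bom-csharp3.json --validate --spec-version 1.4
          FETCH_LICENSE=true bin/cdxgen.js -p -r -t python repotests/DjanGoat -o bomresults/1.4-bom-python.json --validate --spec-version 1.4
          bin/cdxgen.js -p -r -t php repotests/Vulnerable-Web-Application -o bomresults/1.4-bom-php.json --validate --spec-version 1.4
        shell: bash
      - name: list repotest bomresults
        run: |
          ls -ltr bomresults
        shell: bash
      - name: denotests
        # Deno permissions are granted per capability; widen this list only
        # when a new code path needs it.
        run: |
          deno info bin/cdxgen.js
          deno info bin/evinse.js
          deno run --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid,homedir --allow-write --allow-net bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-deno.json --deep
          deno run --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid,homedir --allow-write --allow-net bin/cdxgen.js -p -t python repotests/django-DefectDojo -o bomresults/django-DefectDojo-deno.json --deep
        env:
          FETCH_LICENSE: "true"
        shell: bash
      - name: buntests
        # Non-blocking: a bun failure is reported but does not fail the job.
        run: |
          rm -rf node_modules
          bun install
          bun --bun bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-bun.json --deep
          bun --bun bin/cdxgen.js -p -t python repotests/django-DefectDojo -o bomresults/django-DefectDojo-bun.json
        continue-on-error: true
        shell: bash
      - uses: actions/upload-artifact@v4
        # NOTE(review): with only pull_request and workflow_dispatch triggers,
        # github.ref equals refs/heads/master only for a manual dispatch from
        # master, so this upload never runs for PR builds — confirm intended.
        if: github.ref == 'refs/heads/master' && matrix.os == 'ubuntu-latest'
        with:
          name: bomresults
          path: bomresults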