Skip to content

Retain multiple SrcFile and identity evidences #2994

Retain multiple SrcFile and identity evidences

Retain multiple SrcFile and identity evidences #2994

Workflow file for this run

name: Repo tests
on:
workflow_dispatch:
pull_request:
paths-ignore:
- 'docs/**'
- '*.md'
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
jobs:
build:
strategy:
fail-fast: true
matrix:
node-version: ['23.x']
os: ['ubuntu-latest', 'windows-latest']
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- name: Set up JDK
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '23'
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
- uses: denoland/setup-deno@v2
with:
deno-version: v2.x
- uses: oven-sh/setup-bun@v1
- name: Trim CI agent
if: matrix.os == 'ubuntu-latest'
run: |
chmod +x contrib/free_disk_space.sh
./contrib/free_disk_space.sh
- name: Install bazelisk - linux
if: matrix.os == 'ubuntu-latest'
run: |
curl -LO "https://github.com/bazelbuild/bazelisk/releases/download/v1.20.0/bazelisk-linux-amd64"
sudo mv bazelisk-linux-amd64 /usr/local/bin/bazel
chmod +x /usr/local/bin/bazel
- name: Install bazelisk - windows
if: matrix.os == 'windows-latest'
run: choco install -y bazel
- name: npm install, build and test
run: |
corepack enable
corepack pnpm install --package-import-method copy
corepack pnpm test
mkdir -p repotests
mkdir -p bomresults
mkdir -p denoresults
env:
CI: true
- name: Setup Android SDK
uses: android-actions/setup-android@v3
if: matrix.os != 'self-hosted'
- uses: swift-actions/setup-swift@v2
if: matrix.os == 'ubuntu-latest'
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: pip install custom-json-diff
run: |
pip install custom-json-diff
- uses: actions/checkout@v4
with:
repository: 'ShiftLeftSecurity/shiftleft-java-example'
path: 'repotests/shiftleft-java-example'
- uses: actions/checkout@v4
with:
repository: 'ShiftLeftSecurity/shiftleft-ts-example'
path: 'repotests/shiftleft-ts-example'
- uses: actions/checkout@v4
with:
repository: 'ShiftLeftSecurity/shiftleft-go-example'
path: 'repotests/shiftleft-go-example'
- uses: actions/checkout@v4
with:
repository: 'prabhu/shiftleft-scala-example'
path: 'repotests/shiftleft-scala-example'
- uses: actions/checkout@v4
with:
repository: 'HooliCorp/vulnerable_net_core'
path: 'repotests/vulnerable_net_core'
- uses: actions/checkout@v4
with:
repository: 'HooliCorp/Goatly.NET'
path: 'repotests/Goatly.NET'
- uses: actions/checkout@v4
with:
repository: 'HooliCorp/DjanGoat'
path: 'repotests/DjanGoat'
- uses: actions/checkout@v4
with:
repository: 'prabhu/Vulnerable-Web-Application'
path: 'repotests/Vulnerable-Web-Application'
- uses: actions/checkout@v4
with:
repository: 'prabhu/railsgoat'
path: 'repotests/railsgoat'
- uses: actions/checkout@v4
with:
repository: 'bazelbuild/examples'
path: 'repotests/bazel-examples'
- uses: actions/checkout@v4
with:
repository: 'flutter/gallery'
ref: 'v2.10.2'
path: 'repotests/gallery'
- uses: actions/checkout@v4
with:
repository: 'gojek/ziggurat'
ref: '4.9.4'
path: 'repotests/ziggurat'
- uses: actions/checkout@v4
with:
repository: 'apple/swift-markdown'
ref: '0.3.0'
path: 'repotests/swift-markdown'
- uses: actions/checkout@v4
with:
repository: 'GoogleCloudPlatform/microservices-demo'
ref: 'v0.8.1'
path: 'repotests/microservices-demo'
- uses: actions/checkout@v4
with:
repository: 'zoom/meetingsdk-vuejs-sample'
ref: 'v2.18.0'
path: 'repotests/meetingsdk-vuejs-sample'
- uses: actions/checkout@v4
with:
repository: 'kriasoft/react-app'
path: 'repotests/react-app'
- uses: actions/checkout@v4
with:
repository: 'patrickjuchli/basic-ftp'
path: 'repotests/basic-ftp'
- uses: actions/checkout@v4
with:
repository: 'Atome-FE/llama-node'
path: 'repotests/llama-node'
- uses: actions/checkout@v4
with:
repository: 'DIYgod/RSSHub'
path: 'repotests/RSSHub'
- uses: actions/checkout@v4
with:
repository: 'sveltejs/examples'
path: 'repotests/sveltejs-examples'
- uses: actions/checkout@v4
with:
repository: 'openpbs/openpbs'
ref: 'v23.06.06'
path: 'repotests/openpbs'
- uses: actions/checkout@v4
with:
repository: 'home-assistant/android'
ref: '2023.11.3'
path: 'repotests/ha-android'
- uses: actions/checkout@v4
with:
repository: 'rust-lang/rust'
ref: '1.74.0'
path: 'repotests/rs-rust'
- uses: actions/checkout@v4
with:
repository: 'rust-lang/cargo'
ref: '0.75.0'
path: 'repotests/rs-cargo'
- uses: actions/checkout@v4
with:
repository: 'Keats/validator'
ref: 'v0.15.0'
path: 'repotests/rs-validator'
- uses: actions/checkout@v4
with:
repository: 'tokio-rs/axum'
ref: 'axum-v0.6.20'
path: 'repotests/rs-axum'
- uses: actions/checkout@v4
with:
repository: 'fsprojects/FAKE'
ref: '6.0.0'
path: 'repotests/dotnet-paket'
- uses: actions/checkout@v4
with:
repository: 'timheuer/SimpleFrameworkApp'
ref: 'master'
path: 'repotests/SimpleFrameworkApp'
- uses: actions/checkout@v4
with:
repository: 'chabbasaad/Reporting-Windows-Application'
ref: 'master'
path: 'repotests/Reporting-Windows-Application'
- uses: actions/checkout@v4
with:
repository: 'appthreat/blint'
ref: 'v1.0.34'
path: 'repotests/blint'
- uses: actions/checkout@v4
with:
repository: 'hoolicorp/java-sec-code'
path: 'repotests/java-sec-code'
- uses: actions/checkout@v4
with:
repository: 'DefectDojo/django-DefectDojo'
ref: '2.28.2'
path: 'repotests/django-DefectDojo'
- uses: actions/checkout@v4
with:
repository: 'googleprojectzero/Jackalope'
path: 'repotests/Jackalope'
- uses: actions/checkout@v4
with:
repository: 'hritik14/broken-mvn-wrapper'
path: 'repotests/broken-mvn-wrapper'
- uses: actions/checkout@v4
with:
repository: 'microsoft/dotnet-podcasts'
path: 'repotests/dotnet-podcasts'
- uses: actions/checkout@v4
with:
repository: 'microsoft/react-native-windows'
path: 'repotests/react-native-windows'
- uses: actions/checkout@v4
with:
repository: 'oracle/dbt-oracle'
path: 'repotests/dbt-oracle'
ref: 'v1.7.6'
- uses: actions/checkout@v4
with:
repository: 'fortra/impacket'
path: 'repotests/impacket'
ref: 'impacket_0_9_20'
- uses: actions/checkout@v4
with:
repository: 'wix/greyhound'
path: 'repotests/greyhound'
ref: '385bb84a6f712ee18064a3b5ecb8d9dcbc1c75f3'
- uses: actions/checkout@v4
with:
repository: 'owasp-dep-scan/blint'
path: 'repotests/blint'
ref: 'v2.2.2'
- uses: actions/checkout@v4
with:
repository: 'malice00/cdxgen-expo-test'
ref: 'android'
path: 'repotests/expo-test'
- uses: actions/checkout@v4
with:
repository: 'elastic/elasticsearch'
path: 'repotests/elasticsearch'
- uses: actions/checkout@v4
with:
repository: 'quarkusio/quarkus-quickstarts'
path: 'repotests/quarkus-quickstarts'
ref: '3.17.3'
- uses: dtolnay/rust-toolchain@stable
- name: setup sdkman
run: |
curl -s "https://get.sdkman.io" | bash
if: runner.os != 'Windows'
- name: repotests react-app
run: |
FETCH_LICENSE=false bin/cdxgen.js -p -t nodejs8 repotests/react-app -o bomresults/react-app.json
node bin/evinse.js -i bomresults/react-app.json -o bomresults/react-app.evinse.json -l javascript --with-data-flow -p repotests/react-app
shell: bash
- name: repotests basic-ftp
run: |
FETCH_LICENSE=false bin/cdxgen.js -p -t nodejs10 repotests/basic-ftp -o bomresults/basic-ftp.json
shell: bash
- name: repotests llama-node
run: |
FETCH_LICENSE=false bin/cdxgen.js -p -t nodejs16 repotests/llama-node -o bomresults/llama-node.json
shell: bash
- name: repotests RSSHub
run: |
FETCH_LICENSE=false bin/cdxgen.js -p -t nodejs22 repotests/RSSHub -o bomresults/RSSHub.json
shell: bash
- name: repotests java-sec-code
run: |
bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-1.json --include-formulation --include-crypto
bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-2.json --author foo --author bar --standard asvs-4.0.3
bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-3.json --required-only
bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-4.json --filter postgres --filter json
bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-5.json --only spring
bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-6.json --deep --evidence
bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-7.json --profile research --export-proto
bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-8.json --profile license-compliance
bin/cdxgen.js -p -t java -t github repotests/java-sec-code -o bomresults/bom-java-sec-code-9.json
bin/cdxgen.js -p -t java -exclude-type js repotests/java-sec-code -o bomresults/bom-java-sec-code-10.json
shell: bash
- name: repotests greyhound
run: |
bin/cdxgen.js -p -r -t java11 repotests/greyhound -o bomresults/bom-greyhound-java.json
bin/cdxgen.js -p -r -t gradle repotests/greyhound -o bomresults/bom-greyhound-gradle.json
bin/cdxgen.js -p -r -t java11 --exclude-type bazel --exclude-type sbt repotests/greyhound -o bomresults/bom-greyhound-wobazel.json
shell: bash
env:
JAVA_HOME: ""
- name: repotests quarkus-quickstarts
run: |
bin/cdxgen.js -p -r -t quarkus repotests/quarkus-quickstarts -o bomresults/bom-quarkus-quickstarts-quarkus.json --no-recurse
bin/cdxgen.js -p -r -t quarkus repotests/quarkus-quickstarts -o bomresults/bom-quarkus-quickstarts-quarkus.json --no-recurse --spec-version 1.5
shell: bash
- name: repotests evidence
run: |
bin/cdxgen.js -p -t js --no-recurse -o bomresults/bom.json --evidence .
shell: bash
- name: repotests django-DefectDojo
run: |
bin/cdxgen.js -t python repotests/django-DefectDojo -o bomresults/django-DefectDojo-safe.json --feature-flags safe-pip-install
bin/cdxgen.js -t python repotests/django-DefectDojo -o bomresults/django-DefectDojo.json --deep --include-crypto --spec-version 1.6
shell: bash
- name: repotests blint
run: |
bin/cdxgen.js -t python repotests/blint -o bomresults/blint-req.json --required-only -p
bin/cdxgen.js -t python repotests/blint -o bomresults/blint-research.json --profile research -p
shell: bash
- name: repotests dbt-oracle
run: |
bin/cdxgen.js -t python repotests/dbt-oracle -o bomresults/dbt-oracle.json --deep --spec-version 1.6
shell: bash
- name: repotests impacket
run: |
bin/cdxgen.js -t python repotests/impacket -o bomresults/impacket.json
shell: bash
- name: repotests pixi
run: |
mkdir pixi-sample
cd pixi-sample
curl -LO https://raw.githubusercontent.com/prefix-dev/pixi/main/pixi.lock
curl -LO https://raw.githubusercontent.com/prefix-dev/pixi/main/pixi.toml
cd ..
bin/cdxgen.js -t python pixi-sample -o bomresults/bom-pixi.json -p
shell: bash
- name: repotests shiftleft-java-example
run: |
bin/cdxgen.js -p -r -t java repotests/shiftleft-java-example -o bomresults/bom-java.json --generate-key-and-sign
node bin/evinse.js -i bomresults/bom-java.json -o bomresults/bom-java.evinse.json -l java --with-data-flow -p repotests/shiftleft-java-example
SBOM_SIGN_ALGORITHM=RS512 SBOM_SIGN_PRIVATE_KEY=bomresults/private.key SBOM_SIGN_PUBLIC_KEY=bomresults/public.key bin/cdxgen.js -p -r -t github repotests/shiftleft-java-example -o bomresults/bom-github.json
shell: bash
- name: repotests shiftleft-ts-example
run: |
FETCH_LICENSE=false bin/cdxgen.js -p -t js repotests/shiftleft-ts-example -o bomresults/bom-ts-1.json --include-formulation
node bin/evinse.js -i bomresults/bom-ts-1.json -o bomresults/bom-ts.evinse.json -l javascript --with-data-flow -p repotests/shiftleft-ts-example
FETCH_LICENSE=true bin/cdxgen.js -p -t js repotests/shiftleft-ts-example --required-only -o bomresults/bom-ts-2.json --validate
FETCH_LICENSE=1 bin/cdxgen.js -p -r -t js repotests/shiftleft-ts-example -o bomresults/bom-ts-3.json --validate
shell: bash
- name: repotests meetingsdk-vuejs-sample
run: |
FETCH_LICENSE=false bin/cdxgen.js -p -t js repotests/meetingsdk-vuejs-sample -o bomresults/bom-vue.json
node bin/evinse.js -i bomresults/bom-vue.json -o bomresults/bom-vue.evinse.json -l javascript --with-data-flow -p repotests/meetingsdk-vuejs-sample
shell: bash
- name: repotests sveltejs-examples
run: |
CDXGEN_DEBUG_MODE=debug ASTGEN_IGNORE_DIRS="" FETCH_LICENSE=false bin/cdxgen.js -p -t js repotests/sveltejs-examples -o bomresults/bom-svelte.json
CDXGEN_DEBUG_MODE=debug ASTGEN_IGNORE_DIRS="" node bin/evinse.js -i bomresults/bom-svelte.json -o bomresults/bom-svelte.evinse.json -l javascript --with-data-flow -p repotests/sveltejs-examples
CDXGEN_DEBUG_MODE=debug ASTGEN_IGNORE_DIRS="" node bin/evinse.js -i bomresults/bom-svelte.json -o bomresults/bom-svelte.evinse.json -l javascript --with-reachables -p repotests/sveltejs-examples
shell: bash
- name: repotests shiftleft-go-example
run: |
FETCH_LICENSE=false bin/cdxgen.js -p -r -t go repotests/shiftleft-go-example -o bomresults/bom-go.json --validate --export-proto
shell: bash
- name: repotests go mod tests
run: |
mkdir -p gomod-example
cd gomod-example
curl -LO https://raw.githubusercontent.com/anchore/syft/main/go.mod
cd ..
bin/cdxgen.js -p -r -t go gomod-example -o bomresults/bom-gomod.json -p
shell: bash
- name: repotests vulnerable_net_core
run: |
FETCH_LICENSE=true bin/cdxgen.js -p -r -t csharp repotests/vulnerable_net_core -o bomresults/bom-csharp2.json --include-formulation
shell: bash
- name: repotests Goatly.NET
run: |
FETCH_LICENSE=false bin/cdxgen.js -p -r repotests/Goatly.NET -o bomresults/bom-csharp3.json --include-formulation
shell: bash
- name: repotests DjanGoat
run: |
FETCH_LICENSE=true bin/cdxgen.js -p -r -t python repotests/DjanGoat -o bomresults/bom-python.json --validate
shell: bash
- name: repotests Vulnerable-Web-Application
run: |
bin/cdxgen.js -p -t php repotests/Vulnerable-Web-Application -o bomresults/bom-php-1.json --validate
bin/cdxgen.js -p -t php --no-recurse repotests/Vulnerable-Web-Application -o bomresults/bom-php-2.json --validate --profile research -p
shell: bash
- name: repotests railsgoat
run: |
bin/cdxgen.js -p -r -t ruby repotests/railsgoat -o bomresults/bom-ruby.json --validate
shell: bash
- name: repotests bazel-examples
run: |
bin/cdxgen.js -p -r -t java17 repotests/bazel-examples/java-maven -o bomresults/bom-bazel.json --validate
shell: bash
- name: repotests gallery
run: |
bin/cdxgen.js -p -r -t dart repotests/gallery -o bomresults/bom-pub.json --validate
shell: bash
- name: repotests ziggurat
run: |
CDXGEN_DEBUG_MODE=debug bin/cdxgen.js -p -r -t clojure repotests/ziggurat -o bomresults/bom-clj.json --validate
shell: bash
- name: repotests swift-markdown
run: |
CDXGEN_DEBUG_MODE=debug bin/cdxgen.js -p -r -t swift repotests/swift-markdown -o bomresults/bom-swift.json
CDXGEN_DEBUG_MODE=debug bin/cdxgen.js -p -r -t swift repotests/swift-markdown -o bomresults/bom-swift.json --profile research
shell: bash
- name: repotests microservices-demo
if: matrix.os == 'windows-latest'
run: |
bin/cdxgen.js -p --no-recurse repotests/microservices-demo -o bomresults/bom-msd-1.json --validate
bin/cdxgen.js -p -r repotests/microservices-demo -o bomresults/bom-msd-2.json --validate
bin/cdxgen.js -p -r -t universal repotests/microservices-demo -o bomresults/bom-yaml.json
shell: bash
- name: repotests openpbs
run: |
bin/cdxgen.js -p -r -t c repotests/openpbs -o bomresults/bom-openpbs.json
bin/cdxgen.js -p -r -t c repotests/openpbs -o bomresults/bom-openpbs.json --min-confidence 0.4
bin/cdxgen.js -p -r -t c repotests/openpbs -o bomresults/bom-openpbs.json --technique manifest-analysis
shell: bash
- name: repotests Jackalope
run: |
bin/cdxgen.js -p -r -t c repotests/Jackalope -o bomresults/bom-Jackalope.json
shell: bash
- name: repotests ha-android
run: |
cd repotests/ha-android && ./gradlew assembleDebug || true && cd ../..
bin/cdxgen.js -r -t java repotests/ha-android -o bomresults/bom-android.json
CDXGEN_DEBUG_MODE=debug bin/evinse.js -i bomresults/bom-android.json -o bomresults/bom-android.evinse.json -l java repotests/ha-android
shell: bash
- name: repotests rust
run: |
bin/cdxgen.js -p -r -t rust repotests/rs-rust -o bomresults/bom-rs-rust.json --validate
bin/cdxgen.js -p -r -t rust repotests/rs-cargo -o bomresults/bom-rs-cargo.json --validate
cargo generate-lockfile --manifest-path repotests/rs-validator/validator/Cargo.toml
bin/cdxgen.js -p -r -t rust repotests/rs-validator -o bomresults/bom-rs-validator.json --validate
bin/cdxgen.js -p -r -t rust repotests/rs-axum -o bomresults/bom-rs-axum.json --validate
shell: bash
- name: repotests dotnet-paket
run: |
bin/cdxgen.js -p -r -t dotnet repotests/dotnet-paket -o bomresults/bom-dotnet-paket.json --deep
FETCH_LICENSE=true bin/cdxgen.js -p -r -t dotnet repotests/dotnet-paket -o bomresults/bom-dotnet-paket-2.json --validate
bin/cdxgen.js -p -r -t dotnet repotests/dotnet-podcasts -o bomresults/bom-dotnet-podcasts.json --profile research --export-proto
bin/cdxgen.js -p -r -t dotnet repotests/react-native-windows -o bomresults/bom-react-native-windows.json
shell: bash
- name: repotests SimpleFrameworkApp
run: |
bin/cdxgen.js -p -r -t dotnet-framework repotests/SimpleFrameworkApp -o bomresults/bom-dotnet-framework.json
bin/cdxgen.js -p -r -t dotnet-framework repotests/Reporting-Windows-Application -o bomresults/bom-dotnet-framework-reporting.json --deep
shell: bash
- name: repotests blint
run: |
bin/cdxgen.js -p -t python repotests/blint -o bomresults/bom-blint.json
bin/cdxgen.js -p -t python repotests/blint -o bomresults/bom-blint-deep.json --deep
bin/cdxgen.js -p -t java repotests/broken-mvn-wrapper -o bomresults/bom-broken-mvn-wrapper.json
shell: bash
- name: repotests expo
run: |
cd repotests/expo-test && npm ci && cd ../..
GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root bin/cdxgen.js -p -t gradle repotests/expo-test -o bomresults/bom-expo.json
GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root GRADLE_RESOLVE_FROM_NODE=true bin/cdxgen.js -p -t gradle repotests/expo-test -o bomresults/bom-expo-npm.json
shell: bash
- name: repotests elasticsearch
run: |
bin/cdxgen.js -t gradle repotests/elasticsearch -o bomresults/bom-elasticsearch.json
GRADLE_INCLUDED_BUILDS=:build-conventions,:build-tools,:build-tools-internal bin/cdxgen.js -t gradle repotests/elasticsearch -o bomresults/bom-elasticsearch-with-included-builds.json
custom-json-diff -i bomresults/bom-elasticsearch.json bomresults/bom-elasticsearch-with-included-builds.json -o bomresults/diff-elasticsearch preset-diff
shell: bash
- name: jenkins plugins
run: |
mkdir -p jenkins
curl -LO https://updates.jenkins.io/download/plugins/sonar/2.14/sonar.hpi
curl -LO https://updates.jenkins.io/download/plugins/bouncycastle-api/2.26/bouncycastle-api.hpi
curl -LO https://updates.jenkins.io/download/plugins/jsch/0.1.55.61.va_e9ee26616e7/jsch.hpi
curl -LO https://updates.jenkins.io/download/plugins/momentjs/1.1.1/momentjs.hpi
mv *.hpi jenkins
CDXGEN_DEBUG_MODE=debug bin/cdxgen.js -p -r -t jenkins jenkins -o bomresults/bom-jenkins.json --validate
shell: bash
- name: standalone jar files
run: |
mkdir -p standalone-jar-files
curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/org/jacoco/org.jacoco.report/0.8.8/org.jacoco.report-0.8.8.jar
curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/org/apache/ws/xmlschema/xmlschema-core/2.2.5/xmlschema-core-2.2.5.jar
curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-core/2.16.0/jackson-core-2.16.0.jar
curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/junit/junit/4.13.2/junit-4.13.2.jar
curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/wsdl4j/wsdl4j/1.6.3/wsdl4j-1.6.3.jar
curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/org/apache/maven/maven-core/3.9.2/maven-core-3.9.2.jar
curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/displaytag/displaytag/1.2/displaytag-1.2.jar
curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/org/apache/poi/poi/3.17/poi-3.17.jar
curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/org/jacoco/org.jacoco.agent/0.8.8/org.jacoco.agent-0.8.8.jar
curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/javax/jws/javax.jws-api/1.1/javax.jws-api-1.1.jar
curl --output-dir standalone-jar-files -LO https://repo1.maven.org/maven2/org/jrobin/jrobin/1.5.9/jrobin-1.5.9.jar
FETCH_LICENSE=true bin/cdxgen.js -p standalone-jar-files -o bomresults/bom-standalone-jar-files.json --validate
shell: bash
- name: post-build lifecycle tests
run: |
pip install blint
mkdir -p bintests
cd bintests
curl -LO https://github.com/owasp-dep-scan/dosai/releases/download/v0.1.1/Dosai.exe
curl -LO https://github.com/owasp-dep-scan/dosai/releases/download/v0.1.1/Dosai
curl -LO https://github.com/owasp-dep-scan/dosai/releases/download/v0.1.1/Dosai-osx-arm64
cd ..
bin/cdxgen.js -p -t dotnet --lifecycle post-build -o bomresults/bom-binary.json bintests
mkdir -p gobintests
cd gobintests
curl -LO https://github.com/anchore/syft/releases/download/v1.0.1/syft_1.0.1_linux_arm64.tar.gz
tar -xvf syft_1.0.1_linux_arm64.tar.gz
rm syft_1.0.1_linux_arm64.tar.gz
curl -LO https://github.com/containerd/containerd/releases/download/v2.0.0-rc.0/containerd-static-2.0.0-rc.0-linux-amd64.tar.gz
tar -xvf containerd-static-2.0.0-rc.0-linux-amd64.tar.gz
rm containerd-static-2.0.0-rc.0-linux-amd64.tar.gz
cd ..
bin/cdxgen.js -p -t go --lifecycle post-build -o bomresults/bom-go-binary.json gobintests
shell: bash
- name: repotests 1.6
run: |
bin/cdxgen.js -p -r -t java repotests/shiftleft-java-example -o bomresults/1.6-bom-java.json --generate-key-and-sign --spec-version 1.6
SBOM_SIGN_ALGORITHM=RS512 SBOM_SIGN_PRIVATE_KEY=bomresults/private.key SBOM_SIGN_PUBLIC_KEY=bomresults/public.key bin/cdxgen.js -p -r -t github repotests/shiftleft-java-example -o bomresults/1.6-bom-github.json --spec-version 1.6
FETCH_LICENSE=0 bin/cdxgen.js -p -r -t js repotests/shiftleft-ts-example -o bomresults/1.6-bom-ts-1.json --validate --spec-version 1.6
FETCH_LICENSE=1 bin/cdxgen.js -p -r -t js repotests/shiftleft-ts-example --required-only -o bomresults/1.6-bom-ts-2.json --validate --spec-version 1.6
FETCH_LICENSE=false bin/cdxgen.js -p -r -t go repotests/shiftleft-go-example -o bomresults/1.6-bom-go.json --validate --spec-version 1.6
FETCH_LICENSE=true bin/cdxgen.js -p -r -t csharp repotests/vulnerable_net_core -o bomresults/1.6-bom-csharp2.json --validate --spec-version 1.6
FETCH_LICENSE=false bin/cdxgen.js -p -r repotests/Goatly.NET -o bomresults/1.6-bom-csharp3.json --validate --spec-version 1.6
FETCH_LICENSE=true bin/cdxgen.js -p -r -t python repotests/DjanGoat -o bomresults/1.6-bom-python.json --validate --spec-version 1.6
bin/cdxgen.js -p -r -t php repotests/Vulnerable-Web-Application -o bomresults/1.6-bom-php.json --validate --spec-version 1.6
shell: bash
- name: repotests 1.4
run: |
bin/cdxgen.js -p -r -t java repotests/shiftleft-java-example -o bomresults/1.4-bom-java.json --generate-key-and-sign --spec-version 1.4
SBOM_SIGN_ALGORITHM=RS512 SBOM_SIGN_PRIVATE_KEY=bomresults/private.key SBOM_SIGN_PUBLIC_KEY=bomresults/public.key bin/cdxgen.js -p -r -t github repotests/shiftleft-java-example -o bomresults/1.4-bom-github.json --spec-version 1.4
FETCH_LICENSE=0 bin/cdxgen.js -p -r -t js repotests/shiftleft-ts-example -o bomresults/1.4-bom-ts-1.json --validate --spec-version 1.4
FETCH_LICENSE=1 bin/cdxgen.js -p -r -t js repotests/shiftleft-ts-example --required-only -o bomresults/1.4-bom-ts-2.json --validate --spec-version 1.4
FETCH_LICENSE=false bin/cdxgen.js -p -r -t go repotests/shiftleft-go-example -o bomresults/1.4-bom-go.json --validate --spec-version 1.4
FETCH_LICENSE=true bin/cdxgen.js -p -r -t csharp repotests/vulnerable_net_core -o bomresults/1.4-bom-csharp2.json --validate --spec-version 1.4
FETCH_LICENSE=false bin/cdxgen.js -p -r repotests/Goatly.NET -o bomresults/1.4-bom-csharp3.json --validate --spec-version 1.4
FETCH_LICENSE=true bin/cdxgen.js -p -r -t python repotests/DjanGoat -o bomresults/1.4-bom-python.json --validate --spec-version 1.4
bin/cdxgen.js -p -r -t php repotests/Vulnerable-Web-Application -o bomresults/1.4-bom-php.json --validate --spec-version 1.4
shell: bash
- name: list repotest bomresults
run: |
ls -ltr bomresults
shell: bash
- name: denotests
run: |
deno info bin/cdxgen.js
deno info bin/evinse.js
deno run --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid,homedir --allow-write --allow-net bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-deno.json --deep
deno run --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid,homedir --allow-write --allow-net bin/cdxgen.js -p -t python repotests/django-DefectDojo -o bomresults/django-DefectDojo-deno.json --deep
env:
FETCH_LICENSE: true
shell: bash
- name: buntests
run: |
rm -rf node_modules
bun install
bun --bun bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-bun.json --deep
bun --bun bin/cdxgen.js -p -t python repotests/django-DefectDojo -o bomresults/django-DefectDojo-bun.json
continue-on-error: true
shell: bash
- uses: actions/upload-artifact@v4
if: github.ref == 'refs/heads/master' && matrix.os == 'ubuntu-latest'
with:
name: bomresults
path: bomresults