Generate SBOMs without .git contents (#654)

.azure-devops/prbuild/mlz-pr-sbom-pipelines.yml

@@ -14,53 +14,60 @@ pool:
   vmImage: ubuntu-latest
 
 jobs:
-- job: sbomManifestGenerator
-  steps: 
+- job: generateSbom
+  displayName: 'Generate SBOM'
+  steps:
   - checkout: self
     persistCredentials: true
 
-  - task: CopyFiles@2
-    displayName: 'Copy Source directory to Target directory'
-    inputs:
-      sourceFolder: '$(Build.SourcesDirectory)'
-      Contents: |
-        **/*
-        !.git/**/*
-      targetFolder: '$(Build.ArtifactStagingDirectory)'
+  - bash: |
+      cd $(Build.SourcesDirectory)
+      rm -rf _manifest
+    displayName: 'Remove previous _manifest contents'
 
-  - task: Bash@3
-    displayName: 'Remove old Manifest files'
-    inputs:
-      targetType: 'inline'
-      script: |
-        cd $(Build.SourcesDirectory)
-        rm -rf _manifest
+  - bash: |
+      cd $(Build.SourcesDirectory)
+      cp -r .git $(Build.ArtifactStagingDirectory)
+      rm -rf .git
+    displayName: 'Temporarily move .git so it is not a part of the SBOM'
 
   - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
     displayName: 'Generate SBOM'
     inputs:
-      BuildComponentPath: '$(Build.ArtifactStagingDirectory)'
+      BuildComponentPath: '$(Build.SourcesDirectory)'
       BuildDropPath: '$(Build.SourcesDirectory)'
       PackageName: 'Mission LZ'
-      PackageVersion: '$(Build.BuildNumber)'      
-
-
-  - task: Bash@3
-    inputs:
-      targetType: 'inline'
-      script: |
-            git config --global user.email "$BUILD_REQUESTEDFOREMAIL"
-            git config --global user.name "$BUILD_REQUESTEDFOR"
-            git checkout -t origin $(Build.SourceBranch)
-            git add '_manifest/*'
-            git status
-            git commit -m "Update Software Bill of Materials (SBOM)"
-            git push --set-upstream origin HEAD:$(Build.SourceBranch)
-      workingDirectory: $(Build.SourcesDirectory)
+      PackageVersion: '$(Build.BuildNumber)'
+      Verbosity: Verbose
+
+  - bash: |
+      cd $(Build.SourcesDirectory)
+      cat _manifest/manifest.json | jq . > temp.json \
+        && mv temp.json _manifest/manifest.json \
+        && rm -f temp.json
+      cat _manifest/spdx_2.2/manifest.spdx.json | jq . > temp.json \
+        && mv temp.json _manifest/spdx_2.2/manifest.spdx.json \
+        && rm -f temp.json
+    displayName: 'Pretty Print SBOM'
+
+  - bash: |
+      cd $(Build.ArtifactStagingDirectory)
+      cp -r .git $(Build.SourcesDirectory)
+      rm -rf .git
+    displayName: 'Restore .git so we can commit back to the source branch'
+
+  - bash: |
+      git config --global user.email "$BUILD_REQUESTEDFOREMAIL"
+      git config --global user.name "$BUILD_REQUESTEDFOR"
+      git checkout -t origin $(Build.SourceBranch)
+      git add '_manifest/*'
+      git status
+      git commit -m "Update Software Bill of Materials (SBOM)"
+      git push --set-upstream origin HEAD:$(Build.SourceBranch)
     displayName: 'Commit SBOM changes back to source branch'
-   
+
   - task: PublishBuildArtifacts@1
-    displayName: 'Publish SBOM to Build Artifact'
+    displayName: 'Publish SBOM as Build Artifact'
     inputs:
       PathtoPublish: '$(Build.SourcesDirectory)/_manifest'
       ArtifactName: 'drop'

README.md

@@ -61,12 +61,12 @@ You must have [Owner RBAC permissions](https://docs.microsoft.com/en-us/azure/ro
     cd missionlz
     ```
 
-1. Deploy Mission Landing Zone with the [`az deployment sub create`](https://docs.microsoft.com/en-us/cli/azure/deployment/sub?view=azure-cli-latest#az_deployment_sub_create) command. For a quickstart test deployment into the current AZ CLI subscription we suggest setting these parameters:
+1. Deploy Mission Landing Zone with the [`az deployment sub create`](https://docs.microsoft.com/en-us/cli/azure/deployment/sub?view=azure-cli-latest#az_deployment_sub_create) command. For a quickstart, we suggest a test deployment into the current AZ CLI subscription setting these parameters:
 
     - `--name`: (optional) The deployment name, which is visible in the Azure Portal under Subscription/Deployments.
     - `--location`: (required) The Azure region to store the deployment metadata.
     - `--template-file`: (required) The file path to the `mlz.bicep` template.
-    - `--parameters resourcePrefix=<value>`: (required) The `resourcePrefix` Bicep parameter is used to generate names for your resources. It is the only required parameter in the Bicep file. You can set it to any alphanumeric value that is between 3-10 characters. You can omit this parameter and the `az deployment sub create` command will prompt you to enter a value.
+    - `--parameters resourcePrefix=<value>`: (required) The `resourcePrefix` Bicep parameter is used to generate names for your resources. It is the only required parameter in the Bicep file. You can set it to any alphanumeric value (without whitespace) that is between 3-10 characters. You can omit this parameter and the `az deployment sub create` command will prompt you to enter a value.
 
     Here's an example: