
Commit

feat: integrate dependency track
martinakraus committed Dec 18, 2024

Verified

This commit was signed with the committer’s verified signature.
martinakraus Martina Kraus
1 parent 72a1c4e commit 855670f
Showing 3 changed files with 95 additions and 6 deletions.
52 changes: 52 additions & 0 deletions .github/workflows/generate-merge-boms.yml
@@ -0,0 +1,52 @@
name: Generate and Merge BOMs

on:
schedule:
- cron: "0 0 * * *" # Run every day at midnight
workflow_dispatch:

concurrency:
group: ${{ github.workflow}}-${{ github.ref }}
cancel-in-progress: true

jobs:
create-boms:
runs-on: ubuntu-latest
defaults:
run:
working-directory: dhis-2/

steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: 17
distribution: temurin
cache: maven

- name: Install CycloneDX CLI
run: |
curl -s https://api.github.com/repos/CycloneDX/cyclonedx-cli/releases/latest | grep "browser_download_url.*linux.x64" | cut -d '"' -f 4 | wget -i -
sudo mv cyclonedx-linux-x64 /usr/local/bin/
sudo chmod +x /usr/local/bin/cyclonedx-linux-x64
- name: Generate BOMs
run: mvn cyclonedx:makeBom

- name: Merge BOMs
run: cyclonedx-linux-x64 merge --input-files $(find . -name 'dxbom.json') --input-format json --output-file target/merged-bom.json --output-format json

- name: Upload SBOM to DependencyTrack
env:
DEPENDENCY_TRACK_API: "https://dt.security.dhis2.org/api/v1/bom"
run: |
curl -X POST "$DEPENDENCY_TRACK_API" \
--fail-with-body \
-H "Content-Type: multipart/form-data" \
-H "X-Api-Key: ${{ secrets.DEPENDENCYTRACK_APIKEY }}" \
-F "project=56383704-d5a2-4a35-ad6a-081f80f5d6d3" \
-F "bom=@target/merged-bom.json"
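Review bot: The "Install CycloneDX CLI" step fetches whatever the latest cyclonedx-cli release happens to be at run time and installs it into /usr/local/bin without verifying a checksum or signature, so a changed or compromised release asset would run on a runner that has the repository checked out and the DependencyTrack API key in scope; pin a release tag in the download URL and check the binary against a known digest before the `sudo mv`. Two smaller points in the same hunk: `ref: ${{ github.event.pull_request.head.sha }}` is always empty here because the workflow only triggers on `schedule` and `workflow_dispatch`, so checkout silently falls back to the default branch and the `ref:` line should be dropped or set to what is actually intended; and passing the key via `env:` (`DEPENDENCYTRACK_APIKEY: ${{ secrets.DEPENDENCYTRACK_APIKEY }}`) and referencing `$DEPENDENCYTRACK_APIKEY` in the `-H "X-Api-Key: ..."` header keeps the secret out of the generated shell script, the same pattern already used for `DEPENDENCY_TRACK_API`.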
27 changes: 21 additions & 6 deletions dhis-2/dhis-web-server/package-lock.json

Some generated files are not rendered by default.

22 changes: 22 additions & 0 deletions dhis-2/pom.xml
@@ -1882,6 +1882,28 @@
<artifactId>sonar-maven-plugin</artifactId>
<version>5.0.0.4389</version>
</plugin>
<plugin>
<groupId>org.cyclonedx</groupId>
<artifactId>cyclonedx-maven-plugin</artifactId>
<configuration>
<projectType>library</projectType>
<schemaVersion>1.6</schemaVersion>
<includeBomSerialNumber>true</includeBomSerialNumber>
<includeCompileScope>true</includeCompileScope>
<includeProvidedScope>true</includeProvidedScope>
<includeRuntimeScope>true</includeRuntimeScope>
<includeSystemScope>true</includeSystemScope>
<includeTestScope>false</includeTestScope>
<includeLicenseText>false</includeLicenseText>
<outputReactorProjects>true</outputReactorProjects>
<outputFormat>all</outputFormat>
<outputName>dxbom</outputName>
<outputDirectory>${project.build.directory}</outputDirectory>
<!-- usually target, if not redefined in pom.xml -->
<verbose>false</verbose>
<!-- = ${cyclonedx.verbose} -->
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
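Review bot: The new `cyclonedx-maven-plugin` declaration carries no `<version>` element, so unless one is set in `<pluginManagement>` Maven resolves the latest available version at build time (with a warning), which makes the nightly BOM non-reproducible and means `<schemaVersion>1.6</schemaVersion>` only works if the resolved version happens to support that schema; add an explicit `<version>` after `<artifactId>cyclonedx-maven-plugin</artifactId>`. Also, `<outputFormat>all</outputFormat>` writes both `dxbom.json` and `dxbom.xml` in every reactor module while the workflow only merges the JSON files (`find . -name 'dxbom.json'`), so `json` would be enough here, and the two trailing `<!-- ... -->` comments only restate the defaults and could be dropped.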

0 comments on commit 855670f
