From 18cf4dfa0f19259549c8385a88b6f7c611381328 Mon Sep 17 00:00:00 2001
From: Thomas Burkhalter
Date: Thu, 22 Dec 2022 15:00:04 +0100
Subject: [PATCH] replace cyclonedx-cli with ruby gem
---
 .github/workflows/reusable-build.yaml | 3 ++
 Dockerfile | 56 +++++++++++++++++----------
 2 files changed, 39 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/reusable-build.yaml b/.github/workflows/reusable-build.yaml
index 99d85d6..981ecce 100644
--- a/.github/workflows/reusable-build.yaml
+++ b/.github/workflows/reusable-build.yaml
@@ -42,5 +42,8 @@ jobs:
 push: true
 tags: ${{ env.DECIDIM_IMAGE_REPO }}:latest
 build-args: |
+ GITHUB_SHA=$GITHUB_SHA
+ GITHUB_REPOSITORY=$GITHUB_REPOSITORY
+ GITHUB_REF_NAME=$GITHUB_REF_NAME
 PUZZLE_DEP_TRACK_URL=${{ secrets.PUZZLE_DEP_TRACK_URL }}
 PUZZLE_DEP_TRACK_TOKEN=${{ secrets.PUZZLE_DEP_TRACK_TOKEN }}
diff --git a/Dockerfile b/Dockerfile
index 0de2df4..179e37f 100644
--- a/Dockerfile
+++ b/Dockerfile
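Review bot: The three added build-args pass `$GITHUB_SHA`, `$GITHUB_REPOSITORY` and `$GITHUB_REF_NAME` as plain text; as far as I can tell docker/build-push-action hands `build-args` to buildx without going through a shell, so the Dockerfile would receive the literal string `$GITHUB_SHA` rather than the commit id. The two lines already in this stanza use workflow expressions, so the same form is the safe choice: `GITHUB_SHA=${{ github.sha }}`, `GITHUB_REPOSITORY=${{ github.repository }}`, `GITHUB_REF_NAME=${{ github.ref_name }}`. Separately, build-args are recorded in the image's layer metadata (visible via `docker history`), which is harmless for a SHA but means the existing `PUZZLE_DEP_TRACK_TOKEN` build-arg persists the API key in every published image; a BuildKit secret (the action's `secrets:` input plus `RUN --mount=type=secret` in the Dockerfile) would keep it out of the image.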
@@ -141,29 +141,45 @@ RUN rm -rf vendor/cache/ .git spec/ node_modules/
 # Send SBOM to Dependency Tracker
 RUN bash -vxc "\
 if [[ -n \"${PUZZLE_DEP_TRACK_TOKEN}\" ]]; then \
- curl \
- -L \
- -o /tmp/cyclonedx-cli \
- 'https://github.com/CycloneDX/cyclonedx-cli/releases/download/v${CYCLONEDX_CLI_VERSION}/cyclonedx-linux-x64' \
- && chmod a+x /tmp/cyclonedx-cli \
- && /tmp/cyclonedx-cli \
- add files \
- --no-input \
- --base-path /app-src \
- --output-file /app-src/sbom.json \
- --output-format json \
+ gem install cyclonedx-ruby \
+ && cyclonedx-ruby -v -p /app-src/ -o /app-src/sbom.xml \
 && curl \
- -X 'POST' \
- -i \
- -H 'Content-Type: multipart/form-data' \
- -H 'X-Api-Key: ${PUZZLE_DEP_TRACK_TOKEN}' \
- -F 'autoCreate=true' \
- -F 'projectName=${BUILD_REPO}' \
- -F 'projectVersion=${BUILD_COMMIT}' \
- -F 'bom=@/app-src/sbom.json' \
- '${PUZZLE_DEP_TRACK_URL}'; \
+ -X 'POST' \
+ -i \
+ -H 'Content-Type: multipart/form-data' \
+ -H 'X-Api-Key: ${PUZZLE_DEP_TRACK_TOKEN}' \
+ -F 'autoCreate=true' \
+ -F 'projectName=${BUILD_REPO}' \
+ -F 'projectVersion=${BUILD_COMMIT}' \
+ -F 'bom=@/app-src/sbom.xml' \
+ '${PUZZLE_DEP_TRACK_URL}'; \
 fi"
+# RUN bash -vxc "\
+# if [[ -n \"${PUZZLE_DEP_TRACK_TOKEN}\" ]]; then \
+# curl \
+# -L \
+# -o /tmp/cyclonedx-cli \
+# 'https://github.com/CycloneDX/cyclonedx-cli/releases/download/v${CYCLONEDX_CLI_VERSION}/cyclonedx-linux-x64' \
+# && chmod a+x /tmp/cyclonedx-cli \
+# && /tmp/cyclonedx-cli \
+# add files \
+# --no-input \
+# --base-path /app-src \
+# --output-file /app-src/sbom.json \
+# --output-format json \
+# && curl \
+# -X 'POST' \
+# -i \
+# -H 'Content-Type: multipart/form-data' \
+# -H 'X-Api-Key: ${PUZZLE_DEP_TRACK_TOKEN}' \
+# -F 'autoCreate=true' \
+# -F 'projectName=${BUILD_REPO}' \
+# -F 'projectVersion=${BUILD_COMMIT}' \
+# -F 'bom=@/app-src/sbom.json' \
+# '${PUZZLE_DEP_TRACK_URL}'; \
+# fi"
+
 ##################################################################
 # Run Stage
 #
##################################################################
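Review bot: `gem install cyclonedx-ruby` in the new branch fetches whatever version RubyGems serves at build time, with no version pin or checksum, whereas the download it replaces was pinned through `CYCLONEDX_CLI_VERSION`; the SBOM generator is now an unpinned, non-reproducible build dependency, so pin it, e.g. `gem install cyclonedx-ruby --version <pinned> --no-document \`, ideally with the version held in an `ARG` like the old one. The upload still sends `projectName=${BUILD_REPO}` and `projectVersion=${BUILD_COMMIT}` while the workflow change in this same commit passes `GITHUB_REPOSITORY`/`GITHUB_SHA`; unless an `ARG` earlier in the Dockerfile (not visible in this hunk) maps those names, Dependency-Track will receive empty project fields. The retained `bash -vxc` also echoes the expanded `X-Api-Key` header into the build log, and `curl` without `--fail` lets a rejected upload pass silently — both pre-existing, but worth fixing while this block is being rewritten. Finally, the 24-line commented-out copy of the old block should simply be deleted; git history already preserves it.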