From 1501f5095e2cabd719460c2014a2af2fbc902372 Mon Sep 17 00:00:00 2001
From: Nicholas Felt
Date: Wed, 28 Feb 2024 09:07:58 -0800
Subject: [PATCH 1/6] ci: Add a workflow that can perform an SBOM generation and scan.
---
.github/workflows/sbom-scan.yml | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 .github/workflows/sbom-scan.yml
diff --git a/.github/workflows/sbom-scan.yml b/.github/workflows/sbom-scan.yml
new file mode 100644
index 00000000..c770038a
--- /dev/null
+++ b/.github/workflows/sbom-scan.yml
@@ -0,0 +1,32 @@
+---
+name: Create & Scan SBOM
+on:
+ push:
+ branches: [main]
+ tags: ['*']
+ pull_request:
+ branches: [main]
+ release:
+ types: [published]
+jobs:
+ create-and-scan-sbom:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Create SBOM
+ uses: anchore/sbom-action@v0
+ with:
+ format: spdx-json
+ output-file: ${{ github.event.repository.name }}-sbom.spdx.json
+ - name: Scan SBOM
+ uses: anchore/scan-action@v3
+ id: scan
+ with:
+ sbom: ${{ github.event.repository.name }}-sbom.spdx.json
+ fail-build: true
+ severity-cutoff: low
+ - name: Upload SBOM scan SARIF report
+ if: github.event_name != "pull_request"
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{ steps.scan.outputs.sarif }}
From d1aa4bbf9c61aaffd0e7d7bf5227a74657eaab77 Mon Sep 17 00:00:00 2001
From: Nicholas Felt
Date: Wed, 28 Feb 2024 09:09:17 -0800
Subject: [PATCH 2/6] ci: Update conditional check in SARIF upload step.
---
.github/workflows/sbom-scan.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sbom-scan.yml b/.github/workflows/sbom-scan.yml
index c770038a..10cb8f15 100644
--- a/.github/workflows/sbom-scan.yml
+++ b/.github/workflows/sbom-scan.yml
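Review bot: The Upload SBOM scan SARIF report step never runs in the case it exists for: `fail-build: true` makes the Scan SBOM step fail whenever findings are present, and a step `if:` that uses no status-check function has `success()` implied, so the SARIF is only uploaded on clean scans; change the condition to `if: ${{ always() && github.event_name != 'pull_request' }}` (the same step keeps the plain condition in patches 2/6 and 5/6, so this applies there too). The job declares no `permissions:`, so whether upload-sarif can write code-scanning results depends on the repository's default GITHUB_TOKEN scope; a job-level `permissions:` with `contents: read` and `security-events: write` makes the least-privilege grant explicit. Every `uses:` is a mutable major tag (`@v4`, `@v0`, `@v3`, `@v2`), which for a supply-chain assurance workflow is the weakest pin available; referencing full commit SHAs with the version in a trailing comment is the usual hardening. Note also that `severity-cutoff: low` with `fail-build: true` gates merges on every low-severity finding, fixable or not; if that proves noisy, anchore/scan-action's `only-fixed: true` limits failures to findings with an available fix.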
@@ -26,7 +26,7 @@ jobs: fail-build: true severity-cutoff: low - name: Upload SBOM scan SARIF report - if: github.event_name != "pull_request" + if: ${{ github.event_name != 'pull_request' }} uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{ steps.scan.outputs.sarif }}
From 4e5d39d4112af6e5637c14718b32071d6dae284f Mon Sep 17 00:00:00 2001
From: Nicholas Felt
Date: Wed, 28 Feb 2024 09:37:52 -0800
Subject: [PATCH 3/6] ci: Create a lockfile so that syft can read the dependencies.
---
.github/workflows/sbom-scan.yml | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/sbom-scan.yml b/.github/workflows/sbom-scan.yml
index 10cb8f15..4992757c 100644
--- a/.github/workflows/sbom-scan.yml
+++ b/.github/workflows/sbom-scan.yml
@@ -3,7 +3,6 @@ name: Create & Scan SBOM on: push: branches: [main] - tags: ['*'] pull_request: branches: [main] release:
@@ -13,6 +12,11 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + - name: Create lockfile + run: | + pip install poetry + poetry lock - name: Create SBOM uses: anchore/sbom-action@v0 with:
@@ -27,6 +31,6 @@ jobs: severity-cutoff: low - name: Upload SBOM scan SARIF report if: ${{ github.event_name != 'pull_request' }} - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.scan.outputs.sarif }}
From cfc368e31862482dddf71656853f8e503fb4f269 Mon Sep 17 00:00:00 2001
From: Nicholas Felt
Date: Wed, 28 Feb 2024 09:42:18 -0800
Subject: [PATCH 4/6] ci: Output the scan into a table.
---
.github/workflows/sbom-scan.yml | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/sbom-scan.yml b/.github/workflows/sbom-scan.yml
index 4992757c..30c618cd 100644
--- a/.github/workflows/sbom-scan.yml
+++ b/.github/workflows/sbom-scan.yml
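Review bot: The Create lockfile step in the `@@ -13,6 +12,11 @@` hunk runs an unpinned `pip install poetry` and then `poetry lock`, so the dependency set syft inventories is whatever resolves at scan time under whatever Poetry release is current — the SBOM is not reproducible and two runs of the same commit can legitimately differ. The commit message suggests no `poetry.lock` is committed; committing one and scanning it is the stronger fix, and otherwise at least pin the tool with `pip install 'poetry==<PINNED_VERSION>'` and add a step comment such as `# lock is generated here only so syft has a resolvable manifest; it is not the shipped state`. The step also runs `pip` before `setup-python` is given a `python-version`, so the interpreter (and hence the resolution) follows the runner image default; patch 4/6 adds a version for this.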
@@ -13,6 +13,8 @@ jobs: steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 + with: + python-version: x # any version - name: Create lockfile run: | pip install poetry
@@ -29,8 +31,9 @@ jobs: sbom: ${{ github.event.repository.name }}-sbom.spdx.json fail-build: true severity-cutoff: low
- - name: Upload SBOM scan SARIF report
- if: ${{ github.event_name != 'pull_request' }}
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: ${{ steps.scan.outputs.sarif }}
+ output-format: table
+# - name: Upload SBOM scan SARIF report
+# if: ${{ github.event_name != 'pull_request' }}
+# uses: github/codeql-action/upload-sarif@v3
+# with:
+# sarif_file: ${{ steps.scan.outputs.sarif }}
From d838262006a517ae4e2d99418769523c3516bb22 Mon Sep 17 00:00:00 2001
From: Nicholas Felt
Date: Wed, 28 Feb 2024 09:48:43 -0800
Subject: [PATCH 5/6] ci: Re-enable the SARIF upload.
---
.github/workflows/sbom-scan.yml | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/sbom-scan.yml b/.github/workflows/sbom-scan.yml
index 30c618cd..3f09f38f 100644
--- a/.github/workflows/sbom-scan.yml
+++ b/.github/workflows/sbom-scan.yml
@@ -31,9 +31,8 @@ jobs: sbom: ${{ github.event.repository.name }}-sbom.spdx.json fail-build: true severity-cutoff: low
- output-format: table
-# - name: Upload SBOM scan SARIF report
-# if: ${{ github.event_name != 'pull_request' }}
-# uses: github/codeql-action/upload-sarif@v3
-# with:
-# sarif_file: ${{ steps.scan.outputs.sarif }}
+ - name: Upload SBOM scan SARIF report
+ if: ${{ github.event_name != 'pull_request' }}
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.scan.outputs.sarif }}
From 08ff826d9b1e58481458bcc39924a72afc474753 Mon Sep 17 00:00:00 2001
From: Nicholas Felt
Date: Thu, 28 Mar 2024 08:14:55 -0700
Subject: [PATCH 6/6] docs: Update readme admonition to make it display better in GitHub.
---
README.rst | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
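Review bot: `python-version: x` in the `@@ -13,6 +13,8 @@` hunk relies on a bare `x` being accepted as a version spec, which I cannot confirm from the setup-python documentation I know; the documented wildcard form is major-qualified, and `python-version: '3.x'  # latest CPython 3` would both be unambiguous and pin the major line that the following `poetry lock` resolves against. Quoting it also keeps it a string if someone later narrows it to a value like `3.10`, which YAML would otherwise read as the float 3.1. The commented-out upload block in the second hunk is an intermediate state restored in patch 5/6, so it needs no action here.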
diff --git a/README.rst b/README.rst
index ca12158f..450e2be2 100644
--- a/README.rst
+++ b/README.rst
@@ -164,13 +164,13 @@ Supported Devices & Software Solutions .. admonition:: Legend :class: hint - =========== ================ + =========== ================== Symbol/Term Definition - =========== ================ - 🚧 Work in progress - ✅ Implemented - ❌ Not Supported - =========== ================ + =========== ================== + 🚧 Work in progress + ✅ Implemented + ❌ Not Supported + =========== ================== See the :doc:`glossary` for information on abbreviations.