
Generate SBOM on release #4479

Closed
wants to merge 1 commit into from

Conversation

martinkuba
Contributor

Which problem is this PR solving?

This adds a Github workflow that generates an SBOM file using the Github dependency graph. SBOMs are useful for users to detect vulnerabilities in packages including their dependencies.

An example SBOM file generated by this workflow is available here.

@martinkuba martinkuba requested a review from a team February 13, 2024 21:05

codecov bot commented Feb 13, 2024

Codecov Report

Merging #4479 (49624af) into main (44b0b29) will decrease coverage by 0.14%.
Report is 4 commits behind head on main.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #4479      +/-   ##
==========================================
- Coverage   92.55%   92.41%   -0.14%     
==========================================
  Files         315      330      +15     
  Lines        9375     9520     +145     
  Branches     2013     2031      +18     
==========================================
+ Hits         8677     8798     +121     
- Misses        698      722      +24     

see 17 files with indirect coverage changes

Member

@pichlermarc pichlermarc left a comment


Looks good, thanks 🙂

Notes from the SIG Meeting (Feb 21, 2023):

As discussed in the SIG meeting, once the npm sbom issue is sorted out, it'd be great to use it instead. For now this is better than not having it 👍

We talked about how npm sbom does not work for this repo due to it being a monorepo, @martinkuba would you mind adding the link to the issue you opened on NPM for future reference? 🙁

@trentm
Contributor

trentm commented Feb 22, 2024

FWIW, I think I was able to get it working with npm sbom ....
See https://gist.github.com/trentm/b2e7c51bede8075827559468e6bb6bfa

npm sbom --sbom-format=spdx --omit=dev --workspaces --sbom-type=library > otel-js-sbom.spdx

I am very ignorant about SBOMs however, so I don't know if this is a valid result.

@pichlermarc
Member

FWIW, I think I was able to get it working with npm sbom .... See https://gist.github.com/trentm/b2e7c51bede8075827559468e6bb6bfa

npm sbom --sbom-format=spdx --omit=dev --workspaces --sbom-type=library > otel-js-sbom.spdx

I am very ignorant about SBOMs however, so I don't know if this is a valid result.

Ah, interesting. IIRC Martin mentioned that this approach was missing some dependencies. @martinkuba would you mind taking a look if the output has the same issues that you saw when you tested it?

@martinkuba
Contributor Author

The ideal output, IMO, would be the following:

  • multiple SBOM files, one for each package (combined in a single zip file)
  • no dev dependencies included

This would allow users to only look at SBOM files of packages that they actually use. And since dev dependencies are not installed, there would be no false positives for vulnerabilities or licenses of packages that don't actually get installed.

I have tested npm sbom, the Github API, and Syft. Only npm sbom has options to exclude dev dependencies and generate SBOM with workspaces. Unfortunately, when validating the output, I have found that there were some packages and relationships missing in the npm sbom output.

Here is the issue that I created for NPM CLI: npm/cli#7204

For example, the output of this command is missing the dependency of @opentelemetry/core on @opentelemetry/semantic-conventions (in the relationships section):
npm sbom --sbom-format spdx --omit dev --workspace packages/opentelemetry-core > sbom.json

With that said, I have done some more testing since then and found that the output is fine without the --omit dev. All packages and relationships are there. The downside is that all dev dependencies are included. But they are included in the Github output as well. I am now inclined to change this PR to use npm sbom after all since:

  1. npm includes relationships while Github does not
  2. npm captures licenses while Github does not
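A check for the gap Martin describes, written as an added example (not code from this PR or the opentelemetry-js project): it cross-checks an SPDX JSON document of the shape `npm sbom --sbom-format spdx` emits against the workspace package.json dependency lists and reports declared dependencies that have no DEPENDS_ON relationship. The package names are the ones named above; the SPDX IDs, versions and manifest contents are constructed sample data.

```javascript
// Added example: validate an SPDX JSON SBOM against package.json dependency lists.
// Node.js, no dependencies. All SPDX IDs, versions and manifests below are constructed.

// Constructed manifests: package name -> names listed under "dependencies".
const manifests = {
  "@opentelemetry/core": ["@opentelemetry/api", "@opentelemetry/semantic-conventions"],
  "@opentelemetry/semantic-conventions": [],
};

// Constructed SPDX document reproducing the gap described in the thread:
// the core -> semantic-conventions edge is absent from `relationships`.
const spdx = {
  SPDXID: "SPDXRef-DOCUMENT",
  packages: [
    { SPDXID: "SPDXRef-Package-core", name: "@opentelemetry/core", versionInfo: "1.0.0" },
    { SPDXID: "SPDXRef-Package-semconv", name: "@opentelemetry/semantic-conventions", versionInfo: "1.0.0" },
    { SPDXID: "SPDXRef-Package-api", name: "@opentelemetry/api", versionInfo: "1.0.0" },
  ],
  relationships: [
    { spdxElementId: "SPDXRef-DOCUMENT", relatedSpdxElement: "SPDXRef-Package-core", relationshipType: "DESCRIBES" },
    { spdxElementId: "SPDXRef-Package-core", relatedSpdxElement: "SPDXRef-Package-api", relationshipType: "DEPENDS_ON" },
  ],
};

// Returns findings { kind: "missing-package" | "missing-relationship", from, to }.
// A dependency counts as recorded only if it appears in `packages` AND there is a
// DEPENDS_ON edge from the dependent package's SPDXID to the dependency's SPDXID.
function findGaps(doc, manifestsByName) {
  const idByName = new Map((doc.packages || []).map((p) => [p.name, p.SPDXID]));
  const edges = new Set(
    (doc.relationships || [])
      .filter((r) => r.relationshipType === "DEPENDS_ON")
      .map((r) => `${r.spdxElementId}->${r.relatedSpdxElement}`)
  );
  const findings = [];
  for (const [pkg, deps] of Object.entries(manifestsByName)) {
    if (!idByName.has(pkg)) {
      findings.push({ kind: "missing-package", from: pkg, to: pkg });
      continue;
    }
    for (const dep of deps) {
      if (!idByName.has(dep)) {
        findings.push({ kind: "missing-package", from: pkg, to: dep });
      } else if (!edges.has(`${idByName.get(pkg)}->${idByName.get(dep)}`)) {
        findings.push({ kind: "missing-relationship", from: pkg, to: dep });
      }
    }
  }
  return findings;
}

console.log(findGaps(spdx, manifests));
```

To run it against a real SBOM, replace `spdx` with `JSON.parse(fs.readFileSync("sbom.json"))` and build `manifests` from each workspace's package.json.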

@pichlermarc
Member

With that said, I have done some more testing since then and found that the output is fine without the --omit dev. All packages and relationships are there. The downside is that all dev dependencies are included. But they are included in the Github output as well. I am now inclined to change this PR to use npm sbom after all since:

1. npm includes relationships while Github does not

2. npm captures licenses while Github does not

Switching over to use npm sbom without --omit dev sounds like a good way forward 👍
Another upside: this way we won't have to use a third-party action to generate it. 🙂

@martinkuba
Contributor Author

I am closing this PR and will open another one that uses npm sbom.
