Skip to content

[CRAVEX] SCA Integrations: SBOM tool #1826

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 18 commits into from
Aug 27, 2025
Merged

[CRAVEX] SCA Integrations: SBOM tool #1826

merged 18 commits into from
Aug 27, 2025

Conversation

tdruez
Copy link
Contributor

@tdruez tdruez commented Aug 26, 2025
edited
Loading

This PR adds support for importing SBOMs generated with SBOM tool.

https://github.com/microsoft/sbom-tool?tab=readme-ov-file#run-the-tool
https://github.com/microsoft/sbom-tool/blob/main/docs/sbom-tool-arguments.md

Notes:

SBOM tool generates SBOM under the SPDX 2.2 format. To ensure full compatibility with SPDX: "Resolve and load dependencies from SPDX SBOMs" was introduced in PR: #1827

Changes:

  • Add a unit test to ensure the SBOM tool SBOM support
  • Add a GitHub workflow that runs every week to ensure the SBOM tool SBOM support (see below for details)

Workflow

Available at .github/workflows/sca-integration-sbom-tool.yml

Documentation:

# This workflow:
#  1. Generates a CycloneDX SBOM for a container image using SBOM tool.
#  2. Uploads the SBOM as a GitHub artifact for future inspection.
#  3. Loads the SBOM into ScanCode.io for further analysis.
#  4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
#
# It runs on demand, and once a week (scheduled).

tdruez added 18 commits August 26, 2025 13:22
@tdruez
Test the SBOM tool workflow
3f36da1
@tdruez
DEBUG the SBOM tool workflow
e75a116
@tdruez
DEBUG the SBOM tool workflow
53a56be
@tdruez
DEBUG the SBOM tool workflow
91f2207
@tdruez
DEBUG the SBOM tool workflow
996666e
@tdruez
DEBUG the SBOM tool workflow
7d41101
@tdruez
DEBUG the SBOM tool workflow
10bc182
@tdruez
DEBUG the SBOM tool workflow
8e417f0
@tdruez
DEBUG the SBOM tool workflow
4c998c2
@tdruez
DEBUG the SBOM tool workflow
817aebe
@tdruez
Add unit test for the SCA SBOM tool support
1c1658a
@tdruez
Merge branch 'main' into 1732-sca-integration-sbom-tool
855d352
@tdruez
Update test expectations following SPDX dependencies support #1145
aff66bb
@tdruez
Update test expectations following SPDX dependencies support
66fbda4
@tdruez
Merge remote-tracking branch 'origin/1732-sca-integration-sbom-tool' …
a6a574a 
…into 1732-sca-integration-sbom-tool
@tdruez
DEBUG workflow
b4eaf97
@tdruez
Use latest scancodeio main branch in workflow
93045bc
@tdruez
Run the workflow once a week
6a8e669
@tdruez tdruez changed the title SBOM tool workflow [CRAVEX] SCA Integrations: SBOM tool Aug 27, 2025
@tdruez tdruez merged commit b571c17 into main Aug 27, 2025
14 checks passed
@tdruez tdruez deleted the 1732-sca-integration-sbom-tool branch August 27, 2025 12:49
@tdruez tdruez mentioned this pull request Aug 27, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@tdruez