
Add SBOM generator

Open sydseter opened this issue 8 months ago • 7 comments

This will probably be required at some point.

We may need to generate three of them, not sure, seeing that we have the card converter, the website, and the game engine.

sydseter avatar May 09 '25 12:05 sydseter

We can use https://github.com/CycloneDX/cdxgen-action to generate all the SBOMs I think.

  • Game engine (copi) == Elixir ✅
  • Website == Node ✅
  • Card converter == Python ✅

rewtd avatar Oct 10 '25 14:10 rewtd

We need to make sure we release it as well: https://github.com/OWASP/cornucopia/actions/runs/18412255568/job/52467450543

sydseter avatar Oct 10 '25 19:10 sydseter

It’s only creating an SBOM for the card converter, so we need to look at that as well.

bom.xml reports.zip

sydseter avatar Oct 10 '25 19:10 sydseter

Instead of the upload-artifact step we can try this:


- name: Add file to existing release
  uses: softprops/action-gh-release@v2
  if: startsWith(github.ref, 'refs/tags/')
  with:
    files: reports

Then trigger the dependency report generation when a release tag is pushed.


on:
  push:
    tags:
      - "v*"
      - pre-release

sydseter avatar Oct 10 '25 20:10 sydseter
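A complete release workflow along the lines sketched in the two snippets above, as an added example (not the project's own workflow): one cdxgen-action run per component, with the resulting BOMs attached to the tag's release. The component directories (copi, website, scripts) are assumptions about the repo layout, and the `path` and `output` inputs are cdxgen-action's documented inputs.

```yaml
# Added example (not the project's workflow): build one CycloneDX SBOM per
# component when a release tag is pushed and attach them to that release.
name: Release SBOMs

on:
  push:
    tags:
      - "v*"
      - pre-release

permissions:
  contents: write   # needed to upload assets to the GitHub release

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Component paths below are assumptions; cdxgen detects the ecosystem
      # (mix.exs, package.json, requirements.txt) from the manifest in `path`.
      - name: SBOM for the game engine (Elixir)
        uses: CycloneDX/cdxgen-action@v1
        with:
          path: copi
          output: bom-copi.xml

      - name: SBOM for the website (Node)
        uses: CycloneDX/cdxgen-action@v1
        with:
          path: website
          output: bom-website.xml

      - name: SBOM for the card converter (Python)
        uses: CycloneDX/cdxgen-action@v1
        with:
          path: scripts
          output: bom-card-converter.xml

      # Publish all three BOMs on the release created for this tag so
      # downstream users can review the dependency inventory.
      - name: Attach SBOMs to the release
        uses: softprops/action-gh-release@v2
        if: startsWith(github.ref, 'refs/tags/')
        with:
          files: bom-*.xml
```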

Generating a report for each pull request, besides for testing, might not give that much value when I think about it.

sydseter avatar Oct 10 '25 20:10 sydseter

You're suggesting that we move it to the release workflow?

rewtd avatar Oct 13 '25 11:10 rewtd

Yes, my line of thought is that the value here is for others to have a full overview of our dependencies, not necessarily for us to have one.

sydseter avatar Oct 14 '25 06:10 sydseter