Problem integrating sbom-action with Grype #157
Comments
|
Hi @patrickdung, great information, thank you!
We should update sbom-action to use the latest Syft. (I don't think it makes a difference with regard to the other issues mentioned here, but we should keep the integration up-to-date nonetheless.)
The core team is working on expanding this functionality right now, as it turns out. Currently, Grype can ingest the Syft JSON format. But we're working on adding support for SPDX anchore/grype#395 (in progress) and CycloneDX anchore/grype#481.
Great! 🙌
@kzantow When you get a chance, can you weigh in re: this part of the issue? What could be happening here that prevents the SBOM from being included as a release asset? |
|
@luhring Thanks for reply. More findings/comments:
Here's the workflow/artifact for this item |
|
FYI, here's a PR to bump Syft -- I'm happy to merge and release when tests pass: #158 |
|
Hi @patrickdung, thanks for using this action! Regarding:
It looks like the latest release is from 27 days ago: https://github.com/patrickdung/MeiliSearch-crossbuild/releases/tag/v0.24.0 the SBOM would only be uploaded to a release generated during the workflow run (or the SBOM would quite likely be incorrect). It should even upload SBOMs as release artifacts if they are generated by a different workflow for the same branch the release is run on - for example, if you have a build that generates an SBOM when you push to |
|
@kzantow , about the action 'anchore/sbom-action/publish-sbom'. I see. I was testing the sbom-action with a pre-existing release. Thanks. |
|
Hi @patrickdung! As noted: the inability for Grype to read SPDX is in progress. I had a look at your workflow file and have a few comments in regards to the
- uses: anchore/sbom-action@v0
with:
image: registry.gitlab.com/patrickdung/docker-images/meilisearch:${{ env.REMOTE_BRANCH_NAME }}-dev
output-file: container-sbom-${{ matrix.arch }}.spdx.json
- uses: svenstaro/upload-release-action@v2
with:
repo_token: ${{ secrets.PUBLISH_TOKEN }}
file: container-sbom-${{ matrix.arch }}.spdx.json
tag: ${{ env.REMOTE_BRANCH_NAME }}
prerelease: true
overwrite: true
|
|
@kzantow Thanks for the info. I am already making use of the matrix.arch variables for the reports, the new workflow is updated. ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT was used because I tried the sbom-action at the beginning. The codes are already referencing it and don't want to change the codes. I need it as output variable for Syft and as input variable for cosign and Grype. Finally, it's Meilisearch using Rust (not my project) and I want to improve the supply chain security. |
|
@patrickdung we've implemented SPDX and CycloneDX input in Grype, I'd like to understand exactly what would make this workflow work well for you! The current thinking is:
Is this more-or-less what you're looking for? |
|
I have tested with sbom-action and (publish) just now, it should be fine for publishing the SPDX json file to the application release in GitHub. For the second part, scan the spdx-json file with So my remaining question is: Thanks. |
|
@patrickdung I'm in the process of getting the |
|
@kzantow, Good to hear about it. |
|
@patrickdung Just following up here: we just added There's a simplistic example in the |
|
@kzantow Is it 'artifact-name'? |
|
@patrickdung no, it's |
|
@kzantow |
Hello, I am configuring the sbom-action with Grype.
According to the readme, supported export format is spdx, spdx-json, cyclondx and the default format is spdx-json.
Got some problems:
The related workflow file for this step is here
Thanks.
The text was updated successfully, but these errors were encountered: