Use FOSSA for SBOM generation (#287)

Syft does not generate a full SBOM report with all transitive dependencies. FOSSA does, so we now use a custom script to generate the SBOM from a FOSSA report and upload to Azure when we release.

Author: sjberman

.github/scripts/generate-sbom.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+ID=custom%2B5618%2Fgithub.com%2Fnginxinc%2Fnginx-service-mesh
+
+get_revision() {
+    curl -s "https://app.fossa.com/api/revisions?projectId=${ID}" -H "Authorization: Bearer ${FOSSA_TOKEN}" | jq -ec ".[] | select(.locator | contains(\"${COMMIT_SHA}\"))"
+}
+
+echo -n "waiting for revision ${COMMIT_SHA} to exist..."
+until get_revision > /dev/null; do
+    sleep 10
+done
+echo "done"
+
+REV_ID="${ID}%24${COMMIT_SHA}"
+
+get_attributions() {
+    curl -s "https://app.fossa.com/api/revisions/${REV_ID}/attribution/full/SPDX_JSON" -H "Authorization: Bearer ${FOSSA_TOKEN}"
+}
+
+echo -n "waiting for attributions to be populated..."
+while 
+OUTPUT=$(get_attributions)
+LEN=$(jq '.packages | length' <<< "$OUTPUT")
+[[ $LEN -le 1 ]]
+do
+  sleep 10
+done
+echo "done"
+
+echo $OUTPUT | jq > nsm.sbom.json
+echo "SBOM report generated"

.github/workflows/ci.yml

@@ -4,10 +4,6 @@ on:
   push:
   pull_request:
 
-defaults:
-  run:
-    shell: bash
-
 env:
   HELM_CHART_DIR: helm-chart
   GIT_NAME: NGINX Kubernetes Team
@@ -35,7 +31,7 @@ jobs:
           version: v1.52
           args: --timeout 10m
       - name: Lint Helm
-        run: helm lint ${{ env.HELM_CHART_DIR }} 
+        run: helm lint ${{ env.HELM_CHART_DIR }}
 
   unit-tests:
     name: Unit Tests
@@ -68,10 +64,6 @@ jobs:
           go-version-file: go.mod
           cache: true
 
-      - name: Download Syft
-        uses: anchore/sbom-action/download-syft@422cb34a0f8b599678c41b21163ea6088edb2624 # v0.14.1
-        if: startsWith(github.ref, 'refs/tags/')
-
       - name: Build binary
         uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
         with:

.github/workflows/docs.yml

@@ -4,14 +4,13 @@ on:
   push:
   pull_request:
 
-defaults:
-  run:
-    shell: bash
-
 concurrency:
   group: ${{ github.ref_name }}-docs
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   markdown-lint:
     name: Markdown Lint

.github/workflows/fossa.yml

@@ -5,6 +5,8 @@ on:
     branches:
       - main
       - release-*
+    tags:
+      - '*'
     paths-ignore:
       - docs/**
       - examples/**
@@ -21,6 +23,7 @@ jobs:
   scan:
     name: Fossa
     runs-on: ubuntu-22.04
+    timeout-minutes: 30
     if: ${{ github.event.repository.fork == false }}
     steps:
       - name: Checkout Repository
@@ -29,3 +32,19 @@ jobs:
         uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
         with:
           api-key: ${{ secrets.FOSSA_TOKEN }}
+      - name: Generate SBOM
+        if: startsWith(github.ref, 'refs/tags/')
+        env:
+          COMMIT_SHA: ${{ github.sha }}
+          FOSSA_TOKEN: ${{ secrets.FOSSA_TOKEN }}
+        run: .github/scripts/generate-sbom.sh
+      - name: Upload SBOM
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: azure/CLI@fa0f960f00db49b95fdb54328a767aee31e80105 # v1.0.7
+        env:
+          AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
+          AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
+        with:
+          inlineScript: |
+            az storage blob upload -c ${{ secrets.AZURE_SBOM_BUCKET_NAME }} -f nsm.sbom.json \
+              -n product/nginx-service-mesh/${{ github.ref_name }}/nginx-service-mesh-${{ github.ref_name }}.sbom.json

.github/workflows/mend.yml

@@ -5,6 +5,8 @@ on:
     branches:
       - main
       - release-*
+    tags:
+      - '*'
     paths-ignore:
       - docs/**
       - examples/**

.goreleaser.yml

@@ -21,9 +21,6 @@ changelog:
 checksum:
   name_template: checksums.txt
 
-sboms:
-  - artifacts: archive
-
 release:
   ids: [nginx-meshctl]
   header: |
@@ -34,13 +31,11 @@ release:
 archives:
   - id: nginx-meshctl
     builds: [nginx-meshctl]
-    name_template: nginx-meshctl_{{ .Version }}_{{ .Os }}_{{ .Arch }}
+    name_template: nginx-meshctl_{{.Version}}_{{.Os}}_{{.Arch}}
     format_overrides:
       - goos: windows
         format: zip
 
 blobs:
   - provider: azblob
     bucket: '{{.Env.AZURE_BUCKET_NAME}}'
-    extra_files:
-      - glob: ./dist/**.sbom