2025-04-24 (Thu), 7:15 AM - Jens Grassel - f6b621fd537810a06872b169941d6a579337a661

chore: Add tooling to enable workflow using dependency track.

- add parameter to build.sbt to generate XML BOM output
- add `bom_project_id_mapping.sh` to `.ignore` to avoid leaking sensitive data
- add `upload_boms.sh`

If `bom_project_id_mapping.sh` exists and is properly set up then the BOM files
are generated and uploaded to a dependency track instance by executing the
`upload_boms.sh` script.
Summary of changes
1 files added
  • upload_boms.sh
2 files modified with 2 lines added and 0 lines removed
  • .ignore with 1 added and 0 removed lines
  • build.sbt with 1 added and 0 removed lines
diff -rN -u old-smederee/build.sbt new-smederee/build.sbt
--- old-smederee/build.sbt	2025-05-10 04:31:46.933317067 +0000
+++ new-smederee/build.sbt	2025-05-10 04:31:46.933317067 +0000
@@ -35,6 +35,7 @@
             // "-Xfatal-warnings", // FIXME: Make this work despite of Twirl!
             "-Ykind-projector"
         ),
+        bomFormat := "xml",
         coverageExcludedPackages := "<empty>;.*\\.views\\.html.*;.*\\.views\\.txt.*;.*\\.views\\.xml.*;",
         resolvers += "jitpack" at "https://jitpack.io", // for JANSI fork
         Compile / console / scalacOptions --= Seq("-Xfatal-warnings"),
diff -rN -u old-smederee/.ignore new-smederee/.ignore
--- old-smederee/.ignore	2025-05-10 04:31:46.933317067 +0000
+++ new-smederee/.ignore	2025-05-10 04:31:46.933317067 +0000
@@ -25,3 +25,4 @@
 tags
 # Project speficic files for local development
 modules/.*/src/main/resources/application.conf
+bom_project_id_mapping.sh
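Review bot: Listing `bom_project_id_mapping.sh` in `.ignore` does not keep the file out of the repository: `.ignore` is honoured by search tools such as ripgrep, while darcs decides what it records via `_darcs/prefs/boring`, and as far as I can tell from the patch no boring entry is added. A stray `darcs add` or `darcs record -a` can therefore still capture the mapping file together with the project ids and any other secret it holds, which is exactly what the commit message says this line is meant to prevent. Add the same pattern to the boring file (or whatever ignore mechanism the hosting VCS uses) and keep the `.ignore` entry as well so local searches skip it.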
diff -rN -u old-smederee/upload_boms.sh new-smederee/upload_boms.sh
--- old-smederee/upload_boms.sh	1970-01-01 00:00:00.000000000 +0000
+++ new-smederee/upload_boms.sh	2025-05-10 04:31:46.933317067 +0000
@@ -0,0 +1,54 @@
+#!/usr/bin/env zsh
+#
+# REQUIRES: script `bom_project_id_mapping.sh`
+#   - defining the function `get_project_id`
+#   - defining the variable `DEPTRACK_URL`
+# EXAMPLE `bom_project_id_mapping.sh`:
+# ```
+# DEPTRACK_URL="https://deptrack.example.com/api/v1/bom"
+# function get_project_id() {
+#   readonly port=${1:?"The project name must be specified!"}
+#   case $1 in
+#     DARCS)
+#       PROJECT_ID="..."
+#       ;;
+#     *)
+#       echo "Unknown project name!"
+#       exit 1
+#       ;;
+#   esac
+# }
+# ```
+
+set -e
+set -u
+set -o pipefail
+#set -x
+
+# Define project mapping to dependency-track.
+PROJECT_ID=""
+source ./bom_project_id_mapping.sh
+
+# Generate SBOM files via sbt-bom.
+sbt makeBom
+
+# Find BOM.XML files and process them.
+for BOM in $(find modules -name "*.bom.xml"); do
+  # Get module directory name.
+  MOD=$(echo $BOM | cut -d"/" -f2)
+  # Transform to uppercase and replace "-" with "_".
+  PROJECT="$MOD:u:gs/-/_/"
+  if [ ! -z "$PROJECT" ]; then
+    get_project_id $PROJECT
+    if [ ! -z "$PROJECT_ID" ]; then
+      echo "Uploading BOM from $PROJECT."
+      curl --silent -X "POST" "$DEPTRACK_URL" \
+        -H 'Content-Type: multipart/form-data' \
+        -H 'X-Api-Key: deptrack_U1VHEwCQ88ZpJNWdMxdxHthZWAha2Pnd' \
+        -F "project=$PROJECT_ID" \
+        -F "bom=@$BOM" > /dev/null
+    fi
+  else
+    echo "No project mapping for: $MOD ($PROJECT)!"
+  fi
+done
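Review bot: The Dependency-Track API key is hard-coded in the `X-Api-Key` header of the curl call near the end of the loop, so the secret this patch tries to keep out of the repository via `bom_project_id_mapping.sh` is committed in plaintext anyway. Define it next to `DEPTRACK_URL` in the mapping file (e.g. `DEPTRACK_API_KEY`), add it to the REQUIRES list in the header comment, and pass it from the variable: `-H "X-Api-Key: $DEPTRACK_API_KEY" \`. The key that is already part of this patch should be treated as exposed and replaced on the server side. Separately, `curl --silent` without `--fail` returns 0 on an HTTP 4xx/5xx, so a rejected upload (revoked key, wrong project id) passes unnoticed under `set -e`; `curl --silent --show-error --fail -X "POST" "$DEPTRACK_URL" \` surfaces it.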