| 1 | +# Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved. |
| 2 | + |
| 3 | +# This OCI DevOps build specification file [1] generates a Software Bill of Materials (SBOM) of the repository. |
| 4 | +# It is required for third-party vulnerability checks and business approval under Oracle’s GitHub policies. |
| 5 | +# [1] https://docs.oracle.com/en-us/iaas/Content/devops/using/build_specs.htm |
| 6 | + |
| 7 | +version: 0.1 |
| 8 | +component: build |
| 9 | +timeoutInSeconds: 1000 |
| 10 | +shell: bash |
| 11 | + |
| 12 | +steps: |
| 13 | + - type: Command |
| 14 | + name: "Install Node.js 22 and matching npm" |
| 15 | + command: | |
| 16 | + curl -fsSL https://rpm.nodesource.com/setup_22.x | bash - |
| 17 | + yum install -y nodejs |
| 18 | + node -v |
| 19 | + npm -v |
| 20 | +
|
| 21 | + - type: Command |
| 22 | + name: "Install node-cli & unit-testing packages" |
| 23 | + command: | |
| 24 | + rm -f package-lock.json |
| 25 | + npm install --ignore-scripts |
| 26 | +
|
| 27 | + - type: Command |
| 28 | + name: "Install CycloneDX as dependency" |
| 29 | + command: | |
| 30 | + npm install --ignore-scripts |
| 31 | + npm install --save-dev @cyclonedx/[email protected] --ignore-scripts |
| 32 | +
|
| 33 | +
|
| 34 | + - type: Command |
| 35 | + name: "Run CycloneDX for node-cli & unit-testing packages" |
| 36 | + command: | |
| 37 | + npx @cyclonedx/cyclonedx-npm \ |
| 38 | + --omit dev \ |
| 39 | + --output-format JSON \ |
| 40 | + --output-file artifactSBOM_node-cli_unit-testing.json \ |
| 41 | + --spec-version 1.4 |
| 42 | +
|
| 43 | + - type: Command |
| 44 | + name: "Install vscode extension package" |
| 45 | + command: | |
| 46 | + cd packages/vscode-extension |
| 47 | + rm -f package-lock.json |
| 48 | + npm install --ignore-scripts |
| 49 | +
|
| 50 | + - type: Command |
| 51 | + name: "Run CycloneDX for vscode-extension package" |
| 52 | + command: | |
| 53 | + cd packages/vscode-extension |
| 54 | + npx @cyclonedx/cyclonedx-npm \ |
| 55 | + --omit dev \ |
| 56 | + --output-format JSON \ |
| 57 | + --output-file artifactSBOM_vscode-extension.json \ |
| 58 | + --spec-version 1.4 |
| 59 | +
|
| 60 | + - type: Command |
| 61 | + name: "Download CycloneDX Linux CLI and install dependencies" |
| 62 | + command: | |
| 63 | + wget -O cyclonedx-linux-x64 https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.24.2/cyclonedx-linux-x64 |
| 64 | + chmod +x cyclonedx-linux-x64 |
| 65 | + yum install -y libicu |
| 66 | +
|
| 67 | + - type: Command |
| 68 | + name: "Merge multiple SBOMs using CycloneDX-linux-cli" |
| 69 | + command: | |
| 70 | + # For more details, visit https://github.com/CycloneDX/cyclonedx-cli/blob/main/README.md |
| 71 | + chmod +x cyclonedx-linux-x64 |
| 72 | + ./cyclonedx-linux-x64 merge --input-files artifactSBOM_node-cli_unit-testing.json packages/vscode-extension/artifactSBOM_vscode-extension.json --output-file artifactSBOM.json |
| 73 | +outputArtifacts: |
| 74 | + - name: artifactSBOM |
| 75 | + type: BINARY |
| 76 | + location: ${OCI_PRIMARY_SOURCE_DIR}/artifactSBOM.json |
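Review bot: File lines 24–25 and 47–48 delete `package-lock.json` and then run `npm install`, so each SBOM describes a freshly resolved dependency tree rather than the one the repository pins and ships, which undercuts the vulnerability-check purpose stated in the header comment; `npm ci --ignore-scripts` (which requires and honours the lockfile) should replace both lines in each of those steps. The downloads at file lines 16 and 63 are also consumed without integrity verification: the nodesource setup script is piped straight into a root shell, and the version-pinned cyclonedx-cli binary is executed without a checksum comparison, so one line such as `echo "<expected-sha256-placeholder>  cyclonedx-linux-x64" | sha256sum -c -` after the wget, and a similarly pinned and checksummed Node.js install, would make the build tamper-evident. File line 54 runs `npx @cyclonedx/cyclonedx-npm` from `packages/vscode-extension`, where the root-level devDependency added at file line 31 is not necessarily resolvable, so npx may fetch an unpinned latest release for that package; pass the same pinned version there (for example `npx --package @cyclonedx/cyclonedx-npm@<pinned-version> cyclonedx-npm …`) so both SBOMs come from one known generator version. As a nit, file line 31 mutates the repository's `package.json` by adding a devDependency as a side effect of the build, which nothing in `outputArtifacts` needs.

```yaml
  - type: Command
    name: "Install node-cli & unit-testing packages"
    command: |
      npm ci --ignore-scripts
# … unchanged: CycloneDX install and node-cli SBOM steps …
  - type: Command
    name: "Install vscode extension package"
    command: |
      cd packages/vscode-extension
      npm ci --ignore-scripts
# … unchanged: vscode-extension SBOM step …
      wget -O cyclonedx-linux-x64 https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.24.2/cyclonedx-linux-x64
      echo "<expected-sha256-placeholder>  cyclonedx-linux-x64" | sha256sum -c -
      chmod +x cyclonedx-linux-x64
# … unchanged: libicu install, merge step, outputArtifacts …
```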