SBOM: software bill of materials.
Relevant: Supply Chain Security
Anchore SBOMs
Trying to set up Anchore SBOMs for Java packages.
This Maven plugin should generate an sbom.json file.
<plugin>
  <groupId>org.cyclonedx</groupId>
  <artifactId>cyclonedx-maven-plugin</artifactId>
  <version>2.5.3</version>
  <executions>
    <execution>
      <phase>package</phase>
      <goals>
        <!-- makeAggregateBom: one BOM covering every module of the build -->
        <goal>makeAggregateBom</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <projectType>library</projectType>
    <schemaVersion>1.3</schemaVersion>
    <includeBomSerialNumber>true</includeBomSerialNumber>
    <includeCompileScope>true</includeCompileScope>
    <includeProvidedScope>true</includeProvidedScope>
    <includeRuntimeScope>true</includeRuntimeScope>
    <includeSystemScope>true</includeSystemScope>
    <includeTestScope>false</includeTestScope>
    <includeLicenseText>false</includeLicenseText>
    <!-- "all" writes both JSON and XML; outputName is the basename, so "sbom" yields target/sbom.json (the default "bom" would give bom.json) -->
    <outputFormat>all</outputFormat>
    <outputName>sbom</outputName>
  </configuration>
</plugin>
From there, we should be able to upload that SBOM via:
anchorectl source import --sbomFile=./sbom.json --repoHost github.corp.ebay.com --repoName jabrahms/giodemo --revision a20beae7641cd7fd816d17e79c771c4c35e820f8 --branch master --changeAuthor jabrahms@ebay.com -vvv
We’ll need to provide a password.
Need to add an application: anchorectl application add jabrahms/giodemo
app id: 46f46ac5-2186-489b-87de-d20dcd20afc7
add version: anchorectl application version add 85351710-d773-4e7b-b555-085b75a46dd7 1.0
versionid: f49922b4-2726-4116-bd18-2e23a0c07338
link version to source: anchorectl application version artifact add 85351710-d773-4e7b-b555-085b75a46dd7 bcca58e3-4755-4de5-9d30-ec1f79e1eb5a source --uuid 8374af37-9c42-498a-9c3b-359f4c268396
association id: f439993d-cd58-4c98-a0dd-8220c3705937
—
While we wait for anchorectl to work, here are the same steps as raw HTTP calls (using HTTPie's http command):
http POST 'http://anchore-anchore-engine-api.anchore-dev.svc.140.tess.io:8228/v1/enterprise/imports/sources' x-anchore-account:Frameworks -a 'Justin:PASSWORD' --proxy http:${http_proxy}
{
    "created_at": "2022-04-14T20:09:20Z",
    "expires_at": "2022-04-15T20:09:20Z",
    "last_updated": "2022-04-14T20:09:20Z",
    "status": "pending",
    "uuid": "9538077f-5fe2-4a79-af72-ce36c6f5d930"
}
http POST 'http://anchore-anchore-engine-api.anchore-dev.svc.140.tess.io:8228/v1/enterprise/imports/sources/9538077f-5fe2-4a79-af72-ce36c6f5d930/sbom' Content-Type:application/json @./sbom.json x-anchore-account:Frameworks -a 'Justin:PASSWORD' --proxy http:${http_proxy}
{
    "created_at": "2022-04-14T20:12:12Z",
    "digest": "5c8e446d2f336b39eb449c162ae93404b9f003ca35da5adc09d68fc598361eec"
}
echo '{"branch_name": "master", "change_author": "jabrahms@ebay.com", "contents": {"sbom":"5c8e446d2f336b39eb449c162ae93404b9f003ca35da5adc09d68fc598361eec"}, "host": "https://github.corp.ebay.com", "repository_name": "jabrahms/giodemo", "revision": "a20beae7641cd7fd816d17e79c771c4c35e820f8"}' | http -v POST 'http://anchore-anchore-engine-api.anchore-dev.svc.140.tess.io:8228/v1/enterprise/imports/sources/9538077f-5fe2-4a79-af72-ce36c6f5d930/finalize' Content-Type:application/json x-anchore-account:Frameworks -a 'Justin:PASSWORD' --proxy http:${http_proxy}
{
    "account_id": "Frameworks",
    "analysis_status": "not_analyzed",
    "created_at": "2022-04-14T20:19:42Z",
    "host": "https://github.corp.ebay.com",
    "last_updated": "2022-04-14T20:19:42Z",
    "metadata_records": [
        {
            "branch_name": "master",
            "change_author": "jabrahms@ebay.com",
            "ci_workflow_execution_time": null,
            "ci_workflow_name": null,
            "uuid": "8f64c23b-af46-4ed0-a92d-f093639ed57e"
        }
    ],
    "repository_name": "jabrahms/giodemo",
    "revision": "a20beae7641cd7fd816d17e79c771c4c35e820f8",
    "source_status": "active",
    "uuid": "7da0883a-38d8-4e29-8994-2b32feadf02b",
    "vcs_type": "git"
}
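Added example, not from this page or from Anchore: the three calls above (open import, upload SBOM, finalize) as a standard-library Python script that also checks the build output is a CycloneDX document and that the digest the server reports for the upload equals the SHA-256 of the bytes we sent, before the import is finalized. Endpoint, account and credentials are placeholders, and it is an assumption that the server's digest is the SHA-256 of the uploaded bytes.

```python
import hashlib
import json
import urllib.request
from base64 import b64encode
# Assumed values: placeholders, not the page's real endpoint, account or credentials.
BASE = "http://ANCHORE_API_HOST:8228/v1/enterprise/imports/sources"
ACCOUNT = "ACCOUNT_NAME"
BASIC_AUTH = b64encode(b"USER:PASSWORD").decode()
# Constructed minimal CycloneDX document so the helpers can be exercised offline.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.3",
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000",
    "components": [{"type": "library", "name": "a"}, {"type": "library", "name": "b"}],
}).encode()

def cyclonedx_summary(sbom_bytes):
    """Return (specVersion, has serialNumber, component count); reject non-CycloneDX input."""
    doc = json.loads(sbom_bytes)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    return doc.get("specVersion"), "serialNumber" in doc, len(doc.get("components", []))

def sbom_digest(sbom_bytes):
    """SHA-256 of the exact bytes uploaded; assumed to be what the server reports as 'digest'."""
    return hashlib.sha256(sbom_bytes).hexdigest()

def finalize_payload(digest, host, repo, revision, branch, author):
    """Body for /finalize, keyed the same way as the echo | http call above."""
    return {"branch_name": branch, "change_author": author, "contents": {"sbom": digest},
            "host": host, "repository_name": repo, "revision": revision}

def _post(url, body=None):
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("x-anchore-account", ACCOUNT)
    req.add_header("Authorization", "Basic " + BASIC_AUTH)  # same as HTTPie's -a user:pass
    if body is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def import_sbom(sbom_bytes, host, repo, revision, branch, author):
    cyclonedx_summary(sbom_bytes)                              # 0. sanity-check the build output
    op = _post(BASE)                                           # 1. open an import operation
    uploaded = _post(f"{BASE}/{op['uuid']}/sbom", sbom_bytes)  # 2. upload the SBOM
    expected = sbom_digest(sbom_bytes)
    if uploaded.get("digest") != expected:                     # 3. server must hold what we sent
        raise RuntimeError(f"digest mismatch: {uploaded.get('digest')} != {expected}")
    body = json.dumps(finalize_payload(expected, host, repo, revision, branch, author)).encode()
    return _post(f"{BASE}/{op['uuid']}/finalize", body)        # 4. bind it to repo/revision
```

Call import_sbom(open("target/sbom.json", "rb").read(), host, repo, revision, branch, author) after mvn package; the returned record is the same shape as the finalize response above.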