From 31ba3be518b4b164cd7d69915ab7adb142f68a83 Mon Sep 17 00:00:00 2001
From: tdruez
Date: Fri, 12 Sep 2025 15:49:59 +0400
Subject: [PATCH 01/11] Add support for SPDX as YAML in load_sbom pipeline
Signed-off-by: tdruez
---
 CHANGELOG.rst | 2 ++
 scanpipe/pipes/resolve.py | 11 +++++--
 scanpipe/pipes/spdx.py | 15 +++++++--
 .../data/manifests/curl-7.70.0-v2.2.spdx.yml | 32 +++++++++++++++++++
 .../tests/data/manifests/curl-7.70.0.yaml | 32 +++++++++++++++++++
 scanpipe/tests/pipes/test_resolve.py | 12 +++++++
 6 files changed, 98 insertions(+), 6 deletions(-)
 create mode 100644 scanpipe/tests/data/manifests/curl-7.70.0-v2.2.spdx.yml
 create mode 100644 scanpipe/tests/data/manifests/curl-7.70.0.yaml
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index ff1f149a49..11e3af9610 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -38,6 +38,8 @@ v35.4.0 (unreleased)
 - Add ORT ``package-list.yml`` as new downloadable output format.
 https://github.com/aboutcode-org/scancode.io/pull/1852
+- Add support for SPDX as YAML in ``load_sbom`` pipeline.
+
 v35.3.0 (2025-08-20)
 --------------------
diff --git a/scanpipe/pipes/resolve.py b/scanpipe/pipes/resolve.py
index bff8ce1379..0a409dd88c 100644
--- a/scanpipe/pipes/resolve.py
+++ b/scanpipe/pipes/resolve.py
@@ -30,6 +30,7 @@ from django.core.exceptions import ObjectDoesNotExist
 import python_inspector.api as python_inspector
+import saneyaml
 from attributecode.model import About
 from packagedcode import APPLICATION_PACKAGE_DATAFILE_HANDLERS
 from packagedcode.licensing import get_license_detections_and_expression
@@ -378,7 +379,11 @@ def spdx_relationship_to_dependency_data(spdx_relationship):
 def get_spdx_document_from_file(input_location):
 """Return the loaded SPDX document from the `input_location` file."""
 input_path = Path(input_location)
- spdx_document = json.loads(input_path.read_text())
+
+ if str(input_path).endswith((".yml", ".yaml")):
+ spdx_document = saneyaml.load(input_path.read_text())
+ else:
+ spdx_document = json.loads(input_path.read_text())
 try:
 spdx.validate_document(spdx_document)
@@ -425,13 +430,13 @@ def get_default_package_type(input_location):
 if handler.is_datafile(input_location):
 return handler.default_package_type
- if input_location.endswith((".spdx", ".spdx.json")):
+ if input_location.endswith((".spdx", ".spdx.json", ".spdx.yml")):
 return "spdx"
 if input_location.endswith(("bom.json", ".cdx.json", "bom.xml", ".cdx.xml")):
 return "cyclonedx"
- if input_location.endswith((".json", ".xml")):
+ if input_location.endswith((".json", ".xml", ".yml", ".yaml")):
 if cyclonedx.is_cyclonedx_bom(input_location):
 return "cyclonedx"
 if spdx.is_spdx_document(input_location):
diff --git a/scanpipe/pipes/spdx.py b/scanpipe/pipes/spdx.py
index 6ab474f99a..ba7f22d569 100644
--- a/scanpipe/pipes/spdx.py
+++ b/scanpipe/pipes/spdx.py
@@ -29,6 +29,8 @@ from datetime import timezone
 from pathlib import Path
+import saneyaml
+
 SPDX_SPEC_VERSION = "2.3"
 SPDX_LICENSE_LIST_VERSION = "3.20"
 SPDX_SCHEMA_NAME = "spdx-schema-2.3.json"
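Review bot: The YAML branch added to `get_spdx_document_from_file` changes the failure mode for malformed input: a broken `.yml`/`.yaml` file now raises the loader's YAML parse error where the JSON path raises `json.JSONDecodeError`, so a caller that narrows its `except` to the JSON error (the callers are outside this hunk) would let the YAML error escape on a user-supplied SBOM. Normalising both loaders to one exception type, or at least documenting the difference, closes that gap; a docstring such as `"""Return the loaded SPDX document from the `input_location` file. Files ending in .yml/.yaml are parsed as YAML, everything else as JSON."""` also makes the extension-based dispatch explicit. Using saneyaml here is the right call for untrusted input, since its loader is the safe-loading kind as far as I know (worth confirming for the pinned version) rather than a full `yaml.load`. The `try:`/`spdx.validate_document` that follows continues past the hunk.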
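Review bot: The SPDX shortcut in `get_default_package_type` lists `.spdx.yml` but not `.spdx.yaml`, so a file with the longer extension only resolves through the generic `.yaml` branch after `cyclonedx.is_cyclonedx_bom()` has been tried on it; `if input_location.endswith((".spdx", ".spdx.json", ".spdx.yml", ".spdx.yaml")):` keeps the two spellings symmetric with what `get_spdx_document_from_file` accepts. In the generic branch `cyclonedx.is_cyclonedx_bom()` is now also handed `.yml`/`.yaml` paths; if that helper parses JSON/XML without catching decode errors (its body is not in this patch), a YAML input would raise before `spdx.is_spdx_document()` runs, so either check the SPDX case first for YAML extensions or confirm the helper is best-effort. The function's remaining branches are outside the hunk.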
@@ -653,8 +655,15 @@ def validate_document(document, schema=SPDX_SCHEMA_PATH):
 def is_spdx_document(input_location):
 """Return True if the file at `input_location` is a SPDX Document."""
+ input_location = str(input_location)
+ data = {}
+
 with suppress(Exception):
- data = json.loads(Path(input_location).read_text())
- if data.get("SPDXID"):
- return True
+ if input_location.endswith(".json"):
+ data = json.loads(Path(input_location).read_text())
+ elif input_location.endswith((".yml", ".yaml")):
+ data = saneyaml.load(Path(input_location).read_text())
+
+ if data.get("SPDXID"):
+ return True
 return False
diff --git a/scanpipe/tests/data/manifests/curl-7.70.0-v2.2.spdx.yml b/scanpipe/tests/data/manifests/curl-7.70.0-v2.2.spdx.yml
new file mode 100644
index 0000000000..502facc0a0
--- /dev/null
+++ b/scanpipe/tests/data/manifests/curl-7.70.0-v2.2.spdx.yml
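Review bot: `is_spdx_document` now answers False for any path that ends with neither `.json` nor `.yml`/`.yaml`, whereas the removed code attempted a JSON parse of every file; a JSON SPDX document named `*.spdx` (an extension `get_default_package_type` in resolve.py maps to SPDX) is no longer detected by this helper, which is a silent behaviour change for any other caller. Falling back to JSON keeps the old contract: `else:` / `data = json.loads(Path(input_location).read_text())`. The `suppress(Exception)` block also swallows the `AttributeError` that `data.get` raises when `saneyaml.load` returns a non-mapping (a YAML scalar or list), which is acceptable for best-effort sniffing but deserves a one-line comment such as `# non-mapping YAML fails on .get() and is treated as "not SPDX"`.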
@@ -0,0 +1,32 @@
+SPDXID: "SPDXRef-DOCUMENT"
+spdxVersion: "SPDX-2.2"
+creationInfo:
+ created: "2020-07-23T18:30:22Z"
+ creators:
+ - "Organization: Example Inc."
+ - "Person: Thomas Steenbergen"
+ licenseListVersion: "3.9"
+name: "curl-7.70.0"
+dataLicense: "CC0-1.0"
+documentNamespace: "http://spdx.org/spdxdocs/spdx-document-curl"
+documentDescribes:
+- "SPDXRef-Package-curl"
+packages:
+- SPDXID: "SPDXRef-Package-curl"
+ description: "A command line tool and library for transferring data with URL syntax, supporting \
+ HTTP, HTTPS, FTP, FTPS, GOPHER, TFTP, SCP, SFTP, SMB, TELNET, DICT, LDAP, LDAPS, MQTT, FILE, \
+ IMAP, SMTP, POP3, RTSP and RTMP. libcurl offers a myriad of powerful features."
+ copyrightText: "Copyright (c) 1996 - 2020, Daniel Stenberg, , and many
+ contributors, see the THANKS file."
+ downloadLocation: "https://github.com/curl/curl/releases/download/curl-7_70_0/curl-7.70.0.tar.gz"
+ externalRefs:
+ - referenceCategory: "SECURITY"
+ referenceLocator: "cpe:2.3:a:http:curl:7.70.0:*:*:*:*:*:*:*"
+ referenceType: "cpe23Type"
+ filesAnalyzed: false
+ homepage: "https://curl.haxx.se/"
+ licenseConcluded: "NOASSERTION"
+ licenseDeclared: "curl"
+ name: "curl"
+ versionInfo: "7.70.0"
+ originator: "Person: Daniel Stenberg (daniel@haxx.se)"
diff --git a/scanpipe/tests/data/manifests/curl-7.70.0.yaml b/scanpipe/tests/data/manifests/curl-7.70.0.yaml
new file mode 100644
index 0000000000..502facc0a0
--- /dev/null
+++ b/scanpipe/tests/data/manifests/curl-7.70.0.yaml
@@ -0,0 +1,32 @@
+SPDXID: "SPDXRef-DOCUMENT"
+spdxVersion: "SPDX-2.2"
+creationInfo:
+ created: "2020-07-23T18:30:22Z"
+ creators:
+ - "Organization: Example Inc."
+ - "Person: Thomas Steenbergen"
+ licenseListVersion: "3.9"
+name: "curl-7.70.0"
+dataLicense: "CC0-1.0"
+documentNamespace: "http://spdx.org/spdxdocs/spdx-document-curl"
+documentDescribes:
+- "SPDXRef-Package-curl"
+packages:
+- SPDXID: "SPDXRef-Package-curl"
+ description: "A command line tool and library for transferring data with URL syntax, supporting \
+ HTTP, HTTPS, FTP, FTPS, GOPHER, TFTP, SCP, SFTP, SMB, TELNET, DICT, LDAP, LDAPS, MQTT, FILE, \
+ IMAP, SMTP, POP3, RTSP and RTMP. libcurl offers a myriad of powerful features."
+ copyrightText: "Copyright (c) 1996 - 2020, Daniel Stenberg, , and many
+ contributors, see the THANKS file."
+ downloadLocation: "https://github.com/curl/curl/releases/download/curl-7_70_0/curl-7.70.0.tar.gz"
+ externalRefs:
+ - referenceCategory: "SECURITY"
+ referenceLocator: "cpe:2.3:a:http:curl:7.70.0:*:*:*:*:*:*:*"
+ referenceType: "cpe23Type"
+ filesAnalyzed: false
+ homepage: "https://curl.haxx.se/"
+ licenseConcluded: "NOASSERTION"
+ licenseDeclared: "curl"
+ name: "curl"
+ versionInfo: "7.70.0"
+ originator: "Person: Daniel Stenberg (daniel@haxx.se)"
diff --git a/scanpipe/tests/pipes/test_resolve.py b/scanpipe/tests/pipes/test_resolve.py
index 11a4a24373..aa16edaafc 100644
--- a/scanpipe/tests/pipes/test_resolve.py
+++ b/scanpipe/tests/pipes/test_resolve.py
@@ -50,9 +50,15 @@ def test_scanpipe_pipes_resolve_get_default_package_type(self):
 input_location = self.manifest_location / "toml.spdx.json"
 self.assertEqual("spdx", resolve.get_default_package_type(input_location))
+ input_location = self.manifest_location / "curl-7.70.0-v2.2.spdx.yml"
+ self.assertEqual("spdx", resolve.get_default_package_type(input_location))
+
 input_location = self.manifest_location / "toml.json"
 self.assertEqual("spdx", resolve.get_default_package_type(input_location))
+ input_location = self.manifest_location / "curl-7.70.0.y﻿aml"
+ self.assertEqual("spdx", resolve.get_default_package_type(input_location))
+
 input_location = self.data / "cyclonedx/nested.cdx.json"
 self.assertEqual("cyclonedx", resolve.get_default_package_type(input_location))
@@ -181,6 +187,12 @@ def test_scanpipe_pipes_resolve_get_spdx_document_from_file(self):
 self.assertEqual("SPDXRef-DOCUMENT", spdx_document["SPDXID"])
 self.assertEqual("SPDX-2.3", spdx_document["spdxVersion"])
+ input_location = self.data / "manifests" / "curl-7.70.0-v2.2.spdx.yml"
+ spdx_document = resolve.get_spdx_document_from_file(input_location)
+ self.assertIsInstance(spdx_document, dict)
+ self.assertEqual("SPDXRef-DOCUMENT", spdx_document["SPDXID"])
+ self.assertEqual("SPDX-2.2", spdx_document["spdxVersion"])
+
 def test_scanpipe_pipes_resolve_spdx_package_to_package_data(self):
 p1 = Project.objects.create(name="Analysis")
 package = pipes.update_or_create_package(p1, package_data1)
From 7f321b07579960b0398f8da34bcba4e09cd4281d Mon Sep 17 00:00:00 2001
From: tdruez
Date: Fri, 12 Sep 2025 16:06:42 +0400
Subject: [PATCH 02/11] Add a workflow for the ScanCode.io to ORT integration
Signed-off-by: tdruez
---
 .../sca-integration-ort-package-file.yml | 59 +++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 .github/workflows/sca-integration-ort-package-file.yml
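Review bot: The added cases exercise only the positive path: nothing asserts that `is_spdx_document()` returns False for a YAML file that is not an SPDX document, that `get_spdx_document_from_file()` surfaces a clear error for a malformed `.yml`, or that a `.spdx.yaml` name (not in the extension shortcut) is still classified as `spdx`. One non-SPDX YAML fixture and three short assertions would cover the branches the two hunks introduce; `test_scanpipe_pipes_resolve_get_spdx_document_from_file` in the second hunk starts above it. Both fixtures added by this commit carry the same blob (`502facc0a0`), so the `.yaml` case only tests extension routing, which may be intended but is worth a comment next to the duplicate file.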
diff --git a/.github/workflows/sca-integration-ort-package-file.yml b/.github/workflows/sca-integration-ort-package-file.yml
new file mode 100644
index 0000000000..26cdd0778e
--- /dev/null
+++ b/.github/workflows/sca-integration-ort-package-file.yml
@@ -0,0 +1,59 @@
+name: Generate ORT package-file.yml with ScanCode.io and load into ORT
+
+# This workflow:
+# 1. Analyze a Docker image using ScanCode.io
+# 1. Generates an ORT `package-file.yml` from the project results
+# 2. Generates an ORT `analyzer-result.yml` using create-analyzer-result-from-package-list
+# 3. Run the ORT report on `analyzer-result.yml` to generate a CycloneDX and SpdxDocument
+
+on:
+ workflow_dispatch:
+# schedule:
+# # Run once a week (every 7 days) at 00:00 UTC on Sunday
+# - cron: "0 0 * * 0"
+ pull_request:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+env:
+ SCIO_IMAGE_INPUT: "docker://osadl/alpine-docker-base-image:v3.22-latest"
+ ORT_VERSION: "68.1.0"
+
+jobs:
+ generate-and-load-sbom:
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Analyze Docker image with ScanCode.io
+ uses: aboutcode-org/scancode-action@main
+ with:
+ pipelines: "analyze_docker_image"
+ input-urls:
+ "${{ env.SCIO_IMAGE_INPUT }}"
+ scancodeio-repo-branch: "main"
+ output-formats: "ort-package-list spdx cyclonedx json xlsx"
+
+ - name: DEBUG
+ run: |
+ echo ${{ env.PROJECT_WORK_DIRECTORY }}
+
+ - name: Generates an ORT analyzer-result.yml file
+ run: |
+ docker run --rm -v ${{ env.PROJECT_WORK_DIRECTORY }}/output:/data \
+ --entrypoint /opt/ort/bin/orth \
+ ghcr.io/oss-review-toolkit/ort:${{ env.ORT_VERSION }} \
+ create-analyzer-result-from-package-list \
+ --package-list-file /data/package-list.yml \
+ --ort-file /data/analyzer-result.yml
+
+ - name: Generates an ORT analyzer-result.yml file
+ run: |
+ docker run --rm -v ${{ env.PROJECT_WORK_DIRECTORY }}/output:/data \
+ ghcr.io/oss-review-toolkit/ort:${{ env.ORT_VERSION }} \
+ report \
+ --ort-file /data/analyzer-result.yml \
+ --output-dir /data/results/ \
+ --report-formats CycloneDX,SpdxDocument
From ee489bf7d1b17696350bab6b84aaaa5924fea601 Mon Sep 17 00:00:00 2001
From: tdruez
Date: Fri, 12 Sep 2025 16:28:56 +0400
Subject: [PATCH 03/11] Copy package-list.yml to workspace root
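Review bot: `uses: aboutcode-org/scancode-action@main` runs whatever that branch currently holds, on every `pull_request` and `push` to this repository; pinning the action to a full commit SHA (keeping the tag in a trailing comment) and pinning `ghcr.io/oss-review-toolkit/ort:${{ env.ORT_VERSION }}` by digest as well makes the job reproducible and keeps a change on the action's side from silently altering what executes here. The `${{ env.PROJECT_WORK_DIRECTORY }}` expressions inside the `run:` scripts are substituted into the script text before the shell runs it; reading the same value through the environment, `echo "$PROJECT_WORK_DIRECTORY"` and `-v "$PROJECT_WORK_DIRECTORY/output:/data"`, is the form GitHub recommends and also quotes the path (this assumes the action exports the value via GITHUB_ENV, which the `env.` context implies). The same interpolation recurs in the hunks of [PATCH 03/11] and [PATCH 04/11] in this series. `permissions: contents: read` is the right scope for this job and should stay as the steps grow.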
Signed-off-by: tdruez
---
 .github/workflows/sca-integration-ort-package-file.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/sca-integration-ort-package-file.yml b/.github/workflows/sca-integration-ort-package-file.yml
index 26cdd0778e..af4349172a 100644
--- a/.github/workflows/sca-integration-ort-package-file.yml
+++ b/.github/workflows/sca-integration-ort-package-file.yml
@@ -36,13 +36,15 @@ jobs:
 scancodeio-repo-branch: "main"
 output-formats: "ort-package-list spdx cyclonedx json xlsx"
- - name: DEBUG
+ - name: Copy package-list.yml to workspace root
 run: |
- echo ${{ env.PROJECT_WORK_DIRECTORY }}
+ FILE=$(ls ${{ env.PROJECT_WORK_DIRECTORY }}/output/*.package-list.yml | head -n 1)
+ cp "$FILE" "${GITHUB_WORKSPACE}/package-list.yml"
+ ls -lh "${GITHUB_WORKSPACE}/package-list.yml"
 - name: Generates an ORT analyzer-result.yml file
 run: |
- docker run --rm -v ${{ env.PROJECT_WORK_DIRECTORY }}/output:/data \
+ docker run --rm -v ${GITHUB_WORKSPACE}:/data \
 --entrypoint /opt/ort/bin/orth \
 ghcr.io/oss-review-toolkit/ort:${{ env.ORT_VERSION }} \
 create-analyzer-result-from-package-list \
@@ -51,7 +53,7 @@ jobs:
 - name: Generates an ORT analyzer-result.yml file
 run: |
- docker run --rm -v ${{ env.PROJECT_WORK_DIRECTORY }}/output:/data \
+ docker run --rm -v ${GITHUB_WORKSPACE}:/data \
 ghcr.io/oss-review-toolkit/ort:${{ env.ORT_VERSION }} \
 report \
 --ort-file /data/analyzer-result.yml \
From 1a0d8f465fb57ed3dee7bc4d71b9c4c8cad63dfb Mon Sep 17 00:00:00 2001
From: tdruez
Date: Mon, 15 Sep 2025 13:23:54 +0400
Subject: [PATCH 04/11] DEBUG workflow
Signed-off-by: tdruez
---
 .../workflows/sca-integration-ort-package-file.yml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/sca-integration-ort-package-file.yml b/.github/workflows/sca-integration-ort-package-file.yml
index af4349172a..d18abe30ce 100644
--- a/.github/workflows/sca-integration-ort-package-file.yml
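Review bot: `FILE=$(ls ${{ env.PROJECT_WORK_DIRECTORY }}/output/*.package-list.yml | head -n 1)` in the `Copy package-list.yml to workspace root` step parses `ls` output and does not stop the step when the glob matches nothing: `ls` prints an error, `FILE` stays empty, and the failure only surfaces as `cp` complaining about a missing operand. A glob into an array with an explicit check fails where the problem is: `files=("$PROJECT_WORK_DIRECTORY"/output/*.package-list.yml)`, `test -f "${files[0]}" || { echo "no package-list.yml in output/"; exit 1; }`, then `cp "${files[0]}" "${GITHUB_WORKSPACE}/package-list.yml"`. The `docker run` lines in both hunks are unchanged apart from the mount and continue outside the first hunk.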
+++ b/.github/workflows/sca-integration-ort-package-file.yml
@@ -34,17 +34,21 @@ jobs:
 input-urls:
 "${{ env.SCIO_IMAGE_INPUT }}"
 scancodeio-repo-branch: "main"
- output-formats: "ort-package-list spdx cyclonedx json xlsx"
+ output-formats: "ort-package-list spdx:2.2 cyclonedx json xlsx"
+
+ - name: DEBUG
+ run: ls -la ${{ env.PROJECT_WORK_DIRECTORY }}/output/
 - name: Copy package-list.yml to workspace root
 run: |
 FILE=$(ls ${{ env.PROJECT_WORK_DIRECTORY }}/output/*.package-list.yml | head -n 1)
- cp "$FILE" "${GITHUB_WORKSPACE}/package-list.yml"
- ls -lh "${GITHUB_WORKSPACE}/package-list.yml"
+ mkdir -p ${GITHUB_WORKSPACE}/ort-data/
+ cp "$FILE" "${GITHUB_WORKSPACE}/ort-data/package-list.yml"
+ ls -lh "${GITHUB_WORKSPACE}/ort-data/"
 - name: Generates an ORT analyzer-result.yml file
 run: |
- docker run --rm -v ${GITHUB_WORKSPACE}:/data \
+ docker run --rm -v ${GITHUB_WORKSPACE}/ort-data:/data \
 --entrypoint /opt/ort/bin/orth \
 ghcr.io/oss-review-toolkit/ort:${{ env.ORT_VERSION }} \
 create-analyzer-result-from-package-list \
@@ -53,7 +57,7 @@ jobs:
 - name: Generates an ORT analyzer-result.yml file
 run: |
- docker run --rm -v ${GITHUB_WORKSPACE}:/data \
+ docker run --rm -v ${GITHUB_WORKSPACE}/ort-data:/data \
 ghcr.io/oss-review-toolkit/ort:${{ env.ORT_VERSION }} \
 report \
 --ort-file /data/analyzer-result.yml \
From 6ad0f151b57f3321e82e91a8c94dc04c3c226710 Mon Sep 17 00:00:00 2001
From: tdruez
Date: Mon, 15 Sep 2025 13:29:37 +0400
Subject: [PATCH 05/11] DEBUG workflow
Signed-off-by: tdruez
---
 .github/workflows/sca-integration-ort-package-file.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/sca-integration-ort-package-file.yml b/.github/workflows/sca-integration-ort-package-file.yml
index d18abe30ce..77c30798b0 100644
--- a/.github/workflows/sca-integration-ort-package-file.yml
+++ b/.github/workflows/sca-integration-ort-package-file.yml
@@ -43,6 +43,7 @@ jobs:
 run: |
 FILE=$(ls ${{ env.PROJECT_WORK_DIRECTORY }}/output/*.package-list.yml | head -n 1)
 mkdir -p ${GITHUB_WORKSPACE}/ort-data/
+ sudo chown -R 1000:1000 ${GITHUB_WORKSPACE}/ort-data
 cp "$FILE" "${GITHUB_WORKSPACE}/ort-data/package-list.yml"
 ls -lh "${GITHUB_WORKSPACE}/ort-data/"
From d097693322708acf5d0ddbd272c75057b8e97cc6 Mon Sep 17 00:00:00 2001
From: tdruez
Date: Mon, 15 Sep 2025 13:33:30 +0400
Subject: [PATCH 06/11] DEBUG workflow
Signed-off-by: tdruez
---
 .github/workflows/sca-integration-ort-package-file.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/sca-integration-ort-package-file.yml b/.github/workflows/sca-integration-ort-package-file.yml
index 77c30798b0..147dafc765 100644
--- a/.github/workflows/sca-integration-ort-package-file.yml
+++ b/.github/workflows/sca-integration-ort-package-file.yml
@@ -42,9 +42,9 @@ jobs:
 - name: Copy package-list.yml to workspace root
 run: |
 FILE=$(ls ${{ env.PROJECT_WORK_DIRECTORY }}/output/*.package-list.yml | head -n 1)
- mkdir -p ${GITHUB_WORKSPACE}/ort-data/
- sudo chown -R 1000:1000 ${GITHUB_WORKSPACE}/ort-data
- cp "$FILE" "${GITHUB_WORKSPACE}/ort-data/package-list.yml"
+ sudo mkdir -p ${GITHUB_WORKSPACE}/ort-data/
+ sudo cp "$FILE" "${GITHUB_WORKSPACE}/ort-data/package-list.yml"
+ sudo chmod -R 777 ${GITHUB_WORKSPACE}/ort-data/
 ls -lh "${GITHUB_WORKSPACE}/ort-data/"
 - name: Generates an ORT analyzer-result.yml file
From 3aaaf86ceb757e1ad14cce9475ff10520155b08e Mon Sep 17 00:00:00 2001
From: tdruez
Date: Mon, 15 Sep 2025 13:39:46 +0400
Subject: [PATCH 07/11] DEBUG workflow
Signed-off-by: tdruez
---
 .../sca-integration-ort-package-file.yml | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/sca-integration-ort-package-file.yml b/.github/workflows/sca-integration-ort-package-file.yml
index 147dafc765..6d9b8fe2fd 100644
--- a/.github/workflows/sca-integration-ort-package-file.yml
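Review bot: `sudo chmod -R 777 ${GITHUB_WORKSPACE}/ort-data/` in the [PATCH 06/11] hunk makes the directory and the copied `package-list.yml` world-writable, apparently so the ORT container, which the `chown -R 1000:1000` attempt in the [PATCH 05/11] hunk suggests runs as a non-root UID, can write `analyzer-result.yml` into the bind mount. On a throwaway runner the exposure is small, but the narrower fix is to match identities rather than open permissions: either keep the `chown` to the image's UID with `755` on the directory (the `sudo mkdir`/`sudo cp` leave root-owned entries, which is presumably what forced the `777`), or add `--user "$(id -u):$(id -g)"` to the `docker run` lines if the ORT image tolerates an arbitrary UID. The `docker run` invocations this affects are outside both hunks.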
+++ b/.github/workflows/sca-integration-ort-package-file.yml
@@ -36,9 +36,6 @@ jobs:
 scancodeio-repo-branch: "main"
 output-formats: "ort-package-list spdx:2.2 cyclonedx json xlsx"
- - name: DEBUG
- run: ls -la ${{ env.PROJECT_WORK_DIRECTORY }}/output/
-
 - name: Copy package-list.yml to workspace root
 run: |
 FILE=$(ls ${{ env.PROJECT_WORK_DIRECTORY }}/output/*.package-list.yml | head -n 1)
@@ -56,7 +53,7 @@ jobs:
 --package-list-file /data/package-list.yml \
 --ort-file /data/analyzer-result.yml
- - name: Generates an ORT analyzer-result.yml file
+ - name: Report as CycloneDX and SPDX using the analyzer-result.yml file
 run: |
 docker run --rm -v ${GITHUB_WORKSPACE}/ort-data:/data \
 ghcr.io/oss-review-toolkit/ort:${{ env.ORT_VERSION }} \
@@ -64,3 +61,13 @@ jobs:
 --ort-file /data/analyzer-result.yml \
 --output-dir /data/results/ \
 --report-formats CycloneDX,SpdxDocument
+
+ - name: DEBUG
+ run: ls -la ${{ env.PROJECT_WORK_DIRECTORY }}/output/
+
+ - name: Upload SBOMs as GitHub Artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: ort-report
+ path: ${GITHUB_WORKSPACE}/ort-data
+ retention-days: 20
From 244c85050429062a9103ce1f371162447f242abd Mon Sep 17 00:00:00 2001
From: tdruez
Date: Mon, 15 Sep 2025 14:01:00 +0400
Subject: [PATCH 08/11] DEBUG workflow
Signed-off-by: tdruez
---
 .github/workflows/sca-integration-ort-package-file.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/sca-integration-ort-package-file.yml b/.github/workflows/sca-integration-ort-package-file.yml
index 6d9b8fe2fd..f71d4267c5 100644
--- a/.github/workflows/sca-integration-ort-package-file.yml
+++ b/.github/workflows/sca-integration-ort-package-file.yml
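Review bot: `path: ${GITHUB_WORKSPACE}/ort-data` under `with:` of `actions/upload-artifact@v4` is, as far as I know, handed to the action verbatim: `${VAR}` is shell syntax and only expands inside `run:` scripts, not in action inputs, so the upload searches for a literal `${GITHUB_WORKSPACE}/ort-data` and, with the action's default `if-no-files-found: warn`, the job still passes with no artifact. The workspace-relative form fixes both points: `path: ort-data` (or `${{ github.workspace }}/ort-data`) plus `if-no-files-found: error`. The same literal is carried through the later edits of this input in [PATCH 08/11] and [PATCH 09/11]. The new `DEBUG` step reuses `${{ env.PROJECT_WORK_DIRECTORY }}` inside `run:`, where `"$PROJECT_WORK_DIRECTORY"` is the safer spelling.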
@@ -63,11 +63,11 @@ jobs:
 --report-formats CycloneDX,SpdxDocument
 - name: DEBUG
- run: ls -la ${{ env.PROJECT_WORK_DIRECTORY }}/output/
+ run: ls -la ${GITHUB_WORKSPACE}/ort-data
 - name: Upload SBOMs as GitHub Artifact
 uses: actions/upload-artifact@v4
 with:
 name: ort-report
- path: ${GITHUB_WORKSPACE}/ort-data
+ path: "${GITHUB_WORKSPACE}/ort-data/*"
 retention-days: 20
From ef199c18e83e4821af7c64db3550ad20d81c2a29 Mon Sep 17 00:00:00 2001
From: tdruez
Date: Mon, 15 Sep 2025 14:08:12 +0400
Subject: [PATCH 09/11] DEBUG workflow
Signed-off-by: tdruez
---
 .../sca-integration-ort-package-file.yml | 16 ++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/sca-integration-ort-package-file.yml b/.github/workflows/sca-integration-ort-package-file.yml
index f71d4267c5..f60836c17c 100644
--- a/.github/workflows/sca-integration-ort-package-file.yml
+++ b/.github/workflows/sca-integration-ort-package-file.yml
@@ -63,11 +63,23 @@ jobs:
 --report-formats CycloneDX,SpdxDocument
 - name: DEBUG
- run: ls -la ${GITHUB_WORKSPACE}/ort-data
+ run: ls -la ${GITHUB_WORKSPACE}/ort-data/results
 - name: Upload SBOMs as GitHub Artifact
 uses: actions/upload-artifact@v4
 with:
 name: ort-report
- path: "${GITHUB_WORKSPACE}/ort-data/*"
+ path: "${GITHUB_WORKSPACE}/ort-data/results"
 retention-days: 20
+
+ - name: Import SBOM into ScanCode.io
+ uses: aboutcode-org/scancode-action@main
+ with:
+ pipelines: "load_sbom"
+ inputs-path: "${GITHUB_WORKSPACE}/ort-data/results/bom.cyclonedx.json"
+ scancodeio-repo-branch: "main"
+
+ - name: Verify SBOM Analysis Results in ScanCode.io
+ shell: bash
+ run: |
+ scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; print(package_manager.count()); print(package_manager.vulnerable().count()); print(DiscoveredDependency.objects.count())"
From 1bbbe3f927eb2a1614fde34a7ec1483e02075184 Mon Sep 17 00:00:00 2001
From: tdruez
Date: Mon, 15 Sep 2025 14:20:09 +0400
Subject: [PATCH 10/11] Cleanup workflow
Signed-off-by: tdruez
---
 .../sca-integration-ort-package-file.yml | 27 +++++--------------
 1 file changed, 6 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/sca-integration-ort-package-file.yml b/.github/workflows/sca-integration-ort-package-file.yml
index f60836c17c..d168d16cea 100644
--- a/.github/workflows/sca-integration-ort-package-file.yml
+++ b/.github/workflows/sca-integration-ort-package-file.yml
@@ -2,15 +2,15 @@ name: Generate ORT package-file.yml with ScanCode.io and load into ORT
 # This workflow:
 # 1. Analyze a Docker image using ScanCode.io
-# 1. Generates an ORT `package-file.yml` from the project results
-# 2. Generates an ORT `analyzer-result.yml` using create-analyzer-result-from-package-list
-# 3. Run the ORT report on `analyzer-result.yml` to generate a CycloneDX and SpdxDocument
+# 2. Generates an ORT `package-file.yml` from the SCIO project results
+# 3. Generates an ORT `analyzer-result.yml` using create-analyzer-result-from-package-list
+# 4. Run the ORT report on `analyzer-result.yml` to generate a CycloneDX and SpdxDocument
 on:
 workflow_dispatch:
-# schedule:
-# # Run once a week (every 7 days) at 00:00 UTC on Sunday
-# - cron: "0 0 * * 0"
+ schedule:
+ # Run once a week (every 7 days) at 00:00 UTC on Sunday
+ - cron: "0 0 * * 0"
 pull_request:
 push:
 branches:
@@ -62,24 +62,9 @@ jobs:
 --output-dir /data/results/ \
 --report-formats CycloneDX,SpdxDocument
- - name: DEBUG
- run: ls -la ${GITHUB_WORKSPACE}/ort-data/results
-
 - name: Upload SBOMs as GitHub Artifact
 uses: actions/upload-artifact@v4
 with:
 name: ort-report
 path: "${GITHUB_WORKSPACE}/ort-data/results"
 retention-days: 20
-
- - name: Import SBOM into ScanCode.io
- uses: aboutcode-org/scancode-action@main
- with:
- pipelines: "load_sbom"
- inputs-path: "${GITHUB_WORKSPACE}/ort-data/results/bom.cyclonedx.json"
- scancodeio-repo-branch: "main"
-
- - name: Verify SBOM Analysis Results in ScanCode.io
- shell: bash
- run: |
- scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; print(package_manager.count()); print(package_manager.vulnerable().count()); print(DiscoveredDependency.objects.count())"
From ed1a8dc6d1db52320d01031675c42a4e303e4deb Mon Sep 17 00:00:00 2001
From: tdruez
Date: Mon, 15 Sep 2025 14:26:10 +0400
Subject: [PATCH 11/11] Only run on schedule
Signed-off-by: tdruez
---
 .github/workflows/sca-integration-ort-package-file.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/.github/workflows/sca-integration-ort-package-file.yml b/.github/workflows/sca-integration-ort-package-file.yml
index d168d16cea..50cc4780dc 100644
--- a/.github/workflows/sca-integration-ort-package-file.yml
+++ b/.github/workflows/sca-integration-ort-package-file.yml
@@ -11,10 +11,6 @@ on:
 schedule:
 # Run once a week (every 7 days) at 00:00 UTC on Sunday
 - cron: "0 0 * * 0"
- pull_request:
- push:
- branches:
- - main
 permissions:
 contents: read
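Review bot: Dropping `pull_request` and `push` from `on:` in the [PATCH 11/11] hunk leaves `schedule` and `workflow_dispatch` as the only triggers, so a later edit to this workflow is never exercised before it lands and is first validated by the Sunday run. GitHub also disables scheduled workflows after 60 days without repository activity and always runs the default-branch copy of the file, so a manual `workflow_dispatch` after each change to this file is the cheap way to keep it verified. `on:` begins above this hunk.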