From 35b55f8bf7b7658c79adde00bf1cc3dab4a09807 Mon Sep 17 00:00:00 2001
From: Ubbo Veentjer
Date: Mon, 25 Jul 2022 14:39:45 +0200
Subject: [PATCH 1/4] ci: add syft container scanning
---
.gitlab-ci.yml | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 9b78015..c31f036 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -39,7 +39,7 @@ build: - main - postgres-image -generate-sbom: +depdendency-scanning: stage: test image: python:3.9-slim-bullseye needs: []
@@ -50,6 +50,17 @@ generate-sbom: paths: - 'bom.json' +container-scanning: + stage: test + image: + name: anchore/syft:debug + entrypoint: [""] + script: + - syft $CONTAINER_IMAGE -o cyclonedx-json=sbom.container.json + artifacts: + paths: + - 'sbom.container.json' + tag-dev-image: image: name: gcr.io/go-containerregistry/crane:debug
-- GitLab
From 61bd2b5648bfbd29b8bc4c625f474397fb41894b Mon Sep 17 00:00:00 2001
From: Ubbo Veentjer
Date: Mon, 25 Jul 2022 15:03:59 +0200
Subject: [PATCH 2/4] ci: path is /syft
---
.gitlab-ci.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c31f036..6c6c039 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -56,7 +56,7 @@ container-scanning: name: anchore/syft:debug entrypoint: [""] script: - - syft $CONTAINER_IMAGE -o cyclonedx-json=sbom.container.json + - /syft $CONTAINER_IMAGE -o cyclonedx-json=sbom.container.json artifacts: paths: - 'sbom.container.json'
-- GitLab
From 62a59c900c93ff44c257afab4c26217ad7d8dfef Mon Sep 17 00:00:00 2001
From: Ubbo Veentjer
Date: Mon, 25 Jul 2022 15:23:00 +0200
Subject: [PATCH 3/4] ci: upload container-sbom to dependency track
---
.gitlab-ci.yml | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6c6c039..90fcdee 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
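Review bot: The renamed job on the `+` line of the first hunk is misspelled, `depdendency-scanning`, and the typo will be copied into every `needs:`, `dependencies:` or `extends:` reference and into the job name shown in the pipeline UI; the line should read `+dependency-scanning:`. The second hunk's header still shows `generate-sbom:` as context, which is expected because that is the old name, but anything elsewhere in the file that referenced `generate-sbom` is not visible here and would need the same rename. The job's remaining keys continue outside the hunk.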
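Review bot: `name: anchore/syft:debug` in the new `container-scanning` job is a floating tag, so the SBOM this job produces and later uploads as inventory evidence depends on whichever syft build the tag points to at run time; pin the tool that generates the inventory, e.g. `name: anchore/syft:<PINNED_VERSION>@sha256:<DIGEST>` (placeholder values), and bump it deliberately. The job name also reads like the `container_scanning` job that the included `Security/Container-Scanning.gitlab-ci.yml` template defines (see the include hunk in patch 3), yet this job only emits a CycloneDX SBOM and reports no vulnerabilities itself, so a name such as `container-sbom` with a comment `# CycloneDX SBOM of the built image; vulnerability matching happens downstream in Dependency-Track` would avoid the confusion. `$CONTAINER_IMAGE` is not defined in this hunk and presumably comes from the file's `variables:` section; quoting it in the script line, `- syft "$CONTAINER_IMAGE" -o cyclonedx-json=sbom.container.json`, makes an empty or unexpected value fail loudly instead of being word-split by the shell, and the same applies to the `/syft` line that patch 2 rewrites. Leaving out `needs:` so the job waits for the whole build stage is correct for an image scan.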
@@ -1,6 +1,7 @@ include: - template: Security/Container-Scanning.gitlab-ci.yml - template: Security/Secret-Detection.gitlab-ci.yml + - remote: https://gitlab.gwdg.de/dariah-de/gitlab-templates/-/raw/main/templates/.deps.gitlab-ci.yml # for upload-container-sbom - remote: https://gitlab.gwdg.de/dariah-de/gitlab-templates/-/raw/main/templates/SBOM-Upload.gitlab-ci.yml variables:
@@ -61,6 +62,20 @@ container-scanning: paths: - 'sbom.container.json' +# TODO add to templates +upload-container-sbom: + stage: deploy + # only: + # - develop + variables: + X_API_KEY: $DEPS_UPLOAD_TOKEN + AUTO_CREATE_PROJECT: 'true' + PROJECT_NAME: $CI_PROJECT_NAME-container + PROJECT_VERSION: develop + BOM_LOCATION: 'sbom.container.json' + extends: + - .upload-bom-to-deps + tag-dev-image: image: name: gcr.io/go-containerregistry/crane:debug
-- GitLab
From 306b576137ea45c75eccddacdcb2ac3fe578fdf1 Mon Sep 17 00:00:00 2001
From: Ubbo Veentjer
Date: Mon, 25 Jul 2022 15:34:25 +0200
Subject: [PATCH 4/4] ci: upload container-sbom only on develop branch
---
.gitlab-ci.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 90fcdee..d66cc9a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -62,11 +62,11 @@ container-scanning: paths: - 'sbom.container.json' -# TODO add to templates +# TODO add to templates, adapt for release BEFORE next release upload-container-sbom: stage: deploy - # only: - # - develop + only: + - develop variables: X_API_KEY: $DEPS_UPLOAD_TOKEN AUTO_CREATE_PROJECT: 'true'
-- GitLab
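Review bot: The new `remote:` include fetches job definitions from the `main` branch of another project on every pipeline run, so whatever lands on that branch is executed here with this project's variables, including the `$DEPS_UPLOAD_TOKEN` that the `upload-container-sbom` job hands to `.upload-bom-to-deps`; pin the include to an immutable ref, e.g. `- remote: https://gitlab.gwdg.de/dariah-de/gitlab-templates/-/raw/<PINNED_TAG_OR_SHA>/templates/.deps.gitlab-ci.yml` (placeholder ref), or use `include: project:` with a `ref:` if the templates project is reachable that way. The pre-existing `SBOM-Upload.gitlab-ci.yml` line in the same hunk has the same exposure, so both should be pinned together and bumped on purpose. The trailing `# for upload-container-sbom` comment is useful; naming the hidden job it provides, `# provides .upload-bom-to-deps, used by upload-container-sbom`, would make the dependency greppable.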
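Review bot: `upload-container-sbom` consumes `sbom.container.json` from the `container-scanning` job but declares no `needs:` or `dependencies:`, so it relies on stage ordering and pulls every artifact of the earlier stages; adding `needs:` followed by `  - container-scanning` makes the link explicit and fails early if the SBOM job is renamed or skipped, unless `.upload-bom-to-deps` already sets `needs`, which is not visible here. `X_API_KEY: $DEPS_UPLOAD_TOKEN` puts the Dependency-Track key into a job variable, so `DEPS_UPLOAD_TOKEN` should be a masked CI/CD variable and the template's script must not echo it; if it is also marked protected, the branch this job runs on has to be protected as well or the variable arrives empty. `PROJECT_NAME: $CI_PROJECT_NAME-container` and `PROJECT_VERSION: develop` are plain scalars that happen to parse as strings, but quoting them like `BOM_LOCATION` keeps the style uniform. The whole job sits inside this hunk.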
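Review bot: `only:` is the legacy keyword, and GitLab rejects a job that ends up with both `only` and `rules` once `extends:` is resolved, so if `.upload-bom-to-deps` in the remote template ever defines `rules:` this job will fail pipeline validation; the equivalent `rules:` form, `rules:` followed by `  - if: '$CI_COMMIT_BRANCH == "develop"'`, is safe either way and is what new jobs should use. The restriction now matches the hard-coded `PROJECT_VERSION: develop`, which the updated TODO comment already acknowledges. The job's remaining keys, including `extends:`, lie outside this hunk.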