Add Software Bill of Materials

raffomania · Jan 13, 2025 · 756ef4d · 756ef4d
1 parent 07f2376
commit 756ef4d
Show file tree

Hide file tree

Showing 5 changed files with 12,843 additions and 6 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -26,14 +26,36 @@ jobs:
       - name: Setup rust cache
         uses: Swatinem/rust-cache@v2
 
+      - name: Setup node
+        uses: actions/setup-node@v4
+
+      # this is needed because `npx` won't install prettier plugins
+      - name: Install node dependencies
+        run: npm install
+
+      - name: Install cargo-run-bin
+        run: cargo install cargo-run-bin
+
+      - run: cargo bin just format
+
+      - run: cargo bin just lint
+
+      - run: cargo bin just generate-sbom
+
+      - name: Check for file changes
+        run: |
+          if [[ -n "$(git status --porcelain)" ]]; then
+            echo "::error::Detected changes in the following files:"
+            git status --porcelain
+            echo "Diff:"
+            git diff
+            exit 1
+          fi
+
       - run: cargo build --release
         env:
           SQLX_OFFLINE: true
 
-      - run: cargo fmt --all -- --check
-
-      - run: cargo clippy -- -D warnings
-
       - name: podman login
         env:
           USER: ${{ github.actor }}

diff --git a/Cargo.toml b/Cargo.toml
@@ -79,6 +79,7 @@ just = { version = "1.38.0", locked = true }
 cargo-watch = { version = "8.5.3", locked = true }
 systemfd = { version = "0.4.3", locked = true }
 sqlx-cli = { version = "0.8.3", locked = true, bins = ["sqlx"] }
+cargo-cyclonedx = { version = "0.5.7", locked = true }
 
 [profile.dev.package]
 insta.opt-level = 3

diff --git a/Justfile b/Justfile
@@ -121,10 +121,18 @@ lint *args:
     cargo clippy {{args}} -- -D warnings
 
 format: format-templates
-    cargo fmt --all -- --check
+    cargo fmt --all
 
 format-templates:
     npx prettier --write '**/*.html'
 
+generate-sbom:
+    cargo bin cargo-cyclonedx --format json --describe binaries
+    # Remove some fields that make the sbom non-reproducible.
+    # https://github.com/CycloneDX/cyclonedx-rust-cargo/issues/556
+    # https://github.com/CycloneDX/cyclonedx-rust-cargo/issues/514
+    jq --sort-keys '.components |= sort_by(.purl) | del(.serialNumber) | del(.metadata.timestamp) | del(.metadata.component."bom-ref") | .metadata.component.components |= map(del(."bom-ref"))' linkblocks_bin.cdx.json > linkblocks.cdx.json
+    rm linkblocks_bin.cdx.json
+
 install-git-hooks:
     ln -srf pre-commit.sh .git/hooks/pre-commit
diff --git a/README.md b/README.md
@@ -39,7 +39,7 @@ cargo install cargo-run-bin
 
 Copy `.env.example` to `.env` and edit it to your liking.
 
-Optional: run `just install-git-hooks` to automatically run checks before committing.
+Optional: run `cargo bin just install-git-hooks` to automatically run checks before committing.
 
 In the root of the repository, launch the server:
 
@@ -84,6 +84,10 @@ This web app is implemented using technologies hand-picked for a smooth developm
 - Built-in CLI for production maintenance
 - Auto-reload in development [without dropped connections](https://github.com/mitsuhiko/listenfd)
 
+## Software Bill of Materials
+
+An up-to-date Software Bill of Materials can be found in the [linkblocks.cdx.json](linkblocks.cdx.json) file.
+
 ## Acknowledgements
 
 <img src="doc/nlnet.svg?raw=true" alt="NLnet logo" height="60em"> <img src="doc/ngi_zero.svg?raw=true" alt="NGI Zero Commons logo" height="60em">