diff --git a/scanners/boostsecurityio/osv-scalibr-sbom/filelist.txt b/scanners/boostsecurityio/osv-scalibr-sbom/filelist.txt
new file mode 100644
index 00000000..bee90822
--- /dev/null
+++ b/scanners/boostsecurityio/osv-scalibr-sbom/filelist.txt
@@ -0,0 +1,31 @@
+conan.lock
+pubspec.lock
+mix.lock
+go.mod
+cabal.project.freeze
+stack.yaml.lock
+*.jar
+buildscript-gradle.lockfile
+gradle.lockfile
+verification-metadata.xml
+pom.xml
+bun.lock
+package-lock.json
+pnpm-lock.yaml
+yarn.lock
+deps.json
+packages.config
+*.csproj
+packages.lock.json
+composer.lock
+Pipfile.lock
+poetry.lock
+requirements.txt
+pdm.lock
+pylock.toml
+uv.lock
+renv.lock
+Gemfile.lock
+gems.locked
+Cargo.lock
+osv-scanner.json
diff --git a/scanners/boostsecurityio/osv-scalibr-sbom/module.yaml b/scanners/boostsecurityio/osv-scalibr-sbom/module.yaml
new file mode 100644
index 00000000..212c41ea
--- /dev/null
+++ b/scanners/boostsecurityio/osv-scalibr-sbom/module.yaml
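Review bot: filelist.txt repeats, entry for entry, the 31 patterns that module.yaml lists under config.include_files in this same commit, and nothing ties the two together, so they will drift: a pattern added to one list only means either the pre-scan check refuses to run for files the scanner would handle, or the scanner runs on files the check never looked for. A comment cannot go in this file, since prescan_checks.sh feeds every line to find -name, so document the coupling on the module.yaml side instead, e.g. `# keep in sync with filelist.txt (read line by line by prescan_checks.sh)` above include_files, or derive one list from the other at setup time.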
@@ -0,0 +1,107 @@
+api_version: 1.0
+
+id: boostsecurityio/osv-scalibr-sbom
+name: OSV Scalibr (FS SBOM)
+namespace: boostsecurityio/osv-scalibr-sbom
+scan_types:
+ - sbom
+
+config:
+ support_diff_scan: false
+ include_files:
+ # C/C++
+ - conan.lock
+ # Dart
+ - pubspec.lock
+ # Elixir
+ - mix.lock
+ # Go
+ - go.mod
+ # Haskell
+ - cabal.project.freeze
+ - stack.yaml.lock
+ # Java
+ - "*.jar"
+ - buildscript-gradle.lockfile
+ - gradle.lockfile
+ - verification-metadata.xml
+ - pom.xml
+ # Javascript
+ - bun.lock
+ - package-lock.json
+ - pnpm-lock.yaml
+ - yarn.lock
+ # .Net
+ - "*.csproj"
+ - deps.json
+ - packages.config
+ - packages.lock.json
+ # PHP
+ - composer.lock
+ # Python
+ - Pipfile.lock
+ - poetry.lock
+ - requirements.txt
+ - pdm.lock
+ - pylock.toml
+ - uv.lock
+ # R
+ - renv.lock
+ # Ruby
+ - Gemfile.lock
+ - gems.locked
+ # Rust
+ - Cargo.lock
+ # Custom lockfile http://google.github.io/osv-scanner/supported-languages-and-lockfiles/#custom-lockfiles
+ - osv-scanner.json
+
+setup:
+ - name: Utility scripts
+ run: |
+ mkdir -p $SETUP_PATH/pre-scan-checks/
+ cp $REGISTRY_MODULE_PATH/prescan_checks.sh $SETUP_PATH/pre-scan-checks/osv-scalibr-sbom-scanner
+
+ - name: download osv-scalibr-sbom scanner
+ environment:
+ VERSION: v0.4.5
+ LINUX_X86_64_SHA: 8059587ad55fc7b30502ba58a1bb9754f92f13d95f315167c5870276954ff4c2
+ run: |
+ BASE_URL="https://assets.build.boostsecurity.io/scanners/osv-scalibr/osv-scalibr-${VERSION}"
+ ARCH=$(uname -m)
+
+ case "$(uname -sm)" in
+ "Linux x86_64")
+ BINARY_URL="${BASE_URL}/linux/amd64/osv-scalibr.gz"
+ SHA="${LINUX_X86_64_SHA} osv-scalibr.gz"
+ ;;
+ *)
+ echo "Unsupported machine: ${OPTARG}"
+ exit 1
+ ;;
+ esac
+
+ curl -o osv-scalibr.gz -fsSL "${BINARY_URL}"
+ echo "${SHA}" | sha256sum --check
+
+ gunzip osv-scalibr.gz
+ chmod +x osv-scalibr
+
+steps:
+ - run: ls -laih $SETUP_PATH/
+ - run: $SETUP_PATH/pre-scan-checks/osv-scalibr-sbom-scanner
+ - run: ls -laih $SETUP_PATH/
+ - scan:
+ command:
+ run: >
+ $SETUP_PATH/osv-scalibr -o
+ spdx23-json=result.spdx.json
+ --plugins=dotnet/csproj,java/archive
+ . &&
+ cat result.spdx.json 2>&1
+ format: cyclonedx
+ post-processor:
+ docker:
+ image: public.ecr.aws/boostsecurityio/boost-scanner-osv-scalibr-sbom:c5d385e@sha256:b1a91854cbc39752eecf50a9f6be78f7dba44dcffb8a50c79f06c6a8a610ee62
+ command: process
+ environment:
+ PYTHONIOENCODING: utf-8
diff --git a/scanners/boostsecurityio/osv-scalibr-sbom/prescan_checks.sh b/scanners/boostsecurityio/osv-scalibr-sbom/prescan_checks.sh
new file mode 100755
index 00000000..8e783c9d
--- /dev/null
+++ b/scanners/boostsecurityio/osv-scalibr-sbom/prescan_checks.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+while IFS= read -r line; do
+ if [ "$(find . -name "$line" | wc -l)" != "0" ]
+ then
+ exit 0
+ fi
+done < $REGISTRY_MODULE_PATH/filelist.txt
+>&2 echo "Scan misconfiguration:"
+>&2 echo " OSV-Scalibr-SBOM-Scanner scan did not run because no supported files were detected"
+>&2 echo " See documentation list of supported file types: https://google.github.io/osv-scanner/supported-languages-and-lockfiles/"
+
+exit 1
\ No newline at end of file
diff --git a/scanners/boostsecurityio/osv-scalibr-sbom/tests.yaml b/scanners/boostsecurityio/osv-scalibr-sbom/tests.yaml
new file mode 100644
index 00000000..d5ecd5cf
--- /dev/null
+++ b/scanners/boostsecurityio/osv-scalibr-sbom/tests.yaml
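Review bot: The digest check in the download step does not stop the script on a mismatch unless the runner wraps `run: |` in `set -e`, which is not visible here: `echo "${SHA}" | sha256sum --check` exits non-zero, but the following `gunzip osv-scalibr.gz` and `chmod +x osv-scalibr` run anyway, so a truncated or substituted archive would still be installed and later executed by the scan step. Start the block with `set -euo pipefail`, or at minimum write `echo "${SHA}" | sha256sum --check || exit 1`, so a curl failure or digest mismatch aborts setup. The fallback branch prints `${OPTARG}`, which is only set by getopts and is empty here; `echo "Unsupported machine: $(uname -sm)"` gives the operator the actual value. `ARCH=$(uname -m)` is assigned but never read and can be dropped.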
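Review bot: The redirection `done < $REGISTRY_MODULE_PATH/filelist.txt` is unquoted, so a module path containing whitespace is word-split and the loop reads from the wrong place; write `done < "$REGISTRY_MODULE_PATH/filelist.txt"`. With no `set -u`, an unset REGISTRY_MODULE_PATH turns this into `< /filelist.txt`, bash reports the failed redirect and the script falls through to the "Scan misconfiguration" message, which hides the real cause. Each iteration also walks the whole tree and counts every match before deciding, where `find . -name "$line" -print -quit | grep -q .` stops at the first hit, and find's own errors (unreadable directories) are discarded; if that is intended for a best-effort pre-check, a one-line comment saying so would help the next reader.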
@@ -0,0 +1,37 @@
+version: "1.0"
+tests:
+# - name: "gitleaks" # GO
+# type: "source-code"
+# source:
+# url: "https://github.com/gitleaks/gitleaks.git"
+# ref: "v8.15.2"
+# - name: "vaultwarden" # RUST
+# type: "source-code"
+# source:
+# url: "https://github.com/dani-garcia/vaultwarden.git"
+# ref: "1.30.5"
+# - name: "docusaurus" # NPM
+# type: "source-code"
+# source:
+# url: "https://github.com/facebook/docusaurus.git"
+# ref: "v3.2.1"
+# - name: "nomulus" # Gradle
+# type: "source-code"
+# source:
+# url: "https://github.com/google/nomulus.git"
+# ref: "nomulus-20240501-RC00"
+# - name: "openvino" # Python
+# type: "source-code"
+# source:
+# url: "https://github.com/openvinotoolkit/openvino.git"
+# ref: "2024.1.0"
+# - name: "SCA-jar" # java/archive
+# type: "source-code"
+# source:
+# url: "https://github.com/boost-sandbox/SCA-jar.git"
+# ref: "main"
+ - name: "SCA-csproj" # nuget/csproj
+ type: "source-code"
+ source:
+ url: "https://github.com/boost-sandbox/SCA-csproj.git"
+ ref: "main"
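Review bot: Only the SCA-csproj case is active, so of the two plugins the module enables with `--plugins=dotnet/csproj,java/archive` the java/archive one has no test, and none of the lockfile ecosystems in include_files are exercised either; the other six cases are commented out with no explanation. If they are disabled on purpose (run time, unstable refs), say so in a comment above the block, e.g. `# Only the csproj fixture runs in CI; the others are kept for local verification`, and consider re-enabling SCA-jar so the second plugin is covered.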