BST-19719: create OSV Scalibr SBOM scanner

scanners/boostsecurityio/osv-scalibr-sbom/filelist.txt

@@ -0,0 +1,31 @@
+conan.lock
+pubspec.lock
+mix.lock
+go.mod
+cabal.project.freeze
+stack.yaml.lock
+*.jar
+buildscript-gradle.lockfile
+gradle.lockfile
+verification-metadata.xml
+pom.xml
+bun.lock
+package-lock.json
+pnpm-lock.yaml
+yarn.lock
+deps.json
+packages.config
+*.csproj
+packages.lock.json
+composer.lock
+Pipfile.lock
+poetry.lock
+requirements.txt
+pdm.lock
+pylock.toml
+uv.lock
+renv.lock
+Gemfile.lock
+gems.locked
+Cargo.lock
+osv-scanner.json

scanners/boostsecurityio/osv-scalibr-sbom/module.yaml

@@ -0,0 +1,107 @@
+api_version: 1.0
+
+id: boostsecurityio/osv-scalibr-sbom
+name: OSV Scalibr (FS SBOM)
+namespace: boostsecurityio/osv-scalibr-sbom
+scan_types:
+  - sbom
+
+config:
+  support_diff_scan: false
+  include_files:
+        # C/C++
+    - conan.lock
+    # Dart
+    - pubspec.lock
+    # Elixir
+    - mix.lock
+    # Go
+    - go.mod
+    # Haskell
+    - cabal.project.freeze
+    - stack.yaml.lock
+    # Java
+    - "*.jar"
+    - buildscript-gradle.lockfile
+    - gradle.lockfile
+    - verification-metadata.xml
+    - pom.xml
+    # Javascript
+    - bun.lock
+    - package-lock.json
+    - pnpm-lock.yaml
+    - yarn.lock
+    # .Net
+    - "*.csproj"
+    - deps.json
+    - packages.config
+    - packages.lock.json
+    # PHP
+    - composer.lock
+    # Python
+    - Pipfile.lock
+    - poetry.lock
+    - requirements.txt
+    - pdm.lock
+    - pylock.toml
+    - uv.lock
+    # R
+    - renv.lock
+    # Ruby
+    - Gemfile.lock
+    - gems.locked
+    # Rust
+    - Cargo.lock
+    # Custom lockfile http://google.github.io/osv-scanner/supported-languages-and-lockfiles/#custom-lockfiles
+    - osv-scanner.json
+
+setup:
+  - name: Utility scripts
+    run: |
+      mkdir -p $SETUP_PATH/pre-scan-checks/
+      cp $REGISTRY_MODULE_PATH/prescan_checks.sh $SETUP_PATH/pre-scan-checks/osv-scalibr-sbom-scanner
+
+  - name: download osv-scalibr-sbom scanner
+    environment:
+      VERSION: v0.4.5
+      LINUX_X86_64_SHA: 8059587ad55fc7b30502ba58a1bb9754f92f13d95f315167c5870276954ff4c2
+    run: |
+      BASE_URL="https://assets.build.boostsecurity.io/scanners/osv-scalibr/osv-scalibr-${VERSION}"
+      ARCH=$(uname -m)
+
+      case "$(uname -sm)" in
+        "Linux x86_64")
+          BINARY_URL="${BASE_URL}/linux/amd64/osv-scalibr.gz"
+          SHA="${LINUX_X86_64_SHA} osv-scalibr.gz"
+          ;;
+        *)
+          echo "Unsupported machine: ${OPTARG}"
+          exit 1
+          ;;
+      esac
+
+      curl -o osv-scalibr.gz -fsSL "${BINARY_URL}"
+      echo "${SHA}" | sha256sum --check
+
+      gunzip osv-scalibr.gz
+      chmod +x osv-scalibr
+
+steps:
+  - run: ls -laih $SETUP_PATH/
+  - run: $SETUP_PATH/pre-scan-checks/osv-scalibr-sbom-scanner
+  - run: ls -laih $SETUP_PATH/
+  - scan:
+      command:
+        run: >
+          $SETUP_PATH/osv-scalibr -o
+          spdx23-json=result.spdx.json
+          --plugins=dotnet/csproj,java/archive
+          . &&
+          cat result.spdx.json 2>&1
+      format: cyclonedx
+      post-processor:
+        docker:
+          image: public.ecr.aws/boostsecurityio/boost-scanner-osv-scalibr-sbom:c5d385e@sha256:b1a91854cbc39752eecf50a9f6be78f7dba44dcffb8a50c79f06c6a8a610ee62
+          command: process
+          environment:
+            PYTHONIOENCODING: utf-8

scanners/boostsecurityio/osv-scalibr-sbom/prescan_checks.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+while IFS= read -r line; do
+    if [ "$(find . -name "$line" | wc -l)" != "0" ]
+    then
+        exit 0
+    fi
+done < $REGISTRY_MODULE_PATH/filelist.txt
+>&2 echo "Scan misconfiguration:"
+>&2 echo "  OSV-Scalibr-SBOM-Scanner scan did not run because no supported files were detected"
+>&2 echo "  See documentation list of supported file types: https://google.github.io/osv-scanner/supported-languages-and-lockfiles/"
+
+exit 1

scanners/boostsecurityio/osv-scalibr-sbom/tests.yaml

@@ -0,0 +1,37 @@
+version: "1.0"
+tests:
+#  - name: "gitleaks"  # GO
+#    type: "source-code"
+#    source:
+#      url: "https://github.com/gitleaks/gitleaks.git"
+#      ref: "v8.15.2"
+#  - name: "vaultwarden"  # RUST
+#    type: "source-code"
+#    source:
+#      url: "https://github.com/dani-garcia/vaultwarden.git"
+#      ref: "1.30.5"
+#  - name: "docusaurus"  # NPM
+#    type: "source-code"
+#    source:
+#      url: "https://github.com/facebook/docusaurus.git"
+#      ref: "v3.2.1"
+#  - name: "nomulus"  # Gradle
+#    type: "source-code"
+#    source:
+#      url: "https://github.com/google/nomulus.git"
+#      ref: "nomulus-20240501-RC00"
+#  - name: "openvino"  # Python
+#    type: "source-code"
+#    source:
+#      url: "https://github.com/openvinotoolkit/openvino.git"
+#      ref: "2024.1.0"
+#  - name: "SCA-jar" # java/archive
+#    type: "source-code"
+#    source:
+#      url: "https://github.com/boost-sandbox/SCA-jar.git"
+#      ref: "main"
+  - name: "SCA-csproj" # nuget/csproj
+    type: "source-code"
+    source:
+      url: "https://github.com/boost-sandbox/SCA-csproj.git"
+      ref: "main"