Skip to content

Validate SBOMs with CycloneDX CLI #33757

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mpreyskurantov wants to merge 22 commits into
base: 26_1
Choose a base branch
from
+263 −85
Open

Validate SBOMs with CycloneDX CLI #33757

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
ebb1509
cyclonedx cli validate sbom
mpreyskurantov May 25, 2026
5411141
sha256sum / checksum
mpreyskurantov Jun 3, 2026
e2aab28
Merge remote-tracking branch 'origin(upstream)/26_1' into 26_1-sbom-v…
mpreyskurantov Jun 4, 2026
16d2046
Merge remote-tracking branch 'origin(upstream)/26_1' into 26_1-sbom-v…
mpreyskurantov Jun 5, 2026
73369e3
CYCLONEDX_CLI: WIN -> LINUX (after #33854)
mpreyskurantov Jun 5, 2026
76ef292
CYCLONEDX_CLI: WIN -> LINUX, v2, exe || true (after #33854)
mpreyskurantov Jun 5, 2026
aaffe18
SBOM package(s) flow (like for NPM package(s))
mpreyskurantov Jun 5, 2026
0da90d6
SBOM package(s) optimized flow only (no NPM package(s))
mpreyskurantov Jun 5, 2026
7614d05
revert "continue-on-error: true"
mpreyskurantov Jun 8, 2026
935e8e2
Merge remote-tracking branch 'origin(upstream)/26_1' into 26_1-sbom-v…
mpreyskurantov Jun 8, 2026
6cf243a
Revert "SBOM package(s) optimized flow only (no NPM package(s))"
mpreyskurantov Jun 8, 2026
eb2326f
*.sbom.json -> *.cdx.json
mpreyskurantov Jun 8, 2026
525e50b
dx-make-sbom with hashes
mpreyskurantov Jun 8, 2026
3ed1bf0
hasSbom for tgz
mpreyskurantov Jun 8, 2026
5519d6c
build-hashed
mpreyskurantov Jun 9, 2026
b223804
Merge remote-tracking branch 'origin(upstream)/26_1' into 26_1-sbom-v…
mpreyskurantov Jun 10, 2026
f036feb
validate via action
mpreyskurantov Jun 10, 2026
d8cb985
Merge remote-tracking branch 'origin(upstream)/26_1' into 26_1-sbom-v…
mpreyskurantov Jun 16, 2026
c29251a
Merge remote-tracking branch 'origin(upstream)/26_1' into 26_1-sbom-v…
mpreyskurantov Jun 17, 2026
8f9a65f
DevExpress/github-actions/validate-sbom + commit hash
mpreyskurantov Jun 17, 2026
6bb3327
publish scoped sboms instantly (without changing scope)
mpreyskurantov Jun 20, 2026
2212238
packages/sbom/pnpm-lock.yaml: the lockfile contains entries that the …
mpreyskurantov Jun 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 31 additions & 1 deletion .github/workflows/build_all.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@ on:

env:
NX_SKIP_NX_CACHE: ${{ contains(github.event.pull_request.labels.*.name, 'skip-cache') && 'true' || 'false' }}
CYCLONEDX_CLI_VERSION: 0.32.0
CYCLONEDX_CLI_LINUX_X64_SHA256: 454879e6a4a405c8a13bff49b8982adcb0596f3019b26b0811c66e4d7f0783e1

jobs:
build:
Expand Down Expand Up @@ -69,7 +71,35 @@ jobs:
pnpm set //npm.pkg.github.com/:_authToken="$NODE_AUTH_TOKEN";
pnpm nx build sbom;

- name: Upload SBOM artifacts
- name: Install CycloneDX CLI
if: ${{ github.event_name == 'push' || github.event.inputs.SBOM == 'true' }}
shell: bash
run: |
tool_dir="$RUNNER_TEMP/cyclonedx-cli"
mkdir -p "$tool_dir"
curl -fsSL "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v${{ env.CYCLONEDX_CLI_VERSION }}/cyclonedx-linux-x64" -o "$tool_dir/cyclonedx"
echo "${{ env.CYCLONEDX_CLI_LINUX_X64_SHA256 }} $tool_dir/cyclonedx" | sha256sum -c -
chmod +x "$tool_dir/cyclonedx"
echo "$tool_dir" >> "$GITHUB_PATH"
Comment thread
mpreyskurantov marked this conversation as resolved.

- name: Validate SBOMs
if: ${{ github.event_name == 'push' || github.event.inputs.SBOM == 'true' }}
shell: bash
run: |
shopt -s nullglob
sbom_files=(packages/sbom/dist/*.sbom.json)

Comment on lines +89 to +91
Comment on lines +88 to +91
Comment on lines +89 to +91
if [ ${#sbom_files[@]} -eq 0 ]; then
echo "No SBOM files found in packages/sbom/dist"
exit 1
fi

for file in "${sbom_files[@]}"; do
echo "Validating $file"
cyclonedx validate --input-file "$file" --input-format json --fail-on-errors
done

- name: Upload SBOMs
if: ${{ github.event_name == 'push' || github.event.inputs.SBOM == 'true' }}
uses: actions/upload-artifact@v7
with:
Expand Down
133 changes: 126 additions & 7 deletions .github/workflows/packages_publishing.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ env:
NX_SKIP_NX_CACHE: true
FILTER: ${{ github.event_name == 'workflow_dispatch' && inputs.filter || '' }}
SET_TIMESTAMP_VERSION: ${{ inputs.tag == 'daily' }}
SBOM_PACKAGE_NAMES: devextreme,devextreme-angular,devextreme-react,devextreme-vue,devextreme-themebuilder

jobs:
build:
Expand Down Expand Up @@ -52,27 +53,83 @@ jobs:
BUILD_INTERNAL_PACKAGE: true
run: pnpm run all:build

# Builds the dx-make-sbom package argument list from known package names and the tgz files produced in artifacts/npm.
# Produces SBOM_PACKAGES for the packages/sbom build-hashed target.
- name: Prepare SBOM package inputs
shell: bash
run: |
package_version=$(node -p "require('./package.json').version")
IFS=',' read -ra package_names <<< "$SBOM_PACKAGE_NAMES"
sbom_packages=()

for package_name in "${package_names[@]}"; do
tgz_path="artifacts/npm/$package_name-$package_version.tgz"

if [ ! -f "$tgz_path" ]; then
echo "Expected package tarball not found: $tgz_path"
exit 1
fi

sbom_packages+=("$package_name(../../$tgz_path)")
done

sbom_packages_value=$(IFS=,; echo "${sbom_packages[*]}")
echo "SBOM_PACKAGES=$sbom_packages_value" >> "$GITHUB_ENV"
echo "$sbom_packages_value"

# Generates CycloneDX SBOM JSON files for the selected packages using the just-built tgz files.
# Produces packages/sbom/dist/*.cdx.json.
- name: Build SBOMs
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
pnpm set //npm.pkg.github.com/:_authToken="$NODE_AUTH_TOKEN";
pnpm nx build sbom;
pnpm nx build-hashed sbom;

# Collects concrete SBOM file paths for validation because the shared action expects explicit file names.
# Produces the sbomFiles.outputs.files multiline output.
- name: Collect SBOM files
id: sbomFiles
shell: bash
run: |
shopt -s nullglob
sbom_files=(packages/sbom/dist/*.cdx.json)

if [ ${#sbom_files[@]} -eq 0 ]; then
echo "No SBOM files found in packages/sbom/dist"
exit 1
fi

{
echo "files<<EOF"
printf '%s\n' "${sbom_files[@]}"
echo "EOF"
} >> "$GITHUB_OUTPUT"

# Validates every generated CycloneDX SBOM file with the shared validation action.
# Produces no artifact; fails the workflow if any SBOM is invalid.
- name: Validate SBOMs
uses: DevExpress/github-actions/validate-sbom@5034a6d5e0fd18fc2826ed20a5140f9c83b8994f
with:
input-format: json
input-files: ${{ steps.sbomFiles.outputs.files }}

- name: Build artifacts package
run: pnpm run make-artifacts-package

- name: Upload SBOM artifact
# Saves generated SBOM files for the publish job.
# Produces the sbom-packages workflow artifact.
- name: Upload SBOMs
uses: actions/upload-artifact@v7
with:
name: sbom
name: sbom-packages
path: packages/sbom/dist
retention-days: 7

- name: Upload packages
uses: actions/upload-artifact@v7
with:
name: packages
name: npm-packages
path: artifacts/npm/*.tgz
retention-days: 2

Expand All @@ -94,10 +151,19 @@ jobs:
- name: Get sources
uses: actions/checkout@v6

- name: Download artifacts
- name: Download packages
uses: actions/download-artifact@v8
with:
name: packages
name: npm-packages
path: npm-packages

# Restores generated SBOM files from the build job.
# Produces the local sbom-packages directory for matrix publishing.
- name: Download SBOMs
uses: actions/download-artifact@v8
with:
name: sbom-packages
path: sbom-packages

- name: Use Node.js
uses: actions/setup-node@v6
Expand All @@ -117,13 +183,50 @@ jobs:
PACKAGE: ${{ matrix.package }}
run: |
SCOPE=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]');
PACKAGE_DIR=$(pnpm --silent run change-package-scope --tgz $PACKAGE.tgz --scope $SCOPE)
PACKAGE_DIR=$(pnpm --silent run change-package-scope --tgz npm-packages/$PACKAGE.tgz --scope $SCOPE)
echo "packageDir=$PACKAGE_DIR" >> "$GITHUB_OUTPUT";
cd $PACKAGE_DIR;
pnpm pkg get name | tr -d '"' | sed -r 's/(.*)/name=\1/' >> "$GITHUB_OUTPUT";
pnpm pkg get version | tr -d '"' | sed -r 's/(.*)/version=\1/' >> "$GITHUB_OUTPUT";
pnpm pkg get version | tr -d '"' | sed -r 's/([0-9]+\.[0-9]+).*/majorVersion=\1/' >> "$GITHUB_OUTPUT";

# Wraps the matching SBOM JSON file into a minimal scoped npm package when the matrix package has an SBOM.
# Produces scopedSbomPackage outputs used by the publish step.
- name: Build SBOM package
id: scopedSbomPackage
env:
PACKAGE_NAME: ${{ steps.scopedPackage.outputs.name }}
PACKAGE_VERSION: ${{ steps.scopedPackage.outputs.version }}
run: |
UNSCOPED_PACKAGE_NAME=$(echo "$PACKAGE_NAME" | sed -r 's#^@[^/]+/##');
SBOM_FILE="sbom-packages/$UNSCOPED_PACKAGE_NAME.cdx.json";

if [[ ",$SBOM_PACKAGE_NAMES," != *",$UNSCOPED_PACKAGE_NAME,"* ]]; then
echo "SBOM publishing is not configured for $UNSCOPED_PACKAGE_NAME"
echo "hasSbom=false" >> "$GITHUB_OUTPUT";
exit 0;
fi

if [ ! -f "$SBOM_FILE" ]; then
echo "No SBOM found for $UNSCOPED_PACKAGE_NAME"
echo "hasSbom=false" >> "$GITHUB_OUTPUT";
exit 0;
fi

SCOPE=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]');
SBOM_PACKAGE_NAME="@$SCOPE/$UNSCOPED_PACKAGE_NAME-sbom";
SBOM_PACKAGE_DIR="sbom-package/$SBOM_PACKAGE_NAME";

mkdir -p "$SBOM_PACKAGE_DIR";
cp "$SBOM_FILE" "$SBOM_PACKAGE_DIR/";
cd "$SBOM_PACKAGE_DIR";
node -e "const fs = require('fs'); const [name, version] = process.argv.slice(1); fs.writeFileSync('package.json', JSON.stringify({ name, version }, null, 2));" "$SBOM_PACKAGE_NAME" "$PACKAGE_VERSION";
echo "hasSbom=true" >> "$GITHUB_OUTPUT";
echo "packageDir=$PWD" >> "$GITHUB_OUTPUT";
pnpm pkg get name | tr -d '"' | sed -r 's/(.*)/name=\1/' >> "$GITHUB_OUTPUT";
pnpm pkg get version | tr -d '"' | sed -r 's/(.*)/version=\1/' >> "$GITHUB_OUTPUT";
pnpm pkg get version | tr -d '"' | sed -r 's/([0-9]+\.[0-9]+).*/majorVersion=\1/' >> "$GITHUB_OUTPUT";

# --ignore-scripts is required for publishing devextreme-angular which fails with error:
# 'Trying to publish a package that has been compiled by Ivy in full compilation mode.'
# Should be removed.
Expand All @@ -139,6 +242,22 @@ jobs:
pnpm publish --no-git-checks --quiet --ignore-scripts --tag $PACKAGE_VERSION_MAJOR-${{ inputs.tag }} --registry https://npm.pkg.github.com;
pnpm dist-tag add $PACKAGE_NAME@$PACKAGE_VERSION latest --registry=https://npm.pkg.github.com;

# --ignore-scripts - like above, should be removed, check if could be removed everywhere
# Publishes the generated scoped SBOM npm package to GitHub Packages.
# Produces @<owner>/<package>-sbom in the npm.pkg.github.com feed.
- name: Publish SBOM to npm.pkg.github.com
if: ${{ steps.scopedSbomPackage.outputs.hasSbom == 'true' }}
working-directory: ${{ steps.scopedSbomPackage.outputs.packageDir }}
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PACKAGE_NAME: ${{ steps.scopedSbomPackage.outputs.name }}
PACKAGE_VERSION: ${{ steps.scopedSbomPackage.outputs.version }}
PACKAGE_VERSION_MAJOR: ${{ steps.scopedSbomPackage.outputs.majorVersion }}
run: |
pnpm set //npm.pkg.github.com/:_authToken="$NODE_AUTH_TOKEN";
pnpm publish --no-git-checks --quiet --ignore-scripts --tag $PACKAGE_VERSION_MAJOR-${{ inputs.tag }} --registry https://npm.pkg.github.com;
pnpm dist-tag add $PACKAGE_NAME@$PACKAGE_VERSION latest --registry=https://npm.pkg.github.com;

notify:
runs-on: devextreme-shr2
name: Send notifications
Expand Down
Loading
Loading