Skip to content

Commit

Permalink
Merge branch 'sbom_alpine_clearing' of https://github.com/siemens/con…
Browse files Browse the repository at this point in the history
…tinuous-clearing into sbom_alpine_clearing
  • Loading branch information
Sumanth K B committed Oct 25, 2023
2 parents 64b319c + f695b81 commit cd5a560
Show file tree
Hide file tree
Showing 3 changed files with 28 additions and 6 deletions.
5 changes: 3 additions & 2 deletions doc/UsageDoc/CA-Tool--SBOM-Vision.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
## Continuous Clearing Tool
The Continuous Clearing Tool scans and collects the 3rd party OSS components used in a NPM/NuGet/Maven/Debian & Python project and uploads it to SW360 and Fossology by accepting respective project ID for license clearing.
The Continuous Clearing Tool scans and collects the 3rd party OSS components used in a NPM/NuGet/Maven/Debian/Alpine & Python project and uploads it to SW360 and Fossology by accepting respective project ID for license clearing.

## Continuous Clearing SBOM Tool
BOM generated from the Continuous Clearing Tool will have all the dependencies included in the scanned package , component type, source repo URL, dependency type etc.
Expand All @@ -17,6 +17,7 @@ BOM generated from the Continuous Clearing Tool will have all the dependencies i
- Javascript (npm)
- Dotnet (nuget)
- Debian
- Alpine
- Maven (jar)
- Python (poetry, requiremens.txt)

Expand All @@ -25,7 +26,7 @@ BOM generated from the Continuous Clearing Tool will have all the dependencies i
![image.png](../usagedocimg/WF.png)

## Use Cases:
1. Package identifier Should read all 1st and 3rd components of package type (NPM,NUGET,DEBIAN,PYPI & MAVEN)
1. Package identifier Should read all 1st and 3rd components of package type (NPM,NUGET,DEBIAN,ALPINE,PYPI & MAVEN)
- Read SBOM supplied from customer.
- [ ] SBOM needs to be in specified CycloneDX format.
- [ ] At least all the dependencies should be included in SBOM, further CA Tool needs
Expand Down
29 changes: 25 additions & 4 deletions doc/UsageDoc/CA_UsageDocument.md
Original file line number Diff line number Diff line change
Expand Up @@ -46,15 +46,15 @@
<!--te-->
# Introduction

The Continuous Clearing Tool helps the Project Manager/Developer to automate the sw360 clearing process of 3rd party components. This tool scans and identifies the third-party components used in a NPM, NUGET, MAVEN and Debian projects and makes an entry in SW360, if it is not present. Continuous Clearing Tool links the components to the respective project and creates job for code scan in FOSSology.The output is an SBOM file which has a nested description of software artifact components and metadata.
The Continuous Clearing Tool helps the Project Manager/Developer to automate the sw360 clearing process of 3rd party components. This tool scans and identifies the third-party components used in a NPM, NUGET, MAVEN, Debian and Alpine projects and makes an entry in SW360, if it is not present. Continuous Clearing Tool links the components to the respective project and creates job for code scan in FOSSology.The output is an SBOM file which has a nested description of software artifact components and metadata.

Continuous Clearing Tool reduces the effort in creating components in SW360 and identifying the matching source codes from the public repository. Tool eliminates the manual error while creating component and identifying correct version of source code from public repository. Continuous Clearing Tool harmonize the creation of 3P components in SW360 by filling necessary information.

# Continuous Clearing Tool workflow diagram

- Package Identifier
- [NPM/NUGET/MAVEN/PYTHON](../usagedocimg/packageIdentifiernpmnuget.PNG)
- [Debian](../usagedocimg/packageIdentifierdebian.PNG)
- [Debian/Alpine](../usagedocimg/packageIdentifierdebianalpine.PNG)
- SW360 Package Creator
- [NPM/NUGET/MAVEN/PYTHON](../usagedocimg/packageCreatirnpmnuget.PNG)
- [Debian](../usagedocimg/packagecreatordebian.PNG)
Expand Down Expand Up @@ -180,7 +180,22 @@ Continuous Clearing Tool reduces the effort in creating components in SW360 and
Resulted `output.json` file will be having the list of installed packages and the same file will be used as an input to `Continuous clearing tool - Bom creator` as an argument(`--packagefilepath`). The remaining process is same as other project types.

- **Project Type :** **Alpine**

**Note** : below steps is required only if you have `tar` file to process , otherwise you can keep `CycloneDx.json` file in the InputDirectory.
`Note : Alpine package support in clearing tool is currently only for SBOM discovery and classification.Component Creation and Source code identification is not supported currently`
* Create `InputImage` directory for keeping `tar` images and `InputDirectory` for resulted file storing .

* Run the command given below by replacing the place holder values (i.e., path to input image directory, path to input directory and file name of the Alpine image to be cleared) with actual values.

**Example**: `docker run --rm -v <path/to/InputImageDirectory>:/tmp/InputImages -v <path/to/InputDirectory>:/tmp/OutputFiles ghcr.io/siemens/continuous-clearing ./syft packages /tmp/InputImages/<fileNameoftheAlpineImageTobeCleared.tar> -o cyclonedx-json --file "/tmp/OutputFiles/output.json"`


After successful execution, `output.json` (_CycloneDX.json_) file will be created in specified directory

![image.png](../usagedocimg/output.PNG)

Resulted `output.json` file will be having the list of installed packages and the same file will be used as an input to `Continuous clearing tool - Bom creator` as an argument(`--packagefilepath`). The remaining process is same as other project types.
### **Configuring the Continuous Clearing Tool**

Arguments can be provided to the tool in two ways :
Expand Down Expand Up @@ -255,6 +270,11 @@ Continuous Clearing Tool reduces the effort in creating components in SW360 and
"Exclude": [],
"ExcludedComponents": []
},
"Alpine": {
"Include": [ "*.json" ],
"Exclude": [],
"ExcludedComponents": []
},
"Python": {
"Include": [ "poetry.lock", "*.cdx.json" ],
"Exclude": [],
Expand All @@ -272,7 +292,7 @@ Description for the settings in `appSettings.json` file
| 3 |--bomfolderpath | Path to keep the generated boms | Yes , For Docker run /mnt/Output | D:\Clearing Automation\BOM
| 4| --sw360token | SW360 Auth Token | Yes| Refer the SW360 Doc [here](https://www.eclipse.org/sw360/docs/development/restapi/access).Make sure you pass this credential in a secured way. |
| 5 | --sw360projectid | Project ID from SW360 project URL of the project | Yes| Obtained from SW360 |
| 6| --projecttype | Type of the package | Yes | NPM/NUGET/Debian/MAVEN |
| 6| --projecttype | Type of the package | Yes | NPM/NUGET/Debian/MAVEN/Alpine |
|7 | --removedevdependency | Make this field to `true` , if Dev dependencies needs to be excluded from clearing | Optional ( By default set to true) | true/false |
| 8| --sw360url | SW360 URL |Yes | https://<my_sw360_server>|
| 9| --sw360authtokentype | SW360 Auth Token |Yes | Token/Bearer |
Expand Down Expand Up @@ -333,13 +353,14 @@ Continuous Clearing Tool can be executed as container or as binaries,

### SW360 Package Creator

* SW360 Package Creator is **_`not currently applicable Alpine type package`_** clearance.
- In order to run the SW360PackageCreator.dll , execute the below command.

**Example** : `docker run --rm -it -v /path/to/OutputDirectory:/mnt/Output -v /path/to/LogDirectory:/var/log -v /path/to/configDirectory:/etc/CATool ghcr.io/siemens/continuous-clearing dotnet SW360PackageCreator.dll --settingsfilepath /etc/CATool/appSettings.json`

### Artifactory Uploader

* Artifactory uploader is **_`not applicable for Debian type package`_** clearance.
* Artifactory uploader is **_`not applicable for Debian and Alpine type package`_** clearance.

* In order to run the Artifactory Uploader dll , execute the below command.

Expand Down

0 comments on commit cd5a560

Please sign in to comment.