Merge pull request #114 from yetanalytics/sbom

Depedendency Audit Tasks:

Author: deathtenk

Makefile

@@ -1,4 +1,4 @@
-.phony: test bench clean bundle bundle-help ci
+.phony: test bench clean bundle bundle-help ci sbom sbom-csv runtime-info
 
 clean:
 	rm -rf target dev-resources/bench/*.json pom.xml
@@ -65,3 +65,20 @@ bundle-help: target/bundle
 # Generate a POM for dependency graph resolution
 pom.xml:
 	clojure -Acli -Spom
+
+sbom: pom.xml
+	mvn -q org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom \
+	  -DoutputFormat=json \
+	  -DoutputName=xapipe \
+	  -DschemaVersion=1.6 \
+	  -DprojectType=application
+
+sbom-csv: sbom
+	jq -r -f ./dev-resources/sbom/sbom_flat.jq ./target/xapipe.json > ./target/xapipe-sbom.csv
+
+target/runtime-info.txt: bundle Dockerfile
+	mkdir -p target
+	docker build -t xapipe:local .
+	docker run --rm --entrypoint sh xapipe:local -c 'set -e; echo "== OS =="; cat /etc/os-release; echo; echo "== Kernel =="; uname -a; echo; echo "== Java =="; /xapipe/runtimes/linux/bin/java -version 2>&1; echo; echo "== Packages =="; apk info -vv' > target/runtime-info.txt
+
+runtime-info: target/runtime-info.txt

dev-resources/sbom/sbom_flat.jq

@@ -0,0 +1,17 @@
+def pkg_name(c):
+  if (c.group? // "") != "" then "\(c.group)/\(c.name)" else (c.name // "") end;
+
+[
+  .metadata.component?,
+  .components[]?
+]
+| map(select(. != null))
+| map({
+    package: pkg_name(.),
+    source: (.purl // .["bom-ref"] // .author // .publisher // "unknown"),
+    version: (.version // "unknown")
+  })
+| unique
+| sort_by(.package, .version)
+| (["package","source","version"] | @csv),
+  (.[] | [ .package, .source, .version ] | @csv)