From b34843fd5284e036a6d40175786806bdca6b5475 Mon Sep 17 00:00:00 2001
From: Alexey Makhov
Date: Wed, 27 Sep 2023 10:36:19 +0300
Subject: [PATCH] SBOM generation

Signed-off-by: Alexey Makhov
---
 .github/workflows/go.yml | 20 +++++++++++++++++
 .github/workflows/sbom-upload.yml | 36 +++++++++++++++++++++++++++++++
 Makefile | 32 +++++++++++++++++++++++++++
 syft.yaml | 4 ++++
 4 files changed, 92 insertions(+)
 create mode 100644 .github/workflows/sbom-upload.yml
 create mode 100644 syft.yaml

diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 559ba59a9..0df9f2864 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -48,6 +48,26 @@ jobs:
 run: |
 make docker-build
 
+ generate-sbom:
+ name: "Build :: SBOM"
+ needs: [ build ]
+
+ runs-on: ubuntu-22.04
+
+ steps:
+ - name: Check out code into the Go module directory
+ uses: actions/checkout@v3
+
+ - name: Generate SBOM
+ run: |
+ mkdir -p sbom && chmod 777 sbom
+ make sbom/spdx.json
+
+ - uses: actions/upload-artifact@v3
+ with:
+ name: spdx.json
+ path: sbom/spdx.json
+
 unittest:
 name: Unit test
 needs: build
diff --git a/.github/workflows/sbom-upload.yml b/.github/workflows/sbom-upload.yml
new file mode 100644
index 000000000..b10c50d1b
--- /dev/null
+++ b/.github/workflows/sbom-upload.yml
@@ -0,0 +1,36 @@
+name: SBOM upload
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+
+jobs:
+ sbom-upload:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: write
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Generate SBOM
+ env:
+ COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ run: |
+ mkdir -p sbom && chmod 777 sbom
+ echo $COSIGN_KEY | base64 -d > cosign.key
+ make sign-sbom
+
+ - uses: actions/upload-artifact@v3
+ with:
+ name: sbom
+ path: sbom/
+
+ - name: SBOM upload
+ uses: advanced-security/spdx-dependency-submission-action@v0.0.1
+ with:
+ filePath: sbom/spdx.json
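Review bot: `chmod 777 sbom` in the Generate SBOM step makes the output directory world-writable to work around the container running as `$(BUILD_UID):$(BUILD_GID)` in the Makefile recipe; the same line is repeated in the Generate SBOM step of sbom-upload.yml. On a hosted runner the workspace already belongs to the runner user, so passing its ids through, `make sbom/spdx.json BUILD_UID=$(id -u) BUILD_GID=$(id -g)`, avoids loosening permissions, assuming those are ordinary overridable Make variables (their definitions are outside this patch); the `mkdir -p` is already done by the `sbom/spdx.json` recipe. Separately, this job only checks out the source while the recipe bind-mounts `embedded-bins/staging/linux/bin`, so unless that directory is produced in this job the SBOM presumably covers go.mod alone — confirm that is the intent given `needs: [ build ]`. Pinning `actions/checkout` and `actions/upload-artifact` to a full commit SHA rather than `@v3` would suit a job whose output is later signed.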
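Review bot: `permissions` grants `id-token: write`, but nothing in this job uses the OIDC token — signing is key-based from a secret and `make sign-sbom` runs cosign with `--tlog-upload=false` — so the grant should be dropped (or the job moved to keyless signing, which is what that permission exists for); `contents: write` is the one the dependency-submission step needs. The Generate SBOM step decodes the private signing key to `cosign.key` in the workspace and never removes it, so the file remains on the runner for the remaining steps, including the third-party `spdx-dependency-submission-action`; add a final cleanup step, `- name: Remove signing key` / `if: always()` / `run: rm -f cosign.key`, or hand the key to cosign without writing it to disk. Scoping `${{ secrets.COSIGN_KEY }}` to that single step is right, and `upload-artifact` uploads `sbom/` rather than the workspace root, so the key is not captured in the artifact — worth a one-line comment on the `path:` so nobody later widens it. A job that holds a signing key and `contents: write` should also pin its actions to full commit SHAs rather than `@v3` and the pre-1.0 `@v0.0.1`.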
diff --git a/Makefile b/Makefile
index dfe5fd436..0c1645b74 100644
--- a/Makefile
+++ b/Makefile
@@ -252,3 +252,35 @@ kind-deploy-k0smotron: release k0smotron-image-bundle.tar
 kubectl apply -f install.yaml
 kubectl rollout restart -n k0smotron deployment/k0smotron-controller-manager
 
+sbom/spdx.json: go.mod
+ mkdir -p -- '$(dir $@)'
+ docker run --rm \
+ -v "$(CURDIR)/go.mod:/k0s/go.mod" \
+ -v "$(CURDIR)/embedded-bins/staging/linux/bin:/k0s/bin" \
+ -v "$(CURDIR)/syft.yaml:/tmp/syft.yaml" \
+ -v "$(CURDIR)/sbom:/out" \
+ --user $(BUILD_UID):$(BUILD_GID) \
+ anchore/syft:v0.90.0 \
+ /k0s -o spdx-json@2.2=/out/spdx.json -c /tmp/syft.yaml
+
+.PHONY: sign-sbom
+sign-sbom: sbom/spdx.json
+ docker run --rm \
+ -v "$(CURDIR):/k0s" \
+ -v "$(CURDIR)/sbom:/out" \
+ -e COSIGN_PASSWORD="$(COSIGN_PASSWORD)" \
+ gcr.io/projectsigstore/cosign:v2.2.0 \
+ sign-blob \
+ --key /k0s/cosign.key \
+ --tlog-upload=false \
+ /k0s/sbom/spdx.json --output-file /out/spdx.json.sig
+
+.PHONY: sign-pub-key
+sign-pub-key:
+ docker run --rm \
+ -v "$(CURDIR):/k0s" \
+ -v "$(CURDIR)/sbom:/out" \
+ -e COSIGN_PASSWORD="$(COSIGN_PASSWORD)" \
+ gcr.io/projectsigstore/cosign:v2.2.0 \
+ public-key \
+ --key /k0s/cosign.key --output-file /out/cosign.pub
diff --git a/syft.yaml b/syft.yaml
new file mode 100644
index 000000000..b040587ec
--- /dev/null
+++ b/syft.yaml
@@ -0,0 +1,4 @@
+file-metadata:
+ cataloger:
+ enabled: true
+ digests: ["sha256"]
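Review bot: `sbom/spdx.json: go.mod` names only go.mod as a prerequisite, yet the recipe also feeds syft `syft.yaml` and the bind-mounted `embedded-bins/staging/linux/bin`, so a change to either leaves a stale spdx.json that `sign-sbom` will then sign; at least add the config, `sbom/spdx.json: go.mod syft.yaml`, and consider making the target `.PHONY` if the staged binaries cannot be expressed as prerequisites. Both images that produce and sign the SBOM are pulled by mutable tag (`anchore/syft:v0.90.0`, `gcr.io/projectsigstore/cosign:v2.2.0`); for a supply-chain artefact pin them by digest as well, e.g. `anchore/syft:v0.90.0@sha256:<digest>`. With `--tlog-upload=false` the detached `.sig` carries no transparency-log entry or timestamp, so consumers must verify against `cosign.pub` with the transparency-log check explicitly disabled; if that is deliberate, a comment above `sign-sbom` saying so, and noting that `sign-pub-key` is how the matching public key is published, would save the next reader a question. Docker creates a missing bind-mount source on the host, so if `embedded-bins/staging/linux/bin` is absent the recipe presumably still succeeds with an empty `/k0s/bin` — confirm whether that silent degradation is acceptable.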