sbom generation and upload seems to work

2025-04-02 14:39:20 +02:00
parent b2d816983b
commit 856368c6c3
1 changed files with 40 additions and 2 deletions
--- a/snippets/test03.py
+++ b/snippets/test03.py
@ -1,6 +1,8 @@
 import os
 from loguru import logger
 import argparse
+import subprocess
+import json

 import defectdojo_api
 from defectdojo_api.rest import ApiException as DefectDojoApiException
@ -16,14 +18,31 @@ def executeApiCall(apiClient, ApiClass, EndpointMethod, RequestClass, requestPar
    try:
        logger.info(f"Calling {ApiClass}.{EndpointMethod} with {RequestClass} ({additionalParams}, {requestParams})")
        instance = ApiClass(apiClient)
-        request = RequestClass(**requestParams)
-        response = EndpointMethod(instance, *additionalParams, request)
+        if RequestClass:
+            request = RequestClass(**requestParams)
+            response = EndpointMethod(instance, *additionalParams, request)
+        else:
+            response = EndpointMethod(instance, *additionalParams)
        logger.info(f"Response is {response}")
        return response
    except Exception as e:
        logger.error(f"Caught error {e} with {str(e)}")
        raise MyLocalException(e)

+def generateSBOM(target='.', name='dummyName', version='0.0.0'):
+    try:
+        result = subprocess.run(
+            ["syft", "scan", target, "-o", "cyclonedx-json", "--source-name", name, "--source-version", version],
+            check=True,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE,
+            text=True
+        )
+        sbom = json.loads(result.stdout)
+        return sbom
+    except subprocess.CalledProcessError as e:
+        logger.error(f"SBOM scanner failed: {e.stderr}")
+        raise MyLocalException(e)


 try:
@ -53,12 +72,21 @@ parser.add_argument('--classifier', '-c',
                    help='Project Classifier from DependencyTrack',
                    choices=['APPLICATION', 'FRAMEWORK', 'LIBRARY', 'CONTAINER', 'OPERATING_SYSTEM', 'DEVICE', 'FIRMWARE', 'FILE', 'PLATFORM', 'DEVICE_DRIVER', 'MACHINE_LEARNING_MODEL', 'DATA'],
                    required=True)
+parser.add_argument('--target', '-T',
+                    help='Target to scan, either path name for sources or docker image tag',
+                    required=True)
 args = parser.parse_args()
 projectName = args.name
 projectVersion = args.version
 projectDescription = args.description
 productType = args.type
 projectClassifier = args.classifier
+target = args.target
+
+
+logger.info(f"Generating SBOM for {target}")
+sbom = generateSBOM(target, projectName, projectVersion)
+logger.info("Done.")


 defectdojo_configuration = defectdojo_api.Configuration(
@ -135,3 +163,13 @@ with dependencytrack_api.ApiClient(dependencytrack_configuration) as dependencyt
            [ project_uuid ]
        )

+    bom_response = \
+        executeApiCall(
+            dependencytrack_api_client,
+            dependencytrack_api.BomApi,
+            dependencytrack_api.BomApi.upload_bom,
+            None,
+            None,
+            [ None, False, projectName, projectVersion, None, None, None, None, True, json.dumps(sbom) ]
+        )
+