ozg-7494 upload sbom

ccdeba1a · Bastian · a992dd26 · ccdeba1a
Commit ccdeba1a authored 3 months ago by Bastian
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -28,7 +28,6 @@ pipeline {
        }
    }

-tools { go 'go-1.22.0' }
    environment {
        RELEASE_REGEX = /v\d+.\d+.\d+/
        BETA_REGEX = /v\d+.\d+.\d+-beta.\d/
@@ -82,9 +81,6 @@ tools { go 'go-1.22.0' }
                    FAILED_STAGE=env.STAGE_NAME
                        
                    sh '''
-                        #export GOPATH so that installed dependecies could be found
-                        export GOPATH=$GOROOT
-                        
                        go mod download
                        go install \
                        github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-grpc-gateway \
@@ -113,24 +109,6 @@ tools { go 'go-1.22.0' }
            }
        } 

-
-        stage ('OWASP Dependency-Check Vulnerabilities') {
-            steps {
-                dependencyCheck additionalArguments: ''' 
-                    -o "./" 
-                    -s "./"
-                    -f "ALL" 
-                    -d /dependency-check-data
-                    --suppression dependency-check-supressions.xml
-                    --disableKnownExploited
-                    --noupdate
-                    --disableArchive
-                    --prettyPrint''', odcInstallation: 'dependency-check-owasp'
-
-                dependencyCheckPublisher pattern: 'dependency-check-report.xml'
-            }
-        }   
-
        stage('Build and publish Docker image') {
            steps {
                script {
@@ -204,8 +182,31 @@ tools { go 'go-1.22.0' }
                }
            }
        }
+
+        stage ('Deploy SBOM to DependencyTrack') {
+            when {
+                anyOf {
+                    branch 'main'
+                    branch 'release'
+                }
+            }
+            steps {
+                script {
+                    catchError(buildResult: 'UNSTABLE', stageResult: 'FAILURE') {
+                        sh '''
+                            go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
+                            go env -w GOFLAGS=-buildvcs=false
+                            
+                            cyclonedx-gomod version
+                            cyclonedx-gomod app -main cmd/antragsraum-proxy/ -output sbom.xml
+                            '''
+
+                        dependencyTrackPublisher artifact: 'sbom.xml', projectName: 'fachstellen-proxy', projectVersion: env.BRANCH_NAME, synchronous: true
+                    }
+                }
+            }
+        }
    }
-    
 }