chore(sbom): create SBoM from image

.github/workflows/build.yaml

@@ -4,6 +4,9 @@ on:
     branches:
       - master
   pull_request:
+    branches:
+      - master
+  workflow_dispatch:
 jobs:
   build:
     name: Build
@@ -16,13 +19,60 @@ jobs:
         run: |
           docker build --file Dockerfile --tag conplementag/cops-controller:${{ github.sha }} .
 
-      - name: Upload SBOM to DTrack
+      - name: Download and install syft
+        run: |
+          curl -L https://github.com/anchore/syft/releases/download/v${{ vars.SYFT_VERSION }}/syft_${{ vars.SYFT_VERSION }}_linux_amd64.tar.gz --output syft.tgz
+          echo "${{ vars.SYFT_SHA256 }}  syft.tgz" > cksum.txt
+          sha256sum --check --status cksum.txt
+          if [ $? -eq 1 ]
+            then
+              echo "Security-Error: Unexpected SHA256 of downloaded syft executable!"
+              exit 1
+            fi
+          rm cksum.txt
+          tar xvfz syft.tgz
+          chmod +x ./syft
+          ./syft --version
+          export PATH=$PATH:$(pwd)
+
+      - name: Download and install cp BomCleaner
+        run: |
+          curl -L https://github.com/conplementAG/BomCleaner/releases/download/v${{ vars.BOMCLEANER_VERSION }}/dotnetbomcleaner --output dotnetbomcleaner
+          echo "${{vars.BOMCLEANER_SHA256 }}  dotnetbomcleaner" > cksum.txt
+          sha256sum --check --status cksum.txt
+          if [ $? -eq 1 ]
+          then
+            echo "Security-Error: Unexpected SHA256 of downloaded bomcleaner executable!"
+            exit 1
+          fi
+          rm cksum.txt
+          chmod +x ./dotnetbomcleaner
+          export PATH=$PATH:$(pwd)
+
+      - name: Create SBoM with syft
+        run: |
+          ./syft conplementag/cops-controller:${{ github.sha }} -c syft.yaml -o cyclonedx-xml=sbom.xml
+          ret_code=$?
+          if [ $ret_code -ne 0 ]
+          then
+            echo "syft failed to create SBoM with error code $ret_code"
+            exit 1
+          fi
+          cat sbom.xml
+
+      - name: Clean SBoM with cp BomCleaner
+        run: |
+          id=$(docker create conplementag/cops-controller:${{ github.sha }})
+          docker cp $id:/app/ConplementAG.CopsController.deps.json ./ConplementAG.CopsController.deps.json
+          docker rm -v $id
+          ./dotnetbomcleaner sbom.xml ConplementAG.CopsController.deps.json
+
+          cat ./cleanbom.xml
+
+      - name: Upload SBoM to DTrack
         run: |
-          docker run --name cops-controller-${{ github.sha }} --entrypoint dotnet conplementag/cops-controller:${{ github.sha }} --info
-          docker cp cops-controller-${{ github.sha }}:/sboms/ ./sboms
-
           echo "Uploading SBOM to ${{ vars.DTRACK_URL }}/api/v1/bom"
-          curl --retry 5 --retry-delay 60 -X 'POST' '${{ vars.DTRACK_URL }}/api/v1/bom' -H 'Content-Type:multipart/form-data' -H 'X-API-Key:${{ secrets.DTRACK_API_KEY }}' -F 'project=${{ secrets.DTRACK_PROJECTID }}' -F 'bom=@./sboms/cops-controller-sbom.xml'
+          curl --retry 5 --retry-delay 60 -X 'POST' '${{ vars.DTRACK_URL }}/api/v1/bom' -H 'Content-Type:multipart/form-data' -H 'X-API-Key:${{ secrets.DTRACK_API_KEY }}' -F 'project=${{ secrets.DTRACK_PROJECTID }}' -F 'bom=@./cleanbom.xml'
 
           echo "Updating Project Version in ${{ vars.DTRACK_URL }}/api/v1/project"
-          curl --retry 5 --retry-delay 60 -X 'POST' '${{ vars.DTRACK_URL }}/api/v1/project' -H 'Content-Type:application/json' -H 'Accept:application/json' -H 'X-Api-Key:${{ secrets.DTRACK_API_KEY }}' -d '{"uuid": "${{ secrets.DTRACK_PROJECTID }}","name": "${{ vars.DTRACK_PROJECTNAME }}","version": "${{ github.sha }}","classifier": "APPLICATION","tags": [],"active": true}'     
+          curl --retry 5 --retry-delay 60 -X 'POST' '${{ vars.DTRACK_URL }}/api/v1/project' -H 'Content-Type:application/json' -H 'Accept:application/json' -H 'X-Api-Key:${{ secrets.DTRACK_API_KEY }}' -d '{"uuid": "${{ secrets.DTRACK_PROJECTID }}","name": "${{ vars.DTRACK_PROJECTNAME }}","version": "${{ github.sha }}","classifier": "APPLICATION","tags": [],"active": true}'

.github/workflows/release.yml

@@ -1,4 +1,4 @@
-name: 'release'
+name: release
 on:
   push:
     branches:
@@ -15,7 +15,7 @@ jobs:
         id: release
         with:
           release-type: helm
-          package-name: cops-controller          
+          package-name: cops-controller
           extra-files: |
             deployment/cops-controller/Chart.yaml
             deployment/cops-controller/values.yaml

Dockerfile

@@ -1,22 +1,6 @@
 # .NET 8 LTS End of Lifetime is on 10/11/2026
 FROM mcr.microsoft.com/dotnet/sdk:8.0-jammy AS build-env
 
-## Tooling prerequisites CycloneDX Docker ##################
-ARG SYFT_RELEASE=1.22.0
-ARG SYFT_SHA256=e324f92306232b8f8e80e9a4d5be9418aafe59d5e7ce8c42a3ad86bb3f0ed6b3
-RUN curl -sLO https://github.com/anchore/syft/releases/download/v${SYFT_RELEASE}/syft_${SYFT_RELEASE}_linux_amd64.deb && \
-  echo "${SYFT_SHA256} syft_${SYFT_RELEASE}_linux_amd64.deb" | sha256sum --check --status && \
-  dpkg -i syft_${SYFT_RELEASE}_linux_amd64.deb && \
-  rm syft_${SYFT_RELEASE}_linux_amd64.deb
-## CycloneDX CLI                 
-ARG CycloneDXCLIVersion=0.27.2
-RUN curl -LO https://github.com/CycloneDX/cyclonedx-cli/releases/download/v${CycloneDXCLIVersion}/cyclonedx-linux-x64
-RUN chmod +x cyclonedx-linux-x64
-RUN mv cyclonedx-linux-x64 $GOPATH/bin
-RUN cyclonedx-linux-x64 --version
-
-RUN dotnet tool install --global CycloneDX 
-
 WORKDIR /app
 
 COPY *.csproj ./
@@ -25,13 +9,6 @@ RUN dotnet restore ConplementAG.CopsController.csproj
 COPY . ./
 RUN dotnet publish ConplementAG.CopsController.csproj -c Release -o out
 
-RUN mkdir /sboms
-WORKDIR /sboms
-RUN /root/.dotnet/tools/dotnet-CycloneDX /app/ConplementAG.CopsController.csproj -o .
-RUN syft scan mcr.microsoft.com/dotnet/aspnet:8.0-jammy -o cyclonedx-xml=./docker-sbom.xml
-RUN cyclonedx-linux-x64 merge --input-files bom.xml docker-sbom.xml --output-file cops-controller-sbom.xml
-RUN cyclonedx-linux-x64 convert --input-file cops-controller-sbom.xml --output-file cops-controller-sbom-v1.5.xml --output-version v1_5 # DTrack 
-
 # .NET 8 LTS End of Lifetime is on 10/11/2026
 FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled
 
@@ -42,5 +19,4 @@ ENV ASPNETCORE_URLS=http://+:8080
 
 WORKDIR /app
 COPY --from=build-env /app/out .
-COPY --from=build-env --chown=donetuser:donetuser /sboms/cops-controller-sbom-v1.5.xml /sboms/cops-controller-sbom.xml
 ENTRYPOINT ["dotnet", "ConplementAG.CopsController.dll"]

syft.yaml

@@ -0,0 +1,16 @@
+default-catalogers:
+  - alpm-db-cataloger
+  - apk-db-cataloger
+  - binary-classifier-cataloger
+  - dotnet-packages-lock-cataloger
+  - dpkg-db-cataloger
+  - go-module-binary-cataloger
+  - go-module-file-cataloger
+  - linux-kernel-cataloger
+  - rpm-archive-cataloger
+  - rpm-db-cataloger
+  - sbom-cataloger
+check-for-app-update: true
+format:
+  pretty: true
+parallelism: 1