@@ -8,17 +8,34 @@ version: 0.1
88component : build
99timeoutInSeconds : 1000
1010shell : bash
11-
11+ env :
12+ variables :
13+ PYTHON_CMD : " python3"
14+ CDXGEN_DEBUG_MODE : " debug"
1215steps :
1316 - type : Command
14- name : " Install cyclonedx_py module"
17+ name : " Download the version 10.10.0 of cdxgen globally"
18+ command : |
19+ npm install -g @cyclonedx/[email protected] 20+ type : Command
21+ name : " Workaround to let cdxgen run on nodejs 16"
1522 command : |
16- pip install cyclonedx-bom
23+ # cdxgen relies on a fourth-party dependency that cannot be executed in a Node.js environment running version 16
24+ # (as installed on the build runner instance)
25+ # This is a workaround to ensure cdxgen functions correctly, even in an older Node.js environment.
26+ cd /node/node-v16.14.2-linux-x64/lib/node_modules/@cyclonedx/cdxgen && \
27+ 1728type : Command
18- name : " Run Python cyclonedx_py module "
29+ name : " Generate SBOM for Python "
1930 command : |
20- # For more details, visit https://github.com/CycloneDX/cyclonedx-python/blob/main/README.md
21- python3 -m cyclonedx_py -r -pb --format json -o artifactSBOM.json --schema-version 1.4
31+ # Search the test or dev requirements files, so that test and dev py packages can be excluded in the generated SBOM
32+ files=$(find . -type f -regex ".*\(test.*requirements\|requirements.*test\|dev.*requirements\|requirements.*dev\).*\.txt") && \
33+ if [ -n "$files" ]; then \
34+ cdxgen -t python -o artifactSBOM.json --spec-version 1.4 \
35+ --exclude "*{requirements,dev,test}*{requirements,dev,test}*.txt" --project-name "$(basename $OCI_PRIMARY_SOURCE_URL)" --no-recurse
36+ else \
37+ cdxgen -t python -o artifactSBOM.json --spec-version 1.4 --project-name "$(basename $OCI_PRIMARY_SOURCE_URL)" --no-recurse
38+ fi \
2239outputArtifacts :
2340 - name : artifactSBOM
2441 type : BINARY
0 commit comments