https://issues.apache.org/jira/browse/NIFI-14137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17911190#comment-17911190
David Handermann commented on NIFI-14137:
-----------------------------------------
Thanks [~joewitt]. For reference, the SBOM and Scan actions wrap the Syft and
Grype commands. To run these directly, perform a standard NiFi package or
install build with Maven, and then run these two commands:
{noformat}
syft scan file:nifi-assembly/target/nifi-2.2.0-SNAPSHOT-bin.zip --output syft-json=/tmp/nifi-assembly.json
grype sbom:/tmp/nifi-assembly.json
{noformat}
Although it is possible to run Grype directly, using Syft to produce the
intermediate SBOM is useful for cataloging dependencies.
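As an added illustration of what the intermediate SBOM buys you in a CI gate (example code, not part of the NiFi project or the Anchore actions): the script below catalogs the JAR artifacts from a Syft JSON SBOM, flags libraries packaged in more than one version, and applies a severity cutoff to a Grype JSON report the way a fail-on-severity policy would. The SBOM and report documents are constructed and heavily trimmed; the field names used ("artifacts", "locations", "matches", "vulnerability", "artifact", "fix") reflect the Syft and Grype JSON layouts as I understand them and are an assumption, and the vulnerability IDs are placeholders, not real advisories.

```python
"""Catalog a Syft JSON SBOM and gate on Grype JSON findings (added example)."""
import json
from collections import defaultdict

# Constructed, trimmed Syft JSON output. Field names are assumed from the Syft
# JSON schema; a real document carries many more fields per artifact.
SYFT_SBOM = json.dumps({
    "artifacts": [
        {"name": "nifi-framework-core", "version": "2.2.0-SNAPSHOT", "type": "java-archive",
         "locations": [{"path": "/lib/nifi-framework-core-2.2.0-SNAPSHOT.jar"}]},
        {"name": "example-lib", "version": "1.0.0", "type": "java-archive",
         "locations": [{"path": "/lib/example-lib-1.0.0.jar"}]},
        {"name": "example-lib", "version": "1.2.0", "type": "java-archive",
         "locations": [{"path": "/lib/bundles/example-lib-1.2.0.jar"}]},
    ]
})

# Constructed, trimmed Grype JSON output with placeholder vulnerability IDs.
GRYPE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "PLACEHOLDER-0001", "severity": "High",
                           "fix": {"versions": ["1.2.0"], "state": "fixed"}},
         "artifact": {"name": "example-lib", "version": "1.0.0", "type": "java-archive"}},
        {"vulnerability": {"id": "PLACEHOLDER-0002", "severity": "Low",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "example-lib", "version": "1.2.0", "type": "java-archive"}},
    ]
})

# Grype severity labels, ordered from least to most serious.
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def catalog(sbom_json: str) -> dict:
    """Map (name, version) -> sorted list of archive paths found in the SBOM."""
    entries = defaultdict(list)
    for artifact in json.loads(sbom_json).get("artifacts", []):
        key = (artifact["name"], artifact["version"])
        for location in artifact.get("locations", []):
            entries[key].append(location["path"])
    return {key: sorted(paths) for key, paths in entries.items()}


def duplicate_versions(sbom_json: str) -> dict:
    """Names packaged in more than one version -> sorted list of those versions.

    Duplicate versions inside one assembly are a common cataloging finding and
    usually mean one copy will stay unpatched when the other is bumped."""
    versions = defaultdict(set)
    for name, version in catalog(sbom_json):
        versions[name].add(version)
    return {name: sorted(found) for name, found in versions.items() if len(found) > 1}


def blocking_findings(report_json: str, cutoff: str = "high") -> list:
    """Grype matches at or above the cutoff as (id, severity, name, version, fix) tuples."""
    threshold = SEVERITY_RANK[cutoff.lower()]
    blocking = []
    for match in json.loads(report_json).get("matches", []):
        vuln, artifact = match["vulnerability"], match["artifact"]
        label = vuln.get("severity", "Unknown")
        # An unrated ("Unknown") finding is treated as blocking so that it is
        # triaged by a person instead of silently passing the gate.
        rank = SEVERITY_RANK.get(label.lower(), max(SEVERITY_RANK.values()))
        if rank >= threshold:
            fix = ",".join(vuln.get("fix", {}).get("versions", [])) or "none"
            blocking.append((vuln["id"], label, artifact["name"], artifact["version"], fix))
    return sorted(blocking)


def gate(report_json: str, cutoff: str = "high") -> bool:
    """True when the report contains nothing at or above the cutoff."""
    return not blocking_findings(report_json, cutoff)


if __name__ == "__main__":
    for (name, version), paths in sorted(catalog(SYFT_SBOM).items()):
        print(f"{name} {version}: {', '.join(paths)}")
    print("duplicate versions:", duplicate_versions(SYFT_SBOM))
    for finding in blocking_findings(GRYPE_REPORT, "high"):
        print("BLOCKING:", *finding)
    print("gate passed:", gate(GRYPE_REPORT, "high"))
```

The same two functions work unchanged on real files: load `/tmp/nifi-assembly.json` for the catalog and the output of `grype sbom:/tmp/nifi-assembly.json -o json` for the gate. Keeping the SBOM as a separate artifact means the catalog (and the duplicate-version check) survives even when the vulnerability database is later refreshed and the scan is re-run against the same build.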
> Add SBOM and Dependency Scanning GitHub Workflow
> ------------------------------------------------
>
> Key: NIFI-14137
> URL: https://issues.apache.org/jira/browse/NIFI-14137
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Tools and Build
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> The automated GitHub Actions workflows should be updated to include new steps
> that generate a Software Bill-of-Materials and dependency scanning results
> for the NiFi assembly.
> Earlier versions of workflows included running the OWASP dependency check,
> but changes to the database download process increased the time required to
> run the scan.
> The Anchore Syft and Grype tools are open source and licensed under Apache
> Software License Version 2, providing GitHub Action integration through the
> [sbom-action|https://github.com/anchore/sbom-action] and the
> [scan-action|https://github.com/anchore/scan-action]. These tools support not
> only container images, but standard Zip archives and introspection, capable
> of enumerating packaged JAR files. Initial testing shows results produced in
> minutes, making them ideal for automated evaluation. Although the SBOM
> produced should not be considered official, it should provide additional options
> for visibility into the packaged dependencies included in the standard NiFi
> assembly.
> Based on how this works, SBOM generation could be considered for additional
> build artifacts in subsequent work.
> This scanning augments existing code quality and compliance capabilities that
> already include Checkstyle, PMD, Apache Rat, and GitHub CodeQL.