Created
October 11, 2023 14:54
-
-
Save stekern/4e3b465f398d6a88b436a2844e8acb16 to your computer and use it in GitHub Desktop.
Utility script for creating an empty GitHub dependency graph snapshot
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # | |
| # Utility script for creating an empty GitHub dependency graph snapshot for a given <detector>-<job-correlator> combination. | |
| # This can be useful to update your dependency graph in GitHub if you've used Syft or similar to manually publish | |
| # dependency graph snapshots for artifacts that have been removed from the codebase. | |
| # | |
| # The script asks for confirmation before actually making the POST request to GitHub's Dependency Submission API. | |
| set -euo pipefail | |
| IFS=$'\n\t' | |
| confirm() { | |
| local query yn | |
| query="$1" | |
| while true; do | |
| read -rp "$query " yn | |
| case $yn in | |
| yes ) return 0;; | |
| [nN]* ) return 1;; | |
| * ) printf "Please answer yes or no.\n";; | |
| esac | |
| done | |
| } | |
| parse_args() { | |
| REF="" | |
| SHA="" | |
| REPOSITORY_OWNER="" | |
| REPOSITORY_NAME="" | |
| JOB_ID="" | |
| JOB_CORRELATOR="" | |
| DETECTOR_NAME="" | |
| while [ "$#" -gt 0 ]; do | |
| case "$1" in | |
| --ref) REF="$2"; shift; shift; ;; | |
| --sha) SHA="$2"; shift; shift; ;; | |
| --job-id) JOB_ID="$2"; shift; shift; ;; | |
| --job-correlator) JOB_CORRELATOR="$2"; shift; shift; ;; | |
| --detector-name) DETECTOR_NAME="$2"; shift; shift; ;; | |
| --repository-owner) REPOSITORY_OWNER="$2"; shift; shift; ;; | |
| --repository-name) REPOSITORY_NAME="$2"; shift; shift; ;; | |
| *) echo "Unknown option '$1'"; exit 1 ;; | |
| esac | |
| done | |
| if [ -z "$REF" ]; then echo "'--ref' is a required argument"; exit 1; fi | |
| if [ -z "$SHA" ]; then echo "'--sha' is a required argument"; exit 1; fi | |
| if [ -z "$JOB_ID" ]; then echo "'--job-id' is a required argument"; exit 1; fi | |
| if [ -z "$JOB_CORRELATOR" ]; then echo "'--job-correlator' is a required argument"; exit 1; fi | |
| if [ -z "$DETECTOR_NAME" ]; then echo "'--detector-name' is a required argument"; exit 1; fi | |
| if [ -z "$REPOSITORY_OWNER" ]; then echo "'--repository-owner' is a required argument"; exit 1; fi | |
| if [ -z "$REPOSITORY_NAME" ]; then echo "'--repository-name' is a required argument"; exit 1; fi | |
| readonly REF SHA JOB_ID JOB_CORRELATOR DETECTOR_NAME REPOSITORY_OWNER REPOSITORY_NAME | |
| export REF SHA JOB_ID JOB_CORRELATOR DETECTOR_NAME REPOSITORY_OWNER REPOSITORY_NAME | |
| } | |
| main() { | |
| parse_args "$@" | |
| endpoint="https://api.github.com/repos/${REPOSITORY_OWNER}/${REPOSITORY_NAME}/dependency-graph/snapshots" | |
| timestamp="$(date -u +'%Y-%m-%dT%H:%M:%SZ')" | |
| filename="sbom.github.$DETECTOR_NAME.$timestamp.json" | |
| cat <<EOF > "$filename" | |
| { | |
| "version": 0, | |
| "detector": { | |
| "name": "$DETECTOR_NAME", | |
| "url": "https://github.com", | |
| "version": "x.x.x" | |
| }, | |
| "ref": "$REF", | |
| "sha": "$SHA", | |
| "job": { | |
| "id": "$JOB_ID", | |
| "correlator": "$JOB_CORRELATOR" | |
| }, | |
| "scanned": "$timestamp" | |
| } | |
| EOF | |
| echo "Generated dependency graph snapshot in file '$filename':" | |
| cat "$filename" | |
| echo "Sending the snapshot to GitHub's Dependency Submission API using endpoint '$endpoint'" | |
| if confirm "Do you want to continue?"; then | |
| curl -X POST \ | |
| --header "Content-Type: application/json" \ | |
| --header "Accept: application/vnd.github+json" \ | |
| --header "X-GitHub-Api-Version: 2022-11-28" \ | |
| --header "Authorization: Bearer $GITHUB_TOKEN" \ | |
| --silent \ | |
| --fail \ | |
| --data "@$filename" \ | |
| "$endpoint" | |
| fi | |
| } | |
| main "$@" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment