Merge pull request #166 from LesiaChaban/main

Update sbom_generation.yaml

Author: LesiaChaban

sbom_generation.yaml

@@ -8,17 +8,34 @@ version: 0.1
 component: build
 timeoutInSeconds: 1000
 shell: bash
-
+env:
+  variables:
+    PYTHON_CMD: "python3"
+    CDXGEN_DEBUG_MODE: "debug"
 steps:
   - type: Command
-    name: "Install cyclonedx_py module"
+    name: "Download the version 10.10.0 of cdxgen globally"
+    command: |
+      npm install -g @cyclonedx/cdxgen@10.10.0
+  - type: Command
+    name: "Workaround to let cdxgen run on nodejs 16"
     command: |
-      pip install cyclonedx-bom
+      # cdxgen relies on a fourth-party dependency that cannot be executed in a Node.js environment running version 16
+      # (as installed on the build runner instance)
+      # This is a workaround to ensure cdxgen functions correctly, even in an older Node.js environment.
+      cd /node/node-v16.14.2-linux-x64/lib/node_modules/@cyclonedx/cdxgen && \
+      npm install cheerio@v1.0.0-rc.12
   - type: Command
-    name: "Run Python cyclonedx_py module"
+    name: "Generate SBOM for Python "
     command: |
-      # For more details, visit https://github.com/CycloneDX/cyclonedx-python/blob/main/README.md
-      python3 -m cyclonedx_py -r -pb --format json -o artifactSBOM.json --schema-version 1.4
+      # Search the test or dev requirements files, so that test and dev py packages can be excluded in the generated SBOM
+      files=$(find . -type f -regex ".*\(test.*requirements\|requirements.*test\|dev.*requirements\|requirements.*dev\).*\.txt") && \
+      if [ -n "$files" ]; then \
+        cdxgen -t python -o artifactSBOM.json --spec-version 1.4 \
+        --exclude "*{requirements,dev,test}*{requirements,dev,test}*.txt" --project-name "$(basename $OCI_PRIMARY_SOURCE_URL)" --no-recurse
+      else \
+         cdxgen -t python -o artifactSBOM.json --spec-version 1.4 --project-name "$(basename $OCI_PRIMARY_SOURCE_URL)" --no-recurse
+      fi \
 outputArtifacts:
   - name: artifactSBOM
     type: BINARY