From 890d5e1e711591ab42a8239093272d8a87e965d2 Mon Sep 17 00:00:00 2001
From: Amndeep Singh Mann
Date: Mon, 14 Oct 2024 01:24:39 -0400
Subject: [PATCH] microsoft sbom tool

---
 .github/workflows/sbom.yml | 41 ++++++++++++++++++++++----------------
 1 file changed, 24 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index c297649810..2fab3c4687 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -23,29 +23,36 @@ jobs:
           check-latest: true
           cache: 'yarn'
+      - name: Install Microsoft SBOM Tool
+        run: |
+          curl -Lo /tmp/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
+          chmod +x /tmp/sbom-tool
+
       - name: Install project dependencies
         run: yarn install --frozen-lockfile --production
 
-      # Anchore Syft Github Action
-
-      - name: Syft directory installed spdx
+      - name: sbomtool directory spdx
         if: always()
-        uses: anchore/sbom-action@v0
-        with:
-          artifact-name: syft_directory_installed.spdx.json
-          output-file: /tmp/syft_directory_installed.spdx.json
-          format: spdx-json
-
-      - name: Syft directory installed cyclonedx
+        run: /tmp/sbom-tool generate -b . -bc . -li true -pm true -m /tmp/sbomtool_directory.spdx.json -pn Heimdall2 -pv 2.10.19 -ps MITRE -nsb https://saf.mitre.org -V Verbose
+
+      - name: sbomtool directory spdx converted
         if: always()
-        uses: anchore/sbom-action@v0
-        with:
-          artifact-name: syft_directory_installed.cdx.json
-          output-file: /tmp/syft_directory_installed.cdx.json
-          format: cyclonedx-json
+        run: docker run -t -v /tmp/sbomtool_directory.spdx.json:/tmp/sbomtool_directory.spdx.json -v /tmp/sbomtool_directory.cdx.json:/tmp/sbomtool_directory.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbomtool_directory.spdx.json --output-file /tmp/sbomtool_directory.cdx.json --input-format spdxjson --output-format json
+
+      - name: Build the Docker image
+        if: always()
+        run: docker build -f Dockerfile -t mitre/heimdall2:throwaway .
+
+      - name: sbomtool image spdx
+        if: always()
+        run: /tmp/sbom-tool generate -di mitre/heimdall2:throwaway -li true -pm true -m /tmp/sbomtool_image.spdx.json -pn Heimdall2 -pv 2.10.19 -ps MITRE -nsb https://saf.mitre.org -V Verbose
+
+      - name: sbomtool image spdx converted
+        if: always()
+        run: docker run -t -v /tmp/sbomtool_image.spdx.json:/tmp/sbomtool_image.spdx.json -v /tmp/sbomtool_image.cdx.json:/tmp/sbomtool_image.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbomtool_image.spdx.json --output-file /tmp/sbomtool_image.cdx.json --input-format spdxjson --output-format json
       - uses: actions/upload-artifact@v4
         if: always()
         with:
-          path: /tmp/syft*
-          name: "Syft SBOM experiments - just directory - installed"
+          path: /tmp/sbomtool*
+          name: "MS SBOM Tool experiments"
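Review bot: The `Install Microsoft SBOM Tool` step fetches `releases/latest/download/sbom-tool-linux-x64` with no version pin and no integrity check, then executes it over the whole checkout and the built image, so the tool that produces this workflow's supply-chain evidence is itself unverified and changes silently with every upstream release. Pin the URL to a specific release tag and verify the download before `chmod +x`, e.g. `echo "<EXPECTED_SHA256>  /tmp/sbom-tool" | sha256sum -c -` with the digest committed alongside the workflow, and pin `cyclonedx/cyclonedx-cli:latest` to a tag or `@sha256:` digest in both converter steps for the same reason. Separately, both `sbomtool ... spdx converted` steps bind-mount `/tmp/sbomtool_directory.cdx.json` and `/tmp/sbomtool_image.cdx.json` before those files exist, and Docker creates a missing `-v` source as a directory, so `--output-file` inside the container targets a directory and the CycloneDX output is likely never written, with the failure hidden by `if: always()`. Mounting the parent instead, `-v /tmp:/tmp`, sidesteps that. `-pv 2.10.19` is also hard-coded in both `generate` calls and will drift from the project's real version; deriving it from `package.json` (e.g. `-pv "$(node -p 'require(\"./package.json\").version')"`, assuming the Node toolchain set up earlier in this job is available) keeps the SBOM's package metadata accurate.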