Your Name e82bf0b25d feat(compliance): 验证CI脚本可执行性
- m013_credential_scan.sh: 凭证泄露扫描
- m017_sbom.sh: SBOM生成
- m017_lockfile_diff.sh: Lockfile差异检查
- m017_compat_matrix.sh: 兼容性矩阵
- m017_risk_register.sh: 风险登记
- m017_dependency_audit.sh: 依赖审计
- compliance_gate.sh: 合规门禁主脚本

R-04 完成。
2026-04-03 11:57:23 +08:00


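#!/usr/bin/env bash
# scripts/ci/m017_sbom.sh - M-017 SBOM generation script
# Purpose: generate an SPDX 2.3 SBOM of the project with syft.
# Inputs (positional, both optional):
#   $1 REPORT_DATE - date tag used in the output file name (default: today, YYYY-MM-DD)
#   $2 REPORT_DIR  - output directory (default: ${PROJECT_ROOT}/reports/dependency)
# Environment:
#   PROJECT_ROOT      - directory syft scans (default: repository root, i.e. two
#                       levels above this script, which lives in scripts/ci/)
#   SBOM_REQUIRE_SYFT - set to 1 to fail instead of writing a placeholder when
#                       syft is missing (default: 0, placeholder is written)
# Output: ${REPORT_DIR}/sbom_{REPORT_DATE}.spdx.json
# Exit status: 0 on success (a placeholder also exits 0 unless SBOM_REQUIRE_SYFT=1);
#              1 when syft fails, produces an SBOM without packages, or is
#              required but not installed.
# All log lines go to stdout with the [M017-SBOM] prefix so callers can grep them.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
# The script is under scripts/ci/, so the repository root is two levels up.
# Scanning only scripts/ would yield an SBOM that misses the project's real
# dependencies, so the default must point at the repository root.
PROJECT_ROOT="${PROJECT_ROOT:-$(cd "$SCRIPT_DIR/../.." && pwd)}"
REPORT_DATE="${1:-$(date +%Y-%m-%d)}"
REPORT_DIR="${2:-${PROJECT_ROOT}/reports/dependency}"
SBOM_REQUIRE_SYFT="${SBOM_REQUIRE_SYFT:-0}"
SBOM_FILE="${REPORT_DIR}/sbom_${REPORT_DATE}.spdx.json"

mkdir -p "$REPORT_DIR"
echo "[M017-SBOM] Starting SBOM generation for ${REPORT_DATE}"

#######################################
# Write a minimal, clearly marked SPDX 2.3 document with no packages.
# Globals:   SBOM_FILE (written), REPORT_DATE (read)
# Outputs:   the placeholder document at $SBOM_FILE
# Returns:   0 on success, non-zero if the file cannot be written
#######################################
write_placeholder_sbom() {
  local created
  created="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  # Unquoted delimiter on purpose: REPORT_DATE and created are expanded, so the
  # document no longer carries a hard-coded date that drifts from the file name.
  cat > "$SBOM_FILE" <<EOF
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "llm-gateway",
  "documentNamespace": "https://llm-gateway.example.com/spdx/${REPORT_DATE}",
  "creationInfo": {
    "created": "${created}",
    "creators": ["Tool: syft-placeholder"],
    "comment": "Placeholder: syft was not installed, no packages were scanned"
  },
  "packages": []
}
EOF
}

# Without syft there is no real inventory. By default a placeholder is written
# so the pipeline keeps running, but it is explicitly marked as such in the
# document, and a strict gate can refuse it with SBOM_REQUIRE_SYFT=1.
if ! command -v syft >/dev/null 2>&1; then
  if [ "$SBOM_REQUIRE_SYFT" = "1" ]; then
    echo "[M017-SBOM] ERROR: syft is not installed and SBOM_REQUIRE_SYFT=1"
    exit 1
  fi
  echo "[M017-SBOM] WARNING: syft is not installed. Generating placeholder SBOM."
  # -s rather than -f: an empty file would be a failed write, not a placeholder.
  if write_placeholder_sbom && [ -s "$SBOM_FILE" ]; then
    echo "[M017-SBOM] WARNING: Generated placeholder SBOM (syft not available)"
    exit 0
  fi
  echo "[M017-SBOM] ERROR: Failed to generate placeholder SBOM"
  exit 1
fi

echo "[M017-SBOM] Using syft for SBOM generation"
# syft's stderr is left visible so a failing scan can be diagnosed from the CI log;
# only stdout (the JSON document) is redirected into the file.
if ! syft "${PROJECT_ROOT}" -o spdx-json > "$SBOM_FILE"; then
  # Do not leave a truncated document under the canonical name for consumers to pick up.
  rm -f -- "$SBOM_FILE"
  echo "[M017-SBOM] ERROR: Failed to generate SBOM with syft"
  exit 1
fi

# Every SPDX element carries an "SPDXID": one for the document itself plus one
# per package. Occurrences are counted (grep -o | wc -l) rather than lines so the
# check works for both compact and pretty-printed JSON; fewer than two means no
# packages were found. A no-match grep fails the pipeline under pipefail, which
# is why the assignment tolerates a non-zero status (wc still prints 0).
spdxid_count="$(grep -o '"SPDXID"' "$SBOM_FILE" | wc -l | tr -d '[:space:]')" || true
if ! grep -q '"packages"' "$SBOM_FILE" || [ "${spdxid_count:-0}" -lt 2 ]; then
  # Keep the document for diagnosis, but not under the name downstream steps read.
  mv -f -- "$SBOM_FILE" "${SBOM_FILE}.invalid"
  echo "[M017-SBOM] ERROR: syft generated invalid SBOM (no packages found)"
  exit 1
fi
echo "[M017-SBOM] SUCCESS: SBOM generated at $SBOM_FILE"
exit 0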