Updated to use cyclonedx-python

thanhnguyen-mdb · thanhnguyen-mdb · commit 0c36d554cf21 · 2025-11-24T16:12:00.000Z
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -1,6 +1,6 @@
 name: Generate SBOM
 
-# This workflow uses cdxgen and publishes an sbom.json artifact.
+# This workflow uses cyclonedx-py and publishes an sbom.json artifact.
 # It runs on manual trigger or when package files change on main branch,
 # and creates a PR with the updated SBOM.
 # Internal documentation: go/sbom-scope
@@ -42,10 +42,26 @@ jobs:
           source .venv/bin/activate
           pip install -r requirements.txt
           pip install .
-          npx @cyclonedx/cdxgen@11.0.0 -t python --spec-version 1.5 -o sbom.json
-          jq . sbom.json > sbom.json.tmp && mv sbom.json.tmp sbom.json
-        env:
-          FETCH_LICENSE: true
+          pip uninstall -y pip setuptools
+          deactivate
+          python -m venv .venv-sbom
+          source .venv-sbom/bin/activate
+          pip install cyclonedx-bom==7.2.1
+          cyclonedx-py environment --spec-version 1.5 --output-format JSON --output-file sbom.json .venv
+          # Add PURL for django-mongodb-backend (local package doesn't get PURL automatically)
+          jq '(.components[] | select(.name == "django-mongodb-backend" and .purl == null)) |= (. + {purl: ("pkg:pypi/django-mongodb-backend@" + .version)})' sbom.json > sbom.tmp.json && mv sbom.tmp.json sbom.json
+
+      - name: Download CycloneDX CLI
+        run: |
+          curl -L -s -o /tmp/cyclonedx "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.29.1/cyclonedx-linux-x64"
+          chmod +x /tmp/cyclonedx
+
+      - name: Validate SBOM
+        run: /tmp/cyclonedx validate --input-file sbom.json --fail-on-errors
+
+      - name: Cleanup
+        if: always()
+        run: rm -rf .venv .venv-sbom
 
       - name: Upload SBOM artifact
         uses: actions/upload-artifact@v4
@@ -71,7 +87,7 @@ jobs:
             - Updated `sbom.json` to reflect current dependencies
 
             ### Verification
-            The SBOM was generated using cdxgen with the current Python environment.
+            The SBOM was generated using cyclonedx-py v7.2.1 with the current Python environment.
 
             ### Triggered by
             - Commit: ${{ github.sha }}
@@ -82,8 +98,4 @@ jobs:
           labels: |
             sbom
             automated
-            dependencies
-
-      - name: Cleanup
-        if: always()
-        run: rm -rf .venv
+            dependencies
