Add SBOM template

andyleejordan · andyleejordan · commit 9ad01c1d00b5 · 2022-02-14T12:39:32.000-08:00
diff --git a/.vsts-ci/templates/ci-general.yml b/.vsts-ci/templates/ci-general.yml
@@ -28,10 +28,23 @@ steps:
     archiveFile: PowerShellEditorServices-Build.zip
     verbose: true
 
+- task: ArchiveFiles@2
+  displayName: Zip sources for SBOM
+  inputs:
+    rootFolderOrFile: src
+    includeRootFolder: false
+    archiveType: zip
+    archiveFile: PowerShellEditorServices-Sources.zip
+    verbose: true
+
 - publish: PowerShellEditorServices-Build.zip
   artifact: PowerShellEditorServices-Build-$(System.JobId)
   displayName: Publish unsigned pipeline artifacts
 
+- publish: PowerShellEditorServices-Sources.zip
+  artifact: PowerShellEditorServices-Sources-$(System.JobId)
+  displayName: Publish unsigned pipeline artifacts
+
 - task: PublishTestResults@2
   displayName: Publish test results
   inputs:
diff --git a/.vsts-ci/templates/release-general.yml b/.vsts-ci/templates/release-general.yml
@@ -48,6 +48,23 @@ steps:
       **/Serilog*.dll
       **/UnixConsoleEcho.dll
 
+# The SBOM generation requires our original sources with the `dotnet restore`
+# produced `project.assets.json` files.
+- task: ExtractFiles@1
+  displayName: Extract source artifacts
+  inputs:
+    archiveFilePatterns: $(Pipeline.Workspace)/PowerShellEditorServices-Sources-*/PowerShellEditorServices-Sources.zip
+    destinationFolder: $(Pipeline.Workspace)/Sources
+    cleanDestinationFolder: true
+
+- template: Sbom.yml@ComplianceRepo
+  parameters:
+    BuildDropPath: $(Pipeline.Workspace)/ThirdPartySigned
+    Build_Repository_Uri: https://github.com/PowerShell/PowerShellEditorServices.git
+    packageName: PowerShellEditorServices
+    packageVersion: $(System.JobId)
+    sourceScanPath: $(Pipeline.Workspace)/Sources
+
 - task: ArchiveFiles@2
   displayName: Zip signed artifacts
   inputs:
@@ -65,8 +82,8 @@ steps:
     # binskim
     AnalyzeTarget: $(Pipeline.Workspace)/*.dll
     AnalyzeSymPath: 'SRV*'
-    # component-governance
-    sourceScanPath: $(Build.SourcesDirectory)/PowerShellEditorServices
+    # component-governance: requires the `project.assets.json` files
+    sourceScanPath: $(Pipeline.Workspace)/Sources
     # credscan
     suppressionsFile: ''
     # TermCheck AKA PoliCheck
