esp-idf/tools/ci/config/rules.yml
Frantisek Hrbata d4ab79259a tools: add sbom information for submodules
Conflicts:
- spiffs submodule version and hash changed to 0.2-221-gf5e26c4e9331
- protobuf-c submodule version and hash changed to v1.3.0
- ci files moved from tools/ci/config/ into .gitlab/ci/ in v4.4, so
  host-test.yml and rules.yml were changed accordingly in tools/ci/config/.
- added patterns-submodule to rules.yml, because they were also added in
  v4.4
- removed pytest dependency

This adds SBOM information for submodules which are not managed
by Espressif, meaning there is no fork of them in the espressif
namespace. Other submodules should add an sbom.yml manifest file to
the root of their git repository.

The SBOM information for submodules is stored in the .gitmodules file.
Each SBOM related variable has the "sbom-" prefix and the following
variables may be used:

sbom-version:
   submodule version

sbom-cpe:
   CPE record if available in NVD. This will be used by the SBOM
   tool to check for possible submodule vulnerabilities. The
   version in the CPE can be replaced with the "{}" placeholder,
   which will be replaced by the "sbom-version" value from above.

sbom-supplier:
   Person or organization who is providing the submodule.
   It has to start with "Person:" or "Organization:" prefix
   as required by the SPDX-2.2 standard.

sbom-url:
   URL of the project, if one exists, e.g. GitHub.

sbom-description:
   Project description.

sbom-hash:
   Submodule SHA as recorded in the git-tree. This field is used by
   CI to check that the submodule checkout hash and info in .gitmodules
   are in sync. IOW if submodule is updated and it has SBOM info in
   .gitmodules, the .gitmodules has to be updated too. The test is
   part of this commit. The checkout hash of the submodule can be found
   by using "git submodule status".

Example for micro-ecc submodule
---8<---
[submodule "components/bootloader/subproject/components/micro-ecc/micro-ecc"]
	path = components/bootloader/subproject/components/micro-ecc/micro-ecc
	url = ../../kmackay/micro-ecc.git
	sbom-version = 1.0
	sbom-cpe = cpe:2.3:a:micro-ecc_project:micro-ecc:{}:*:*:*:*:*:*:*
	sbom-supplier = Person: Ken MacKay
	sbom-url = https://github.com/kmackay/micro-ecc
	sbom-description = A small and fast ECDH and ECDSA implementation for 8-bit, 32-bit, and 64-bit processors
	sbom-hash = d037ec89546fad14b5c4d5456c2e23a71e554966
---8<---

Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
2023-06-16 07:34:49 +02:00


# patterns
# Submodule checkout paths (plus .gitmodules itself) whose SBOM metadata lives
# in .gitmodules. Used as the `changes:` filter of .rules:patterns:sbom, so a
# dev push touching any of these paths, or the sbom-* fields in .gitmodules,
# triggers the SBOM consistency check.
# NOTE(review): this list is maintained by hand — a submodule added to
# .gitmodules but not listed here will not trigger the check on dev pushes.
# Protected-ref pipelines still run it unconditionally (see .rules:patterns:sbom),
# so a mismatch is caught at the latest after merge rather than in the MR.
.patterns-submodule: &patterns-submodule
  - "components/asio/asio"
  - "components/bootloader/subproject/components/micro-ecc/micro-ecc"
  - "components/bt/controller/lib_esp32"
  - "components/bt/controller/lib_esp32c3_family"
  - "components/bt/host/nimble/nimble"
  - "components/cbor/tinycbor"
  - "components/cmock/CMock"
  - "components/cmock/CMock/vendor/c_exception"
  - "components/cmock/CMock/vendor/unity"
  - "components/coap/libcoap"
  - "components/coap/libcoap/ext/tinydtls"
  - "components/esp_phy/lib"
  - "components/esp_wifi/lib"
  - "components/esptool_py/esptool"
  - "components/expat/expat"
  - "components/json/cJSON"
  - "components/libsodium/libsodium"
  - "components/lwip/lwip"
  - "components/mbedtls/mbedtls"
  - "components/mqtt/esp-mqtt"
  - "components/nghttp/nghttp2"
  - "components/nghttp/nghttp2/third-party/mruby"
  - "components/nghttp/nghttp2/third-party/neverbleed"
  - "components/openthread/lib"
  - "components/protobuf-c/protobuf-c"
  - "components/spiffs/spiffs"
  - "components/tinyusb/tinyusb"
  - "components/unity/unity"
  - "examples/build_system/cmake/import_lib/main/lib/tinyxml2"
  - "examples/peripherals/secure_element/atecc608_ecdsa/components/esp-cryptoauthlib"
  # The manifest itself: editing any sbom-* value must re-run the check.
  - ".gitmodules"
# Files of the SBOM test tool itself; changes here also trigger
# .rules:patterns:sbom on dev pushes.
# NOTE(review): a single "*" — in GitLab `changes:` globs this presumably does
# not match across "/"; confirm it still covers the tool if tools/test_sbom
# ever gains subdirectories (TODO).
.patterns-sbom: &patterns-sbom
  - "tools/test_sbom/*"
# if anchors
# Ref / pipeline-source conditions. Each anchor is a single `if:` clause that
# the rule templates below merge (`<<:`) into their `rules:` entries.
.if-ref-master: &if-ref-master
  if: '$CI_COMMIT_REF_NAME == "master"'
# Release tag of the form vX.Y or vX.Y.Z, optionally followed by "-...",
# and no label-driven bot trigger ($BOT_TRIGGER_WITH_LABEL unset).
.if-tag-release-no_label: &if-tag-release-no_label
  if: '$CI_COMMIT_TAG =~ /^v\d+\.\d+(\.\d+)?($|-)/ && $BOT_TRIGGER_WITH_LABEL == null'
# "Protected" here means master, a release/v* branch, or a release tag.
# NOTE(review): the expression only looks at the ref name; it assumes the
# project settings actually protect master and release/v* so that only trusted
# pushes reach the protected-ref rules — confirm in the project settings.
.if-protected: &if-protected
  if: '($CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_BRANCH =~ /^release\/v/ || $CI_COMMIT_TAG =~ /^v\d+\.\d+(\.\d+)?($|-)/)'
# Same as .if-protected, but only when no label-driven bot trigger is set.
.if-protected-no_label: &if-protected-no_label
  if: '($CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_BRANCH =~ /^release\/v/ || $CI_COMMIT_TAG =~ /^v\d+\.\d+(\.\d+)?($|-)/) && $BOT_TRIGGER_WITH_LABEL == null'
# Any non-protected ref, but only for push and merge-request pipelines
# (scheduled and triggered pipelines have their own anchors below).
.if-dev-push: &if-dev-push
  if: '$CI_COMMIT_REF_NAME != "master" && $CI_COMMIT_BRANCH !~ /^release\/v/ && $CI_COMMIT_TAG !~ /^v\d+\.\d+(\.\d+)?($|-)/ && ($CI_PIPELINE_SOURCE == "push" || $CI_PIPELINE_SOURCE == "merge_request_event")'
.if-schedule: &if-schedule
  if: '$CI_PIPELINE_SOURCE == "schedule"'
.if-trigger: &if-trigger
  if: '$CI_PIPELINE_SOURCE == "trigger"'
# Label conditions. A bare `$BOT_LABEL_*` in `if:` is true when the variable
# exists with a non-empty value; each one opts the pipeline into one test group.
# NOTE(review): these variables are not defined in this file — presumably the
# MR bot derives them from merge-request labels. Verify where they are set,
# since whoever can set them can enable the gated jobs.
.if-label-regular_test: &if-label-regular_test
  if: '$BOT_LABEL_REGULAR_TEST'
.if-label-build: &if-label-build
  if: '$BOT_LABEL_BUILD'
.if-label-build_docs: &if-label-build_docs
  if: '$BOT_LABEL_BUILD_DOCS'
.if-label-integration_test: &if-label-integration_test
  if: '$BOT_LABEL_INTEGRATION_TEST'
.if-label-unit_test: &if-label-unit_test
  if: '$BOT_LABEL_UNIT_TEST'
.if-label-unit_test-32: &if-label-unit_test-32
  if: '$BOT_LABEL_UNIT_TEST_32'
.if-label-unit_test-s2: &if-label-unit_test-s2
  if: '$BOT_LABEL_UNIT_TEST_S2'
.if-label-unit_test-c3: &if-label-unit_test-c3
  if: '$BOT_LABEL_UNIT_TEST_C3'
# Any of the unit-test labels: the generic one or any per-target one.
.if-label-unit_test-all_labels: &if-label-unit_test-all_labels
  if: '$BOT_LABEL_UNIT_TEST || $BOT_LABEL_UNIT_TEST_32 || $BOT_LABEL_UNIT_TEST_S2 || $BOT_LABEL_UNIT_TEST_C3'
.if-label-weekend_test: &if-label-weekend_test
  if: '$BOT_LABEL_WEEKEND_TEST'
.if-label-example_test: &if-label-example_test
  if: '$BOT_LABEL_EXAMPLE_TEST'
.if-label-custom_test: &if-label-custom_test
  if: '$BOT_LABEL_CUSTOM_TEST'
.if-label-host_test: &if-label-host_test
  if: '$BOT_LABEL_HOST_TEST'
.if-label-fuzzer_test: &if-label-fuzzer_test
  if: '$BOT_LABEL_FUZZER_TEST'
.if-label-nvs_coverage: &if-label-nvs_coverage
  if: '$BOT_LABEL_NVS_COVERAGE'
# Either static-analysis label.
.if-label-static_analysis: &if-label-static_analysis
  if: '$BOT_LABEL_STATIC_ANALYSIS || $BOT_LABEL_STATIC_ANALYSIS_ALL'
.if-label-iperf_stress_test: &if-label-iperf_stress_test
  if: '$BOT_LABEL_IPERF_STRESS_TEST'
# Despite the "os" name this is label driven as well.
.if-os-mac: &if-os-mac
  if: '$BOT_LABEL_MACOS_TEST'
# Rules templates
# Rules templates, meant to be pulled in with `extends:` by jobs in the other CI
# files (not visible here). GitLab evaluates `rules` entries top to bottom; the
# first entry whose `if:` (and `changes:`, where given) matches decides whether
# the job is added to the pipeline, so each template reads as an OR of its entries.
.rules:protected:
  rules:
    - <<: *if-protected
.rules:protected-no_label:
  rules:
    - <<: *if-protected-no_label
.rules:protected-schedule:
  rules:
    - <<: *if-protected
    - <<: *if-schedule
.rules:trigger:
  rules:
    - <<: *if-trigger
# Non-protected refs: triggered pipelines, or push / merge-request pipelines.
.rules:dev:
  rules:
    - <<: *if-trigger
    - <<: *if-dev-push
.rules:os:mac_os:
  rules:
    - <<: *if-protected-no_label
    - <<: *if-os-mac
.rules:tag:release-no_label:
  rules:
    - <<: *if-tag-release-no_label
.rules:ref:master-schedule:
  rules:
    - <<: *if-ref-master
    - <<: *if-schedule
# `when: always` makes the job run on master even if earlier stages failed.
.rules:ref:master-always:
  rules:
    - <<: *if-ref-master
      when: always
# "-only" templates carry no protected-ref entry: the job runs solely when the
# named label is set, never by default on master / release refs.
.rules:labels:static_analysis-only:
  rules:
    - <<: *if-label-static_analysis
# Build jobs: by default on protected refs (unless a labelled bot trigger is
# active), or on the regular_test / build labels.
.rules:labels:build:
  rules:
    - <<: *if-protected-no_label
    - <<: *if-label-regular_test
    - <<: *if-label-build
.rules:labels:build_docs:
  rules:
    - <<: *if-protected-no_label
    - <<: *if-label-build
    - <<: *if-label-regular_test
    - <<: *if-label-build_docs
# Slim docs build: protected refs or the build_docs label only.
.rules:labels:build_docs-slim:
  rules:
    - <<: *if-protected-no_label
    - <<: *if-label-build_docs
# Docs preview is label-only and never runs by default on protected refs.
.rules:labels:build_docs-preview:
  rules:
    - <<: *if-label-build_docs
.rules:labels:weekend_test-only:
  rules:
    - <<: *if-label-weekend_test
.rules:labels:iperf_stress_test-only:
  rules:
    - <<: *if-label-iperf_stress_test
.rules:labels:fuzzer_test-weekend_test-only:
  rules:
    - <<: *if-label-fuzzer_test
    - <<: *if-label-weekend_test
.rules:labels:nvs_coverage-only:
  rules:
    - <<: *if-label-nvs_coverage
# Host tests: protected refs, or the regular_test / host_test labels.
.rules:labels:host_test:
  rules:
    - <<: *if-protected-no_label
    - <<: *if-label-regular_test
    - <<: *if-label-host_test
# Target-test groups: by default on protected refs (no labelled bot trigger),
# on the matching label, and — for example / custom tests — also on scheduled
# pipelines.
.rules:tests:example_test-schedule:
  rules:
    - <<: *if-protected-no_label
    - <<: *if-label-example_test
    - <<: *if-schedule
.rules:tests:custom_test-schedule:
  rules:
    - <<: *if-protected-no_label
    - <<: *if-label-custom_test
    - <<: *if-schedule
# Generic unit tests: any unit-test label enables them.
.rules:tests:unit_test:
  rules:
    - <<: *if-protected-no_label
    - <<: *if-label-unit_test-all_labels
# Per-target unit tests: the generic unit_test label or the target-specific one.
.rules:tests:unit_test_32:
  rules:
    - <<: *if-protected-no_label
    - <<: *if-label-unit_test
    - <<: *if-label-unit_test-32
.rules:tests:unit_test_s2:
  rules:
    - <<: *if-protected-no_label
    - <<: *if-label-unit_test
    - <<: *if-label-unit_test-s2
.rules:tests:unit_test_c3:
  rules:
    - <<: *if-protected-no_label
    - <<: *if-label-unit_test
    - <<: *if-label-unit_test-c3
.rules:tests:integration_test:
  rules:
    - <<: *if-protected-no_label
    - <<: *if-label-integration_test
# Test assignment: runs for any label that can produce target tests, i.e. the
# union of the per-group conditions below, plus protected refs.
.rules:assign_test:target_test-integration_test-weekend_test:
  rules:
    - <<: *if-protected-no_label
    - <<: *if-label-regular_test
    - <<: *if-label-example_test
    - <<: *if-label-custom_test
    - <<: *if-label-unit_test-all_labels
    - <<: *if-label-integration_test
    - <<: *if-label-weekend_test
# build_tests: the build for a test group runs on protected refs, on the
# build / regular_test labels, or on the group's own label(s).
.rules:build_tests:integration_test:
  rules:
    - <<: *if-protected-no_label
    - <<: *if-label-build
    - <<: *if-label-regular_test
    - <<: *if-label-integration_test
.rules:build_tests:weekend_test:
  rules:
    - <<: *if-protected-no_label
    - <<: *if-label-build
    - <<: *if-label-regular_test
    - <<: *if-label-weekend_test
.rules:build_tests:unit_test:
  rules:
    - <<: *if-protected-no_label
    - <<: *if-label-build
    - <<: *if-label-regular_test
    - <<: *if-label-unit_test-all_labels
.rules:build_tests:example_test-weekend_test:
  rules:
    - <<: *if-protected-no_label
    - <<: *if-label-build
    - <<: *if-label-regular_test
    - <<: *if-label-example_test
    - <<: *if-label-weekend_test
.rules:build_tests:custom_test-weekend_test:
  rules:
    - <<: *if-protected-no_label
    - <<: *if-label-build
    - <<: *if-label-regular_test
    - <<: *if-label-custom_test
    - <<: *if-label-weekend_test
# target_test covers example, custom and unit tests together.
.rules:build_tests:target_test:
  rules:
    - <<: *if-protected-no_label
    - <<: *if-label-build
    - <<: *if-label-regular_test
    - <<: *if-label-example_test
    - <<: *if-label-custom_test
    - <<: *if-label-unit_test-all_labels
.rules:build_tests:target_test-weekend_test:
  rules:
    - <<: *if-protected-no_label
    - <<: *if-label-build
    - <<: *if-label-regular_test
    - <<: *if-label-example_test
    - <<: *if-label-custom_test
    - <<: *if-label-unit_test-all_labels
    - <<: *if-label-weekend_test
# SBOM consistency check (submodule checkout hash vs. sbom-* info in
# .gitmodules). Runs on every protected-ref pipeline — note the plain
# .if-protected anchor without the no_label condition, so it is not skipped by
# a labelled bot trigger — on the regular_test / host_test labels, and on dev
# pushes only when the SBOM tool or a listed submodule path / .gitmodules changed.
.rules:patterns:sbom:
  rules:
    - <<: *if-protected
    - <<: *if-label-regular_test
    - <<: *if-label-host_test
    # `changes:` narrows the dev-push entries; .if-dev-push alone would run the
    # check on every push.
    - <<: *if-dev-push
      changes: *patterns-sbom
    - <<: *if-dev-push
      changes: *patterns-submodule