karapace/scripts/generate-sbom.sh at main - marcoallegretti/karapace - Marco's Code Hub (Forgejo): an attempt to group together the code from my projects and those I contribute to

marcoallegretti/karapace

mirror of https://github.com/marcoallegretti/karapace.git synced 2026-03-26 21:43:09 +00:00

Marco Allegretti 62b9b569be fix supply chain: bump cargo-cyclonedx 0.5.7, fix SBOM generation, fix rmeta test

- Bump cargo-cyclonedx from 0.5.5 to 0.5.7 (supports lockfile v4)
- Generate SBOM for karapace-cli crate only (single predictable file)
- Fix --output-prefix → --override-filename (CLI change in 0.5.x)
- Fix rmeta tampering test: accept build failure as valid defense
  (cargo rejects corrupted .rmeta with compilation errors)

2026-02-22 20:31:08 +01:00

10 lines

288 B

Bash

Executable file

Raw Permalink Blame History

 #!/usr/bin/env bash
 set -euo pipefail
 command -v cargo-cyclonedx >/dev/null 2>&1 || {
     echo "Installing cargo-cyclonedx..."
     cargo install cargo-cyclonedx@0.5.7 --locked
 }
 cargo cyclonedx --format json --override-filename karapace_bom
 echo "SBOM written to karapace_bom.cdx.json"