The Disclosure-CLI provides an easy way to access the public api of the FOSS Disclosure Portal. It is the recommended tool for external suppliers who do not have access to the Disclosure Portal and need access to the project data.
With the Disclosure-CLI external suppliers can:
- Create new project versions
- Access policy rules
- Upload SBOM files
- Set a reference to the corresponding source code
- Get general information about the project
We distribute the Disclosure-CLI as executables, container image and github action.
You can download the binaries for the Disclosure-CLI in the GitHub releases page.
You can also download the source code and build it yourself.
git clone https://github.com/mercedes-benz/disclosure-cli.git
cd disclosure-cli
go build -o disclosure-cli
You can pull a Disclosure-CLI image from https://github.com/orgs/mercedes-benz/packages or build it yourself with the Dockerfile provided in the repository.
docker pull ghcr.io/mercedes-benz/disclosure-cli:0.7.2-amd64
or
git clone https://github.com/mercedes-benz/disclosure-cli.git
cd disclosure-cli
docker build . -t disclosure-cli
Run the image to get project information
docker run disclosure-cli project details -H HOST -u PROJECT_UUID -t TOKEN
Run the image to upload a sbom file to a project version
docker run -v $(pwd)/sbom.spdx.json:/sbom.spdx.json disclosure-cli version sbomUpload sbom.spdx.json -H HOST -u PROJECT_UUID -t TOKEN -v VERSION
The definition of the action can be found in the file action.yml in the repository. A working example (sbom-upload.yml) can be found in the .github/workflows folder.
The recommended way to use the Disclosure-CLI as executable is with a config file, but you can also set environment variables or use flags with your commands instead.
The config file needs to be in the same folder as the Disclosure-CLI, needs to be named config.yml and must have the following structure:
projecttoken: "project-token"
projectuuid: "project-uuid"
projectversion: "1.0"
host: "PUBLIC API"The environment variables mus be named as follows:
INPUT_TOKEN
INPUT_PROJECT_UUID
INPUT_PROJECT_VERSION
INPUT_HOST
./disclosure-cli
A Disclosure Portal client for the disclosure public api.
Manage your projects with this client.
Usage:
disclosure-cli [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
help Help about any command
project Execute a project command
sbom Execute a project version sbom command
sha256 Generates a sha256 hash
version Execute a project version command
Flags:
-c, --configFile string location of the config file (default "./config.yml")
-h, --help help for disclosure-cli
-t, --token string disclosure-cli project token
-u, --uuid string uuid of the project
-v, --version string version of the project (default "1.0")
Use "disclosure-cli [command] --help" for more information about a command.
// Retrieving project detail
./disclosure-cli project details -H HOST -u PROJECT_UUID -t TOKEN
// Upload sbom to a project version
./disclosure-cli version sbomUpload FILENAME -H HOST -u PROJECT_UUID -t TOKEN -v VERSION
project details Returning the project details
project policyrules Returning the project policy rules
project sbomCheck On demand check for SBOM files
project schema Returning the project schema
project status Returning the project status
version ccs CCS status
version ccsAdd Add reference (url) to complete corresponding source code
version create Create version
version details Returning the project version details
version list Returning the project version list
version sbomDetails Details of SBOM
version sbomNotice Get third party notice information for a SBOM as html / json / text
version sbomStatus Status information of SBOM
version sbomUpload Uploads SBOM file to a project version
version sboms List of all uploaded SBOMS
sbom tag Add tag to a sbom
Note 12-06-2023: 2024 we will review the disclosure-cli to restructure the command structure and add new features. With the current release we establish a new "sbom" command with a new sub command to add tags to a sbom. Existing sbom commands (sbomDetails, sbomNotice, sbomStatus, sbomUpload, sboms) will move to the new "sbom" command in 2024.
version sbomUpload -h
The next few steps will guide you through a Disclosure Portal project with the Disclosure-CLI. In this guided example we will use a config file to access our project, but you can also use flags or environment variables.
For the next few steps you need a project in the Disclosure Portal, and the unique identifier and token of your project.
You can skip to the Disclosure-CLI subsection, if you already have this data.
Disclosure Portal
Only project owners in the Disclosure Portal have the permissions to do these steps.
a) Create a new Project in the Disclosure Portal. Take note of the Unique identifier of the project, you will need it in a moment.
b) Create a token. You will need this token to access your project with the Disclosure-CLI.
Disclosure-CLI
a) Create a new folder wherever you want. I will call this folder disclosure-cli, but you can name it differently.
b) Download the source code for the Disclosure-CLI client and build it.
go build -o disclosure-cli
c) Move disclosure-cli into your created folder (a)
d) Create a new config file named config.yml with the following attributes and values in the same folder
projecttoken: "project-token"
projectuuid: "project-uuid"
projectversion: "1.0"
host: "" // host needs to be changed to public apiIf you have just created a new project, your project on the Disclosure Portal won't have a project version yet.
We will create a version 1.0 in the following steps.
./disclosure-cli project details
{
"name": "disclosure-cli-example",
"uuid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee",
"created": "2022-03-16T14:54:13.306719888Z",
"updated": "2022-03-16T15:13:45.461701011Z",
"schema": "EnterpriseIT",
"description": "This is the example project for the cli client."
}
Our project still does not have a project version. Let's create one.
./disclosure-cli version create "1.0" "First iteration of the disclosure-cli example"
{
"success": true,
"message": "version created",
"key": "ab02a5b5-8923-41pb-9a9b-cd5836d66dbe"
}
Let's have a look at the project versions of our project. There should only be one ;)
./disclosure-cli version list
[
"1.0"
]
Next we will upload the SBOM and look at the metadata of the SBOM.
The SBOM is always related to a specific project version. In our case it is 1.0 as described in our config.yml.
./disclosure-cli version sbomUpload ./disclosure-cli/sbom.json
{
"docIsValid": true,
"validationFailedMessage": "",
"hash": "77a50e85477db7580d3052403a8d1ebe4ad9a3b912ad18e3a3b4f0ccecf36c65",
"fileUploaded": true,
"id": "SPDXRef-DOCUMENT"
}
./disclosure-cli version sbomDetails
{
"name": "Disclosure-CLI,
"id": "SPDXRef-DOCUMENT",
"version": "SPDX-2.2",
"creators": "Tool: xxx",
"created": "2022-03-16T14:54:13.306719888Z",
"updated": "2022-03-16T15:13:45.461701011Z",
"status": true
}
We welcome any contributions. If you want to contribute to this project, please read the contributing guide.
Please read our Code of Conduct as it is our base for interaction.
This project is licensed under the MIT LICENSE.
Please visit https://github.com/mercedes-benz/foss/blob/master/PROVIDER_INFORMATION.md for information on the provider.
Notice: Before you use the program in productive use, please take all necessary precautions, e.g. testing and verifying the program with regard to your specific use. The program was tested solely for our own use cases, which might differ from yours.