[CRAVEX] SCA Integrations: ORT (part.1) (#1837)

Signed-off-by: tdruez <tdruez@nexb.com>

Author: tdruez

.github/workflows/sca-integration-ort.yml

@@ -0,0 +1,50 @@
+name: Generate SBOM with ORT and load into ScanCode.io
+
+# This workflow:
+#  1. Generates a CycloneDX SBOM for a requirement.txt file using ORT.
+#  2. Uploads the SBOM as a GitHub artifact for future inspection.
+#  3. Loads the SBOM into ScanCode.io for further analysis.
+#  4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
+#
+# It runs on demand, and once a week (scheduled).
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run once a week (every 7 days) at 00:00 UTC on Sunday
+    - cron: "0 0 * * 0"
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  generate-and-load-sbom:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Create a Python requirements.txt
+        run: |
+          cat << 'EOF' > requirements.txt
+          amqp==5.1.1
+          appdirs==1.4.4
+          asgiref==3.5.2
+          urllib3==1.26.0
+          EOF
+
+      - name: Run GitHub Action for ORT
+        uses: oss-review-toolkit/ort-ci-github-action@v1
+
+      - name: Import SBOM into ScanCode.io
+        uses: aboutcode-org/scancode-action@main
+        with:
+          pipelines: "load_sbom"
+          inputs-path: "${{ env.ORT_RESULTS_PATH }}/bom.cyclonedx.json"
+          scancodeio-repo-branch: "main"
+
+      - name: Verify SBOM Analysis Results in ScanCode.io
+        shell: bash
+        run: |
+          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 5; assert package_manager.vulnerable().count() >= 1; assert DiscoveredDependency.objects.count() >= 1"

docs/faq.rst

@@ -376,9 +376,10 @@ are actively supported and tested::
   - Anchore: https://anchore.com/sbom/
   - CycloneDX cdxgen: https://cyclonedx.github.io/cdxgen/
   - OWASP dep-scan: https://owasp.org/www-project-dep-scan/
+  - OSS Review Toolkit (ORT): https://oss-review-toolkit.org/ort/
+  - OSV-Scanner: https://osv.dev/
   - SBOM tool: https://github.com/microsoft/sbom-tool/
   - Trivy: https://trivy.dev/
-  - OSV-Scanner: https://osv.dev/
 
 .. note:: Imported SBOMs must follow the SPDX or CycloneDX standards, in JSON format.
    You can use the ``load_sbom`` pipeline to process and enhance these SBOMs in your

scanpipe/pipes/benchmark.py

@@ -70,8 +70,6 @@ def compare_purls(project, expected_purls):
     - Lines starting with '+' are unexpected in the project.
     """
     sorted_project_purls = get_unique_project_purls(project)
-    print(sorted_project_purls)
-
     diff_result = difflib.ndiff(sorted_project_purls, expected_purls)
 
     # Keep only lines that are diffs (- or +)