lib/github.sh, GitHub SBOM Download Retry, Licenses 2025-08-01 (#32)

* lib/github.sh, GitHub SBOM Download Retry, Licenses 2025-08-01

Signed-off-by: Julio Jimenez <julio@clickhouse.com>

* lib/github.sh, GitHub SBOM Download Retry, Licenses 2025-08-01

Signed-off-by: Julio Jimenez <julio@clickhouse.com>

* github download retry logic

Signed-off-by: Julio Jimenez <julio@clickhouse.com>

* licenses

Signed-off-by: Julio Jimenez <julio@clickhouse.com>

---------

Signed-off-by: Julio Jimenez <julio@clickhouse.com>

Author: juliojimenez

README.md

@@ -137,7 +137,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM
-        uses: ClickHouse/ClickBom@v1.0.6
+        uses: ClickHouse/ClickBom@v1.0.7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -180,7 +180,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM
-        uses: ClickHouse/ClickBom@v1.0.6
+        uses: ClickHouse/ClickBom@v1.0.7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -234,7 +234,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM
-        uses: ClickHouse/ClickBom@v1.0.6
+        uses: ClickHouse/ClickBom@v1.0.7
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -299,7 +299,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM
-        uses: ClickHouse/ClickBom@v1.0.6
+        uses: ClickHouse/ClickBom@v1.0.7
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -363,7 +363,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM
-        uses: ClickHouse/ClickBom@v1.0.6
+        uses: ClickHouse/ClickBom@v1.0.7
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -405,7 +405,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM
-        uses: ClickHouse/ClickBom@v1.0.6
+        uses: ClickHouse/ClickBom@v1.0.7
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -459,7 +459,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Merge Production SBOMs Only
-        uses: ClickHouse/ClickBom@v1.0.6
+        uses: ClickHouse/ClickBom@v1.0.7
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -514,7 +514,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM from Mend
-        uses: ClickHouse/ClickBom@v1.0.6
+        uses: ClickHouse/ClickBom@v1.0.7
         with:
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
           aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
@@ -565,7 +565,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM from Wiz
-        uses: ClickHouse/ClickBom@v1.0.6
+        uses: ClickHouse/ClickBom@v1.0.7
         with:
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
           aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}

entrypoint.sh

@@ -9,79 +9,7 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "$SCRIPT_DIR/lib/sanitize.sh"
 source "$SCRIPT_DIR/lib/common.sh"
 source "$SCRIPT_DIR/lib/validation.sh"
-
-# Download SBOM from GitHub repository
-download_sbom() {
-    local repo="$1"
-    local output_file="$2"
-    
-    log_info "Downloading SBOM from $repo"
-    
-    # GitHub API URL for SBOM
-    local api_url="https://api.github.com/repos/$repo/dependency-graph/sbom"
-
-    # Authentication header
-    local auth_header="Authorization: Bearer $GITHUB_TOKEN"
-    
-    # Download SBOM file with optimizations for large files
-    log_info "Starting SBOM download (may take time for large files)..."
-
-    if curl -L \
-            --max-time 300 \
-            --connect-timeout 30 \
-            --retry 3 \
-            --retry-delay 5 \
-            --retry-max-time 180 \
-            --silent \
-            --show-error \
-            --compressed \
-            -H "Accept: application/vnd.github+json" \
-            -H "$auth_header" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            "$api_url" \
-            -o "$output_file"; then
-        # Verify the download
-        if [[ -f "$output_file" && -s "$output_file" ]]; then
-            local file_size
-            file_size=$(du -h "$output_file" | cut -f1)
-            log_success "SBOM downloaded successfully ($file_size)"
-            
-            # Debug: Show first few lines of downloaded content
-            log_debug "First 200 characters of downloaded content:"
-            if [[ "${DEBUG:-false}" == "true" ]]; then
-                head -c 200 "$output_file" | tr '\n' ' ' | sed 's/[[:space:]]\+/ /g'
-                echo ""
-            fi
-            
-            # Quick validation that it's JSON
-            if ! jq . "$output_file" > /dev/null 2>&1; then
-                log_error "Downloaded file is not valid JSON"
-                log_error "Content preview:"
-                head -n 5 "$output_file" || cat "$output_file"
-                exit 1
-            fi
-            
-            # Check if it looks like an error response
-            if jq -e '.message' "$output_file" > /dev/null 2>&1; then
-                local error_message
-                error_message=$(jq -r '.message' "$output_file")
-                log_error "GitHub API returned error: $error_message"
-                exit 1
-            fi
-        else
-            log_error "Downloaded file is empty or missing"
-            exit 1
-        fi
-    else
-        log_error "Failed to download SBOM file"
-        log_error "This could be due to:"
-        log_error "  - Network timeout (file too large)"
-        log_error "  - Authentication issues"
-        log_error "  - Repository doesn't have dependency graph enabled"
-        log_error "  - SBOM not available for this repository"
-        exit 1
-    fi
-}
+source "$SCRIPT_DIR/lib/github.sh"
 
 # Authenticate with Mend API and get JWT token
 authenticate_mend() {

lib/github.sh

@@ -0,0 +1,136 @@
+#!/bin/bash
+# GitHub SBOM download and processing
+
+source "$(dirname "${BASH_SOURCE[0]}")/common.sh"
+
+# Download SBOM from GitHub repository
+download_sbom() {
+    local repo="$1"
+    local output_file="$2"
+    local max_attempts=3
+    local base_delay=30
+    
+    log_info "Downloading SBOM from $repo"
+    
+    # GitHub API URL for SBOM
+    local api_url="https://api.github.com/repos/$repo/dependency-graph/sbom"
+
+    # Authentication header
+    local auth_header="Authorization: Bearer $GITHUB_TOKEN"
+    
+    for attempt in $(seq 1 $max_attempts); do
+        # Download SBOM file with optimizations for large files
+        log_info "Starting SBOM download $attempt/$max_attempts (may take time for large files)..."
+
+        # Calculate delay for this attempt (exponential backoff)
+        local delay=$((base_delay * attempt))
+
+        if curl -L \
+                --max-time 600 \
+                --connect-timeout 60 \
+                --retry 2 \
+                --retry-delay 10 \
+                --retry-max-time 120 \
+                --silent \
+                --show-error \
+                --compressed \
+                -H "Accept: application/vnd.github+json" \
+                -H "$auth_header" \
+                -H "X-GitHub-Api-Version: 2022-11-28" \
+                "$api_url" \
+                -o "$output_file"; then
+            # Verify the download
+            if [[ -f "$output_file" && -s "$output_file" ]]; then
+                local file_size
+                file_size=$(du -h "$output_file" | cut -f1)
+                log_success "SBOM downloaded successfully ($file_size) on attempt $attempt"
+            
+                # Debug: Show first few lines of downloaded content
+                log_debug "First 200 characters of downloaded content:"
+                if [[ "${DEBUG:-false}" == "true" ]]; then
+                    head -c 200 "$output_file" | tr '\n' ' ' | sed 's/[[:space:]]\+/ /g'
+                    echo ""
+                fi
+            
+                # Quick validation that it's JSON
+                if ! jq . "$output_file" > /dev/null 2>&1; then
+                    log_warning "Downloaded file is not valid JSON on attempt $attempt"
+                    log_error "Content preview:"
+                    head -n 5 "$output_file" || cat "$output_file"
+
+                    # If not last attempt, continue to retry
+                    if [[ $attempt -lt $max_attempts ]]; then
+                        log_info "Invalid JSON received, waiting ${delay} seconds before retry..."
+                        sleep $delay
+                        continue
+                    else
+                        log_error "Downloaded file is not valid JSON after all attempts"
+                        exit 1
+                    fi
+                fi
+            
+                # Check if it looks like an error response
+                if jq -e '.message' "$output_file" > /dev/null 2>&1; then
+                    local error_message
+                    error_message=$(jq -r '.message' "$output_file")
+                    # Check if it's a timeout or generation error that we can retry
+                    if [[ "$error_message" =~ "Request timed out" ]] || [[ "$error_message" =~ "Failed to generate SBOM" ]] || [[ "$error_message" =~ "timeout" ]]; then
+                        log_warning "GitHub SBOM generation timed out on attempt $attempt: $error_message"
+                        
+                        if [[ $attempt -lt $max_attempts ]]; then
+                            log_info "GitHub's SBOM generation timed out, waiting ${delay} seconds before retry..."
+                            sleep $delay
+                            continue
+                        else
+                            log_error "GitHub SBOM generation failed after $max_attempts attempts"
+                            log_error "Final error: $error_message"
+                            log_error "This repository may be too large or complex for GitHub's SBOM generation"
+                            log_error "Possible solutions:"
+                            log_error "  - Try again later when GitHub's service load is lower"
+                            log_error "  - Consider using alternative SBOM sources (Mend, Wiz)"
+                            log_error "  - Break down the repository analysis into smaller components"
+                            exit 1
+                        fi
+                    else
+                        # Non-retryable error
+                        log_error "GitHub API returned error: $error_message"
+                        exit 1
+                    fi
+                fi
+
+                # Success - SBOM downloaded and validated
+                log_success "SBOM download completed successfully"
+                return 0
+            else
+                log_error "Downloaded file is empty or missing on attempt $attempt"
+                if [[ $attempt -lt $max_attempts ]]; then
+                    log_info "Empty file received, waiting ${delay} seconds before retry..."
+                    sleep $delay
+                    continue
+                else
+                    log_error "Downloaded file is empty or missing after all attempts"
+                    exit 1
+                fi
+            fi
+        else
+            local curl_exit_code=$?
+            log_warning "Curl failed on attempt $attempt with exit code: $curl_exit_code"
+            
+            if [[ $attempt -lt $max_attempts ]]; then
+                log_info "Network request failed, waiting ${delay} seconds before retry..."
+                sleep $delay
+                continue
+            else
+                log_error "Failed to download SBOM file after $max_attempts attempts"
+                log_error "This could be due to:"
+                log_error "  - Repository is too large for GitHub's SBOM generation (common cause)"
+                log_error "  - GitHub's SBOM service is experiencing high load or issues"
+                log_error "  - Network connectivity problems"
+                log_error "  - Authentication issues with the provided token"
+                log_error "  - Repository doesn't have dependency graph enabled"
+                log_error "  - SBOM feature not available for this repository type"
+                exit 1
+            fi
+        fi
+    done
+}

license-mappings.json

@@ -616,18 +616,88 @@
   "github.com/mattn/go-tty": "MIT",
   "github.com/matttproud/golang_protobuf_extensions": "Apache-2.0",
   "github.com/mdlayher/netlink": "MIT",
+  "github.com/mdlayher/socket": "MIT",
+  "github.com/mdlayher/vsock": "MIT",
+  "github.com/mfridman/interpolate": "MIT",
+  "github.com/mfridman/xflag": "MIT",
+  "github.com/mgechev/revive": "MIT",
+  "github.com/microcosm-cc/bluemonday": "BSD-3-Clause",
+  "github.com/microsoft/go-mssqldb": "BSD-3-Clause",
   "github.com/Microsoft/go-winio": "MIT",
   "github.com/Microsoft/hcsshim": "MIT",
+  "github.com/miekg/dns": "BSD-3-Clause",
+  "github.com/minio/md5-simd": "Apache-2.0",
+  "github.com/minio/minio-go/v7": "Apache-2.0",
+  "github.com/minio/sha256-simd": "Apache-2.0",
+  "github.com/mitchellh/colorstring": "MIT",
+  "github.com/mitchellh/copystructure": "MIT",
+  "github.com/mitchellh/go-homedir": "MIT",
+  "github.com/mitchellh/go-ps": "MIT",
+  "github.com/mitchellh/go-wordwrap": "MIT",
+  "github.com/mitchellh/hashstructure": "MIT",
+  "github.com/mitchellh/mapstructure": "MIT",
+  "github.com/mitchellh/reflectwalk": "MIT",
   "github.com/mkevac/debugcharts": "MIT",
   "github.com/moby/docker-image-spec": "Apache-2.0",
   "github.com/moby/go-archive": "Apache-2.0",
+  "github.com/moby/locker": "Apache-2.0",
   "github.com/moby/patternmatcher": "Apache-2.0",
+  "github.com/moby/spdystream": "Apache-2.0",
+  "github.com/moby/sys/atomicwriter": "Apache-2.0",
   "github.com/moby/sys/sequential": "Apache-2.0",
   "github.com/moby/sys/user": "Apache-2.0",
   "github.com/moby/sys/userns": "Apache-2.0",
   "github.com/moby/term": "Apache-2.0",
+  "github.com/modern-go/concurrent": "Apache-2.0",
+  "github.com/modern-go/reflect2": "Apache-2.0",
+  "github.com/monochromegane/go-gitignore": "MIT",
+  "github.com/moricho/tparallel": "MIT",
   "github.com/morikuni/aec": "MIT",
+  "github.com/mostynb/go-grpc-compression": "MIT",
+  "github.com/motemen/go-loghttp": "MIT",
+  "github.com/motemen/go-nuts": "MIT",
+  "github.com/mozillazg/go-httpheader": "MIT",
+  "github.com/muesli/ansi": "MIT",
+  "github.com/muesli/cancelreader": "MIT",
+  "github.com/muesli/reflow": "MIT",
+  "github.com/muesli/termenv": "MIT",
+  "github.com/munnerz/goautoneg": "BSD-3-Clause",
+  "github.com/mwitkow/go-conntrack": "Apache-2.0",
+  "github.com/mxk/go-flowrate": "BSD-3-Clause",
+  "github.com/nakabonne/nestif": "BSD-2-Clause",
+  "github.com/ncruces/go-strftime": "MIT",
+  "github.com/ncw/swift": "MIT",
+  "github.com/neilotoole/jsoncolor": "MIT",
+  "github.com/nexus-rpc/sdk-go": "MIT",
+  "github.com/nicksnyder/go-i18n/v2": "MIT",
   "github.com/NimbleMarkets/ntcharts": "MIT",
+  "github.com/nishanths/exhaustive": "BSD-2-Clause",
+  "github.com/nishanths/predeclared": "BSD-3-Clause",
+  "github.com/nqd/flat": "MIT",
+  "github.com/nunnatsa/ginkgolinter": "MIT",
+  "github.com/oapi-codegen/runtime": "Apache-2.0",
+  "github.com/oklog/run": "Apache-2.0",
+  "github.com/oklog/ulid": "Apache-2.0",
+  "github.com/olekukonko/tablewriter": "MIT",
+  "github.com/olivere/elastic/v7": "MIT",
+  "github.com/onsi/ginkgo": "MIT",
+  "github.com/onsi/ginkgo/v2": "MIT",
+  "github.com/onsi/gomega": "MIT",
+  "github.com/open-telemetry/opentelemetry-collector-contrib/connector/routingconnector": "Apache-2.0",
+  "github.com/open-telemetry/opentelemetry-collector-contrib/exporter/clickhouseexporter": "Apache-2.0",
+  "github.com/open-telemetry/opentelemetry-collector-contrib/exporter/fileexporter": "Apache-2.0",
+  "github.com/open-telemetry/opentelemetry-collector-contrib/exporter/prometheusexporter": "Apache-2.0",
+  "github.com/open-telemetry/opentelemetry-collector-contrib/extension/healthcheckextension": "Apache-2.0",
+  "github.com/open-telemetry/opentelemetry-collector-contrib/extension/k8sleaderelector": "Apache-2.0",
+  "github.com/open-telemetry/opentelemetry-collector-contrib/extension/oidcauthextension": "Apache-2.0",
+  "github.com/open-telemetry/opentelemetry-collector-contrib/extension/pprofextension": "Apache-2.0",
+  "github.com/open-telemetry/opentelemetry-collector-contrib/extension/storage/filestorage": "Apache-2.0",
+  "github.com/open-telemetry/opentelemetry-collector-contrib/internal/aws/ecsutil": "Apache-2.0",
+  "github.com/open-telemetry/opentelemetry-collector-contrib/internal/common": "Apache-2.0",
+  "github.com/open-telemetry/opentelemetry-collector-contrib/internal/coreinternal": "Apache-2.0",
+  "github.com/open-telemetry/opentelemetry-collector-contrib/internal/filter": "Apache-2.0",
+  "github.com/open-telemetry/opentelemetry-collector-contrib/internal/k8sconfig": "Apache-2.0",
+  "github.com/open-telemetry/opentelemetry-collector-contrib/internal/metadataproviders": "Apache-2.0",
   "github.com/opencontainers/go-digest": "Apache-2.0",
   "github.com/opencontainers/image-spec": "Apache-2.0",
   "github.com/OpenPeeDeeP/depguard/v2": "GPL-3.0",

test/advanced.bats

@@ -19,6 +19,7 @@ setup() {
     sed -i "s|source \"\$SCRIPT_DIR/lib/sanitize.sh\"|source \"$PROJECT_ROOT/lib/sanitize.sh\"|" "$TEST_SCRIPT"
     sed -i "s|source \"\$SCRIPT_DIR/lib/common.sh\"|source \"$PROJECT_ROOT/lib/common.sh\"|" "$TEST_SCRIPT"
     sed -i "s|source \"\$SCRIPT_DIR/lib/validation.sh\"|source \"$PROJECT_ROOT/lib/validation.sh\"|" "$TEST_SCRIPT"
+    sed -i "s|source \"\$SCRIPT_DIR/lib/github.sh\"|source \"$PROJECT_ROOT/lib/github.sh\"|" "$TEST_SCRIPT"
 
     # Source the functions
     source "$TEST_SCRIPT"