generate-sbom.sh
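#!/usr/bin/env bash
# Generate a CycloneDX SBOM for the Rust workspace and record its BLAKE3 digest.
#
# Usage:    run from the directory that contains the workspace Cargo.toml.
# Requires: cargo-sbom or cargo-cyclonedx on PATH; b3sum is optional.
# Outputs:  sbom/org-17711-mesh-v<version>.cdx.json and, when b3sum is
#           available, a sibling <file>.b3 holding "<hash> <path>".
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
# jlog / jwarn / jfatal come from lib/log.sh, which is not shown here.
source "${SCRIPT_DIR}/lib/log.sh"

# Cargo.toml is read relative to the current directory, so fail with a clear
# message rather than letting a missing file abort the script without a log line.
if [[ ! -f Cargo.toml ]]; then
  jfatal "Cargo.toml not found in current directory" cwd="${PWD}"
  exit 1
fi

# Take the first quoted value on the first line that starts with "version".
# A single awk avoids the grep|head pipeline, whose non-zero status under
# pipefail would end the script silently when no line matches.
VERSION=$(awk -F'"' '/^version/ { print $2; exit }' Cargo.toml)

# VERSION becomes part of an output path, so accept only semver-style
# characters. This rejects an empty value, an unquoted entry such as
# "version.workspace = true", and anything containing "/" or whitespace.
if [[ ! "${VERSION}" =~ ^[0-9A-Za-z][0-9A-Za-z.+-]*$ ]]; then
  jfatal "could not read a usable version from Cargo.toml" version="${VERSION}"
  exit 1
fi

OUTDIR="sbom"
OUTFILE="${OUTDIR}/org-17711-mesh-v${VERSION}.cdx.json"
# Generate into a scratch file first, so a failed run never leaves a truncated
# SBOM under the final name.
PARTIAL="${OUTFILE}.partial"

mkdir -p "${OUTDIR}"
trap 'rm -f -- "${PARTIAL}"' EXIT

# A digest left over from an earlier run would no longer match the regenerated
# SBOM; drop it so a stale .b3 is never shipped if b3sum is missing this time.
rm -f -- "${OUTFILE}.b3"

jlog "SBOM generation started" version="${VERSION}" output="${OUTFILE}"

if command -v cargo-sbom &>/dev/null; then
  cargo sbom --output-format cyclonedx-json > "${PARTIAL}"
elif command -v cargo-cyclonedx &>/dev/null; then
  # Remove any bom.json from a previous run so only fresh output is picked up.
  rm -f -- "${OUTDIR}/bom.json"
  # NOTE(review): flags kept as in the original; confirm that the installed
  # cargo-cyclonedx version accepts them and writes ${OUTDIR}/bom.json.
  cargo cyclonedx --format json --output "${OUTDIR}/"
  if [[ ! -f "${OUTDIR}/bom.json" ]]; then
    jfatal "cargo-cyclonedx did not produce the expected file" file="${OUTDIR}/bom.json"
    exit 1
  fi
  mv -- "${OUTDIR}/bom.json" "${PARTIAL}"
else
  jfatal "no SBOM tool found — install cargo-sbom" tool="cargo-sbom"
  exit 1
fi

# An empty SBOM is treated as a failure, not as a valid artifact.
if [[ ! -s "${PARTIAL}" ]]; then
  jfatal "SBOM tool produced no output" file="${OUTFILE}"
  exit 1
fi
mv -- "${PARTIAL}" "${OUTFILE}"

jlog "SBOM written" file="${OUTFILE}"

if command -v b3sum &>/dev/null; then
  HASH=$(b3sum "${OUTFILE}" | awk '{print $1}')
  # NOTE(review): one space between hash and path is kept from the original.
  # If consumers verify with `b3sum --check`, confirm it accepts this layout
  # and that they run it from the directory this script ran in, since the
  # recorded path is relative.
  printf '%s %s\n' "${HASH}" "${OUTFILE}" > "${OUTFILE}.b3"
  jlog "BLAKE3 hash computed" hash="${HASH}" file="${OUTFILE}"
else
  # Best-effort by design: the SBOM is still produced, but without a digest
  # downstream consumers cannot check its integrity.
  jwarn "b3sum not found — BLAKE3 hash not computed"
fi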