cdxgen to v1 with orchestration for writing to dependency track for now

Author: northdpole

components/scanners/cdxgen/README.md

@@ -0,0 +1,4 @@
+# cdxgen
+
+This component implements a [scanner](https://github.com/smithy-security/smithy/blob/main/sdk/component/component.go)
+that runs CDXGEN and puts the results in a waiting Dependency Track instance. The component does not parse or handle the produced SBOM any other way for now.

components/scanners/cdxgen/component.yaml

@@ -0,0 +1,30 @@
+name: cdxgen
+description: "Creates an SBOM then sends it to a remote Dependency Track"
+type: scanner
+parameters:
+  - name: backend_server_url
+    type: string
+    value: ""
+  - name: api_key
+    type: string
+    value: ""
+  - name: project_name
+    type: string
+    value: ""
+  - name: project_version
+    type: string
+    value: ""
+steps:
+  - name: run-cdxgen
+    image: ghcr.io/cyclonedx/cdxgen:latest
+
+    executable: "node"
+    args:
+     - "/opt/cdxgen/bin/cdxgen.js"
+     - --server-url='{{.parameters.backend_server_url}}'
+     - --skip-dt-tls-check=true
+     - --api-key='{{.parameters.api_key}}'
+     - --project-name='{{.parameters.project_name}}'
+     - --project-version='{{.parameters.project_version}}'
+     - --output={{scratchWorkspace}}/sbom.cyclonedx.json
+     - '{{sourceCodeWorkspace}}'

examples/cdxgen/overrides.yaml

@@ -0,0 +1,17 @@
+git-clone:
+- name: "repo_url"
+  type: "string"
+  value: ""
+cdxgen:
+- name: "backend_server_url"
+  type: "string"
+  value: ""
+- name: "api_key"
+  type: "string"
+  value: ""
+- name: "project_name"
+  type: "string"
+  value: ""
+- name: "project_version"
+  type: "string"
+  value: ""

examples/cdxgen/workflow.yaml

@@ -0,0 +1,5 @@
+description: cdxgen based workflow
+name: cdxgen
+components:
+- component: file://components/targets/git-clone/component.yaml
+- component: file://components/scanners/cdxgen/component.yaml