From cf62ba0a938094538eef94474c55d2e4dcfbcfe6 Mon Sep 17 00:00:00 2001
From: Giannin
Date: Fri, 25 Oct 2024 10:48:46 +0200
Subject: [PATCH] feature/143-aii-eft-delivery Pin SBOM version to 1.4
---
 .github/workflows/release-docker-image.yml | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release-docker-image.yml b/.github/workflows/release-docker-image.yml
index 7083d85c..f477600e 100644
--- a/.github/workflows/release-docker-image.yml
+++ b/.github/workflows/release-docker-image.yml
@@ -111,16 +111,16 @@ jobs:
 uses: anchore/sbom-action@v0
 with:
 image: ghcr.io/puzzle/unilu-pruefungsabfrage:${{ needs.create-release.outputs.imageVersion }}
- output-file: application-sbom.xml
- format: cyclonedx
+ output-file: application-sbom.spdx
+ format: spdx
 upload-artifact: false
 - name: Generate SBOM for Shibboleth SP Docker image
 uses: anchore/sbom-action@v0
 with:
 image: ghcr.io/puzzle/unilu-pruefungsabfrage-shibboleth-sp:${{ needs.create-release.outputs.imageVersion }}
- output-file: shibboleth-sp-sbom.xml
- format: cyclonedx
+ output-file: shibboleth-sp-sbom.spdx
+ format: spdx
 upload-artifact: false
 - name: Install cyclonedx-cli
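Review bot: With both `format:` inputs changed to `spdx`, the CycloneDX files that reach the merge step are no longer the scanner's native output but the result of a cross-format conversion, so any component detail that does not survive the SPDX round trip is missing from the merged SBOM; it is worth checking that package URLs still arrive, since matching components against vulnerability data depends on them. If the goal is only spec version 1.4, consider keeping `format: cyclonedx` and the `.xml` output names in both steps and downgrading the version in the later convert step, which cyclonedx-cli can do from XML to XML. The last context line opens the `Install cyclonedx-cli` step, which continues outside this hunk.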
@@ -130,9 +130,17 @@ jobs:
 name: 'cyclonedx-cli'
 version: '0.27.1'
+ - name: Convert SBOMs to cyclonedx@1.4
+ run: |
+ cyclonedx-cli convert --input-file application-sbom.spdx --output-file application-sbom.xml --input-format spdx --output-format xml
+ cyclonedx-cli convert --input-file shibboleth-sp-sbom.spdx --output-file shibboleth-sp-sbom.xml --input-format spdx --output-format xml
+
 - name: Merge SBOMs
 run: cyclonedx-cli merge --input-files application-sbom.xml shibboleth-sp-sbom.xml target/bom.xml --output-file sbom.xml
+ - name: Debug
+ run: cyclonedx-cli analyze sbom.xml
+
 - name: Get semver version from pom and store major and minor version as deptrack version
 run: echo "DEPTRACK_PROJECT_VERSION=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout | cut -d '-' -f 1 | cut -d '.' -f 1-2).x" >> $GITHUB_ENV
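Review bot: Neither `cyclonedx-cli convert` command in the new `Convert SBOMs to cyclonedx@1.4` step passes `--output-version`, so the 1.4 pin promised by the step name and the commit subject is left to the CLI's default; add `--output-version v1_4` to both commands. It is also worth confirming that `--input-format spdx` is accepted by the pinned cyclonedx-cli 0.27.1: as far as I know the tool offers SPDX only as an output format (`spdxjson`), and if so this step fails before the merge. The `Debug` step reads like a leftover in a release workflow; remove it, or give it a descriptive name and a comment saying why the analysis output is kept. The final `Get semver version ...` step continues outside the hunk.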