Some dockerfile SBOMS fail validation

Problem:
Validator complains about 'author' appearing before 'group' or name'.

Solution:
Enforce latest versions of syft, cdx cmds and check ordering guarantees
with Elementtree python module.
Upgrade to cyclonedx 1.4.
Create Dockerfile to enforce dependency versions and enable local
testing.
Remove xmllinting of cyclonedx as upstream now handles this.
Executing xmllint was failing to invalidate the xml file because of the
need to execute in a pipeline.
sbom_scraper.sh can now be executed from any location and is not tied to
being executed in the repo.

Signed-off-by: Paul Hewlett <phewlett76@gmail.com>

Author: eccles

Dockerfile-scraper

@@ -0,0 +1,42 @@
+FROM ubuntu:jammy
+
+RUN apt-get update \
+  && apt-get upgrade -y --no-install-recommends \
+  && apt-get install -y \
+        curl \
+        default-jdk \
+        jq \
+        libdigest-sha-perl \
+        openssl \
+        python3-pip \
+  && apt-get autoremove \
+  && apt-get autoclean \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/*
+
+RUN python3 -m pip install yq
+
+RUN curl -fsSOL https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.24.2/cyclonedx-linux-x64 \
+  && mv cyclonedx-linux-x64 /usr/local/bin/cdx \
+  && chmod +x /usr/local/bin/cdx \
+  && curl -fsSOL https://github.com/anchore/syft/releases/download/v0.60.3/syft_0.60.3_linux_amd64.tar.gz \
+  && tar xvzf syft_0.60.3_linux_amd64.tar.gz syft \
+  && mv syft /usr/local/bin \
+  && chmod +x /usr/local/bin/syft \
+  && rm syft_0.60.3_linux_amd64.tar.gz
+
+RUN which cdx \
+  && which curl \
+  && which jar \
+  && which jdeps \
+  && which jq \
+  && which openssl \
+  && which python3 \
+  && which shasum \
+  && which syft \
+  && which xq
+
+COPY scripts/sbom_scraper.sh /usr/local/bin/sbom_scraper.sh
+RUN chmod +x /usr/local/bin/sbom_scraper.sh
+
+ENTRYPOINT ["/usr/local/bin/sbom_scraper.sh"]

README.md

@@ -87,6 +87,20 @@ Make a change to the code and validate the changes:
 task check
 ```
 
+And then test changes with a working set of options:
+
+```bash
+task build-scraper
+task scrape -- -h
+task scrape -- -a "RKVST, Inc" \
+               -e support@rkvst.com \
+               -A Docker \
+               -c credentials/client_secret \
+               -u https://app.rkvst.io \
+               8f8f2467-01fe-48fb-891a-5c0be643cec1 \
+               aerospike:ce-6.0.0.5
+```
+
 ### Seeking a review
 
 #### Synchronizing the upstream

Taskfile.yml

@@ -2,6 +2,11 @@ version: '3'
 
 tasks:
 
+  build-scraper:
+    desc: Build scraper image
+    cmds:
+      - docker build --no-cache -f Dockerfile-scraper -t archivist-shell-scraper .
+
   check:
     desc: Standard linting of shell scripts
     cmds:
@@ -11,3 +16,17 @@ tasks:
     desc: Clean git repo
     cmds:
       - git clean -fdX
+
+  scrape:
+    desc: Execute scraper command in dockerfile
+    cmds:
+      - |
+        docker run \
+          --rm -it \
+          -v $(pwd):$(pwd) \
+          -w $(pwd) \
+          -u $(id -u):$(id -g) \
+          -e USER \
+          archivist-shell-scraper \
+          {{.CLI_ARGS}}
+