build: added SBOM (Software Bill of Materials) generation

Author: thorsten

CHANGELOG.md

@@ -27,6 +27,7 @@ This is a log of major user-visible changes in each phpMyFAQ release.
 - added phpMyFAQ recent news widget to the admin dashboard (Thorsten)
 - added experimental support for API key authentication via OAuth2 (Thorsten)
 - added experimental per-tenant quota enforcement and API request rate limits (Thorsten)
+- added SBOM (Software Bill of Materials) generation (Thorsten)
 - improved audit and activity log with comprehensive security event tracking (Thorsten)
 - improved API errors with formatted RFC 7807 Problem Details JSON responses (Thorsten)
 - improved support for PDO (Thorsten)

package.json

@@ -37,6 +37,7 @@
     "build:prod": "vite build",
     "release:artifacts": "./scripts/prepare-release-artifacts.sh",
     "release:sign": "./scripts/sign-release-artifacts.sh",
+    "sbom": "./scripts/generate-sbom.sh",
     "eslint": "eslint .",
     "lint": "prettier --check .",
     "lint:fix": "prettier --write .",

scripts/generate-sbom.sh

@@ -0,0 +1,139 @@
+#!/bin/sh
+
+#
+# Generate CycloneDX Software Bill of Materials (SBOM) files for the
+# PHP (Composer) and JS/TS (pnpm) dependency graphs.
+#
+# Usage:
+#   ./scripts/generate-sbom.sh [source-dir] [output-dir]
+#
+# Both arguments are optional:
+#   source-dir  defaults to the repository root
+#   output-dir  defaults to <repo-root>/build/release/<version>
+#
+# The release version is resolved from scripts/get-version.php unless
+# the VERSION environment variable is set.
+#
+# The resulting files follow the CycloneDX 1.5 JSON schema and are named
+# after the release version:
+#   <output-dir>/phpMyFAQ-<version>-php.sbom.json      (Composer only)
+#   <output-dir>/phpMyFAQ-<version>-js.sbom.json       (pnpm only)
+#   <output-dir>/phpMyFAQ-<version>.sbom.json          (both ecosystems)
+#
+# Requires pnpm (used to run @cyclonedx/cdxgen via `pnpm dlx`) and php
+# (used to resolve the project version).
+#
+# This Source Code Form is subject to the terms of the Mozilla Public License,
+# v. 2.0. If a copy of the MPL was not distributed with this file, You can
+# obtain one at https://mozilla.org/MPL/2.0/.
+#
+# @package   phpMyFAQ
+# @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+# @copyright 2008-2026 phpMyFAQ Team
+# @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+# @link      https://www.phpmyfaq.de
+# @version   2026-04-10
+#
+
+set -eu
+
+# shellcheck disable=SC3040
+if (set -o pipefail 2>/dev/null); then
+    set -o pipefail
+fi
+IFS=$(printf ' \t\n')
+
+# shellcheck disable=SC1007
+SCRIPT_DIR=$(CDPATH= cd -- "$(dirname "$0")" && pwd)
+# shellcheck disable=SC1007
+REPO_ROOT=$(CDPATH= cd -- "${SCRIPT_DIR}/.." && pwd)
+
+if [ "$#" -gt 2 ]; then
+    printf 'Usage: %s [source-dir] [output-dir]\n' "$0" >&2
+    exit 1
+fi
+
+SOURCE_DIR="${1:-${REPO_ROOT}}"
+
+# shellcheck disable=SC1007
+SOURCE_DIR=$(CDPATH= cd -- "${SOURCE_DIR}" && pwd)
+
+: "${PHP_BIN:=php}"
+: "${VERSION:=$("${PHP_BIN}" "${REPO_ROOT}/scripts/get-version.php")}"
+: "${CDXGEN_VERSION:=latest}"
+: "${CDXGEN_SPEC_VERSION:=1.5}"
+
+OUTPUT_DIR="${2:-${REPO_ROOT}/build/release/${VERSION}}"
+
+SBOM_PHP="${OUTPUT_DIR}/phpMyFAQ-${VERSION}.php.sbom.json"
+SBOM_JS="${OUTPUT_DIR}/phpMyFAQ-${VERSION}.js.sbom.json"
+SBOM_COMBINED="${OUTPUT_DIR}/phpMyFAQ-${VERSION}.sbom.json"
+
+log() {
+    printf '\n[%s] %s\n' "$(date '+%H:%M:%S')" "$*"
+}
+
+fail() {
+    printf '\n[ERROR] %s\n' "$*" >&2
+    exit 1
+}
+
+require_command() {
+    command -v "$1" >/dev/null 2>&1 || fail "Required command '$1' not found in PATH"
+}
+
+check_prerequisites() {
+    require_command pnpm
+
+    if [ ! -f "${SOURCE_DIR}/composer.lock" ]; then
+        fail "composer.lock not found in ${SOURCE_DIR}"
+    fi
+    if [ ! -f "${SOURCE_DIR}/pnpm-lock.yaml" ]; then
+        fail "pnpm-lock.yaml not found in ${SOURCE_DIR}"
+    fi
+}
+
+run_cdxgen() {
+    # Usage: run_cdxgen <project-type> <output-file>
+    # <project-type> may be a single type or a comma-separated list,
+    # which cdxgen interprets as a combined multi-ecosystem scan.
+    _type="$1"
+    _out="$2"
+    pnpm dlx "@cyclonedx/cdxgen@${CDXGEN_VERSION}" \
+        --type "${_type}" \
+        --spec-version "${CDXGEN_SPEC_VERSION}" \
+        --output "${_out}" \
+        --project-name "phpMyFAQ-${VERSION}" \
+        --project-version "${VERSION}" \
+        --required-only \
+        --no-recurse \
+        "${SOURCE_DIR}"
+}
+
+generate_php_sbom() {
+    log "Generating PHP SBOM from ${SOURCE_DIR}/composer.lock"
+    run_cdxgen composer "${SBOM_PHP}"
+}
+
+generate_js_sbom() {
+    log "Generating JS/TS SBOM from ${SOURCE_DIR}/pnpm-lock.yaml"
+    run_cdxgen pnpm "${SBOM_JS}"
+}
+
+generate_combined_sbom() {
+    log "Generating combined PHP + JS/TS SBOM"
+    run_cdxgen composer,pnpm "${SBOM_COMBINED}"
+}
+
+main() {
+    check_prerequisites
+    mkdir -p "${OUTPUT_DIR}"
+    generate_php_sbom
+    generate_js_sbom
+    generate_combined_sbom
+
+    log "SBOMs written to:"
+    printf ' - %s\n' "${SBOM_PHP}" "${SBOM_JS}" "${SBOM_COMBINED}"
+}
+
+main

scripts/prepare-release-artifacts.sh

@@ -64,6 +64,9 @@ ARTIFACT_TAR="${RELEASE_DIR}/phpMyFAQ-${VERSION}.tar.gz"
 ARTIFACT_ZIP="${RELEASE_DIR}/phpMyFAQ-${VERSION}.zip"
 HASH_MANIFEST="${RELEASE_DIR}/hashes-${VERSION}.json"
 ARTIFACT_MANIFEST="${RELEASE_DIR}/ARTIFACTS.txt"
+SBOM_PHP="${RELEASE_DIR}/phpMyFAQ-${VERSION}.php.sbom.json"
+SBOM_JS="${RELEASE_DIR}/phpMyFAQ-${VERSION}.js.sbom.json"
+SBOM_COMBINED="${RELEASE_DIR}/phpMyFAQ-${VERSION}.sbom.json"
 TCPDF_PATH="${CHECKOUT_DIR}/phpmyfaq/src/libs/tecnickcom/tcpdf"
 
 log() {
@@ -162,6 +165,11 @@ create_packages() {
     (cd "${PACKAGE_DIR}" && zip -rq "${ARTIFACT_ZIP}" phpmyfaq)
 }
 
+generate_sboms() {
+    log "Generating CycloneDX SBOMs"
+    VERSION="${VERSION}" "${SCRIPT_DIR}/generate-sbom.sh" "${CHECKOUT_DIR}" "${RELEASE_DIR}"
+}
+
 write_checksums() {
     log "Creating checksum files"
     ${MD5BIN} "${ARTIFACT_TAR}" > "${ARTIFACT_TAR}.md5"
@@ -189,12 +197,18 @@ Artifacts:
 - $(basename "${ARTIFACT_ZIP}")
 - $(basename "${ARTIFACT_TAR}")
 - $(basename "${HASH_MANIFEST}")
+- $(basename "${SBOM_PHP}")
+- $(basename "${SBOM_JS}")
+- $(basename "${SBOM_COMBINED}")
 
 Reserved for signing phase:
 - SHA256SUMS
 - SHA256SUMS.asc
 - $(basename "${ARTIFACT_ZIP}").asc
 - $(basename "${ARTIFACT_TAR}").asc
+- $(basename "${SBOM_PHP}").asc
+- $(basename "${SBOM_JS}").asc
+- $(basename "${SBOM_COMBINED}").asc
 EOF
 }
 
@@ -209,11 +223,19 @@ main() {
     generate_hash_manifest
     stage_for_packaging
     create_packages
+    generate_sboms
     write_checksums
     write_manifest
 
     log "Prepared release artifacts:"
-    printf ' - %s\n' "${ARTIFACT_TAR}" "${ARTIFACT_ZIP}" "${HASH_MANIFEST}" "${ARTIFACT_MANIFEST}"
+    printf ' - %s\n' \
+        "${ARTIFACT_TAR}" \
+        "${ARTIFACT_ZIP}" \
+        "${HASH_MANIFEST}" \
+        "${SBOM_PHP}" \
+        "${SBOM_JS}" \
+        "${SBOM_COMBINED}" \
+        "${ARTIFACT_MANIFEST}"
 }
 
 main

scripts/sign-release-artifacts.sh

@@ -43,10 +43,16 @@ fi
 RELEASE_DIR="${REPO_ROOT}/build/release/${VERSION}"
 ZIP_FILE="${RELEASE_DIR}/phpMyFAQ-${VERSION}.zip"
 TAR_FILE="${RELEASE_DIR}/phpMyFAQ-${VERSION}.tar.gz"
+SBOM_PHP_FILE="${RELEASE_DIR}/phpMyFAQ-${VERSION}.php.sbom.json"
+SBOM_JS_FILE="${RELEASE_DIR}/phpMyFAQ-${VERSION}.js.sbom.json"
+SBOM_COMBINED_FILE="${RELEASE_DIR}/phpMyFAQ-${VERSION}.sbom.json"
 SHA256_FILE="${RELEASE_DIR}/SHA256SUMS"
 SHA256_ASC_FILE="${RELEASE_DIR}/SHA256SUMS.asc"
 ZIP_ASC_FILE="${ZIP_FILE}.asc"
 TAR_ASC_FILE="${TAR_FILE}.asc"
+SBOM_PHP_ASC_FILE="${SBOM_PHP_FILE}.asc"
+SBOM_JS_ASC_FILE="${SBOM_JS_FILE}.asc"
+SBOM_COMBINED_ASC_FILE="${SBOM_COMBINED_FILE}.asc"
 ARTIFACT_MANIFEST="${RELEASE_DIR}/ARTIFACTS.txt"
 
 log() {
@@ -83,6 +89,9 @@ check_prerequisites() {
     [ -d "${RELEASE_DIR}" ] || fail "Release directory ${RELEASE_DIR} does not exist"
     [ -f "${ZIP_FILE}" ] || fail "Missing artifact ${ZIP_FILE}"
     [ -f "${TAR_FILE}" ] || fail "Missing artifact ${TAR_FILE}"
+    [ -f "${SBOM_PHP_FILE}" ] || fail "Missing SBOM ${SBOM_PHP_FILE}"
+    [ -f "${SBOM_JS_FILE}" ] || fail "Missing SBOM ${SBOM_JS_FILE}"
+    [ -f "${SBOM_COMBINED_FILE}" ] || fail "Missing SBOM ${SBOM_COMBINED_FILE}"
 
     if [ "${SKIP_GPG:-0}" != "1" ]; then
         require_command gpg
@@ -97,6 +106,9 @@ generate_checksums() {
         cd "${RELEASE_DIR}"
         ${SHA256_CMD} "$(basename "${ZIP_FILE}")" > "${SHA256_FILE}"
         ${SHA256_CMD} "$(basename "${TAR_FILE}")" >> "${SHA256_FILE}"
+        ${SHA256_CMD} "$(basename "${SBOM_PHP_FILE}")" >> "${SHA256_FILE}"
+        ${SHA256_CMD} "$(basename "${SBOM_JS_FILE}")" >> "${SHA256_FILE}"
+        ${SHA256_CMD} "$(basename "${SBOM_COMBINED_FILE}")" >> "${SHA256_FILE}"
     )
 }
 
@@ -125,7 +137,13 @@ sign_artifacts() {
     fi
 
     log "Signing SHA256SUMS and release artifacts"
-    rm -f "${SHA256_ASC_FILE}" "${ZIP_ASC_FILE}" "${TAR_ASC_FILE}"
+    rm -f \
+        "${SHA256_ASC_FILE}" \
+        "${ZIP_ASC_FILE}" \
+        "${TAR_ASC_FILE}" \
+        "${SBOM_PHP_ASC_FILE}" \
+        "${SBOM_JS_ASC_FILE}" \
+        "${SBOM_COMBINED_ASC_FILE}"
 
     GPG_ARGS="$(gpg_base_args)"
     GPG_USER_ARGS="$(gpg_local_user_args)"
@@ -136,6 +154,12 @@ sign_artifacts() {
     gpg ${GPG_ARGS} ${GPG_USER_ARGS} --armor --detach-sign --output "${ZIP_ASC_FILE}" "${ZIP_FILE}"
     # shellcheck disable=SC2086
     gpg ${GPG_ARGS} ${GPG_USER_ARGS} --armor --detach-sign --output "${TAR_ASC_FILE}" "${TAR_FILE}"
+    # shellcheck disable=SC2086
+    gpg ${GPG_ARGS} ${GPG_USER_ARGS} --armor --detach-sign --output "${SBOM_PHP_ASC_FILE}" "${SBOM_PHP_FILE}"
+    # shellcheck disable=SC2086
+    gpg ${GPG_ARGS} ${GPG_USER_ARGS} --armor --detach-sign --output "${SBOM_JS_ASC_FILE}" "${SBOM_JS_FILE}"
+    # shellcheck disable=SC2086
+    gpg ${GPG_ARGS} ${GPG_USER_ARGS} --armor --detach-sign --output "${SBOM_COMBINED_ASC_FILE}" "${SBOM_COMBINED_FILE}"
 }
 
 verify_outputs() {
@@ -157,6 +181,9 @@ verify_outputs() {
     gpg --verify "${SHA256_ASC_FILE}" "${SHA256_FILE}"
     gpg --verify "${ZIP_ASC_FILE}" "${ZIP_FILE}"
     gpg --verify "${TAR_ASC_FILE}" "${TAR_FILE}"
+    gpg --verify "${SBOM_PHP_ASC_FILE}" "${SBOM_PHP_FILE}"
+    gpg --verify "${SBOM_JS_ASC_FILE}" "${SBOM_JS_FILE}"
+    gpg --verify "${SBOM_COMBINED_ASC_FILE}" "${SBOM_COMBINED_FILE}"
 }
 
 update_manifest() {
@@ -174,6 +201,9 @@ Artifacts:
 - $(basename "${ZIP_FILE}")
 - $(basename "${TAR_FILE}")
 - $(basename "${SHA256_FILE}")
+- $(basename "${SBOM_PHP_FILE}")
+- $(basename "${SBOM_JS_FILE}")
+- $(basename "${SBOM_COMBINED_FILE}")
 EOF
 
     if [ -f "${RELEASE_DIR}/hashes-${VERSION}.json" ]; then
@@ -189,6 +219,9 @@ EOF
 - $(basename "${SHA256_ASC_FILE}")
 - $(basename "${ZIP_ASC_FILE}")
 - $(basename "${TAR_ASC_FILE}")
+- $(basename "${SBOM_PHP_ASC_FILE}")
+- $(basename "${SBOM_JS_ASC_FILE}")
+- $(basename "${SBOM_COMBINED_ASC_FILE}")
 EOF
     fi
 }
@@ -204,7 +237,13 @@ main() {
     printf ' - %s\n' "${SHA256_FILE}"
 
     if [ "${SKIP_GPG:-0}" != "1" ]; then
-        printf ' - %s\n' "${SHA256_ASC_FILE}" "${ZIP_ASC_FILE}" "${TAR_ASC_FILE}"
+        printf ' - %s\n' \
+            "${SHA256_ASC_FILE}" \
+            "${ZIP_ASC_FILE}" \
+            "${TAR_ASC_FILE}" \
+            "${SBOM_PHP_ASC_FILE}" \
+            "${SBOM_JS_ASC_FILE}" \
+            "${SBOM_COMBINED_ASC_FILE}"
     fi
 }