Implement SBOM generation

Signed-off-by: Arkadii Yakovets <ark@victoriametrics.com>

.github/workflows/test_package.yml

@@ -0,0 +1,59 @@
+name: Package tests
+
+on:
+  push:
+    branches:
+      - cluster
+      - master
+    paths:
+      - '.github/workflows/test_package.yml'
+      - '**/Dockerfile*'
+      - '**/Makefile'
+  pull_request:
+    branches:
+      - cluster
+      - master
+    paths:
+      - '.github/workflows/test_package.yml'
+      - '**/Dockerfile*'
+      - '**/Makefile'
+
+permissions:
+  contents: read
+
+concurrency:
+  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+
+jobs:
+  test_release:
+    name: Test Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Code checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        id: go
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+          cache: false
+
+      - name: Cache Go artifacts
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/bin
+            ~/go/pkg/mod
+          key: go-artifacts-${{ runner.os }}-test-release-${{ steps.go.outputs.go-version }}-${{ hashFiles('Makefile', '**/Dockerfile*', '**/Makefile') }}
+          restore-keys: go-artifacts-${{ runner.os }}-test-release-
+
+      - name: Run make release
+        run: |
+          make clean
+          make release
+
+      - name: Run release tests
+        run: make test-release-victoria-metrics

Makefile

@@ -14,6 +14,10 @@ endif
 
 GO_BUILDINFO = -X '$(PKG_PREFIX)/lib/buildinfo.Version=$(APP_NAME)-$(DATEINFO_TAG)-$(BUILDINFO_TAG)'
 
+VICTORIA_LOGS_COMPONENTS = victoria-logs
+VICTORIA_METRICS_COMPONENTS = victoria-metrics
+VICTORIA_METRICS_UTILS_COMPONENTS = vmagent vmalert vmalert-tool vmauth vmbackup vmrestore vmctl
+
 .PHONY: $(MAKECMDGOALS)
 
 include app/*/Makefile
@@ -23,6 +27,73 @@ include deployment/*/Makefile
 include dashboards/Makefile
 include package/release/Makefile
 
+define RELEASE_GOOS_GOARCH
+	$(eval PKG_NAME := $(1))
+	$(eval PKG_COMPONENTS := $(2))
+
+	# Build
+	$(foreach pkg_component, $(PKG_COMPONENTS), $(MAKE) $(pkg_component)-$(GOOS)-$(GOARCH)-prod)
+
+	# Generate SBOM
+	mkdir -p "bin/$(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG)_bom"
+	$(foreach pkg_component, $(PKG_COMPONENTS),
+		cyclonedx-gomod app -assert-licenses -json -licenses -packages \
+			-main app/$(pkg_component) \
+			-output bin/$(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG)_bom/$(pkg_component)-$(GOOS)-$(GOARCH)-$(PKG_TAG)_bom.json)
+	
+	# Pack and compress
+	$(foreach pkg_component, $(PKG_COMPONENTS),
+		cd bin && tar --transform="flags=r;s|-$(GOOS)-$(GOARCH)||" -rf $(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG).tar \
+			$(pkg_component)-$(GOOS)-$(GOARCH)-prod)
+	cd bin && gzip $(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG).tar
+	cd bin && tar -czf $(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG)_bom.tar.gz $(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG)_bom
+
+	# Generate checksums
+	cd bin && \
+		sha256sum $(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG).tar.gz > $(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG)_checksums.txt && \
+		sha256sum $(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG)_bom.tar.gz >> $(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG)_checksums.txt
+	$(foreach pkg_component, $(PKG_COMPONENTS),
+		cd bin && sha256sum $(pkg_component)-$(GOOS)-$(GOARCH)-prod | sed s/-$(GOOS)-$(GOARCH)-prod/-prod/ >> \
+			$(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG)_checksums.txt)
+
+	# Clean up
+	cd bin && rm -rf $(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG)_bom
+	$(foreach pkg_component, $(PKG_COMPONENTS), cd bin && rm -f $(pkg_component)-$(GOOS)-$(GOARCH)-prod)
+endef
+
+define RELEASE_WINDOWS_GOARCH
+	$(eval PKG_NAME := $(1))
+	$(eval PKG_COMPONENTS := $(2))
+
+	# Build
+	$(foreach pkg_component, $(PKG_COMPONENTS), $(MAKE) $(pkg_component)-$(GOOS)-$(GOARCH)-prod)
+
+	# Generate SBOM
+	mkdir -p "bin/$(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG)_bom"
+	$(foreach pkg_component, $(PKG_COMPONENTS),
+		cyclonedx-gomod app -assert-licenses -json -licenses -packages \
+			-main app/$(pkg_component) \
+			-output bin/$(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG)_bom/$(pkg_component)-$(GOOS)-$(GOARCH)-$(PKG_TAG)_bom.json)
+	
+	# Pack and compress
+	$(foreach pkg_component, $(PKG_COMPONENTS),
+		cd bin && zip -u $(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG).zip \
+			$(pkg_component)-$(GOOS)-$(GOARCH)-prod.exe)
+	cd bin && zip $(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG)_bom.zip -r $(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG)_bom
+
+	# Generate checksums
+	cd bin && \
+		sha256sum $(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG).zip > $(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG)_checksums.txt && \
+		sha256sum $(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG)_bom.zip >> $(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG)_checksums.txt
+	$(foreach pkg_component, $(PKG_COMPONENTS),
+		cd bin && sha256sum $(pkg_component)-$(GOOS)-$(GOARCH)-prod.exe >> $(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG)_checksums.txt)
+
+	# Clean up
+	cd bin && rm -rf $(PKG_NAME)-$(GOOS)-$(GOARCH)-$(PKG_TAG)_bom
+	$(foreach pkg_component, $(PKG_COMPONENTS), cd bin && rm -f $(pkg_component)-$(GOOS)-$(GOARCH)-prod.exe)
+endef
+
+
 all: \
 	victoria-metrics-prod \
 	victoria-logs-prod \
@@ -241,26 +312,13 @@ release-victoria-metrics-openbsd-amd64:
 	GOOS=openbsd GOARCH=amd64 $(MAKE) release-victoria-metrics-goos-goarch
 
 release-victoria-metrics-windows-amd64:
-	GOARCH=amd64 $(MAKE) release-victoria-metrics-windows-goarch
+	GOOS=windows GOARCH=amd64 $(MAKE) release-victoria-metrics-windows-goarch
 
-release-victoria-metrics-goos-goarch: victoria-metrics-$(GOOS)-$(GOARCH)-prod
-	cd bin && \
-		tar --transform="flags=r;s|-$(GOOS)-$(GOARCH)||" -czf victoria-metrics-$(GOOS)-$(GOARCH)-$(PKG_TAG).tar.gz \
-			victoria-metrics-$(GOOS)-$(GOARCH)-prod \
-		&& sha256sum victoria-metrics-$(GOOS)-$(GOARCH)-$(PKG_TAG).tar.gz \
-			victoria-metrics-$(GOOS)-$(GOARCH)-prod \
-			| sed s/-$(GOOS)-$(GOARCH)-prod/-prod/ > victoria-metrics-$(GOOS)-$(GOARCH)-$(PKG_TAG)_checksums.txt
-	cd bin && rm -rf victoria-metrics-$(GOOS)-$(GOARCH)-prod
+release-victoria-metrics-goos-goarch:
+	$(call RELEASE_GOOS_GOARCH,victoria-metrics,$(VICTORIA_METRICS_COMPONENTS))
 
-release-victoria-metrics-windows-goarch: victoria-metrics-windows-$(GOARCH)-prod
-	cd bin && \
-		zip victoria-metrics-windows-$(GOARCH)-$(PKG_TAG).zip \
-			victoria-metrics-windows-$(GOARCH)-prod.exe \
-		&& sha256sum victoria-metrics-windows-$(GOARCH)-$(PKG_TAG).zip \
-			victoria-metrics-windows-$(GOARCH)-prod.exe \
-			> victoria-metrics-windows-$(GOARCH)-$(PKG_TAG)_checksums.txt
-	cd bin && rm -rf \
-		victoria-metrics-windows-$(GOARCH)-prod.exe
+release-victoria-metrics-windows-goarch:
+	$(call RELEASE_WINDOWS_GOARCH,victoria-metrics,$(VICTORIA_METRICS_COMPONENTS))
 
 release-victoria-logs:
 	$(MAKE_PARALLEL) release-victoria-logs-linux-386 \
@@ -355,77 +413,13 @@ release-vmutils-openbsd-amd64:
 	GOOS=openbsd GOARCH=amd64 $(MAKE) release-vmutils-goos-goarch
 
 release-vmutils-windows-amd64:
-	GOARCH=amd64 $(MAKE) release-vmutils-windows-goarch
+	GOOS=windows GOARCH=amd64 $(MAKE) release-vmutils-windows-goarch
 
-release-vmutils-goos-goarch: \
-	vmagent-$(GOOS)-$(GOARCH)-prod \
-	vmalert-$(GOOS)-$(GOARCH)-prod \
-	vmalert-tool-$(GOOS)-$(GOARCH)-prod \
-	vmauth-$(GOOS)-$(GOARCH)-prod \
-	vmbackup-$(GOOS)-$(GOARCH)-prod \
-	vmrestore-$(GOOS)-$(GOARCH)-prod \
-	vmctl-$(GOOS)-$(GOARCH)-prod
-	cd bin && \
-		tar --transform="flags=r;s|-$(GOOS)-$(GOARCH)||" -czf vmutils-$(GOOS)-$(GOARCH)-$(PKG_TAG).tar.gz \
-			vmagent-$(GOOS)-$(GOARCH)-prod \
-			vmalert-$(GOOS)-$(GOARCH)-prod \
-			vmalert-tool-$(GOOS)-$(GOARCH)-prod \
-			vmauth-$(GOOS)-$(GOARCH)-prod \
-			vmbackup-$(GOOS)-$(GOARCH)-prod \
-			vmrestore-$(GOOS)-$(GOARCH)-prod \
-			vmctl-$(GOOS)-$(GOARCH)-prod \
-		&& sha256sum vmutils-$(GOOS)-$(GOARCH)-$(PKG_TAG).tar.gz \
-			vmagent-$(GOOS)-$(GOARCH)-prod \
-			vmalert-$(GOOS)-$(GOARCH)-prod \
-			vmalert-tool-$(GOOS)-$(GOARCH)-prod \
-			vmauth-$(GOOS)-$(GOARCH)-prod \
-			vmbackup-$(GOOS)-$(GOARCH)-prod \
-			vmrestore-$(GOOS)-$(GOARCH)-prod \
-			vmctl-$(GOOS)-$(GOARCH)-prod \
-			| sed s/-$(GOOS)-$(GOARCH)-prod/-prod/ > vmutils-$(GOOS)-$(GOARCH)-$(PKG_TAG)_checksums.txt
-	cd bin && rm -rf \
-		vmagent-$(GOOS)-$(GOARCH)-prod \
-		vmalert-$(GOOS)-$(GOARCH)-prod \
-		vmalert-tool-$(GOOS)-$(GOARCH)-prod \
-		vmauth-$(GOOS)-$(GOARCH)-prod \
-		vmbackup-$(GOOS)-$(GOARCH)-prod \
-		vmrestore-$(GOOS)-$(GOARCH)-prod \
-		vmctl-$(GOOS)-$(GOARCH)-prod
+release-vmutils-goos-goarch:
+	$(call RELEASE_GOOS_GOARCH, vmutils, $(VICTORIA_METRICS_UTILS_COMPONENTS))
 
-release-vmutils-windows-goarch: \
-	vmagent-windows-$(GOARCH)-prod \
-	vmalert-windows-$(GOARCH)-prod \
-	vmalert-tool-windows-$(GOARCH)-prod \
-	vmauth-windows-$(GOARCH)-prod \
-	vmbackup-windows-$(GOARCH)-prod \
-	vmrestore-windows-$(GOARCH)-prod \
-	vmctl-windows-$(GOARCH)-prod
-	cd bin && \
-		zip vmutils-windows-$(GOARCH)-$(PKG_TAG).zip \
-			vmagent-windows-$(GOARCH)-prod.exe \
-			vmalert-windows-$(GOARCH)-prod.exe \
-			vmalert-tool-windows-$(GOARCH)-prod.exe \
-			vmauth-windows-$(GOARCH)-prod.exe \
-			vmbackup-windows-$(GOARCH)-prod.exe \
-			vmrestore-windows-$(GOARCH)-prod.exe \
-			vmctl-windows-$(GOARCH)-prod.exe \
-		&& sha256sum vmutils-windows-$(GOARCH)-$(PKG_TAG).zip \
-			vmagent-windows-$(GOARCH)-prod.exe \
-			vmalert-windows-$(GOARCH)-prod.exe \
-			vmalert-tool-windows-$(GOARCH)-prod.exe \
-			vmauth-windows-$(GOARCH)-prod.exe \
-			vmbackup-windows-$(GOARCH)-prod.exe \
-			vmrestore-windows-$(GOARCH)-prod.exe \
-			vmctl-windows-$(GOARCH)-prod.exe \
-			> vmutils-windows-$(GOARCH)-$(PKG_TAG)_checksums.txt
-	cd bin && rm -rf \
-		vmagent-windows-$(GOARCH)-prod.exe \
-		vmalert-windows-$(GOARCH)-prod.exe \
-		vmalert-tool-windows-$(GOARCH)-prod.exe \
-		vmauth-windows-$(GOARCH)-prod.exe \
-		vmbackup-windows-$(GOARCH)-prod.exe \
-		vmrestore-windows-$(GOARCH)-prod.exe \
-		vmctl-windows-$(GOARCH)-prod.exe
+release-vmutils-windows-goarch:
+	$(call RELEASE_WINDOWS_GOARCH, vmutils, $(VICTORIA_METRICS_UTILS_COMPONENTS))
 
 pprof-cpu:
 	go tool pprof -trim_path=github.com/VictoriaMetrics/VictoriaMetrics@ $(PPROF_FILE)
@@ -514,6 +508,9 @@ install-wwhrd:
 check-licenses: install-wwhrd
 	wwhrd check -f .wwhrd.yml
 
+cyclonedx-gomod-install:
+	which cyclonedx-gomod || go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
+
 copy-docs:
 # The 'printf' function is used instead of 'echo' or 'echo -e' to handle line breaks (e.g. '\n') in the same way on different operating systems (MacOS/Ubuntu Linux/Arch Linux) and their shells (bash/sh/zsh/fish).
 # For details, see https://github.com/VictoriaMetrics/VictoriaMetrics/pull/4548#issue-1782796419 and https://stackoverflow.com/questions/8467424/echo-newline-in-bash-prints-literal-n

package/release/Makefile

@@ -69,3 +69,6 @@ github-delete-release: github-token-check
 			cat $(GITHUB_DEBUG_FILE); \
 			exit 1; \
 		fi
+
+test-release-victoria-metrics:
+	@go test -run TestVictoriaMetrics package/release/asset_test.go

package/release/asset_test.go

@@ -0,0 +1,272 @@
+package main
+
+import (
+	"archive/tar"
+	"archive/zip"
+	"bufio"
+	"compress/gzip"
+	"crypto/sha1"
+	"fmt"
+	"io"
+	"io/fs"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"sort"
+	"strings"
+	"testing"
+)
+
+const tarGzExt = ".tar.gz"
+const unixExecSuffix = "-prod"
+const windowsExecSuffix = "-prod.exe"
+const zipExt = ".zip"
+
+func assertArchiveFile(t *testing.T, path string, expectedFiles []string) {
+	// Check if file exists
+	archiveFileInfo, err := getFileInfo(path)
+	if err != nil {
+		t.Fatalf("Could not get archive file information: %s", path)
+	} else if archiveFileInfo.Size() == 0 {
+		t.Fatalf("Archive file is empty: %s", path)
+	}
+
+	var archiveFiles []string
+	if strings.HasSuffix(path, tarGzExt) { // Unix-like stuff
+		// Get file handler
+		tarGzFile, err := os.Open(path)
+		if err != nil {
+			t.Errorf("Failed to open file: %s", path)
+		}
+		defer tarGzFile.Close()
+
+		// Get gzip handler
+		gzipFile, err := gzip.NewReader(tarGzFile)
+		if err != nil {
+			t.Errorf("Failed to create gzip reader: %s", err)
+		}
+		defer gzipFile.Close()
+
+		// Get tar handler
+		tarFile := tar.NewReader(gzipFile)
+		for {
+			header, err := tarFile.Next()
+			if err == io.EOF {
+				break
+			}
+			if err != nil {
+				t.Fatalf("Failed to read tar header: %s", err)
+			}
+			if header.FileInfo().IsDir() {
+				continue
+			} else if header.Size == 0 {
+				t.Fatalf("Archived file is empty: %s (%s)", header.Name, path)
+			}
+			archiveFiles = append(archiveFiles, header.Name)
+		}
+
+	} else if strings.HasSuffix(path, zipExt) { // Windows stuff
+		// Get file handler
+		zipFile, err := os.Open(path)
+		if err != nil {
+			t.Errorf("Failed to open file: %s", path)
+		}
+		defer zipFile.Close()
+
+		fileInfo, err := zipFile.Stat()
+		if err != nil {
+			t.Fatalf("Failed to get file info: %s", err)
+		}
+
+		// Get zip handler
+		zipReader, err := zip.NewReader(zipFile, fileInfo.Size())
+		if err != nil {
+			t.Fatalf("Failed to create zip reader: %s", err)
+		}
+
+		for _, file := range zipReader.File {
+			if file.FileInfo().IsDir() {
+				continue
+			} else if file.CompressedSize64 == 0 {
+				t.Fatalf("Archived file is empty: %s (%s)", file.Name, path)
+			}
+			archiveFiles = append(archiveFiles, file.Name)
+		}
+
+	} else { // Unexpected stuff.
+		t.Fatalf("Unknown archive type: %s", path)
+	}
+
+	if !compareSlices(archiveFiles, expectedFiles) {
+		t.Fatalf("Archive contents `%s` doesn't match the expected one: `%s`", archiveFiles, expectedFiles)
+	}
+}
+
+func assertChecksumsFile(t *testing.T, path string, expectedFiles []string) {
+	// Check if file exists
+	checksumsFileInfo, err := getFileInfo(path)
+	if err != nil {
+		t.Errorf("Could not get checksums file information: %s", path)
+	} else if checksumsFileInfo.Size() == 0 {
+		t.Errorf("Checksums file is empty: %s", path)
+	}
+
+	checksumsFile, err := os.Open(path)
+	if err != nil {
+		t.Fatalf("Failed to open file: %s", err)
+	}
+	defer checksumsFile.Close()
+
+	checksumsFiles := []string{}
+	scanner := bufio.NewScanner(checksumsFile)
+	for scanner.Scan() {
+		checksumsFiles = append(checksumsFiles, strings.Fields(scanner.Text())[1])
+	}
+	if err := scanner.Err(); err != nil {
+		t.Fatalf("Failed to  read file: %s", err)
+	}
+
+	if !compareSlices(checksumsFiles, expectedFiles) {
+		t.Fatalf("Archive contents `%s` doesn't match the expected one: `%s`", checksumsFiles, expectedFiles)
+	}
+}
+
+func compareSlices(slice1, slice2 []string) bool {
+	if len(slice1) != len(slice2) {
+		return false
+	}
+
+	sort.Strings(slice1)
+	sort.Strings(slice2)
+	for i := range slice1 {
+		if slice1[i] != slice2[i] {
+			return false
+		}
+	}
+	return true
+}
+
+func execCommand(command string) *exec.Cmd {
+	cmd := strings.Fields(command)
+	return exec.Command(cmd[0], cmd[1:]...)
+}
+
+func getArchOsMap() map[string][]string {
+	return map[string][]string{
+		"darwin":  {"amd64", "arm64"},
+		"freebsd": {"amd64"},
+		"linux":   {"386", "amd64", "arm", "arm64"},
+		"openbsd": {"amd64"},
+		"windows": {"amd64"},
+	}
+}
+
+func getComponentFileMap() map[string][]string {
+	return map[string][]string{
+		"victoria-metrics": {"victoria-metrics"},
+		"vmutils":          {"vmagent", "vmalert", "vmalert-tool", "vmauth", "vmbackup", "vmrestore", "vmctl"},
+	}
+}
+
+func getGitTag() (string, error) {
+	stdOut, err := execCommand("git describe --long --all").Output()
+
+	if err != nil {
+		fmt.Println(err)
+		return "", err
+	}
+	tag := strings.ReplaceAll(strings.ReplaceAll(string(stdOut), "/", "-"), "\n", "")
+
+	// Check if there is a difference with the HEAD.
+	gitDiff := execCommand("git diff-index --quiet HEAD --")
+	err = gitDiff.Run()
+	if _, ok := err.(*exec.ExitError); ok {
+		gitDiffStdOut, _ := execCommand("git diff-index -u HEAD").Output()
+		hashGenerator := sha1.New()
+		_, err := io.WriteString(hashGenerator, string(gitDiffStdOut))
+		if err != nil {
+			return "", err
+		}
+		sha1Hex := fmt.Sprintf("%x", hashGenerator.Sum(nil)[0:4])
+		tag = strings.Join([]string{tag, "-dirty-", sha1Hex}, "")
+	}
+	return tag, nil
+}
+
+func getFileInfo(filePath string) (fs.FileInfo, error) {
+	fileInfo, err := os.Stat(filePath)
+	if err != nil {
+		return fileInfo, err
+	}
+	return fileInfo, nil
+}
+
+func getParentDirectory(path string, directoriesUp int) string {
+	for i := 0; i < directoriesUp; i++ {
+		path = filepath.Dir(path)
+	}
+	return path
+}
+
+func testReleaseAssets(t *testing.T, componentNames []string) {
+	gitTag, err := getGitTag()
+	if err != nil {
+		t.Fatalf("Unable to get a tag: %v", err)
+	}
+
+	cwd, err := os.Getwd()
+	if err != nil {
+		t.Fatalf("Unable to get CWD: %v", err)
+	}
+
+	binPath := filepath.Join(getParentDirectory(cwd, 2), "bin")
+
+	for _, componentName := range componentNames {
+		for osName, archNames := range getArchOsMap() {
+			var archiveFileExtension string
+			var binaryFileSuffix string
+			if osName == "windows" {
+				archiveFileExtension = zipExt
+				binaryFileSuffix = "-windows-amd64" + windowsExecSuffix
+			} else {
+				archiveFileExtension = tarGzExt
+				binaryFileSuffix = unixExecSuffix
+			}
+
+			for _, archName := range archNames {
+				componentPrefix := strings.Join([]string{componentName, osName, archName, gitTag}, "-")
+
+				// Check binaries.
+				expectedBinaryFiles := []string{}
+				for _, componentFile := range getComponentFileMap()[componentName] {
+					expectedBinaryFiles = append(expectedBinaryFiles, strings.Join([]string{componentFile, binaryFileSuffix}, ""))
+				}
+				archiveFile := strings.Join([]string{componentPrefix, archiveFileExtension}, "")
+				assertArchiveFile(t, filepath.Join(binPath, archiveFile), expectedBinaryFiles)
+
+				// Check checksums.
+				bomFile := strings.Join([]string{componentPrefix, "_bom", archiveFileExtension}, "")
+				expectedChecksumsFiles := []string{archiveFile, bomFile}
+				for _, componentFile := range getComponentFileMap()[componentName] {
+					expectedChecksumsFiles = append(expectedChecksumsFiles, strings.Join([]string{componentFile, binaryFileSuffix}, ""))
+				}
+				checksumsFile := strings.Join([]string{componentPrefix, "_checksums.txt"}, "")
+				assertChecksumsFile(t, filepath.Join(binPath, checksumsFile), expectedChecksumsFiles)
+
+				// Check SBOMs.
+				expectedSbomFiles := []string{}
+				for _, componentFile := range getComponentFileMap()[componentName] {
+					sbomFilePrefix := strings.Join([]string{componentFile, osName, archName, gitTag}, "-")
+					sbomDirectory := strings.Join([]string{componentPrefix, "_bom"}, "")
+					expectedSbomFiles = append(expectedSbomFiles, filepath.Join(sbomDirectory, strings.Join([]string{sbomFilePrefix, "_bom.json"}, "")))
+				}
+				sbomFile := strings.Join([]string{componentPrefix, "_bom", archiveFileExtension}, "")
+				assertArchiveFile(t, filepath.Join(binPath, sbomFile), expectedSbomFiles)
+			}
+		}
+	}
+}
+
+func TestVictoriaMetrics(t *testing.T) {
+	testReleaseAssets(t, []string{"victoria-metrics", "vmutils"})
+}