Use node 22 via nvm in docker. Enable NODE_COMPILE_CACHE (#1036)

* Use node 22 via nvm in docker. Enable NODE_COMPILE_CACHE Signed-off-by: Prabhu Subramanian <[email protected]> * Update packages Signed-off-by: Prabhu Subramanian <[email protected]> * Fixes #1037 Signed-off-by: Prabhu Subramanian <[email protected]> * Of course on GitHub every workflow would fail with out of disk space Signed-off-by: Prabhu Subramanian <[email protected]> * Tweaks Signed-off-by: Prabhu Subramanian <[email protected]> * Update docker compose. Regenerate types Signed-off-by: Prabhu Subramanian <[email protected]> --------- Signed-off-by: Prabhu Subramanian <[email protected]>
CycloneDX · May 4, 2024 · 246e995 · 246e995
1 parent 606ae06
commit 246e995
Show file tree

Hide file tree

Showing 22 changed files with 204 additions and 102 deletions.
diff --git a/.github/workflows/dockertests.yml b/.github/workflows/dockertests.yml
@@ -32,6 +32,10 @@ jobs:
  with:
  distribution: 'temurin'
  java-version: ${{ matrix.java-version }}
+ - name: Trim CI agent
+ run: |
+ chmod +x contrib/free_disk_space.sh
+ ./contrib/free_disk_space.sh
  - name: npm install, build and test
  run: |
  npm install
@@ -45,6 +49,7 @@ jobs:
  path: 'repotests/grafana-operator'
  - name: dockertests
  run: |
+ bin/cdxgen.js elasticsearch:7.2.1 -t docker -o bomresults/bom-elastic.json
  bin/cdxgen.js ubuntu:latest -t docker -o bomresults/bom-ubuntu.json
  bin/cdxgen.js almalinux:9.2-minimal -t docker -o bomresults/bom-almalinux.json
  bin/cdxgen.js centos:latest -t docker -o bomresults/bom-centos.json
@@ -83,6 +88,10 @@ jobs:
  with:
  distribution: 'temurin'
  java-version: ${{ matrix.java-version }}
+ - name: Trim CI agent
+ run: |
+ chmod +x contrib/free_disk_space.sh
+ ./contrib/free_disk_space.sh
  - name: npm install, build and test
  run: |
  npm install

diff --git a/.gitignore b/.gitignore
@@ -124,3 +124,4 @@ oci/
 roots/
 .python-version
 build/
+.mise.toml
diff --git a/binary.js b/binary.js
@@ -421,7 +421,12 @@ export function getOSPackages(src) {
  if (DEBUG_MODE) {
  console.log(osReleaseData);
  }
- let distro_codename = osReleaseData["VERSION_CODENAME"] || "";
+ let distro_codename =
+ osReleaseData["VERSION_CODENAME"] ||
+ osReleaseData["CENTOS_MANTISBT_PROJECT"] ||
+ osReleaseData["REDHAT_SUPPORT_PRODUCT"] ||
+ "";
+ distro_codename = distro_codename.toLowerCase();
  let distro_id = osReleaseData["ID"] || "";
  const distro_id_like = osReleaseData["ID_LIKE"] || "";
  let purl_type = "rpm";
@@ -505,6 +510,8 @@ export function getOSPackages(src) {
  if (distro_codename?.length) {
  purlObj.qualifiers["distro_name"] = distro_codename;
  }
+ // Remove any epoch values
+ delete purlObj.qualifiers.epoch;
  // Bug fix for mageia and oracle linux
  // Type is being returned as none for ubuntu as well!
  if (purlObj.type === "none") {
@@ -573,6 +580,32 @@ export function getOSPackages(src) {
  // continue regardless of error
  }
  }
+ if (comp.purl.includes("epoch=")) {
+ try {
+ purlObj = PackageURL.fromString(comp.purl);
+ purlObj.qualifiers = purlObj.qualifiers || {};
+ if (distro_id?.length) {
+ purlObj.qualifiers["distro"] = distro_id;
+ }
+ if (distro_codename?.length) {
+ purlObj.qualifiers["distro_name"] = distro_codename;
+ }
+ delete purlObj.qualifiers.epoch;
+ allTypes.add(purlObj.namespace);
+ comp.purl = new PackageURL(
+ purlObj.type,
+ purlObj.namespace,
+ name,
+ purlObj.version,
+ purlObj.qualifiers,
+ purlObj.subpath,
+ ).toString();
+ comp["bom-ref"] = decodeURIComponent(comp.purl);
+ } catch (err) {
+ // continue regardless of error
+ console.log(err);
+ }
+ }
  // Fix licenses
  if (
  comp.licenses &&
@@ -685,6 +718,7 @@ const retrieveDependencies = (tmpDependencies, origBomRef, comp) => {
  if (compPurl.qualifiers.distro) {
  tmpPurl.qualifiers.distro = compPurl.qualifiers.distro;
  }
+ delete tmpPurl.qualifiers.epoch;
  }
  dependsOn.add(decodeURIComponent(tmpPurl.toString()));
  } catch (e) {

diff --git a/ci/Dockerfile b/ci/Dockerfile
@@ -8,7 +8,7 @@ LABEL maintainer="cyclonedx" \
  org.opencontainers.image.vendor="cyclonedx" \
  org.opencontainers.image.licenses="Apache-2.0" \
  org.opencontainers.image.title="cdxgen" \
- org.opencontainers.image.description="Container image for cyclonedx cdxgen SBOM generator" \
+ org.opencontainers.image.description="Container image for cdxgen SBOM generator packing latest build tools." \
  org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app --server"
 
 ARG SWIFT_SIGNING_KEY=A62AE125BBBFBB96A6E042EC925CC1CCED3D1561
@@ -21,6 +21,7 @@ ARG SBT_VERSION=1.9.8
 ARG MAVEN_VERSION=3.9.6
 ARG GRADLE_VERSION=8.7
 ARG GO_VERSION=1.22.2
+ARG NODE_VERSION=22.1.0
 
 ENV GOPATH=/opt/app-root/go \
  JAVA_VERSION=$JAVA_VERSION \
@@ -45,8 +46,10 @@ ENV GOPATH=/opt/app-root/go \
  SWIFT_WEBROOT=$SWIFT_WEBROOT \
  LC_ALL=en_US.UTF-8 \
  LANG=en_US.UTF-8 \
- LANGUAGE=en_US.UTF-8
-ENV PATH=${PATH}:${JAVA_HOME}/bin:${MAVEN_HOME}/bin:${GRADLE_HOME}/bin:${SBT_HOME}/bin:${GOPATH}/bin:/usr/local/go/bin:/usr/local/bin/:/root/.local/bin:${ANDROID_HOME}/cmdline-tools/latest/bin:${ANDROID_HOME}/tools:${ANDROID_HOME}/tools/bin:${ANDROID_HOME}/platform-tools:
+ LANGUAGE=en_US.UTF-8 \
+ NVM_DIR="/root/.nvm" \
+ NODE_COMPILE_CACHE="/opt/cdxgen-node-cache"
+ENV PATH=${PATH}:/root/.nvm/versions/node/v${NODE_VERSION}/bin:${JAVA_HOME}/bin:${MAVEN_HOME}/bin:${GRADLE_HOME}/bin:${SBT_HOME}/bin:${GOPATH}/bin:/usr/local/go/bin:/usr/local/bin/:/root/.local/bin:${ANDROID_HOME}/cmdline-tools/latest/bin:${ANDROID_HOME}/tools:${ANDROID_HOME}/tools/bin:${ANDROID_HOME}/platform-tools:
 
 RUN set -e; \
  ARCH_NAME="$(rpm --eval '%{_arch}')"; \
@@ -62,15 +65,17 @@ RUN set -e; \
  ;; \
  *) echo >&2 "error: unsupported architecture: '$ARCH_NAME'"; exit 1 ;; \
  esac; \
- echo -e "[nodejs]\nname=nodejs\nstream=20\nprofiles=\nstate=enabled\n" > /etc/dnf/modules.d/nodejs.module \
- && microdnf module enable php ruby -y \
+ microdnf module enable php ruby -y \
  && microdnf install -y php php-curl php-zip php-bcmath php-json php-pear php-mbstring php-devel make gcc git-core \
  python3.11 python3.11-devel python3.11-pip ruby ruby-devel glibc-common glibc-all-langpacks \
- pcre2 which tar gzip zip unzip sudo nodejs ncurses sqlite-devel dotnet-sdk-8.0 \
+ pcre2 which tar gzip zip unzip sudo ncurses sqlite-devel dotnet-sdk-8.0 \
  && alternatives --install /usr/bin/python3 python /usr/bin/python3.11 1 \
  && python3 --version \
  && python3 -m pip install --upgrade pip virtualenv \
  && python3 -m pip install --user pipenv poetry blint \
+ && curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash \
+ && source /root/.nvm/nvm.sh \
+ && nvm install ${NODE_VERSION} \
  && node --version \
  && curl -s "https://get.sdkman.io" | bash \
  && source "$HOME/.sdkman/bin/sdkman-init.sh" \
@@ -127,8 +132,10 @@ RUN set -e; \
  && bundler --version
 COPY . /opt/cdxgen
 RUN cd /opt/cdxgen && npm install --omit=dev \
- && chown -R cyclonedx:cyclonedx /opt/cdxgen \
+ && mkdir -p /opt/cdxgen-node-cache \
+ && chown -R cyclonedx:cyclonedx /opt/cdxgen /opt/cdxgen-node-cache \
  && chmod a-w -R /opt \
+ && node /opt/cdxgen/bin/cdxgen.js --help \
  && rm -rf /var/cache/yum \
  && microdnf clean all
 

diff --git a/ci/Dockerfile-bun b/ci/Dockerfile-bun
@@ -8,7 +8,7 @@ LABEL maintainer="cyclonedx" \
  org.opencontainers.image.vendor="cyclonedx" \
  org.opencontainers.image.licenses="Apache-2.0" \
  org.opencontainers.image.title="cdxgen" \
- org.opencontainers.image.description="Container image for cyclonedx cdxgen SBOM generator" \
+ org.opencontainers.image.description="Container image for cdxgen SBOM generator" \
  org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-bun -r /app --server"
 
 ARG SWIFT_SIGNING_KEY=A62AE125BBBFBB96A6E042EC925CC1CCED3D1561

diff --git a/ci/Dockerfile-deno b/ci/Dockerfile-deno
@@ -8,7 +8,7 @@ LABEL maintainer="cyclonedx" \
  org.opencontainers.image.vendor="cyclonedx" \
  org.opencontainers.image.licenses="Apache-2.0" \
  org.opencontainers.image.title="cdxgen" \
- org.opencontainers.image.description="Container image for cyclonedx cdxgen SBOM generator" \
+ org.opencontainers.image.description="Container image for cdxgen SBOM generator" \
  org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-deno -r /app --server"
 
 ARG SWIFT_SIGNING_KEY=A62AE125BBBFBB96A6E042EC925CC1CCED3D1561

diff --git a/ci/Dockerfile-fedora b/ci/Dockerfile-fedora
@@ -8,7 +8,7 @@ LABEL maintainer="cyclonedx" \
  org.opencontainers.image.vendor="cyclonedx" \
  org.opencontainers.image.licenses="Apache-2.0" \
  org.opencontainers.image.title="cdxgen" \
- org.opencontainers.image.description="Container image for cyclonedx cdxgen SBOM generator for testing" \
+ org.opencontainers.image.description="Container image for cdxgen SBOM generator for testing" \
  org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-fedora -r /app --server"
 
 ARG JAVA_VERSION=21-tem

diff --git a/ci/Dockerfile-ppc64 b/ci/Dockerfile-ppc64
@@ -8,7 +8,7 @@ LABEL maintainer="cyclonedx" \
  org.opencontainers.image.vendor="cyclonedx" \
  org.opencontainers.image.licenses="Apache-2.0" \
  org.opencontainers.image.title="cdxgen" \
- org.opencontainers.image.description="Container image for cyclonedx cdxgen SBOM generator" \
+ org.opencontainers.image.description="Container image for cdxgen SBOM generator" \
  org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-ppc64 -r /app --server"
 
 ARG SBT_VERSION=1.9.8

diff --git a/deno.json b/deno.json
@@ -1,6 +1,6 @@
 {
  "name": "@cyclonedx/cdxgen",
- "version": "10.5.0",
+ "version": "10.5.1",
  "exports": "./index.js",
  "compilerOptions": {
  "allowJs": true,
@@ -46,8 +46,8 @@
  "@appthreat/cdx-proto": "npm:@appthreat/[email protected]",
  "@babel/parser": "npm:@babel/parser@^7.24.5",
  "@babel/traverse": "npm:@babel/traverse@^7.24.5",
- "@npmcli/arborist": "npm:@npmcli/[email protected].0",
- "ajv": "npm:ajv@^8.12.0",
+ "@npmcli/arborist": "npm:@npmcli/[email protected].1",
+ "ajv": "npm:ajv@^8.13.0",
  "ajv-formats": "npm:ajv-formats@^3.0.1",
  "cheerio": "npm:cheerio@^1.0.0-rc.12",
  "edn-data": "npm:[email protected]",

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,6 +1,16 @@
-version: "3.9"
+name: cdxgen
+
 services:
  cdxgen:
+ # For custom builds, use the annotations to describe the pedigree.variants
+ annotations:
+ org.opencontainers.image.vendor: cyclonedx
+ org.opencontainers.image.licenses: Apache-2.0
+ org.opencontainers.image.title: cdxgen
+ environment:
+ - NODE_COMPILE_CACHE=/tmp/cdxgen-node-cache # Using compile cache improves cold start performance
+ - FETCH_LICENSE=false # Set this to true to always include license
+ - CDXGEN_DEBUG_MODE=info # Set this to debug to get more console output
  build:
  dockerfile: ./ci/Dockerfile
  context: .

diff --git a/docker.js b/docker.js
@@ -367,6 +367,10 @@ export const getConnection = async (options, forRegistry) => {
  "Ensure Docker for Desktop is running as an administrator with 'Exposing daemon on TCP without TLS' setting turned on.",
  opts,
  );
+ } else if (_platform() === "darwin") {
+ console.warn(
+ "Ensure Podman Desktop (open-source) or Docker for Desktop (May require subscription) is running.",
+ );
  } else {
  console.warn(
  "Ensure docker/podman service or Docker for Desktop is running.",
@@ -690,20 +694,25 @@ export const extractTar = async (fullImageName, dir) => {
  preserveOwner: false,
  noMtime: true,
  noChmod: true,
- strict: false,
+ strict: true,
  C: dir,
  portable: true,
  onwarn: () => {},
  filter: (path, entry) => {
  // Some files are known to cause issues with extract
  if (
+ path.endsWith("etc/machine-id") ||
+ path.includes("usr/lib/systemd/") ||
+ path.includes("usr/lib64/libdevmapper.so") ||
+ path.includes("usr/sbin/") ||
  path.includes("cacerts") ||
  path.includes("ssl/certs") ||
  path.includes("logs/") ||
  path.includes("dev/") ||
  path.includes("usr/share/zoneinfo/") ||
  path.includes("usr/share/doc/") ||
  path.includes("usr/share/i18n/") ||
+ path.includes("usr/share/licenses/device-mapper-libs") ||
  [
  "BlockDevice",
  "CharacterDevice",
@@ -728,7 +737,9 @@ export const extractTar = async (fullImageName, dir) => {
  "Please run cdxgen from a powershell terminal with admin privileges to create symlinks.",
  );
  console.log(err);
- } else if (!["TAR_BAD_ARCHIVE", "TAR_ENTRY_INFO"].includes(err.code)) {
+ } else if (
+ !["TAR_BAD_ARCHIVE", "TAR_ENTRY_INFO", "EACCES"].includes(err.code)
+ ) {
  console.log(
  `Error while extracting image ${fullImageName} to ${dir}. Please file this bug to the cdxgen repo. https://github.com/CycloneDX/cdxgen/issues`,
  );
@@ -739,6 +750,8 @@ export const extractTar = async (fullImageName, dir) => {
  if (DEBUG_MODE) {
  console.log(`Archive ${fullImageName} is empty. Skipping.`);
  }
+ } else if (["EACCES"].includes(err.code)) {
+ console.log(err);
  } else {
  console.log(err);
  }

diff --git a/docs/ADVANCED.md b/docs/ADVANCED.md
@@ -492,11 +492,16 @@ Example:
 
 ## Generate Cryptography Bill of Materials (CBOM)
 
-Use the `cbom` alias to generate a CBOM. This is currently supported only for Java projects.
+Use the `cbom` alias to generate a CBOM. This is currently supported only for Java and Python projects.
 
 ```shell
 cbom -t java
-# cdxgen -t java --include-crypto -o bom.json .
+# cdxgen -t java --include-crypto -o bom.json --spec-version 1.6 .
+```
+
+```shell
+cbom -t python
+# cdxgen -t python --include-crypto -o bom.json --spec-version .
 ```
 
 Using the `cbom` alias sets the following options:

diff --git a/index.js b/index.js
@@ -5807,18 +5807,6 @@ export async function createBom(path, options) {
  [...new Set(exportData.pkgPathList)],
  options,
  );
- if (exportData.allLayersDir?.startsWith(tmpdir())) {
- if (DEBUG_MODE) {
- console.log(`Cleaning up ${exportData.allLayersDir}`);
- }
- try {
- if (rmSync) {
- rmSync(exportData.allLayersDir, { recursive: true, force: true });
- }
- } catch (err) {
- // continue regardless of error
- }
- }
  return bomData;
  }
  if (path.endsWith(".war")) {

diff --git a/jsr.json b/jsr.json
@@ -1,6 +1,6 @@
 {
  "name": "@cyclonedx/cdxgen",
- "version": "10.5.0",
+ "version": "10.5.1",
  "exports": "./index.js",
  "include": ["*.js", "bin/**", "data/**", "types/**"],
  "exclude": ["test/", "docs/", "contrib/", "ci/", "tools_config/"]