Use docker for reachables tests

Signed-off-by: Prabhu Subramanian <[email protected]>

.github/workflows/java-reachables-test.yml

@@ -12,7 +12,7 @@ jobs:
       fail-fast: false
       matrix:
         node-version: ['23.x']
-        os: ['ubuntu-latest']
+        os: ['ubuntu-24.04']
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
@@ -56,66 +56,38 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node-version: ['23.x']
-        os: ['ubuntu-latest']
+        os: ["ubuntu-24.04"]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
-      - name: Set up JDK
-        uses: actions/setup-java@v4
-        with:
-          distribution: 'temurin'
-          java-version: '23'
-      - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
-        with:
-          node-version: ${{ matrix.node-version }}
       - name: setup paths
         run: |
-          corepack enable pnpm
-          echo "${RUNNER_TEMP}/bin" >> "$GITHUB_PATH"
-          echo "${GITHUB_WORKSPACE}/node_modules/.bin" >> "$GITHUB_PATH"
           mkdir -p repotests
           mkdir -p rubyresults
-      - name: npm install, build
-        run: |
-          pnpm install --package-import-method copy
-          pnpm config set global-bin-dir "${RUNNER_TEMP}/bin"
-          pnpm install -g .
       - uses: actions/checkout@v4
         with:
           repository: 'campsite/campsite'
           path: 'repotests/campsite'
           ref: '10197238bbbefd9c9ac7c77467b647fd93993ba0'
-      - uses: ruby/setup-ruby@v1
+      - uses: actions/checkout@v4
         with:
-          ruby-version: '3.4'
-        id: ruby34
-      - uses: ruby/setup-ruby@v1
+          repository: 'bionomia/bionomia'
+          path: 'repotests/bionomia'
+          ref: '5ada8b5f4a5f68561a7195e2badc2f744dc4676e'
+      - uses: actions/checkout@v4
         with:
-          ruby-version: '3.3.4'
-      - name: bundle install
-        run: |
-          cd repotests/campsite/api
-          bundle install
-          rm -rf vendor/cache vendor/yarn
-        env:
-          BUNDLE_PATH: ${{ runner.temp }}/vendor/bundle
-          BUNDLE_WITHOUT: "development:test"
-      - name: generate sbom with reachables
+          repository: 'OWASP/railsgoat'
+          path: 'repotests/railsgoat'
+          ref: 'c1e8ff1e3b24a1c48fcfc9fbee0f65dc296b49d9'
+      - name: generate deep sbom
         run: |
-          cd repotests/campsite/api
-          echo "ATOM_RUBY_HOME: ${ATOM_RUBY_HOME}"
-          echo "CDXGEN_GEM_HOME: ${CDXGEN_GEM_HOME}"
-          atom --help
-          rbastgen --help
-          node $GITHUB_WORKSPACE/bin/cdxgen.js -t ruby --profile research -o bom.json .
+          cd repotests/bionomia
+          docker run --rm -e CDXGEN_DEBUG_MODE -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-debian-ruby33:v11 -r /app -o /app/bom.json -t ruby --profile research
           ls -lh
-          cp bom.json *.slices.json $GITHUB_WORKSPACE/rubyresults
+          mkdir -p $GITHUB_WORKSPACE/rubyresults/bionomia
+          cp bom.json *.slices.json $GITHUB_WORKSPACE/rubyresults/bionomia
         env:
           CDXGEN_DEBUG_MODE: debug
-          ATOM_RUBY_HOME: ${{ steps.ruby34.outputs.ruby-prefix }}
-          CDXGEN_GEM_HOME: ${{ runner.temp }}/vendor/bundle/ruby/3.3.0
       - uses: actions/upload-artifact@v4
         with:
           name: rubyresults

deno.json

@@ -48,7 +48,7 @@
     "gen-types": "npx -p typescript tsc"
   },
   "imports": {
-    "@appthreat/atom": "npm:@appthreat/[email protected].5",
+    "@appthreat/atom": "npm:@appthreat/[email protected].8",
     "@appthreat/cdx-proto": "npm:@appthreat/[email protected]",
     "@babel/parser": "npm:@babel/parser@^7.26.3",
     "@babel/traverse": "npm:@babel/traverse@^7.26.4",

lib/evinser/evinser.js

@@ -376,6 +376,18 @@ export function initFromSbom(components, language) {
   };
 }
 
+function usableSlicesFile(slicesFile) {
+  if (!slicesFile || !fs.existsSync(slicesFile)) {
+    return false;
+  }
+  const stats = fs.statSync(slicesFile);
+  if (!stats.isFile()) {
+    return false;
+  }
+  const fileSizeInBytes = stats.size;
+  return fileSizeInBytes > 1024;
+}
+
 /**
  * Function to analyze the project
  *
@@ -411,7 +423,7 @@ export async function analyzeProject(dbObjMap, options) {
   if (options.withReachables || options.includeCrypto) {
     if (
       options.reachablesSlicesFile &&
-      fs.existsSync(options.reachablesSlicesFile)
+      usableSlicesFile(options.reachablesSlicesFile)
     ) {
       reachablesSlicesFile = options.reachablesSlicesFile;
       reachablesSlice = JSON.parse(
@@ -434,7 +446,7 @@ export async function analyzeProject(dbObjMap, options) {
     cryptoGeneratePurls = retMap.cryptoGeneratePurls;
   }
   // Reuse existing usages slices
-  if (options.usagesSlicesFile && fs.existsSync(options.usagesSlicesFile)) {
+  if (options.usagesSlicesFile && usableSlicesFile(options.usagesSlicesFile)) {
     usageSlice = JSON.parse(fs.readFileSync(options.usagesSlicesFile, "utf-8"));
     usagesSlicesFile = options.usagesSlicesFile;
   } else {
@@ -1389,20 +1401,27 @@ export function createEvinseFile(sliceArtefacts, options) {
     console.log(evinseOutFile, "created successfully.");
   } else {
     console.log(
-      "Unable to identify component evidence for the input SBOM. Only java, javascript, python, swift, php, and ruby projects are supported by evinse.",
+      "Unable to identify component evidence for the input SBOM based on the slices from atom. The slices are either empty or lack appropriate tags.",
     );
     if (DEBUG_MODE) {
       console.log(
         "1. Ensure cdxgen was installed without omitting any optional dependencies.",
       );
       console.log(
-        "2. Retry after removing the following files: app.atom, usages.slices.json, reachables.slices.json. For performance reasons, evinse will try to reuse any existing slices, including empty ones, from the root directory.",
+        "2. Retry after removing the following files from the root directory: app.atom, usages.slices.json, reachables.slices.json.",
       );
       if (process.env?.CDXGEN_IN_CONTAINER !== "true") {
         console.log(
           "3. Additional environment variables may have to be set for local invocations. Check the documentation for atom and evinse.",
         );
+      } else {
+        console.log(
+          "TIP: Try creating the slices using the official atom container image `ghcr.io/appthreat/atom:main` directly. Refer to the documentation: https://atom-docs.appthreat.dev/",
+        );
       }
+      console.log(
+        "Large projects may require more memory. Consider increasing the memory to 16GB or higher.",
+      );
     }
   }
   if (tempDir?.startsWith(getTmpDir())) {

lib/stages/pregen/pregen.js

@@ -454,7 +454,18 @@ export function prepareRubyEnv(filePath, options) {
     process.env.CDXGEN_RUBY_CMD = "ruby";
     process.env.CDXGEN_GEM_CMD = "gem";
     process.env.CDXGEN_BUNDLE_CMD = "bundle";
-    return;
+    rubyVersionNeeded = undefined;
+    // Do we have a proper GEM_HOME already?
+    if (cdxgenGemHome && existsSync(cdxgenGemHome)) {
+      const gemspecFiles = getAllFiles(
+        cdxgenGemHome,
+        "**/specifications/**/*.gemspec",
+        options,
+      );
+      if (gemspecFiles.length > 3) {
+        return;
+      }
+    }
   }
   if (rubyVersionNeeded && !rbenvPresent) {
     console.log(

package.json

@@ -99,7 +99,7 @@
     "@iarna/toml": "2.2.5"
   },
   "optionalDependencies": {
-    "@appthreat/atom": "2.1.5",
+    "@appthreat/atom": "2.1.8",
     "@appthreat/cdx-proto": "1.0.1",
     "@cyclonedx/cdxgen-plugins-bin": "1.6.9",
     "@cyclonedx/cdxgen-plugins-bin-arm": "1.6.9",
@@ -123,7 +123,7 @@
     "typescript": "^5.7.2"
   },
   "pnpm": {
-    "onlyBuiltDependencies": ["sqlite3", "@biomejs/biome"],
+    "onlyBuiltDependencies": ["sqlite3", "@biomejs/biome", "@appthreat/atom"],
     "overrides": {
       "glob": "^11.0.0",
       "node-gyp": "^10.2.0",