CycloneDX · prabhu · May 4, 2024 · May 3, 2024 · May 3, 2024 · May 3, 2024
@@ -32,6 +32,10 @@ jobs:
         with:
           distribution: 'temurin'
           java-version: ${{ matrix.java-version }}
+      - name: Trim CI agent
+        run: |
+          chmod +x contrib/free_disk_space.sh
+          ./contrib/free_disk_space.sh
       - name: npm install, build and test
         run: |
           npm install
@@ -45,6 +49,7 @@ jobs:
           path: 'repotests/grafana-operator'
       - name: dockertests
         run: |
+          bin/cdxgen.js elasticsearch:7.2.1 -t docker -o bomresults/bom-elastic.json
           bin/cdxgen.js ubuntu:latest -t docker -o bomresults/bom-ubuntu.json
           bin/cdxgen.js almalinux:9.2-minimal -t docker -o bomresults/bom-almalinux.json
           bin/cdxgen.js centos:latest -t docker -o bomresults/bom-centos.json
@@ -83,6 +88,10 @@ jobs:
         with:
           distribution: 'temurin'
           java-version: ${{ matrix.java-version }}
+      - name: Trim CI agent
+        run: |
+          chmod +x contrib/free_disk_space.sh
+          ./contrib/free_disk_space.sh
       - name: npm install, build and test
         run: |
           npm install

@@ -124,3 +124,4 @@ oci/
 roots/
 .python-version
 build/
+.mise.toml
@@ -421,7 +421,12 @@ export function getOSPackages(src) {
       if (DEBUG_MODE) {
         console.log(osReleaseData);
       }
-      let distro_codename = osReleaseData["VERSION_CODENAME"] || "";
+      let distro_codename =
+        osReleaseData["VERSION_CODENAME"] ||
+        osReleaseData["CENTOS_MANTISBT_PROJECT"] ||
+        osReleaseData["REDHAT_SUPPORT_PRODUCT"] ||
+        "";
+      distro_codename = distro_codename.toLowerCase();
       let distro_id = osReleaseData["ID"] || "";
       const distro_id_like = osReleaseData["ID_LIKE"] || "";
       let purl_type = "rpm";
@@ -505,6 +510,8 @@ export function getOSPackages(src) {
                 if (distro_codename?.length) {
                   purlObj.qualifiers["distro_name"] = distro_codename;
                 }
+                // Remove any epoch values
+                delete purlObj.qualifiers.epoch;
                 // Bug fix for mageia and oracle linux
                 // Type is being returned as none for ubuntu as well!
                 if (purlObj.type === "none") {
@@ -573,6 +580,32 @@ export function getOSPackages(src) {
                 // continue regardless of error
               }
             }
+            if (comp.purl.includes("epoch=")) {
+              try {
+                purlObj = PackageURL.fromString(comp.purl);
+                purlObj.qualifiers = purlObj.qualifiers || {};
+                if (distro_id?.length) {
+                  purlObj.qualifiers["distro"] = distro_id;
+                }
+                if (distro_codename?.length) {
+                  purlObj.qualifiers["distro_name"] = distro_codename;
+                }
+                delete purlObj.qualifiers.epoch;
+                allTypes.add(purlObj.namespace);
+                comp.purl = new PackageURL(
+                  purlObj.type,
+                  purlObj.namespace,
+                  name,
+                  purlObj.version,
+                  purlObj.qualifiers,
+                  purlObj.subpath,
+                ).toString();
+                comp["bom-ref"] = decodeURIComponent(comp.purl);
+              } catch (err) {
+                // continue regardless of error
+                console.log(err);
+              }
+            }
             // Fix licenses
             if (
               comp.licenses &&
@@ -685,6 +718,7 @@ const retrieveDependencies = (tmpDependencies, origBomRef, comp) => {
           if (compPurl.qualifiers.distro) {
             tmpPurl.qualifiers.distro = compPurl.qualifiers.distro;
           }
+          delete tmpPurl.qualifiers.epoch;
         }
         dependsOn.add(decodeURIComponent(tmpPurl.toString()));
       } catch (e) {

@@ -8,7 +8,7 @@ LABEL maintainer="cyclonedx" \
       org.opencontainers.image.vendor="cyclonedx" \
       org.opencontainers.image.licenses="Apache-2.0" \
       org.opencontainers.image.title="cdxgen" \
-      org.opencontainers.image.description="Container image for cyclonedx cdxgen SBOM generator" \
+      org.opencontainers.image.description="Container image for cdxgen SBOM generator packing latest build tools." \
       org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app --server"
 
 ARG SWIFT_SIGNING_KEY=A62AE125BBBFBB96A6E042EC925CC1CCED3D1561
@@ -21,6 +21,7 @@ ARG SBT_VERSION=1.9.8
 ARG MAVEN_VERSION=3.9.6
 ARG GRADLE_VERSION=8.7
 ARG GO_VERSION=1.22.2
+ARG NODE_VERSION=22.1.0
 
 ENV GOPATH=/opt/app-root/go \
     JAVA_VERSION=$JAVA_VERSION \
@@ -45,8 +46,10 @@ ENV GOPATH=/opt/app-root/go \
     SWIFT_WEBROOT=$SWIFT_WEBROOT \
     LC_ALL=en_US.UTF-8 \
     LANG=en_US.UTF-8 \
-    LANGUAGE=en_US.UTF-8
-ENV PATH=${PATH}:${JAVA_HOME}/bin:${MAVEN_HOME}/bin:${GRADLE_HOME}/bin:${SBT_HOME}/bin:${GOPATH}/bin:/usr/local/go/bin:/usr/local/bin/:/root/.local/bin:${ANDROID_HOME}/cmdline-tools/latest/bin:${ANDROID_HOME}/tools:${ANDROID_HOME}/tools/bin:${ANDROID_HOME}/platform-tools:
+    LANGUAGE=en_US.UTF-8 \
+    NVM_DIR="/root/.nvm" \
+    NODE_COMPILE_CACHE="/opt/cdxgen-node-cache"
+ENV PATH=${PATH}:/root/.nvm/versions/node/v${NODE_VERSION}/bin:${JAVA_HOME}/bin:${MAVEN_HOME}/bin:${GRADLE_HOME}/bin:${SBT_HOME}/bin:${GOPATH}/bin:/usr/local/go/bin:/usr/local/bin/:/root/.local/bin:${ANDROID_HOME}/cmdline-tools/latest/bin:${ANDROID_HOME}/tools:${ANDROID_HOME}/tools/bin:${ANDROID_HOME}/platform-tools:
 
 RUN set -e; \
     ARCH_NAME="$(rpm --eval '%{_arch}')"; \
@@ -62,15 +65,17 @@ RUN set -e; \
             ;; \
         *) echo >&2 "error: unsupported architecture: '$ARCH_NAME'"; exit 1 ;; \
     esac; \
-    echo -e "[nodejs]\nname=nodejs\nstream=20\nprofiles=\nstate=enabled\n" > /etc/dnf/modules.d/nodejs.module \
-    && microdnf module enable php ruby -y \
+    microdnf module enable php ruby -y \
     && microdnf install -y php php-curl php-zip php-bcmath php-json php-pear php-mbstring php-devel make gcc git-core \
         python3.11 python3.11-devel python3.11-pip ruby ruby-devel glibc-common glibc-all-langpacks \
-        pcre2 which tar gzip zip unzip sudo nodejs ncurses sqlite-devel dotnet-sdk-8.0 \
+        pcre2 which tar gzip zip unzip sudo ncurses sqlite-devel dotnet-sdk-8.0 \
     && alternatives --install /usr/bin/python3 python /usr/bin/python3.11 1 \
     && python3 --version \
     && python3 -m pip install --upgrade pip virtualenv \
     && python3 -m pip install --user pipenv poetry blint \
+    && curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash \
+    && source /root/.nvm/nvm.sh \
+    && nvm install ${NODE_VERSION} \
     && node --version \
     && curl -s "https://get.sdkman.io" | bash \
     && source "$HOME/.sdkman/bin/sdkman-init.sh" \
@@ -127,8 +132,10 @@ RUN set -e; \
     && bundler --version
 COPY . /opt/cdxgen
 RUN cd /opt/cdxgen && npm install --omit=dev \
-    && chown -R cyclonedx:cyclonedx /opt/cdxgen \
+    && mkdir -p /opt/cdxgen-node-cache \
+    && chown -R cyclonedx:cyclonedx /opt/cdxgen /opt/cdxgen-node-cache \
     && chmod a-w -R /opt \
+    && node /opt/cdxgen/bin/cdxgen.js --help \
     && rm -rf /var/cache/yum \
     && microdnf clean all
 

@@ -8,7 +8,7 @@ LABEL maintainer="cyclonedx" \
       org.opencontainers.image.vendor="cyclonedx" \
       org.opencontainers.image.licenses="Apache-2.0" \
       org.opencontainers.image.title="cdxgen" \
-      org.opencontainers.image.description="Container image for cyclonedx cdxgen SBOM generator" \
+      org.opencontainers.image.description="Container image for cdxgen SBOM generator" \
       org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-bun -r /app --server"
 
 ARG SWIFT_SIGNING_KEY=A62AE125BBBFBB96A6E042EC925CC1CCED3D1561

@@ -8,7 +8,7 @@ LABEL maintainer="cyclonedx" \
       org.opencontainers.image.vendor="cyclonedx" \
       org.opencontainers.image.licenses="Apache-2.0" \
       org.opencontainers.image.title="cdxgen" \
-      org.opencontainers.image.description="Container image for cyclonedx cdxgen SBOM generator" \
+      org.opencontainers.image.description="Container image for cdxgen SBOM generator" \
       org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-deno -r /app --server"
 
 ARG SWIFT_SIGNING_KEY=A62AE125BBBFBB96A6E042EC925CC1CCED3D1561

@@ -8,7 +8,7 @@ LABEL maintainer="cyclonedx" \
       org.opencontainers.image.vendor="cyclonedx" \
       org.opencontainers.image.licenses="Apache-2.0" \
       org.opencontainers.image.title="cdxgen" \
-      org.opencontainers.image.description="Container image for cyclonedx cdxgen SBOM generator for testing" \
+      org.opencontainers.image.description="Container image for cdxgen SBOM generator for testing" \
       org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-fedora -r /app --server"
 
 ARG JAVA_VERSION=21-tem

@@ -8,7 +8,7 @@ LABEL maintainer="cyclonedx" \
       org.opencontainers.image.vendor="cyclonedx" \
       org.opencontainers.image.licenses="Apache-2.0" \
       org.opencontainers.image.title="cdxgen" \
-      org.opencontainers.image.description="Container image for cyclonedx cdxgen SBOM generator" \
+      org.opencontainers.image.description="Container image for cdxgen SBOM generator" \
       org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-ppc64 -r /app --server"
 
 ARG SBT_VERSION=1.9.8

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.5.0",
+  "version": "10.5.1",
   "exports": "./index.js",
   "compilerOptions": {
     "allowJs": true,
@@ -46,8 +46,8 @@
     "@appthreat/cdx-proto": "npm:@appthreat/[email protected]",
     "@babel/parser": "npm:@babel/parser@^7.24.5",
     "@babel/traverse": "npm:@babel/traverse@^7.24.5",
-    "@npmcli/arborist": "npm:@npmcli/[email protected].0",
-    "ajv": "npm:ajv@^8.12.0",
+    "@npmcli/arborist": "npm:@npmcli/[email protected].1",
+    "ajv": "npm:ajv@^8.13.0",
     "ajv-formats": "npm:ajv-formats@^3.0.1",
     "cheerio": "npm:cheerio@^1.0.0-rc.12",
     "edn-data": "npm:[email protected]",

@@ -1,6 +1,16 @@
-version: "3.9"
+name: cdxgen
+
 services:
   cdxgen:
+    # For custom builds, use the annotations to describe the pedigree.variants
+    annotations:
+      org.opencontainers.image.vendor: cyclonedx
+      org.opencontainers.image.licenses: Apache-2.0
+      org.opencontainers.image.title: cdxgen
+    environment:
+      - NODE_COMPILE_CACHE=/tmp/cdxgen-node-cache # Using compile cache improves cold start performance
+      - FETCH_LICENSE=false # Set this to true to always include license
+      - CDXGEN_DEBUG_MODE=info # Set this to debug to get more console output
     build:
       dockerfile: ./ci/Dockerfile
       context: .

@@ -367,6 +367,10 @@ export const getConnection = async (options, forRegistry) => {
               "Ensure Docker for Desktop is running as an administrator with 'Exposing daemon on TCP without TLS' setting turned on.",
               opts,
             );
+          } else if (_platform() === "darwin") {
+            console.warn(
+              "Ensure Podman Desktop (open-source) or Docker for Desktop (May require subscription) is running.",
+            );
           } else {
             console.warn(
               "Ensure docker/podman service or Docker for Desktop is running.",
@@ -690,20 +694,25 @@ export const extractTar = async (fullImageName, dir) => {
         preserveOwner: false,
         noMtime: true,
         noChmod: true,
-        strict: false,
+        strict: true,
         C: dir,
         portable: true,
         onwarn: () => {},
         filter: (path, entry) => {
           // Some files are known to cause issues with extract
           if (
+            path.endsWith("etc/machine-id") ||
+            path.includes("usr/lib/systemd/") ||
+            path.includes("usr/lib64/libdevmapper.so") ||
+            path.includes("usr/sbin/") ||
             path.includes("cacerts") ||
             path.includes("ssl/certs") ||
             path.includes("logs/") ||
             path.includes("dev/") ||
             path.includes("usr/share/zoneinfo/") ||
             path.includes("usr/share/doc/") ||
             path.includes("usr/share/i18n/") ||
+            path.includes("usr/share/licenses/device-mapper-libs") ||
             [
               "BlockDevice",
               "CharacterDevice",
@@ -728,7 +737,9 @@ export const extractTar = async (fullImageName, dir) => {
         "Please run cdxgen from a powershell terminal with admin privileges to create symlinks.",
       );
       console.log(err);
-    } else if (!["TAR_BAD_ARCHIVE", "TAR_ENTRY_INFO"].includes(err.code)) {
+    } else if (
+      !["TAR_BAD_ARCHIVE", "TAR_ENTRY_INFO", "EACCES"].includes(err.code)
+    ) {
       console.log(
         `Error while extracting image ${fullImageName} to ${dir}. Please file this bug to the cdxgen repo. https://github.com/CycloneDX/cdxgen/issues`,
       );
@@ -739,6 +750,8 @@ export const extractTar = async (fullImageName, dir) => {
       if (DEBUG_MODE) {
         console.log(`Archive ${fullImageName} is empty. Skipping.`);
       }
+    } else if (["EACCES"].includes(err.code)) {
+      console.log(err);
     } else {
       console.log(err);
     }

@@ -492,11 +492,16 @@ Example:
 
 ## Generate Cryptography Bill of Materials (CBOM)
 
-Use the `cbom` alias to generate a CBOM. This is currently supported only for Java projects.
+Use the `cbom` alias to generate a CBOM. This is currently supported only for Java and Python projects.
 
 ```shell
 cbom -t java
-# cdxgen -t java --include-crypto -o bom.json .
+# cdxgen -t java --include-crypto -o bom.json --spec-version 1.6 .
+```
+
+```shell
+cbom -t python
+# cdxgen -t python --include-crypto -o bom.json --spec-version .
 ```
 
 Using the `cbom` alias sets the following options:

@@ -5807,18 +5807,6 @@ export async function createBom(path, options) {
       [...new Set(exportData.pkgPathList)],
       options,
     );
-    if (exportData.allLayersDir?.startsWith(tmpdir())) {
-      if (DEBUG_MODE) {
-        console.log(`Cleaning up ${exportData.allLayersDir}`);
-      }
-      try {
-        if (rmSync) {
-          rmSync(exportData.allLayersDir, { recursive: true, force: true });
-        }
-      } catch (err) {
-        // continue regardless of error
-      }
-    }
     return bomData;
   }
   if (path.endsWith(".war")) {

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "10.5.0",
+  "version": "10.5.1",
   "exports": "./index.js",
   "include": ["*.js", "bin/**", "data/**", "types/**"],
   "exclude": ["test/", "docs/", "contrib/", "ci/", "tools_config/"]
-Original file line number
+Diff line change
@@ Expand Up / @@ -124,3 +124,4 @@ oci/ @@
     roots/
     .python-version
     build/
+    .mise.toml