deno docker

Signed-off-by: Prabhu Subramanian <[email protected]>

.github/workflows/npm-release.yml

@@ -54,10 +54,25 @@ jobs:
         images: |
           ghcr.io/cyclonedx/cdxgen
     - name: Build and push Docker images
-      uses: docker/build-push-action@v3
+      uses: docker/build-push-action@v4
       with:
         context: .
         platforms: linux/amd64,linux/arm64
         push: true
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
+    - name: Extract metadata (tags, labels) for Docker
+      id: meta2
+      uses: docker/metadata-action@v4
+      with:
+        images: |
+          ghcr.io/cyclonedx/cdxgen-deno
+    - name: Build and push Docker images
+      uses: docker/build-push-action@v4
+      with:
+        context: .
+        file: Dockerfile-deno
+        platforms: linux/amd64
+        push: true
+        tags: ${{ steps.meta2.outputs.tags }}
+        labels: ${{ steps.meta2.outputs.labels }}

.gitignore

@@ -113,3 +113,6 @@ test/obj
 ./cdxgen
 ./cdxgen.exe
 ./cdxgen.app
+.stacker/
+oci/
+roots/

Dockerfile

@@ -4,20 +4,20 @@ LABEL maintainer="cyclonedx" \
       org.opencontainers.image.authors="Prabhu Subramanian <[email protected]>" \
       org.opencontainers.image.source="https://github.com/cyclonedx/cdxgen" \
       org.opencontainers.image.url="https://github.com/cyclonedx/cdxgen" \
-      org.opencontainers.image.version="8.5.0" \
+      org.opencontainers.image.version="9.1.0" \
       org.opencontainers.image.vendor="cyclonedx" \
       org.opencontainers.image.licenses="Apache-2.0" \
       org.opencontainers.image.title="cdxgen" \
       org.opencontainers.image.description="Container image for cyclonedx cdxgen SBoM generator" \
-      org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw --cpus=2 --memory=4g -t ghcr.io/cyclonedx/cdxgen -r /app --server"
+      org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app --server"
 
 ARG SWIFT_SIGNING_KEY=A62AE125BBBFBB96A6E042EC925CC1CCED3D1561
 ARG SWIFT_PLATFORM=ubi9
 ARG SWIFT_BRANCH=swift-5.8-release
 ARG SWIFT_VERSION=swift-5.8-RELEASE
 ARG SWIFT_WEBROOT=https://download.swift.org
 ARG JAVA_VERSION=22.3.r19-grl
-ARG SBT_VERSION=1.9.0
+ARG SBT_VERSION=1.9.1
 ARG MAVEN_VERSION=3.9.2
 ARG GRADLE_VERSION=8.1.1
 

Dockerfile-deno

@@ -0,0 +1,128 @@
+FROM almalinux:9.2-minimal
+
+LABEL maintainer="cyclonedx" \
+      org.opencontainers.image.authors="Prabhu Subramanian <[email protected]>" \
+      org.opencontainers.image.source="https://github.com/cyclonedx/cdxgen" \
+      org.opencontainers.image.url="https://github.com/cyclonedx/cdxgen" \
+      org.opencontainers.image.version="9.1.0" \
+      org.opencontainers.image.vendor="cyclonedx" \
+      org.opencontainers.image.licenses="Apache-2.0" \
+      org.opencontainers.image.title="cdxgen" \
+      org.opencontainers.image.description="Container image for cyclonedx cdxgen SBoM generator" \
+      org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-deno -r /app --server"
+
+ARG SWIFT_SIGNING_KEY=A62AE125BBBFBB96A6E042EC925CC1CCED3D1561
+ARG SWIFT_PLATFORM=ubi9
+ARG SWIFT_BRANCH=swift-5.8-release
+ARG SWIFT_VERSION=swift-5.8-RELEASE
+ARG SWIFT_WEBROOT=https://download.swift.org
+ARG JAVA_VERSION=22.3.r19-grl
+ARG SBT_VERSION=1.9.1
+ARG MAVEN_VERSION=3.9.2
+ARG GRADLE_VERSION=8.1.1
+
+ENV GOPATH=/opt/app-root/go \
+    GO_VERSION=1.20.4 \
+    JAVA_VERSION=$JAVA_VERSION \
+    SBT_VERSION=$SBT_VERSION \
+    MAVEN_VERSION=$MAVEN_VERSION \
+    GRADLE_VERSION=$GRADLE_VERSION \
+    GRADLE_OPTS="-Dorg.gradle.daemon=false" \
+    JAVA_HOME="/opt/java/${JAVA_VERSION}" \
+    MAVEN_HOME="/opt/maven/${MAVEN_VERSION}" \
+    GRADLE_HOME="/opt/gradle/${GRADLE_VERSION}" \
+    SBT_HOME="/opt/sbt/${SBT_VERSION}" \
+    PYTHONUNBUFFERED=1 \
+    PYTHONIOENCODING="utf-8" \
+    COMPOSER_ALLOW_SUPERUSER=1 \
+    ANDROID_HOME=/opt/android-sdk-linux \
+    GLOBAL_NODE_MODULES_PATH=/root/.cache/deno/npm/registry.npmjs.org \
+    CDXGEN_PLUGINS_DIR=/root/.cache/deno/npm/registry.npmjs.org/@cyclonedx/cdxgen-plugins-bin/1.2.0/plugins \
+    SWIFT_SIGNING_KEY=$SWIFT_SIGNING_KEY \
+    SWIFT_PLATFORM=$SWIFT_PLATFORM \
+    SWIFT_BRANCH=$SWIFT_BRANCH \
+    SWIFT_VERSION=$SWIFT_VERSION \
+    SWIFT_WEBROOT=$SWIFT_WEBROOT
+ENV PATH=${PATH}:${JAVA_HOME}/bin:${MAVEN_HOME}/bin:${GRADLE_HOME}/bin:${SBT_HOME}/bin:${GOPATH}/bin:/usr/local/go/bin:/usr/local/bin/:/root/.local/bin:${ANDROID_HOME}/cmdline-tools/latest/bin:${ANDROID_HOME}/tools:${ANDROID_HOME}/tools/bin:${ANDROID_HOME}/platform-tools:/root/.deno/bin/:
+
+RUN set -e; \
+    ARCH_NAME="$(rpm --eval '%{_arch}')"; \
+    url=; \
+    case "${ARCH_NAME##*-}" in \
+        'x86_64') \
+            OS_ARCH_SUFFIX=''; \
+            GOBIN_VERSION='amd64'; \
+            ;; \
+        'aarch64') \
+            OS_ARCH_SUFFIX='-aarch64'; \
+            GOBIN_VERSION='arm64'; \
+            ;; \
+        *) echo >&2 "error: unsupported architecture: '$ARCH_NAME'"; exit 1 ;; \
+    esac; \
+    microdnf module enable php ruby -y \
+    && microdnf install -y php php-curl php-zip php-bcmath php-json php-pear php-mbstring php-devel make gcc git-core \
+        python3.11 python3.11-devel python3.11-pip ruby ruby-devel \
+        pcre2 which tar gzip zip unzip sudo ncurses \
+    && alternatives --install /usr/bin/python3 python /usr/bin/python3.11 1 \
+    && python3 --version \
+    && python3 -m pip install --upgrade pip \
+    && curl -fsSL https://deno.land/x/install/install.sh | sh \
+    && deno install --allow-read --allow-env --allow-run --allow-sys=uid --allow-write -n cdxgen "npm:@cyclonedx/cdxgen@^9.0.1" \
+    && curl -s "https://get.sdkman.io" | bash \
+    && source "$HOME/.sdkman/bin/sdkman-init.sh" \
+    && echo -e "sdkman_auto_answer=true\nsdkman_selfupdate_feature=false\nsdkman_auto_env=true" >> $HOME/.sdkman/etc/config \
+    && sdk install java $JAVA_VERSION \
+    && sdk install maven $MAVEN_VERSION \
+    && sdk install gradle $GRADLE_VERSION \
+    && sdk install sbt $SBT_VERSION \
+    && sdk offline enable \
+    && mv /root/.sdkman/candidates/* /opt/ \
+    && rm -rf /root/.sdkman \
+    && SWIFT_WEBDIR="$SWIFT_WEBROOT/$SWIFT_BRANCH/$(echo $SWIFT_PLATFORM | tr -d .)$OS_ARCH_SUFFIX" \
+    && SWIFT_BIN_URL="$SWIFT_WEBDIR/$SWIFT_VERSION/$SWIFT_VERSION-$SWIFT_PLATFORM$OS_ARCH_SUFFIX.tar.gz" \
+    && SWIFT_SIG_URL="$SWIFT_BIN_URL.sig" \
+    # - Download the GPG keys, Swift toolchain, and toolchain signature, and verify.
+    && export GNUPGHOME="$(mktemp -d)" \
+    && curl -fsSL "$SWIFT_BIN_URL" -o swift.tar.gz "$SWIFT_SIG_URL" -o swift.tar.gz.sig \
+    && gpg --batch --quiet --keyserver keyserver.ubuntu.com --recv-keys "$SWIFT_SIGNING_KEY" \
+    && gpg --batch --verify swift.tar.gz.sig swift.tar.gz \
+    && tar -xzf swift.tar.gz --directory / --strip-components=1 \
+    && chmod -R o+r /usr/lib/swift \
+    && chmod +x /usr/bin/swift \
+    && rm -rf "$GNUPGHOME" swift.tar.gz.sig swift.tar.gz \
+    && swift --version \
+    && microdnf install -y epel-release \
+    && mkdir -p ${ANDROID_HOME}/cmdline-tools \
+    && curl -L https://dl.google.com/android/repository/commandlinetools-linux-9477386_latest.zip -o ${ANDROID_HOME}/cmdline-tools/android_tools.zip \
+    && unzip ${ANDROID_HOME}/cmdline-tools/android_tools.zip -d ${ANDROID_HOME}/cmdline-tools/ \
+    && rm ${ANDROID_HOME}/cmdline-tools/android_tools.zip \
+    && mv ${ANDROID_HOME}/cmdline-tools/cmdline-tools ${ANDROID_HOME}/cmdline-tools/latest \
+    && yes | /opt/android-sdk-linux/cmdline-tools/latest/bin/sdkmanager --licenses --sdk_root=/opt/android-sdk-linux \
+    && /opt/android-sdk-linux/cmdline-tools/latest/bin/sdkmanager 'platform-tools' --sdk_root=/opt/android-sdk-linux \
+    && /opt/android-sdk-linux/cmdline-tools/latest/bin/sdkmanager 'platforms;android-33' --sdk_root=/opt/android-sdk-linux \
+    && /opt/android-sdk-linux/cmdline-tools/latest/bin/sdkmanager 'build-tools;33.0.0' --sdk_root=/opt/android-sdk-linux \
+    && /opt/android-sdk-linux/cmdline-tools/latest/bin/sdkmanager 'extras;google;m2repository' --sdk_root=/opt/android-sdk-linux \
+    && /opt/android-sdk-linux/cmdline-tools/latest/bin/sdkmanager 'extras;android;m2repository' --sdk_root=/opt/android-sdk-linux \
+    && /opt/android-sdk-linux/cmdline-tools/latest/bin/sdkmanager 'extras;google;google_play_services' --sdk_root=/opt/android-sdk-linux \
+    && curl -LO "https://dl.google.com/go/go${GO_VERSION}.linux-${GOBIN_VERSION}.tar.gz" \
+    && tar -C /usr/local -xzf go${GO_VERSION}.linux-${GOBIN_VERSION}.tar.gz \
+    && rm go${GO_VERSION}.linux-${GOBIN_VERSION}.tar.gz \
+    && curl -LO "https://raw.githubusercontent.com/technomancy/leiningen/stable/bin/lein" \
+    && chmod +x lein \
+    && mv lein /usr/local/bin/ \
+    && /usr/local/bin/lein \
+    && curl -O https://download.clojure.org/install/linux-install-1.11.1.1273.sh \
+    && chmod +x linux-install-1.11.1.1273.sh \
+    && sudo ./linux-install-1.11.1.1273.sh \
+    && useradd -ms /bin/bash cyclonedx \
+    && pecl channel-update pecl.php.net \
+    && pecl install timezonedb \
+    && echo 'extension=timezonedb.so' >> /etc/php.ini \
+    && php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" && php composer-setup.php \
+    && mv composer.phar /usr/local/bin/composer \
+    && python3 -m pip install --user pipenv \
+    && chmod a-w -R /opt \
+    && rm -rf /var/cache/yum \
+    && microdnf clean all
+
+ENTRYPOINT ["cdxgen"]

README.md

@@ -96,6 +96,12 @@ docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /a
 docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen:v8.6.0 -r /app -o /app/bom.json
 ```
 
+To use the deno version, use `ghcr.io/cyclonedx/cdxgen-deno` as the image name.
+
+```bash
+docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-deno -r /app -o /app/bom.json
+```
+
 In deno applications, cdxgen could be directly imported without any conversion. Please see the section on [integration as library](#integration-as-library)
 
 ```ts

binary.js

@@ -78,7 +78,7 @@ if (
 if (!CDXGEN_PLUGINS_DIR) {
   let globalNodePath = process.env.GLOBAL_NODE_MODULES_PATH || undefined;
   if (!globalNodePath) {
-    let result = spawnSync(
+    const result = spawnSync(
       isWin ? "npm.cmd" : "npm",
       ["root", "--quiet", "-g"],
       {
@@ -251,7 +251,7 @@ export const getGoBuildInfo = (src) => {
 
 export const getCargoAuditableInfo = (src) => {
   if (CARGO_AUDITABLE_BIN) {
-    let result = spawnSync(CARGO_AUDITABLE_BIN, [src], {
+    const result = spawnSync(CARGO_AUDITABLE_BIN, [src], {
       encoding: "utf-8"
     });
     if (result.status !== 0 || result.error) {
@@ -278,7 +278,7 @@ export const getOSPackages = (src) => {
     if (existsSync(src)) {
       imageType = "rootfs";
     }
-    let tempDir = mkdtempSync(join(tmpdir(), "trivy-cdxgen-"));
+    const tempDir = mkdtempSync(join(tmpdir(), "trivy-cdxgen-"));
     const bomJsonFile = join(tempDir, "trivy-bom.json");
     const args = [
       imageType,
@@ -299,7 +299,7 @@ export const getOSPackages = (src) => {
     if (DEBUG_MODE) {
       console.log("Executing", TRIVY_BIN, args.join(" "));
     }
-    let result = spawnSync(TRIVY_BIN, args, {
+    const result = spawnSync(TRIVY_BIN, args, {
       encoding: "utf-8"
     });
     if (result.status !== 0 || result.error) {
@@ -350,7 +350,7 @@ export const getOSPackages = (src) => {
             }
             // Fix the group
             let group = dirname(comp.name);
-            let name = basename(comp.name);
+            const name = basename(comp.name);
             let purlObj = undefined;
             let distro_codename = "";
             if (group === ".") {
@@ -461,7 +461,7 @@ export const getOSPackages = (src) => {
             pkgList.push(comp);
             // If there is a source package defined include it as well
             if (srcName && srcVersion && srcName !== comp.name) {
-              let newComp = Object.assign({}, comp);
+              const newComp = Object.assign({}, comp);
               newComp.name = srcName;
               newComp.version = srcVersion;
               if (purlObj) {
@@ -495,7 +495,7 @@ export const executeOsQuery = (query) => {
     if (DEBUG_MODE) {
       console.log("Execuing", OSQUERY_BIN, args.join(" "));
     }
-    let result = spawnSync(OSQUERY_BIN, args, {
+    const result = spawnSync(OSQUERY_BIN, args, {
       encoding: "utf-8"
     });
     if (result.status !== 0 || result.error) {

docker.js

@@ -100,7 +100,7 @@ export const getOnlyDirs = (srcpath, dirName) => {
 };
 
 const getDefaultOptions = () => {
-  let opts = {
+  const opts = {
     enableUnixSockets: true,
     throwHttpErrors: true,
     method: "GET",
@@ -253,7 +253,7 @@ export const getConnection = async (options) => {
 };
 
 export const makeRequest = async (path, method = "GET") => {
-  let client = await getConnection();
+  const client = await getConnection();
   if (!client) {
     return undefined;
   }
@@ -497,7 +497,7 @@ export const exportArchive = async (fullImageName) => {
     console.log(`Unable to find container image archive ${fullImageName}`);
     return undefined;
   }
-  let manifest = {};
+  const manifest = {};
   const tempDir = mkdtempSync(join(tmpdir(), "docker-images-"));
   const allLayersExplodedDir = join(tempDir, "all-layers");
   const blobsDir = join(tempDir, "blobs", "sha256");
@@ -513,14 +513,14 @@ export const exportArchive = async (fullImageName) => {
         );
       }
       const allBlobs = getDirs(blobsDir, "*", false, true);
-      for (let ablob of allBlobs) {
+      for (const ablob of allBlobs) {
         if (DEBUG_MODE) {
           console.log(`Extracting ${ablob} to ${allLayersExplodedDir}`);
         }
         await extractTar(ablob, allLayersExplodedDir);
       }
-      let lastLayerConfig = {};
-      let lastWorkingDir = "";
+      const lastLayerConfig = {};
+      const lastWorkingDir = "";
       const exportData = {
         manifest,
         allLayersDir: tempDir,
@@ -577,7 +577,7 @@ export const extractFromManifest = async (
         console.log(manifest[manifest.length - 1]);
       }
     }
-    let layers = manifest[manifest.length - 1]["Layers"] || [];
+    const layers = manifest[manifest.length - 1]["Layers"] || [];
     if (!layers.length && existsSync(tempDir)) {
       const blobFiles = readdirSync(join(tempDir, "blobs", "sha256"));
       if (blobFiles && blobFiles.length) {
@@ -587,7 +587,7 @@ export const extractFromManifest = async (
       }
     }
     const lastLayer = layers[layers.length - 1];
-    for (let layer of layers) {
+    for (const layer of layers) {
       if (DEBUG_MODE) {
         console.log(`Extracting layer ${layer} to ${allLayersExplodedDir}`);
       }
@@ -660,7 +660,7 @@ export const exportImage = async (fullImageName) => {
     console.log(
       `About to export image ${fullImageName} to ${imageTarFile} using docker cli`
     );
-    let result = spawnSync(
+    const result = spawnSync(
       "docker",
       ["save", "-o", imageTarFile, fullImageName],
       {
@@ -682,7 +682,7 @@ export const exportImage = async (fullImageName) => {
       }
     }
   } else {
-    let client = await getConnection();
+    const client = await getConnection();
     try {
       if (DEBUG_MODE) {
         console.log(`About to export image ${fullImageName} to ${tempDir}`);
@@ -781,7 +781,7 @@ export const getPkgPathList = (exportData, lastWorkingDir) => {
   }
   const pyInstalls = getDirs(allLayersDir, "Python*/", false, false);
   if (pyInstalls && pyInstalls.length) {
-    for (let pyiPath of pyInstalls) {
+    for (const pyiPath of pyInstalls) {
       const pyDirs = getOnlyDirs(pyiPath, "site-packages");
       if (pyDirs && pyDirs.length) {
         pathList = pathList.concat(pyDirs);
@@ -805,7 +805,7 @@ export const getPkgPathList = (exportData, lastWorkingDir) => {
   knownSysPaths.push(join(allLayersExplodedDir, "/usr/lib"));
   knownSysPaths.push(join(allLayersExplodedDir, "/usr/lib64"));
   // Build path list
-  for (let wpath of knownSysPaths) {
+  for (const wpath of knownSysPaths) {
     pathList = pathList.concat(wpath);
     const pyDirs = getOnlyDirs(wpath, "site-packages");
     if (pyDirs && pyDirs.length) {

docker.test.js

@@ -4,7 +4,7 @@ import {
   getImage,
   removeImage,
   exportImage
-} from "./docker";
+} from "./docker.js";
 import { expect, test } from "@jest/globals";
 
 test("docker connection", async () => {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "9.0.2",
+  "version": "9.1.0",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <[email protected]>",