Specify work dir in container images. Secure mode improvements

Signed-off-by: Prabhu Subramanian <[email protected]>
CycloneDX · Jan 27, 2025 · 218eec0 · 218eec0
1 parent 40f361e
commit 218eec0
Show file tree

Hide file tree

Showing 30 changed files with 61 additions and 48 deletions.
diff --git a/ci/Dockerfile b/ci/Dockerfile
@@ -173,5 +173,5 @@ RUN set -e; \
     && node /opt/cdxgen/bin/cdxgen.js --help \
     && rm -rf /var/cache/yum /root/.cache/pypoetry \
     && microdnf clean all
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/Dockerfile-bun b/ci/Dockerfile-bun
@@ -142,5 +142,5 @@ RUN cd /opt/cdxgen && bun install --no-cache --production \
     && chmod a-w -R /opt \
     && rm -rf /var/cache/yum \
     && microdnf clean all
-
+WORKDIR /app
 ENTRYPOINT ["bun", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/Dockerfile-deno b/ci/Dockerfile-deno
@@ -167,5 +167,5 @@ RUN set -e; \
     && chmod a-w -R /opt \
     && rm -rf /var/cache/yum \
     && microdnf clean all
-
+WORKDIR /app
 ENTRYPOINT ["cdxgen"]
diff --git a/ci/Dockerfile-ppc64 b/ci/Dockerfile-ppc64
@@ -112,5 +112,5 @@ RUN cd /opt/cdxgen && corepack enable && corepack pnpm install --prod --package-
     && chmod a-w -R /opt \
     && rm -rf /root/.cache /var/cache/yum /root/.cargo \
     && microdnf clean all
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/Dockerfile-secure b/ci/Dockerfile-secure
@@ -60,15 +60,17 @@ ENV GOPATH=/opt/app-root/go \
     CDXGEN_IN_CONTAINER=true \
     CDXGEN_SECURE_MODE=true \
     CDXGEN_DEBUG_MODE=debug \
+    CDXGEN_TEMP_DIR=/tmp/cdxgen-temp \
     SDKMAN_DIR=/opt/.sdkman \
     SDKMAN_CANDIDATES_DIR=/opt/.sdkman/candidates \
     npm_config_python=/usr/bin/python3.12 \
     MALLOC_CONF="dirty_decay_ms:2000,narenas:2,background_thread:true" \
     RUBY_CONFIGURE_OPTS="--with-jemalloc --enable-yjit" \
     RUBYOPT="--yjit" \
     RUBY_BUILD_BUILD_PATH="/tmp/rbenv" \
-    RUBY_BUILD_HTTP_CLIENT=curl
-ENV PATH=${PATH}:/opt/bin:/opt/.nvm/versions/node/v${NODE_VERSION}/bin:${JAVA_HOME}/bin:${MAVEN_HOME}/bin:${GRADLE_HOME}/bin:${SBT_HOME}/bin:${GOPATH}/bin:/usr/local/go/bin:/usr/local/bin/:/opt/.local/bin:${ANDROID_HOME}/cmdline-tools/latest/bin:${ANDROID_HOME}/tools:${ANDROID_HOME}/tools/bin:${ANDROID_HOME}/platform-tools:/root/.cargo/bin:/opt/pypi/bin:/root/.rbenv/bin:/root/.rbenv/versions/3.4.1/bin:
+    RUBY_BUILD_HTTP_CLIENT=curl \
+    RBENV_ROOT=/opt/.rbenv
+ENV PATH=${PATH}:/opt/bin:/opt/.nvm/versions/node/v${NODE_VERSION}/bin:${JAVA_HOME}/bin:${MAVEN_HOME}/bin:${GRADLE_HOME}/bin:${SBT_HOME}/bin:${GOPATH}/bin:/usr/local/go/bin:/usr/local/bin/:/opt/.local/bin:${ANDROID_HOME}/cmdline-tools/latest/bin:${ANDROID_HOME}/tools:${ANDROID_HOME}/tools/bin:${ANDROID_HOME}/platform-tools:/root/.cargo/bin:/home/cyclonedx/.cargo/bin:/opt/pypi/bin:/opt/.rbenv/bin:/opt/.rbenv/versions/3.4.1/bin:
 
 COPY . /opt/cdxgen    
 
@@ -108,19 +110,20 @@ RUN set -e; \
     && source ${NVM_DIR}/nvm.sh \
     && nvm install ${NODE_VERSION} \
     && node --version \
-    && git clone https://github.com/rbenv/rbenv.git --depth=1 /root/.rbenv \
-    && echo 'export PATH="/root/.rbenv/bin:$PATH"' >> ~/.bashrc \
-    && echo 'eval "$(/root/.rbenv/bin/rbenv init - bash)"' >> ~/.bashrc \
+    && git clone https://github.com/rbenv/rbenv.git --depth=1 /opt/.rbenv \
+    && echo 'export PATH="/opt/.rbenv/bin:$PATH"' >> ~/.bashrc \
+    && echo 'eval "$(/opt/.rbenv/bin/rbenv init - bash)"' >> ~/.bashrc \
+    && echo 'export RBENV_ROOT=/opt/.rbenv' >> ~/.bashrc \
     && echo 'export NVM_DIR=/opt/.nvm' >> ~/.bashrc \
     && source ~/.bashrc \
-    && mkdir -p "$(rbenv root)/plugins" \
-    && git clone https://github.com/rbenv/ruby-build.git --depth=1 "$(rbenv root)/plugins/ruby-build" \
+    && mkdir -p "/opt/.rbenv/plugins" \
+    && git clone https://github.com/rbenv/ruby-build.git --depth=1 "/opt/.rbenv/plugins/ruby-build" \
     && rbenv install ${RUBY_VERSION} \
     && rbenv global ${RUBY_VERSION} \
-    && rm -rf /root/.rbenv/cache $RUBY_BUILD_BUILD_PATH \
+    && rm -rf /opt/.rbenv/cache $RUBY_BUILD_BUILD_PATH \
     && ruby --version \
     && which ruby \
-    && curl -s "https://get.sdkman.io?rcupdate=false" | bash \
+    && curl -s "https://get.sdkman.io" | bash \
     && echo -e "sdkman_auto_answer=true\nsdkman_selfupdate_feature=false\nsdkman_auto_env=true\nsdkman_curl_connect_timeout=20\nsdkman_curl_max_time=0" >> /opt/.sdkman/etc/config \
     && source "/opt/.sdkman/bin/sdkman-init.sh" \
     && sdk install java $JAVA_VERSION /opt/.sdkman/candidates/java \
@@ -162,6 +165,9 @@ RUN set -e; \
     && curl -L --output /usr/local/bin/bazel https://github.com/bazelbuild/bazelisk/releases/latest/download/bazelisk-linux-${GOBIN_VERSION} \
     && chmod +x /usr/local/bin/bazel \
     && useradd -ms /bin/bash cyclonedx \
+    && mv /root/.bashrc /home/cyclonedx/.bashrc \
+    && mv /root/.cargo /home/cyclonedx/.cargo \
+    && chown -R cyclonedx:cyclonedx /home/cyclonedx/.cargo /home/cyclonedx/.bashrc \
     && npm install --unsafe-perm -g node-gyp @microsoft/rush --omit=dev \
     && npx node-gyp install \
     && pecl channel-update pecl.php.net \
@@ -177,11 +183,10 @@ RUN set -e; \
     && mkdir -p /opt/cdxgen-node-cache \
     && chown -R cyclonedx:cyclonedx /opt/cdxgen /opt/cdxgen-node-cache \
     && chmod a-w -R /opt \
-    && cdxgen --help \
     && rm -rf /var/cache/yum /root/.cache/pypoetry \
     && microdnf clean all
-ENV NODE_OPTIONS='--permission --allow-fs-read="/app/*" --allow-fs-read="/opt/*" --allow-fs-write="/tmp/*" --allow-fs-write="/app/*.json" --allow-child-process --trace-warnings'
-RUN cdxgen --help
+ENV NODE_OPTIONS='--permission --allow-fs-read="/app/*" --allow-fs-read="/opt/*" --allow-fs-read="/home/cyclonedx/*" --allow-fs-read="/tmp/cdxgen-temp/*" --allow-fs-write="/tmp/cdxgen-temp/*" --allow-fs-write="/app/*.json" --allow-child-process --trace-warnings'
+RUN mkdir -p /tmp/cdxgen-temp && cdxgen --help
 USER cyclonedx
 WORKDIR /app
 CMD ["cdxgen"]
diff --git a/ci/base-images/cdxgen/Dockerfile.dotnet6 b/ci/base-images/cdxgen/Dockerfile.dotnet6
@@ -42,5 +42,5 @@ RUN set -e; \
     && node /opt/cdxgen/bin/cdxgen.js --help \
     && pip install --upgrade --no-cache-dir blint atom-tools --target /opt/pypi \
     && chmod a-w -R /opt
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/Dockerfile.dotnet7 b/ci/base-images/cdxgen/Dockerfile.dotnet7
@@ -42,5 +42,5 @@ RUN set -e; \
     && node /opt/cdxgen/bin/cdxgen.js --help \
     && pip install --upgrade --no-cache-dir blint atom-tools --target /opt/pypi \
     && chmod a-w -R /opt
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/Dockerfile.dotnet8 b/ci/base-images/cdxgen/Dockerfile.dotnet8
@@ -42,5 +42,5 @@ RUN set -e; \
     && node /opt/cdxgen/bin/cdxgen.js --help \
     && pip install --upgrade --no-cache-dir blint atom-tools --target /opt/pypi \
     && chmod a-w -R /opt
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/Dockerfile.dotnet9 b/ci/base-images/cdxgen/Dockerfile.dotnet9
@@ -23,5 +23,5 @@ RUN cd /opt/cdxgen && corepack enable && corepack pnpm install --prod --package-
     && node /opt/cdxgen/bin/cdxgen.js --help \
     && pip install --upgrade --no-cache-dir blint atom-tools --target /opt/pypi \
     && chmod a-w -R /opt
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/Dockerfile.java b/ci/base-images/cdxgen/Dockerfile.java
@@ -23,5 +23,5 @@
     && node /opt/cdxgen/bin/cdxgen.js --help \
     && pip install --upgrade --no-cache-dir atom-tools --target /opt/pypi \
     && chmod a-w -R /opt
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/Dockerfile.java-slim b/ci/base-images/cdxgen/Dockerfile.java-slim
@@ -21,5 +21,5 @@ RUN cd /opt/cdxgen && corepack enable && corepack pnpm install --prod --package-
     && mkdir -p /opt/cdxgen-node-cache \
     && node /opt/cdxgen/bin/cdxgen.js --help \
     && chmod a-w -R /opt
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/Dockerfile.java17 b/ci/base-images/cdxgen/Dockerfile.java17
@@ -23,5 +23,5 @@ RUN cd /opt/cdxgen && corepack enable && corepack pnpm install --prod --package-
     && node /opt/cdxgen/bin/cdxgen.js --help \
     && pip install --upgrade --no-cache-dir atom-tools --target /opt/pypi \
     && chmod a-w -R /opt
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/Dockerfile.java17-slim b/ci/base-images/cdxgen/Dockerfile.java17-slim
@@ -21,5 +21,5 @@ RUN cd /opt/cdxgen && corepack enable && corepack pnpm install --prod --package-
     && mkdir -p /opt/cdxgen-node-cache \
     && node /opt/cdxgen/bin/cdxgen.js --help \
     && chmod a-w -R /opt
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/Dockerfile.node20 b/ci/base-images/cdxgen/Dockerfile.node20
@@ -22,5 +22,5 @@ RUN cd /opt/cdxgen && corepack enable && corepack pnpm install --prod --package-
     && node /opt/cdxgen/bin/cdxgen.js --help \
     && pip install --upgrade --no-cache-dir atom-tools --target /opt/pypi \
     && chmod a-w -R /opt
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/Dockerfile.python b/ci/base-images/cdxgen/Dockerfile.python
@@ -37,5 +37,5 @@ RUN source /root/.nvm/nvm.sh \
     && node /opt/cdxgen/bin/cdxgen.js --help \
     && chmod a-w -R /opt \
     && zypper clean -a
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/Dockerfile.python310 b/ci/base-images/cdxgen/Dockerfile.python310
@@ -27,5 +27,5 @@ RUN zypper --non-interactive install --allow-downgrade -l --no-recommends readli
     && pip install --upgrade --no-cache-dir atom-tools --target /opt/pypi \
     && chmod a-w -R /opt \
     && zypper clean -a
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/Dockerfile.python311 b/ci/base-images/cdxgen/Dockerfile.python311
@@ -37,5 +37,5 @@ RUN source /root/.nvm/nvm.sh \
     && pip install --upgrade --no-cache-dir atom-tools --target /opt/pypi \
     && chmod a-w -R /opt \
     && zypper clean -a
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/Dockerfile.python36 b/ci/base-images/cdxgen/Dockerfile.python36
@@ -36,5 +36,5 @@ RUN source /root/.nvm/nvm.sh \
     && node /opt/cdxgen/bin/cdxgen.js --help \
     && chmod a-w -R /opt \
     && zypper clean -a
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/Dockerfile.python39 b/ci/base-images/cdxgen/Dockerfile.python39
@@ -26,5 +26,5 @@ RUN zypper --non-interactive install --allow-downgrade -l --no-recommends readli
     && node /opt/cdxgen/bin/cdxgen.js --help \
     && chmod a-w -R /opt \
     && zypper clean -a
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/Dockerfile.rolling b/ci/base-images/cdxgen/Dockerfile.rolling
@@ -25,5 +25,5 @@ RUN cd /opt/cdxgen && corepack enable && corepack pnpm install --prod --package-
     && node /opt/cdxgen/bin/cdxgen.js --help \
     && pip install --upgrade --no-cache-dir blint atom-tools --target /opt/pypi \
     && chmod a-w -R /opt
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/Dockerfile.ruby25 b/ci/base-images/cdxgen/Dockerfile.ruby25
@@ -28,5 +28,5 @@ RUN cd /opt/cdxgen && corepack enable && corepack pnpm install --prod --package-
     && rbastgen --help \
     && rm -rf ${CDXGEN_GEM_HOME} && mkdir -p ${CDXGEN_GEM_HOME} \
     && chmod a-w -R /opt
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/debian/Dockerfile.dotnet6 b/ci/base-images/cdxgen/debian/Dockerfile.dotnet6
@@ -45,5 +45,5 @@ RUN set -e; \
     && node /opt/cdxgen/bin/cdxgen.js --help \
     && pip install --upgrade --no-cache-dir blint atom-tools --target /opt/pypi \
     && chmod a-w -R /opt
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/debian/Dockerfile.dotnet8 b/ci/base-images/cdxgen/debian/Dockerfile.dotnet8
@@ -45,5 +45,5 @@ RUN set -e; \
     && node /opt/cdxgen/bin/cdxgen.js --help \
     && pip install --upgrade --no-cache-dir blint atom-tools --target /opt/pypi \
     && chmod a-w -R /opt
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/debian/Dockerfile.dotnet9 b/ci/base-images/cdxgen/debian/Dockerfile.dotnet9
@@ -23,5 +23,5 @@ RUN cd /opt/cdxgen && corepack enable && corepack pnpm install --prod --package-
     && node /opt/cdxgen/bin/cdxgen.js --help \
     && pip install --upgrade --no-cache-dir blint atom-tools --target /opt/pypi \
     && chmod a-w -R /opt
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/debian/Dockerfile.ruby26 b/ci/base-images/cdxgen/debian/Dockerfile.ruby26
@@ -27,5 +27,5 @@ RUN cd /opt/cdxgen && corepack enable && corepack pnpm install --prod --package-
     && rbastgen --help \
     && rm -rf ${CDXGEN_GEM_HOME} && mkdir -p ${CDXGEN_GEM_HOME} \
     && chmod a-w -R /opt
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/debian/Dockerfile.ruby33 b/ci/base-images/cdxgen/debian/Dockerfile.ruby33
@@ -28,5 +28,5 @@ RUN cd /opt/cdxgen && corepack enable && corepack pnpm install --prod --package-
     && rbastgen --help \
     && rm -rf ${CDXGEN_GEM_HOME} && mkdir -p ${CDXGEN_GEM_HOME} \
     && chmod a-w -R /opt
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/ci/base-images/cdxgen/debian/Dockerfile.ruby34 b/ci/base-images/cdxgen/debian/Dockerfile.ruby34
@@ -27,5 +27,5 @@ RUN cd /opt/cdxgen && corepack enable && corepack pnpm install --prod --package-
     && rbastgen --help \
     && rm -rf ${CDXGEN_GEM_HOME} && mkdir -p ${CDXGEN_GEM_HOME} \
     && chmod a-w -R /opt
-
+WORKDIR /app
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]
diff --git a/lib/helpers/envcontext.js b/lib/helpers/envcontext.js
@@ -496,21 +496,29 @@ export function installSdkmanTool(toolType, toolName) {
   toolName = getSdkmanToolFullname(toolName);
   let result = undefined;
   if (!isSdkmanToolAvailable(toolType, toolName)) {
-    console.log("About to install", toolType, toolName);
+    let installDir = "";
+    if (process.env.SDKMAN_CANDIDATES_DIR) {
+      installDir = join(process.env.SDKMAN_CANDIDATES_DIR, toolType);
+    }
+    console.log("About to install", toolType, toolName, installDir);
     result = spawnSync(
       process.env.SHELL || "bash",
-      ["-i", "-c", `"echo -e "no" | sdk install ${toolType} ${toolName}"`],
+      [
+        "-i",
+        "-c",
+        `"echo -e "no" | sdk install ${toolType} ${toolName} ${installDir}"`.trim(),
+      ],
       {
         encoding: "utf-8",
         shell: process.env.SHELL || true,
         timeout: TIMEOUT_MS,
       },
     );
     if (DEBUG_MODE) {
-      if (console.stdout) {
+      if (result.stdout) {
         console.log(result.stdout);
       }
-      if (console.stderr) {
+      if (result.stderr) {
         console.log(result.stderr);
       }
     }
@@ -598,10 +606,10 @@ export function getNvmToolDirectory(toolName) {
     },
   );
   if (DEBUG_MODE) {
-    if (console.stdout) {
+    if (resultWhichNode.stdout) {
       console.log(resultWhichNode.stdout);
     }
-    if (console.stderr) {
+    if (resultWhichNode.stderr) {
       console.log(resultWhichNode.stderr);
     }
   }
@@ -634,10 +642,10 @@ export function getOrInstallNvmTool(toolVersion) {
     );
 
     if (DEBUG_MODE) {
-      if (console.stdout) {
+      if (resultInstall.stdout) {
         console.log(resultInstall.stdout);
       }
-      if (console.stderr) {
+      if (resultInstall.stderr) {
         console.log(resultInstall.stderr);
       }
     }

diff --git a/lib/stages/pregen/pregen.js b/lib/stages/pregen/pregen.js
@@ -36,7 +36,7 @@ import {
  * @param {Object} options CLI options
  */
 export function prepareEnv(filePath, options) {
-  if (!options.projectType) {
+  if (!options.projectType || isSecureMode) {
     return;
   }
   for (const pt of options.projectType) {

diff --git a/types/lib/helpers/envcontext.d.ts.map b/types/lib/helpers/envcontext.d.ts.map