Merge branch 'CycloneDX:master' into Refactor-poetry-install-command

Author: ambuj-1211

.github/actions/build-docker-image/action.yml

@@ -0,0 +1,39 @@
+name: Build a Docker image
+description: |
+  This action does the actual building of an image, based on the given
+  parameters. Depending on the configured 'action', the image is then pushed
+  to a registry or loaded into the local Docker.
+
+inputs:
+  action:
+    description: Action to run on completion of the build -- either 'load' or 'push''
+    required: true
+  dockerfile:
+    description: Dockerfile that describes the image
+    required: true
+  labels:
+    description: Labels to add to the image
+  platforms:
+    description: The platforms for which to build the image
+    required: true
+  tags:
+    description: All tags for the image
+    required: true
+  target:
+    description: Which stage in the Dockerfile to build
+    required: true
+
+runs:
+  using: composite
+  steps:
+  - name: Build Docker image
+    uses: docker/build-push-action@v6
+    with:
+      context: .
+      file: ${{ inputs.dockerfile }}
+      labels: ${{ inputs.labels }}
+      load: ${{ inputs.action == 'load' }}
+      platforms: ${{ inputs.platforms }}
+      push: ${{ inputs.action == 'push' }}
+      tags: ${{ inputs.tags }}
+      target: ${{ inputs.target }}

.github/actions/build-docker-images-generate-attach-sboms/action.yml

@@ -0,0 +1,60 @@
+name: Build Docker image, generate & attach SBOM
+description: |
+  Build and push a multi-platform (always AMD64, configurably ARM64) Docker
+  image and generate and attach an SBOM for all configured platforms.
+
+inputs:
+  build-arm:
+    description: Whether or not to build the arm image
+    required: true
+  dockerfile:
+    description: Dockerfile that describes the image
+    required: true
+  images:
+    description: The name(s) of the image(s) to load metadata for
+    required: true
+  main-tag:
+    description: The tag to attach the SBOMs to, defaults to the first tag returned from the metadata extraction
+  signing-key:
+    description: The key to use for signing the SBOM, base64 encoded
+    required: true
+  tags:
+    description: All tags to set for this image, defaults to all tags returned from the metadata extraction
+  target:
+    description: Which stage in the Dockerfile to build
+    required: true
+
+runs:
+  using: composite
+  steps:
+  - name: Extract metadata (tags, labels) for Docker image
+    id: metadata
+    uses: docker/metadata-action@v5
+    with:
+      images: ${{ inputs.images }}
+  - name: Build and push image
+    uses: ./.github/actions/build-docker-image
+    with:
+      action: push
+      dockerfile: ${{ inputs.dockerfile }}
+      labels: ${{ steps.metadata.outputs.labels }}
+      platforms: linux/amd64${{ inputs.build-arm == 'true' && ',linux/arm64' || '' }}
+      tags: ${{ inputs.tags || steps.metadata.outputs.tags }}
+      target: ${{ inputs.target }}
+  - name: Generate and attach SBOM for amd64
+    uses: ./.github/actions/generate-attach-sbom
+    with:
+      dockerfile: ${{ inputs.dockerfile }}
+      platform: linux/amd64
+      signing-key: ${{ inputs.signing-key }}
+      tag: ${{ inputs.main-tag || fromJSON(steps.metadata.outputs.json).tags[0] }}
+      target: ${{ inputs.target }}
+  - name: Generate and attach SBOM for arm64
+    if: ${{ inputs.build-arm == 'true' }}
+    uses: ./.github/actions/generate-attach-sbom
+    with:
+      dockerfile: ${{ inputs.dockerfile }}
+      platform: linux/arm64
+      signing-key: ${{ inputs.signing-key }}
+      tag: ${{ inputs.main-tag || fromJSON(steps.metadata.outputs.json).tags[0] }}
+      target: ${{ inputs.target }}

.github/actions/generate-attach-sbom/action.yml

@@ -0,0 +1,48 @@
+name: Generate and attach SBOM
+description: |
+  Generate and attach an SBOM to the configured platform-version of an image
+  in its registry.
+
+inputs:
+  dockerfile:
+    description: Dockerfile that describes the image
+    required: true
+  platform:
+    description: The platforms for which to build the image
+    required: true
+  tag:
+    description: All tags for the image
+    required: true
+  signing-key:
+    description: The key to use for signing the SBOM, base64 encoded
+    required: true
+  target:
+    description: Which stage in the Dockerfile to build
+    required: true
+
+runs:
+  using: composite
+  steps:
+  - name: Build and load image
+    uses: ./.github/actions/build-docker-image
+    with:
+      action: load
+      dockerfile: ${{ inputs.dockerfile }}
+      platforms: ${{ inputs.platform }}
+      tags: ${{ inputs.tag }}
+      target: ${{ inputs.target }}
+  - name: Generate and attach SBOM
+    shell: bash
+    run: |
+      node bin/cdxgen.js -t docker -o sbom-oci-image.cdx.json ${{ inputs.tag }}
+      node bin/verify.js -i sbom-oci-image.cdx.json --public-key contrib/bom-signer/public.key
+      oras attach --artifact-type sbom/cyclonedx --platform ${{ inputs.platform }} ${{ inputs.tag }} ./sbom-oci-image.cdx.json:application/json
+      oras discover --format tree --platform ${{ inputs.platform }} ${{ inputs.tag }}
+      node bin/verify.js -i ${{ inputs.tag }} --platform ${{ inputs.platform }} --public-key contrib/bom-signer/public.key
+      docker rmi ${{ inputs.tag }}
+      rm sbom-oci-image.cdx.json
+    env:
+      CDXGEN_TEMP_DIR: ${{ runner.temp }}/cdxgen-sboms
+      DOCKER_USE_CLI: true
+      SBOM_SIGN_ALGORITHM: RS512
+      SBOM_SIGN_PRIVATE_KEY_BASE64: ${{ inputs.signing-key }}

.github/codeql/config.yml

@@ -0,0 +1,6 @@
+version: 2
+analysis:
+  javascript-typescript:
+    validationFunctions:
+      - name: isAllowedHost
+      - name: isAllowedPath

.github/workflows/binary-builds.yml

@@ -18,77 +18,170 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  musl-builds:
+    if: github.repository == 'CycloneDX/cdxgen'
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ 'ubuntu-22.04' ]
+        include:
+          - os: ubuntu-22.04
+            build: |
+              rm -rf ci contrib tools_config
+              pnpm --package=@appthreat/caxa dlx caxa --input . --output "cdxgen" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/cdxgen.js"
+              chmod +x cdxgen
+              ./cdxgen --help
+              sha256sum cdxgen > cdxgen.sha256
+              rm -rf node_modules
+              pnpm install --config.strict-dep-builds=true --virtual-store-dir node_modules/pnpm --no-optional --prod --package-import-method copy --frozen-lockfile              
+              pnpm --package=@appthreat/caxa dlx caxa --input . --output "cdxgen-slim" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/cdxgen.js"
+              chmod +x cdxgen-slim
+              ./cdxgen-slim --version
+              sha256sum cdxgen-slim > cdxgen-slim.sha256
+              pnpm --package=@appthreat/caxa dlx caxa --input . --output "cdx-verify" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/verify.js"
+              chmod +x cdx-verify
+              ./cdx-verify --version
+              sha256sum cdx-verify > cdx-verify.sha256
+              ./cdxgen --help
+              ./cdxgen-slim --help
+              ./cdx-verify --help
+              mv cdxgen cdxgen-musl
+              mv cdxgen.sha256 cdxgen-musl.sha256
+              mv cdxgen-slim cdxgen-musl-slim
+              mv cdxgen-slim.sha256 cdxgen-musl-slim.sha256
+              mv cdx-verify cdx-musl-verify
+              mv cdx-verify.sha256 cdx-musl-verify.sha256
+            artifact: cdxgen-musl
+            sartifact: cdxgen-musl-slim
+            vartifact: cdx-musl-verify
+    runs-on: ${{ matrix.os }}
+    container:
+      image: alpine:3.20
+    permissions:
+      contents: write
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup alpine builder
+        run: |
+          apk add --no-cache nodejs make python3 python3-dev py3-pip py3-virtualenv gcc g++ musl-dev npm
+      - name: Install pnpm
+        run: |
+          npm install --global [email protected]
+          pnpm install --config.strict-dep-builds=true --virtual-store-dir node_modules/pnpm --prod --package-import-method copy --frozen-lockfile
+      - name: Produce sae
+        run: |
+          ${{ matrix.build }}
+        env:
+          CDXGEN_DEBUG_MODE: debug
+      - name: Release
+        uses: softprops/action-gh-release@v2
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          files: |
+            ${{ matrix.artifact }}
+            ${{ matrix.artifact }}.sha256
+            ${{ matrix.sartifact }}
+            ${{ matrix.sartifact }}.sha256
+            ${{ matrix.vartifact }}
+            ${{ matrix.vartifact }}.sha256
   sae-builds:
     if: github.repository == 'CycloneDX/cdxgen'
     strategy:
+      fail-fast: false
       matrix:
-        os: ['ubuntu-22.04', 'windows-latest', 'ubuntu-22.04-arm']
+        os: ['ubuntu-22.04', 'windows-2022', 'windows-11-arm', 'ubuntu-22.04-arm']
         include:
           - os: ubuntu-22.04
             build: |
               rm -rf ci contrib tools_config
-              npx --yes @appthreat/caxa --input . --output "cdxgen" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/cdxgen.js"
+              pnpm --package=@appthreat/caxa dlx caxa --input . --output "cdxgen" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/cdxgen.js"
               chmod +x cdxgen
               ./cdxgen --help
               sha256sum cdxgen > cdxgen.sha256
               rm -rf node_modules
-              corepack pnpm install --config.strict-dep-builds=true --virtual-store-dir node_modules/pnpm --no-optional --prod --package-import-method copy --frozen-lockfile              
-              npx --yes @appthreat/caxa --input . --output "cdxgen-slim" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/cdxgen.js"
+              pnpm install --config.strict-dep-builds=true --virtual-store-dir node_modules/pnpm --no-optional --prod --package-import-method copy --frozen-lockfile              
+              pnpm --package=@appthreat/caxa dlx caxa --input . --output "cdxgen-slim" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/cdxgen.js"
               chmod +x cdxgen-slim
               ./cdxgen-slim --version
               sha256sum cdxgen-slim > cdxgen-slim.sha256
-              npx --yes @appthreat/caxa --input . --output "cdx-verify" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/verify.js"
+              pnpm --package=@appthreat/caxa dlx caxa --input . --output "cdx-verify" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/verify.js"
               chmod +x cdx-verify
               ./cdx-verify --version
               sha256sum cdx-verify > cdx-verify.sha256
-              CDXGEN_DEBUG_MODE=debug ./cdxgen --help
+              ./cdxgen --help
               ./cdxgen-slim --help
+              ./cdx-verify --help
             artifact: cdxgen
             sartifact: cdxgen-slim
             vartifact: cdx-verify
           - os: ubuntu-22.04-arm
             build: |
               rm -rf ci contrib tools_config
-              npx --no-progress --yes @appthreat/caxa --input . --output "cdxgen-arm64" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/cdxgen.js"
+              pnpm --package=@appthreat/caxa dlx caxa --input . --output "cdxgen-arm64" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/cdxgen.js"
               chmod +x cdxgen-arm64
               ./cdxgen-arm64 --version
               sha256sum cdxgen-arm64 > cdxgen-arm64.sha256
               rm -rf node_modules
-              corepack pnpm install --config.strict-dep-builds=true --virtual-store-dir node_modules/pnpm --no-optional --prod --package-import-method copy --frozen-lockfile
-              npx --no-progress --yes @appthreat/caxa --input . --output "cdxgen-arm64-slim" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/cdxgen.js"
+              pnpm install --config.strict-dep-builds=true --virtual-store-dir node_modules/pnpm --no-optional --prod --package-import-method copy --frozen-lockfile
+              pnpm --package=@appthreat/caxa dlx caxa --input . --output "cdxgen-arm64-slim" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/cdxgen.js"
               chmod +x cdxgen-arm64-slim
               ./cdxgen-arm64-slim --version
               sha256sum cdxgen-arm64-slim > cdxgen-arm64-slim.sha256
-              npx --no-progress --yes @appthreat/caxa --input . --output "cdx-arm64-verify" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/verify.js"
+              pnpm --package=@appthreat/caxa dlx caxa --input . --output "cdx-arm64-verify" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/verify.js"
               chmod +x cdx-arm64-verify
               ./cdx-arm64-verify --version
               sha256sum cdx-arm64-verify > cdx-arm64-verify.sha256
-              CDXGEN_DEBUG_MODE=debug ./cdxgen-arm64 --help
+              ./cdxgen-arm64 --help
               ./cdxgen-arm64-slim --help
+              ./cdx-arm64-verify --help
             artifact: cdxgen-arm64
             sartifact: cdxgen-arm64-slim
             vartifact: cdx-arm64-verify
-          - os: windows-latest
+          - os: windows-2022
             build: |
               Remove-Item ci -Recurse -Force
               Remove-Item contrib -Recurse -Force
               Remove-Item tools_config -Recurse -Force
-              npx @appthreat/caxa --input . --output "cdxgen.exe" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/cdxgen.js"
+              npm install --omit=dev --no-package-lock --no-audit --no-fund --no-progress
+              npx --no-progress --yes @appthreat/caxa --input . --output "cdxgen.exe" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/cdxgen.js"
               .\cdxgen.exe --version
               (Get-FileHash .\cdxgen.exe).hash | Out-File -FilePath .\cdxgen.exe.sha256
               Remove-Item node_modules -Recurse -Force
-              corepack pnpm install --config.strict-dep-builds=true --virtual-store-dir node_modules/pnpm --no-optional --prod --package-import-method copy --frozen-lockfile
-              npx @appthreat/caxa --input . --output "cdxgen-slim.exe" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/cdxgen.js"
+              npm install --omit=optional --omit=dev --no-package-lock --no-audit --no-fund
+              npx --no-progress --yes @appthreat/caxa --input . --output "cdxgen-slim.exe" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/cdxgen.js"
               .\cdxgen-slim.exe --version
               (Get-FileHash .\cdxgen-slim.exe).hash | Out-File -FilePath .\cdxgen-slim.exe.sha256
-              npx @appthreat/caxa --input . --output "cdx-verify.exe" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/verify.js"
-              .\cdx-verify.exe --version
+              npx --no-progress --yes @appthreat/caxa --input . --output "cdx-verify.exe" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/verify.js"
               (Get-FileHash .\cdx-verify.exe).hash | Out-File -FilePath .\cdx-verify.exe.sha256
               .\cdxgen.exe --help
               .\cdxgen-slim.exe --help
+              .\cdx-verify.exe --help
             artifact: cdxgen.exe
             sartifact: cdxgen-slim.exe
             vartifact: cdx-verify.exe
+          - os: windows-11-arm
+            build: |
+              Remove-Item ci -Recurse -Force
+              Remove-Item contrib -Recurse -Force
+              Remove-Item tools_config -Recurse -Force
+              npm install --omit=dev --no-package-lock --no-audit --no-fund --no-progress
+              npx --no-progress --yes @appthreat/caxa --input . --output "cdxgen-arm.exe" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/cdxgen.js"
+              .\cdxgen-arm.exe --version
+              (Get-FileHash .\cdxgen-arm.exe).hash | Out-File -FilePath .\cdxgen-arm.exe.sha256
+              Remove-Item node_modules -Recurse -Force
+              npm install --omit=optional --omit=dev --no-package-lock --no-audit --no-fund
+              npx --no-progress --yes @appthreat/caxa --input . --output "cdxgen-arm-slim.exe" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/cdxgen.js"
+              .\cdxgen-arm-slim.exe --version
+              (Get-FileHash .\cdxgen-arm-slim.exe).hash | Out-File -FilePath .\cdxgen-arm-slim.exe.sha256
+              npx --no-progress --yes @appthreat/caxa --input . --output "cdx-arm-verify.exe" -- "{{caxa}}/node_modules/.bin/node" "{{caxa}}/bin/verify.js"
+              (Get-FileHash .\cdx-arm-verify.exe).hash | Out-File -FilePath .\cdx-arm-verify.exe.sha256
+              .\cdxgen-arm.exe --help
+              .\cdxgen-arm-slim.exe --help
+              .\cdx-arm-verify.exe --help
+            artifact: cdxgen-arm.exe
+            sartifact: cdxgen-arm-slim.exe
+            vartifact: cdx-arm-verify.exe
     runs-on: ${{ matrix.os }}
     permissions:
       contents: write
@@ -99,12 +192,16 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: '24.x'
+      - name: Install pnpm
+        run: |
+          npm install --global [email protected]
+          pnpm install --config.strict-dep-builds=true --virtual-store-dir node_modules/pnpm --prod --package-import-method copy --frozen-lockfile
+        if: ${{ !startsWith(matrix.os, 'windows') }}
       - name: Produce sae
         run: |
-          npm install --global corepack@latest
-          corepack enable pnpm
-          corepack pnpm install --config.strict-dep-builds=true --virtual-store-dir node_modules/pnpm --prod --package-import-method copy --frozen-lockfile
           ${{ matrix.build }}
+        env:
+          CDXGEN_DEBUG_MODE: debug
       - uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.artifact }}