CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server.
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

Support for windows containers #56

Open prabhu opened 3 years ago

miftacul commented 1 year ago

Yes, it will be good if cdxgen is able to support Windows containers as well.

prabhu commented 1 year ago

Let's do this.

prabhu commented 1 year ago

@miftacul Windows is supported in os mode with -t os argument. As explained here, you must install the binary plugins and run cdxgen from within Windows to generate the SBoM file.

https://github.com/AppThreat/cdxgen#plugins

I am yet to test if cdxgen can run successfully during the docker build phase.

Could you give this a try and let me know what you think?

Transmitt0r commented 1 year ago

@prabhu do you have an example? When I try to run cdxgen -t docker myimage:latest I always get the same error message telling me to file an issue:

Error: TAR_ENTRY_INVALID: linkpath required
    at UnpackSync.warn (C:\Users\transmitt0r\AppData\Roaming\nvm\v18.16.0\node_modules\@cyclonedx\cdxgen\node_modules\tar\lib\warn-mixin.js:21:40)
    at UnpackSync.warn (C:\Users\transmitt0r\AppData\Roaming\nvm\v18.16.0\node_modules\@cyclonedx\cdxgen\node_modules\tar\lib\unpack.js:229:18)
    at [consumeHeader] (C:\Users\transmitt0r\AppData\Roaming\nvm\v18.16.0\node_modules\@cyclonedx\cdxgen\node_modules\tar\lib\parse.js:161:16)
    at [consumeChunkSub] (C:\Users\transmitt0r\AppData\Roaming\nvm\v18.16.0\node_modules\@cyclonedx\cdxgen\node_modules\tar\lib\parse.js:471:30)
    at [consumeChunk] (C:\Users\transmitt0r\AppData\Roaming\nvm\v18.16.0\node_modules\@cyclonedx\cdxgen\node_modules\tar\lib\parse.js:443:30)
    at UnpackSync.write (C:\Users\transmitt0r\AppData\Roaming\nvm\v18.16.0\node_modules\@cyclonedx\cdxgen\node_modules\tar\lib\parse.js:385:25)
    at ReadStream.ondata (node:internal/streams/readable:766:22)
    at ReadStream.emit (node:events:513:28)
    at addChunk (node:internal/streams/readable:324:12)
    at readableAddChunk (node:internal/streams/readable:297:9) {
  header: Header {
    cksumValid: true,
    needPax: false,
    nullBlock: false,
    block: null,
    path: 'Files/Program Files/WindowsPowerShell/Modules/Microsoft.PowerShell.Operation.Validation/1.0.1/Test/Modules/Example2.Diagnostics/1.0.1/Diagnostics/Simple/Example2.Diagnostics.Tests.ps1',
    mode: 420,
    uid: 0,
    gid: 0,
    size: 0,
    mtime: 2018-09-15T07:10:22.375Z,
    cksum: 3742,
    linkpath: '',
    uname: '',
    gname: '',
    devmaj: 0,
    devmin: 0,
    atime: null,
    ctime: null,
    global: false,
    [Symbol(type)]: '1'
  },
  cwd: 'C:/Users/transmitt0r/AppData/Local/Temp/docker-images-XtUxgj/all-layers',
  code: 'TAR_ENTRY_INVALID',
  tarCode: 'TAR_ENTRY_INVALID'
}

Do you have a suggestion on how to fix this? I get exactly the same result when I try to run cdxgen -t os ./myimage.tar, where myimage.tar is the Windows container image that I saved with docker save.

Thank you!

prabhu commented 1 year ago

@Transmitt0r could you try from a WSL2 session? This error indicates that the tar cannot be extracted due to the presence of various symlinks in the image.

prabhu commented 1 year ago

@Transmitt0r to answer your other question about the example for Windows os, the argument is -t os. Here is an example:

https://github.com/CycloneDX/cdxgen/actions/runs/4790407983/jobs/8519484302#step:5:3