[build] Changed image builds to make use of Nexus on self-hosted runs. (#2153)

Changed image builds to make use of Nexus on self-hosted runs.
Also refactored & reordered Dockerfiles.

Signed-off-by: Roland Asmann <[email protected]>

Author: malice00

.dockerignore

@@ -1,4 +1,5 @@
 **
+!.npmrc
 !.pnpmfile.cjs
 !bin/*
 !ci/images/debian/install.sh

.github/actions/build-docker-image/action.yml

@@ -9,6 +9,9 @@ inputs:
     required: true
   labels:
     description: Labels to add to the image
+  language:
+    description: The language and version that is included in this image
+    required: true
   output:
     description: Controls what should be done with the image(s) after building
     required: true
@@ -28,6 +31,10 @@ runs:
     - name: Build Docker image
       uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
       with:
+        build-args: |
+          LANGUAGE=${{ inputs.language }}
+          TAG=${{ inputs.tags[0] }}
+          VERSION=${{ github.ref_name }}
         context: .
         file: ${{ inputs.dockerfile }}
         labels: ${{ inputs.labels }}

.github/actions/build-docker-images-generate-attach-sboms/action.yml

@@ -13,6 +13,9 @@ inputs:
   images:
     description: The name(s) of the image(s) to load metadata for
     required: true
+  language:
+    description: The language and version that is included in this image
+    required: true
   latest:
     description: Tag this image as 'latest' on top of the given tags
     required: true
@@ -40,6 +43,7 @@ runs:
       uses: ./.github/actions/build-docker-image
       with:
         dockerfile: ${{ inputs.dockerfile }}
+        language: ${{ inputs.language }}
         labels: ${{ steps.metadata.outputs.labels }}
         output: registry
         platforms: linux/amd64${{ inputs.build-arm == 'true' && ',linux/arm64' || '' }}
@@ -49,6 +53,7 @@ runs:
       uses: ./.github/actions/generate-attach-sbom
       with:
         dockerfile: ${{ inputs.dockerfile }}
+        language: ${{ inputs.language }}
         platform: linux/amd64
         signing-key: ${{ inputs.signing-key }}
         tag: ${{ inputs.main-tag || fromJSON(steps.metadata.outputs.json).tags[0] }}
@@ -58,6 +63,7 @@ runs:
       uses: ./.github/actions/generate-attach-sbom
       with:
         dockerfile: ${{ inputs.dockerfile }}
+        language: ${{ inputs.language }}
         platform: linux/arm64
         signing-key: ${{ inputs.signing-key }}
         tag: ${{ inputs.main-tag || fromJSON(steps.metadata.outputs.json).tags[0] }}

.github/actions/generate-attach-sbom/action.yml

@@ -7,6 +7,9 @@ inputs:
   dockerfile:
     description: Dockerfile that describes the image
     required: true
+  language:
+    description: The language and version that is included in this image
+    required: true
   platform:
     description: The platforms for which to build the image
     required: true
@@ -27,6 +30,7 @@ runs:
       uses: ./.github/actions/build-docker-image
       with:
         dockerfile: ${{ inputs.dockerfile }}
+        language: ${{ inputs.language }}
         output: docker,dest=${{ runner.temp }}/image.tar
         platforms: ${{ inputs.platform }}
         tags: ${{ inputs.tag }}

.github/workflows/image-build.yml

@@ -18,6 +18,7 @@ on:
         type: boolean
 
 env:
+  NEXUS_URL: http://100.73.146.80:8081/repository/npm/ # IP for mini-dev-1, sometimes docker engine can't resolve names!
   REPO: ghcr.io
   TAG: v11
   TEAM: cyclonedx
@@ -56,6 +57,9 @@ jobs:
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
       - name: Setup ORAS
         uses: oras-project/setup-oras@8d34698a59f5ffe24821f0b48ab62a3de8b64b20 # v1.2.3
+      - name: Setup Nexus usage
+        if: ${{ fromJSON(inputs.image).runner }}
+        run: echo "registry=$NEXUS_URL" > .npmrc
       - name: Install project dependencies
         run: |
           corepack pnpm install --config.strict-dep-builds=true --package-import-method copy --frozen-lockfile
@@ -92,6 +96,7 @@ jobs:
             ${{ fromJSON(inputs.image).cdxgen-image.additional-image && format('{0}/{1}/{2}', env.REPO, env.TEAM, fromJSON(inputs.image).cdxgen-image.additional-image) || '' }}
             ${{ fromJSON(inputs.image).cdxgen-image.additional-image2 && format('{0}/{1}/{2}', env.REPO, env.TEAM, fromJSON(inputs.image).cdxgen-image.additional-image2) || '' }}
             ${{ fromJSON(inputs.image).cdxgen-image.additional-image3 && format('{0}/{1}/{2}', env.REPO, env.TEAM, fromJSON(inputs.image).cdxgen-image.additional-image3) || '' }}
+          language: ${{ fromJSON(inputs.image).lang }}
           latest: ${{ inputs.latest }}
           main-tag: ${{ env.REPO }}/${{ env.TEAM }}/cdxgen${{ fromJSON(inputs.image).distro && format('-{0}', fromJSON(inputs.image).distro) }}-${{ fromJSON(inputs.image).lang }}:${{ env.TAG }}
           signing-key: ${{ secrets.SBOM_SIGN_PRIVATE_KEY }}
@@ -112,6 +117,7 @@ jobs:
             ${{ fromJSON(inputs.image).cdxgen-image.additional-image && format('{0}/{1}/{2}', env.REPO, env.TEAM, fromJSON(inputs.image).cdxgen-image.additional-image) || '' }}
             ${{ fromJSON(inputs.image).cdxgen-image.additional-image2 && format('{0}/{1}/{2}', env.REPO, env.TEAM, fromJSON(inputs.image).cdxgen-image.additional-image2) || '' }}
             ${{ fromJSON(inputs.image).cdxgen-image.additional-image3 && format('{0}/{1}/{2}', env.REPO, env.TEAM, fromJSON(inputs.image).cdxgen-image.additional-image3) || '' }}
+          language: ${{ fromJSON(inputs.image).lang }}
           latest: ${{ inputs.latest }}
           signing-key: ${{ secrets.SBOM_SIGN_PRIVATE_KEY }}
           target: cdxgen

ci/images/Dockerfile.dotnet7

@@ -1,18 +1,46 @@
 # Base-image
 FROM registry.suse.com/bci/dotnet-sdk:7.0 AS base
 
-ENV DOTNET_GENERATE_ASPNET_CERTIFICATE=false \
+ENV DOTNET_CLI_TELEMETRY_OPTOUT=1 \
+    DOTNET_GENERATE_ASPNET_CERTIFICATE=false \
     DOTNET_NOLOGO=true \
+    DOTNET_RUNNING_IN_CONTAINER=true \
     DOTNET_USE_POLLING_FILE_WATCHER=false \
     NUGET_XMLDOC_MODE=skip \
-    DOTNET_RUNNING_IN_CONTAINER=true \
-    DOTNET_CLI_TELEMETRY_OPTOUT=1 \
+    PATH=${PATH}:/usr/local/bin \
+    PYTHONPATH=/opt/pypi \
     npm_config_python=/usr/bin/python3.11
-ENV PATH=${PATH}:/usr/local/bin
 
-RUN zypper refresh && zypper --non-interactive update && zypper --non-interactive install -l --no-recommends git-core nodejs20 npm20 python311 python311-pip wget zip unzip make gawk curl \
-    && npm install -g corepack \
-    && zypper clean -a
+RUN set -e; \
+    zypper refresh \
+ && zypper \
+      --non-interactive \
+        update \
+ && zypper \
+      --non-interactive \
+        install \
+        -l \
+        --no-recommends \
+          curl \
+          gawk \
+          git-core \
+          make \
+          nodejs20 \
+          npm20 \
+          python311 \
+          python311-pip \
+          unzip \
+          wget \
+          zip \
+ && pip install \
+      --no-cache-dir \
+      --target ${PYTHONPATH} \
+      --upgrade \
+        atom-tools \
+        blint \
+ && npm install -g \
+      corepack \
+ && zypper clean -a
 
 CMD ["/bin/bash"]
 
@@ -21,48 +49,57 @@ CMD ["/bin/bash"]
 # cdxgen-image
 FROM base AS cdxgen
 
+ARG VERSION=master
+
 LABEL maintainer="CycloneDX" \
+      org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t $TAG -r /app --server" \
       org.opencontainers.image.authors="Team AppThreat <[email protected]>" \
+      org.opencontainers.image.description="Image with cdxgen SBOM generator for $LANGUAGE apps" \
+      org.opencontainers.image.licenses="Apache-2.0" \
       org.opencontainers.image.source="https://github.com/CycloneDX/cdxgen" \
+      org.opencontainers.image.title="cdxgen" \
       org.opencontainers.image.url="https://github.com/CycloneDX/cdxgen" \
-      org.opencontainers.image.version="rolling" \
       org.opencontainers.image.vendor="CycloneDX" \
-      org.opencontainers.image.licenses="Apache-2.0" \
-      org.opencontainers.image.title="cdxgen" \
-      org.opencontainers.image.description="Rolling image with cdxgen SBOM generator for dotnet 7 apps" \
-      org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-dotnet7:v11 -r /app --server"
+      org.opencontainers.image.version="$VERSION"
 
 ENV CDXGEN_IN_CONTAINER=true \
+    DOSAI_CMD=/usr/local/bin/dosai \
     NODE_COMPILE_CACHE="/opt/cdxgen-node-cache" \
-    PYTHONPATH=/opt/pypi \
-    DOSAI_CMD=/usr/local/bin/dosai
-ENV PATH=${PATH}:/usr/local/bin:${PYTHONPATH}/bin:/opt/cdxgen/node_modules/.bin
+    PATH=${PATH}:${PYTHONPATH}/bin:/opt/cdxgen/node_modules/.bin
 
 COPY . /opt/cdxgen
 
 RUN set -e; \
     ARCH_NAME="$(rpm --eval '%{_arch}')"; \
-    url=; \
     case "${ARCH_NAME##*-}" in \
-        'x86_64') \
-            DOSAI_ARCH_SUFFIX='-full'; \
-            ;; \
-        'arm64') \
-            DOSAI_ARCH_SUFFIX='-linux-arm64-full'; \
-            ;; \
-        'aarch64') \
-            DOSAI_ARCH_SUFFIX='-linux-arm64-full'; \
-            ;; \
-        *) echo >&2 "error: unsupported architecture: '$ARCH_NAME'"; exit 1 ;; \
+      'amd64' | 'x86_64') \
+        DOSAI_ARCH_SUFFIX='-full'; \
+        ;; \
+      'aarch64' | 'arm64') \
+        DOSAI_ARCH_SUFFIX='-linux-arm64-full'; \
+        ;; \
+      *) \
+        echo >&2 "error: unsupported architecture: '$ARCH_NAME'"; \
+        exit 1 \
+        ;; \
     esac \
-    && cd /opt/cdxgen && corepack enable && corepack pnpm install --config.strict-dep-builds=true --prod --package-import-method copy --frozen-lockfile && corepack pnpm cache delete \
-    && curl -L https://github.com/owasp-dep-scan/dosai/releases/latest/download/Dosai${DOSAI_ARCH_SUFFIX} -o /usr/local/bin/dosai \
-    && chmod +x /usr/local/bin/dosai \
-    && dosai --help \
-    && mkdir -p ${NODE_COMPILE_CACHE} \
-    && node /opt/cdxgen/bin/cdxgen.js --help \
-    && pip install --upgrade --no-cache-dir blint atom-tools --target /opt/pypi \
-    && rm -rf /root/.cache/node \
-    && chmod a-w -R /opt
+ && cd /opt/cdxgen \
+ && corepack enable \
+ && corepack pnpm install \
+      --config.strict-dep-builds=true \
+      --frozen-lockfile \
+      --package-import-method copy \
+      --prod \
+ && corepack pnpm cache delete \
+ && curl -L https://github.com/owasp-dep-scan/dosai/releases/latest/download/Dosai${DOSAI_ARCH_SUFFIX} \
+      -o /usr/local/bin/dosai \
+ && chmod +x /usr/local/bin/dosai \
+ && dosai --help \
+ && mkdir -p ${NODE_COMPILE_CACHE} \
+ && node /opt/cdxgen/bin/cdxgen.js --help \
+ && rm -rf .npmrc /root/.cache/node \
+ && chmod a-w -R /opt
+
 WORKDIR /app
+
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]

ci/images/Dockerfile.dotnet8

@@ -1,18 +1,47 @@
 # Base-image
 FROM registry.suse.com/bci/dotnet-sdk:8.0 AS base
 
-ENV DOTNET_GENERATE_ASPNET_CERTIFICATE=false \
+ENV DOTNET_CLI_TELEMETRY_OPTOUT=1 \
+    DOTNET_GENERATE_ASPNET_CERTIFICATE=false \
     DOTNET_NOLOGO=true \
+    DOTNET_RUNNING_IN_CONTAINER=true \
     DOTNET_USE_POLLING_FILE_WATCHER=false \
     NUGET_XMLDOC_MODE=skip \
-    DOTNET_RUNNING_IN_CONTAINER=true \
-    DOTNET_CLI_TELEMETRY_OPTOUT=1 \
+    PATH=${PATH}:/usr/local/bin \
+    PYTHONPATH=/opt/pypi \
     npm_config_python=/usr/bin/python3.11
 
-RUN zypper refresh && zypper --non-interactive update && zypper --non-interactive install -l --no-recommends git-core nodejs22 npm22 python311 python311-pip wget zip unzip make gawk java-21-openjdk-devel \
-    && dotnet --list-sdks \
-    && npm install -g corepack \
-    && zypper clean -a
+RUN set -e; \
+    zypper refresh \
+ && zypper \
+      --non-interactive \
+        update \
+ && zypper \
+      --non-interactive \
+        install \
+        -l \
+        --no-recommends \
+          gawk \
+          git-core \
+          java-21-openjdk-devel \
+          make \
+          nodejs22 \
+          npm22 \
+          python311 \
+          python311-pip \
+          unzip \
+          wget \
+          zip \
+ && pip install \
+      --no-cache-dir \
+      --target ${PYTHONPATH} \
+      --upgrade \
+        atom-tools \
+        blint \
+ && dotnet --list-sdks \
+ && npm install -g \
+      corepack \
+ && zypper clean -a
 
 CMD ["/bin/bash"]
 
@@ -21,48 +50,57 @@ CMD ["/bin/bash"]
 # cdxgen-image
 FROM base AS cdxgen
 
+ARG VERSION=master
+
 LABEL maintainer="CycloneDX" \
+      org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t $TAG -r /app --server" \
       org.opencontainers.image.authors="Team AppThreat <[email protected]>" \
+      org.opencontainers.image.description="Image with cdxgen SBOM generator for $LANGUAGE apps" \
+      org.opencontainers.image.licenses="Apache-2.0" \
       org.opencontainers.image.source="https://github.com/CycloneDX/cdxgen" \
+      org.opencontainers.image.title="cdxgen" \
       org.opencontainers.image.url="https://github.com/CycloneDX/cdxgen" \
-      org.opencontainers.image.version="rolling" \
       org.opencontainers.image.vendor="CycloneDX" \
-      org.opencontainers.image.licenses="Apache-2.0" \
-      org.opencontainers.image.title="cdxgen" \
-      org.opencontainers.image.description="Rolling image with cdxgen SBOM generator for dotnet 8 apps" \
-      org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-dotnet8:v11 -r /app --server"
+      org.opencontainers.image.version="$VERSION"
 
 ENV CDXGEN_IN_CONTAINER=true \
+    DOSAI_CMD=/usr/local/bin/dosai \
     NODE_COMPILE_CACHE="/opt/cdxgen-node-cache" \
-    PYTHONPATH=/opt/pypi \
-    DOSAI_CMD=/usr/local/bin/dosai
-ENV PATH=${PATH}:/usr/local/bin:${PYTHONPATH}/bin:/opt/cdxgen/node_modules/.bin
+    PATH=${PATH}:${PYTHONPATH}/bin:/opt/cdxgen/node_modules/.bin
 
 COPY . /opt/cdxgen
 
 RUN set -e; \
     ARCH_NAME="$(rpm --eval '%{_arch}')"; \
-    url=; \
     case "${ARCH_NAME##*-}" in \
-        'x86_64') \
-            DOSAI_ARCH_SUFFIX='-full'; \
-            ;; \
-        'arm64') \
-            DOSAI_ARCH_SUFFIX='-linux-arm64-full'; \
-            ;; \
-        'aarch64') \
-            DOSAI_ARCH_SUFFIX='-linux-arm64-full'; \
-            ;; \
-        *) echo >&2 "error: unsupported architecture: '$ARCH_NAME'"; exit 1 ;; \
+      'amd64' | 'x86_64') \
+        DOSAI_ARCH_SUFFIX='-full'; \
+        ;; \
+      'aarch64' | 'arm64') \
+        DOSAI_ARCH_SUFFIX='-linux-arm64-full'; \
+        ;; \
+      *) \
+        echo >&2 "error: unsupported architecture: '$ARCH_NAME'"; \
+        exit 1 \
+        ;; \
     esac \
-    && cd /opt/cdxgen && corepack enable && corepack pnpm install --config.strict-dep-builds=true --prod --package-import-method copy --frozen-lockfile && corepack pnpm cache delete \
-    && curl -L https://github.com/owasp-dep-scan/dosai/releases/latest/download/Dosai${DOSAI_ARCH_SUFFIX} -o /usr/local/bin/dosai \
-    && chmod +x /usr/local/bin/dosai \
-    && dosai --help \
-    && mkdir -p ${NODE_COMPILE_CACHE} \
-    && node /opt/cdxgen/bin/cdxgen.js --help \
-    && pip install --upgrade --no-cache-dir blint atom-tools --target /opt/pypi \
-    && rm -rf /root/.cache/node \
-    && chmod a-w -R /opt
+ && cd /opt/cdxgen \
+ && corepack enable \
+ && corepack pnpm install \
+      --config.strict-dep-builds=true \
+      --frozen-lockfile \
+      --package-import-method copy \
+      --prod \
+ && corepack pnpm cache delete \
+ && curl -L https://github.com/owasp-dep-scan/dosai/releases/latest/download/Dosai${DOSAI_ARCH_SUFFIX} \
+      -o /usr/local/bin/dosai \
+ && chmod +x /usr/local/bin/dosai \
+ && dosai --help \
+ && mkdir -p ${NODE_COMPILE_CACHE} \
+ && node /opt/cdxgen/bin/cdxgen.js --help \
+ && rm -rf .npmrc /root/.cache/node \
+ && chmod a-w -R /opt
+
 WORKDIR /app
+
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]