
Ruby SBOMs #1639

Open
konstantinas1 opened this issue Feb 18, 2025 · 4 comments

Comments

@konstantinas1
Contributor

Problem 1

I have been trying to configure cdxgen to use a private Ruby Artifactory (JFrog), but no matter which env variables I set, it always attempts to query rubygems.org.
I am using a Debian Docker container and installing cdxgen in it using npm.
Using the cdxgen CLI on my machine seems fine, though, but not when it is installed in the Dockerfile.

Any suggestions how this could be setup with the latest version?
Is it even necessary to try and query the artifactory? Is it possible to disable this?

Problem 2

With the previous versions (tested on 10.0.0; it does not work anymore after v11) I managed to generate an SBOM; however, with the latest version (11.1.8) the generation stops without any error (last output line in debug mode: Querying rubygems.org for ffi).
I attempted to do the same with the recommended Docker images, but hit the same issue.

What actually changed?
How can I debug the problem in more depth?

@prabhu
Collaborator

prabhu commented Feb 18, 2025

const RUBYGEMS_V2_URL =

Try using the environment variable RUBYGEMS_V2_URL to customize this. If this works, could you kindly send a PR to update the docs?

@konstantinas1
Contributor Author

It does indeed then try to fetch using the custom host; however, the Artifactory (JFrog) we use does not fetch the gems using the .json extension. The URL looks like this:
https://<company>.jfrog.io/artifactory/<gem-repo>/gems/<package>-<version>.gem and using .json results in a 404.
Any plans to support this way of fetching the metadata of a gem?
For now I can disable fetching the license of the gem with export FETCH_LICENSE=false.
Any help on how to set this up properly is appreciated!

@prabhu
Collaborator

prabhu commented Feb 19, 2025

Sounds like an opportunity for sponsored development. We don't have any capacity for a few months. Could you try and find someone who could contribute this feature? Alternatively, once there is an sbom, use a platform such as scancode to enhance it with license data.

@prabhu
Collaborator

prabhu commented Feb 25, 2025

@konstantinas1 According to this documentation, JFrog is compatible with the v1 API:

https://jfrog.com/help/r/jfrog-artifactory-documentation/use-the-rest-api-for-rubygems

http://localhost:8081/artifactory/api/gems/<repository key>/api/v1/gems/my_gem.json
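As an added example (not code from this thread, from cdxgen or from JFrog), the following script checks a private Artifactory RubyGems mirror before an SBOM run: it builds the v1 metadata URL in the shape the JFrog documentation quoted above uses, builds the plain .gem artifact URL the reporter described, probes both, and extracts the license list from the metadata JSON. It assumes a base URL and repository key like those in the thread (the values used here are placeholders), and that the mirror's v1 JSON follows rubygems.org's field names (name, version, licenses); the sample response is constructed, not captured from any server.

```python
"""Preflight for pointing cdxgen at a private RubyGems mirror hosted in JFrog Artifactory.

Added example, not part of the issue thread, of cdxgen or of JFrog. Assumptions:
- v1 metadata path as documented by JFrog (pattern quoted in the thread):
  <base>/artifactory/api/gems/<repo key>/api/v1/gems/<gem>.json
- artifact path as described by the reporter:
  <base>/artifactory/<repo key>/gems/<gem>-<version>.gem
- the mirror's v1 JSON uses rubygems.org's field names (name, version, licenses).
"""
import json
import urllib.error
import urllib.request
from urllib.parse import quote

# Constructed sample of a v1 gem metadata document; not a real server response.
SAMPLE_V1_RESPONSE = {
    "name": "ffi",
    "version": "1.17.1",
    "licenses": ["BSD-3-Clause"],
}


def gem_metadata_url(base, repo_key, gem):
    """v1 metadata URL in the shape JFrog documents for its RubyGems REST API."""
    return (
        f"{base.rstrip('/')}/artifactory/api/gems/{quote(repo_key)}"
        f"/api/v1/gems/{quote(gem)}.json"
    )


def gem_artifact_url(base, repo_key, gem, version):
    """Location of the .gem file itself, the only path the reporter's mirror served."""
    return (
        f"{base.rstrip('/')}/artifactory/{quote(repo_key)}"
        f"/gems/{quote(gem)}-{quote(version)}.gem"
    )


def extract_licenses(metadata):
    """Return the license identifiers from a v1 metadata document.

    rubygems-style responses may carry null or a missing key when a gem declares no
    license; return an empty list then, so the caller can fall back to a scanner
    such as scancode instead of trusting an absent value.
    """
    licenses = metadata.get("licenses") or []
    return [lic.strip() for lic in licenses if isinstance(lic, str) and lic.strip()]


def probe(url, timeout=10):
    """GET the URL and return (status, body); HTTP errors become (code, b'')."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""


def check_mirror(base, repo_key, gem, version, timeout=10):
    """Probe both URL shapes and report which one the mirror actually answers."""
    meta_url = gem_metadata_url(base, repo_key, gem)
    artifact_url = gem_artifact_url(base, repo_key, gem, version)
    meta_status, body = probe(meta_url, timeout)
    artifact_status, _ = probe(artifact_url, timeout)
    licenses = extract_licenses(json.loads(body)) if meta_status == 200 and body else []
    return {
        "metadata_url": meta_url,
        "metadata_status": meta_status,
        "artifact_url": artifact_url,
        "artifact_status": artifact_status,
        "licenses": licenses,
    }


if __name__ == "__main__":
    # Placeholder host and repository key; replace with your own Artifactory values.
    result = check_mirror("https://<company>.jfrog.io", "<gem-repo>", "ffi", "1.17.1")
    for key, value in result.items():
        print(f"{key}: {value}")
    if result["metadata_status"] != 200:
        print("v1 metadata not served; run cdxgen with FETCH_LICENSE=false "
              "and enrich the SBOM with a license scanner afterwards.")
```

If the metadata probe returns 404 while the artifact probe returns 200, the mirror only serves .gem files, which is the situation the reporter hit; the FETCH_LICENSE=false workaround from the thread then applies and license data has to come from a separate scan rather than from the registry.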
