
cdxgen-bun is confused and using npm/yarn #1662

Open
crimsonvspurple opened this issue Feb 27, 2025 · 4 comments

Comments

@crimsonvspurple

I have a simple bun project.

On local, i tried this command:
docker run --rm -e CDXGEN_DEBUG_MODE=debug -v .:/app -t ghcr.io/cyclonedx/cdxgen-bun:master

This worked fine, but then the same command didn't work in GitHub Actions. With some trial and error, I realized the following:

  • This will work if node_modules is already present.
  • Will not work if not present. In that case, it will try
    • either npm: "npm install has failed. Generated SBOM will be empty or with a lower precision."
    • or yarn: "yarn install has failed. Generated SBOM will be empty or with a lower precision."

I'm not sure when it tries npm or yarn.

The project has bun.lockb file.

@prabhu
Collaborator

prabhu commented Feb 27, 2025

Interesting. We don't support bun.lockb format, so when node_modules is available cdxgen would work in a fallback mode to recover at least the components.

I would also check the argument .:/app, since dot stands for the current directory from where the command gets executed, which could be different depending on how the CI agents interpret it and execute all the commands. So best to always pass absolute paths in CI use cases. Example: ${GITHUB_WORKSPACE}

@crimsonvspurple
Author

crimsonvspurple commented Mar 4, 2025

Yes, I do that in CI (use gh workspace var). But this command was something I was running on local for testing. The path (.:/app) is correct as it works just fine as long as node_modules folder is there.

Does cdxgen support bun.lock ? If not, is this planned?

And since it is a cdxgen-bun image, should it not try bun install if it can't find the lock file but finds the package file?

Right now, in the CI, I'm executing bun install --production manually before calling cdxgen.

Thank you for this great tool.

@prabhu
Collaborator

prabhu commented Mar 4, 2025

I would love to add support for bun lock file. Unfortunately, at 479 downloads, it is very difficult to prioritize bun over the rest of the tickets. Happy to collaborate if you are willing to give it a go and have a branch going.

@crimsonvspurple
Author

crimsonvspurple commented Mar 7, 2025

I know very little about CycloneDX; I only learned about it less than 6 months ago. But I'm happy to give it a shot.

I guess, essentially, I need to mostly copy-paste how yarn is supported and work on reading bun.lock.
Would you be kind enough to give me a list of relevant files and an overview of changes/tests needed?
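The thread ends at "reading bun.lock", so here is an added, self-contained sketch of that step. It is not cdxgen's code and not the author's branch; it assumes the Bun text lockfile layout (a JSONC document with `lockfileVersion`, a `workspaces` map whose `""` entry holds the root package, and a `packages` map whose values are `["name@version", origin, metadata, integrity]` arrays), registry packages only, and a constructed sample lockfile embedded inline. It turns each entry into an SBOM-style component with a purl and a CycloneDX-style hash decoded from the SRI integrity string, and flags integrity values whose digest length does not match the declared algorithm, which is the check you want before trusting the lockfile as evidence of what was actually installed.

```javascript
// Added example, not cdxgen's own code. Assumption: bun.lock is JSONC
// (comments and trailing commas allowed) and each "packages" value is
// [ "name@version", origin, metadata, integrity ] for a registry package.

// Remove // and /* */ comments that sit outside JSON strings.
function stripComments(text) {
  let out = '';
  let inStr = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inStr) {
      out += ch;
      if (ch === '\\') out += text[++i] ?? ''; // keep escaped char verbatim
      else if (ch === '"') inStr = false;
    } else if (ch === '"') {
      inStr = true;
      out += ch;
    } else if (ch === '/' && text[i + 1] === '/') {
      while (i < text.length && text[i] !== '\n') i++;
      out += '\n'; // keep line structure for error messages
    } else if (ch === '/' && text[i + 1] === '*') {
      i += 2;
      while (i < text.length && !(text[i] === '*' && text[i + 1] === '/')) i++;
      i++; // skip the closing '/'
    } else {
      out += ch;
    }
  }
  return out;
}

// Remove commas that directly precede a closing } or ] (outside strings).
function stripTrailingCommas(text) {
  let out = '';
  let inStr = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inStr) {
      out += ch;
      if (ch === '\\') out += text[++i] ?? '';
      else if (ch === '"') inStr = false;
    } else if (ch === '"') {
      inStr = true;
      out += ch;
    } else if (ch === ',') {
      let j = i + 1;
      while (j < text.length && /\s/.test(text[j])) j++;
      if (text[j] !== '}' && text[j] !== ']') out += ch;
    } else {
      out += ch;
    }
  }
  return out;
}

// SRI algorithm -> CycloneDX hash algorithm name and expected digest size in bytes.
const SRI_ALG = { sha256: ['SHA-256', 32], sha384: ['SHA-384', 48], sha512: ['SHA-512', 64] };

// Decode "sha512-<base64>" into { alg, content (hex), valid }.
function sriToHash(sri) {
  if (typeof sri !== 'string') return null;
  const dash = sri.indexOf('-');
  const algo = SRI_ALG[sri.slice(0, dash)];
  if (!algo) return null;
  const digest = Buffer.from(sri.slice(dash + 1), 'base64');
  return { alg: algo[0], content: digest.toString('hex'), valid: digest.length === algo[1] };
}

// Parse a bun.lock text and return components in an SBOM-friendly shape.
function parseBunLock(text) {
  const lock = JSON.parse(stripTrailingCommas(stripComments(text)));
  const root = (lock.workspaces && lock.workspaces['']) || {};
  const direct = new Set(Object.keys(root.dependencies || {}));
  const components = [];
  for (const entry of Object.values(lock.packages || {})) {
    const [spec, , meta, integrity] = entry;
    const at = spec.lastIndexOf('@'); // scoped names start with '@', so split on the last one
    const name = spec.slice(0, at);
    const version = spec.slice(at + 1);
    // purl encodes the scope's '@' as %40 (pkg:npm/%40scope/name@version)
    const purl = `pkg:npm/${name.startsWith('@') ? '%40' + name.slice(1) : name}@${version}`;
    const hash = sriToHash(integrity);
    components.push({
      name,
      version,
      purl,
      direct: direct.has(name),
      dependsOn: Object.keys((meta && meta.dependencies) || {}),
      hashes: hash ? [{ alg: hash.alg, content: hash.content }] : [],
      integrityOk: Boolean(hash && hash.valid),
    });
  }
  return { lockfileVersion: lock.lockfileVersion, components };
}

// Constructed sample lockfile (placeholder digests, not a real project).
const ZERO_SHA512 = 'sha512-' + Buffer.alloc(64).toString('base64'); // right length, all-zero
const SAMPLE_BUN_LOCK = `{
  // constructed sample, not a real project's lockfile
  "lockfileVersion": 1,
  "workspaces": {
    "": {
      "name": "demo-app",
      "dependencies": { "lodash": "^4.17.21", "@types/node": "^20.0.0", },
    },
  },
  "packages": {
    "lodash": ["lodash@4.17.21", "", {}, "${ZERO_SHA512}"],
    "@types/node": ["@types/node@20.11.0", "", { "dependencies": { "undici-types": "~5.26.4" } }, "sha512-AQID"], /* truncated digest */
    "undici-types": ["undici-types@5.26.5", "", {}, "sha512-BAUG"],
  },
}`;

const REPORT = parseBunLock(SAMPLE_BUN_LOCK);
console.log(JSON.stringify(REPORT, null, 2));
```

In the sample, only `lodash` carries a digest of the right size, so the two other components come out with `integrityOk: false`; a real integration would surface that as a warning rather than silently emitting a hash that cannot match any tarball. The `direct` flag is what lets an SBOM distinguish the dependencies the project asked for from the ones pulled in transitively.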
