Changed image builds to make use of Nexus on slef-hosted runs.

Also refactored & reordered Dockerfiles.

Signed-off-by: Roland Asmann <[email protected]>

Author: malice00

.dockerignore

@@ -1,4 +1,5 @@
 **
+!.npmrc
 !.pnpmfile.cjs
 !bin/*
 !ci/images/debian/install.sh

.github/actions/build-docker-image/action.yml

@@ -28,6 +28,8 @@ runs:
     - name: Build Docker image
       uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
       with:
+        build-args: |
+          VERSION=${{ github.ref_name }}
         context: .
         file: ${{ inputs.dockerfile }}
         labels: ${{ inputs.labels }}

.github/workflows/image-build.yml

@@ -56,6 +56,9 @@ jobs:
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
       - name: Setup ORAS
         uses: oras-project/setup-oras@8d34698a59f5ffe24821f0b48ab62a3de8b64b20 # v1.2.3
+      - name: Setup Nexus usage
+        if: ${{ fromJSON(inputs.image).runner }}
+        run: echo "registry=http://mini-dev-1:8081/repository/npm/" > .npmrc
       - name: Install project dependencies
         run: |
           corepack pnpm install --config.strict-dep-builds=true --package-import-method copy --frozen-lockfile

ci/images/Dockerfile.dotnet7

@@ -1,18 +1,46 @@
 # Base-image
 FROM registry.suse.com/bci/dotnet-sdk:7.0 AS base
 
-ENV DOTNET_GENERATE_ASPNET_CERTIFICATE=false \
+ENV DOTNET_CLI_TELEMETRY_OPTOUT=1 \
+    DOTNET_GENERATE_ASPNET_CERTIFICATE=false \
     DOTNET_NOLOGO=true \
+    DOTNET_RUNNING_IN_CONTAINER=true \
     DOTNET_USE_POLLING_FILE_WATCHER=false \
     NUGET_XMLDOC_MODE=skip \
-    DOTNET_RUNNING_IN_CONTAINER=true \
-    DOTNET_CLI_TELEMETRY_OPTOUT=1 \
+    PATH=${PATH}:/usr/local/bin \
+    PYTHONPATH=/opt/pypi \
     npm_config_python=/usr/bin/python3.11
-ENV PATH=${PATH}:/usr/local/bin
 
-RUN zypper refresh && zypper --non-interactive update && zypper --non-interactive install -l --no-recommends git-core nodejs20 npm20 python311 python311-pip wget zip unzip make gawk curl \
-    && npm install -g corepack \
-    && zypper clean -a
+RUN set -e; \
+    zypper refresh \
+ && zypper \
+      --non-interactive \
+        update \
+ && zypper \
+      --non-interactive \
+        install \
+        -l \
+        --no-recommends \
+          curl \
+          gawk \
+          git-core \
+          make \
+          nodejs20 \
+          npm20 \
+          python311 \
+          python311-pip \
+          unzip \
+          wget \
+          zip \
+ && pip install \
+      --no-cache-dir \
+      --target ${PYTHONPATH} \
+      --upgrade \
+        atom-tools \
+        blint \
+ && npm install -g \
+      corepack \
+ && zypper clean -a
 
 CMD ["/bin/bash"]
 
@@ -21,48 +49,57 @@ CMD ["/bin/bash"]
 # cdxgen-image
 FROM base AS cdxgen
 
+ARG VERSION=master
+
 LABEL maintainer="CycloneDX" \
+      org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-dotnet7:$VERSION -r /app --server" \
       org.opencontainers.image.authors="Team AppThreat <[email protected]>" \
+      org.opencontainers.image.description="Image with cdxgen SBOM generator for dotnet 7 apps" \
+      org.opencontainers.image.licenses="Apache-2.0" \
       org.opencontainers.image.source="https://github.com/CycloneDX/cdxgen" \
+      org.opencontainers.image.title="cdxgen" \
       org.opencontainers.image.url="https://github.com/CycloneDX/cdxgen" \
-      org.opencontainers.image.version="rolling" \
       org.opencontainers.image.vendor="CycloneDX" \
-      org.opencontainers.image.licenses="Apache-2.0" \
-      org.opencontainers.image.title="cdxgen" \
-      org.opencontainers.image.description="Rolling image with cdxgen SBOM generator for dotnet 7 apps" \
-      org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-dotnet7:v11 -r /app --server"
+      org.opencontainers.image.version="$VERSION"
 
 ENV CDXGEN_IN_CONTAINER=true \
+    DOSAI_CMD=/usr/local/bin/dosai \
     NODE_COMPILE_CACHE="/opt/cdxgen-node-cache" \
-    PYTHONPATH=/opt/pypi \
-    DOSAI_CMD=/usr/local/bin/dosai
-ENV PATH=${PATH}:/usr/local/bin:${PYTHONPATH}/bin:/opt/cdxgen/node_modules/.bin
+    PATH=${PATH}:${PYTHONPATH}/bin:/opt/cdxgen/node_modules/.bin
 
 COPY . /opt/cdxgen
 
 RUN set -e; \
     ARCH_NAME="$(rpm --eval '%{_arch}')"; \
-    url=; \
     case "${ARCH_NAME##*-}" in \
-        'x86_64') \
-            DOSAI_ARCH_SUFFIX='-full'; \
-            ;; \
-        'arm64') \
-            DOSAI_ARCH_SUFFIX='-linux-arm64-full'; \
-            ;; \
-        'aarch64') \
-            DOSAI_ARCH_SUFFIX='-linux-arm64-full'; \
-            ;; \
-        *) echo >&2 "error: unsupported architecture: '$ARCH_NAME'"; exit 1 ;; \
+      'amd64' | 'x86_64') \
+        DOSAI_ARCH_SUFFIX='-full'; \
+        ;; \
+      'aarch64' | 'arm64') \
+        DOSAI_ARCH_SUFFIX='-linux-arm64-full'; \
+        ;; \
+      *) \
+        echo >&2 "error: unsupported architecture: '$ARCH_NAME'"; \
+        exit 1 \
+        ;; \
     esac \
-    && cd /opt/cdxgen && corepack enable && corepack pnpm install --config.strict-dep-builds=true --prod --package-import-method copy --frozen-lockfile && corepack pnpm cache delete \
-    && curl -L https://github.com/owasp-dep-scan/dosai/releases/latest/download/Dosai${DOSAI_ARCH_SUFFIX} -o /usr/local/bin/dosai \
-    && chmod +x /usr/local/bin/dosai \
-    && dosai --help \
-    && mkdir -p ${NODE_COMPILE_CACHE} \
-    && node /opt/cdxgen/bin/cdxgen.js --help \
-    && pip install --upgrade --no-cache-dir blint atom-tools --target /opt/pypi \
-    && rm -rf /root/.cache/node \
-    && chmod a-w -R /opt
+ && cd /opt/cdxgen \
+ && corepack enable \
+ && corepack pnpm install \
+      --config.strict-dep-builds=true \
+      --frozen-lockfile \
+      --package-import-method copy \
+      --prod \
+ && corepack pnpm cache delete \
+ && curl -L https://github.com/owasp-dep-scan/dosai/releases/latest/download/Dosai${DOSAI_ARCH_SUFFIX} \
+      -o /usr/local/bin/dosai \
+ && chmod +x /usr/local/bin/dosai \
+ && dosai --help \
+ && mkdir -p ${NODE_COMPILE_CACHE} \
+ && node /opt/cdxgen/bin/cdxgen.js --help \
+ && rm -rf .npmrc /root/.cache/node \
+ && chmod a-w -R /opt
+
 WORKDIR /app
+
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]

ci/images/Dockerfile.dotnet8

@@ -1,18 +1,47 @@
 # Base-image
 FROM registry.suse.com/bci/dotnet-sdk:8.0 AS base
 
-ENV DOTNET_GENERATE_ASPNET_CERTIFICATE=false \
+ENV DOTNET_CLI_TELEMETRY_OPTOUT=1 \
+    DOTNET_GENERATE_ASPNET_CERTIFICATE=false \
     DOTNET_NOLOGO=true \
+    DOTNET_RUNNING_IN_CONTAINER=true \
     DOTNET_USE_POLLING_FILE_WATCHER=false \
     NUGET_XMLDOC_MODE=skip \
-    DOTNET_RUNNING_IN_CONTAINER=true \
-    DOTNET_CLI_TELEMETRY_OPTOUT=1 \
+    PATH=${PATH}:/usr/local/bin \
+    PYTHONPATH=/opt/pypi \
     npm_config_python=/usr/bin/python3.11
 
-RUN zypper refresh && zypper --non-interactive update && zypper --non-interactive install -l --no-recommends git-core nodejs22 npm22 python311 python311-pip wget zip unzip make gawk java-21-openjdk-devel \
-    && dotnet --list-sdks \
-    && npm install -g corepack \
-    && zypper clean -a
+RUN set -e; \
+    zypper refresh \
+ && zypper \
+      --non-interactive \
+        update \
+ && zypper \
+      --non-interactive \
+        install \
+        -l \
+        --no-recommends \
+          gawk \
+          git-core \
+          java-21-openjdk-devel \
+          make \
+          nodejs22 \
+          npm22 \
+          python311 \
+          python311-pip \
+          unzip \
+          wget \
+          zip \
+ && pip install \
+      --no-cache-dir \
+      --target ${PYTHONPATH} \
+      --upgrade \
+        atom-tools \
+        blint \
+ && dotnet --list-sdks \
+ && npm install -g \
+      corepack \
+ && zypper clean -a
 
 CMD ["/bin/bash"]
 
@@ -21,48 +50,57 @@ CMD ["/bin/bash"]
 # cdxgen-image
 FROM base AS cdxgen
 
+ARG VERSION=master
+
 LABEL maintainer="CycloneDX" \
+      org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-dotnet8:$VERSION -r /app --server" \
       org.opencontainers.image.authors="Team AppThreat <[email protected]>" \
+      org.opencontainers.image.description="Image with cdxgen SBOM generator for dotnet 8 apps" \
+      org.opencontainers.image.licenses="Apache-2.0" \
       org.opencontainers.image.source="https://github.com/CycloneDX/cdxgen" \
+      org.opencontainers.image.title="cdxgen" \
       org.opencontainers.image.url="https://github.com/CycloneDX/cdxgen" \
-      org.opencontainers.image.version="rolling" \
       org.opencontainers.image.vendor="CycloneDX" \
-      org.opencontainers.image.licenses="Apache-2.0" \
-      org.opencontainers.image.title="cdxgen" \
-      org.opencontainers.image.description="Rolling image with cdxgen SBOM generator for dotnet 8 apps" \
-      org.opencontainers.docker.cmd="docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-dotnet8:v11 -r /app --server"
+      org.opencontainers.image.version="$VERSION"
 
 ENV CDXGEN_IN_CONTAINER=true \
+    DOSAI_CMD=/usr/local/bin/dosai \
     NODE_COMPILE_CACHE="/opt/cdxgen-node-cache" \
-    PYTHONPATH=/opt/pypi \
-    DOSAI_CMD=/usr/local/bin/dosai
-ENV PATH=${PATH}:/usr/local/bin:${PYTHONPATH}/bin:/opt/cdxgen/node_modules/.bin
+    PATH=${PATH}:${PYTHONPATH}/bin:/opt/cdxgen/node_modules/.bin
 
 COPY . /opt/cdxgen
 
 RUN set -e; \
     ARCH_NAME="$(rpm --eval '%{_arch}')"; \
-    url=; \
     case "${ARCH_NAME##*-}" in \
-        'x86_64') \
-            DOSAI_ARCH_SUFFIX='-full'; \
-            ;; \
-        'arm64') \
-            DOSAI_ARCH_SUFFIX='-linux-arm64-full'; \
-            ;; \
-        'aarch64') \
-            DOSAI_ARCH_SUFFIX='-linux-arm64-full'; \
-            ;; \
-        *) echo >&2 "error: unsupported architecture: '$ARCH_NAME'"; exit 1 ;; \
+      'amd64' | 'x86_64') \
+        DOSAI_ARCH_SUFFIX='-full'; \
+        ;; \
+      'aarch64' | 'arm64') \
+        DOSAI_ARCH_SUFFIX='-linux-arm64-full'; \
+        ;; \
+      *) \
+        echo >&2 "error: unsupported architecture: '$ARCH_NAME'"; \
+        exit 1 \
+        ;; \
     esac \
-    && cd /opt/cdxgen && corepack enable && corepack pnpm install --config.strict-dep-builds=true --prod --package-import-method copy --frozen-lockfile && corepack pnpm cache delete \
-    && curl -L https://github.com/owasp-dep-scan/dosai/releases/latest/download/Dosai${DOSAI_ARCH_SUFFIX} -o /usr/local/bin/dosai \
-    && chmod +x /usr/local/bin/dosai \
-    && dosai --help \
-    && mkdir -p ${NODE_COMPILE_CACHE} \
-    && node /opt/cdxgen/bin/cdxgen.js --help \
-    && pip install --upgrade --no-cache-dir blint atom-tools --target /opt/pypi \
-    && rm -rf /root/.cache/node \
-    && chmod a-w -R /opt
+ && cd /opt/cdxgen \
+ && corepack enable \
+ && corepack pnpm install \
+      --config.strict-dep-builds=true \
+      --frozen-lockfile \
+      --package-import-method copy \
+      --prod \
+ && corepack pnpm cache delete \
+ && curl -L https://github.com/owasp-dep-scan/dosai/releases/latest/download/Dosai${DOSAI_ARCH_SUFFIX} \
+      -o /usr/local/bin/dosai \
+ && chmod +x /usr/local/bin/dosai \
+ && dosai --help \
+ && mkdir -p ${NODE_COMPILE_CACHE} \
+ && node /opt/cdxgen/bin/cdxgen.js --help \
+ && rm -rf .npmrc /root/.cache/node \
+ && chmod a-w -R /opt
+
 WORKDIR /app
+
 ENTRYPOINT ["node", "/opt/cdxgen/bin/cdxgen.js"]