
cyclonedx-bom-repo-server's People

Contributors

coderpatros, dependabot[bot], k3rnelpan1c-dev, magnusp, zdtsw


cyclonedx-bom-repo-server's Issues

Add support for BOM publishing key

The first time a serial number is published, a publishing key should be optionally generated.

The intention is to support a public BOM repo server and provide a simple mechanism with which to control updates to existing BOMs.
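
One way the publishing-key mechanism requested above could behave, as an added sketch that is not the project's code or part of the issue: the first publish of a serial number returns a random key, and later versions of that serial number are accepted only with it. `BomStore`, `publish`, `want_key` and the sample serial number are hypothetical names and values chosen for illustration.

```python
import hashlib
import hmac
import secrets


class PublishKeyError(Exception):
    """An update to an existing serial number was not authorised."""


class BomStore:
    """Hypothetical in-memory repository; all names here are illustrative."""

    def __init__(self):
        self._boms = {}        # (serial, version) -> BOM bytes
        self._key_hashes = {}  # serial -> SHA-256 digest of its publishing key

    def publish(self, serial, version, bom, key=None, want_key=True):
        """Store a BOM version. Returns a new key on first publish, else None."""
        first_time = all(s != serial for s, _ in self._boms)
        if first_time:
            self._boms[(serial, version)] = bom
            if not want_key:
                return None  # key generation is optional
            new_key = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
            # Keep only a digest, so a leaked store does not leak usable keys.
            self._key_hashes[serial] = hashlib.sha256(new_key.encode()).digest()
            return new_key  # handed to the publisher once
        expected = self._key_hashes.get(serial)
        if expected is not None:
            supplied = hashlib.sha256((key or "").encode()).digest()
            # Constant-time comparison avoids leaking digest bytes via timing.
            if not hmac.compare_digest(supplied, expected):
                raise PublishKeyError(f"publishing key required for {serial}")
        self._boms[(serial, version)] = bom
        return None

    def versions(self, serial):
        return sorted(v for s, v in self._boms if s == serial)


if __name__ == "__main__":
    store = BomStore()
    serial = "urn:uuid:00000000-0000-4000-8000-000000000001"  # constructed sample
    key = store.publish(serial, 1, b"<bom/>")
    store.publish(serial, 2, b"<bom/>", key=key)  # accepted with the key
    print(store.versions(serial))
```

A serial number first published with `want_key=False` stays open to updates from anyone, which matches the "optionally generated" wording of the issue.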

Use Docker tooling instead of custom build script

Currently, the README advises users to run the build-and-run.sh script to get started.

However, this script duplicates functionality (in an indirect manner) that is already native to modern versions of Docker.

Using Docker tooling eliminates the onus on maintainers to update the build script when Dockerfile and docker-compose.yml already satisfy that need.

This can be achieved by rolling the environment variable, volume mapping, and port settings into the Docker Compose configuration.

Pending PR #380 illustrates this.

/cc @jkowalleck

Unable to save bom on filesystem

Start the server using the build-and-run.sh script (main branch).

On calling the sample curl POST example, it does not save the BOM to the filesystem.

It shows a warning:

warn: Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[3]
Failed to determine the https port for redirect.

Logs:
Sending build context to Docker daemon 664.1kB
Step 1/17 : FROM mcr.microsoft.com/dotnet/sdk:6.0 AS builder
---> d3863aa157b5
Step 2/17 : ARG APP_VERSION=0.0.0
---> Using cache
---> 5f06313c8724
Step 3/17 : COPY . /app
---> Using cache
---> 1597d1aed1a8
Step 4/17 : RUN cd /app && mkdir /app/bin && dotnet publish src/CycloneDX.BomRepoServer/CycloneDX.BomRepoServer.csproj --nologo --configuration Release --output bin --no-self-contained -p:Version=${APP_VERSION}
---> Using cache
---> c2b90f7e9b81
Step 5/17 : FROM mcr.microsoft.com/dotnet/aspnet:6.0
---> 70f39e2150e1
Step 6/17 : ENV TZ=Etc/UTC LANG=C.UTF-8 REPO__DIRECTORY=/repo ASPNETCORE_URLS=http://+:8080
---> Using cache
---> 94001d3d93ed
Step 7/17 : ARG APP_VERSION=0.0.0
---> Using cache
---> 05f395defeb9
Step 8/17 : ARG COMMIT_SHA=unknowen
---> Using cache
---> dc8d50c8b74a
Step 9/17 : ARG UID=1001
---> Using cache
---> cb66b8c21562
Step 10/17 : ARG GID=1001
---> Using cache
---> fcee95ea80f6
Step 11/17 : COPY --from=builder /app/bin /cyclonedx
---> Using cache
---> 50dfcc17c953
Step 12/17 : RUN mkdir -p -m 770 ${REPO__DIRECTORY} && addgroup --system --gid ${GID} cyclonedx || true && adduser --system --disabled-login --ingroup cyclonedx --no-create-home --home /nonexistent --gecos "cyclonedx user" --shell /bin/false --uid ${UID} cyclonedx || true && chown -R cyclonedx:0 ${REPO__DIRECTORY} /cyclonedx && chmod -R g=u ${REPO__DIRECTORY} /cyclonedx
---> Using cache
---> 639d843b9fca
Step 13/17 : USER ${UID}
---> Using cache
---> 6d745f2c0ac9
Step 14/17 : WORKDIR /cyclonedx
---> Using cache
---> 21540b8da67c
Step 15/17 : ENTRYPOINT [ "/cyclonedx/CycloneDX.BomRepoServer" ]
---> Using cache
---> c374b9c053c2
Step 16/17 : EXPOSE 8080
---> Using cache
---> 3a225d11f558
Step 17/17 : LABEL org.opencontainers.image.vendor="CycloneDX" org.opencontainers.image.title="Official CycloneDX BOM Repository Server Container image" org.opencontainers.image.description="CycloneDX BOM Repository Server is a BOM repository server for distributing CycloneDX BOMs" org.opencontainers.image.version="${APP_VERSION}" org.opencontainers.image.url="https://cyclonedx.org/" org.opencontainers.image.source="https://github.com/CycloneDX/cyclonedx-bom-repo-server" org.opencontainers.image.revision="${COMMIT_SHA}" org.opencontainers.image.licenses="Apache-2.0"
---> Using cache
---> 38e5b00739b0
Successfully built 38e5b00739b0
Successfully tagged localhost/cyclonedx-bom-repo-server:latest
info: CycloneDX.BomRepoServer.Services.CacheUpdateBackgroundService[0]
Updating BOM cache...
info: CycloneDX.BomRepoServer.Services.RetentionBackgroundService[0]
Updating BOM cache...
info: Microsoft.Hosting.Lifetime[14]
Now listening on: http://[::]:8080
info: Microsoft.Hosting.Lifetime[0]
Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
Hosting environment: Production
info: Microsoft.Hosting.Lifetime[0]
Content root path: /cyclonedx
warn: Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[3]
Failed to determine the https port for redirect.
info: CycloneDX.BomRepoServer.Services.CacheUpdateBackgroundService[0]
Updating BOM cache...

Add support for webhooks

We should add support for configurable webhooks. This would support a lot of automation use cases.

The first version would just be "a BOM or BOM version has been uploaded", with the webhook payload perhaps constrained to top-level BOM information and metadata.

Add Support for Azure Storage

Currently, the supported storage types are FileSystem and S3. It would be useful to extend support to include Azure Storage.

Unable to start server: Function not implemented

I'm unable to start the bom-repo-server. I'm testing on an Apple M1 Pro, which can run x86_64 containers under emulation. It works, but it's slow. Not sure if the platform is related to this error or not though. Here's the stack trace when starting the Docker container:

WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
Unhandled exception. System.IO.IOException: Function not implemented
   at System.IO.FileSystemWatcher.StartRaisingEvents()
   at System.IO.FileSystemWatcher.StartRaisingEventsIfNotDisposed()
   at System.IO.FileSystemWatcher.set_EnableRaisingEvents(Boolean value)
   at Microsoft.Extensions.FileProviders.Physical.PhysicalFilesWatcher.TryEnableFileSystemWatcher()
   at Microsoft.Extensions.FileProviders.Physical.PhysicalFilesWatcher.CreateFileChangeToken(String filter)
   at Microsoft.Extensions.FileProviders.PhysicalFileProvider.Watch(String filter)
   at Microsoft.Extensions.Configuration.FileConfigurationProvider.<.ctor>b__1_0()
   at Microsoft.Extensions.Primitives.ChangeToken.OnChange(Func`1 changeTokenProducer, Action changeTokenConsumer)
   at Microsoft.Extensions.Configuration.FileConfigurationProvider..ctor(FileConfigurationSource source)
   at Microsoft.Extensions.Configuration.Json.JsonConfigurationSource.Build(IConfigurationBuilder builder)
   at Microsoft.Extensions.Configuration.ConfigurationBuilder.Build()
   at Microsoft.Extensions.Hosting.HostBuilder.BuildAppConfiguration()
   at Microsoft.Extensions.Hosting.HostBuilder.Build()
   at CycloneDX.BomRepoServer.Program.Main(String[] args) in /home/runner/work/cyclonedx-bom-repo-server/cyclonedx-bom-repo-server/CycloneDX.BomRepoServer/Program.cs:line 33
qemu: uncaught target signal 6 (Aborted) - core dumped

I have attempted to start the container with and without the environment variables, with the same result.

  • REPO__DIRECTORY
  • ALLOWEDMETHODS__GET
  • ALLOWEDMETHODS__POST
  • ALLOWEDMETHODS__DELETE

Does someone maintain this project

Hi there,
I am looking for a BOM storage solution. I like this small server, but I am afraid because the latest commit was 1 year ago. Can someone tell me if this project is alive?

Regards

Retain original unaltered BOM

Especially for XML BOMs, there can be additional information, like extensions and signatures, that are stripped when serializing/deserializing using the core spec data models. This should likely have a separate endpoint to indicate that you are retrieving the original, unaltered BOM.
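
The loss described in this issue, shown as an added example that is not the project's code: a constructed XML BOM with a vendor extension element and a placeholder signature is passed through a deliberately minimal data model (a stand-in for a core-spec model, not the CycloneDX library), while the raw bytes are kept alongside a SHA-256 digest. `model_round_trip`, `lost_elements` and `OriginalStore` are hypothetical names.

```python
import hashlib
import xml.etree.ElementTree as ET

CDX = "http://cyclonedx.org/schema/bom/1.4"
ET.register_namespace("", CDX)

# Constructed sample: extension element plus a placeholder (not a real) signature.
ORIGINAL = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1" '
    b'xmlns:ex="https://example.invalid/ext" '
    b'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">\n'
    b'  <components><component type="library"><name>acme-lib</name>'
    b'<version>1.0.0</version><ex:reviewedBy>security-team</ex:reviewedBy>'
    b'</component></components>\n'
    b'  <ds:Signature><ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue>'
    b'</ds:Signature>\n</bom>\n'
)


def sha256_hex(raw):
    return hashlib.sha256(raw).hexdigest()


def model_round_trip(raw):
    """Parse into a model that knows only type/name/version, then serialize."""
    root = ET.fromstring(raw)
    out = ET.Element(f"{{{CDX}}}bom", {"version": root.get("version", "1")})
    comps = ET.SubElement(out, f"{{{CDX}}}components")
    for c in root.iter(f"{{{CDX}}}component"):
        new = ET.SubElement(comps, f"{{{CDX}}}component", {"type": c.get("type", "")})
        for field in ("name", "version"):
            ET.SubElement(new, f"{{{CDX}}}{field}").text = c.findtext(f"{{{CDX}}}{field}")
    return ET.tostring(out, encoding="utf-8")


def lost_elements(raw, processed):
    """Element tags present in the uploaded bytes but gone after the round trip."""
    tags = lambda data: {e.tag for e in ET.fromstring(data).iter()}
    return sorted(tags(raw) - tags(processed))


class OriginalStore:
    """Keeps the uploaded bytes untouched so they can be served verbatim."""

    def __init__(self):
        self._raw = {}

    def put(self, serial, version, raw):
        self._raw[(serial, version)] = raw
        return sha256_hex(raw)  # digest the publisher can check later

    def get_original(self, serial, version):
        return self._raw[(serial, version)]
```

Any signature computed over the uploaded document can only be verified against what `get_original` returns, since the round-tripped output has a different digest and no signature element.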
