Breaking: [AEA-4433] - Parameterise NPM version (#17)

* Bump npm to version 20

* Use set e

* NON-WORKING - saving progress (such as it is)

* Handle multiple versions of node in the dockerfile and tests

* Rename test data

* Add tool versions back in

* Revert dependabot changes so tests pass

* Fix input

* Fix docker asdf install

* Actually fix path

* REALLY actually fix the path issue

* REALL ACTUALLY fix the path issue

* this time, REALLY ACTUALLY fix the path issue

* stupid github

* Debugging

* More debugging

* More debugging

* Try resetting asdf dir in action

* poor mans debugging

* copy asdf to where github expects it to be

* copy asdf to where github expects it to be

* Add docstring, and make checks proper

* linting fix

* Add node22 support

* Fix path

* Why did you break?

* Why did you break?

* Why did you break?

* Why did you break?

* fix typo

* Rename python requirements files

* Rename test files

* Add some blank lines

* Add empty lines

Author: wildjames

.devcontainer/Dockerfile

@@ -36,4 +36,4 @@ WORKDIR /workspaces/eps-action-sbom
 ADD .tool-versions /workspaces/eps-action-sbom/.tool-versions
 ADD .tool-versions /home/vscode/.tool-versions
 
-RUN asdf install
+RUN asdf install

.devcontainer/devcontainer.json

@@ -46,9 +46,8 @@
           "github.vscode-github-actions"
         ],
         "settings": {
-          "cSpell.words": ["fhir", "Formik", "pino", "serialisation"],
+          "cSpell.words": ["fhir", "Formik", "pino", "serialisation"]
         }
       }
     }
   }
-  

.github/dependabot.yml

@@ -33,4 +33,4 @@ updates:
       interval: "daily"
     versioning-strategy: increase
     commit-message:
-      prefix: "Upgrade: [dependabot] - "
+      prefix: "Upgrade: [dependabot] - "

.gitignore

@@ -1,2 +1,2 @@
 node_modules
-*sbom*.json
+*sbom*.json

.tool-versions

@@ -2,4 +2,4 @@ shellcheck 0.9.0
 actionlint 1.6.26
 nodejs 20.16.0
 python 3.8.15
-poetry 1.6.1
+poetry 1.6.1

Dockerfile

@@ -1,35 +1,72 @@
-# Use an official Python runtime as a parent image
-FROM python:3.10-slim
-
-# Set environment variables for versions with default values
-ARG POETRY_VERSION=1.8.0
-ARG NODE_VERSION=18
-ARG CYCLONE_PYTHON_VERSION=4.5.0
-ARG CYCLONE_NPM_VERSION=1.19.3
-
-# Install system dependencies and tools
-RUN apt-get update && \
-    apt-get install -y \
-    curl \
-    gnupg \
-    jq \
-    && rm -rf /var/lib/apt/lists/*
-
-# Install Node.js
-RUN curl -fsSL https://deb.nodesource.com/setup_${NODE_VERSION}.x | bash - && \
-    apt-get install -y nodejs
-
-# Install cyclonedx
-RUN pip install cyclonedx-bom==${CYCLONE_PYTHON_VERSION}
-RUN npm install -g @cyclonedx/cyclonedx-npm@${CYCLONEDX_VERSION}
+FROM mcr.microsoft.com/devcontainers/base:ubuntu-24.04
+
+RUN apt-get update \
+    && export DEBIAN_FRONTEND=noninteractive \
+    && apt-get -y dist-upgrade \
+    && apt-get -y install --no-install-recommends htop vim curl git build-essential \
+    libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev libbz2-dev \
+    zlib1g-dev unixodbc unixodbc-dev libsecret-1-0 libsecret-1-dev libsqlite3-dev \
+    jq apt-transport-https ca-certificates gnupg-agent \
+    software-properties-common bash-completion python3-pip make libbz2-dev \
+    libreadline-dev libsqlite3-dev wget llvm libncurses5-dev libncursesw5-dev \
+    xz-utils tk-dev liblzma-dev libyaml-dev bats bats-support bats-assert bats-file \
+    python3 python3-pip python3-dev
+
+# Install ASDF
+RUN git clone https://github.com/asdf-vm/asdf.git ~/.asdf --branch v0.14.1; \
+    echo '. /root/.asdf/asdf.sh' >> ~/.bashrc; \
+    echo '. /root/.asdf/completions/asdf.bash' >> ~/.bashrc; \
+    echo 'PATH="$PATH:/root/.asdf/bin/"' >> ~/.bashrc;
+
+ENV PATH="$PATH:/root/.asdf/bin/"
+
+# Install ASDF plugins
+RUN asdf plugin add shellcheck https://github.com/luizm/asdf-shellcheck.git; \
+    asdf plugin add actionlint; \
+    asdf plugin add python; \
+    asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git; \
+    asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git;
 
 # Install Grype
 RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
 
-WORKDIR /github/workspace
+# For each supported npm version, asdf install, and install cyclonedx (latest versions)
+
+ADD node18/.tool-versions /node_versions/node18/.tool-versions
+WORKDIR /node_versions/node18
+RUN asdf install
+RUN asdf exec npm install -g @cyclonedx/cyclonedx-npm
+RUN asdf exec python -m pip install cyclonedx-bom
+
+
+ADD node20/.tool-versions /node_versions/node20/.tool-versions
+WORKDIR /node_versions/node20
+RUN asdf install
+RUN asdf exec npm install -g @cyclonedx/cyclonedx-npm
+RUN asdf exec python -m pip install --no-cache-dir cyclonedx-bom
+
+
+ADD node22/.tool-versions /node_versions/node22/.tool-versions
+WORKDIR /node_versions/node22
+RUN asdf install
+RUN asdf exec npm install -g @cyclonedx/cyclonedx-npm
+RUN asdf exec python -m pip install --no-cache-dir cyclonedx-bom
+
+
+# Set the workdir to what we'll actually use
+WORKDIR /working
+
+# And install cyclonedx in this asdf environment
+RUN echo "python 3.12.5" >> .tool-versions
+RUN asdf exec python -m pip install --no-cache-dir cyclonedx-bom
+RUN rm .tool-versions
+
+# Files to execute when the docker container starts up
+ADD entrypoint.sh /entrypoint.sh
+ADD check-sbom-issues-against-ignores.sh /check-sbom-issues-against-ignores.sh 
 
-COPY entrypoint.sh /entrypoint.sh
-COPY check-sbom-issues-against-ignores.sh /check-sbom-issues-against-ignores.sh 
+# Set the umask so that the files created by docker can be universally accessed. 
+# Lets the tests successfully teardown.
+RUN echo "umask 000" >> /etc/profile
 
-# Code file to execute when the docker container starts up
 ENTRYPOINT ["/entrypoint.sh"]

Makefile

@@ -3,8 +3,5 @@
 test:
 	bats test/test.bats
 
-submodule_update:
-	git submodule update
-
 lint:
 	shellcheck *.sh

README.md

@@ -1,12 +1,19 @@
 # EPS SBOM scanning action
 
-This action generates a Software Bill Of Materials (SBOM) for Python and NPM in a project. It also scans these for security vulnerabilities, and reports an error if any are found.
+This action generates a Software Bill Of Materials (SBOM) for Python and NPM in a project. It also scans these for security vulnerabilities, and reports an error if any are found. For python, both `requirements.txt` and Poetry installations are supported.
 
-Specific vulnerabilities can be ignored by adding their ID to the ignore file in this repository: `ignored_security_issues.json`.
+Specific vulnerabilities can be ignored by adding their ID to the ignore file in this repository: `ignored_security_issues.json`, e.g.
+```
+[
+	"GHSA-4jcv-vp96-94xr"
+]
+```
 
 ## Inputs
 
-None
+### "node_version"
+
+Used to specify the version of nodeJS used in your project. Versions are mutually incompatible, so a project built with node 18 cannot be analysed using node 20, for example. Allowed versions are `["18", "20", "22"]`. Defaults to "20".
 
 ## Outputs
 
@@ -15,8 +22,10 @@ None
 ## Example usage
 
 ```
-      - name: Create and scan SBOM
-        uses: NHSDigital/eps-action-sbom@v1
+- name: Create and scan SBOM
+  uses: NHSDigital/eps-action-sbom@v1
+  with:
+	node_version: "20"
 ```
 
 This can be used as a `makefile` target like so:
@@ -31,3 +40,13 @@ Note that this requires the `LOCAL_WORKSPACE_FOLDER` environment variable to be
 ```
   "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
 ```
+In addition, if you are using a dev container, it must have the docker-in-docker feature installed. This is added to the `devcontainer.json` features field:
+```
+    "features": {
+      "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
+        "version": "latest",
+        "moby": "true",
+        "installDockerBuildx": "true"
+      }
+    },
+```

action.yml

@@ -1,6 +1,17 @@
 # action.yml
 name: 'EPS SBOM'
 description: 'Create SBOMs, and scan for security risks.'
+inputs:
+  node_version:
+    description: 'The version of NPM used in the project'
+    required: false
+    default: '20'
+    
 runs:
   using: 'docker'
   image: 'Dockerfile'
+  args:
+    - ${{ inputs.node_version }}
+  env:
+    ASDF_DIR: ""
+    ASDF_DATA_DIR: ""

entrypoint.sh

@@ -1,14 +1,33 @@
 #!/bin/sh -l
 
+set -e
+
+
 # Remove any existing SBOMs
 rm -f ./sbom*.json
 
+# Get the .tool-versions for the correct node
+NODE_VERSION=${1:-'20'}
+cp /node_versions/node"${NODE_VERSION}"/.tool-versions .
+
+# If the current github workflow has installed asdf, it will pass the ASDF_DIR and ASDF_DATA_DIR
+# environment variables in to the action, overriding this docker container's installation and leaving it
+# unable to find the scripts.
+# Here, we check if these variables are set, and if necessary we copy in our local installation of asdf.
+if [ -n "${ASDF_DIR}" ]; then
+    echo "ASDF_DIR not set. Copying in local installation of asdf..."
+    mkdir -p "${ASDF_DIR}"
+    cp -r /root/.asdf/* "${ASDF_DIR}"/
+    ls -lha "${ASDF_DIR}"
+fi
+asdf reshim
+
 # Scan the dependencies for NPM
 if [ -f "package.json" ] && [ -f "package-lock.json" ]; then
     echo "Generating SBOM for Node.js..."
-    # The node_modules directory is not needed for generating the SBOM
-    npm install
-    cyclonedx-npm --output-format json --output-file sbom-node.json
+    # The node_modules directory is needed for generating the SBOM
+    asdf exec npm install
+    asdf exec cyclonedx-npm --output-format json --output-file sbom-node.json
     echo "Done"
 else
     echo "package.json and package-lock.json not found. Cannot generate Node.js SBOM."
@@ -18,12 +37,12 @@ fi
 # Check if pyproject.toml (Poetry) or requirements.txt exists
 if [ -f "pyproject.toml" ]; then
     echo "Detected Poetry project. Generating SBOM using Poetry..."
-    cyclonedx-py poetry > sbom-python-poetry.json
+    asdf exec cyclonedx-py poetry > sbom-python-poetry.json
 fi 
 
 if [ -f "requirements.txt" ]; then
     echo "Detected requirements.txt. Generating SBOM using pip..."
-    cyclonedx-py requirements > sbom-python-pip.json
+    asdf exec cyclonedx-py requirements > sbom-python-pip.json
 fi
 
 echo "Done"
@@ -37,6 +56,8 @@ for sbom in ./sbom*.json; do
     fi
 done
 
+# Don't exit on failure until we check all files.
+set +e
 # Initialize an error flag
 error_occurred=false
 
@@ -60,5 +81,4 @@ if [ "$error_occurred" = true ]; then
     exit 1
 else
     echo "All checks completed successfully."
-    exit 0
-fi
+fi