Skip to content

Collect node bundled components in formulation #2087

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 22, 2025
Merged

Collect node bundled components in formulation #2087

merged 3 commits into from
Jul 22, 2025

Conversation

prabhu
Copy link
Collaborator

@prabhu prabhu commented Jul 22, 2025

Also bundle sbom in the generated sea binaries

Fixes #2086
Fixes #2074

Sample sbom with formulation that gets attached to a sea binary

sbom-postbuild-js.cdx.json

@prabhu prabhu requested a review from malice00 July 22, 2025 05:56
prabhu
prabhu commented Jul 22, 2025
View reviewed changes
lib/cli/index.js
"GRADLE_",
"NODE_",
];
const envBlocklist = [
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To the best of my knowledge, this must exclude any secrets. Also manually tested by extracting one of the generated Sea binaries from here. Maybe further filtering might be required to be safe.

prabhu
prabhu commented Jul 22, 2025
View reviewed changes
.github/workflows/binary-builds.yml
@@ -87,9 +87,12 @@ jobs:
# Set the commands
- cmd: |
# Prepare workspace
rm -rf ci contrib tools_config
rm -rf ci test contrib tools_config devenv.* ADVANCED.md pyproject.toml renovate.json uv.lock
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Multiple unwanted files were getting included in the Sea binaries, since caxa wasn't filtering them all by default. To identify this, execute the binary once with --help and then navigate to $TMPDIR/caxa/applications/cdxgen/<rand>/0 directory.

prabhu
prabhu commented Jul 22, 2025
View reviewed changes
.github/workflows/binary-builds.yml Outdated
Remove-Item contrib -Recurse -Force
Remove-Item tools_config -Recurse -Force
npm install --omit=dev --no-package-lock --no-audit --no-fund --no-progress

# Generate sbom (imprecise)
node bin/cdxgen.js -t js --exclude "**/test/**" -o sbom-postbuild-js.cdx.json --include-formulation
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we build Windows binaries using npm and without a lock file, the generated SBOM is slightly imprecise since it will be based on the pnpm lockfile.

@prabhu prabhu marked this pull request as draft July 22, 2025 10:38
prabhu
prabhu commented Jul 22, 2025
View reviewed changes
.github/workflows/binary-builds.yml
pnpm install --config.strict-dep-builds=true --virtual-store-dir node_modules/pnpm --prod --package-import-method copy --frozen-lockfile

# Generate sbom
node bin/cdxgen.js -t js -t jar -t ruby --exclude "**/test/**" -o sbom-postbuild.cdx.json --include-formulation
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we bundle atom and binary plugins, I have added more types to the generated sbom.

@prabhu prabhu marked this pull request as ready for review July 22, 2025 10:55
@prabhu prabhu force-pushed the feature/node-components-formulation branch from fa71996 to 3c85226 Compare July 22, 2025 11:04
@prabhu
Rebase
b33f0c8 
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
@prabhu prabhu force-pushed the feature/node-components-formulation branch from 3c85226 to b33f0c8 Compare July 22, 2025 11:52
@prabhu
devenv update
af7c86c 
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
malice00
malice00 reviewed Jul 22, 2025
View reviewed changes
@prabhu
Review comment
3641600 
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
@malice00
Copy link
Collaborator

I don't see the NodeJS Runtime anywhere in the SBOM -- is this because your example is from an intermediate version?
Also, in the SBOM I see several of our dotfiles and workflows, these should not be there anymore, right?
And finally, should we attach the SBOM directly to the release as well? It's probably good for people to be able to download them without having to download the binaries...

@prabhu
Copy link
Collaborator Author

prabhu commented Jul 22, 2025

@malice00 I can see the below.

"name": "Node.js",
"version": "24.3.0",
"components": [
                        {
                            "name": "CoreFoundation",
                            "type": "library",
                            "scope": "excluded",
                            "purl": "pkg:generic/CoreFoundation#/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation",
                            "bom-ref": "pkg:generic/CoreFoundation"
                        },

Regarding dotfiles, it is from the listFiles function, which gets the list directly from git. There is already an sbom that gets attached to the releases. The slim version has --required-only filter applied on top of js packages alone, but otherwise identical to this.

@malice00
Copy link
Collaborator

You're right, must have missed it.

lgtm

@prabhu prabhu merged commit 6edabf4 into master Jul 22, 2025
80 checks passed
@prabhu prabhu deleted the feature/node-components-formulation branch July 22, 2025 20:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@malice00 malice00 malice00 left review comments

Assignees
No one assigned
Labels
formulation infra Ready for QA
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[formulation] collect host shared objects under formulation Generate SBOM for SEA binaries
2 participants
@prabhu @malice00