bom in docker image

jkowalleck · jkowalleck · commit baf17271ce31 · 2023-06-13T11:59:01.000+02:00
Signed-off-by: Jan Kowalleck &lt;jan.kowalleck@gmail.com&gt;
diff --git a/.dockerignore b/.dockerignore
@@ -9,6 +9,8 @@ vagrant/
 logs/
 Dockerfile
 .npmrc
+/bom.json
+/bom.xml
 
 # Pattern is *not covered* by node_modules/ above no matter what IntelliJ says!
 frontend/node_modules/
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -335,6 +335,7 @@ jobs:
           build-args: |
             VCS_REF=${{ env.VCS_REF }}
             BUILD_DATE=${{ env.BUILD_DATE }}
+            CYCLONEDX_NPM_VERSION=${{ env.CYCLONEDX_NPM_VERSION }}
   heroku:
     if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push' && (github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/master')
     needs: [test, api-test, e2e, custom-config-test]
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -80,6 +80,7 @@ jobs:
           build-args: |
             VCS_REF=${{ env.VCS_REF }}
             BUILD_DATE=${{ env.BUILD_DATE }}
+            CYCLONEDX_NPM_VERSION=${{ env.CYCLONEDX_NPM_VERSION }}
   notify-slack:
     if: always()
     needs:
diff --git a/Dockerfile b/Dockerfile
@@ -15,6 +15,10 @@ RUN rm data/chatbot/botDefaultTrainingData.json || true
 RUN rm ftp/legal.md || true
 RUN rm i18n/*.json || true
 
+ARG CYCLONEDX_NPM_VERSION=latest
+RUN npm install -g @cyclonedx/cyclonedx-npm@$CYCLONEDX_NPM_VERSION
+RUN npm run sbom
+
 FROM gcr.io/distroless/nodejs:18
 ARG BUILD_DATE
 ARG VCS_REF
