Generate SBOM for maven project in gitlab-ci job

[kingnoahkong]

Hi,

I am new to CDXGEN and I am trying to generate SBOM for a maven project in gitlab-ci job. I can install and generate the SBOM on my local machine where I have node 21.6.0 and maven 3.8.8 but I keep getting error when the job runs in the gitlab-ci pipeline.

There are two errors depending on the image specification:

if I use node:20 for the image I get the following error:

$ cdxgen -o bom.json -p
Executing 'mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.2:makeAggregateBom -DoutputName=bom -q' in /builds/ros/camunda
Fallback to executing mvn dependency:tree -DoutputFile=/tmp/cdxmvn-vFOtZr/mvn-tree.txt
 /bin/sh: 1: mvn: not found

if I use maven:3.9.6-eclipse-temurin-17 I get the following error:

npm install -g @cyclonedx/cdxgen
/usr/bin/bash: line 164: npm: command not found

here is my ci job:

generate_dependency_tracker:
  extends:
    - .standard-rules
  stage: report
  image: maven:3.9.6-eclipse-temurin-17
  needs: [ ]
  before_script:
    - mkdir dep-reports
    - npm install -g @cyclonedx/cdxgen
  script:
    - echo "generating dependency tracker now"
    - cdxgen -o bom.json -t java --profile research . -p
    - cp bom.json dep-reports/dep-report.json
  artifacts:
    paths:
      - dep-reports
    expire_in: 1 day

I kind of understand that I need both images, the node:20 for the cdxgen installation and the maven:3.9.6-eclipse-temurin-17 to generate the sbom for the maven project. My question is how do I achieve the impossible of having both images available. I have also tried to have a pre-job with node:20 as image where I can successfully install cdxgen, but it is not available in the next job where I try to generate the sbom.

Any assistance will be appreciated. ( I have tried to find solutions on here and stack.. but I found nothing that could help me).

[prabhu]

@kingnoahkong, this is devops. You need a custom image that wraps all build tools. It will look similar to the cdxgen dockerfile, but use CMD instead of ENTRYPOINT here. Depending on CI, there might be other packages that may have to be added to the docker file.

https://github.com/CycloneDX/cdxgen/blob/master/ci/Dockerfile#L135

Please share the final dockerfile once you get it working.

[kingnoahkong]

Thank you for your input, I will definitely share here when I implement the solution.