Linux musl builds

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

Author: prabhu

.github/workflows/native-builds.yml

@@ -43,24 +43,45 @@ jobs:
     - name: Build
       run: |
         bash thirdparty/sourcekitten/build.sh
+        ls -al thirdparty/sourcekitten/SourceKitten/.build
         ls -l thirdparty/sourcekitten/SourceKitten/.build/release
         echo $GITHUB_TOKEN | oras login ghcr.io -u $GITHUB_USERNAME --password-stdin
       env:
         GITHUB_USERNAME: ${{ github.actor }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Upload linux amd64
       run: |
-        cd thirdparty/sourcekitten/SourceKitten/.build/release/
-        oras push ghcr.io/cyclonedx/cdxgen-plugins-bin:linux-amd64 \
+        pushd thirdparty/trivy
+        make build/linuxmusl_amd64
+        popd
+        sudo chown -R $USER:$USER thirdparty/trivy/build/
+        mkdir -p uploads
+        cp thirdparty/trivy/build/trivy* uploads/
+        cp thirdparty/sourcekitten/SourceKitten/.build/release/sourcekitten uploads/
+        cp thirdparty/sourcekitten/SourceKitten/.build/release/sourcekitten.sha256 uploads/
+        cd uploads
+        oras push --verbose --disable-path-validation ghcr.io/cyclonedx/cdxgen-plugins-bin:linux-amd64 \
           --artifact-type application/vnd.oras.config.v1+json \
+          ./trivy-cdxgen-linuxmusl-amd64:application/vnd.cyclonedx.plugins.layer.v1+tar \
+          ./trivy-cdxgen-linuxmusl-amd64.sha256:application/vnd.cyclonedx.plugins.layer.v1+tar \
           ./sourcekitten:application/vnd.cyclonedx.plugins.layer.v1+tar \
           ./sourcekitten.sha256:application/vnd.cyclonedx.plugins.layer.v1+tar
       if: matrix.os == 'ubuntu-24.04'
     - name: Upload linux arm64
       run: |
-        cd thirdparty/sourcekitten/SourceKitten/.build/release/
-        oras push ghcr.io/cyclonedx/cdxgen-plugins-bin:linux-arm64 \
+        pushd thirdparty/trivy
+        make build/linuxmusl_arm64
+        popd
+        sudo chown -R $USER:$USER thirdparty/trivy/build/
+        mkdir -p uploads
+        cp thirdparty/trivy/build/trivy* uploads/
+        cp thirdparty/sourcekitten/SourceKitten/.build/release/sourcekitten uploads/
+        cp thirdparty/sourcekitten/SourceKitten/.build/release/sourcekitten.sha256 uploads/
+        cd uploads
+        oras push --verbose --disable-path-validation ghcr.io/cyclonedx/cdxgen-plugins-bin:linux-arm64 \
           --artifact-type application/vnd.oras.config.v1+json \
+          ./trivy-cdxgen-linuxmusl-arm64:application/vnd.cyclonedx.plugins.layer.v1+tar \
+          ./trivy-cdxgen-linuxmusl-arm64.sha256:application/vnd.cyclonedx.plugins.layer.v1+tar \
           ./sourcekitten:application/vnd.cyclonedx.plugins.layer.v1+tar \
           ./sourcekitten.sha256:application/vnd.cyclonedx.plugins.layer.v1+tar
       if: matrix.os == 'ubuntu-24.04-arm'

.github/workflows/release.yml

@@ -25,6 +25,10 @@ jobs:
       if: matrix.os == 'ubuntu-latest'
       with:
         swift-version: '6.0'
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
     - uses: oras-project/setup-oras@v1
     - run: oras version
     - name: Trim CI agent
@@ -66,6 +70,20 @@ jobs:
         npm publish --access=public --@cyclonedx:registry='https://registry.npmjs.org'
         popd
 
+        pushd packages/linuxmusl-amd64
+        echo "cyclonedx:registry=https://npm.pkg.github.com" > ~/.npmrc
+        npm publish --access=public --@cyclonedx:registry='https://npm.pkg.github.com'
+        echo "cyclonedx:registry=https://registry.npmjs.org" > ~/.npmrc
+        npm publish --access=public --@cyclonedx:registry='https://registry.npmjs.org'
+        popd
+
+        pushd packages/linuxmusl-arm64
+        echo "cyclonedx:registry=https://npm.pkg.github.com" > ~/.npmrc
+        npm publish --access=public --@cyclonedx:registry='https://npm.pkg.github.com'
+        echo "cyclonedx:registry=https://registry.npmjs.org" > ~/.npmrc
+        npm publish --access=public --@cyclonedx:registry='https://registry.npmjs.org'
+        popd
+
         pushd packages/linux-riscv64
         echo "cyclonedx:registry=https://npm.pkg.github.com" > ~/.npmrc
         npm publish --access=public --@cyclonedx:registry='https://npm.pkg.github.com'

.github/workflows/test.yml

@@ -29,6 +29,10 @@ jobs:
       if: matrix.os == 'ubuntu-latest'
       with:
         swift-version: '6.0'
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
     - uses: oras-project/setup-oras@v1
     - run: oras version
     - name: Trim CI agent
@@ -54,6 +58,12 @@ jobs:
         pushd packages/linux-arm64
         npm publish --dry-run
         popd
+        pushd packages/linuxmusl-amd64
+        npm publish --dry-run
+        popd
+        pushd packages/linuxmusl-arm64
+        npm publish --dry-run
+        popd
         pushd packages/linux-riscv64
         npm publish --dry-run
         popd

build.sh

@@ -21,7 +21,7 @@ done
 upx -9 --lzma ./plugins/trivy/trivy-cdxgen-linux-amd64
 ./plugins/trivy/trivy-cdxgen-linux-amd64 -v
 
-for flavours in windows-amd64 linux-amd64 linux-arm64 linux-riscv64 linux-arm windows-arm64 darwin-arm64 darwin-amd64 ppc64
+for flavours in windows-amd64 linux-amd64 linux-arm64 linuxmusl-amd64 linuxmusl-arm64 linux-riscv64 linux-arm windows-arm64 darwin-arm64 darwin-amd64 ppc64
 do
     chmod +x packages/$flavours/build-$flavours.sh
     pushd packages/$flavours

packages/linux-amd64/build-linux-amd64.sh

@@ -7,6 +7,8 @@ mkdir -p plugins/trivy plugins/osquery plugins/sourcekitten plugins/dosai
 
 oras pull ghcr.io/cyclonedx/cdxgen-plugins-bin:linux-amd64 -o plugins/sourcekitten/
 sha256sum plugins/sourcekitten/sourcekitten > plugins/sourcekitten/sourcekitten.sha256
+rm -f plugins/sourcekitten/trivy-cdxgen-*
+ls -l plugins/sourcekitten/
 
 wget https://github.com/osquery/osquery/releases/download/5.17.0/osquery-5.17.0_1.linux_x86_64.tar.gz
 tar -xf osquery-5.17.0_1.linux_x86_64.tar.gz

packages/linux-amd64/package.json

@@ -28,6 +28,7 @@
   "os": [
     "linux"
   ],
+  "libc": "glibc",
   "cpu": [
     "x64"
   ]

packages/linux-arm/package.json

@@ -28,6 +28,7 @@
   "os": [
     "linux"
   ],
+  "libc": "glibc",
   "cpu": [
     "arm"
   ]

packages/linux-arm64/build-linux-arm64.sh

@@ -9,6 +9,8 @@ rm -rf plugins/sourcekitten
 mkdir -p plugins/osquery plugins/dosai plugins/sourcekitten
 
 oras pull ghcr.io/cyclonedx/cdxgen-plugins-bin:linux-arm64 -o plugins/sourcekitten/
+rm -f plugins/sourcekitten/trivy-cdxgen-*
+ls -l plugins/sourcekitten/
 
 wget https://github.com/osquery/osquery/releases/download/5.17.0/osquery-5.17.0_1.linux_aarch64.tar.gz
 tar -xf osquery-5.17.0_1.linux_aarch64.tar.gz

packages/linux-arm64/package.json

@@ -28,6 +28,7 @@
   "os": [
     "linux"
   ],
+  "libc": "glibc",
   "cpu": [
     "arm64"
   ]

packages/linuxmusl-amd64/build-linuxmusl-amd64.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -e  # Exit on error
+
+# Remove old plugin directories to ensure a clean build
+rm -rf plugins/trivy plugins/dosai
+mkdir -p plugins/trivy plugins/dosai
+
+# Download the Dosai binary
+curl -L https://github.com/owasp-dep-scan/dosai/releases/latest/download/Dosai-linux-musl-x64 -o plugins/dosai/dosai
+chmod +x plugins/dosai/dosai
+sha256sum plugins/dosai/dosai > plugins/dosai/dosai.sha256
+
+oras pull ghcr.io/cyclonedx/cdxgen-plugins-bin:linux-amd64 -o plugins/trivy/
+rm -f plugins/trivy/sourcekitten*
+ls -l plugins/trivy/

packages/linuxmusl-amd64/index.js

@@ -0,0 +1 @@
+console.log('Linux AMD64 package initialized.');

packages/linuxmusl-amd64/package.json

@@ -0,0 +1,35 @@
+{
+  "name": "@cyclonedx/cdxgen-plugins-bin-linuxmusl-amd64",
+  "version": "1.6.12",
+  "description": "Linux musl amd64 binary plugins to supercharge @cyclonedx/cdxgen npm package",
+  "main": "index.js",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/cyclonedx/cdxgen-plugins-bin.git"
+  },
+  "keywords": [
+    "cdxgen",
+    "sbom",
+    "bom",
+    "plugins",
+    "dependency",
+    "appsec"
+  ],
+  "author": "Prabhu Subramanian <prabhu@appthreat.com>",
+  "license": "Apache-2.0",
+  "bugs": {
+    "url": "https://github.com/cyclonedx/cdxgen-plugins-bin/issues"
+  },
+  "homepage": "https://github.com/cyclonedx/cdxgen-plugins-bin#readme",
+  "files": [
+    "*.js",
+    "plugins/"
+  ],
+  "os": [
+    "linux"
+  ],
+  "libc": "musl",
+  "cpu": [
+    "x64"
+  ]
+}

packages/linuxmusl-amd64/plugins/.gitignore

@@ -0,0 +1,6 @@
+goversion/
+trivy/
+cargo-auditable/
+osquery/
+dosai/
+sourcekitten/

packages/linuxmusl-amd64/plugins/.gitkeep

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -e  # Exit on error
+
+# Remove old plugin directories to ensure a clean build
+rm -rf plugins/trivy plugins/dosai
+mkdir -p plugins/trivy plugins/dosai
+
+# Download the Dosai binary
+curl -L https://github.com/owasp-dep-scan/dosai/releases/latest/download/Dosai-linux-musl-arm64 -o plugins/dosai/dosai
+chmod +x plugins/dosai/dosai
+sha256sum plugins/dosai/dosai > plugins/dosai/dosai.sha256
+
+oras pull ghcr.io/cyclonedx/cdxgen-plugins-bin:linux-arm64 -o plugins/trivy/
+rm -f plugins/trivy/sourcekitten*
+ls -l plugins/trivy/

packages/linuxmusl-amd64/plugins/.npmignore

@@ -0,0 +1,8 @@
+// Debug mode flag
+const DEBUG_MODE =
+  process.env.CDXGEN_DEBUG_MODE === "debug" ||
+  process.env.NODE_ENV === "development";
+
+if (DEBUG_MODE) {
+  console.log("cdxgen plugins check");
+}

packages/linuxmusl-arm64/build-linuxmusl-arm64.sh

@@ -0,0 +1,35 @@
+{
+  "name": "@cyclonedx/cdxgen-plugins-bin-linuxmusl-arm64",
+  "version": "1.6.12",
+  "description": "Linux musl arm64 binary plugins to supercharge @cyclonedx/cdxgen npm package",
+  "main": "index.js",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/cyclonedx/cdxgen-plugins-bin.git"
+  },
+  "keywords": [
+    "cdxgen",
+    "sbom",
+    "bom",
+    "plugins",
+    "dependency",
+    "appsec"
+  ],
+  "author": "Prabhu Subramanian <prabhu@appthreat.com>",
+  "license": "Apache-2.0",
+  "bugs": {
+    "url": "https://github.com/cyclonedx/cdxgen-plugins-bin/issues"
+  },
+  "homepage": "https://github.com/cyclonedx/cdxgen-plugins-bin#readme",
+  "files": [
+    "*.js",
+    "plugins/"
+  ],
+  "os": [
+    "linux"
+  ],
+  "libc": "musl",
+  "cpu": [
+    "arm64"
+  ]
+}

packages/linuxmusl-arm64/index.js

@@ -0,0 +1,6 @@
+goversion/
+trivy/
+cargo-auditable/
+osquery/
+dosai/
+sourcekitten/

packages/linuxmusl-arm64/package.json

@@ -1,6 +1,7 @@
 PATH  := $(PATH):/usr/local/go/bin:$HOME/go/bin:
 appname := trivy-cdxgen
 sources := main.go
+docker_cmd := docker
 
 build = CGO_ENABLED=0 GOOS=$(1) GOARCH=$(2) go build -ldflags "-s -w -extldflags=-Wl,-z,now,-z,relro" -o build/$(appname)-$(1)-$(2)$(3)
 sha = cd build && sha256sum $(appname)-$(1)-$(2)$(3) > $(appname)-$(1)-$(2)$(3).sha256
@@ -14,6 +15,8 @@ clean: rm -rf build/
 ##### LINUX BUILDS #####
 linux: build/linux_amd64 build/linux_arm64 build/linux_arm build/linux_ppc64le build/linux_riscv64
 
+linuxmusl: build/linuxmusl_amd64 build/linuxmusl_arm64
+
 build/linux_386: $(sources)
 	$(call build,linux,386,)
 	$(call sha,linux,386,)
@@ -30,6 +33,14 @@ build/linux_arm64: $(sources)
 	$(call build,linux,arm64,)
 	$(call sha,linux,arm64,)
 
+build/linuxmusl_%: $(sources)
+	$(docker_cmd) run --rm \
+		--platform=linux/$* \
+		-v "$(PWD)":/src \
+		-w /src \
+		golang:1.19-alpine \
+		sh -c 'CGO_ENABLED=0 GOOS=linux GOARCH=$* go build -ldflags "-s -w -extldflags=-Wl,-z,now,-z,relro" -o build/$(appname)-linuxmusl-$* && cd build && sha256sum $(appname)-linuxmusl-$* > $(appname)-linuxmusl-$*.sha256'
+
 build/linux_ppc64le: $(sources)
 	$(call build,linux,ppc64le,)
 	$(call sha,linux,ppc64le,)