Improve php tree (#1483)

* Added ubuntu lima and cloud-init configs

Signed-off-by: Prabhu Subramanian <[email protected]>

* Retain parent component hierarchy for php projects

Signed-off-by: Prabhu Subramanian <[email protected]>

* Retain parent component hierarchy for php projects

Signed-off-by: Prabhu Subramanian <[email protected]>

* Make the number of npm installs configurable

Signed-off-by: Prabhu Subramanian <[email protected]>

* Make the number of npm installs configurable

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>

contrib/cloud-init.txt

@@ -0,0 +1,86 @@
+#cloud-config
+users:
+  - name: builder
+    groups: users, admin
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    shell: /bin/bash
+    ssh_authorized_keys:
+      - ssh-rsa <public key>
+packages:
+  - fail2ban
+  - ufw
+  - zip
+  - unzip
+  - wget
+  - binutils
+  - git
+  - gnupg2
+  - curl
+  - tar
+  - libc6-dev
+  - libcurl4-openssl-dev
+  - libedit2
+  - libgcc-13-dev
+  - libpython3-dev
+  - libsqlite3-0
+  - libstdc++-13-dev
+  - libxml2-dev
+  - libncurses-dev
+  - libz3-dev
+  - pkg-config
+  - tzdata
+  - zlib1g-dev
+  - python3.12
+  - python3.12-venv
+  - python3.12-dev
+  - openjdk-21-jdk-headless
+  - gcc-13
+  - build-essential
+  - cargo-1.81
+  - rust-1.81-all
+  - golang-1.23
+  - software-properties-common
+  - ruby-full
+  - ruby-bundler
+  - docker.io
+  - docker-buildx
+  - docker-compose-v2
+  - podman
+  - android-sdk
+  - android-sdk-build-tools
+  - android-sdk-platform-23
+  - android-sdk-platform-tools
+  - maven
+package_update: true
+package_upgrade: true
+runcmd:
+  - printf "[sshd]\nenabled = true\nbanaction = iptables-multiport" > /etc/fail2ban/jail.local
+  - systemctl enable fail2ban
+  - ufw allow OpenSSH
+  - ufw enable
+  - sed -i -e '/^\(#\|\)PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)KbdInteractiveAuthentication/s/^.*$/KbdInteractiveAuthentication no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)ChallengeResponseAuthentication/s/^.*$/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 3/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
+  - sed -i '$a AllowUsers builder' /etc/ssh/sshd_config
+  - export SWIFT_SIGNING_KEY=52BB7E3DE28A71BE22EC05FFEF80A866B47A981F
+  - export SWIFT_PLATFORM=ubuntu24.04
+  - export SWIFT_BRANCH=swift-6.0.1-release
+  - export SWIFT_VERSION=swift-6.0.1-RELEASE
+  - export SWIFT_WEBROOT=https://download.swift.org
+  - export OS_ARCH_SUFFIX='-aarch64'
+  - export SWIFT_WEBDIR="$SWIFT_WEBROOT/$SWIFT_BRANCH/$(echo $SWIFT_PLATFORM | tr -d .)$OS_ARCH_SUFFIX"
+  - SWIFT_BIN_URL="$SWIFT_WEBDIR/$SWIFT_VERSION/$SWIFT_VERSION-$SWIFT_PLATFORM$OS_ARCH_SUFFIX.tar.gz"
+  - SWIFT_SIG_URL="$SWIFT_BIN_URL.sig"
+  - GNUPGHOME="$(mktemp -d)"
+  - curl -fsSL "$SWIFT_BIN_URL" -o swift.tar.gz "$SWIFT_SIG_URL" -o swift.tar.gz.sig
+  - gpg --batch --quiet --keyserver keyserver.ubuntu.com --recv-keys "$SWIFT_SIGNING_KEY"
+  - gpg --batch --verify swift.tar.gz.sig swift.tar.gz
+  - tar -xzf swift.tar.gz --directory / --strip-components=1
+  - chmod -R o+r /usr/lib/swift
+  - reboot

contrib/lima/README.md

@@ -28,6 +28,12 @@ cd cdxgen
 limactl start --name=cdxgen contrib/lima/cdxgen-opensuse.yaml --tty=false
 ```
 
+For ubuntu, use the below command.
+
+```
+limactl start --name=cdxgen contrib/lima/cdxgen-ubuntu.yaml --tty=false
+```
+
 Sample output
 
 ```shell
@@ -77,6 +83,10 @@ alias cdxgen="limactl shell cdxgen cdxgen"
 
 Monitor the installation by tailing the `/var/log/cloud-init-output.log` file.
 
+```shell
+limactl shell cdxgen sudo tail -f /var/log/cloud-init-output.log
+```
+
 ```shell
 limactl shell cdxgen-aarch64 sudo tail -f /var/log/cloud-init-output.log
 ```

contrib/lima/cdxgen-opensuse.yaml

@@ -63,11 +63,11 @@ provision:
     sdk install gradle $GRADLE_VERSION || true
     sdk install sbt $SBT_VERSION || true
     mkdir -p /opt
+    curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash
     npm install -g node-gyp @cyclonedx/cdxgen --omit=dev
     npx node-gyp install
     node -v
     npm -v
     gcc --version
     zypper clean -a
     cdxgen --version
-    curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash

contrib/lima/cdxgen-ubuntu.yaml

@@ -0,0 +1,83 @@
+images:
+- location: "https://cloud-images.ubuntu.com/releases/24.10/release-20241109/ubuntu-24.10-server-cloudimg-amd64.img"
+  arch: "x86_64"
+  digest: "sha256:05bbfe57d7701c685d8c65f4d34cebe947bc89e3509c4d8a2b9c77f39e91f3ca"
+- location: "https://cloud-images.ubuntu.com/releases/24.10/release-20241109/ubuntu-24.10-server-cloudimg-arm64.img"
+  arch: "aarch64"
+  digest: "sha256:0f1d5b8318342201e4200f592ff46c23ce29d486025b5b12b2036a6a009c93d8"
+- location: "https://cloud-images.ubuntu.com/releases/24.10/release/ubuntu-24.10-server-cloudimg-amd64.img"
+  arch: "x86_64"
+- location: "https://cloud-images.ubuntu.com/releases/24.10/release/ubuntu-24.10-server-cloudimg-arm64.img"
+  arch: "aarch64"
+mounts:
+- location: "/tmp/cdxgen"
+  writable: true
+containerd:
+  system: false
+  user: true
+env:
+  MAVEN_VERSION: 3.9.9
+  SBT_VERSION: 1.10.5
+  GRADLE_VERSION: 8.11
+  MAVEN_HOME: /.sdkman/candidates/maven/current
+  MAVEN_CMD: /.sdkman/candidates/maven/current/bin/mvn
+  GRADLE_HOME: /.sdkman/candidates/gradle/current
+  GRADLE_CMD: /.sdkman/candidates/gradle/current/bin/gradle
+  SBT_HOME: /.sdkman/candidates/sbt/current
+  SBT_CMD: /.sdkman/candidates/sbt/current/bin/sbt
+  SDKMAN_DIR: /.sdkman
+  SDKMAN_CANDIDATES_DIR: /.sdkman/candidates
+provision:
+- mode: dependency
+  skipDefaultDependencyResolution: false
+  script: |
+    #!/bin/bash
+    set -eux -o pipefail
+    apt update -y
+    apt install -y zip unzip wget binutils git gnupg2 curl tar libc6-dev libcurl4-openssl-dev libedit2 libgcc-13-dev libpython3-dev libsqlite3-0 libstdc++-13-dev libxml2-dev libncurses-dev libz3-dev pkg-config tzdata zlib1g-dev python3.12 python3.12-venv python3.12-dev openjdk-21-jdk-headless gcc-13 build-essential cargo-1.81 rust-1.81-all golang-1.23 software-properties-common ruby-full ruby-bundler docker.io docker-buildx docker-compose-v2 podman android-sdk android-sdk-build-tools android-sdk-platform-23 android-sdk-platform-tools
+    python3 -m pip install --no-cache-dir --upgrade pip virtualenv
+    python3 -m pip install --no-cache-dir poetry pipenv blint custom-json-diff owasp-depscan
+- mode: system
+  script: |
+    #!/bin/bash
+    set -e -o pipefail
+    export MAVEN_VERSION=3.9.9
+    export SBT_VERSION=1.10.5
+    export GRADLE_VERSION=8.11
+    export MAVEN_HOME="/.sdkman/candidates/maven/${MAVEN_VERSION}"
+    export GRADLE_HOME="/.sdkman/candidates/gradle/${GRADLE_VERSION}"
+    export SBT_HOME="/.sdkman/candidates/sbt/${SBT_VERSION}"
+    export SDKMAN_DIR=/.sdkman
+    export SDKMAN_CANDIDATES_DIR=/.sdkman/candidates
+    export PATH=${PATH}:${MAVEN_HOME}/bin:${GRADLE_HOME}/bin:${SBT_HOME}/bin:/usr/local/bin:
+    curl -s "https://get.sdkman.io" | bash
+    echo -e "sdkman_auto_answer=true\nsdkman_selfupdate_feature=false\nsdkman_auto_env=true\nsdkman_curl_connect_timeout=60\nsdkman_curl_max_time=0" >> /.sdkman/etc/config
+    source "/.sdkman/bin/sdkman-init.sh"
+    sdk install maven $MAVEN_VERSION || true
+    sdk install gradle $GRADLE_VERSION || true
+    sdk install sbt $SBT_VERSION || true
+    curl -fsSL https://deb.nodesource.com/setup_23.x -o nodesource_setup.sh
+    bash nodesource_setup.sh
+    apt install -y nodejs
+    rm nodesource_setup.sh
+    npm install -g node-gyp @cyclonedx/cdxgen --omit=dev
+    npx node-gyp install
+    node -v
+    npm -v
+    gcc --version
+    cdxgen --version
+    export SWIFT_SIGNING_KEY=52BB7E3DE28A71BE22EC05FFEF80A866B47A981F
+    export SWIFT_PLATFORM=ubuntu24.04
+    export SWIFT_BRANCH=swift-6.0.1-release
+    export SWIFT_VERSION=swift-6.0.1-RELEASE
+    export SWIFT_WEBROOT=https://download.swift.org
+    export OS_ARCH_SUFFIX='-aarch64'
+    export SWIFT_WEBDIR="$SWIFT_WEBROOT/$SWIFT_BRANCH/$(echo $SWIFT_PLATFORM | tr -d .)$OS_ARCH_SUFFIX"
+    SWIFT_BIN_URL="$SWIFT_WEBDIR/$SWIFT_VERSION/$SWIFT_VERSION-$SWIFT_PLATFORM$OS_ARCH_SUFFIX.tar.gz"
+    SWIFT_SIG_URL="$SWIFT_BIN_URL.sig"
+    GNUPGHOME="$(mktemp -d)"
+    curl -fsSL "$SWIFT_BIN_URL" -o swift.tar.gz "$SWIFT_SIG_URL" -o swift.tar.gz.sig
+    gpg --batch --quiet --keyserver keyserver.ubuntu.com --recv-keys "$SWIFT_SIGNING_KEY"
+    gpg --batch --verify swift.tar.gz.sig swift.tar.gz
+    tar -xzf swift.tar.gz --directory / --strip-components=1
+    chmod -R o+r /usr/lib/swift

deno.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "11.0.5",
+  "version": "11.0.6",
   "exports": "./lib/cli/index.js",
   "compilerOptions": {
     "lib": ["deno.window"],

docs/ENV.md

@@ -61,7 +61,8 @@ The following environment variables are available to configure the bom generatio
 | DOCKER_CERT_PATH                | Path to the certs directory containing cert.pem and key.pem                                                                                                                                                                                                                                                                         |
 | DOCKER_TLS_VERIFY               | Set to empty value to disable tls for insecure registries                                                                                                                                                                                                                                                                           |
 | NODE_OPTIONS                    | If you are experiencing Out Of Memory issues, consider increase the node heap (ie: `--max-old-space-size=8192`)                                                                                                                                                                                                                     |
-| NPM_INSTALL_ARGS                | Set to pass additional arguments such as `--package-lock-only` to the npm install command                                                                                                                                                                                                                                           |
+| NPM_INSTALL_ARGS                | Set to pass additional arguments such as `--package-lock-only` or `--legacy-peer-deps` to the npm install command                                                                                                                                                                                                                   |
+| NPM_INSTALL_COUNT               | Limit the number of automatic npm install to this count. Default: 2. Since cdxgen 11.0.5                                                                                                                                                                                                                                            |
 | SWIFT_COMPILER_ARGS             | Full compiler arguments string to use for semantic analysis. Eg: -sdk <path> -F <path> -Xcc -I <path>                                                                                                                                                                                                                               |
 | SWIFT_SDK_ARGS                  | Swift sdk arguments. Eg: -sdk <path>                                                                                                                                                                                                                                                                                                |
 | SWIFT_COMPILER_EXTRA_ARGS       | Extra compiler arguments to add to the auto-detected string. Eg: -suppress-warnings -track-system-dependencies                                                                                                                                                                                                                      |

jsr.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "11.0.5",
+  "version": "11.0.6",
   "exports": "./lib/cli/index.js",
   "include": ["*.js", "lib/**", "bin/**", "data/**", "types/**"],
   "exclude": [