Introduction

This repo contains the base images for AppThreat projects such as cdxgen. They were created based on specific issues and challenges observed in enterprise deployments. There will be no FREE community support offered for these images. Pull requests are NOT accepted.

Unofficial cdxgen variants

Legacy Java applications

The official cdxgen image bundles Java >= 23 with the latest maven and gradle. Legacy applications that rely on Java 11 can use the unofficial image ghcr.io/appthreat/cdxgen-java11-slim:v11. For Java 17, use ghcr.io/appthreat/cdxgen-java17-slim:v11.

Example invocations:

Java 11 version

docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $HOME/.m2:$HOME/.m2 -v $(pwd):/app:rw -t ghcr.io/appthreat/cdxgen-java11-slim:v11 -r /app -o /app/bom.json -t java

Java 11 version with Android 33 SDK and gcc

docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $HOME/.m2:$HOME/.m2 -v $(pwd):/app:rw -t ghcr.io/appthreat/cdxgen-java11:v11 -r /app -o /app/bom.json -t java

Java 17 version

docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $HOME/.m2:$HOME/.m2 -v $(pwd):/app:rw -t ghcr.io/appthreat/cdxgen-java17-slim:v11 -r /app -o /app/bom.json -t java

Java 17 version with Android 34 SDK and gcc

docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $HOME/.m2:$HOME/.m2 -v $(pwd):/app:rw -t ghcr.io/appthreat/cdxgen-java17:v11 -r /app -o /app/bom.json -t java

.Net Framework, .Net Core 3.1, and .Net 6.0 applications

Use the unofficial image ghcr.io/appthreat/cdxgen-dotnet:v11.

Example invocation:

.Net Framework 4.6 - 4.8

A bundled version of nuget and mono is used to support .Net framework apps.

docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/appthreat/cdxgen-dotnet6:v11 -r /app -o /app/bom.json -t dotnet-framework

Dotnet 3.1 or Dotnet 6.0

docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/appthreat/cdxgen-dotnet6:v11 -r /app -o /app/bom.json -t dotnet

Dotnet 7.0

docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/appthreat/cdxgen-dotnet7:v11 -r /app -o /app/bom.json -t dotnet

Dotnet 8.0

docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/appthreat/cdxgen-dotnet8:v11 -r /app -o /app/bom.json -t dotnet

Dotnet 9.0

Dotnet 9 is also bundled with the official ghcr.io/cyclonedx/cdxgen image.

docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/appthreat/cdxgen-dotnet9:v11 -r /app -o /app/bom.json -t dotnet

Python applications

Use the unofficial image ghcr.io/appthreat/cdxgen-python312:v11 or ghcr.io/appthreat/cdxgen-python311:v11. This includes additional build tools and libraries to build a range of Python applications. Construction of the dependency tree is supported with Python >= 3.9.

Example invocation:

Python 3.6 (Direct dependencies only without dependency tree)

docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/appthreat/cdxgen-python36:v11 -r /app -o /app/bom.json -t python

NOTE: dependency tree is unavailable with Python 3.6

Python 3.9

docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/appthreat/cdxgen-python39:v11 -r /app -o /app/bom.json -t python

Python 3.10

docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/appthreat/cdxgen-python310:v11 -r /app -o /app/bom.json -t python

Python 3.11

docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/appthreat/cdxgen-python311:v11 -r /app -o /app/bom.json -t python

Python 3.12

docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/appthreat/cdxgen-python312:v11 -r /app -o /app/bom.json -t python

Node.js applications

Use the unofficial image ghcr.io/appthreat/cdxgen-node20:v11.

Node.js 20

docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/appthreat/cdxgen-node20:v11 -r /app -o /app/bom.json -t js

Deno version

Use the unofficial image ghcr.io/appthreat/cdxgen-deno:v11.

docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/appthreat/cdxgen-deno:v11 -r /app -o /app/bom.json -t js

PHP applications

Use the unofficial image ghcr.io/appthreat/cdxgen-php82:v11.

docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/appthreat/cdxgen-php82:v11 -r /app -o /app/bom.json -t php

Troubleshooting

npm install issues

Node.js applications that rely on native builds using node-gyp might also require specific version of Node.js and Python to build properly. Try using the base image ghcr.io/appthreat/bci-node20 to test the npm install command directly.

docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -w /app -it ghcr.io/appthreat/bci-node20:main npm install

Use the --platform argument to test the install command under a different architecture such as linux/arm64 or linux/amd64.

docker run --platform=linux/arm64 --rm -v /tmp:/tmp -v $(pwd):/app:rw -w /app -it ghcr.io/appthreat/bci-node20:main npm install

docker run --platform=linux/amd64 --rm -v /tmp:/tmp -v $(pwd):/app:rw -w /app -it ghcr.io/appthreat/bci-node20:main npm install

.Net framework issues

Old .Net framework applications (<= 4.7) are well known for their dislike of linux and hence may not restore/build easily. To troubleshoot, try running the nuget restore command manually using the bci-dotnet image as shown.

docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -w /app -it ghcr.io/appthreat/bci-dotnet:main nuget restore -Verbosity detailed /app/<solution file name>

If you see any mono-related crashes, there isn't a lot that can be done other than using the correct version of Windows for the restore step.

View the assemblies in the Global Assembly Cache

Assemblies that are present in the Global Assembly Cache can be referred to and used directly without specifying a version number. This style of includes is common with namespaces such as System., Microsoft., and Mono.. Use the command gacutil -l to obtain the version details for libraries from GAC.

docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -w /app -it ghcr.io/appthreat/bci-dotnet:main gacutil -l

Sample output:

System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.ComponentModel.Composition, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.ComponentModel.DataAnnotations, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Data.DataSetExtensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Data.Linq, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Data.OracleClient, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Data.Services.Client, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.DirectoryServices.Protocols, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.IO.Compression, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.IO.Compression.FileSystem, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.IdentityModel.Selectors, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Json, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
System.Json.Microsoft, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Messaging, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Net, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Net.Http.Formatting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
System.Net.Http.WebRequest, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Numerics.Vectors, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Reactive.Core, Version=2.2.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35

Testing arm64 from x64 machines

• Install Rancher Desktop and setup nerdctl instead of docker
• Setup multi-platform by following this doc

Include the below argument with the nerdctl run command.

--platform=linux/arm64

Example:

nerdctl run --rm --platform=linux/arm64 -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/appthreat/cdxgen-node20:v11 -r /app -o /app/bom.json -t js

License

MIT

NOTE: No FREE support will be offered for users of these images. Pull Requests are NOT accepted.

Useful links

• Identifying .Net vs .Net Framework