fix temp directories are no longer cleared (#1553)

* fix temp directories are no longer cleared

Signed-off-by: Roshan Kumar <[email protected]>

* Updated ENV.md with CDXGEN_TEMP_DIR

Signed-off-by: Roshan Kumar <[email protected]>

* added CDXGEN_TEMP_DIR to dckertests and repotests

Signed-off-by: Roshan Kumar <[email protected]>

* fixed getTmpDir

Signed-off-by: Roshan Kumar <[email protected]>

---------

Signed-off-by: Roshan Kumar <[email protected]>

.github/workflows/dockertests.yml

@@ -45,6 +45,7 @@ jobs:
           mkdir -p bomresults repotests
         env:
           CI: true
+          CDXGEN_TEMP_DIR: ${{ runner.temp }}/cdxgen-dockertests
       - uses: actions/checkout@v4
         with:
           repository: 'grafana-operator/grafana-operator'

.github/workflows/repotests.yml

@@ -56,6 +56,7 @@ jobs:
           mkdir -p denoresults
         env:
           CI: true
+          CDXGEN_TEMP_DIR: ${{ runner.temp }}/cdxgen-repotests
       - name: Setup Android SDK
         uses: android-actions/setup-android@v3
         if: matrix.os != 'self-hosted'

bin/cdxgen.js

@@ -2,7 +2,6 @@
 
 import crypto from "node:crypto";
 import fs from "node:fs";
-import { tmpdir } from "node:os";
 import { basename, dirname, join, resolve } from "node:path";
 import process from "node:process";
 import { URL } from "node:url";
@@ -22,7 +21,7 @@ import {
   printSummary,
   printTable,
 } from "../lib/helpers/display.js";
-import { ATOM_DB, dirNameStr } from "../lib/helpers/utils.js";
+import { ATOM_DB, dirNameStr, getTmpDir } from "../lib/helpers/utils.js";
 import { validateBom } from "../lib/helpers/validator.js";
 import { postProcess } from "../lib/stages/postgen/postgen.js";
 import { prepareEnv } from "../lib/stages/pregen/pregen.js";
@@ -541,9 +540,9 @@ const checkPermissions = (filePath) => {
     );
     return false;
   }
-  if (!process.permission.has("fs.write", tmpdir())) {
+  if (!process.permission.has("fs.write", getTmpDir())) {
     console.log(
-      `FileSystemWrite permission required. Please invoke with the argument --allow-fs-write="${tmpdir()}"`,
+      `FileSystemWrite permission required. Please invoke with the argument --allow-fs-write="${getTmpDir()}"`,
     );
     return false;
   }

bin/repl.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import fs from "node:fs";
-import { homedir, tmpdir } from "node:os";
+import { homedir } from "node:os";
 import { join } from "node:path";
 import process from "node:process";
 import repl from "node:repl";
@@ -19,6 +19,7 @@ import {
   printTable,
   printVulnerabilities,
 } from "../lib/helpers/display.js";
+import { getTmpDir } from "../lib/helpers/utils.js";
 import { validateBom } from "../lib/helpers/validator.js";
 
 const options = {
@@ -107,7 +108,7 @@ cdxgenRepl.defineCommand("create", {
   help: "create an SBOM for the given path",
   async action(sbomOrPath) {
     this.clearBufferedCommand();
-    const tempDir = fs.mkdtempSync(join(tmpdir(), "cdxgen-repl-"));
+    const tempDir = fs.mkdtempSync(join(getTmpDir(), "cdxgen-repl-"));
     const bomFile = join(tempDir, "bom.json");
     const bomNSData = await createBom(sbomOrPath, {
       multiProject: true,

contrib/bulk-generate/index.js

@@ -11,10 +11,10 @@ import {
   rmSync,
   writeFileSync,
 } from "node:fs";
-import { tmpdir } from "node:os";
 import { basename, dirname, join } from "node:path";
 import process from "node:process";
 import { fileURLToPath } from "node:url";
+import { getTmpDir } from "../../lib/helpers/utils.js";
 
 let url = import.meta.url;
 if (!url.startsWith("file://")) {
@@ -112,7 +112,7 @@ function main(argvs) {
     console.log("USAGE: node index.js <csv file> <output directory>");
     process.exit(1);
   }
-  const tempDir = mkdtempSync(join(tmpdir(), "bulk-generate-"));
+  const tempDir = mkdtempSync(join(getTmpDir(), "bulk-generate-"));
   const reposList = readcsv(argvs[0], argvs[1]);
   for (const repoArgs of reposList) {
     if (!repoArgs?.project?.length) {

docs/ENV.md

@@ -91,3 +91,4 @@ The following environment variables are available to configure the bom generatio
 | BUNDLE_INSTALL_ARGS | Additional arguments to pass to bundle install command. |
 | BUNDLE_UPDATE_ARGS | Additional arguments to pass to bundle update command. |
 | CDXGEN_GEM_HOME | Customize the GEM_HOME directory to use, while collecting the module names for all the gems in deep mode. This could be different from the system gems directory too. Can be used in addition to `GEM_PATH` environment variable too to improve the success rate. |
+| CDXGEN_TEMP_DIR | Specifies the parent temporary directory used for storing intermediate files during SBOM generation. The directory is automatically cleaned up after the process completes. |

lib/cli/index.js

@@ -13,7 +13,7 @@ import {
   unlinkSync,
   writeFileSync,
 } from "node:fs";
-import { platform as _platform, arch, homedir, tmpdir } from "node:os";
+import { platform as _platform, arch, homedir } from "node:os";
 import { basename, dirname, join, resolve, sep } from "node:path";
 import process from "node:process";
 import { URL } from "node:url";
@@ -76,6 +76,7 @@ import {
   getPyModules,
   getSwiftPackageMetadata,
   getTimestamp,
+  getTmpDir,
   hasAnyProjectType,
   includeMavenTestScope,
   isFeatureEnabled,
@@ -1236,7 +1237,7 @@ export async function createJarBom(path, options) {
   if (hpiFiles.length) {
     jarFiles = jarFiles.concat(hpiFiles);
   }
-  const tempDir = mkdtempSync(join(tmpdir(), "jar-deps-"));
+  const tempDir = mkdtempSync(join(getTmpDir(), "jar-deps-"));
   for (const jar of jarFiles) {
     if (DEBUG_MODE) {
       console.log(`Parsing ${jar}`);
@@ -1250,7 +1251,7 @@ export async function createJarBom(path, options) {
     }
   }
   // Clean up
-  if (tempDir?.startsWith(tmpdir()) && rmSync) {
+  if (tempDir?.startsWith(getTmpDir()) && rmSync) {
     rmSync(tempDir, { recursive: true, force: true });
   }
   pkgList = pkgList.concat(convertJarNSToPackages(nsMapping));
@@ -1277,7 +1278,7 @@ export function createAndroidBom(path, options) {
  * @param {Object} options Parse options from the cli
  */
 export function createBinaryBom(path, options) {
-  const tempDir = mkdtempSync(join(tmpdir(), "blint-tmp-"));
+  const tempDir = mkdtempSync(join(getTmpDir(), "blint-tmp-"));
   const binaryBomFile = join(tempDir, "bom.json");
   getBinaryBom(path, binaryBomFile, options.deep);
   if (existsSync(binaryBomFile)) {
@@ -1317,14 +1318,14 @@ export async function createJavaBom(path, options) {
       if (DEBUG_MODE) {
         console.log(`Retrieving packages from ${path}`);
       }
-      const tempDir = mkdtempSync(join(tmpdir(), "war-deps-"));
+      const tempDir = mkdtempSync(join(getTmpDir(), "war-deps-"));
       jarNSMapping = await collectJarNS(tempDir);
       pkgList = await extractJarArchive(path, tempDir, jarNSMapping);
       if (pkgList.length) {
         pkgList = await getMvnMetadata(pkgList);
       }
       // Clean up
-      if (tempDir?.startsWith(tmpdir()) && rmSync) {
+      if (tempDir?.startsWith(getTmpDir()) && rmSync) {
         console.log(`Cleaning up ${tempDir}`);
         rmSync(tempDir, { recursive: true, force: true });
       }
@@ -1478,7 +1479,7 @@ export async function createJavaBom(path, options) {
         result?.status !== 0 ||
         result?.error
       ) {
-        const tempDir = mkdtempSync(join(tmpdir(), "cdxmvn-"));
+        const tempDir = mkdtempSync(join(getTmpDir(), "cdxmvn-"));
         const tempMvnTree = join(tempDir, "mvn-tree.txt");
         const tempMvnParentTree = join(tempDir, "mvn-parent-tree.txt");
         let mvnTreeArgs = ["dependency:tree", `-DoutputFile=${tempMvnTree}`];
@@ -2125,8 +2126,8 @@ export async function createJavaBom(path, options) {
       const useSlashSyntax = !sbtVersion || gte(sbtVersion, "1.5.0");
       const isDependencyTreeBuiltIn =
         sbtVersion != null && gte(sbtVersion, "1.4.0");
-      const tempDir = mkdtempSync(join(tmpdir(), "cdxsbt-"));
-      const tempSbtgDir = mkdtempSync(join(tmpdir(), "cdxsbtg-"));
+      const tempDir = mkdtempSync(join(getTmpDir(), "cdxsbt-"));
+      const tempSbtgDir = mkdtempSync(join(getTmpDir(), "cdxsbtg-"));
       mkdirSync(tempSbtgDir, { recursive: true });
       // Create temporary plugins file
       const tempSbtPlugins = join(tempSbtgDir, "dep-plugins.sbt");
@@ -2931,7 +2932,7 @@ export async function createPythonBom(path, options) {
   let dependencies = [];
   let pkgList = [];
   let formulationList = [];
-  const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-venv-"));
+  const tempDir = mkdtempSync(join(getTmpDir(), "cdxgen-venv-"));
   let parentComponent = createDefaultParentComponent(path, "pypi", options);
   // We are checking only the root here for pipenv
   const pipenvMode = existsSync(join(path, "Pipfile"));
@@ -3385,7 +3386,7 @@ export async function createPythonBom(path, options) {
     }
   }
   // Clean up
-  if (tempDir?.startsWith(tmpdir()) && rmSync) {
+  if (tempDir?.startsWith(getTmpDir()) && rmSync) {
     rmSync(tempDir, { recursive: true, force: true });
   }
   // Re-compute the component scope
@@ -4497,7 +4498,7 @@ export async function createJenkinsBom(path, options) {
     `${options.multiProject ? "**/" : ""}*.hpi`,
     options,
   );
-  const tempDir = mkdtempSync(join(tmpdir(), "hpi-deps-"));
+  const tempDir = mkdtempSync(join(getTmpDir(), "hpi-deps-"));
   if (hpiFiles.length) {
     for (const f of hpiFiles) {
       if (DEBUG_MODE) {
@@ -4522,7 +4523,7 @@ export async function createJenkinsBom(path, options) {
     }
   }
   // Clean up
-  if (tempDir?.startsWith(tmpdir()) && rmSync) {
+  if (tempDir?.startsWith(getTmpDir()) && rmSync) {
     console.log(`Cleaning up ${tempDir}`);
     rmSync(tempDir, { recursive: true, force: true });
   }
@@ -5310,7 +5311,7 @@ export async function createRubyBom(path, options) {
         );
       }
       // Clean up
-      if (process.env?.CDXGEN_GEM_HOME?.startsWith(tmpdir())) {
+      if (process.env?.CDXGEN_GEM_HOME?.startsWith(getTmpDir())) {
         rmSync(process.env.CDXGEN_GEM_HOME, { recursive: true, force: true });
       }
     } else {
@@ -5678,7 +5679,7 @@ export async function createCsharpBom(path, options) {
     // Perform deep analysis using dosai
     if (options.deep) {
       const slicesFile = resolve(
-        options.depsSlicesFile || join(tmpdir(), "dosai.json"),
+        options.depsSlicesFile || join(getTmpDir(), "dosai.json"),
       );
       // Create the slices file if it doesn't exist
       if (!existsSync(slicesFile)) {
@@ -6424,7 +6425,7 @@ export async function createMultiXBom(pathList, options) {
   }
   // some cleanup, but not complete
   for (const path of pathList) {
-    if (path.startsWith(join(tmpdir(), "docker-images-"))) {
+    if (path.startsWith(join(getTmpDir(), "docker-images-"))) {
       if (rmSync) {
         rmSync(path, { recursive: true, force: true });
       }

lib/evinser/evinser.js

@@ -1,5 +1,4 @@
 import fs from "node:fs";
-import { tmpdir } from "node:os";
 import path, { resolve } from "node:path";
 import process from "node:process";
 import { PackageURL } from "packageurl-js";
@@ -16,6 +15,7 @@ import {
   getGradleCommand,
   getMavenCommand,
   getTimestamp,
+  getTmpDir,
 } from "../helpers/utils.js";
 import { postProcess } from "../stages/postgen/postgen.js";
 import { createSemanticsSlices } from "./swiftsem.js";
@@ -199,7 +199,7 @@ export async function createAndStoreSlice(
       },
     });
   }
-  if (retMap?.tempDir?.startsWith(tmpdir())) {
+  if (retMap?.tempDir?.startsWith(getTmpDir())) {
     fs.rmSync(retMap.tempDir, { recursive: true, force: true });
   }
   return sliceData;
@@ -231,7 +231,7 @@ export async function createSlice(
   }
 
   let sliceOutputDir = fs.mkdtempSync(
-    path.join(tmpdir(), `atom-${sliceType}-`),
+    path.join(getTmpDir(), `atom-${sliceType}-`),
   );
   if (options?.output) {
     sliceOutputDir =
@@ -1298,7 +1298,7 @@ export function createEvinseFile(sliceArtefacts, options) {
       "Unable to identify component evidence for the input SBOM. Only java, javascript, python, swift, and php projects are supported by evinse.",
     );
   }
-  if (tempDir?.startsWith(tmpdir())) {
+  if (tempDir?.startsWith(getTmpDir())) {
     fs.rmSync(tempDir, { recursive: true, force: true });
   }
   // Redo post processing with evinse data

lib/helpers/envcontext.js

@@ -1,7 +1,7 @@
 import { Buffer } from "node:buffer";
 import { spawnSync } from "node:child_process";
 import { existsSync } from "node:fs";
-import { arch, homedir, tmpdir } from "node:os";
+import { arch, homedir } from "node:os";
 import { delimiter, dirname, join } from "node:path";
 import process from "node:process";
 import { compareLoose } from "semver";
@@ -20,6 +20,7 @@ import {
   TIMEOUT_MS,
   getJavaCommand,
   getPythonCommand,
+  getTmpDir,
   isMac,
   isWin,
 } from "./utils.js";
@@ -707,7 +708,7 @@ export function bundleInstallWithDocker(rubyVersion, cdxgenGemHome, filePath) {
     "-e",
     "GEM_HOME=/gems",
     "-v",
-    `/tmp:${tmpdir()}:rw`,
+    `/tmp:${getTmpDir()}:rw`,
     "-v",
     `${filePath}:/app:rw`,
     "-v",

lib/helpers/protobom.test.js

@@ -1,11 +1,11 @@
 import { existsSync, mkdtempSync, readFileSync, rmSync } from "node:fs";
-import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { expect, test } from "@jest/globals";
+import { getTmpDir } from "./utils.js";
 
 import { readBinary, writeBinary } from "./protobom.js";
 
-const tempDir = mkdtempSync(join(tmpdir(), "bin-tests-"));
+const tempDir = mkdtempSync(join(getTmpDir(), "bin-tests-"));
 const testBom = JSON.parse(
   readFileSync("./test/data/bom-java.json", { encoding: "utf-8" }),
 );
@@ -26,7 +26,7 @@ test("proto binary tests", () => {
   expect(bomObject.serialNumber).toEqual(
     "urn:uuid:cc8b5a04-2698-4375-b04c-cedfa4317fee",
   );
-  if (tempDir?.startsWith(tmpdir()) && rmSync) {
+  if (tempDir?.startsWith(getTmpDir()) && rmSync) {
     rmSync(tempDir, { recursive: true, force: true });
   }
 });

lib/helpers/utils.js

@@ -8,6 +8,7 @@ import {
   createReadStream,
   existsSync,
   lstatSync,
+  mkdirSync,
   mkdtempSync,
   readFileSync,
   rmSync,
@@ -234,6 +235,11 @@ if (process.env.LEIN_CMD) {
   LEIN_CMD = process.env.LEIN_CMD;
 }
 
+export let CDXGEN_TEMP_DIR = "temp";
+if (process.env.CDXGEN_TEMP_DIR) {
+  CDXGEN_TEMP_DIR = process.env.CDXGEN_TEMP_DIR;
+}
+
 // On a mac, use xcrun
 // xcrun: Find and execute the named command line tool from the active developer directory
 export const SWIFT_CMD =
@@ -622,6 +628,13 @@ export function getTimestamp() {
   return `${new Date().toISOString().split(".")[0]}Z`;
 }
 
+export function getTmpDir() {
+  if (process.env.CDXGEN_TEMP_DIR && !existsSync(process.env.CDXGEN_TEMP_DIR)) {
+    mkdirSync(process.env.CDXGEN_TEMP_DIR, { recursive: true });
+  }
+  return process.env.CDXGEN_TEMP_DIR || tmpdir();
+}
+
 /**
  * Method to determine if a license is a valid SPDX license expression
  *

lib/managers/binary.js

@@ -8,7 +8,7 @@ import {
   readFileSync,
   rmSync,
 } from "node:fs";
-import { arch as _arch, platform as _platform, homedir, tmpdir } from "node:os";
+import { arch as _arch, platform as _platform, homedir } from "node:os";
 import { basename, dirname, join, resolve } from "node:path";
 import process from "node:process";
 import { PackageURL } from "packageurl-js";
@@ -19,6 +19,7 @@ import {
   adjustLicenseInformation,
   dirNameStr,
   findLicenseId,
+  getTmpDir,
   isSpdxLicenseExpression,
 } from "../helpers/utils.js";
 
@@ -381,7 +382,7 @@ export function getOSPackages(src) {
     if (existsSync(src)) {
       imageType = "rootfs";
     }
-    const tempDir = mkdtempSync(join(tmpdir(), "trivy-cdxgen-"));
+    const tempDir = mkdtempSync(join(getTmpDir(), "trivy-cdxgen-"));
     const bomJsonFile = join(tempDir, "trivy-bom.json");
     const args = [
       imageType,
@@ -427,7 +428,7 @@ export function getOSPackages(src) {
         // ignore errors
       }
       // Clean up
-      if (tempDir?.startsWith(tmpdir())) {
+      if (tempDir?.startsWith(getTmpDir())) {
         if (DEBUG_MODE) {
           console.log(`Cleaning up ${tempDir}`);
         }