CycloneDX · prabhu · Jan 12, 2025 · Jan 12, 2025 · Jan 12, 2025 · Jan 12, 2025
@@ -453,6 +453,44 @@ jobs:
           tags: ghcr.io/cyclonedx/cdxgen-debian-ruby34:v11
           labels: ${{ steps.meta-cdxgen-debian-ruby34.outputs.labels }}
 
+  debian-ruby18-image:
+    if: github.repository == 'CycloneDX/cdxgen'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta-debian-ruby18
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/cyclonedx/debian-ruby18
+
+      - name: Build and push Docker images
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ci/base-images/debian/Dockerfile.ruby18
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta-debian-ruby18.outputs.tags }}
+          labels: ${{ steps.meta-debian-ruby18.outputs.labels }}
+
   sle-dotnet7-image:
     if: github.repository == 'CycloneDX/cdxgen'
     runs-on: ubuntu-latest

@@ -144,18 +144,18 @@ docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghc
 
 ### Ruby applications
 
-Use the custom image `ghcr.io/cyclonedx/cdxgen-ruby34:v11`.
+Use the custom image `ghcr.io/cyclonedx/cdxgen-debian-ruby34:v11`.
 
 Ruby 3.3.6 (debian version)
 
 ```shell
-docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-ruby33:v11 -r /app -o /app/bom.json -t ruby
+docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-debian-ruby33:v11 -r /app -o /app/bom.json -t ruby
 ```
 
 Ruby 3.4.1 (debian version)
 
 ```shell
-docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-ruby34:v11 -r /app -o /app/bom.json -t ruby
+docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-debian-ruby34:v11 -r /app -o /app/bom.json -t ruby
 ```
 
 Ruby 2.5.0 (SLE version)
@@ -171,9 +171,28 @@ Pass any Ruby version with the type argument to make cdxgen automatically instal
 Example: Pass `-t ruby3.3.1` to install Ruby 3.3.1
 
 ```shell
-docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-ruby34:v11 -r /app -o /app/bom.json -t ruby3.3.1
+docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-debian-ruby34:v11 -r /app -o /app/bom.json -t ruby3.3.1
 ```
 
+Working with Ruby 1.8 applications? We have a Ruby 1.8 image that uses `debian:jessie` as the base image. Unfortunately, we couldn't find a way to install nodejs >= 20 in jessie, so we need a split workflow:
+
+1. Perform bundle install with our debian-ruby18 image.
+
+```shell
+docker run --rm -v /tmp:/tmp:rw -e GEM_HOME=/tmp/gems -v $(pwd):/app:rw -w /app -t ghcr.io/cyclonedx/debian-ruby18:master bundle install
+
+# Optionally, pass any bundle install args to build those stubborn projects
+# docker run --rm -v /tmp:/tmp:rw -e GEM_HOME=/tmp/gems -e "BUNDLE_INSTALL_ARGS=--without test" -v $(pwd):/app:rw -w /app -t ghcr.io/cyclonedx/debian-ruby18:master bundle install
+```
+
+2. Run cdxgen using ruby25 image.
+
+```shell
+docker run --rm -e CDXGEN_DEBUG_MODE=debug -e CDXGEN_GEM_HOME=/tmp/gems -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-ruby25:v11 -r /app -o /app/bom.json -t ruby --lifecycle pre-build
+```
+
+Notice the use of `GEM_HOME` and `CDXGEN_GEM_HOME` environment variables. `--deep` mode is currently not supported for Ruby 1.8.
+
 ## Troubleshooting
 
 ### .Net restore crashes

@@ -19,8 +19,8 @@ ENV PATH=${PATH}:/root/.nvm/versions/node/v${NODE_VERSION}/bin:${JAVA_HOME}/bin:
 
 COPY ci/base-images/debian/install.sh /tmp/
 
-RUN apt-get update && apt-get install -y --no-install-recommends curl bash bzip2 git-core zip unzip make gawk \
-    && apt-get install -y build-essential mono-devel mono-xbuild nuget python3 python3-pip python3-dev \
+RUN apt-get update && apt-get install -qq -y --no-install-recommends curl bash bzip2 git-core zip unzip make gawk \
+    && apt-get install -qq -y build-essential mono-devel mono-xbuild nuget python3 python3-pip python3-dev locales \
     && chmod +x /tmp/install.sh \
     && ./tmp/install.sh && rm /tmp/install.sh \
     && node -v \

@@ -19,8 +19,8 @@ ENV PATH=${PATH}:/root/.nvm/versions/node/v${NODE_VERSION}/bin:${JAVA_HOME}/bin:
 
 COPY ci/base-images/debian/install.sh /tmp/
 
-RUN apt-get update && apt-get install -y --no-install-recommends curl bash bzip2 git-core zip unzip make gawk \
-    && apt-get install -y build-essential python3 python3-pip python3-dev \
+RUN apt-get update && apt-get install -qq -y --no-install-recommends curl bash bzip2 git-core zip unzip make gawk \
+    && apt-get install -qq -y build-essential python3 python3-pip python3-dev locales \
     && chmod +x /tmp/install.sh \
     && ./tmp/install.sh && rm /tmp/install.sh \
     && node -v \

@@ -19,8 +19,8 @@ ENV PATH=${PATH}:/root/.nvm/versions/node/v${NODE_VERSION}/bin:${JAVA_HOME}/bin:
 
 COPY ci/base-images/debian/install.sh /tmp/
 
-RUN apt-get update && apt-get install -y --no-install-recommends curl bash bzip2 git-core zip unzip make gawk \
-    && apt-get install -y build-essential python3 python3-pip python3-dev \
+RUN apt-get update && apt-get install -qq -y --no-install-recommends curl bash bzip2 git-core zip unzip make gawk \
+    && apt-get install -qq -y build-essential python3 python3-pip python3-dev locales \
     && chmod +x /tmp/install.sh \
     && ./tmp/install.sh && rm /tmp/install.sh \
     && node -v \

@@ -0,0 +1,53 @@
+FROM debian:jessie
+
+ARG JAVA_VERSION=23.0.1-tem
+ARG NODE_VERSION=20.17.0
+ARG ATOM_RUBY_VERSION=3.4.1
+ARG BUNDLER_VERSION=1.17.3
+ARG RAKE_VERSION=0.7.3
+ARG RMAGICK_VERSION=2.16.0
+ARG NOKOGIRI_VERSION=1.5.11
+
+ENV JAVA_VERSION=$JAVA_VERSION \
+    JAVA_HOME="/opt/java/${JAVA_VERSION}" \
+    ATOM_RUBY_VERSION=$ATOM_RUBY_VERSION \
+    RUBY_VERSION=1.8.7-p374 \
+    BUNDLER_VERSION=$BUNDLER_VERSION \
+    RAKE_VERSION=$RAKE_VERSION \
+    RMAGICK_VERSION=$RMAGICK_VERSION \
+    BUNDLE_SILENCE_ROOT_WARNING=true \
+    LC_ALL=en_US.UTF-8 \
+    LANG=en_US.UTF-8 \
+    LANGUAGE=en_US.UTF-8 \
+    NVM_DIR="/root/.nvm"
+ENV PATH=/usr/local/rvm/gems/ruby-${RUBY_VERSION}/bin:/usr/local/rvm/gems/ruby-${RUBY_VERSION}@global/bin:/usr/local/rvm/rubies/ruby-${RUBY_VERSION}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/rvm/bin:${PATH}:/root/.nvm/versions/node/v${NODE_VERSION}/bin:/usr/local/bin:/root/.local/bin:/root/.rbenv/bin:
+
+COPY ci/base-images/debian/install.sh /tmp/
+
+RUN set -ex \
+    && rm /etc/apt/sources.list \
+    && echo "deb http://archive.debian.org/debian-security jessie/updates main" >> /etc/apt/sources.list.d/jessie.list \
+    && echo "deb http://archive.debian.org/debian jessie main" >> /etc/apt/sources.list.d/jessie.list \
+    && apt-get -o Acquire::Check-Valid-Until=false update && apt-get install -qq -y --force-yes --no-install-recommends curl bash bzip2 git-core zip unzip make gawk gnupg2 nodejs \
+    && apt-get install -qq -y --force-yes build-essential python3 python3-pip python3-dev libmagic-dev locales autoconf automake bison libffi-dev libgdbm-dev \
+        libncurses5-dev libsqlite3-dev libtool libyaml-dev pkg-config sqlite3 zlib1g-dev libgmp-dev libreadline6-dev libssl-dev libc-dev libxslt-dev libmagickwand-dev \
+    && command curl -sSL https://rvm.io/mpapis.asc | gpg2 --import - \
+    && command curl -sSL https://rvm.io/pkuczynski.asc | gpg2 --import - \
+    && echo "export rvm_max_time_flag=20" >> ~/.rvmrc \
+    && curl -sSL https://get.rvm.io | bash -s stable --ruby=${RUBY_VERSION} \
+    && rvm use ruby-${RUBY_VERSION} \
+    && ruby --version \
+    && gem install bundler -v ${BUNDLER_VERSION} --no-ri --no-rdoc \
+    && gem install rake -v ${RAKE_VERSION} --no-ri --no-rdoc \
+    && gem install slimgems --no-ri --no-rdoc \
+    && gem install nokogiri -v ${NOKOGIRI_VERSION} \
+    && gem install rmagick -v ${RMAGICK_VERSION} \
+    && gem install eventmachine -v 1.2.7 \
+    && gem install sqlite3-ruby -v 1.2.4 \
+    && gem install sqlite3 -v 1.3.13 \
+    && chmod +x /tmp/install.sh \
+    && SKIP_PYTHON=yes SKIP_NODEJS=yes ./tmp/install.sh && rm /tmp/install.sh \
+    && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+    && rm -rf /var/lib/apt/lists/*
+
+CMD /bin/bash
@@ -7,6 +7,7 @@ ARG ATOM_RUBY_VERSION=3.4.1
 ENV JAVA_VERSION=$JAVA_VERSION \
     JAVA_HOME="/opt/java/${JAVA_VERSION}" \
     ATOM_RUBY_VERSION=$ATOM_RUBY_VERSION \
+    BUNDLE_SILENCE_ROOT_WARNING=true \
     LC_ALL=en_US.UTF-8 \
     LANG=en_US.UTF-8 \
     LANGUAGE=en_US.UTF-8 \
@@ -15,13 +16,13 @@ ENV PATH=${PATH}:/root/.nvm/versions/node/v${NODE_VERSION}/bin:/usr/local/bin:/r
 
 COPY ci/base-images/debian/install.sh /tmp/
 
-RUN apt-get update && apt-get install -y --no-install-recommends curl bash bzip2 git-core zip unzip make gawk \
-    && apt-get install -y build-essential python3 python3-pip python3-dev libmagic-dev \
+RUN apt-get update && apt-get install -qq -y --no-install-recommends curl bash bzip2 git-core zip unzip make gawk \
+    && apt-get install -qq -y build-essential python3 python3-pip python3-dev libmagic-dev locales \
     && chmod +x /tmp/install.sh \
     && ./tmp/install.sh && rm /tmp/install.sh \
     && node -v \
     && npm -v \
-    && gem install bundler \
+    && gem install bundler --no-ri --no-rdoc \
     && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
     && rm -rf /var/lib/apt/lists/*
 

@@ -5,6 +5,7 @@ ARG NODE_VERSION=23.6.0
 
 ENV JAVA_VERSION=$JAVA_VERSION \
     JAVA_HOME="/opt/java/${JAVA_VERSION}" \
+    BUNDLE_SILENCE_ROOT_WARNING=true \
     LC_ALL=en_US.UTF-8 \
     LANG=en_US.UTF-8 \
     LANGUAGE=en_US.UTF-8 \
@@ -13,13 +14,13 @@ ENV PATH=${PATH}:/root/.nvm/versions/node/v${NODE_VERSION}/bin:/usr/local/bin:/r
 
 COPY ci/base-images/debian/install.sh /tmp/
 
-RUN apt-get update && apt-get install -y --no-install-recommends curl bash bzip2 git-core zip unzip make gawk \
-    && apt-get install -y build-essential python3 python3-pip python3-dev libmagic-dev \
+RUN apt-get update && apt-get install -qq -y --no-install-recommends curl bash bzip2 git-core zip unzip make gawk \
+    && apt-get install -qq -y build-essential python3 python3-pip python3-dev libmagic-dev locales \
     && chmod +x /tmp/install.sh \
     && ./tmp/install.sh && rm /tmp/install.sh \
     && node -v \
     && npm -v \
-    && gem install bundler \
+    && gem install bundler --no-ri --no-rdoc \
     && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
     && rm -rf /var/lib/apt/lists/*
 

@@ -25,9 +25,14 @@ sdk offline enable
 mv /root/.sdkman/candidates/* /opt/
 rm -rf /root/.sdkman
 
-python3 -m pip install --no-cache-dir --upgrade pip virtualenv
-python3 -m pip install --no-cache-dir --upgrade --user pipenv poetry uv
-curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash
-chmod +x /root/.nvm/nvm.sh
-source /root/.nvm/nvm.sh
-nvm install ${NODE_VERSION}
+if [ x"${SKIP_PYTHON}" != "xyes" ]; then
+  python3 -m pip install --no-cache-dir --upgrade pip virtualenv
+  python3 -m pip install --no-cache-dir --upgrade --user pipenv poetry uv
+fi
+
+if [ x"${SKIP_NODEJS}" != "xyes" ]; then
+  curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash
+  chmod +x /root/.nvm/nvm.sh
+  source /root/.nvm/nvm.sh
+  nvm install ${NODE_VERSION}
+fi
@@ -7,6 +7,7 @@ ENV LC_ALL=en_US.UTF-8 \
     LANGUAGE=en_US.UTF-8 \
     ATOM_RUBY_VERSION=$ATOM_RUBY_VERSION \
     ATOM_RUBY_HOME=/root/.rbenv/versions/${ATOM_RUBY_VERSION} \
+    BUNDLE_SILENCE_ROOT_WARNING=true \
     JAVA_OPTIONS="-Dhttps.protocols=TLSv1.1,TLSv1.2"
 
 ENV PATH=${PATH}:/usr/local/bin:/root/.local/bin:/root/.rbenv/bin:

@@ -86,3 +86,8 @@ The following environment variables are available to configure the bom generatio
 | GRADLE_ARGS                       | A space-separated list of additional arguments passed to Gradle commands. Useful for providing custom profiles, configurations, or settings for builds.                                                                                                |
 | SDKMAN_VERSION                    | Specifies the version of SDKMAN to use. Useful for managing SDKs and ensuring compatibility with tools and environments.                                                                                                                              |
 | NVM_DIR                           | Defines the directory where Node Version Manager (NVM) is installed. Used to locate and manage Node.js versions in environments where NVM is utilized.                                                                                                |
+| RBENV_CMD | rbenv command to use |
+| RBENV_ROOT | Set the rbenv root directory for custom rbenv installations. |
+| BUNDLE_INSTALL_ARGS | Additional arguments to pass to bundle install command. |
+| BUNDLE_UPDATE_ARGS | Additional arguments to pass to bundle update command. |
+| CDXGEN_GEM_HOME | Customize the GEM_HOME directory to use, while collecting the module names for all the gems in deep mode. This could be different from the system gems directory too. Can be used in addition to `GEM_PATH` environment variable too to improve the success rate. |
@@ -5296,6 +5296,11 @@ export async function createRubyBom(path, options) {
           console.log(
             "Unable to collect the module names for all the gems. Resolve the errors reported and re-run cdxgen.",
           );
+          if (DEBUG_MODE) {
+            console.log(
+              "Tried everything to get the `--deep` mode working? Please create an issue with a sample repo to reproduce this problem. https://github.com/CycloneDX/cdxgen/issues",
+            );
+          }
           break;
         }
       }
@@ -5309,9 +5314,15 @@ export async function createRubyBom(path, options) {
         rmSync(process.env.CDXGEN_GEM_HOME, { recursive: true, force: true });
       }
     } else {
-      console.log(
-        "Set the environment variable CDXGEN_GEM_HOME or GEM_HOME to collect the module names for installed gems.",
-      );
+      if (process.env.CDXGEN_GEM_HOME) {
+        console.log(
+          `${process.env.CDXGEN_GEM_HOME} was empty. Ensure "bundle install" command was successful prior to invoking cdxgen.`,
+        );
+      } else {
+        console.log(
+          "Set the environment variable CDXGEN_GEM_HOME or GEM_HOME to collect the module names for installed gems.",
+        );
+      }
     }
   }
   return buildBomNSData(options, pkgList, "gem", {

@@ -746,6 +746,9 @@ export function bundleInstallWithDocker(rubyVersion, cdxgenGemHome, filePath) {
  * @param filePath File path
  */
 export function installRubyVersion(rubyVersion, filePath) {
+  if (!rubyVersion) {
+    return { fullToolBinDir: undefined, status: false };
+  }
   const existingRuby = collectRubyInfo(filePath);
   if (existingRuby?.version?.startsWith(`ruby ${rubyVersion} `)) {
     return { fullToolBinDir: undefined, status: true };
@@ -773,6 +776,21 @@ export function installRubyVersion(rubyVersion, filePath) {
       return { fullToolBinDir, status: true };
     }
   }
+  // Check if we're trying to install Ruby 1.x or 2.x
+  if (rubyVersion.startsWith("1.")) {
+    console.log(
+      `Ruby version ${rubyVersion} requires very old versions of Linux such as debian:8. Consider using the container image "ghcr.io/cyclonedx/debian-ruby18:master" to build the application first and then invoke cdxgen with the arguments "--lifecycle pre-build".`,
+    );
+    console.log("The below install step is likely to fail.");
+  } else if (
+    rubyVersion.startsWith("2.") &&
+    process.env?.CDXGEN_IN_CONTAINER !== "true"
+  ) {
+    console.log(
+      `Installing Ruby version ${rubyVersion} requires specific development libraries. Consider using the custom container image "ghcr.io/cyclonedx/cdxgen-ruby25:v11" instead.`,
+    );
+    console.log("The below install step is likely to fail.");
+  }
   console.log(
     `Attempting to install Ruby ${rubyVersion} using rbenv. This might take a while ...`,
   );
@@ -1007,6 +1025,14 @@ export function performBundleInstall(
         );
       }
     }
+    if (result?.stderr?.includes("Bundler cannot continue")) {
+      console.log(
+        'Bundle install is unable to continue due to a dependency resolution and build issue. Running bundle install without certain groups might work in such instances. Try running cdxgen with the environment variable `BUNDLE_INSTALL_ARGS`. Example: to skip `test` group, set the variable `"BUNDLE_INSTALL_ARGS=--without test"`',
+      );
+      console.log(
+        "NOTE: The generated SBOM would be incomplete with this workaround.",
+      );
+    }
     if (
       !pythonWarningShown &&
       (result?.stderr?.includes("Failed to build gem native extension") ||