Today, it is hard to find any software built from scratch. Most applications built today combine components, development frameworks and libraries that are either downloaded or compiled from third-party sources. That said, more companies are seeking deeper transparency into the software components entering their software supply chain.
SBOMs: The New Entry to the DevSecOps Pipeline
SBOMs are quickly becoming foundational data sources for a variety of DevSecOps use cases. Even though there is a multitude of security scanning tools available on the internet that can be used to identify software components, they don’t efficiently provide the detailed information. With this open source collaboration between Anchore and Docker, it is possible to create and store an SBOM independently of running any higher-level function like vulnerability scanning or license detection.
Docker Desktop 4.7.0 introduces the Docker Software Bill of Materials (SBOM) CLI plugin (`docker sbom`) for the first time. The new `docker sbom` CLI lists all the components that were used to build the software.
An SBOM is a full listing of every package and dependency that goes into making a container image. For container images, this includes:
- the operating system packages that are installed (for example, ca-certificates);
- language-specific packages that the software depends on (for example, Log4j);
- a subset of this information, or even more detail, such as the versions of the components and their source.
Thanks to Anchore’s Syft project
The Docker SBOM plugin is currently experimental and you can find the project hosted in a GitHub repository. The functionality was developed as an open source collaboration with Anchore using their Syft project.
Kudos to Anchore’s Syft team: now you can pull down images and extract a full SBOM very quickly. Once you have that SBOM, you can present it to those who need the list, so they can verify that everything included in the image meets company requirements and/or security policies. The tool doesn’t just list the name of each included package; it also adds the version number. That means every single package installed can be verified for security.
Please note: Docker Desktop allows you to view the SBOM output in standard formats like SPDX and CycloneDX, along with the Syft and GitHub formats, using the `--format` option.
In this blog, we will focus primarily on Docker SBOM and see which SBOM output formats are available.
Getting Started with SBOM
Ensure that you have Docker Desktop 4.7.0 up and running on your MacBook.
If you are running an older version of Docker Desktop, follow the steps below:
Upgrade your Docker desktop
If you’re running Docker Desktop 4.6.1, you may have to upgrade it to 4.7.0 as follows:
Click “Download Update” to install the latest version.
```
% docker sbom
Usage: docker sbom [OPTIONS] COMMAND

View the packaged-based Software Bill Of Materials (SBOM) for an image.

EXPERIMENTAL: The flags and outputs of this command may change. Leave feedback on https://github.com/docker/sbom-cli-plugin.

Examples:
  docker sbom alpine:latest                                          a summary of discovered packages
  docker sbom alpine:latest --format syft-json                       show all possible cataloging details
  docker sbom alpine:latest --output sbom.txt                        write report output to a file
  docker sbom alpine:latest --exclude /lib --exclude '**/*.db'       ignore one or more paths/globs in the image

Options:
  -D, --debug                show debug logging
      --exclude stringArray  exclude paths from being scanned using a glob expression
      --format string        report output format, options=[syft-json cyclonedx-xml cyclonedx-json github-0-json spdx-tag-value spdx-json table text] (default "table")
      --layers string        [experimental] selection of layers to catalog, options=[squashed all] (default "squashed")
  -o, --output string        file to write the default report output to (default is STDOUT)
      --platform string      an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
      --quiet                suppress all non-report output
  -v, --version              version for sbom

Commands:
  version     Show Docker sbom version information

Run 'docker sbom COMMAND --help' for more information on a command.
an image argument is required
```
Running the SBOM command for a Redis Docker Image
```
docker sbom redis
Syft v0.43.0
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [99 packages]

NAME                 VERSION                         TYPE
adduser              3.118                           deb
apt                  2.2.4                           deb
base-files           11.1+deb11u3                    deb
base-passwd          3.5.51                          deb
bash                 5.1-2+b3                        deb
bsdutils             1:2.36.1-8+deb11u1              deb
coreutils            8.32-4+b1                       deb
dash                 0.5.11+git20200708+dd9ef66-5    deb
s                    4.11.2                          deb
diffutils            1:3.7-5                         deb
dpkg                 1.20.9                          deb
e2fsprogs            1.46.2-2                        deb
...
libgcc-s1            10.2.1-6                        deb
libgcrypt20          1.8.7-6                         deb
libgmp10             2:6.2.1+dfsg-1+deb11u1          deb
libgnutls30          3.7.1-5                         deb
libgpg-error0        1.38-2                          deb
libgssapi-krb5-2     1.18.3-6+deb11u1                deb
libhogweed6          3.7.3-1                         deb
..
libss2               1.46.2-2                        deb
libssl1.1            1.1.1n-0+deb11u1                deb
libstdc++6           10.2.1-6                        deb
libsystemd0          247.3-7                         deb
libtasn1-6           4.16.0-2                        deb
..
sysvinit-utils       2.96-7+deb11u1                  deb
tar                  1.34+dfsg-1                     deb
tzdata               2021a-1+deb11u3                 deb
util-linux           2.36.1-8+deb11u1                deb
zlib1g               1:1.2.11.dfsg-2                 deb
```
Note that the output includes the libraries and packages that have been installed inside the image.
Running the SBOM command for an application
I built a Docker image called “HelloWhale” some time back that uses Nginx to display a whale in the web browser. Let us try running `docker sbom` for this Docker image.
```
docker sbom ajeetraina/hellowhale
Syft v0.43.0
 ✔ Pulled image
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [109 packages]

NAME                        VERSION                   TYPE
adduser                     3.115                     deb
apt                         1.4.8                     deb
base-files                  9.9+deb9u4                deb
base-passwd                 3.5.43                    deb
bash                        4.4-5                     deb
bsdutils                    1:2.29.2-1+deb9u1         deb
coreutils                   8.26-3                    deb
..
nginx                       1.13.12-1~stretch         deb
nginx-module-geoip          1.13.12-1~stretch         deb
nginx-module-image-filter   1.13.12-1~stretch         deb
nginx-module-njs            1.13.12.0.2.0-1~stretch   deb
nginx-module-xslt           1.13.12-1~stretch         deb
passwd                      1:4.4-4.1                 deb
perl-base                   5.24.1-3+deb9u2           deb
sed                         4.4-1                     deb
sensible-utils              0.0.9+deb9u1              deb
sysvinit-utils              2.88dsf-59.9              deb
tar                         1.29b-1.1                 deb
tzdata                      2018c-0+deb9u1            deb
ucf                         3.0036                    deb
util-linux                  2.29.2-1+deb9u1           deb
zlib1g                      1:1.2.8.dfsg-5            deb
```
Output Formatting
You can view the SBOM output in standard formats like SPDX and CycloneDX, along with the Syft and GitHub formats, using the `--format` option. For example, the relationships section near the end of the SPDX JSON output looks like this:
```json
    {
      "spdxElementId": "SPDXRef-ad1f336b41c75784",
      "relationshipType": "CONTAINS",
      "relatedSpdxElement": "SPDXRef-a060f4a61f216170"
    },
    {
      "spdxElementId": "SPDXRef-ad1f336b41c75784",
      "relationshipType": "CONTAINS",
      "relatedSpdxElement": "SPDXRef-b919fe37cff91b9d"
    },
    {
      "spdxElementId": "SPDXRef-ffd3339e6fb9862f",
      "relationshipType": "OTHER",
      "relatedSpdxElement": "SPDXRef-497d20e5993aef2d",
      "comment": "ownership-by-file-overlap: indicates that the parent package claims ownership of a child package since the parent metadata indicates overlap with a location that a cataloger found the child package by"
    }
  ]
}
```
Saving the output to JSON
```
docker sbom --format cyclonedx-json --output bash.json ajeetraina/hellowhale
Syft v0.43.0
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [109 packages]
```
```
ajeetraina@Ajeets-MacBook-Pro ~ % cat bash.json | head -n 50
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:9e62ba5a-15bd-4a0b-b168-305a213e2315",
  "version": 1,
  "metadata": {
    "timestamp": "2022-04-11T12:46:12+05:30",
    "tools": [
      {
        "vendor": "anchore",
        "name": "syft",
        "version": "[not provided]"
      }
    ],
    "component": {
      "bom-ref": "5a6d84c7edc26a6c",
      "type": "container",
      "name": "ajeetraina/hellowhale:latest",
      "version": "sha256:ba5c0b1d6b484fc763e505585448e6e31a5d899a6deca90d6d21aed18ac0b19a"
    }
  },
  "components": [
    {
      "type": "library",
      "publisher": "Debian Adduser Developers \u003cadduser-devel@lists.alioth.debian.org\u003e",
      "name": "adduser",
      "version": "3.115",
      "licenses": [
        {
          "license": {
            "id": "GPL-2.0"
          }
        }
      ],
      "cpe": "cpe:2.3:a:adduser:adduser:3.115:*:*:*:*:*:*:*",
      "purl": "pkg:deb/debian/adduser@3.115?arch=all\u0026distro=debian-9",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "dpkgdb-cataloger"
        },
        {
          "name": "syft:package:metadataType",
          "value": "DpkgMetadata"
        },
        {
          "name": "syft:package:type",
          "value": "deb"
        },
        {
```
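Once the SBOM is saved as CycloneDX JSON, the interesting work is consuming it. As an added example (not code from this post, nor from the Docker or Syft projects), the script below reads a CycloneDX 1.4 document of the shape shown above, parses each component's purl into type, name, version and qualifiers (such as `distro=debian-9`), and runs a simple review policy over the components. The embedded SBOM is a constructed fragment modelled on the output above, and the policy rules and deny list are assumptions for illustration.

```python
import json
from urllib.parse import parse_qs

# Constructed CycloneDX 1.4 fragment shaped like `docker sbom --format cyclonedx-json`
# output. The first purl keeps the "\u0026" escape seen in the real output; the second
# component deliberately has no "licenses" entry.
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"type": "container", "name": "example/app:latest"}},
  "components": [
    {"type": "library", "name": "adduser", "version": "3.115",
     "licenses": [{"license": {"id": "GPL-2.0"}}],
     "purl": "pkg:deb/debian/adduser@3.115?arch=all\\u0026distro=debian-9"},
    {"type": "library", "name": "nginx", "version": "1.13.12-1~stretch",
     "purl": "pkg:deb/debian/nginx@1.13.12-1~stretch?arch=amd64&distro=debian-9"}
  ]
}"""

def parse_purl(purl):
    """Split pkg:deb/debian/adduser@3.115?distro=debian-9 into its parts."""
    body, _, query = purl.partition("?")
    ptype, _, rest = body[len("pkg:"):].partition("/")
    name, _, version = rest.rsplit("/", 1)[-1].partition("@")
    qualifiers = {k: v[0] for k, v in parse_qs(query).items()}
    return {"type": ptype, "name": name, "version": version, "qualifiers": qualifiers}

def load_components(sbom_text):
    """Return a flat list of components with their license ids and parsed purl."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    comps = []
    for c in doc.get("components", []):
        licenses = [x["license"].get("id") for x in c.get("licenses", []) if "license" in x]
        comps.append({"name": c["name"], "version": c.get("version"), "licenses": licenses,
                      "purl": parse_purl(c["purl"]) if c.get("purl") else None})
    return comps

def policy_findings(components, denied_names=frozenset()):
    """Flag components failing an assumed review policy; returns (name, reason) pairs."""
    findings = []
    for c in components:
        if not c["licenses"]:
            findings.append((c["name"], "no license declared"))
        if c["purl"] is None:
            findings.append((c["name"], "no purl, cannot be matched to advisories"))
        if c["name"] in denied_names:
            findings.append((c["name"], "package is on the deny list"))
    return findings
```

Feed it the real `bash.json` with `load_components(open("bash.json").read())` and the same checks run over all 109 components; the purl's `distro` qualifier also tells you at a glance which Debian release the image is based on.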