Ajeet Raina Docker Captain, ARM Innovator & Docker Bangalore Community Leader.

Docker Desktop 4.7.0 introduces the SBOM for Docker Images for the first time

Today, it’s hard to find any software built from scratch. Most applications built today combine components, development frameworks and libraries that are either downloaded or compiled from third-party sources. As a result, more companies are seeking deeper transparency into the software components entering their software supply chain.

SBOMs: The New Entry to the DevSecOps Pipeline

SBOMs are quickly becoming foundational data sources for a variety of DevSecOps use cases. Even though there are many security scanning tools on the internet that can identify software components, they don’t efficiently give you the detailed information. With this open source collaboration between Anchore and Docker, you can create and store an SBOM independently of running any higher-level function such as vulnerability scanning or license detection.

Docker Desktop 4.7.0 introduces the Docker Software Bill of Materials (SBOM) CLI plugin (`docker sbom`) for the first time. The new docker sbom command lists all the components that were used to build the software.

An SBOM is a full listing of every package and dependency that goes into making a container image. For container images, this includes:

  • the operating system packages that are installed (for example, ca-certificates)
  • language-specific packages that the software depends on (for example, Log4j)
  • a subset of this information, or even more detail, such as the versions of the components and their source

Thanks to Anchore’s Syft project

The Docker SBOM plugin is currently experimental, and you can find the project hosted in its GitHub repository. The functionality was developed as an open source collaboration with Anchore using their Syft project.

Kudos to Anchore’s Syft team: you can now pull down images and extract a full SBOM very quickly. Once you have that SBOM, you can present it to those who need the list, so they can verify that everything included in the image meets company requirements and/or security policies. The tool doesn’t just list the name of each included package; it also adds the version number. That means every single package installed can be verified for security.

Please note: Docker Desktop allows you to view the SBOM output in standard formats like SPDX and CycloneDX, along with the Syft and GitHub formats, using the --format option.

In this blog, we will focus primarily on the Docker SBOM plugin and see what SBOM output formats are available.

Getting Started with SBOM

Ensure that you have Docker Desktop 4.7.0 up and running on your MacBook.

If you are running an older version of Docker Desktop, follow the steps below:

Upgrade your Docker Desktop

If you’re running Docker Desktop 4.6.1, you might have to upgrade it to 4.7.0 as follows:

Click “Download Update” to install the latest version. Once it is installed, running docker sbom without an image argument prints the plugin’s usage:

% docker sbom

Usage:  docker sbom [OPTIONS] COMMAND

View the packaged-based Software Bill Of Materials (SBOM) for an image.

EXPERIMENTAL: The flags and outputs of this command may change. Leave feedback on https://github.com/docker/sbom-cli-plugin.

Examples:

  docker sbom alpine:latest                                          a summary of discovered packages
  docker sbom alpine:latest --format syft-json                       show all possible cataloging details
  docker sbom alpine:latest --output sbom.txt                        write report output to a file
  docker sbom alpine:latest --exclude /lib  --exclude '**/*.db'      ignore one or more paths/globs in the image


Options:
  -D, --debug                 show debug logging
      --exclude stringArray   exclude paths from being scanned using a glob expression
      --format string         report output format, options=[syft-json cyclonedx-xml cyclonedx-json github-0-json spdx-tag-value spdx-json
                              table text] (default "table")
      --layers string         [experimental] selection of layers to catalog, options=[squashed all] (default "squashed")
  -o, --output string         file to write the default report output to (default is STDOUT)
      --platform string       an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64',
                              'linux')
      --quiet                 suppress all non-report output
  -v, --version               version for sbom

Commands:
  version     Show Docker sbom version information

Run 'docker sbom COMMAND --help' for more information on a command.
an image argument is required

Running the SBOM command for a Redis Docker Image

docker sbom redis
Syft v0.43.0
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [99 packages]

NAME                            VERSION                             TYPE
adduser                         3.118                               deb
apt                             2.2.4                               deb
base-files                      11.1+deb11u3                        deb
base-passwd                     3.5.51                              deb
bash                            5.1-2+b3                            deb
bsdutils                        1:2.36.1-8+deb11u1                  deb
coreutils                       8.32-4+b1                           deb
dash                            0.5.11+git20200708+dd9ef66-5        deb
s                     4.11.2                              deb
diffutils                       1:3.7-5                             deb
dpkg                            1.20.9                              deb
e2fsprogs                       1.46.2-2                            deb
...
libgcc-s1                       10.2.1-6                            deb
libgcrypt20                     1.8.7-6                             deb
libgmp10                        2:6.2.1+dfsg-1+deb11u1              deb
libgnutls30                     3.7.1-5                             deb
libgpg-error0                   1.38-2                              deb
libgssapi-krb5-2                1.18.3-6+deb11u1                    deb
libhogweed6                     3.7.3-1                             deb
..
libss2                          1.46.2-2                            deb
libssl1.1                       1.1.1n-0+deb11u1                    deb
libstdc++6                      10.2.1-6                            deb
libsystemd0                     247.3-7                             deb
libtasn1-6                      4.16.0-2                            deb
..
sysvinit-utils                  2.96-7+deb11u1                      deb
tar                             1.34+dfsg-1                         deb
tzdata                          2021a-1+deb11u3                     deb
util-linux                      2.36.1-8+deb11u1                    deb
zlib1g                          1:1.2.11.dfsg-2                     deb

Note that the output includes the libraries and packages that have been installed inside the image.

Running the SBOM command for an application

I built a Docker image called “HelloWhale” some time back that uses Nginx to display a whale in the web browser. Let us try running docker sbom against this Docker image.

docker sbom ajeetraina/hellowhale
Syft v0.43.0
 ✔ Pulled image
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [109 packages]
NAME                       VERSION                  TYPE
adduser                    3.115                    deb
apt                        1.4.8                    deb
base-files                 9.9+deb9u4               deb
base-passwd                3.5.43                   deb
bash                       4.4-5                    deb
bsdutils                   1:2.29.2-1+deb9u1        deb
coreutils                  8.26-3                   deb
..
nginx                      1.13.12-1~stretch        deb
nginx-module-geoip         1.13.12-1~stretch        deb
nginx-module-image-filter  1.13.12-1~stretch        deb
nginx-module-njs           1.13.12.0.2.0-1~stretch  deb
nginx-module-xslt          1.13.12-1~stretch        deb
passwd                     1:4.4-4.1                deb
perl-base                  5.24.1-3+deb9u2          deb
sed                        4.4-1                    deb
sensible-utils             0.0.9+deb9u1             deb
sysvinit-utils             2.88dsf-59.9             deb
tar                        1.29b-1.1                deb
tzdata                     2018c-0+deb9u1           deb
ucf                        3.0036                   deb
util-linux                 2.29.2-1+deb9u1          deb
zlib1g                     1:1.2.8.dfsg-5           deb

Output Formatting

You can view the SBOM output in standard formats like SPDX and CycloneDX, along with the Syft and GitHub formats, using the --format option. For example, the tail of the spdx-json output (the end of its relationships list) looks like this:


 {
   "spdxElementId": "SPDXRef-ad1f336b41c75784",
   "relationshipType": "CONTAINS",
   "relatedSpdxElement": "SPDXRef-a060f4a61f216170"
  },
  {
   "spdxElementId": "SPDXRef-ad1f336b41c75784",
   "relationshipType": "CONTAINS",
   "relatedSpdxElement": "SPDXRef-b919fe37cff91b9d"
  },
  {
   "spdxElementId": "SPDXRef-ffd3339e6fb9862f",
   "relationshipType": "OTHER",
   "relatedSpdxElement": "SPDXRef-497d20e5993aef2d",
   "comment": "ownership-by-file-overlap: indicates that the parent package claims ownership of a child package since the parent metadata indicates overlap with a location that a cataloger found the child package by"
  }
 ]
}

Saving the output to JSON

docker sbom --format cyclonedx-json --output bash.json ajeetraina/hellowhale
Syft v0.43.0
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [109 packages]
ajeetraina@Ajeets-MacBook-Pro ~ % cat bash.json | head -n 50
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:9e62ba5a-15bd-4a0b-b168-305a213e2315",
  "version": 1,
  "metadata": {
    "timestamp": "2022-04-11T12:46:12+05:30",
    "tools": [
      {
        "vendor": "anchore",
        "name": "syft",
        "version": "[not provided]"
      }
    ],
    "component": {
      "bom-ref": "5a6d84c7edc26a6c",
      "type": "container",
      "name": "ajeetraina/hellowhale:latest",
      "version": "sha256:ba5c0b1d6b484fc763e505585448e6e31a5d899a6deca90d6d21aed18ac0b19a"
    }
  },
  "components": [
    {
      "type": "library",
      "publisher": "Debian Adduser Developers \u003cadduser-devel@lists.alioth.debian.org\u003e",
      "name": "adduser",
      "version": "3.115",
      "licenses": [
        {
          "license": {
            "id": "GPL-2.0"
          }
        }
      ],
      "cpe": "cpe:2.3:a:adduser:adduser:3.115:*:*:*:*:*:*:*",
      "purl": "pkg:deb/debian/adduser@3.115?arch=all\u0026distro=debian-9",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "dpkgdb-cataloger"
        },
        {
          "name": "syft:package:metadataType",
          "value": "DpkgMetadata"
        },
        {
          "name": "syft:package:type",
          "value": "deb"
        },
        {

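As an added example (not part of the plugin or of this post), here is the policy check the post describes, applied to the CycloneDX JSON that `--format cyclonedx-json` writes: it reads the components list (name, version, licenses, purl) and reports packages with a denied or missing license and any watched package. The SBOM below is constructed from the fields shown in bash.json, and the policy values (the denied license and watched package) are assumptions.

```python
import json

# Constructed sample in the shape syft emits (fields trimmed to those used below).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "container", "name": "ajeetraina/hellowhale:latest"}},
    "components": [
        {"type": "library", "name": "adduser", "version": "3.115",
         "licenses": [{"license": {"id": "GPL-2.0"}}],
         "purl": "pkg:deb/debian/adduser@3.115?arch=all&distro=debian-9"},
        {"type": "library", "name": "nginx", "version": "1.13.12-1~stretch",
         "licenses": [{"license": {"name": "BSD-2-Clause"}}],
         "purl": "pkg:deb/debian/nginx@1.13.12-1~stretch?arch=amd64&distro=debian-9"},
        {"type": "library", "name": "zlib1g", "version": "1:1.2.8.dfsg-5",
         "purl": "pkg:deb/debian/zlib1g@1:1.2.8.dfsg-5?arch=amd64&distro=debian-9"},
    ],
})


def load_components(bom_json):
    # Refuse anything that is not a CycloneDX document; components may be absent.
    bom = json.loads(bom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom.get("components", [])


def license_ids(component):
    # Syft writes either an SPDX "id" or a free-text "name"; both may be absent.
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ident = lic.get("id") or lic.get("name")
        if ident:
            ids.append(ident)
    return ids


def check_policy(bom_json, denied_licenses, watched_packages):
    """Return (name, version, reason) findings for an image's SBOM (assumed policy)."""
    findings = []
    for comp in load_components(bom_json):
        name, version = comp.get("name", "?"), comp.get("version", "")
        lics = license_ids(comp)
        if not lics:
            findings.append((name, version, "no license metadata"))
        for lic in lics:
            if lic in denied_licenses:
                findings.append((name, version, f"denied license {lic}"))
        if name in watched_packages:
            findings.append((name, version, "watched package present"))
    return findings
```

To run it against a real image, pass the contents of the file written by `docker sbom --format cyclonedx-json --output bash.json IMAGE` to check_policy instead of SAMPLE_BOM.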
Have Queries? Join https://launchpass.com/collabnix

33 Replies to “Docker Desktop 4.7.0 introduces the SBOM for Docker Images…”

  1. You really make it appear really easy together with your presentation however I find this topic to be actually one thing that I think I might never understand. It sort of feels too complex and very broad for me. I am looking forward on your next put up, I will attempt to get the hang of it!

  2. Thank you, I’ve recently been searching for information about this topic for ages and yours is the greatest I have discovered so far. But, what in regards to the bottom line? Are you positive about the supply?

  3. I liked as much as you’ll receive performed right here. The caricature is tasteful, your authored material stylish. nonetheless, you command get got an edginess over that you wish be delivering the following. sick for sure come further formerly once more as exactly the similar just about very ceaselessly within case you shield this increase.

  4. Excellent post. I was checking continuously this blog and I am impressed! Extremely useful info specifically the last part 🙂 I care for such information much. I was seeking this particular info for a long time. Thank you and good luck.

  5. F*ckin’ awesome things here. I am very glad to see your article. Thanks a lot and i am looking forward to contact you. Will you kindly drop me a mail?

  6. I will right away grab your rss feed as I can not find your e-mail subscription hyperlink or e-newsletter service. Do you’ve any? Please allow me realize so that I may just subscribe. Thanks.

  7. Hi there! Quick question that’s totally off topic. Do you know how to make your site mobile friendly? My site looks weird when browsing from my iphone4. I’m trying to find a theme or plugin that might be able to fix this issue. If you have any suggestions, please share. Cheers!

  8. Someone necessarily help to make critically articles I might state. That is the very first time I frequented your website page and thus far? I amazed with the research you made to make this particular put up amazing. Fantastic activity!

  9. Hello, you used to write fantastic, but the last several posts have been kinda boringK I miss your great writings. Past several posts are just a bit out of track! come on!

  10. Hello just wanted to give you a quick heads up and let you know a few of the images aren’t loading properly. I’m not sure why but I think its a linking issue. I’ve tried it in two different internet browsers and both show the same outcome.

  11. hi!,I love your writing so a lot! proportion we communicate extra about your post on AOL? I require an expert on this space to unravel my problem. Maybe that’s you! Taking a look ahead to see you.

  12. I simply wanted to write a simple word to say thanks to you for those precious guides you are sharing here. My extensive internet research has at the end been recognized with reasonable ideas to exchange with my classmates and friends. I would declare that we visitors are unequivocally blessed to exist in a notable place with very many wonderful professionals with very beneficial points. I feel extremely fortunate to have come across the web page and look forward to many more amazing moments reading here. Thanks once again for a lot of things.

  13. What’s Happening i’m new to this, I stumbled upon this I have found It positively helpful and it has helped me out loads. I am hoping to give a contribution & help different customers like its aided me. Good job.

  14. Pretty nice post. I just stumbled upon your blog and wanted to say that I have truly enjoyed browsing your blog posts. In any case I will be subscribing to your rss feed and I hope you write again soon!

  15. There are definitely loads of particulars like that to take into consideration. That may be a great point to bring up. I supply the thoughts above as normal inspiration but clearly there are questions like the one you carry up the place the most important factor might be working in honest good faith. I don?t know if finest practices have emerged round issues like that, however I am positive that your job is clearly identified as a fair game. Both girls and boys really feel the affect of only a moment’s pleasure, for the rest of their lives.
