Ajeet Raina Ajeet Singh Raina is a former Docker Captain, Community Leader and Arm Ambassador. He is a founder of Collabnix blogging site and has authored more than 570+ blogs on Docker, Kubernetes and Cloud-Native Technology. He runs a community Slack of 8900+ members and discord server close to 2200+ members. You can follow him on Twitter(@ajeetsraina).

Docker Desktop 4.7.0 introduces the SBOM for Docker Images for the first time


Today, it is hard to find any software built from scratch. Most applications built today combine components, development frameworks and libraries that are either downloaded or compiled from third-party sources. As a result, more companies are seeking deeper transparency into the software components entering their software supply chain.

SBOMs: The New Entry to the DevSecOps Pipeline

SBOMs are quickly becoming foundational data sources for a variety of DevSecOps use cases. Even though there is a multitude of security scanning tools available on the internet that can be used to identify software components, they do not efficiently provide detailed information about those components. With this open source collaboration between Anchore and Docker, it is now possible to create and store an SBOM independently of any higher-level function such as vulnerability scanning or license detection.

Docker Desktop 4.7.0 introduces the Docker Software Bill of Materials (SBOM) CLI plugin (`docker sbom`) for the first time. The new `docker sbom` command lists all the components that were used to build the software.

An SBOM is a full listing of every package and dependency that goes into making a container image. For container images, this includes:

  • the operating system packages that are installed (for example, ca-certificates)
  • language-specific packages that the software depends on (for example, Log4j)
  • a subset of this information, or even more detail, such as the versions of the components and their source

Thanks to Anchore’s Syft project

The Docker SBOM plugin is currently experimental; the project is hosted in the docker/sbom-cli-plugin repository on GitHub. The functionality was developed as an open source collaboration with Anchore using their Syft project.

Kudos to Anchore’s Syft team: you can now pull down images and extract a full SBOM very quickly. Once you have that SBOM, you can present it to those who need the list, so they can verify that everything included in the image meets company requirements and/or security policies. The tool does not just list the name of each included package; it also adds the version number. That means every single package installed can be verified for security.

Please note: Docker Desktop allows you to view the SBOM output in standard formats like SPDX and CycloneDX, along with the Syft and GitHub formats, using the --format option.

In this blog, we will focus primarily on the Docker SBOM command and see which SBOM output formats are available.

Getting Started with SBOM

Ensure that you have Docker Desktop 4.7.0 up and running on your MacBook.

In case you are running the older version of Docker Desktop, follow the below steps:

Upgrade your Docker Desktop

If you’re running Docker Desktop 4.6.1, then you might have to upgrade it to 4.7.0 as follows:

Click “Download Update” to install the latest version.

% docker sbom

Usage:  docker sbom [OPTIONS] COMMAND

View the packaged-based Software Bill Of Materials (SBOM) for an image.

EXPERIMENTAL: The flags and outputs of this command may change. Leave feedback on https://github.com/docker/sbom-cli-plugin.

Examples:

  docker sbom alpine:latest                                          a summary of discovered packages
  docker sbom alpine:latest --format syft-json                       show all possible cataloging details
  docker sbom alpine:latest --output sbom.txt                        write report output to a file
  docker sbom alpine:latest --exclude /lib  --exclude '**/*.db'      ignore one or more paths/globs in the image


Options:
  -D, --debug                 show debug logging
      --exclude stringArray   exclude paths from being scanned using a glob expression
      --format string         report output format, options=[syft-json cyclonedx-xml cyclonedx-json github-0-json spdx-tag-value spdx-json
                              table text] (default "table")
      --layers string         [experimental] selection of layers to catalog, options=[squashed all] (default "squashed")
  -o, --output string         file to write the default report output to (default is STDOUT)
      --platform string       an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64',
                              'linux')
      --quiet                 suppress all non-report output
  -v, --version               version for sbom

Commands:
  version     Show Docker sbom version information

Run 'docker sbom COMMAND --help' for more information on a command.
an image argument is required
Running the SBOM command for a Redis Docker Image
 docker sbom redis
Syft v0.43.0
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [99 packages]

NAME                            VERSION                             TYPE
adduser                         3.118                               deb
apt                             2.2.4                               deb
base-files                      11.1+deb11u3                        deb
base-passwd                     3.5.51                              deb
bash                            5.1-2+b3                            deb
bsdutils                        1:2.36.1-8+deb11u1                  deb
coreutils                       8.32-4+b1                           deb
dash                            0.5.11+git20200708+dd9ef66-5        deb
debianutils                     4.11.2                              deb
diffutils                       1:3.7-5                             deb
dpkg                            1.20.9                              deb
e2fsprogs                       1.46.2-2                            deb
...
libgcc-s1                       10.2.1-6                            deb
libgcrypt20                     1.8.7-6                             deb
libgmp10                        2:6.2.1+dfsg-1+deb11u1              deb
libgnutls30                     3.7.1-5                             deb
libgpg-error0                   1.38-2                              deb
libgssapi-krb5-2                1.18.3-6+deb11u1                    deb
libhogweed6                     3.7.3-1                             deb
..
libss2                          1.46.2-2                            deb
libssl1.1                       1.1.1n-0+deb11u1                    deb
libstdc++6                      10.2.1-6                            deb
libsystemd0                     247.3-7                             deb
libtasn1-6                      4.16.0-2                            deb
..
sysvinit-utils                  2.96-7+deb11u1                      deb
tar                             1.34+dfsg-1                         deb
tzdata                          2021a-1+deb11u3                     deb
util-linux                      2.36.1-8+deb11u1                    deb
zlib1g                          1:1.2.11.dfsg-2                     deb

Note that the output includes the libraries and packages that have been installed inside the image.

Running the SBOM command for an application

I built a Docker image called “HelloWhale” some time back that uses Nginx to display a whale in the web browser. Let us try to run docker sbom for this Docker image.

docker sbom ajeetraina/hellowhale
Syft v0.43.0
 ✔ Pulled image
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [109 packages]
NAME                       VERSION                  TYPE
adduser                    3.115                    deb
apt                        1.4.8                    deb
base-files                 9.9+deb9u4               deb
base-passwd                3.5.43                   deb
bash                       4.4-5                    deb
bsdutils                   1:2.29.2-1+deb9u1        deb
coreutils                  8.26-3                   deb
..
nginx                      1.13.12-1~stretch        deb
nginx-module-geoip         1.13.12-1~stretch        deb
nginx-module-image-filter  1.13.12-1~stretch        deb
nginx-module-njs           1.13.12.0.2.0-1~stretch  deb
nginx-module-xslt          1.13.12-1~stretch        deb
passwd                     1:4.4-4.1                deb
perl-base                  5.24.1-3+deb9u2          deb
sed                        4.4-1                    deb
sensible-utils             0.0.9+deb9u1             deb
sysvinit-utils             2.88dsf-59.9             deb
tar                        1.29b-1.1                deb
tzdata                     2018c-0+deb9u1           deb
ucf                        3.0036                   deb
util-linux                 2.29.2-1+deb9u1          deb
zlib1g                     1:1.2.8.dfsg-5           deb

Output Formatting

You can view the SBOM output in standard formats like SPDX and CycloneDX, along with the Syft and GitHub formats, using the --format option. The fragment below is the end of an SPDX JSON report (--format spdx-json), showing the relationships between the image and the packages it contains:

 {
   "spdxElementId": "SPDXRef-ad1f336b41c75784",
   "relationshipType": "CONTAINS",
   "relatedSpdxElement": "SPDXRef-a060f4a61f216170"
  },
  {
   "spdxElementId": "SPDXRef-ad1f336b41c75784",
   "relationshipType": "CONTAINS",
   "relatedSpdxElement": "SPDXRef-b919fe37cff91b9d"
  },
  {
   "spdxElementId": "SPDXRef-ffd3339e6fb9862f",
   "relationshipType": "OTHER",
   "relatedSpdxElement": "SPDXRef-497d20e5993aef2d",
   "comment": "ownership-by-file-overlap: indicates that the parent package claims ownership of a child package since the parent metadata indicates overlap with a location that a cataloger found the child package by"
  }
 ]
}

Saving the output to JSON

docker sbom --format cyclonedx-json --output bash.json ajeetraina/hellowhale
Syft v0.43.0
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [109 packages]
ajeetraina@Ajeets-MacBook-Pro ~ % cat bash.json | head -n 50
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:9e62ba5a-15bd-4a0b-b168-305a213e2315",
  "version": 1,
  "metadata": {
    "timestamp": "2022-04-11T12:46:12+05:30",
    "tools": [
      {
        "vendor": "anchore",
        "name": "syft",
        "version": "[not provided]"
      }
    ],
    "component": {
      "bom-ref": "5a6d84c7edc26a6c",
      "type": "container",
      "name": "ajeetraina/hellowhale:latest",
      "version": "sha256:ba5c0b1d6b484fc763e505585448e6e31a5d899a6deca90d6d21aed18ac0b19a"
    }
  },
  "components": [
    {
      "type": "library",
      "publisher": "Debian Adduser Developers \u003cadduser-devel@lists.alioth.debian.org\u003e",
      "name": "adduser",
      "version": "3.115",
      "licenses": [
        {
          "license": {
            "id": "GPL-2.0"
          }
        }
      ],
      "cpe": "cpe:2.3:a:adduser:adduser:3.115:*:*:*:*:*:*:*",
      "purl": "pkg:deb/debian/adduser@3.115?arch=all\u0026distro=debian-9",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "dpkgdb-cataloger"
        },
        {
          "name": "syft:package:metadataType",
          "value": "DpkgMetadata"
        },
        {
          "name": "syft:package:type",
          "value": "deb"
        },
        {
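As an added example (not part of this post or of the docker sbom plugin), the Python script below reads a CycloneDX JSON report in the shape shown above and checks each component against a hypothetical company policy, which is the kind of verification the SBOM is meant to enable: a licence allow-list, an allowed base distro read from the purl qualifiers (such as distro=debian-9 in the hellowhale output), and exact package versions blocked by an internal advisory. The sample BOM, the policy values and the example-tool component are constructed for this example.

```python
import json
from urllib.parse import parse_qs

# Constructed sample in the shape `docker sbom --format cyclonedx-json` emits,
# trimmed to the fields this check reads; the third component is invented.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"name": "adduser", "version": "3.115", "licenses": [{"license": {"id": "GPL-2.0"}}],
         "purl": "pkg:deb/debian/adduser@3.115?arch=all&distro=debian-9"},
        {"name": "nginx", "version": "1.13.12-1~stretch", "licenses": [{"license": {"id": "BSD-2-Clause"}}],
         "purl": "pkg:deb/debian/nginx@1.13.12-1~stretch?arch=amd64&distro=debian-9"},
        {"name": "example-tool", "version": "0.1", "licenses": [],
         "purl": "pkg:deb/debian/example-tool@0.1?arch=amd64&distro=debian-11"},
    ],
})

# Hypothetical policy: licence allow-list, allowed base distros (from purl qualifiers), blocked versions.
POLICY = {
    "allowed_licenses": {"GPL-2.0", "MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause"},
    "allowed_distros": {"debian-11"},
    "blocked_versions": {("nginx", "1.13.12-1~stretch")},
}

def purl_qualifiers(purl):
    """Return the key=value qualifiers that follow '?' in a package URL."""
    _, _, query = purl.partition("?")
    return {k: v[0] for k, v in parse_qs(query).items()}

def check_sbom(bom_text, policy):
    """Return one (package, version, reason) finding per policy violation."""
    bom = json.loads(bom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = []
    for comp in bom.get("components", []):
        name, version = comp["name"], comp.get("version", "")
        # CycloneDX records a licence as an SPDX id or as a free-form name
        ids = {lic.get("license", {}).get("id") or lic.get("license", {}).get("name")
               for lic in comp.get("licenses", [])} - {None}
        if not ids:
            findings.append((name, version, "no license recorded"))
        elif not ids <= policy["allowed_licenses"]:
            findings.append((name, version, "license not allowed: " + ", ".join(sorted(ids - policy["allowed_licenses"]))))
        distro = purl_qualifiers(comp.get("purl", "")).get("distro")
        if distro and distro not in policy["allowed_distros"]:
            findings.append((name, version, f"base distro {distro} not allowed"))
        if (name, version) in policy["blocked_versions"]:
            findings.append((name, version, "version blocked by internal advisory"))
    return findings
```

Run it against a real report with `check_sbom(open("bash.json").read(), POLICY)`; every tuple returned is one package that a reviewer would need to sign off on.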
