Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 1. Downloading, converting, and analyzing your SBOM

The following procedure explains how to inspect your SBOM with TPA. Specifically, it outlines how to download an SBOM, convert the SBOM into a compatible format, and analyze the SBOM with TPA.

Note

You shouldn’t require this procedure because RHTAP 1.5 automatically publishes your SBOM to TPA when building your application with any of the supported CI providers: Tekton, Jenkins, GitLab CI, and GitHub Actions. Note that GitHub Actions is a Technology Preview feature and has not been fully tested.

Follow this procedure if you prefer to extract the SBOM manually and keep a local copy.

Prerequisites:

Procedure:

  1. In your container registry, find the full address of the container image whose SBOM you want to inspect. The address has the format registry/namespace/image:tag. For example, quay.io/app/app-image:ff59e21cc…

    Note

    Do not use the address of the SBOM image, which ends with .sbom. Use the address of the image for the actual application.

  2. In your CLI, use cosign to download the SBOM. Redirect the output to a file you can reference later. Make sure the new filename ends with .json. 

    cosign download sbom quay.io/redhat/rhtap-app:8d34c03188cf294a77339b2a733b1f6811263a369b309e6b170d9b489abc0334 > /tmp/sbom.json
    Copy to Clipboard Toggle word wrap

  3. (Optional) Your SBOM ultimately appears in the TPA UI with a name listed in this .json file. By default, Syft creates that name based on the filepath of the SBOM. If you want your SBOM to appear in the TPA UI with a more meaningful name, you must manually change it in the .json file you just downloaded. Specifically, you must replace the name in the .metadata.component object. You can optionally add a version field here, if you wish. 

    $ vim /tmp/sbom.json
"component": {
      "bom-ref": "fdef64df97f1d419",
      "type": "file",
      "name": "/var/lib/containers/storage/vfs/dir/3b3009adcd335d2b3902c5a7014d22b2beb6392b1958f1d9c7aabe24acab2deb" #Replace this with a meaningful name
    }
    Copy to Clipboard Toggle word wrap

  4. Run the following command to store the Bombastic API URL as an environment variable: 

    $ bombastic_api_url="https://$(oc -n rhtap-tpa get route --selector app.kubernetes.io/name=bombastic-api -o jsonpath='{.items[].spec.host}')"
    Copy to Clipboard Toggle word wrap
    Note

    In this command and the next command, after -n, be sure to enter the namespace in which you installed RHTAP. The examples assume you used a namespace called rhtap.

  5. In your CLI, create a new token_issuer_url environment variable with the following value: 

    $ token_issuer_url=https://$(oc -n rhtap-keycloak get route --selector app=keycloak -o  jsonpath='{.items[].spec.host}')/realms/chicken/protocol/openid-connect/token
    Copy to Clipboard Toggle word wrap

  6. Set the TPA__OIDC__WALKER_CLIENT_SECRET environment variable and provide your TPA OIDC Walker client secret as its value: 

    $ TPA__OIDC__WALKER_CLIENT_SECRET=$(kubectl get -n rhtap secrets/rhtap-trustification-integration --template={{.data.oidc_client_secret}} | base64 -d)
    Copy to Clipboard Toggle word wrap

  7. Run the following command to obtain a token for the BOMbastic API. The token allows you to upload the SBOM. 

    $ tpa_token=$(curl \
    -d 'client_id=walker' \
    -d "client_secret=$TPA__OIDC__WALKER_CLIENT_SECRET" \
    -d 'grant_type=client_credentials' \
    "$token_issuer_url" \
| jq -r .access_token)
    Copy to Clipboard Toggle word wrap

  8. Try to upload the SBOM. 

    curl \
    -H "authorization: Bearer $tpa_token" \
    -H "transfer-encoding: chunked" \
    -H "content-type: application/json" \
    --data @/tmp/sbom.json \
    "$bombastic_api_url/api/v1/sbom?id=my-sbom"
    Copy to Clipboard Toggle word wrap

    1. If you receive the error message storage error: invalid storage content, use Syft to convert your SBOM to an earlier CycloneDX, 1.4. You can disregard warnings about merging packages with different pURLs; they indicate that Syft might discard some data from the original SBOM, but that data is not crucial. 

      $ syft convert /tmp/sbom.json -o cyclonedx-json@1.4=/tmp/sbom-1-4.json
      Copy to Clipboard Toggle word wrap

    2. Then try to upload the SBOM again: 

      $ curl \
    -H "authorization: Bearer $tpa_token" \
    -H "transfer-encoding: chunked" \
    -H "content-type: application/json" \
    --data @/tmp/sbom-1-4.json \
    "$bombastic_api_url/api/v1/sbom?id=my-sbom"
      Copy to Clipboard Toggle word wrap
  9. Access your cluster that is running RHTAP through the OpenShift Console.
  10. In the rhtap project, navigate to Networking > Routes. Open the URL listed on the same row as the spog-ui service.
  11. Use the Register button to create a new account and authenticate to TPA.

  12. Select your SBOM (the most recent upload) and see what insights TPA has provided about your application based on that SBOM.

    1. Go to the Dependency Analytics Report tab to view vulnerabilities and remediations.





Revised on 2025-04-30 03:56:00 UTC

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat