Reference Guide
Additional reference information for Red Hat Trusted Profile Analyzer
Abstract
Preface
Welcome to the Red Hat Trusted Profile Analyzer (RHTPA) Reference Guide!
In this guide you can find general reference material regarding the Trusted Profile Analyzer service.
Chapter 1. Creating a software bill of materials manifest file
Red Hat Trusted Profile Analyzer can analyze both CycloneDX and Software Package Data Exchange (SPDX) SBOM formats by using the JSON file format. Many open source tools are available to you for creating Software Bill of Materials (SBOM) manifest files from container images, or for your application. For this procedure we are going to use the Syft tool.
Currently, Trusted Profile Analyzer only supports CycloneDX version 1.3, 1.4, and 1.5, along with SPDX version 2.2, and 2.3.
Prerequisites
Install Syft for your workstation platform:
Procedure
To create an SBOM from a container image:
CycloneDX format:
Syntax
syft IMAGE_PATH -o cyclonedx-json@1.5
Example
$ syft registry:example.io/hello-world:latest -o cyclonedx-json@1.5
SPDX format:
Syntax
syft IMAGE_PATH -o spdx-json@2.3
Example
$ syft registry:example.io/hello-world:latest -o spdx-json@2.3
Note: Syft supports many types of container image sources. See the official list of supported sources on Syft’s GitHub site.
To create an SBOM by scanning the local file system:
CycloneDX format:
Syntax
syft dir:DIRECTORY_PATH -o cyclonedx-json@1.5
syft file:FILE_PATH -o cyclonedx-json@1.5
Example
$ syft dir:. -o cyclonedx-json@1.5
$ syft file:/example-binary -o cyclonedx-json@1.5
SPDX format:
Syntax
syft dir:DIRECTORY_PATH -o spdx-json@2.3
syft file:FILE_PATH -o spdx-json@2.3
Example
$ syft dir:. -o spdx-json@2.3
$ syft file:/example-binary -o spdx-json@2.3
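The procedure above leaves one practical step implicit: before uploading an SBOM, confirm that the file Syft produced declares one of the format versions Trusted Profile Analyzer accepts (CycloneDX 1.3, 1.4 or 1.5; SPDX 2.2 or 2.3). The following shell script is an added example, not part of this guide, of Syft, or of the RHTPA project. It wraps the Syft invocation from the guide in a small helper and adds a version check that reads the top-level `bomFormat`/`specVersion` or `spdxVersion` keys with sed only, so it needs no jq. The function names, the sample JSON documents and the `SBOM_CHECK` helper names are all this example's own assumptions; the sample files are constructed headers, not real Syft output.

```shell
#!/bin/sh
# Added example, not part of the RHTPA guide or of Syft itself.
# Generate an SBOM with syft (syntax from the guide), then check the
# declared format/version against what RHTPA accepts before uploading:
# CycloneDX 1.3, 1.4, 1.5 and SPDX 2.2, 2.3.

# generate_sbom SOURCE FORMAT OUTFILE
# SOURCE is any syft source (registry:..., dir:..., file:...); FORMAT is a
# syft output format such as cyclonedx-json@1.5 or spdx-json@2.3.
# Not exercised below, because syft is not assumed to be installed here.
generate_sbom() {
  syft "$1" -o "$2" > "$3"
}

# json_string_field FILE KEY: print the value of a top-level string key.
# sed-only extraction (no jq) that assumes the key appears once, as in
# syft's output, with key and value on the same line.
json_string_field() {
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# sbom_is_supported FILE: print "<format> <version>[ unsupported]" and
# return 0 only when RHTPA can ingest the file.
sbom_is_supported() {
  if [ "$(json_string_field "$1" bomFormat)" = "CycloneDX" ]; then
    spec=$(json_string_field "$1" specVersion)
    case "$spec" in
      1.3|1.4|1.5) echo "cyclonedx $spec"; return 0 ;;
      *)           echo "cyclonedx $spec unsupported"; return 1 ;;
    esac
  fi
  spdx=$(json_string_field "$1" spdxVersion)
  case "$spdx" in
    SPDX-2.2|SPDX-2.3) echo "spdx ${spdx#SPDX-}"; return 0 ;;
    SPDX-*)            echo "spdx ${spdx#SPDX-} unsupported"; return 1 ;;
  esac
  echo "unknown format"
  return 1
}

# write_constructed_samples DIR: constructed minimal SBOM headers (not real
# syft output) so the check can be demonstrated offline.
write_constructed_samples() {
  mkdir -p "$1"
  cat > "$1/cdx-1.5.json" <<'EOF'
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": []
}
EOF
  cat > "$1/spdx-2.3.json" <<'EOF'
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "name": "constructed-sample"
}
EOF
  cat > "$1/cdx-1.2.json" <<'EOF'
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.2"
}
EOF
}

# Stand-alone run: write the constructed samples and report on each one.
demo_dir=$(mktemp -d)
write_constructed_samples "$demo_dir"
for f in "$demo_dir"/*.json; do
  printf '%s: ' "$(basename "$f")"
  sbom_is_supported "$f" || true
done
rm -rf "$demo_dir"
```

In a pipeline you would call `generate_sbom registry:example.io/hello-world:latest cyclonedx-json@1.5 sbom.json` and then gate the upload on `sbom_is_supported sbom.json`; the exit status is what a CI step should check, the printed line is for the log.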
Additional resources
- Scanning an SBOM manifest file by using the Red Hat Trusted Profile Analyzer managed service.
- National Telecommunications and Information Administration’s (NTIA) How-to Guide on SBOM generation.
Chapter 2. Frequently asked questions
Do you have questions about Trusted Profile Analyzer? Here is a collection of common questions and their answers to help you understand more about Red Hat’s Trusted Profile Analyzer service.
- Q: What is Red Hat’s Trusted Profile Analyzer service?
- Q: How can I use Red Hat’s Trusted Profile Analyzer service?
- Q: What kind of content will be available with the Trusted Profile Analyzer service?
- Q: What content will be available with the Trusted Profile Analyzer Service Preview release?
- Q: How does a Trusted Profile Analyzer SBOM help me?
- Q: Who is using Red Hat’s Trusted Profile Analyzer service?
- Q: To use Red Hat’s Trusted Profile Analyzer service, do I need to learn anything new, or change my development workflows and processes?
- Q: I am not a Quarkus Java developer, can I still gain any value from Red Hat’s Trusted Profile Analyzer service?
What is Red Hat’s Trusted Profile Analyzer service?
Red Hat’s Trusted Profile Analyzer service is a proactive service that helps you evaluate the security and vulnerability risks of using Open Source Software (OSS) packages and dependencies in your application stack.
How can I use Red Hat’s Trusted Profile Analyzer service?
There are two ways you can use Red Hat’s Trusted Profile Analyzer service. First, by using the Dependency Analytics extension for integrated development environment (IDE) platforms, such as Microsoft’s Visual Studio Code or JetBrains' IntelliJ IDEA. Dependency Analytics gives you in-line guidance on vulnerabilities as you write your application. Second, by searching for Software Bill of Materials (SBOM) and Vulnerability Exploitability eXchange (VEX) information for Red Hat products on Red Hat’s Hybrid Cloud Console.
What kind of content will be available with the Trusted Profile Analyzer service?
You have access to application libraries for Java, Node.js, Python, and Go, and to Red Hat Enterprise Linux packages. Vulnerability information about open source packages comes directly from internal Red Hat resources, from Red Hat’s partner ecosystem, such as Snyk, and from open source community data sources.
What content will be available with the Trusted Profile Analyzer Service Preview release?
The following content will be available for Service Preview:
- Quarkus Java Framework for Java Archive (JAR) files with associated SBOM files.
- Red Hat Enterprise Linux Universal Base Image (UBI) version 8 and 9 with associated SBOM files.
- Vulnerability information about open source Java packages.
How does a Trusted Profile Analyzer SBOM help me?
A Trusted Profile Analyzer Software Bill of Materials (SBOM) helps you understand the software components within an application stack, and any vulnerabilities those components can have. An SBOM improves the visibility and transparency of open source code within the software supply chain by recording each component’s provenance, its license information, and an attestation of how it was built.
Who is using Red Hat’s Trusted Profile Analyzer service?
The primary audience for Red Hat’s Trusted Profile Analyzer service is Quarkus Java developers, and cloud-native container image builders that use the Red Hat Enterprise Linux UBI.
To use Red Hat’s Trusted Profile Analyzer service, do I need to learn anything new, or change my development workflows and processes?
No.
I am not a Quarkus Java developer, can I still gain any value from Red Hat’s Trusted Profile Analyzer service?
Yes. The Trusted Profile Analyzer service still provides security risk information about open source packages that are not currently included in the Trusted Profile Analyzer repository.
Chapter 3. Glossary
Common terms and definitions for Red Hat’s Trusted Profile Analyzer service.
- Exhort
- The backend endpoint of Trusted Profile Analyzer that receives all API requests and retrieves the data needed for analysis, including package dependencies and vulnerabilities. The Red Hat Dependency Analytics (RHDA) integrated development environment (IDE) plug-in uses this endpoint to generate vulnerability reports within the IDE.
- Software Bill of Materials
- Also known by the acronym, SBOM. A manifest of dependent software packages needed for a particular application.
- Single Pane of Glass
- Also known by the acronym, SPOG. The RESTful application programming interface (API) for the Trusted Profile Analyzer web dashboard, and notifications.
- Vulnerability Exploitability eXchange
- Also known by the acronym, VEX. A security advisory issued by a software provider for specific vulnerabilities within a product.
- Common Vulnerabilities and Exposures
- Also known by the acronym, CVE. A CVE indicates a product’s exposure to attacks and malicious activities by giving it a score from 1 to 10, where 1 is the lowest exposure level and 10 is the highest.
- Common Vulnerability Scoring System
- Also known by the acronym, CVSS. The CVSS calculates CVE scores according to specific formulas that apply across a broad range of products and networks.