Chapter 3. Creating a software bill of materials manifest file
Red Hat Trusted Profile Analyzer can analyze both CycloneDX and Software Package Data Exchange (SPDX) SBOM formats by using the JSON file format. Many open source tools are available to you for creating Software Bill of Materials (SBOM) manifest files from container images, or for your application. For this procedure we are going to use the Syft tool.
Currently, Trusted Profile Analyzer only supports CycloneDX version 1.3, 1.4 and SPDX version 2.2.
Prerequisites
Install Syft for your workstation platform:
Procedure
To create an SBOM by using a container image.
CycloneDX format:
Syntax
syft IMAGE_PATH -o cyclonedx-json@1.4Example
$ syft registry:example.io/hello-world:latest -o cyclonedx-json@1.4
SPDX format:
Syntax
syft IMAGE_PATH -o spdx-json@2.2Example
$ syft registry:example.io/hello-world:latest -o spdx-json@2.2
NoteSyft supports many types of container image sources. See the official supported source list on Syft’s GitHub site.
To create an SBOM by scanning the local file system.
CycloneDX format:
Syntax
syft dir: DIRECTORY_PATH -o cyclonedx-json@1.4 syft file: FILE_PATH -o cyclonedx-json@1.4
Example
$ syft dir:. -o cyclonedx-json@1.4 $ syft file:/example-binary -o cyclonedx-json@1.4
SPDX format:
Syntax
syft dir: DIRECTORY_PATH -o spdx-json@2.2 syft file: FILE_PATH -o spdx-json@2.2
Example
$ syft dir:. -o spdx-json@2.2 $ syft file:/example-binary -o spdx-json@2.2
Additional resources
- Scanning an SBOM manifest file by using the Red Hat Trusted Profile Analyzer managed service.
- National Telecommunications and Information Administration’s (NTIA) How-to Guide on SBOM generation.
