Red Hat SummitChapter 3. Creating a software bill of materials manifest file
Create a Software Bill of Materials (SBOM) manifest file to provide Red Hat Trusted Profile Analyzer (RHTPA) with the package data needed for security analysis. RHTPA can analyze both CycloneDX and Software Package Data Exchange (SPDX) SBOM formats by using the JSON file format. Many open source tools are available to you for creating Software Bill of Materials (SBOM) manifest files from container images, or for your application. For this procedure we are going to use the Syft tool.
Currently, Trusted Profile Analyzer only supports CycloneDX version 1.3, 1.4, 1.5, and 1.6, along with SPDX version 2.2, and 2.3.
The Syft binary is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs), might not be functionally complete, and Red Hat does not recommend to use them for production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. See the support scope for Red Hat Technology Preview features for more details.
Prerequisites
Install Syft for your workstation platform:
Procedure
To create an SBOM by using a container image.
- CycloneDX format
syft IMAGE_PATH -o cyclonedx-json@1.5
syft IMAGE_PATH -o cyclonedx-json@1.5Copy to Clipboard Copied! Toggle word wrap Toggle overflow syft registry:example.io/hello-world:latest -o cyclonedx-json@1.5
$ syft registry:example.io/hello-world:latest -o cyclonedx-json@1.5Copy to Clipboard Copied! Toggle word wrap Toggle overflow - SPDX format
syft IMAGE_PATH -o spdx-json@2.3
syft IMAGE_PATH -o spdx-json@2.3Copy to Clipboard Copied! Toggle word wrap Toggle overflow syft registry:example.io/hello-world:latest -o spdx-json@2.3
$ syft registry:example.io/hello-world:latest -o spdx-json@2.3Copy to Clipboard Copied! Toggle word wrap Toggle overflow NoteSyft supports many types of container image sources. See the official supported source list on Syft’s GitHub site.
To create an SBOM by scanning the local file system.
- CycloneDX format
syft dir: DIRECTORY_PATH -o cyclonedx-json@1.5 syft file: FILE_PATH -o cyclonedx-json@1.5
syft dir: DIRECTORY_PATH -o cyclonedx-json@1.5 syft file: FILE_PATH -o cyclonedx-json@1.5Copy to Clipboard Copied! Toggle word wrap Toggle overflow syft dir:. -o cyclonedx-json@1.5 syft file:/example-binary -o cyclonedx-json@1.5
$ syft dir:. -o cyclonedx-json@1.5 $ syft file:/example-binary -o cyclonedx-json@1.5Copy to Clipboard Copied! Toggle word wrap Toggle overflow - SPDX format
syft dir: DIRECTORY_PATH -o spdx-json@2.3 syft file: FILE_PATH -o spdx-json@2.3
syft dir: DIRECTORY_PATH -o spdx-json@2.3 syft file: FILE_PATH -o spdx-json@2.3Copy to Clipboard Copied! Toggle word wrap Toggle overflow syft dir:. -o spdx-json@2.3 syft file:/example-binary -o spdx-json@2.3
$ syft dir:. -o spdx-json@2.3 $ syft file:/example-binary -o spdx-json@2.3Copy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}