Ce contenu n'est pas disponible dans la langue sélectionnée.
Chapter 1. Downloading, converting, and analyzing your SBOM
The following procedure explains how to inspect your SBOM with TPA. Specifically, it outlines how to download an SBOM, convert the SBOM into a compatible format, and analyze the SBOM with TPA.
Procedure:
In your container registry, find the full address of the container image whose SBOM you want to inspect. The address has the format registry/namespace/image:tag. For example, quay.io/app/app-image:ff59e21cc…
NoteDo not use the address of the SBOM image, which ends with
.sbom
. Use the address of the image for the actual application.In your CLI, use cosign to download the SBOM. Redirect the output to a file you can reference later. Make sure the new filename ends with
.json
.cosign download sbom quay.io/redhat/rhtap-app:8d34c03188cf294a77339b2a733b1f6811263a369b309e6b170d9b489abc0334 > /tmp/sbom.json
(Optional) Your SBOM ultimately appears in the TPA UI with a name listed in this .json file. By default, Syft creates that name based on the filepath of the SBOM. If you want your SBOM to appear in the TPA UI with a more meaningful name, you must manually change it in the .json file you just downloaded. Specifically, you must replace the name in the
.metadata.component
object. You can optionally add aversion
field here, if you wish.$ vim /tmp/sbom.json "component": { "bom-ref": "fdef64df97f1d419", "type": "file", "name": "/var/lib/containers/storage/vfs/dir/3b3009adcd335d2b3902c5a7014d22b2beb6392b1958f1d9c7aabe24acab2deb" #Replace this with a meaningful name }
Run the following command to store the Bombastic API URL as an environment variable.
$ bombastic_api_url="https://$(oc -n rhtap get route --selector app.kubernetes.io/name=bombastic-api -o jsonpath='{.items[].spec.host}')"
NoteIn this command and the next command, after
-n
, be sure to enter the namespace in which you installed RHTAP. The examples assume you used a namespace calledrhtap
.In your CLI, create a new
token_issuer_url
environment variable with the following value.$ token_issuer_url=https://$(oc -n rhtap get route --selector app.kubernetes.io/name=keycloak -o jsonpath='{.items[].spec.host}')/realms/chicken/protocol/openid-connect/token
Next, you need to set the TPA__OIDC__WALKER_CLIENT_SECRET environment variable. If you have access to the private.env file, which your organization generated while installing RHTAP, you can simply source that file. If you do not have access to that file, ask whomever installed RHTAP to provide your with the TPA OIDC Walker client secret.
If you have access to the
private.env
file:$ source private.env
Or, once you have obtained the secret from whomever installed RHTAP:
$ TPA__OIDC__WALKER_CLIENT_SECRET=<secret value>
Run the following command to obtain a token for the BOMbastic API. The token allows you to upload the SBOM.
$ tpa_token=$(curl \ -d 'client_id=walker' \ -d "client_secret=$TPA__OIDC__WALKER_CLIENT_SECRET" \ -d 'grant_type=client_credentials' \ "$token_issuer_url" \ | jq -r .access_token)
Try to upload the SBOM.
curl \ -H "authorization: Bearer $tpa_token" \ -H "transfer-encoding: chunked" \ -H "content-type: application/json" \ --data @/tmp/sbom.json \ "$bombastic_api_url/api/v1/sbom?id=my-sbom"
If you receive the error message
storage error: invalid storage content
, use Syft to convert your SBOM to an earlier CycloneDX, 1.4. You can disregard warnings about merging packages with different pURLs; they indicate that Syft might discard some data from the original SBOM, but that data is not crucial.$ syft convert /tmp/sbom.json -o cyclonedx-json@1.4=/tmp/sbom-1-4.json
Then try to upload the SBOM again:
$ curl \ -H "authorization: Bearer $tpa_token" \ -H "transfer-encoding: chunked" \ -H "content-type: application/json" \ --data @/tmp/sbom-1-4.json \ "$bombastic_api_url/api/v1/sbom?id=my-sbom"
- Access your cluster that is running RHTAP through the OpenShift Console.
-
In the rhtap project, navigate to Networking > Routes. Open the URL listed on the same row as the
spog-ui
service. - Use the Register button to create a new account and authenticate to TPA.
Select your SBOM (the most recent upload) and see what insights TPA has provided about your application based on that SBOM.
- Go to the Dependency Analytics Report tab to view vulnerabilities and remediations.
Additional resources
- Parts of this document are based on the Trustification documentation for SBOMs.
Revised on 2024-07-01 13:32:01 UTC