이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Inspecting your SBOM using Red Hat Trusted Profile Analyzer


Red Hat Trusted Application Pipeline 1.3

Learn how to scan your SBOM to gain actionable information about the security posture of your application.

Red Hat Customer Content Services

Abstract

This document provides information about how to review SBOM to gain actionable information about the security posture of your application.

Preface

When Red Hat Trusted Application Pipeline builds your application images, it also provides a software bill of materials (SBOM). The SBOM lists all the software libraries that the image uses. You can use the SBOM to identify security vulnerabilities.

However, the SBOM is long and difficult to read. To turn the raw SBOM into actionable information, you can use Trusted Profile Analyzer (TPA). For example, TPA can identify dependencies in your image that are targets of known Common Vulnerabilities and Exploits (CVEs).

Chapter 1. Downloading, converting, and analyzing your SBOM

The following procedure explains how to inspect your SBOM with TPA. Specifically, it outlines how to download an SBOM, convert the SBOM into a compatible format, and analyze the SBOM with TPA.

Note

You shouldn’t require this procedure because RHTAP 1.3 automatically publishes your SBOM to TPA when building your application with any of the supported CI providers: Tekton, Jenkins, GitLab CI, and GitHub Actions. Note that GitHub Actions is a Technology Preview feature and has not been fully tested.

Follow this procedure if you prefer to extract the SBOM manually and keep a local copy.

Prerequisites:

Procedure:

  1. In your container registry, find the full address of the container image whose SBOM you want to inspect. The address has the format registry/namespace/image:tag. For example, quay.io/app/app-image:ff59e21cc…

    Note

    Do not use the address of the SBOM image, which ends with .sbom. Use the address of the image for the actual application.

  2. In your CLI, use cosign to download the SBOM. Redirect the output to a file you can reference later. Make sure the new filename ends with .json.

    cosign download sbom quay.io/redhat/rhtap-app:8d34c03188cf294a77339b2a733b1f6811263a369b309e6b170d9b489abc0334 > /tmp/sbom.json
  3. (Optional) Your SBOM ultimately appears in the TPA UI with a name listed in this .json file. By default, Syft creates that name based on the filepath of the SBOM. If you want your SBOM to appear in the TPA UI with a more meaningful name, you must manually change it in the .json file you just downloaded. Specifically, you must replace the name in the .metadata.component object. You can optionally add a version field here, if you wish.

    $ vim /tmp/sbom.json
    "component": {
          "bom-ref": "fdef64df97f1d419",
          "type": "file",
          "name": "/var/lib/containers/storage/vfs/dir/3b3009adcd335d2b3902c5a7014d22b2beb6392b1958f1d9c7aabe24acab2deb" #Replace this with a meaningful name
        }
  4. Run the following command to store the Bombastic API URL as an environment variable.

    $ bombastic_api_url="https://$(oc -n rhtap get route --selector app.kubernetes.io/name=bombastic-api -o jsonpath='{.items[].spec.host}')"
    Note

    In this command and the next command, after -n, be sure to enter the namespace in which you installed RHTAP. The examples assume you used a namespace called rhtap.

  5. In your CLI, create a new token_issuer_url environment variable with the following value.

    $ token_issuer_url=https://$(oc -n rhtap get route --selector app.kubernetes.io/name=keycloak -o  jsonpath='{.items[].spec.host}')/realms/chicken/protocol/openid-connect/token
  6. Next, you need to set the TPA__OIDC__WALKER_CLIENT_SECRET environment variable. If you have access to the private.env file, which your organization generated while installing RHTAP, you can simply source that file. If you do not have access to that file, ask whomever installed RHTAP to provide your with the TPA OIDC Walker client secret.

    1. If you have access to the private.env file:

      $ source private.env
    2. Or, once you have obtained the secret from whomever installed RHTAP:

      $ TPA__OIDC__WALKER_CLIENT_SECRET=<secret value>
  7. Run the following command to obtain a token for the BOMbastic API. The token allows you to upload the SBOM.

    $ tpa_token=$(curl \
        -d 'client_id=walker' \
        -d "client_secret=$TPA__OIDC__WALKER_CLIENT_SECRET" \
        -d 'grant_type=client_credentials' \
        "$token_issuer_url" \
    | jq -r .access_token)
  8. Try to upload the SBOM.

    curl \
        -H "authorization: Bearer $tpa_token" \
        -H "transfer-encoding: chunked" \
        -H "content-type: application/json" \
        --data @/tmp/sbom.json \
        "$bombastic_api_url/api/v1/sbom?id=my-sbom"
    1. If you receive the error message storage error: invalid storage content, use Syft to convert your SBOM to an earlier CycloneDX, 1.4. You can disregard warnings about merging packages with different pURLs; they indicate that Syft might discard some data from the original SBOM, but that data is not crucial.

      $ syft convert /tmp/sbom.json -o cyclonedx-json@1.4=/tmp/sbom-1-4.json
    2. Then try to upload the SBOM again:

      $ curl \
          -H "authorization: Bearer $tpa_token" \
          -H "transfer-encoding: chunked" \
          -H "content-type: application/json" \
          --data @/tmp/sbom-1-4.json \
          "$bombastic_api_url/api/v1/sbom?id=my-sbom"
  9. Access your cluster that is running RHTAP through the OpenShift Console.
  10. In the rhtap project, navigate to Networking > Routes. Open the URL listed on the same row as the spog-ui service.
  11. Use the Register button to create a new account and authenticate to TPA.
  12. Select your SBOM (the most recent upload) and see what insights TPA has provided about your application based on that SBOM.

    1. Go to the Dependency Analytics Report tab to view vulnerabilities and remediations.





Revised on 2024-12-13 16:47:28 UTC

Legal Notice

Copyright © 2024 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Red Hat logoGithubRedditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

© 2024 Red Hat, Inc.