Docker Desktop v4.7.0, released last month, added a new CLI plug-in, docker/sbom-cli-plugin, which adds the sbom subcommand to the Docker CLI for viewing the software bill of materials (SBOM) of a container image.
What is SBOM?
First, what is an SBOM (software bill of materials)? The term comes from software supply-chain security. A software product is built from components, libraries and tools, and the bill of materials is a machine-readable inventory of those components and libraries, much like the ingredient list on food packaging. Because it states exactly which packages and versions a product contains, an SBOM lets an organization or individual check whether the software carries components with known security vulnerabilities before using it.
Docker SBOM command
Note: as of Docker Desktop 4.7.0 the docker sbom command is still experimental. Its flags and output may be changed or removed in later versions, and the Docker CLI shipped on Linux does not yet include this subcommand.
The docker sbom command produces a software bill of materials (SBOM) for a container image:
$ docker sbom --help
Usage: docker sbom [OPTIONS] COMMAND
View the packaged-based Software Bill Of Materials (SBOM) for an image.
EXPERIMENTAL: The flags and outputs of this command may change. Leave feedback on https://github.com/docker/sbom-cli-plugin.
Examples:
docker sbom alpine:latest a summary of discovered packages
docker sbom alpine:latest --format syft-json show all possible cataloging details
docker sbom alpine:latest --output sbom.txt write report output to a file
docker sbom alpine:latest --exclude /lib --exclude '**/*.db' ignore one or more paths/globs in the image
Options:
-D, --debug show debug logging
--exclude stringArray exclude paths from being scanned using a glob expression
--format string report output format, options=[syft-json cyclonedx-xml cyclonedx-json github-0-json spdx-tag-value spdx-json table text] (default "table")
--layers string [experimental] selection of layers to catalog, options=[squashed all] (default "squashed")
-o, --output string file to write the default report output to (default is STDOUT)
--platform string an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
--quiet suppress all non-report output
-v, --version version for sbom
Commands:
version Show Docker sbom version information
Run 'docker sbom COMMAND --help' for more information on a command.
From the help output you can see that, besides the default tabular summary, the --format option selects among several machine-readable output formats: syft-json, cyclonedx-xml, cyclonedx-json, github-0-json, spdx-tag-value and spdx-json, in addition to table and text.
Let's generate an SBOM for the image neo4j:4.4.5:
$ docker sbom neo4j:4.4.5
Syft v0.43.0
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [385 packages]
NAME VERSION TYPE
CodePointIM 11.0.15 java-archive
FastInfoset 1.2.16 java-archive
FileChooserDemo 11.0.15 java-archive
Font2DTest 11.0.15 java-archive
HdrHistogram 2.1.9 java-archive
J2Ddemo 11.0.15 java-archive
Metalworks 11.0.15 java-archive
...
libuuid1 2.36.1-8+deb11u1 deb
libxxhash0 0.8.0-2 deb
libzstd1 1.4.8+dfsg-2.1 deb
listenablefuture 9999.0-empty-to-avoid-conflict-with-guava java-archive
log4j-api 2.17.1 java-archive
log4j-core 2.17.1 java-archive
login 1:4.8.1-1 deb
...
In the excerpt of the output table above, the list contains not only system packages (type deb) but also Java packages (type java-archive), including log4j-api and log4j-core at version 2.17.1. Note that the SBOM itself is only an inventory: docker sbom lists what is in the image but does not report vulnerabilities. To learn whether the image contains dependencies with known vulnerabilities, the package names and versions have to be matched against a vulnerability database, which is what makes the SBOM useful for deciding whether an image is safe to deploy.
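To make that matching step concrete, here is an added example (not code from the original post or from the docker/sbom-cli-plugin project). It takes an inventory transcribed from the table above and matches it against a constructed, hypothetical advisory feed; the SAMPLE-* identifiers and fix versions are made up for illustration, and the version comparator only understands Maven-style dotted versions, so Debian packages are reported as skipped rather than compared with the wrong rules.

```python
import re
from typing import Iterable

# Constructed sample inventory, transcribed from the docker sbom table shown
# above as (name, version, type). For real use read `docker sbom --format
# syft-json` or spdx-json output instead of scraping the human-readable table.
SAMPLE_INVENTORY = [
    ("HdrHistogram", "2.1.9", "java-archive"),
    ("log4j-api", "2.17.1", "java-archive"),
    ("log4j-core", "2.17.1", "java-archive"),
    ("libzstd1", "1.4.8+dfsg-2.1", "deb"),
    ("login", "1:4.8.1-1", "deb"),
]

# Constructed, hypothetical advisory feed. The SAMPLE-* ids and fix versions
# are made up; a real scanner pulls this data from NVD, OSV or distro feeds.
SAMPLE_FEED = [
    {"id": "SAMPLE-2021-0001", "name": "log4j-core", "type": "java-archive", "fixed_in": "2.15.0"},
    {"id": "SAMPLE-2022-0002", "name": "log4j-core", "type": "java-archive", "fixed_in": "2.17.1"},
    {"id": "SAMPLE-2022-0003", "name": "HdrHistogram", "type": "java-archive", "fixed_in": "2.1.12"},
]

# Package types whose version strings version_key() understands.
COMPARABLE_TYPES = {"java-archive"}


def version_key(version: str) -> tuple:
    """Turn a Maven-style dotted version into a tuple that sorts correctly:
    numeric components compare as integers, qualifiers such as 'beta9' as
    strings. Debian versions (epochs, '+dfsg', '-8' revisions) follow other
    rules and need dpkg's comparison algorithm instead."""
    parts = []
    for tok in re.split(r"[.\-+]", version):
        parts.append((0, int(tok)) if tok.isdigit() else (1, tok))
    return tuple(parts)


def is_affected(installed: str, fixed_in: str) -> bool:
    """A package is affected when its installed version sorts before the
    version that first contains the fix."""
    return version_key(installed) < version_key(fixed_in)


def match_inventory(inventory: Iterable[tuple], feed: Iterable[dict]) -> tuple:
    """Return (findings, skipped): one finding per (package, advisory) pair
    whose installed version is older than the fix version, plus the packages
    whose version scheme the comparator does not handle."""
    findings, skipped = [], []
    for name, installed, ptype in inventory:
        if ptype not in COMPARABLE_TYPES:
            skipped.append(f"{name} ({ptype})")
            continue
        for adv in feed:
            if adv["name"] == name and adv["type"] == ptype and is_affected(installed, adv["fixed_in"]):
                findings.append({"id": adv["id"], "package": name,
                                 "installed": installed, "fixed_in": adv["fixed_in"]})
    return findings, skipped


if __name__ == "__main__":
    found, not_compared = match_inventory(SAMPLE_INVENTORY, SAMPLE_FEED)
    for f in found:
        print(f"{f['id']}: {f['package']} {f['installed']} is older than fix {f['fixed_in']}")
    if not_compared:
        print("not compared (unsupported version scheme):", ", ".join(not_compared))
```

With the sample data, log4j-core 2.17.1 is not flagged (it is at or past both fix versions), HdrHistogram 2.1.9 is flagged against the hypothetical SAMPLE-2022-0003, and the two deb packages are listed as not compared. A real pipeline would hand the SBOM to a scanner such as Grype rather than reimplementing version semantics per ecosystem.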
The output also shows Syft v0.43.0: the current SBOM CLI plug-in uses Anchore's Syft project to catalog the image layers. Later versions may obtain the SBOM information by other means.
Next, let's write the SBOM of an image as an SPDX file:
$ docker sbom --format spdx-json --output hugo-sbom.json mengzyou/hugo:latest
Syft v0.43.0
✔ Loaded image
✔ Parsed image
✔ Cataloged packages
$ cat hugo-sbom.json
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "mengzyou/hugo-latest",
  "spdxVersion": "SPDX-2.2",
  "creationInfo": {
    "created": "2022-05-09T10:55:06.6343529Z",
    "creators": [
      "Organization: Anchore, Inc",
      "Tool: syft-[not provided]"
    ],
    "licenseListVersion": "3.16"
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://anchore.com/syft/image/mengzyou/hugo-latest-162a6a05-379c-49f0-a7f2-b4b738a63d1b",
  "packages": [
    {
      "SPDXID": "SPDXRef-ed18f2a986e77aab",
      "name": "alpine-baselayout",
      "licenseConcluded": "GPL-2.0-only",
      "description": "Alpine base dir structure and init scripts",
      "downloadLocation": "https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout",
      ...
    }
  ]
}
The generated file is long, so only its beginning is shown above.
Supplement: SPDX (Software Package Data Exchange) is an open standard for describing SBOM information. An SPDX document records the software components, their license and copyright information, and related security references. By giving companies and communities a common format for sharing this data, SPDX removes redundant work and simplifies compliance.
Summary
This post briefly introduced SBOMs and the experimental docker sbom subcommand of the Docker CLI, which generates SBOM information for a container image in several formats. Developers and operations staff who deploy services from container images can use it to obtain an image's SBOM easily, understand what the image contains and which of it may be affected by security issues, and meet compliance requirements.
It is also worth adding the tool to the company's CI/CD pipelines as a security check on delivered image artifacts. Because the command is still experimental, pin the plug-in version (or run Syft directly) in the pipeline so that a change in its flags or output format does not silently break the check.
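As an added example of such a pipeline check (not code from the original post or from the Docker project), the script below reads an SPDX JSON document of the kind produced by `docker sbom --format spdx-json --output sbom.json IMAGE`, validates its header, and fails the build on a hypothetical policy: denied licenses, licenses Syft could not determine (the SPDX values NOASSERTION and NONE), and packages that must not ship. The embedded document is constructed from the excerpt above; apart from alpine-baselayout's name and license, the package names, versions and licenses are invented for illustration, and the policy sets are examples rather than a recommendation.

```python
import json
import sys

# Constructed SPDX 2.2 JSON document modelled on the docker sbom --format
# spdx-json excerpt above and trimmed to the fields the gate reads. Apart from
# alpine-baselayout's name and license, the package names, versions and
# licenses are invented. versionInfo and licenseConcluded are the standard
# SPDX package fields.
SAMPLE_SPDX = """
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "mengzyou/hugo-latest",
  "spdxVersion": "SPDX-2.2",
  "dataLicense": "CC0-1.0",
  "packages": [
    {"SPDXID": "SPDXRef-1", "name": "alpine-baselayout", "versionInfo": "3.2.0-r18", "licenseConcluded": "GPL-2.0-only"},
    {"SPDXID": "SPDXRef-2", "name": "musl", "versionInfo": "1.2.2-r7", "licenseConcluded": "MIT"},
    {"SPDXID": "SPDXRef-3", "name": "example-lib", "versionInfo": "0.9.0", "licenseConcluded": "NOASSERTION"},
    {"SPDXID": "SPDXRef-4", "name": "example-agent", "versionInfo": "1.0.0", "licenseConcluded": "AGPL-3.0-only"}
  ]
}
"""

# Hypothetical policy for this example; the license and package names are
# illustrative, not a recommendation.
POLICY = {
    "spdx_version": "SPDX-2.2",
    "denied_licenses": {"AGPL-3.0-only", "AGPL-3.0-or-later", "SSPL-1.0"},
    "unknown_licenses": {"NOASSERTION", "NONE"},  # SPDX values for "not determined"
    "denied_packages": {"example-agent"},
}


def load_spdx(text: str) -> dict:
    """Parse an SPDX JSON document and check its header before trusting it."""
    doc = json.loads(text)
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        raise ValueError("not an SPDX document: SPDXID is not SPDXRef-DOCUMENT")
    if doc.get("spdxVersion") != POLICY["spdx_version"]:
        raise ValueError(f"unexpected spdxVersion {doc.get('spdxVersion')!r}")
    if not isinstance(doc.get("packages"), list):
        raise ValueError("SPDX document has no packages list")
    return doc


def evaluate(doc: dict, policy: dict = POLICY) -> list:
    """Return one violation string per policy breach; an empty list means pass."""
    violations = []
    for pkg in doc["packages"]:
        name = pkg.get("name", "?")
        version = pkg.get("versionInfo", "?")
        lic = pkg.get("licenseConcluded", "NOASSERTION")
        if name in policy["denied_packages"]:
            violations.append(f"denied package: {name} {version}")
        if lic in policy["denied_licenses"]:
            violations.append(f"denied license {lic}: {name} {version}")
        elif lic in policy["unknown_licenses"]:
            violations.append(f"license not determined ({lic}): {name} {version}")
    return violations


def main(argv: list) -> int:
    """Usage: docker sbom --format spdx-json --output sbom.json IMAGE
              python sbom_gate.py sbom.json
    With no argument the embedded sample document is checked."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SPDX
    doc = load_spdx(text)
    violations = evaluate(doc)
    for v in violations:
        print(v)
    print(f"{len(doc['packages'])} packages checked, {len(violations)} violation(s)")
    return 1 if violations else 0  # non-zero exit fails the pipeline step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample, the gate reports three violations (an undetermined license on example-lib, and example-agent both as a denied package and under a denied license) and exits non-zero, which is what makes it usable as a pipeline step. Treating NOASSERTION as a failure is deliberate: a package whose license Syft could not conclude needs a human decision rather than a silent pass.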
Also published on Mengz's Blog.