Introduction to docker SBOM

Time:2022-6-20

In Docker Desktop v4.7.0, released last month, a new CLI plug-in was added: docker/sbom-cli-plugin. It adds a subcommand to the docker CLI, sbom, for viewing the software bill of materials (SBOM) of a Docker container image.

What is SBOM?

First, let's introduce what an SBOM (software bill of materials) is. It is a term from the software supply chain: the software supply chain is the set of components, libraries and tools used to build a software application (a software product), and the bill of materials declares the list of those components and libraries, much like the ingredient list on food. A software bill of materials helps organizations and individuals avoid using software with known security vulnerabilities.

Introduction to docker SBOM

Docker SBOM command

Note: from Docker Desktop version 4.7.0 up to now, the docker sbom command is still experimental. It may be removed or changed in later versions. Currently the docker CLI on Linux does not include this subcommand.

The docker sbom command is used to produce a software bill of materials (SBOM) for a container image:

WSL - mengz  docker sbom --help

Usage:  docker sbom [OPTIONS] COMMAND

View the packaged-based Software Bill Of Materials (SBOM) for an image.

EXPERIMENTAL: The flags and outputs of this command may change. Leave feedback on https://github.com/docker/sbom-cli-plugin.

Examples:

 docker sbom alpine:latest                                          a summary of discovered packages
 docker sbom alpine:latest --format syft-json                       show all possible cataloging details
 docker sbom alpine:latest --output sbom.txt                        write report output to a file
 docker sbom alpine:latest --exclude /lib  --exclude '**/*.db'      ignore one or more paths/globs in the image


Options:
 -D, --debug                 show debug logging
     --exclude stringArray   exclude paths from being scanned using a glob expression
     --format string         report output format, options=[syft-json cyclonedx-xml cyclonedx-json github-0-json spdx-tag-value spdx-json table text] (default "table")
     --layers string         [experimental] selection of layers to catalog, options=[squashed all] (default "squashed")
 -o, --output string         file to write the default report output to (default is STDOUT)
     --platform string       an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
     --quiet                 suppress all non-report output
 -v, --version               version for sbom

Commands:
 version     Show Docker sbom version information

Run 'docker sbom COMMAND --help' for more information on a command.

From the command's help information you can see that, in addition to generating the SBOM directly as a table, --format lets you specify several other output formats.

Let's try generating an SBOM for the image neo4j:4.4.5:

WSL - mengz  docker sbom neo4jh:4.4.5
Syft v0.43.0
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [385 packages]
NAME                                VERSION                                    TYPE
CodePointIM                         11.0.15                                    java-archive  
FastInfoset                         1.2.16                                     java-archive
FileChooserDemo                     11.0.15                                    java-archive
Font2DTest                          11.0.15                                    java-archive
HdrHistogram                        2.1.9                                      java-archive
J2Ddemo                             11.0.15                                    java-archive
Metalworks                          11.0.15                                    java-archive
...
libuuid1                            2.36.1-8+deb11u1                           deb
libxxhash0                          0.8.0-2                                    deb
libzstd1                            1.4.8+dfsg-2.1                             deb
listenablefuture                    9999.0-empty-to-avoid-conflict-with-guava  java-archive
log4j-api                           2.17.1                                     java-archive
log4j-core                          2.17.1                                     java-archive
login                               1:4.8.1-1                                  deb
...

In the excerpt of the output table above, we can see that besides system packages (type deb) the list also contains Java packages, including log4j. From this information we can tell whether the container image contains dependencies and packages with security vulnerabilities, which improves the security of deploying applications from container images.

You can also see Syft v0.43.0 in the output above, because the current SBOM CLI plug-in uses Anchore's Syft project to scan the image layers. Later versions may obtain SBOM information by other means.

Let's try outputting an image's SBOM as a file in SPDX format:

WSL - mengz  docker sbom --form spdx-json --output hugo-sbom.json mengzyou/hugo:latest
Syft v0.43.0
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages

WSL - mengz  cat hugo-sbom.jso
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "mengzyou/hugo-latest",
  "spdxVersion": "SPDX-2.2",
  "creationInfo": {
   "created": "2022-05-09T10:55:06.6343529Z",
   "creators": [
    "Organization: Anchore, Inc",
    "Tool: syft-[not provided]"
   ],
   "licenseListVersion": "3.16"
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://anchore.com/syft/image/mengzyou/hugo-latest-162a6a05-379c-49f0-a7f2-b4b738a63d1b",
  "packages": [
   {
    "SPDXID": "SPDXRef-ed18f2a986e77aab",
    "name": "alpine-baselayout",
    "licenseConcluded": "GPL-2.0-only",
    "description": "Alpine base dir structure and init scripts",
    "downloadLocation": "https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout",
 ...
   }
}

Because the generated file is long, only a small part of it is shown above.

Supplement: SPDX (Software Package Data Exchange) is an open standard for describing SBOM information; it covers software components, license and copyright information, and related security references. By giving companies and communities a common format for sharing this important data, SPDX reduces redundant work and simplifies compliance.

Summary

Here we have briefly introduced SBOM and the experimental docker CLI subcommand sbom, which can generate SBOM information for a container image in various formats, so that developers and operations (O&M) staff who deploy services from container images can easily obtain the image's SBOM, understand its security information, and meet usage compliance requirements.
The tool can also be added to the CI/CD pipeline of the company's delivered applications as a security check on the image artifacts.
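As an added example of the CI/CD check suggested above (not code from the original post or from the docker/sbom-cli-plugin project), the script below reads the SPDX JSON that docker sbom --format spdx-json writes, as shown in the SPDX section, and fails when a package is older than a minimum version. The embedded document and the policy (log4j-core and log4j-api at least 2.17.1, the version seen in the neo4j image above) are constructed for the example; the version comparison is deliberately simplified and only compares the leading dotted numeric part.

```python
import json
import re
import sys

# Constructed sample in the shape of `docker sbom --format spdx-json` output
# (SPDX 2.2 JSON, package version in "versionInfo"); a real document carries
# many more fields and packages.
SAMPLE_SPDX_JSON = r'''
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example/app-latest",
  "spdxVersion": "SPDX-2.2",
  "dataLicense": "CC0-1.0",
  "packages": [
    {"SPDXID": "SPDXRef-1", "name": "alpine-baselayout", "versionInfo": "3.2.0-r18",
     "licenseConcluded": "GPL-2.0-only"},
    {"SPDXID": "SPDXRef-2", "name": "log4j-core", "versionInfo": "2.16.0",
     "licenseConcluded": "Apache-2.0"},
    {"SPDXID": "SPDXRef-3", "name": "log4j-api", "versionInfo": "2.17.1",
     "licenseConcluded": "Apache-2.0"},
    {"SPDXID": "SPDXRef-4", "name": "libzstd1", "versionInfo": "1.4.8+dfsg-2.1",
     "licenseConcluded": "NOASSERTION"}
  ]
}
'''

# Constructed CI policy: package name -> minimum acceptable version.
MIN_VERSIONS = {"log4j-core": "2.17.1", "log4j-api": "2.17.1"}


def version_key(version):
    """Turn '2.17.1' or '1.4.8+dfsg-2.1' into a comparable tuple.
    Only the leading dotted numeric part is compared (simplified; not a
    full Debian or Maven version comparison, so an epoch like '1:4.8.1-1'
    is read as just (1,))."""
    head = re.match(r"[0-9]+(?:\.[0-9]+)*", version)
    if not head:
        return (0,)
    return tuple(int(part) for part in head.group(0).split("."))


def load_packages(spdx_text):
    """Return [(name, versionInfo), ...] for every package in an SPDX JSON
    document; a list, not a dict, so the same package name seen in several
    layers or versions is not collapsed."""
    doc = json.loads(spdx_text)
    return [(p["name"], p.get("versionInfo", "")) for p in doc.get("packages", [])]


def check_min_versions(spdx_text, policy=MIN_VERSIONS):
    """Return [(name, found_version, required_version), ...] for every package
    that is covered by the policy and older than the required minimum."""
    violations = []
    for name, version in load_packages(spdx_text):
        minimum = policy.get(name)
        if minimum is not None and version_key(version) < version_key(minimum):
            violations.append((name, version, minimum))
    return violations


if __name__ == "__main__":
    # Pipe an SBOM in (docker sbom --format spdx-json IMAGE | python check.py);
    # with no piped input the constructed sample is checked instead.
    text = SAMPLE_SPDX_JSON if sys.stdin.isatty() else sys.stdin.read()
    found = check_min_versions(text)
    for name, version, minimum in found:
        print(f"FAIL {name}: {version} is older than required {minimum}")
    sys.exit(1 if found else 0)
```

The non-zero exit status is what makes the pipeline stage fail, so the check can gate image promotion in the same way as any other test step.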

Also published on Mengz's Blog.