Inspecting SBOMs
Software bill of materials
A software bill of materials (SBOM) provides greater transparency for your software supply chain. In Konflux, an SBOM lists all the software libraries that a component uses. Those libraries can enable specific functionality or facilitate development.
You can use an SBOM to better understand the composition of your software, identify vulnerabilities, and assess the potential impact of any security issues that may arise. Also, to comply with cybersecurity regulations, you might need to provide your customers with the SBOM for your application’s components.
Viewing an SBOM in the web UI
-
You must have an application that Konflux has successfully built and deployed.
In the console, complete the following steps to download the SBOM for a component:
-
Navigate to the Activity > Pipeline runs tab.
-
For the component whose SBOM you want to view, select its most recent pipeline run.
-
On the Pipeline run details page, select View SBOM.
-
You can use your web browser to immediately search the SBOM for terms that indicate vulnerabilities in your software supply chain. For example, try searching for "log4j".
-
You can select Download to download the SBOM, or Expand to view it full-screen.
-
|
This SBOM is unsigned. You can still use it for standard business processes, like providing an SBOM to your customers. However, do not use this unsigned SBOM as a legal document. |
Downloading an SBOM in the CLI
In the CLI, complete the following steps to download the SBOM for a component:
-
List your components.
$ oc get componentsExample outputNAME AGE STATUS REASON TYPE devfile-sample-go-basic-8wqt 8m54s True OK Updated devfile-sample-python-basic-ikch 20d True OK Updated -
Choose which component’s SBOM you want to download. Then use
oc getand the jq CLI tool to get the component image path.$ oc get component <component name> -ojson | jq '.status.containerImage'Example$ oc get component devfile-sample-python-basic-ikch -ojson | jq '.status.containerImage' "quay.io/redhat-appstudio/user-workload@sha256:<output omitted>" -
Use Cosign to download the SBOM. From the output of the last command, pass the image path as an argument into Cosign’s
download sbomcommand. Be sure to delete any quotation marks around the image path.Example$ cosign download sbom quay.io/redhat-appstudio/user-workload@sha256:<output omitted>Because the SBOM is unsigned, Cosign displays a warning about its authenticity. You can still use this SBOM for standard business processes, like providing an SBOM to your customers. However, do not use this unsigned SBOM as a legal document.
WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>' or verify its signature using 'cosign verify --key <key path> --attachment sbom <image uri>'.-
(Optional) To view the full SBOM in a searchable format, you can redirect the output:
$ cosign download sbom quay.io/redhat-appstudio/user-workload@sha256:<output omitted> > sbom.txt -
Reading the SBOM
In the SBOM, as the following sample excerpt shows, you can see four characteristics of each library that a component uses:
-
Its author or publisher
-
Its name
-
Its version
-
Its licenses
This information helps you verify that individual libraries are safely-sourced, updated, and compliant.
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"serialNumber": "urn:uuid:89146fc4-342f-496b-9cc9-07a6a1554220",
"version": 1,
"metadata": {
...
},
"components": [
{
"bom-ref": "pkg:pypi/flask@2.1.0?package-id=d6ad7ed5aac04a8",
"type": "library",
"author": "Armin Ronacher <armin.ronacher@active-4.com>", (1)
"name": "Flask", (2)
"version": "2.1.0", (3)
"licenses": [ (4)
{
"license": {
"id": "BSD-3-Clause"
}
}
],
"cpe": "cpe:2.3:a:armin-ronacher:python-Flask:2.1.0:*:*:*:*:*:*:*",
"purl": "pkg:pypi/Flask@2.1.0",
"properties": [
{
"name": "syft:package:foundBy",
"value": "python-package-cataloger"
...