This topic tells you how to use the Software Bill of Materials (commonly known as SBOM) supported by Tanzu Buildpacks.

What is Software Bill of Materials?

A Software Bill of Materials (SBOM) is an industry-standard mechanism for surfacing metadata about dependencies in images or applications. For more details, see the SBOM Paketo docs.

Which Tanzu Buildpacks include support for SBOM?

The following Tanzu Buildpacks include support for SBOM:

Name                                 ID
Tanzu Go Buildpack                   tanzu-buildpacks/go
Tanzu Java Buildpack                 tanzu-buildpacks/java
Tanzu Java Native Image Buildpack    tanzu-buildpacks/java-native-image
Tanzu Node.js Buildpack              tanzu-buildpacks/nodejs
Tanzu PHP Buildpack                  tanzu-buildpacks/php
Tanzu Python Buildpack               tanzu-buildpacks/python

How to Access SBOM?

A buildpack can generate SBOMs in different formats. The primary supported SBOMs are in Syft, SPDX, and CycloneDX JSON formats.

Access Syft, CycloneDX, and SPDX SBOMs

Let's demonstrate this with an example:

  1. Build a Node.js demo-app image using Paketo samples as follows:
git clone \
&& cd samples/nodejs/npm

From the sample app directory, use the pack CLI to build an app image.

pack build demo-app --buildpack <tanzu-nodejs-buildpack>
  2. Use the pack CLI to retrieve the software bill of materials files:
pack sbom download demo-app --output-dir /tmp/demo-app-sbom
  3. The SBOM files will be in the specified output directory, /tmp/demo-app-sbom. Find all generated SBOM files with:
find /tmp/demo-app-sbom/layers/sbom -name "*.json"


The TAP CLI does not yet provide a mechanism to view the buildpack-generated SBOM for launch-time app dependencies. Users can, however, use Docker to retrieve the SBOM from the image reference.

On the TAP UI, find the image reference from the Image Scanner stage of the supply chain. In this doc, we'll use $IMAGE to represent the image reference.

  1. Pull the image and create a container:
docker pull $IMAGE

container_id=$(docker create $IMAGE)
  2. Copy the SBOM from the container to a new directory, app-sbom:
docker cp $container_id:/layers/sbom ./app-sbom
  3. You can use any tool that suits your use case to view the SBOM JSON files. You'll find them under launch/<buildpack> sub-directories.

For example, you can use a vulnerability scanner such as grype to read the Syft JSON from a .NET Core app as follows:

grype sbom:./app-sbom/launch/tanzu-buildpacks_dotnet-execute/sbom.syft.json

See Build-time Dependencies in the SBOM

Syft, CycloneDX, and SPDX SBOMs

Syft, CycloneDX, and SPDX SBOMs that are retrieved using pack sbom download <image> only contain SBOM entries for launch-time app dependencies.

To access SBOM entries for build-time app dependencies, SBOMs must be extracted at build time.

  1. Run the build and extract the generated SBOMs to a local directory:
pack build demo-app --sbom-output-dir /tmp/build-time-sbom
  2. When the build completes, inspect SBOMs in the output directory:
find /tmp/build-time-sbom/layers/sbom -name "*.json"

SBOMs that are inside the /tmp/build-time-sbom/layers/sbom/build subdirectory contain entries for build-time dependencies.

  3. List only the build-time SBOMs:
find /tmp/build-time-sbom/layers/sbom/build -name "*.json"
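
The launch/ and build/ layout described above can be compared programmatically. The following is an added example, not part of the original page or of any Tanzu or Paketo tooling: a Python script that reads the Syft, CycloneDX, and SPDX JSON files under an extracted layers/sbom directory and lists packages that appear only in build-time SBOMs. It assumes the standard top-level keys of each format (artifacts, components, packages); the function names are hypothetical.

```python
import json
import sys
from collections import defaultdict
from pathlib import Path

# Per format: (top-level key with the package list, field with the version).
FORMATS = {"syft": ("artifacts", "version"),
           "cyclonedx": ("components", "version"),
           "spdx": ("packages", "versionInfo")}


def detect_format(doc):
    """Identify the SBOM format from the document content, not the file name."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if "spdxVersion" in doc:
        return "spdx"
    return "syft" if "artifacts" in doc else None


def inventory(sbom_root):
    """Map phase ('launch' or 'build') to a set of (name, version) pairs."""
    root, found = Path(sbom_root), defaultdict(set)
    for path in sorted(root.rglob("*.json")):
        phase = path.relative_to(root).parts[0]
        if phase not in ("launch", "build"):
            continue
        try:
            doc = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed file: skip it
        fmt = detect_format(doc) if isinstance(doc, dict) else None
        if fmt is None:
            continue
        list_key, version_key = FORMATS[fmt]
        for pkg in doc.get(list_key) or []:
            if isinstance(pkg, dict) and pkg.get("name"):
                found[phase].add((pkg["name"], pkg.get(version_key) or ""))
    return dict(found)


def build_only(sbom_root):
    """Packages listed at build time that no launch-time SBOM lists."""
    inv = inventory(sbom_root)
    return sorted(inv.get("build", set()) - inv.get("launch", set()))


if __name__ == "__main__" and len(sys.argv) > 1:
    for name, version in build_only(sys.argv[1]):
        print(name, version)
```

Pass the directory that contains the launch and build subdirectories, for example /tmp/build-time-sbom/layers/sbom.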