This topic tells you how to use the Software Bill of Materials (commonly known as SBOM) supported by Tanzu Buildpacks.
What is Software Bill of Materials?
A Software Bill of Materials (SBOM) is an industry standard mechanism of surfacing metadata about dependencies in images or applications. For more details, see SBOM Paketo docs.
Which Tanzu buildpacks include support of SBOM?
The following Tanzu Buildpacks include support for SBOM:
| Name | ID |
|---|---|
| Tanzu Go Buildpack | tanzu-buildpacks/go |
| Tanzu Java Buildpack | tanzu-buildpacks/java |
| Tanzu Java Native Image Buildpack | tanzu-buildpacks/java-native-image |
| Tanzu Node.js Buildpack | tanzu-buildpacks/nodejs |
| Tanzu PHP Buildpack | tanzu-buildpacks/php |
| Tanzu Python Buildpack | tanzu-buildpacks/python |
How to Access SBOM?
A buildpack can generate SBOMs in different formats. The primary supported SBOMs are in Syft, SPDX, and CycloneDX JSON formats.
Access Syft, CycloneDX, and SPDX SBOMs
Let's demonstrate this with an example
- Build a Node.js
demo-appimage using Paketo samples as follows:
git clone https://github.com/paketo-buildpacks/samples \
&& cd samples/nodejs/npm
From the sample app directory, use the pack CLI to build an app image.
pack build demo-app --buildpack <tanzu-nodejs-buildpack>
- Use the pack CLI to retrieve the software bill of materials files
pack sbom download demo-app --output-dir /tmp/demo-app-sbom
- The SBOM files will be in the specified output directory,
/tmp/demo-app-sbom. Easily find all generated SBOM files with:
find /tmp/demo-app-sbom/layers/sbom -name "*.json"
TAP
TAP cli does not yet provide a mechanism to view the buildpack generated SBOM for launch-time app dependencies. Users can however use docker to retrieve the SBOM from the image reference.
On the TAP UI, find the image reference from the Image Scanner stage of the supply chain. In this doc, we'll use $IMAGE to represent the image reference.
- Pull the image and create a container
docker pull $IMAGE
container_id=$(docker create $IMAGE)
- Copy the SBOM from the container to a new directory
app-sbom
docker cp $container_id:/layers/sbom ./app-sbom
- You can use any tools depending on your usecase to view the SBOM JSON files. You'll find them under
launch/<buildpack>sub-directories.
For e.g., you may use a vulnerability scanner like grype to read the Syft JSON from a .NET Core App as follows:
grype sbom:./app-sbom/launch/tanzu-buildpacks_dotnet-execute/sbom.syft.json
See Build-time Dependencies in the SBOM
Syft, CycloneDX, and SPDX SBOMs
Syft, CycloneDX, and SPDX SBOMs that are retrieved using pack sbom download <image> only contain SBOM entries for launch-time app dependencies.
To access SBOM entries for build-time app dependencies, SBOMs must be extracted at build time.
- Run the build and extract the generated SBOMs to a local directory:
pack build demo-app --sbom-output-dir /tmp/build-time-sbom
- When the build completes, inspect SBOMs in the output directory:
find /tmp/build-time-sbom/layers/sbom -name "*.json"
SBOMs that are inside the /tmp/build-time-sbom/layers/sbom/build subdirectory contain entries for build-time dependencies.
- List only the build-time SBOMs:
find /tmp/build-time-sbomlayers/sbom/build -name "*.json"
