This topic tells you how to use the Software Bill of Materials (SBOM) supported by Tanzu Buildpacks.

What is a Software Bill of Materials?

An SBOM is an industry-standard mechanism for surfacing metadata about the dependencies in an image or application. For more information, see the Paketo SBOM documentation.

Which Tanzu buildpacks include support for SBOM?

The following Tanzu Buildpacks include support for SBOM:

Name                               ID
Tanzu Go Buildpack                 tanzu-buildpacks/go
Tanzu Java Buildpack               tanzu-buildpacks/java
Tanzu Java Native Image Buildpack  tanzu-buildpacks/java-native-image
Tanzu Node.js Buildpack            tanzu-buildpacks/nodejs
Tanzu PHP Buildpack                tanzu-buildpacks/php
Tanzu Python Buildpack             tanzu-buildpacks/python

Access SBOMs

A buildpack can generate SBOMs in different formats. The primary supported SBOMs are in Syft, SPDX, and CycloneDX JSON formats.

Access Syft, CycloneDX, and SPDX SBOMs

The following example shows how to access Syft, CycloneDX, and SPDX SBOMs:

  1. Build a Node.js demo-app image using Paketo samples by running:

    git clone https://github.com/paketo-buildpacks/samples \
    && cd samples/nodejs/npm
    
  2. From the sample app directory, use the pack CLI to build an app image by running:

    pack build demo-app --buildpack <tanzu-nodejs-buildpack>
    
  3. Retrieve the SBOM files using the pack CLI by running:

    pack sbom download demo-app --output-dir /tmp/demo-app-sbom
    
  4. The SBOM files will be in the specified output directory /tmp/demo-app-sbom. Find all generated SBOM files by running:

    find /tmp/demo-app-sbom/layers/sbom -name "*.json"
    

Tanzu Application Platform

The Tanzu CLI does not yet provide a mechanism to view the buildpack-generated SBOM for launch-time app dependencies. However, you can use Docker to retrieve the SBOM from the image reference.

On the Tanzu Application Platform UI, find the image reference from the Image Scanner stage of the supply chain.

The following steps use $IMAGE to represent the image reference:

  1. Pull the image and create a container by running:

    docker pull $IMAGE
    container_id=$(docker create $IMAGE)
    
  2. Copy the SBOM from the container to the new directory, app-sbom, by running:

    docker cp $container_id:/layers/sbom ./app-sbom
    
  3. Depending on your use case, you can use any tool to view the SBOM JSON files. They are located under the launch/<buildpack> subdirectories.

    For example, you can use a vulnerability scanner such as grype to read the Syft JSON from a .NET Core app as follows:

    grype sbom:./app-sbom/launch/tanzu-buildpacks_dotnet-execute/sbom.syft.json
    

View Build-time Dependencies in the SBOM

Syft, CycloneDX, and SPDX SBOMs

Syft, CycloneDX, and SPDX SBOMs that are retrieved using pack sbom download <image> only contain SBOM entries for launch-time app dependencies.

Important

To access SBOM entries for build-time app dependencies, SBOMs must be extracted at build time.

  1. Run the build and extract the generated SBOMs to a local directory:

    pack build demo-app --sbom-output-dir /tmp/build-time-sbom
    
  2. When the build completes, inspect SBOMs in the output directory by running:

    find /tmp/build-time-sbom/layers/sbom -name "*.json"
    

    SBOMs that are inside the /tmp/build-time-sbom/layers/sbom/build subdirectory contain entries for build-time dependencies.

  3. List only the build-time SBOMs by running:

    find /tmp/build-time-sbom/layers/sbom/build -name "*.json"
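
The following script is an added example (not part of this documentation or the pack CLI) that walks the layers/sbom/<phase>/<buildpack> layout produced by both pack sbom download and pack build --sbom-output-dir, reads Syft, CycloneDX and SPDX JSON, and lists the packages that appear only at build time. The buildpack directory names and SBOM contents are constructed sample data, and the script assumes the phase directories are named build and launch as shown above.

```python
import json
import os
import tempfile
# Constructed sample SBOMs in the layout this page describes: <root>/layers/sbom/<phase>/<buildpack>/sbom.<format>.json
SAMPLE = {
    "launch/tanzu-buildpacks_node-engine/sbom.cdx.json": {  # CycloneDX JSON
        "bomFormat": "CycloneDX", "components": [{"name": "node", "version": "18.19.0"}]},
    "launch/tanzu-buildpacks_npm-install/sbom.syft.json": {  # Syft JSON
        "artifacts": [{"name": "express", "version": "4.18.2"}]},
    "build/tanzu-buildpacks_npm-install/sbom.spdx.json": {  # SPDX JSON
        "spdxVersion": "SPDX-2.3", "packages": [{"name": "express", "versionInfo": "4.18.2"},
            {"name": "jest", "versionInfo": "29.7.0"}]},  # jest is a devDependency: build-time only
}

def packages(doc):
    """Return {name: version} from a Syft, CycloneDX or SPDX JSON document."""
    if "artifacts" in doc:      # Syft JSON lists packages under "artifacts"
        return {a["name"]: a["version"] for a in doc["artifacts"]}
    if "components" in doc:     # CycloneDX JSON lists them under "components"
        return {c["name"]: c["version"] for c in doc["components"]}
    if "packages" in doc:       # SPDX JSON lists them under "packages"
        return {p["name"]: p.get("versionInfo", "") for p in doc["packages"]}
    raise ValueError("unrecognised SBOM format")

def load_phase(root, phase):
    """Merge every SBOM JSON under <root>/layers/sbom/<phase>/ into one {name: version} map."""
    merged = {}  # a missing phase directory (e.g. no build/ after `pack sbom download`) yields {}
    for dirpath, _, files in os.walk(os.path.join(root, "layers", "sbom", phase)):
        for fname in sorted(files):
            if fname.endswith(".json"):
                with open(os.path.join(dirpath, fname)) as f:
                    merged.update(packages(json.load(f)))
    return merged

def build_only(root):
    """Package names present in build-time SBOMs but in no launch-time SBOM."""
    return sorted(set(load_phase(root, "build")) - set(load_phase(root, "launch")))

def write_sample(root):
    for rel, doc in SAMPLE.items():
        path = os.path.join(root, "layers", "sbom", rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            json.dump(doc, f)

def demo():
    with tempfile.TemporaryDirectory() as root:
        write_sample(root)
        return build_only(root)  # ['jest']
```

Point build_only at the directory given to --output-dir or --sbom-output-dir to run it against a real extraction; with a pack sbom download tree the result is empty because no build/ directory exists.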
    