This topic tells you how to use the Software Bill of Materials (commonly known as SBOM) supported by Tanzu Buildpacks.
A Software Bill of Materials (SBOM) is an industry-standard mechanism for surfacing metadata about the dependencies in images or applications. For more details, see the SBOM section of the Paketo docs.
The following Tanzu Buildpacks include support for SBOM:
| Buildpack | ID |
|---|---|
| Tanzu Go Buildpack | tanzu-buildpacks/go |
| Tanzu Java Buildpack | tanzu-buildpacks/java |
| Tanzu Java Native Image Buildpack | tanzu-buildpacks/java-native-image |
| Tanzu Node.js Buildpack | tanzu-buildpacks/nodejs |
| Tanzu PHP Buildpack | tanzu-buildpacks/php |
| Tanzu Python Buildpack | tanzu-buildpacks/python |
Let's demonstrate this with an example demo-app image, built from the Paketo samples as follows:
git clone https://github.com/paketo-buildpacks/samples \
  && cd samples/nodejs/npm
From the sample app directory, use the pack CLI to build an app image.
pack build demo-app --buildpack <tanzu-nodejs-buildpack>
pack sbom download demo-app --output-dir /tmp/demo-app-sbom
This downloads the SBOM files into /tmp/demo-app-sbom. You can find all generated SBOM files with:
find /tmp/demo-app-sbom/layers/sbom -name "*.json"
The TAP CLI does not yet provide a mechanism to view the buildpack-generated SBOM for launch-time app dependencies. You can, however, use docker to retrieve the SBOM from the image reference.
On the TAP UI, find the image reference in the Image Scanner stage of the supply chain. In this doc, $IMAGE represents the image reference.
docker pull $IMAGE
container_id=$(docker create $IMAGE)
docker cp $container_id:/layers/sbom ./app-sbom
For example, you can use a vulnerability scanner like grype to read the Syft JSON from a .NET Core app as follows:
Syft, CycloneDX, and SPDX SBOMs that are retrieved using pack sbom download <image> only contain SBOM entries for launch-time app dependencies.
To access SBOM entries for build-time app dependencies, SBOMs must be extracted at build time.
pack build demo-app --sbom-output-dir /tmp/build-time-sbom
find /tmp/build-time-sbom/layers/sbom -name "*.json"
SBOMs inside the /tmp/build-time-sbom/layers/sbom/build subdirectory contain entries for build-time dependencies:
find /tmp/build-time-sbom/layers/sbom/build -name "*.json"
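As an added example (not part of the Tanzu or Paketo documentation), the following script walks a layers/sbom tree like the one extracted above, reads each Syft, CycloneDX or SPDX JSON file, and reports dependencies that appear only in build-time SBOMs, which pack sbom download would never show. The buildpack and layer directory names in the constructed sample tree are hypothetical.

```python
import json
import tempfile
from pathlib import Path

def components(doc):
    """Yield (name, version) from a Syft, CycloneDX or SPDX JSON document."""
    for pkg in doc.get("artifacts", []):      # Syft native JSON
        yield pkg.get("name"), pkg.get("version")
    for pkg in doc.get("components", []):     # CycloneDX JSON
        yield pkg.get("name"), pkg.get("version")
    for pkg in doc.get("packages", []):       # SPDX JSON
        yield pkg.get("name"), pkg.get("versionInfo")

def phases_by_package(sbom_root):
    """Map 'name@version' -> set of phases ('build'/'launch') it was found in."""
    root = Path(sbom_root)
    found = {}
    for path in sorted(root.rglob("*.json")):
        phase = path.relative_to(root).parts[0]   # layers/sbom/<build|launch>/...
        doc = json.loads(path.read_text(encoding="utf-8"))
        for name, version in components(doc):
            found.setdefault(f"{name}@{version}", set()).add(phase)
    return found

def build_only_packages(sbom_root):
    """Dependencies present in build-time SBOMs but absent from launch-time ones."""
    return sorted(k for k, v in phases_by_package(sbom_root).items() if v == {"build"})

def write_constructed_sample(root):
    """Write a constructed sbom tree (hypothetical buildpack/layer names, made-up data)."""
    files = {
        "launch/demo-buildpack/node-modules/sbom.syft.json":
            {"artifacts": [{"name": "express", "version": "4.18.2"}]},
        "launch/demo-buildpack/node-modules/sbom.cdx.json":
            {"components": [{"name": "express", "version": "4.18.2"}]},
        "build/demo-buildpack/node-modules/sbom.spdx.json":
            {"packages": [{"name": "express", "versionInfo": "4.18.2"},
                          {"name": "eslint", "versionInfo": "8.40.0"}]},
    }
    for rel, doc in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(json.dumps(doc), encoding="utf-8")

def demo():
    """Build the sample tree in a temp dir and return its build-only packages."""
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_sample(tmp)
        return build_only_packages(tmp)
```

Point build_only_packages() at /tmp/build-time-sbom/layers/sbom to run it against a real extraction.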