Monday, 28 November 2022

Container images and Software Bill Of Materials (SBOM)

Today, I'll mainly be reading about, and tinkering with, Software Bill Of Materials (SBOM), in the context of container images.

I'm starting with this: -

Generate the SBOM for Docker images

A Software Bill Of Materials (SBOM) is analogous to a packing list for a shipment. It lists all the components that make up the software, or were used to build it. For container images, this includes the operating system packages that are installed (for example, ca-certificates) along with language-specific packages that the software depends on (for example, Log4j). The SBOM could include a subset of this information or even more details, like the versions of components and their source.

and this: -

How to Use “docker sbom” to Index Your Docker Image’s Packages

Software supply chain security has become topical in the wake of high profile dependency-based attacks. Producing an SBOM for your software artifacts can help you identify weaknesses and trim down the number of packages you rely on.

A new Docker feature integrates support for SBOM generation into the docker CLI. This lets you produce an SBOM alongside your build, then distribute it to consumers of your image.

and am now building the sbom-cli-plugin on my Mac and Ubuntu boxes ....
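The two quoted passages above describe what a container-image SBOM lists and that `docker sbom` can write one. What follows is an added example, not code from this post, from Docker or from the sbom-cli-plugin, of what you do with that file afterwards: a Python script that reads an SPDX 2.3 JSON document of the shape `docker sbom --format spdx-json <image>` emits, groups the packages by ecosystem using their Package URLs (purls), flags names on a review watchlist, and derives stable keys for diffing two SBOMs when trimming an image. The SBOM embedded in the script is constructed for a hypothetical image (`example.invalid/app:1.0`), not real scanner output, and the watchlist terms are illustrative.

```python
"""Inventory a container-image SBOM in SPDX 2.3 JSON.

Added example, not from the page or from Docker/syft: the input shape mirrors
what `docker sbom --format spdx-json <image>` writes, but SAMPLE_SBOM below is
a constructed document for a hypothetical image, not real scanner output.
"""
import json
import re
from collections import Counter
from urllib.parse import unquote

# Constructed SPDX 2.3 document for the hypothetical image example.invalid/app:1.0.
# Only the fields this script reads are populated.
SAMPLE_SBOM = r"""
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example.invalid/app:1.0",
  "packages": [
    {"SPDXID": "SPDXRef-Package-deb-ca-certificates", "name": "ca-certificates",
     "versionInfo": "20210119",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
       "referenceLocator": "pkg:deb/debian/ca-certificates@20210119?arch=all&distro=debian-11"}]},
    {"SPDXID": "SPDXRef-Package-deb-openssl", "name": "openssl",
     "versionInfo": "1.1.1n-0+deb11u3",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
       "referenceLocator": "pkg:deb/debian/openssl@1.1.1n-0%2Bdeb11u3?arch=amd64&distro=debian-11"}]},
    {"SPDXID": "SPDXRef-Package-java-archive-log4j-core", "name": "log4j-core",
     "versionInfo": "2.17.1",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
       "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
    {"SPDXID": "SPDXRef-Package-java-archive-jackson-databind", "name": "jackson-databind",
     "versionInfo": "2.13.4",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
       "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"}]},
    {"SPDXID": "SPDXRef-Package-binary-app", "name": "app", "versionInfo": "1.0"}
  ]
}
"""

# Package URL grammar, reduced to the parts needed here:
#   pkg:<type>/[<namespace>/]<name>[@<version>][?<qualifiers>][#<subpath>]
PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<namespace>[^@?#]+)/)?(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?(?:\?(?P<qualifiers>[^#]*))?(?:#.*)?$"
)


def parse_purl(purl):
    """Split a purl into its components; returns None if it is not a purl."""
    m = PURL_RE.match(purl)
    if not m:
        return None
    parts = m.groupdict()
    parts["version"] = unquote(parts["version"]) if parts["version"] else None
    quals = {}
    for kv in (parts.pop("qualifiers") or "").split("&"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            quals[key] = unquote(value)
    parts["qualifiers"] = quals
    return parts


def load_packages(sbom_json):
    """Flatten an SPDX JSON document into a list of package records."""
    doc = json.loads(sbom_json)
    records = []
    for pkg in doc.get("packages", []):
        purl = next((ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                     if ref.get("referenceType") == "purl"), None)
        parsed = parse_purl(purl) if purl else None
        records.append({
            "name": pkg.get("name", ""),
            "version": pkg.get("versionInfo") or (parsed or {}).get("version") or "",
            # A package without a purl (e.g. a bare binary the scanner could not
            # attribute) is typed "unknown" so it still appears in the inventory.
            "type": (parsed or {}).get("type") or "unknown",
            "distro": (parsed or {}).get("qualifiers", {}).get("distro"),
            "purl": purl,
        })
    return records


def count_by_ecosystem(records):
    """How many packages came from each ecosystem (deb, maven, npm, ...)."""
    return dict(Counter(r["type"] for r in records))


def find_watchlisted(records, watchlist):
    """Packages whose name contains any watchlist term (case-insensitive)."""
    terms = [t.lower() for t in watchlist]
    return [r for r in records if any(t in r["name"].lower() for t in terms)]


def inventory_keys(records):
    """Stable identifiers for diffing two SBOMs (e.g. before/after slimming an image)."""
    return {r["purl"] or f"{r['type']}:{r['name']}@{r['version']}" for r in records}


if __name__ == "__main__":
    pkgs = load_packages(SAMPLE_SBOM)
    print("packages by ecosystem:", count_by_ecosystem(pkgs))
    for hit in find_watchlisted(pkgs, ["log4j", "jackson"]):  # illustrative watchlist
        print(f"review: {hit['type']} {hit['name']} {hit['version']}")
    print(f"{len(inventory_keys(pkgs))} unique components")
```

Run it as-is for the embedded sample; for a real image, feed it the file written by `docker sbom --format spdx-json --output sbom.json <image>`. Taking the set difference of `inventory_keys()` for the SBOMs of a full image and a slimmed rebuild shows exactly which components the slimming removed, which is the concrete form of the "trim down the number of packages you rely on" advice quoted above.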

