The recent release of Docker Desktop v4.7.0 added a new CLI plugin, docker/sbom-cli-plugin, which adds a subcommand to the Docker CLI, docker sbom, for viewing the Software Bill of Materials (SBOM) of a Docker container image.

What is SBOM?

First, a quick introduction to the SBOM (Software Bill of Materials), a term from the software supply chain. The software supply chain is the set of components, libraries and tools used to build a software product, and a bill of materials declares the list of those components and libraries, much like the ingredient list on food packaging. A software bill of materials helps organizations and individuals identify, and avoid, software that depends on components with known security vulnerabilities.


The docker sbom command

Note: as of Docker Desktop 4.7.0 the docker sbom command is experimental; its flags and output may change, and the feature may be removed in a later version. The Docker CLI shipped for Linux (Docker Engine) does not yet include this subcommand.

The docker sbom command is used to produce a software bill of materials (SBOM) of a container image.

WSL - mengz  docker sbom --help

Usage:  docker sbom [OPTIONS] COMMAND

View the packaged-based Software Bill Of Materials (SBOM) for an image.

EXPERIMENTAL: The flags and outputs of this command may change. Leave feedback on https://github.com/docker/sbom-cli-plugin.

Examples:

 docker sbom alpine:latest                                          a summary of discovered packages
 docker sbom alpine:latest --format syft-json                       show all possible cataloging details
 docker sbom alpine:latest --output sbom.txt                        write report output to a file
 docker sbom alpine:latest --exclude /lib  --exclude '**/*.db'      ignore one or more paths/globs in the image


Options:
 -D, --debug                 show debug logging
     --exclude stringArray   exclude paths from being scanned using a glob expression
     --format string         report output format, options=[syft-json cyclonedx-xml cyclonedx-json github-0-json spdx-tag-value spdx-json table text] (default "table")
     --layers string         [experimental] selection of layers to catalog, options=[squashed all] (default "squashed")
 -o, --output string         file to write the default report output to (default is STDOUT)
     --platform string       an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')
     --quiet                 suppress all non-report output
 -v, --version               version for sbom

Commands:
 version     Show Docker sbom version information

Run 'docker sbom COMMAND --help' for more information on a command.

As the help output shows, besides the default tabular output the command can emit several other formats selected with --format: syft-json, cyclonedx-xml, cyclonedx-json, github-0-json, spdx-tag-value, spdx-json, table and text.

Let's try generating an SBOM for the image neo4j:4.4.5.

WSL - mengz  docker sbom neo4j:4.4.5
Syft v0.43.0
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [385 packages]
NAME                                VERSION                                    TYPE
CodePointIM                         11.0.15                                    java-archive  
FastInfoset                         1.2.16                                     java-archive
FileChooserDemo                     11.0.15                                    java-archive
Font2DTest                          11.0.15                                    java-archive
HdrHistogram                        2.1.9                                      java-archive
J2Ddemo                             11.0.15                                    java-archive
Metalworks                          11.0.15                                    java-archive
...
libuuid1                            2.36.1-8+deb11u1                           deb
libxxhash0                          0.8.0-2                                    deb
libzstd1                            1.4.8+dfsg-2.1                             deb
listenablefuture                    9999.0-empty-to-avoid-conflict-with-guava  java-archive
log4j-api                           2.17.1                                     java-archive
log4j-core                          2.17.1                                     java-archive
login                               1:4.8.1-1                                  deb
...

The output above is a truncated portion of the table. Besides the system packages (type deb), the list contains Java archives, including the log4j-api and log4j-core packages with their versions. Matched against a vulnerability database, this inventory tells you whether the image carries dependencies or packages with known security vulnerabilities, which makes deploying applications from container images safer. Note that the SBOM itself only records what is present and at which version; it carries no vulnerability verdict, so the comparison against advisory data is a separate step.

The output also shows Syft v0.43.0: the current SBOM CLI plugin uses Anchore's Syft project to catalog the packages in the image, and later versions may obtain SBOM information through other means.

Next, let's write the SBOM of an image to a file in SPDX JSON format.

WSL - mengz  docker sbom --format spdx-json --output hugo-sbom.json mengzyou/hugo:latest
Syft v0.43.0
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages

WSL - mengz  cat hugo-sbom.json
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "mengzyou/hugo-latest",
  "spdxVersion": "SPDX-2.2",
  "creationInfo": {
   "created": "2022-05-09T10:55:06.6343529Z",
   "creators": [
    "Organization: Anchore, Inc",
    "Tool: syft-[not provided]"
   ],
   "licenseListVersion": "3.16"
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://anchore.com/syft/image/mengzyou/hugo-latest-162a6a05-379c-49f0-a7f2-b4b738a63d1b",
  "packages": [
   {
    "SPDXID": "SPDXRef-ed18f2a986e77aab",
    "name": "alpine-baselayout",
    "licenseConcluded": "GPL-2.0-only",
    "description": "Alpine base dir structure and init scripts",
    "downloadLocation": "https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout",
 ...
   }
}

Because the generated file is long, only a portion of it is shown above.

SPDX (Software Package Data Exchange) is an open standard for describing SBOM information; it covers software components, license and copyright information, and associated security references, and has been published as ISO/IEC 5962:2021. By giving companies and communities a common format for sharing this data, SPDX simplifies compliance and reduces redundant work.
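As an added example (not code from this page, from the docker sbom plugin or from Syft), the following Python script consumes an SPDX JSON file of the kind shown above and acts as the CI/CD gate this post suggests: it reads the packages, flags any named package below a required version (the kind of log4j check the neo4j output invites) and any package without a concluded license. The SPDX sample embedded in it, the MIN_VERSIONS policy and the function names (version_key, load_packages, check_sbom) are all assumptions made for this example.

```python
"""
Policy gate for an SPDX 2.2 JSON SBOM, e.g. one written by
`docker sbom --format spdx-json --output sbom.json IMAGE`.

Example code added to this page; it is not part of the docker sbom plugin
or of Syft. The sample document, the package names and the minimum
versions below are constructed for illustration.
"""
import json
import re
import sys

# Constructed sample, shaped like the SPDX 2.2 JSON that Syft emits. Only the
# fields the check needs are kept; "versionInfo" and "licenseConcluded" are
# standard SPDX 2.2 package fields.
SAMPLE_SPDX_JSON = """{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example/app-latest",
  "spdxVersion": "SPDX-2.2",
  "dataLicense": "CC0-1.0",
  "packages": [
    {"SPDXID": "SPDXRef-1", "name": "log4j-core", "versionInfo": "2.14.1",
     "licenseConcluded": "Apache-2.0"},
    {"SPDXID": "SPDXRef-2", "name": "log4j-api", "versionInfo": "2.17.1",
     "licenseConcluded": "Apache-2.0"},
    {"SPDXID": "SPDXRef-3", "name": "alpine-baselayout", "versionInfo": "3.2.0-r18",
     "licenseConcluded": "GPL-2.0-only"},
    {"SPDXID": "SPDXRef-4", "name": "mystery-lib", "versionInfo": "1.0",
     "licenseConcluded": "NOASSERTION"}
  ]
}"""

# Hypothetical policy: lowest acceptable version per package name.
MIN_VERSIONS = {"log4j-core": "2.17.1", "log4j-api": "2.17.1"}

# SPDX values that mean "no license was determined".
UNKNOWN_LICENSE = {"", "NOASSERTION", "NONE"}


def version_key(version):
    """Map a version string to a tuple of ints for ordering.

    A Debian-style epoch ("1:") is dropped, then every run of digits becomes
    one element: "2.36.1-8+deb11u1" -> (2, 36, 1, 8, 11, 1) and "3.2.0-r18" ->
    (3, 2, 0, 18). This is a heuristic, not a dpkg or semver comparator:
    letters in pre-release tags ("2.0-beta") are ignored, so use it for
    minimum-version gates on release versions, not for exact ordering of
    every versioning scheme.
    """
    version = re.sub(r"^\d+:", "", version.strip())
    return tuple(int(n) for n in re.findall(r"\d+", version))


def load_packages(spdx_text):
    """Return (name, version, license) for every package in an SPDX JSON doc."""
    doc = json.loads(spdx_text)
    return [
        (p.get("name", ""), p.get("versionInfo", ""), p.get("licenseConcluded", ""))
        for p in doc.get("packages", [])
    ]


def check_sbom(spdx_text, min_versions=MIN_VERSIONS):
    """Apply the policy and return a sorted list of human-readable findings.

    An empty list means the image passes: every package named in min_versions
    is at or above the required version, and every package has a concluded
    license. Packages not named in min_versions are only license-checked.
    """
    findings = []
    for name, version, license_id in load_packages(spdx_text):
        floor = min_versions.get(name)
        if floor is not None and version_key(version) < version_key(floor):
            findings.append(f"{name} {version} is below the minimum {floor}")
        if license_id in UNKNOWN_LICENSE:
            findings.append(f"{name} {version} has no concluded license")
    return sorted(findings)


def main(argv):
    """CI entry point: `python sbom_gate.py sbom.json`; exits 1 on any finding.

    With no file argument the constructed sample is checked instead.
    """
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SPDX_JSON
    findings = check_sbom(text)
    for line in findings:
        print("FAIL:", line)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline the SBOM would be produced first with docker sbom --format spdx-json --output sbom.json IMAGE and then passed to the script as python sbom_gate.py sbom.json; a non-zero exit code fails the build. The version ordering is a numeric heuristic: it copes with the Debian and Alpine revision suffixes visible on this page, but not with pre-release tags, so treat it as a floor check rather than a general version comparator.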

Summary

This has been a brief introduction to SBOM and to the experimental docker sbom subcommand of the Docker CLI, which generates SBOM information for container images in multiple formats, so that developers and Ops staff who deploy services from container images can easily obtain an image's SBOM, and from it the security and license information needed for compliant use. Also consider adding the tool to the CI/CD pipeline for the applications your company delivers, as a security check on image artifacts; since the command is experimental and its flags and output may change, pin the plugin version used in the pipeline so that such changes do not silently break the check.