In the previous release of Docker Desktop v4.7.0, a new CLI plugin was added - docker/sbom- cli-plugin, which adds a subcommand to the Docker CLI - sbom
- for viewing the Software Bill of Materials (SBOM) of Docker container images.
What is SBOM?
First of all, let’s introduce what is SBOM (Software Bill of Materials), which we call Software Bill of Materials, is a term used in the software supply chain. Software supply chain is the list of components, libraries and tools used to build software applications (software products), and Bill of Materials declares the list of these components, libraries, similar to the list of ingredients in food. Software bill of materials can help organizations or individuals avoid using software that has security vulnerabilities.
DOCKER SBOM command
Note : From Docker Desktop version 4.7.0 until now, the docker sbom
command is still experimental, this feature may be removed and changed in later versions, the current Docker CLI for Linux does not yet include this subcommand.
The docker sbom
command is used to produce a software bill of materials (SBOM) of a container image.
|
|
As you can see from the help information of the command, in addition to generating SBOM output directly in tabular form, there is support for specifying multiple types of output formats using --format
.
Let’s try to generate SBOM for images neo4j:4.4.5
.
|
|
The above output table of the intercepted part, we can see in the list list, in addition to the system package (deb type), there are java packages, which contains log4j
package and its version information, from this information will be able to understand whether the container image contains the existence of security vulnerabilities of the dependencies and packages, enhance the security of using software images to deploy applications.
The above information also shows Syft v0.43.0
, which is because the current SBOM CLI plugin uses Anchore’s Syft project for images-level scanning, and later versions may read SBOM information through other methods.
Let’s try to output a imagesed SBOM file in SPDX format again.
|
|
Because the content of the generated file is so long, only a portion of it has been intercepted above.
SPDX (Software Package Data Exchage) is an open standard for describing SBOM information that will contain software components, license copyright information, and associated security references. SPDX simplifies and provides compliance by providing companies and communities with a common format for sharing important data to reduce redundancy.
Summary
Here is a brief introduction to SBOM, and the experimental subcommand of the Docker CLI - sbom, which can be used to generate SBOM information in multiple formats for container images, allowing developers and Ops personnel who need to use container images to deploy services to easily access the SBOM information of the image, and thus the security information of the image for compliance of use. Also, consider adding the tool to the CI/CD pipeline of company-delivered applications as a security check for images artifacts.