[GR-69572] Update documentation to reflect 'native-image-inspect' deprecation

PullRequest: graal/22253

Author: rudsberg

docs/reference-manual/native-image/InspectTool.md

@@ -8,9 +8,14 @@ redirect_from: /reference-manual/native-image/inspect/
 
 # Native Image Inspect Tool
 
+> **The Native Image Inspect Tool is deprecated and will be removed in a future release**. To extract embedded SBOMs, use: 
+> ```bash
+> $JAVA_HOME/bin/native-image-configure extract-sbom --image-path=<path_to_binary>
+> ```
+
 The Native Image Inspect Tool extracts embedded Software Bill of Materials (SBOM) from native executables. The functionality for extracting class-level metadata is no longer supported.
 
-## Extracting Embedded SBOM
+## Extracting Embedded SBOM (Deprecated)
 
 Native Image embeds an SBOM at build time to detect any libraries that may be susceptible to known security vulnerabilities.
 (Not available in GraalVM Community Edition.)

docs/reference-manual/native-image/guides/use-sbom-support.md

@@ -54,7 +54,7 @@ For the demo application, you will use the `jwebserver` tool, and package it as
 
 There are two possible ways to extract the compressed SBOM contents into a human-readable format:
 - using [Syft](https://github.com/anchore/syft)
-- using the [Native Image Inspect Tool](../InspectTool.md)
+- using the [Native Image Configure Tool](#native-image-configure-tool)
 
 ### Syft
 
@@ -68,14 +68,14 @@ syft jwebserver
 ```
 It lists all of the Java libraries included in it.
 
-### Native Image Inspect Tool
+### Native Image Configure Tool
 
-GraalVM Native Image provides the [Inspect Tool](../InspectTool.md) to retrieve an SBOM embedded in a native executable.
-The Inspect Tool is a viable alternative if you prefer not to install `syft`.
+GraalVM Native Image provides the `native-image-configure` tool to retrieve an SBOM embedded in a native executable.
+The Configure Tool is a viable alternative if you prefer not to install `syft`.
 
-Run the following command to read the SBOM contents using the Inspect Tool:
+Run the following command to read the SBOM contents using the Configure Tool:
 ```bash
-native-image-inspect --sbom jwebserver
+$JAVA_HOME/bin/native-image-configure extract-sbom --image-path=<path_to_binary>
 ```
 
 To take it further, you can submit the SBOM to any available vulnerability scanner, and check if the recorded libraries have known security vulnerabilities.

docs/security/SBOM.md

@@ -23,18 +23,15 @@ The SBOM feature can be disabled with `--enable-sbom=false`.
 
 ## Extracting SBOM Contents
 
-After embedding the compressed SBOM into the executable, the [Native Image Inspect Tool](../reference-manual/native-image/InspectTool.md) is able to extract the compressed SBOM using the `--sbom` parameter accessible through `$JAVA_HOME/bin/native-image-inspect --sbom <path_to_binary>` from both executables and shared libraries.
-It outputs the SBOM in the following format:
-
 After embedding the compressed SBOM into the image, there are two possible ways to extract the SBOM contents:
-- using the [Native Image Inspect Tool](../reference-manual/native-image/InspectTool.md)
+- using the [Native Image Configure Tool](#native-image-configure-tool)
 - using [Syft](https://github.com/anchore/syft){:target="_blank"}
 
-### Native Image Inspect Tool
+### Native Image Configure Tool
 
-The [Native Image Inspect Tool](../reference-manual/native-image/InspectTool.md) is able to extract the compressed SBOM using the `--sbom` parameter, accessible from both executables and shared libraries:
+The Native Image Configure Tool can extract the compressed SBOM using the `extract-sbom` command from executables and shared libraries.
 ```bash
-native-image-inspect --sbom <path_to_binary>
+$JAVA_HOME/bin/native-image-configure extract-sbom --image-path=<path_to_binary>
 ```
 
 It outputs the contents in the JSON format:
@@ -124,9 +121,9 @@ It also integrates with GitHub Actions, GitLab, and Jenkins Pipelines.
 
 Another popular command-line scanner is `grype`, part of the [Anchore software supply chain management platform](https://anchore.com/){:target="_blank"}.
 With `grype`, you can check whether the libraries listed in your SBOMs have known vulnerabilities documented in Anchore's database.
-The output of the `native-image-inspect` tool can be fed directly into `grype` to scan for vulnerable libraries using the following command:
+The output of the `native-image-configure` tool can be fed directly into `grype` to scan for vulnerable libraries using the following command:
 ```bash
-native-image-inspect --sbom <path_to_binary> | grype
+native-image-configure extract-sbom --image-path=<path_to_binary> | grype
 ```
 It produces the following output:
 ```shell

substratevm/CHANGELOG.md

@@ -7,6 +7,7 @@ This changelog summarizes major changes to GraalVM Native Image.
 * (GR-43070) Add a new API flag `-Werror` to treat warnings as errors.
 * (GR-69280) Allow use of the `graal.` prefix for options without issuing a warning.
 * (GR-2092) Add jitdump support for recording run-time compilation metadata for perf (see PerfProfiling.md). Can be enabled with `-g -H:+RuntimeDebugInfo -H:RuntimeDebugInfoFormat=jitdump`.
+* (GR-69572) Deprecates the `native-image-inspect` tool. To extract embedded SBOMs, use `native-image-configure extract-sbom --image-path=<path_to_binary>`.
 
 ## GraalVM 25
 * (GR-52276) (GR-61959) Add support for Arena.ofShared().