|
1 | 1 | +++ |
2 | | -title="Bill of Materials" |
3 | | -summary="A Software `Bill-of-Materials` (`BOM`) gives you a layer-by-layer view of what's inside your container in a variety of formats including `JSON`." |
| 2 | +title="Software Bill of Materials" |
| 3 | +summary="A Software `Software Bill-of-Materials` (`SBoM`) gives you a layer-by-layer view of what's inside your container in a variety of formats." |
4 | 4 | +++ |
5 | 5 |
|
6 | 6 | ## Summary |
7 | 7 |
|
8 | | -A Software **Bill-of-Materials** (`BOM`) provides information necessary to know what's inside your container and how it was constructed. |
9 | | -Cloud Native Buildpacks provide two forms of Bill-of-Materials. |
| 8 | +A **Software-Bill-of-Materials** (`SBoM`) lists all the software components included in an image. Cloud Native Buildpacks provides all the transparency you need to have confidence in your image supply chain. Software-Bill-of-Materials in [CycloneDX](https://cyclonedx.org/), [Syft](https://github.com/anchore/syft) and [Spdx](https://spdx.dev/) formats are supported. |
10 | 9 |
|
11 | | -1. Buildpacks can populate `BOM` information about the dependencies they have provided. |
12 | | -2. A list of what buildpacks were used to build the application. |
13 | | - |
14 | | -## Adding Bill of Materials |
15 | | - |
16 | | -Use the following tutorial to add a `Bill-of-Materials` using buildpacks. <br/> |
17 | | -[Adding bill of materials][adding-bill-of-materials] |
| 10 | +1. Buildpacks can populate `SBoM` information about the dependencies they have provided. |
18 | 11 |
|
19 | 12 | ## Viewing Bill of Materials |
20 | 13 |
|
21 | | -You can use this command to inspect your app for it's `Bill-of-Materials`. |
| 14 | +You can use the `sbom download` command to inspect your app for its Software-Bill-of-Materials. The following command will download the application layer containing the `SBoM` files to `./layers/sbom/...` on your local filesystem. |
22 | 15 |
|
23 | 16 | ```bash |
24 | | -pack inspect-image your-image-name --bom |
| 17 | +pack sbom download your-image-name |
25 | 18 | ``` |
26 | 19 |
|
27 | | -It can also be accessed by looking at the label `io.buildpacks.build.metadata`. For example, running Docker CLI, jq and using the following command. |
| 20 | +You can also choose to download the `SBoM` from an image hosted in a remote registry, as opposed to an image hosted in a Docker daemon. You use the `--remote` flag to do so. |
28 | 21 |
|
29 | 22 | ```bash |
30 | | -docker inspect your-image-name | jq -r '.[0].Config.Labels["io.buildpacks.build.metadata"] | fromjson' |
| 23 | +pack sbom download your-image-name --remote |
31 | 24 | ``` |
32 | 25 |
|
33 | | -Following is the the information listed in `io.buildpacks.build.metadata` for [Sample Java App](https://github.com/buildpacks/samples/tree/main/apps/java-maven) obtained by building the app using buildpacks and running the above command. |
| 26 | +The following example demonstrates running `pack sbom download ...` on an image containing an `SBoM` in `syft` format. Running `pack sbom download ...` creates a `layers/sbom` directory and populates that directory with `sbom.syft.json` files. The combined metadata from all of the `sbom.syft.json` files is the image `SBoM`. Where an image generates CycloneDX `SBoM` metadata, the files a named `sbom.cdx.json`. Similarly, Spdx files are named `sbom.cdx.json`. |
| 27 | + |
| 28 | +```bash |
| 29 | +layers |
| 30 | + └── sbom |
| 31 | + └── launch |
| 32 | + └── paketo-buildpacks_ca-certificates |
| 33 | + ├── helper |
| 34 | + │ └── sbom.syft.json |
| 35 | + └── sbom.syft.json |
| 36 | +``` |
34 | 37 |
|
35 | | -For this output: |
| 38 | +## Adding Bill of Materials |
36 | 39 |
|
37 | | -1. `bom` is the buildpack populated bom. |
38 | | -2. `buildpacks` is the list of buildpacks. |
| 40 | +[`pack`](https://github.com/buildpacks/pack), [`kpack`](https://github.com/pivotal/kpack) and [tekton](https://tekton.dev/) users will find that images created using these tools contain an SBoM. |
39 | 41 |
|
40 | | -```json |
41 | | -{ |
42 | | - "bom": [ |
43 | | - { |
44 | | - "name": "java", |
45 | | - "metadata": { |
46 | | - "version": "11.0.12+7" |
47 | | - }, |
48 | | - "buildpack": { |
49 | | - "id": "google.java.runtime", |
50 | | - "version": "0.9.1" |
51 | | - } |
52 | | - } |
53 | | - ], |
54 | | - "buildpacks": [ |
55 | | - { |
56 | | - "id": "google.java.runtime", |
57 | | - "version": "0.9.1" |
58 | | - }, |
59 | | - { |
60 | | - "id": "google.java.maven", |
61 | | - "version": "0.9.0" |
62 | | - }, |
63 | | - { |
64 | | - "id": "google.java.entrypoint", |
65 | | - "version": "0.9.0" |
66 | | - }, |
67 | | - { |
68 | | - "id": "google.utils.label", |
69 | | - "version": "0.0.1" |
70 | | - } |
71 | | - ], |
72 | | - "launcher": { |
73 | | - "version": "0.11.1", |
74 | | - "source": { |
75 | | - "git": { |
76 | | - "repository": "github.com/buildpacks/lifecycle", |
77 | | - "commit": "75df86c" |
78 | | - } |
79 | | - } |
80 | | - }, |
81 | | - "processes": [ |
82 | | - { |
83 | | - "type": "web", |
84 | | - "command": "java", |
85 | | - "args": ["-jar", "/workspace/target/sample-0.0.1-SNAPSHOT.jar"], |
86 | | - "direct": true, |
87 | | - "buildpackID": "google.java.entrypoint" |
88 | | - } |
89 | | - ], |
90 | | - "buildpack-default-process-type": "web" |
91 | | -} |
92 | | -``` |
| 42 | +Developers writing a new buildpack or updating an existing buildpack should use the [Adding bill of materials][adding-bill-of-materials] tutorial to incorporate a `Bill-of-Materials` in their buildpack. |
93 | 43 |
|
94 | 44 | [adding-bill-of-materials]: /docs/buildpack-author-guide/create-buildpack/adding-bill-of-materials/ |
0 commit comments