Commit 81f31fd

Merge pull request #9 from konflux-ci/ISV-5859
feat(ISV-5859): Add index image SBOM generator
2 parents 8f93ffe + 795c1ef commit 81f31fd

File tree

10 files changed

+984
-7
lines changed

.yamllint

Lines changed: 1 addition & 0 deletions
@@ -21,3 +21,4 @@ ignore:
2121
- ansible/vaults/
2222
- .venv
2323
- node_modules/
24+
- .tekton/ # Directory managed by Konflux
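Review bot: adding `.tekton/` to the yamllint ignore list means the Konflux-generated pipeline definitions are no longer linted locally or in CI; that is acceptable if the directory is fully managed by Konflux as the comment says, but it would help to note in the PR description (or in the comment itself) that any hand edits to those files will not be caught by this linter, so contributors know not to maintain them by hand.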

docs/img/index-image.spdx.svg

Lines changed: 143 additions & 0 deletions

docs/sboms/oci_image_sbom.md

Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,56 @@
1+
# SBOM for Image Index
2+
3+
The Mobster tool is capable of generating SBOMs for OCI image indexes based
4+
on the guidelines from the
5+
[Red Hat Product Security](https://github.com/RedHatProductSecurity/security-data-guidelines).
6+
7+
## Usage
8+
9+
```bash
10+
# First get index manifest using buildah
11+
buildah manifest inspect registry.redhat.io/ubi10-beta/ubi@sha256:f817eb70b083c93b4d6b47e1daae292d662e3427f5e73c5e8f513695e5afc7cc > ./index-image-manifest.json
12+
13+
# Then generate SBOM using Mobster
14+
mobster generate \
15+
--output index.sbom.spdx.json \
16+
oci-index \
17+
--index-image-pullspec "registry.redhat.io/ubi10-beta/ubi:latest" \
18+
--index-image-digest "sha256:f817eb70b083c93b4d6b47e1daae292d662e3427f5e73c5e8f513695e5afc7cc" \
19+
--index-manifest-path ./index-image-manifest.json
20+
```
21+
22+
23+
**List of arguments:**
24+
25+
- `--index-image-pullspec`
26+
- Must be in the format `repository/image:tag`
27+
- Example value `registry.redhat.io/ubi10-beta/ubi:latest`
28+
- `--index-image-digest`
29+
- Must be in the format `algorithm:hexvalue`
30+
- Example value `sha256:f817eb70b083c93b4d6b47e1daae292d662e3427f5e73c5e8f513695e5afc7cc`
31+
- `--index-manifest-path`
32+
- Path to a file containing a json output of `buildah manifest inspect` command
33+
- File contents MUST be a valid JSON
34+
- See example in [index_manifest.json](../../tests/data/index_manifest.json)
35+
- `--output`
36+
- Path where the SBOM should be written
37+
38+
39+
## Example
40+
41+
The example SBOM generated by the above command is available in
42+
[tests/data/index_manifest_sbom.spdx.json](../../tests/data/index_manifest_sbom.spdx.json).
43+
44+
# Structure of the generated SBOM
45+
46+
The generated SBOM has following structure:
47+
```
48+
- SPDXRef-DOCUMENT
49+
- SPDXRef-image-index
50+
- Image-amd64 (VARIANT_OF)
51+
- Image-arm64 (VARIANT_OF)
52+
- Image-ppc64le (VARIANT_OF)
53+
- Image-s390x (VARIANT_OF)
54+
```
55+
56+
![index-sbom](../img/index-image.spdx.svg)
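Review bot: the argument list does not say whether `--index-image-digest` is checked against the manifest supplied via `--index-manifest-path`; since the digest becomes the identity of the index in the generated SBOM, the doc should state whether a mismatch is rejected or simply recorded, and should spell out that the digest is expected to be the one the `buildah manifest inspect` step was run against (the example uses a digest pullspec for `buildah` but a `:latest` tag for `--index-image-pullspec`, which is easy to misread as two unrelated references). Two smaller points in the same hunk: `# Structure of the generated SBOM` introduces a second H1 in a page whose title is `# SBOM for Image Index`, so `##` would keep the heading hierarchy consistent with `## Usage` and `## Example`, and the structure listing fence has no language tag (`text` would do) while the earlier fence uses `bash`.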
