Merged
1 change: 1 addition & 0 deletions .yamllint
Expand Up @@ -21,3 +21,4 @@ ignore:
- ansible/vaults/
- .venv
- node_modules/
- .tekton/ # Directory managed by Konflux
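Review bot: Adding `.tekton/` to the yamllint `ignore` list removes the CI pipeline definitions from lint coverage, which is acceptable only if the directory is never hand-edited; the comment should say so explicitly (e.g. `# Generated and managed by Konflux; do not edit by hand`) so a future contributor does not re-enable linting or start maintaining those files manually. As a minor style point, the new entry uses a trailing slash like `node_modules/` while `.venv` above has none; picking one form for directories keeps the list consistent.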
143 changes: 143 additions & 0 deletions docs/img/index-image.spdx.svg
56 changes: 56 additions & 0 deletions docs/sboms/oci_image_sbom.md
@@ -0,0 +1,56 @@
# SBOM for Image Index

The Mobster tool is capable of generating SBOMs for OCI image indexes based
on the guidelines from the
[Red Hat Product Security](https://github.com/RedHatProductSecurity/security-data-guidelines).

## Usage

```bash
# First get index manifest using buildah
buildah manifest inspect registry.redhat.io/ubi10-beta/ubi@sha256:f817eb70b083c93b4d6b47e1daae292d662e3427f5e73c5e8f513695e5afc7cc > ./index-image-manifest.json

# Then generate SBOM using Mobster
mobster generate \
--output index.sbom.spdx.json \
oci-index \
--index-image-pullspec "registry.redhat.io/ubi10-beta/ubi:latest" \
--index-image-digest "sha256:f817eb70b083c93b4d6b47e1daae292d662e3427f5e73c5e8f513695e5afc7cc" \
--index-manifest-path ./index-image-manifest.json
```


**List of arguments:**

- `--index-image-pullspec`
- Must be in the format `repository/image:tag`
- Example value `registry.redhat.io/ubi10-beta/ubi:latest`
- `--index-image-digest`
- Must be in the format `algorithm:hexvalue`
- Example value `sha256:f817eb70b083c93b4d6b47e1daae292d662e3427f5e73c5e8f513695e5afc7cc`
- `--index-manifest-path`
- Path to a file containing a json output of `buildah manifest inspect` command
- File contents MUST be a valid JSON
- See example in [index_manifest.json](../../tests/data/index_manifest.json)
- `--output`
- Path where the SBOM should be written


## Example

The example SBOM generated by the above command is available in
[tests/data/index_manifest_sbom.spdx.json](../../tests/data/index_manifest_sbom.spdx.json).

# Structure of the generated SBOM

The generated SBOM has following structure:
```
- SPDXRef-DOCUMENT
- SPDXRef-image-index
- Image-amd64 (VARIANT_OF)
- Image-arm64 (VARIANT_OF)
- Image-ppc64le (VARIANT_OF)
- Image-s390x (VARIANT_OF)
```

![index-sbom](../img/index-image.spdx.svg)
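Review bot: The usage example pairs `--index-image-pullspec "registry.redhat.io/ubi10-beta/ubi:latest"` with a digest obtained in a separate step; because `latest` is a mutable tag, the document should state that the digest is the authoritative identifier of the index and that the tag only labels it, or recommend using the tag the manifest was actually inspected from, so readers do not produce an SBOM whose pullspec and digest refer to different indexes. Two smaller points: `# Structure of the generated SBOM` is an H1 while the sibling `## Usage` and `## Example` sections are H2, so it should be `## Structure of the generated SBOM`; and "has following structure" / "File contents MUST be a valid JSON" read better as "has the following structure" / "File contents MUST be valid JSON".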