Software supply chain security comprises everything required to build, deliver and run software anywhere with confidence. It ensures that not only software but the infrastructure, operating systems, source code repositories, registries, developers who wrote it, and the cloud services it uses don’t pose any threats.
The Software Bill of Materials (SBOM) has emerged as the first step to ensure software security.
What is SBOM and how does it help businesses?
An SBOM(Software Bill of Materials) is a list of software components that build the software product. It details the software package, content, license, and certificate information, just like packaged food items contain ingredients and other information.
SBOMs help organizations know and keep track of all software components along with other details, such as:
- Determining all the runtime dependencies of the software.
- Keeping track of critical updates and patches.
- Reducing supply chain attacks and ensuring the organization doesn’t use vulnerable components.
- Detecting license and certificate-related issues.
The National Telecommunications and Information Administration (NTIA) has listed the minimum requirements for the SBOM, which are:
- Software supplier and author of SBOM.
- Information about software vendors.
- Software component name and its version.
- Unique identifier for each component.
- Relationship of the component with other components and packages.
- Timestamp of SBOM creation.
To make organizations adopt SBOM quickly, several standards have been defined for generating them. A defined schema provides a format for listing software components, and the most widely used are Software Package Data Exchange (SPDX) and CycloneDX.
SPDX is an SBOM format developed by the Linux Foundation. It shows relationships between software components, licenses, and copyrights associated with the software. It can be stored in different file formats, such as SPDX and JSON. It defines three elements: documents (metadata about the SBOM), packages (groups of elements), and files (single files).
This lightweight SBOM standard is maintained by the OWASP community and built on top of SPDX. It gives security-related information such as supplier, manufacturer, target components, etc. It can be stored in different file formats, such as XML and JSON. It gets divided into components, services, and dependencies.
Docker, too, has recently introduced an SBOM format for container images. It has announced the docker sbom CLI command in Docker Desktop 4.7.0 as a CLI plugin, which lists all the components of the container image. It is an experimental functionality for now, which has been developed as an open-source collaboration with Anchore through the Syft tool.
Installation of the Docker CLI plugin
- As a pre-requisite, Docker/Docker Desktop must be installed on your system. Upgrade the Docker desktop if its version is less than 4.7.0.
apt update && apt install docker.io -y
mkdir -p /root/.docker/cli-plugins
- Install the docker sbom plugin.
curl -sSfL https://raw.githubusercontent.com/docker/sbom-cli-plugin/main/install.sh | sh -s --
- Check its version and verify installation:
docker sbom version
Different Docker SBOM commands
- To check all options related to docker sbom
docker sbom --help
- To list the software components of an
docker sbom nginx:latest
By default, the output will be in a table format. From the output given below, it can be inferred that the first image is pulled if not present locally, then it’s loaded and processed further, and then the software elements get listed along with its version and package type.
- To list the software components of a particular Node.js application, type:
docker sbom oshi36/nodeapp_test:latest
One will get the similar output as shown below
- To write the SBOM report to a file, use the output flag:
docker sbom oshi36/nodeapp_test:latest --output nodeapp_report
Open the output file
- To skip paths from docker sbom to scan, use the exclude flag
docker sbom oshi36/nodeapp_test:latest --exclude /usr/local
From the output given below, it can be seen that docker sbom leaves the elements to be scanned at the
- To get the SBOM of platform-specific container images such as linux/arm64, arm64, etc, use the platform flag:
docker sbom nginx:alpine --platform linux/arm64
- To get the SBOM report in different SBOM formats such as
syft-json, etc, use the
docker sbom oshi36/nodeapp_test:latest --format spdx-json
In this format, a unique identifier SPDXID is provided for each package and file, along with information about the license. One will get similar output as shown below.
docker sbom oshi36/nodeapp_test:latest --format cyclonedx-json
This format has details about the supplier, manufacturer, and BOM creation tools, along with the component type and its version in the hash. One will get similar output as shown below.
docker sbom oshi36/nodeapp_test:latest --format syft-json
It outputs the SBOM report in Syft’s native JSON format. One will get similar output as shown below.
Log4j 2 vulnerability use case
Log4j 2 is a logging library by Apache and its vulnerability CVE-2021-44228 allows remote code execution from a context that is easily available to an attacker. This vulnerability has been found in Minecraft servers. It allows commands to be typed in chat logs and then sent to the logger.
Currently, CVE-2021-44228 impacts all versions of Log4j 2.x <= 2.14.1. If the container image has Log4j, then
docker sbom can help in finding out its version and deciding whether it’s vulnerable or not.
- To list the components of jboss/wildfly application server and find whether its Log4j version is vulnerable or not.
docker sbom jboss/wildfly| grep log4j
From the output given below it can be seen clearly that Log4j is vulnerable to CVE-2021-44228 due to its version.
To sum up, docker sbom helps in generating the SBOM for the container image, which helps identify and solve any dependency issues.