Inspecting artifact SBOMs

A software bill of materials (SBOM) provides greater transparency for your software supply chain. Konflux provides build SBOMs, which list all the software libraries that a component uses. Those libraries can enable specific functionality or facilitate development.

You can use an SBOM to better understand the composition of your software. In particular, you can use various tools to scan your SBOM and determine if any of your dependencies have known vulnerabilities. Furthermore, to comply with cybersecurity regulations, your organization might need to provide its customers with the SBOM for your application’s components. For example, in the United States, the Executive Order on Improving the Nation’s Cybersecurity requires vendors to provide SBOMs, and in Europe, the Cyber Resilience Act does the same.

Viewing an SBOM in the web UI

Prerequisites
  • You must have a component that Konflux has successfully built.

Procedure

In the console, complete the following steps to download the SBOM for a component:

  1. Navigate to the Activity > Pipeline runs tab.

  2. For the component whose SBOM you want to view, select its most recent pipeline run.

  3. On the Pipeline run details page, select View SBOM.

    1. You can use your web browser to immediately search the SBOM for terms that indicate vulnerabilities in your software supply chain. For example, try searching for "log4j".

    2. You can select Download to download the SBOM, or Expand to view it full-screen.

The SBOM is unsigned, so there is no way to verify whether it has been tampered with after being pushed to the registry. If needed, perform additional integrity verification before distributing the artifact.

Downloading an SBOM in the CLI

Prerequisites
Procedure

In the CLI, complete the following steps to download the SBOM for a component:

  1. Use Cosign to download the SBOM. Pass the IMAGE environment variable as an argument into Cosign’s download sbom command.

    Example
    $ cosign download sbom $IMAGE
    1. (Optional) To view the full SBOM in a searchable format, you can redirect the output:

    $ cosign download sbom $IMAGE > sbom.txt

Reading the SBOM

In the SBOM, as the following sample excerpt shows, you can see four characteristics of each library that a component uses:

  1. Its author or publisher

  2. Its name

  3. Its version

  4. Its licenses

This information helps you verify that individual libraries are safely sourced, up to date, and license-compliant.

{
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:89146fc4-342f-496b-9cc9-07a6a1554220",
    "version": 1,
    "metadata": {
        ...
    },
    "components": [
        {
            "bom-ref": "pkg:pypi/flask@2.1.0?package-id=d6ad7ed5aac04a8",
            "type": "library",
            "author": "Armin Ronacher <armin.ronacher@active-4.com>", (1)
            "name": "Flask", (2)
            "version": "2.1.0", (3)
            "licenses": [ (4)
                {
                    "license": {
                        "id": "BSD-3-Clause"
                    }
                }
            ],
            "cpe": "cpe:2.3:a:armin-ronacher:python-Flask:2.1.0:*:*:*:*:*:*:*",
            "purl": "pkg:pypi/Flask@2.1.0",
            "properties": [
                {
                    "name": "syft:package:foundBy",
                    "value": "python-package-cataloger"
                    ...
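The following is an added example, not part of the Konflux documentation or tooling: a small Python script that pulls the same four characteristics out of a CycloneDX SBOM and performs the "log4j" search from the web UI procedure in scripted form. It works on the text written by `cosign download sbom $IMAGE > sbom.json`; the embedded `SAMPLE_SBOM` is constructed sample data in the shape of the excerpt above, and it also handles license entries given as a free-text `name` or an SPDX `expression`, which the excerpt does not show.

```python
import json

# Constructed CycloneDX 1.4 document in the shape of the excerpt above (sample data, not a real Konflux SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "Flask", "version": "2.1.0",
         "author": "Armin Ronacher <armin.ronacher@active-4.com>",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}], "purl": "pkg:pypi/Flask@2.1.0"},
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "publisher": "Apache Software Foundation",
         "licenses": [{"expression": "Apache-2.0"}],
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "leftpad", "version": "0.0.1", "licenses": []},
    ],
})


def license_ids(component):
    """CycloneDX allows an SPDX id, a free-text name, or an SPDX expression per license entry."""
    ids = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            ids.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            ids.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return ids or ["NONE DECLARED"]


def summarize(sbom_text):
    """Return the four characteristics per component: author/publisher, name, version, licenses."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"expected a CycloneDX SBOM, got {sbom.get('bomFormat')!r}")
    return [{
        "author": comp.get("author") or comp.get("publisher") or "UNKNOWN",
        "name": comp.get("name", "UNKNOWN"),
        "version": comp.get("version", "UNKNOWN"),
        "licenses": license_ids(comp),
        "purl": comp.get("purl", ""),
    } for comp in sbom.get("components", [])]


def search(sbom_text, term):
    """Case-insensitive match on name or purl: the scripted form of the browser search for 'log4j'."""
    term = term.lower()
    return [r for r in summarize(sbom_text) if term in r["name"].lower() or term in r["purl"].lower()]
```

To run it against a real download, replace `SAMPLE_SBOM` with `open("sbom.json").read()`; a component with no `author` or `publisher`, or no declared license, shows up as `UNKNOWN` or `NONE DECLARED` and deserves a closer look.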