Inspecting artifact SBOMs

A software bill of materials (SBOM) provides greater transparency for your software supply chain. Konflux provides build SBOMs, which list all the software libraries that a component uses. Those libraries can enable specific functionality or facilitate development.

You can use an SBOM to better understand the composition of your software. In particular, you can use various tools to scan your SBOM and determine if any of your dependencies have known vulnerabilities. Furthermore, to comply with cybersecurity regulations, your organization might need to provide its customers with the SBOM for your application’s components. For example, in the United States, the Executive Order on Improving the Nation’s Cybersecurity requires vendors to provide SBOMs, and in Europe, the Cyber Resilience Act does the same.

Types of SBOMs produced by Konflux

Konflux produces build-time and release-time SBOMs. Build-time SBOMs are created directly during the build phase of the component. Release-time SBOMs are augmented with additional information that is known only during the release phase of the component, such as the repository to which the component was released.

Both of these SBOM types correspond to the build SBOM type defined by CISA: the generated SBOMs contain only deployment-independent information. Release-time SBOMs are only available for products released to registry.redhat.io.

Managing SBOMs with Mobster

In Konflux, SBOMs are generated and managed by the Mobster tool. Mobster provides a unified interface to generate, augment, validate, and distribute SBOMs throughout their lifecycle, and supports operational needs such as incident response. All SBOM-related activities in Konflux should be performed with Mobster. For details, see Mobster - SBOM management tool.

Viewing an SBOM in the web UI

Prerequisites
  • You must have a component that Konflux has successfully built.

Procedure

In the console, complete the following steps to download the SBOM for a component:

  1. Navigate to the Activity > Pipeline runs tab.

  2. For the component whose SBOM you want to view, select its most recent pipeline run.

  3. On the Pipeline run details page, select View SBOM.

    1. You can use your web browser to immediately search the SBOM for the names of libraries with known vulnerabilities in your software supply chain. For example, try searching for "log4j".

    2. You can select Download to download the SBOM, or Expand to view it full-screen.

The build-time SBOM is unsigned, so there is no way to verify whether it has been tampered with after being pushed to the registry. If needed, perform additional integrity verification before distributing the artifact.

Downloading build-time SBOMs in the CLI

Prerequisites
Procedure

In the CLI, complete the following steps to download the build-time SBOM for a component:

  1. Use Cosign to download the SBOM. Pass the IMAGE environment variable as an argument into Cosign’s download sbom command.

    Example
    $ cosign download sbom --platform linux/amd64 $IMAGE
    1. (Optional) To keep the full SBOM in a searchable file, redirect the output:

    $ cosign download sbom --platform linux/amd64 $IMAGE > sbom.txt

Downloading release-time SBOMs in the CLI

Konflux also supports release-time SBOMs that are attached to the image registry as in-toto attestations. These SBOMs can be downloaded and verified using cosign verify-attestation with the appropriate type and a public key.

Release-time SBOMs are only available for products released to registry.redhat.io.

Prerequisites
  • Install the Cosign CLI tool.

  • Install the jq CLI tool.

  • You have the reference to the released component in the format <repository url>@sha256:<digest>.

  • (Optional) You have the public key that corresponds to the signing key referenced in the .sign.cosignSecretName field of the ReleasePlanAdmission, saved to public-key.pub. If you do not have this key, you can use cosign download attestation instead of cosign verify-attestation; note that with cosign download attestation, the --type argument becomes --predicate-type.

Procedure

In the CLI, complete the following steps to download and verify the release-time SBOM for a component:

  1. Use Cosign to verify and download the SBOM attestation. Pass the IMAGE environment variable and specify the SBOM predicate type (valid options are "spdxjson" and "cyclonedx"):

    Example
    $ cosign verify-attestation --insecure-ignore-tlog=true --type=spdxjson --key=public-key.pub $IMAGE
    1. Extract the SBOM content from the attestation payload using jq:

      $ cosign verify-attestation --insecure-ignore-tlog=true --type=spdxjson --key=public-key.pub $IMAGE | jq -r '.payload | @base64d | fromjson | .predicate'
    2. (Optional) To save the SBOM to a file:

      $ cosign verify-attestation --insecure-ignore-tlog=true --type spdxjson --key public-key.pub $IMAGE | jq -r '.payload | @base64d | fromjson | .predicate' > release-sbom.json

Release-time SBOMs are cryptographically signed and can be verified for authenticity and integrity using a public key. This provides stronger security guarantees compared to unsigned build-time SBOMs.
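The jq pipeline in the procedure above decodes the DSSE envelope that cosign prints and pulls out the in-toto predicate. The following is an added example (not part of the Konflux or Mobster documentation or code) that does the same decoding in Python and adds the two checks a practitioner usually wants before trusting the result: that the statement carries the predicate type that was requested, and that its subject is the image digest you released. The envelope, digest and signature values are constructed placeholders; the predicate type URIs are the ones cosign uses for its "spdxjson" and "cyclonedx" types. Signature verification itself is left to cosign and is not repeated here.

```python
import base64
import json

# Predicate type URIs that cosign maps the --type values "spdxjson" and
# "cyclonedx" to. Everything below marked constructed/placeholder is made up.
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"
CYCLONEDX_PREDICATE_TYPE = "https://cyclonedx.org/bom"
SAMPLE_DIGEST = "ab" * 32  # placeholder sha256 digest of the released image

# Constructed in-toto Statement whose predicate is a minimal SPDX document.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SPDX_PREDICATE_TYPE,
    "subject": [
        {"name": "registry.example/ns/component", "digest": {"sha256": SAMPLE_DIGEST}}
    ],
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "name": "component-release-sbom",
        "packages": [{"name": "flask", "versionInfo": "2.1.0"}],
    },
}

# Constructed DSSE envelope in the shape cosign prints: one JSON object per
# line, with the Statement base64-encoded in "payload". The signature is a
# dummy; cosign verify-attestation has already checked it when this runs.
SAMPLE_ENVELOPE_LINE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}],
})


def extract_sbom(envelope_line, expected_predicate_type, expected_digest):
    """Decode one DSSE envelope line and return the SBOM predicate.

    Equivalent to `jq -r '.payload | @base64d | fromjson | .predicate'`, plus
    checks that the statement is the attestation type that was requested and
    that it is about the expected image digest, so an unrelated attestation
    cannot be mistaken for the release SBOM.
    """
    envelope = json.loads(envelope_line)
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected payloadType: %r" % envelope.get("payloadType"))
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != expected_predicate_type:
        raise ValueError("predicateType %r, expected %r"
                         % (statement.get("predicateType"), expected_predicate_type))
    subject_digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if expected_digest not in subject_digests:
        raise ValueError("attestation is not about digest %s" % expected_digest)
    return statement["predicate"]


def extract_all_sboms(cosign_output, expected_predicate_type, expected_digest):
    """cosign may print several envelopes (one per matching attestation); decode each."""
    return [
        extract_sbom(line, expected_predicate_type, expected_digest)
        for line in cosign_output.splitlines()
        if line.strip()
    ]


if __name__ == "__main__":
    # In practice, feed the stdout of `cosign verify-attestation ... $IMAGE` here.
    sbom = extract_sbom(SAMPLE_ENVELOPE_LINE, SPDX_PREDICATE_TYPE, SAMPLE_DIGEST)
    print(json.dumps(sbom, indent=2))
```

To use it against a real image, pipe the output of the cosign command from the procedure into the script and pass the sha256 digest from your <repository url>@sha256:<digest> reference as expected_digest; for CycloneDX attestations, pass CYCLONEDX_PREDICATE_TYPE instead.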

Reading the SBOM

In the SBOM, as the following sample excerpt shows, you can see four characteristics of each library that a component uses:

  1. Its author or publisher

  2. Its name

  3. Its version

  4. Its licenses

This information helps you verify that individual libraries are safely sourced, up to date, and license-compliant.

{
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:89146fc4-342f-496b-9cc9-07a6a1554220",
    "version": 1,
    "metadata": {
        ...
    },
    "components": [
        {
            "bom-ref": "pkg:pypi/flask@2.1.0?package-id=d6ad7ed5aac04a8",
            "type": "library",
            "author": "Armin Ronacher <armin.ronacher@active-4.com>", (1)
            "name": "Flask", (2)
            "version": "2.1.0", (3)
            "licenses": [ (4)
                {
                    "license": {
                        "id": "BSD-3-Clause"
                    }
                }
            ],
            "cpe": "cpe:2.3:a:armin-ronacher:python-Flask:2.1.0:*:*:*:*:*:*:*",
            "purl": "pkg:pypi/Flask@2.1.0",
            "properties": [
                {
                    "name": "syft:package:foundBy",
                    "value": "python-package-cataloger"
                    ...
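The excerpt above is meant to be read by eye, and the web UI section suggests searching it in a browser. As an added example (not code from the Konflux documentation or from Mobster), the following Python reads a CycloneDX SBOM such as the one saved by the cosign redirect earlier, reports the four characteristics listed above for each component, runs the same kind of term search (for example "log4j") programmatically, and flags components whose author, version or license is missing, since those cannot be vetted. The embedded SBOM is constructed: the Flask entry mirrors the excerpt on this page, while the requests and log4j-core entries are made up to show a license expression and a component with missing metadata.

```python
import json

# Constructed CycloneDX 1.4 document modelled on the excerpt on this page.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {
            "bom-ref": "pkg:pypi/flask@2.1.0?package-id=d6ad7ed5aac04a8",
            "type": "library",
            "author": "Armin Ronacher <armin.ronacher@active-4.com>",
            "name": "Flask",
            "version": "2.1.0",
            "licenses": [{"license": {"id": "BSD-3-Clause"}}],
            "purl": "pkg:pypi/Flask@2.1.0",
        },
        {   # constructed: publisher instead of author, SPDX license expression
            "type": "library",
            "publisher": "Example Org",
            "name": "requests",
            "version": "2.31.0",
            "licenses": [{"expression": "Apache-2.0"}],
            "purl": "pkg:pypi/requests@2.31.0",
        },
        {   # constructed: no author and no license recorded
            "type": "library",
            "name": "log4j-core",
            "version": "2.14.1",
            "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
        },
    ],
}


def load_sbom(path):
    """Read a CycloneDX JSON file, e.g. the sbom.txt written by the cosign redirect."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def _licenses(component):
    """CycloneDX allows either a license object (id or name) or an SPDX expression."""
    names = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            names.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            names.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return names


def summarize(sbom):
    """Return author/publisher, name, version and licenses for every component."""
    rows = []
    for c in sbom.get("components", []):
        rows.append({
            "author": c.get("author") or c.get("publisher") or "UNKNOWN",
            "name": c.get("name", "UNKNOWN"),
            "version": c.get("version", "UNKNOWN"),
            "licenses": _licenses(c),
            "purl": c.get("purl", ""),
        })
    return rows


def search(sbom, term):
    """Case-insensitive match of a term against component name and purl,
    the programmatic equivalent of searching the SBOM in a browser."""
    term = term.lower()
    return [c.get("name") for c in sbom.get("components", [])
            if term in c.get("name", "").lower() or term in c.get("purl", "").lower()]


def incomplete(sbom):
    """Names of components missing author/publisher, version or license."""
    return [row["name"] for row in summarize(sbom)
            if row["author"] == "UNKNOWN" or row["version"] == "UNKNOWN" or not row["licenses"]]


if __name__ == "__main__":
    for row in summarize(SAMPLE_SBOM):
        print("%-12s %-8s %-40s %s" % (row["name"], row["version"],
                                        row["author"], ", ".join(row["licenses"]) or "-"))
    print("matches for 'log4j':", search(SAMPLE_SBOM, "log4j"))
    print("components with missing metadata:", incomplete(SAMPLE_SBOM))
```

Replace SAMPLE_SBOM with load_sbom("sbom.txt") to run it over a real build-time SBOM; the same functions work on the predicate extracted from a release-time CycloneDX attestation, since that predicate is the SBOM document itself.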