Generate OCI Image
This utility allows users to generate SBOMs related to Container Images.
Architecture
The script accepts any number of SBOMs generated by Syft and at most one SBOM generated by Hermeto (previously known as Cachi2), with the requirement that at least one SBOM is provided in total. It merges these SBOMs and treats their combined content as the contents of the built image.
The script also reads a JSON-ified Dockerfile of the image, parses its content and determines which base images were used to build the image. It identifies the builder images as well as the parent image, which is the base image of the last stage in the Dockerfile (or of the stage selected by the build target).
You can also supply additional builder images on top of those parsed from the Dockerfile.
All provided SBOMs must be in the same specification! This script does not support combining SPDX and CycloneDX SBOMs.
Usage
mobster --verbose generate oci-image \
--from-syft tests/sbom/test_merge_data/cyclonedx/syft-sboms/pip-e2e-test.bom.json \
--from-syft tests/sbom/test_merge_data/cyclonedx/syft-sboms/ubi-micro.bom.json \
--from-hermeto tests/sbom/test_merge_data/cyclonedx/cachi2.bom.json \
--image-pullspec quay.io/foobar/examplecontainer:v10 \
--image-digest sha256:1 \
--parsed-dockerfile-path tests/data/dockerfiles/somewhat_believable_sample/parsed.json \
--dockerfile-target build \
--additional-base-image quay.io/ubi9:latest@sha256:123456789012345678901234567789012
List of arguments
- `--from-syft` -- points to an SBOM file (in JSON format) created by Syft; can be used multiple times
- `--from-hermeto` -- points to an SBOM file (in JSON format) created by Hermeto
- `--image-pullspec` -- the pullspec of the processed image in the format `<registry>/<repository>:<tag>`
- `--image-digest` -- the digest of the processed image in the format `sha256:<digest value>`
- `--parsed-dockerfile-path` -- points to a Dockerfile processed by `dockerfile-json`
- `--base-image-digest-file` -- points to a file with digests for the images used in the Dockerfile. If omitted, the references will be fetched via `oras`. The expected format of the file is `<registry>/<repository>:<tag> <registry>/<repository>:<tag>@sha256:<digest>`
- `--dockerfile-target` -- if a build target was used for a multi-stage build, use this argument to specify the build target
- `--additional-base-images` -- optionally add references to other build images outside the parsed Dockerfile. Expects the format `<registry>/<repository>:<tag>@sha256:<digest value>`
- `--contextualize` -- NOT IMPLEMENTED YET
- `--output` -- where to save the SBOM. Prints it to STDOUT if this is not specified
Structure of the generated SBOM
The generated SBOM has the following structure (each item is linked to its parent by the SPDX relationship type in parentheses):
- SPDXRef-DOCUMENT
  - SPDXRef-image (DESCRIBES)
    - package A (CONTAINS)
    - package B (CONTAINS)
    - base image (DESCENDANT_OF)
    - builder image 1 (BUILD_TOOL_OF)
    - builder image 2 (BUILD_TOOL_OF)
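The following script is an added illustration of the two steps described above (the base-image classification from the "Architecture" section and the package/relationship layout from this section); it is not mobster's own code. It assumes a simplified Dockerfile text parser that only looks at `FROM` lines instead of the `dockerfile-json` output the real script consumes, a constructed sample Dockerfile and a constructed digest file in the documented `--base-image-digest-file` format, and a minimal subset of SPDX 2.3 package fields. It also assumes that a stage whose `FROM` names another stage resolves to that stage's external image, and that only stages up to the selected target count as builders.

```python
import json
import re
from typing import Optional

# Constructed sample Dockerfile (not from the page): two builder stages and a final stage.
SAMPLE_DOCKERFILE = """\
FROM registry.access.redhat.com/ubi9/go-toolset:1.21 AS build
COPY . /src
RUN go build -o /out/app ./...

FROM quay.io/example/helper:latest AS helper
RUN ./prepare.sh

FROM registry.access.redhat.com/ubi9/ubi-micro:9.4
COPY --from=build /out/app /usr/bin/app
"""

# Constructed digest file (placeholder digests) in the documented two-column format.
SAMPLE_DIGEST_FILE = """\
registry.access.redhat.com/ubi9/go-toolset:1.21 registry.access.redhat.com/ubi9/go-toolset:1.21@sha256:aaaa
quay.io/example/helper:latest quay.io/example/helper:latest@sha256:bbbb
registry.access.redhat.com/ubi9/ubi-micro:9.4 registry.access.redhat.com/ubi9/ubi-micro:9.4@sha256:cccc
"""

# Matches "FROM [--platform=...] <image> [AS <alias>]" at the start of a line.
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?",
                     re.IGNORECASE | re.MULTILINE)


def parse_stages(dockerfile: str) -> list[dict]:
    """One {"image", "alias"} record per FROM line, in Dockerfile order."""
    return [{"image": m.group(1), "alias": m.group(2)} for m in FROM_RE.finditer(dockerfile)]


def resolve_external(stages: list[dict], idx: int) -> str:
    """Follow "FROM <alias>" references until an external image reference is reached."""
    aliases = {s["alias"]: i for i, s in enumerate(stages) if s["alias"]}
    seen = set()
    while stages[idx]["image"] in aliases and idx not in seen:
        seen.add(idx)
        idx = aliases[stages[idx]["image"]]
    return stages[idx]["image"]


def classify_base_images(dockerfile: str, target: Optional[str] = None) -> tuple[str, list[str]]:
    """Return (parent image, builder images) for the last stage or the `target` stage."""
    stages = parse_stages(dockerfile)
    if not stages:
        raise ValueError("Dockerfile has no FROM instruction")
    if target is None:
        final = len(stages) - 1
    else:
        final = next((i for i, s in enumerate(stages) if s["alias"] == target), None)
        if final is None:
            raise ValueError(f"build target {target!r} not found")
    parent = resolve_external(stages, final)
    builders: list[str] = []
    for i in range(final + 1):  # stages after the target are never built
        image = resolve_external(stages, i)
        if image not in (parent, "scratch") and image not in builders:
            builders.append(image)
    return parent, builders


def parse_digest_file(text: str) -> dict[str, str]:
    """Map "<ref>" -> "<ref>@sha256:<digest>"; reject lines without a digest."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 2 or "@sha256:" not in parts[1]:
            raise ValueError(f"malformed digest line: {line!r}")
        mapping[parts[0]] = parts[1]
    return mapping


def spdx_id(ref: str) -> str:
    """SPDX identifiers may only contain letters, digits, '.' and '-'."""
    return "SPDXRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", ref)


def build_spdx_skeleton(image_pullspec, image_digest, parent, builders, contents, digests):
    """Emit the DESCRIBES / CONTAINS / DESCENDANT_OF / BUILD_TOOL_OF layout shown above."""
    packages = [{"SPDXID": "SPDXRef-image", "name": image_pullspec,
                 "checksums": [{"algorithm": "SHA256",
                                "checksumValue": image_digest.removeprefix("sha256:")}]}]
    relationships = [{"spdxElementId": "SPDXRef-DOCUMENT",
                      "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-image"}]
    for i, name in enumerate(contents):  # packages contributed by the Syft/Hermeto SBOMs
        pid = f"SPDXRef-package-{i}"
        packages.append({"SPDXID": pid, "name": name})
        relationships.append({"spdxElementId": "SPDXRef-image",
                              "relationshipType": "CONTAINS", "relatedSpdxElement": pid})
    # The image descends from its parent; builders are build tools of the image.
    base_id = spdx_id(parent)
    packages.append({"SPDXID": base_id, "name": digests.get(parent, parent)})
    relationships.append({"spdxElementId": "SPDXRef-image",
                          "relationshipType": "DESCENDANT_OF", "relatedSpdxElement": base_id})
    for builder in builders:
        bid = spdx_id(builder)
        packages.append({"SPDXID": bid, "name": digests.get(builder, builder)})
        relationships.append({"spdxElementId": bid, "relationshipType": "BUILD_TOOL_OF",
                              "relatedSpdxElement": "SPDXRef-image"})
    return {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": image_pullspec,
            "packages": packages, "relationships": relationships}


if __name__ == "__main__":
    parent, builders = classify_base_images(SAMPLE_DOCKERFILE)
    doc = build_spdx_skeleton("quay.io/foobar/examplecontainer:v10", "sha256:1", parent, builders,
                              ["package A", "package B"], parse_digest_file(SAMPLE_DIGEST_FILE))
    print(json.dumps(doc, indent=2))
```

Running the script classifies `ubi-micro` as the parent and the `go-toolset` and `helper` stages as builders; passing `target="build"` to `classify_base_images` instead makes `go-toolset` the parent with no builders, which mirrors the effect of `--dockerfile-target`. The digest file parser fails loudly on a line without `@sha256:` rather than silently emitting an undigested base image reference into the SBOM.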