Component-level SBOM update via the augment commands

Build-time SBOMs generated by Konflux can be further augmented to include information that is only known during a Konflux release, after the push-snapshot Task. This information comes from a "mapped snapshot spec" file, created by the apply-mapping task in a Konflux release pipeline. Examples include the OCI image tags and the image's release repository.

You can perform the augmentation via the mobster command: augment oci-image.

Augment oci-image

You can either augment a specific OCI image by providing the optional --reference argument, or augment SBOMs for all images in the supplied snapshot:

$ mobster augment oci-image --output sboms/ oci-image \
    --reference quay.io/repo/image@sha256:<digest> \
    --snapshot snapshot.json

$ mobster augment oci-image --output sboms/ oci-image \
    --snapshot snapshot.json

Augmentation examples

Here is an example of what gets updated by mobster augment oci-image. The following example uses the SPDX-2.3 format and a single-arch image. Let's assume we have the following snapshot spec file:

{
  "components": [
    {
      "name": "mobster-demo",
      "containerImage": "quay.io/redhat-prod/mobster-demo@sha256:<digest>",
      "rh-registry-repo": "registry.redhat.io/mobster-demo",
      "repository": "quay.io/redhat-prod/mobster-demo",
      "tags": ["1.0", "latest"]
    }
  ]
}

The following is an excerpt from the build-time SBOM, specifically the SPDX package for our single-arch component:

{
  ...
  "SPDXID": "SPDXRef-image",
  "externalRefs": [
    {
      "referenceLocator": "pkg:oci/mobster-demo@sha256:<digest>?repository_url=quay.io/redhat-user-workloads/mobster-demo",
      "referenceType": "purl",
      "referenceCategory": "PACKAGE-MANAGER"
    }
  ]
  ...
}

We can now run the command:

$ mobster augment oci-image --output sboms/ snapshot \
    --snapshot snapshot.json

Mobster now parses the snapshot and fetches the build-time SBOM of every image in it using cosign, based on the containerImage field. It then parses each SBOM and updates it with the data provided in the snapshot. The same package in the SBOM will look like this after the augmentation:

{
  ...
  "SPDXID": "SPDXRef-image",
  "externalRefs": [
    {
      "referenceLocator": "pkg:oci/mobster-demo@sha256:<digest>?repository_url=registry.redhat.io/mobster-demo&tag=1.0",
      "referenceType": "purl",
      "referenceCategory": "PACKAGE-MANAGER"
    },
    {
      "referenceLocator": "pkg:oci/mobster-demo@sha256:<digest>?repository_url=registry.redhat.io/mobster-demo&tag=latest",
      "referenceType": "purl",
      "referenceCategory": "PACKAGE-MANAGER"
    }
  ]
  ...
}

Notice that a second external ref was added so that both tags are represented, and that the repository_url qualifier in the PURLs was updated with our release repository (the rh-registry-repo value from the snapshot, not the build repository the build-time SBOM pointed at).
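The rewrite shown above, as an added illustration in Python that is not mobster's own code: it pairs snapshot components with SPDX OCI purls by image digest (an assumption of this example), swaps repository_url for rh-registry-repo and emits one external ref per tag, leaving every other ref untouched. The snapshot, SBOM excerpt and digest are constructed sample data.

```python
import copy

# Constructed sample inputs mirroring the page's snapshot spec and SPDX excerpt
# (placeholder digest, not a real image).
DIGEST = "sha256:" + "0" * 64
SNAPSHOT = {"components": [{
    "name": "mobster-demo",
    "containerImage": f"quay.io/redhat-prod/mobster-demo@{DIGEST}",
    "rh-registry-repo": "registry.redhat.io/mobster-demo",
    "repository": "quay.io/redhat-prod/mobster-demo",
    "tags": ["1.0", "latest"],
}]}
SBOM = {"packages": [{
    "SPDXID": "SPDXRef-image",
    "externalRefs": [{
        "referenceLocator": f"pkg:oci/mobster-demo@{DIGEST}"
                            "?repository_url=quay.io/redhat-user-workloads/mobster-demo",
        "referenceType": "purl",
        "referenceCategory": "PACKAGE-MANAGER",
    }],
}]}

def split_oci_purl(purl):
    """Split 'pkg:oci/<name>@<digest>?<k=v&...>' into (base, digest, qualifiers)."""
    base, _, query = purl.partition("?")
    quals = dict(q.split("=", 1) for q in query.split("&") if q)
    return base, base.partition("@")[2], quals

def augment_sbom(sbom, snapshot):
    """Copy the SPDX doc, rewriting OCI purls from the snapshot (digest match is assumed)."""
    by_digest = {c["containerImage"].partition("@")[2]: c for c in snapshot["components"]}
    out = copy.deepcopy(sbom)
    for pkg in out["packages"]:
        new_refs = []
        for ref in pkg.get("externalRefs", []):
            purl = ref["referenceLocator"]
            is_oci = ref.get("referenceType") == "purl" and purl.startswith("pkg:oci/")
            base, digest, quals = split_oci_purl(purl) if is_oci else ("", "", {})
            comp = by_digest.get(digest)
            if comp is None:
                new_refs.append(ref)  # not a released OCI image: keep the ref untouched
                continue
            quals["repository_url"] = comp["rh-registry-repo"]  # release repository
            for tag in comp.get("tags") or [None]:  # one external ref per release tag
                q = dict(quals, tag=tag) if tag else quals
                locator = base + "?" + "&".join(f"{k}={v}" for k, v in q.items())
                new_refs.append(dict(ref, referenceLocator=locator))
        pkg["externalRefs"] = new_refs
    return out
```

Run augment_sbom(SBOM, SNAPSHOT) to reproduce the two-ref result shown above; a component without tags yields a single ref with only repository_url rewritten.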