
SBOM for Image Index

The Mobster tool can generate SBOMs for OCI image indexes, following the guidelines of Red Hat Product Security.

Usage

# First get index manifest using buildah
buildah manifest inspect registry.redhat.io/ubi10-beta/ubi@sha256:f817eb70b083c93b4d6b47e1daae292d662e3427f5e73c5e8f513695e5afc7cc > ./index-image-manifest.json

# Then generate SBOM using Mobster
mobster generate \
    --output index.sbom.spdx.json \
    oci-index \
    --index-image-pullspec "registry.redhat.io/ubi10-beta/ubi:latest" \
    --index-image-digest "sha256:f817eb70b083c93b4d6b47e1daae292d662e3427f5e73c5e8f513695e5afc7cc" \
    --index-manifest-path ./index-image-manifest.json

List of arguments:

  • --index-image-pullspec
      • Must be in the format repository/image:tag
      • Example value: registry.redhat.io/ubi10-beta/ubi:latest
  • --index-image-digest
      • Must be in the format algorithm:hexvalue
      • Example value: sha256:f817eb70b083c93b4d6b47e1daae292d662e3427f5e73c5e8f513695e5afc7cc
  • --index-manifest-path
      • Path to a file containing the JSON output of the buildah manifest inspect command
      • The file contents MUST be valid JSON
      • See the example in index_manifest.json
  • --output
      • Path where the SBOM should be written

Example

The example SBOM generated by the above command is available in tests/data/index_manifest_sbom.spdx.json.

Structure of the generated SBOM

The generated SBOM has the following structure:

 - SPDXRef-DOCUMENT
    - SPDXRef-image-index (DESCRIBES)
        - Image-amd64 (VARIANT_OF)
        - Image-arm64 (VARIANT_OF)
        - Image-ppc64le (VARIANT_OF)
        - Image-s390x (VARIANT_OF)
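As an added illustration, not Mobster's own code: a small Python function that validates the pullspec and digest formats listed above, reads a buildah manifest inspect index (a constructed four-platform sample is embedded), and emits the DESCRIBES / VARIANT_OF relationships shown in the tree. The SPDX field set, the SPDX IDs chosen for the per-architecture packages and the media-type check are assumptions; the real tool writes a fuller document.

```python
import json
import re

# Constructed sample of `buildah manifest inspect` output for a four-platform
# OCI image index (the digests are made-up placeholders, not real images).
SAMPLE_INDEX_MANIFEST = json.dumps({
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"digest": "sha256:" + pair * 32, "platform": {"architecture": arch, "os": "linux"}}
        for pair, arch in (("11", "amd64"), ("22", "arm64"), ("33", "ppc64le"), ("44", "s390x"))
    ],
})
PULLSPEC_RE = re.compile(r"^[^/:@\s]+(?:/[^/:@\s]+)+:[\w][\w.-]{0,127}$")  # repository/image:tag (simplified)
DIGEST_RE = re.compile(r"^(?:sha256:[0-9a-f]{64}|sha512:[0-9a-f]{128})$")  # algorithm:hexvalue

def input_errors(pullspec: str, digest: str) -> list:
    """Return the problems found with the CLI-style inputs (empty list means OK)."""
    errors = []
    if not PULLSPEC_RE.match(pullspec):
        errors.append(f"pullspec must be repository/image:tag, got {pullspec!r}")
    if not DIGEST_RE.match(digest):
        errors.append(f"digest must be algorithm:hexvalue, got {digest!r}")
    return errors

def checksum(digest: str) -> dict:
    """Split 'sha256:abcd...' into an SPDX checksum object."""
    algorithm, value = digest.split(":", 1)
    return {"algorithm": algorithm.upper(), "checksumValue": value}

def build_index_sbom(pullspec: str, digest: str, manifest_json: str) -> dict:
    """Minimal SPDX document: DOCUMENT DESCRIBES the index; each platform image is a VARIANT_OF it."""
    if errors := input_errors(pullspec, digest):
        raise ValueError("; ".join(errors))
    index = json.loads(manifest_json)
    if index.get("mediaType") != "application/vnd.oci.image.index.v1+json":  # assumed check
        raise ValueError("manifest is not an OCI image index")
    repository, tag = pullspec.rsplit(":", 1)
    packages = [{"SPDXID": "SPDXRef-image-index", "name": repository.rsplit("/", 1)[-1],
                 "versionInfo": tag, "checksums": [checksum(digest)]}]
    relationships = [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                      "relatedSpdxElement": "SPDXRef-image-index"}]
    for manifest in index["manifests"]:
        spdx_id = f"SPDXRef-image-{manifest['platform']['architecture']}"  # assumed ID scheme
        packages.append({"SPDXID": spdx_id, "name": f"{repository}@{manifest['digest']}",
                         "checksums": [checksum(manifest["digest"])]})
        relationships.append({"spdxElementId": spdx_id, "relationshipType": "VARIANT_OF",
                              "relatedSpdxElement": "SPDXRef-image-index"})
    return {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": pullspec,
            "packages": packages, "relationships": relationships}
```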
