Open micahhausler opened 12 months ago
Today, when generating an SBOM for a container image, you get something like the output below. Note that only the OS package database is analyzed, even though there are Go binaries (`go-runner` and `/usr/local/bin/kube-apiserver`) with their own dependencies.

When running `go version -m`, Go will analyze the module information baked into the binary. This functionality is facilitated by `debug/buildinfo.ReadFile()` in the standard library, which returns a `*runtime/debug.BuildInfo{}`.

**What would you like to be added:**

While it would not be as complete as the current `go.mod` analyzer, it'd be nice to be able to analyze local files, or files within an image, specified like `bom generate -i $IMAGE --scan-images -f /go-runner -f /usr/local/bin/kube-apiserver`, to check if they're Go binaries and get the module information.

**Why is this needed:**

If I'm a user scanning an image with a Go binary that has module information, I'd like to know the module version information in my SBOM.

As discussed at the contributors' summit, we will modernize the k8s SBOMs, so I think I'll build this.

I was also experimenting with the bom utility to see the ingredients of a K8s OCI image and was wondering the same: why doesn't it list the binary? Dumb question: is there a way to see the packages, files, and binaries that are part of the OCI image underneath those OCI layers, or perhaps that is not what SBOMs are for?

```
bom generate --analyze-images --scan-images --format json --image registry.k8s.io/kube-apiserver@sha256:07ec0f29e172784b9fda870d63430a84befade590a2220c1fcce52f17cd24631 | bom document outline -
INFO bom v0.5.1: Generating SPDX Bill of Materials
INFO Processing image reference: registry.k8s.io/kube-apiserver@sha256:07ec0f29e172784b9fda870d63430a84befade590a2220c1fcce52f17cd24631
.........
 📂 SPDX Document SBOM-SPDX-9e5b46f0-9aa4-4197-a1c0-66ad1450fa2d
 │
 │ 📦 DESCRIBES 1 Packages
 │
 ├ sha256:07ec0f29e172784b9fda870d63430a84befade590a2220c1fcce52f17cd24631
 │ │ 🔗 11 Relationships
 │ ├ CONTAINS PACKAGE sha256:a7ca0d9ba68fdce7e15bc0952d3e898e970548ca24d57698725836c039086639
 │ ├ CONTAINS PACKAGE sha256:fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58
 │ ├ CONTAINS PACKAGE sha256:b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db
 │ ├ CONTAINS PACKAGE sha256:fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265
 │ ├ CONTAINS PACKAGE sha256:e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0
 │ ├ CONTAINS PACKAGE sha256:1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c
 │ ├ CONTAINS PACKAGE sha256:4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f
 │ ├ CONTAINS PACKAGE sha256:7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c
 │ ├ CONTAINS PACKAGE sha256:5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a
 │ ├ CONTAINS PACKAGE go-runner@v2.3.1
 │ └ CONTAINS PACKAGE sha256:6021ef4e32c708f4759a7292b12fa3bb2999cedadbfad2e5c75ed0e08f471f9a
 │
 │ 📄 DESCRIBES 0 Files
```