SUSE Linux Enterprise and SBOM support

Share
Share

After recent supply chain attacks and with ever increasing security automation especially the software inventory management becomes more and more important.

Governments and other regulated industries now require publishing a so called Software Bill Of Materials (SBOM) to software products.

Various SBOM formats have appeared in the market.
SUSE has started to publish SBOM in the two kind of formats used most prominent for Operating System vendors, SPDX 2.0 and CycloneDX.

SPDX 2.0 has even been standardized in ISO/ICE 5962:2021.

For SUSE Linux Enterprise product media

For our product media (ISO images), the SBOM materials are available on our download website in both SPDX 2.0 and CycloneDX formats.

The granularity of this data is currently at RPM level.

For SUSE Linux Enterprise BCI container images

The SBOM data is delivered in the sigstore attestation blob in SPDX 2.0 format.

The data is supposed to be processed automatically, but manual retrieval is also possible, due to multi-arch container manifests it is a two step operation.

Example call using the external “crane” tool to extract the x86_64 container part, the “cosign” tool to retrieve and verify the attestation and the “jq”
tool to extract the SPDX 2.0 SBOM data.

crane digest --platform linux/amd64 registry.suse.com/suse/sle15:15.4

Example result: sha256:c8aeb5a7662c38716d303fb854c5baa2329afccb4637c0f3c7c44b971181fdbb

Then run this into this command line:

cosign verify-attestation --type spdxjson --key /usr/share/pki/containers/suse-container-key.pem registry.suse.com/suse/sle15@sha256:c8aeb5a7662c38716d303fb854c5baa2329afccb4637c0f3c7c44b971181fdbb | jq '.payload | @base64d | fromjson | .predicate'

Share
(Visited 29 times, 1 visits today)
Avatar photo
5,272 views