SUSE Linux Enterprise and SBOM support
After recent supply chain attacks, and with ever increasing security automation, software inventory management in particular is becoming more and more important.
Governments and other regulated industries now require a so-called Software Bill of Materials (SBOM) to be published for software products.
Various SBOM formats have appeared in the market.
SUSE has started to publish SBOMs in the two formats most prominently used by operating system vendors, SPDX 2.0 and CycloneDX.
SPDX 2.0 has even been standardized as ISO/IEC 5962:2021.
For SUSE Linux Enterprise product media
For our product media (ISO images), the SBOM materials are available on our download website in both SPDX 2.0 and CycloneDX formats.
The granularity of this data is currently at RPM level.
For SUSE Linux Enterprise BCI container images
The SBOM data is delivered in the sigstore attestation blob in SPDX 2.0 format.
The data is meant to be processed automatically, but manual retrieval is also possible. Because the container manifests are multi-arch, it is a two-step operation.
Example using the external “crane” tool to resolve the x86_64 part of the container image, the “cosign” tool to retrieve and verify the attestation, and the “jq” tool to extract the SPDX 2.0 SBOM data:
crane digest --platform linux/amd64 registry.suse.com/suse/sle15:15.4
Example result: sha256:c8aeb5a7662c38716d303fb854c5baa2329afccb4637c0f3c7c44b971181fdbb
Then use that digest in this command line:
cosign verify-attestation --type spdxjson --key /usr/share/pki/containers/suse-container-key.pem registry.suse.com/suse/sle15@sha256:c8aeb5a7662c38716d303fb854c5baa2329afccb4637c0f3c7c44b971181fdbb | jq '.payload | @base64d | fromjson | .predicate'
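The same two steps, carried out in Python over constructed sample data so that it runs offline. This is an added example and not SUSE's tooling: step 1 does what `crane digest --platform linux/amd64` does (pick one platform's manifest digest out of a multi-arch OCI image index), step 2 does what the jq filter `.payload | @base64d | fromjson | .predicate` does (unwrap the DSSE envelope that cosign prints after a successful verification and return the SPDX document), and a final function turns the SPDX package list into an RPM inventory for automated processing. The image index, the digests, the SPDX package list and the signature field are all invented placeholders; the predicate type `https://spdx.dev/Document` is what cosign's `spdxjson` type uses, to my knowledge, but the check below only requires "spdx" in it. Signature verification itself stays with cosign; this code only consumes the already-verified output, and additionally checks that the attestation's subject digest is the digest resolved in step 1.

```python
"""Added example: two-step SBOM retrieval (platform digest, then attestation
predicate) over constructed sample data. Not SUSE's code; no network access."""
import base64
import json

# --- constructed sample data; digests are placeholders, not real images -----
SAMPLE_INDEX = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"digest": "sha256:" + "11" * 32, "platform": {"os": "linux", "architecture": "amd64"}},
        {"digest": "sha256:" + "22" * 32, "platform": {"os": "linux", "architecture": "arm64"}},
    ],
}

def _pkg(name, version):
    """Constructed SPDX 2.x package entry for an x86_64 RPM (sample data)."""
    return {
        "name": name, "SPDXID": f"SPDXRef-{name}", "versionInfo": version,
        "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                          "referenceLocator": f"pkg:rpm/suse/{name}@{version}?arch=x86_64"}],
    }

SAMPLE_SPDX = {  # invented package list, shaped like an SPDX 2.x JSON document
    "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-sle15-sbom",
    "packages": [_pkg("glibc", "2.31-150300.63.1"), _pkg("zlib", "1.2.11-150000.3.39.1")],
}

def _build_envelope(spdx_doc, subject_digest):
    """Wrap an SPDX document in an in-toto statement inside a DSSE envelope,
    the shape `cosign verify-attestation` prints. The signature is a
    placeholder: cosign has already verified it before this code runs."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://spdx.dev/Document",  # assumed cosign spdxjson type
        "subject": [{"name": "registry.suse.com/suse/sle15", "digest": {"sha256": subject_digest}}],
        "predicate": spdx_doc,
    }
    return {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        "signatures": [{"keyid": "", "sig": "PLACEHOLDER-SIGNATURE"}],
    }

SAMPLE_ENVELOPE = _build_envelope(SAMPLE_SPDX, "11" * 32)

def select_platform_digest(index, os_name="linux", arch="amd64"):
    """Step 1: resolve a multi-arch image index to one platform's manifest digest."""
    for m in index.get("manifests", []):
        p = m.get("platform", {})
        if p.get("os") == os_name and p.get("architecture") == arch:
            return m["digest"]
    raise LookupError(f"no manifest for {os_name}/{arch}")

def extract_spdx_predicate(envelope, expected_digest=None):
    """Step 2: decode the DSSE payload and return the SPDX predicate.
    Fails closed on an unexpected payload type, predicate type or subject."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected payloadType")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if "spdx" not in statement.get("predicateType", "").lower():
        raise ValueError("not an SPDX attestation")
    if expected_digest is not None:
        subjects = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
        if expected_digest not in subjects:
            raise ValueError("attestation subject does not match the requested image digest")
    return statement["predicate"]

def rpm_inventory(spdx_doc):
    """Map package name -> (version, purl) from the SPDX package list."""
    inventory = {}
    for pkg in spdx_doc.get("packages", []):
        purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        inventory[pkg["name"]] = (pkg.get("versionInfo", ""), purl)
    return inventory

if __name__ == "__main__":
    digest = select_platform_digest(SAMPLE_INDEX)
    spdx = extract_spdx_predicate(SAMPLE_ENVELOPE, expected_digest=digest.split(":", 1)[1])
    for name, (version, purl) in sorted(rpm_inventory(spdx).items()):
        print(f"{name:<8} {version:<22} {purl}")
```

With real data, the JSON that `crane manifest` and `cosign verify-attestation` print can be fed to `select_platform_digest` and `extract_spdx_predicate` in place of the constructed samples; the subject check is what ties the SBOM you parsed to the exact image digest you resolved.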