Version: Torizon OS 6.x.y

SBOM

Introduction

This article provides information about Software Bill of Materials (SBOM) and how to leverage Torizon for easy compliance and traceability using SBOMs.

What are SBOMs?

SBOMs are important pieces of information in software development and cybersecurity, comparable to a parts list for software: they enumerate every component and dependency that makes up a software system. SBOMs are essential for tracking, assessing, and securing software assets in the face of growing cybersecurity threats and regulatory demands. They can be required by some compliance processes and are the input for generating the CVE report for a piece of software.

Contact Us if you need help with SBOMs and CVEs.

Manifest and SBOM Files

The manifest files provide an easy-to-read list of every package used in a given piece of software. You can check an example: Packages from a Torizon OS Image for Verdin iMX8M Plus.

SBOM files come in different standard formats, including SPDX, CycloneDX, and CPE (Common Platform Enumeration). These formats provide a structured way to represent components and dependencies, which makes it easier to process the information and manage the security risks associated with those components.

Torizon provides SBOMs in the SPDX® (Software Package Data Exchange) format. SPDX is an ISO/IEC standard for sharing information about software components, licenses, copyrights, and security details in multiple file formats.

How to Find SBOM for Torizon OS Builds?

We provide the .spdx SBOM files within our Torizon OS Builds. The following example shows where to find those files inside a Torizon OS image for the Verdin iMX8M Plus.

Initramfs index:

<your-image-path>/oedeploy/initramfs-ostree-torizon-image-verdin-imx8mp.spdx.index.json

Initramfs tarball:

<your-image-path>/oedeploy/initramfs-ostree-torizon-image-verdin-imx8mp.spdx.tar.zst

Torizon OS image index:

<your-image-path>/oedeploy/torizon-core-docker-verdin-imx8mp.spdx.index.json

Torizon OS image tarball:

<your-image-path>/oedeploy/torizon-core-docker-verdin-imx8mp.spdx.tar.zst

How to find SBOM for Official Torizon Containers?

Info: SBOM is currently enabled only for release candidate builds, tagged with rc or rc-bookworm for the base Debian image instead of the usual semantic versioning.

SBOM artifacts are stored on Docker Hub along with each corresponding image. To retrieve them, use the imagetools command from buildx:

$ docker buildx imagetools inspect torizon/<image-name>:<image-tag> --format '{{ json (index .SBOM "<arch>").SPDX}}'

For example, to get the SBOM in SPDX format for the Debian base image, run:

$ docker buildx imagetools inspect torizon/debian:4-bookworm-rc --format '{{ json (index .SBOM "linux/arm64").SPDX}}'

More detailed reports can be obtained by passing different Go templates to the --format flag, as described in the official format command documentation. For example, to list all the installed packages in a given container image together with their versions:

$ docker buildx imagetools inspect torizon/debian:4-bookworm-rc --format '{{ range (index .SBOM "linux/arm64").SPDX.packages}}{{println .name .versionInfo}}{{end}}' | sort
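The Go template above prints only names and versions, but a CVE report needs more from the same document: the package identifiers (purl and CPE locators in externalRefs) that vulnerability databases are keyed on, the DESCRIBES/CONTAINS relationships that separate the image entry from its installed components, and the packages that carry no identifier at all and therefore cannot be matched by a scanner. The following Python script is an added example, not Toradex code or part of the Torizon tooling. It parses an SPDX 2.x JSON document of the kind the imagetools command returns (the same functions apply, per document, to the SPDX JSON files you extract from the .spdx.tar.zst of a Torizon OS build, on the assumption that the tarball holds one SPDX JSON document per package). The SBOM embedded in the script is a constructed sample: its package names, versions, purls and CPEs are illustrative and not taken from any real image.

```python
"""Turn an SPDX 2.x JSON SBOM into the inventory a CVE-matching step needs."""
import json
from collections import Counter

# Constructed sample document (not from a real Torizon image). The layout follows
# the SPDX 2.3 JSON schema: packages[].name/versionInfo/externalRefs and
# relationships[]; the values themselves are illustrative.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "torizon-debian-sample",
    "packages": [
        {"name": "libc6", "SPDXID": "SPDXRef-Package-deb-libc6",
         "versionInfo": "2.36-9+deb12u4", "licenseConcluded": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=arm64"}]},
        {"name": "openssl", "SPDXID": "SPDXRef-Package-deb-openssl",
         "versionInfo": "3.0.11-1~deb12u2", "licenseConcluded": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=arm64"},
                          {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                           "referenceLocator": "cpe:2.3:a:openssl:openssl:3.0.11:*:*:*:*:*:*:*"}]},
        {"name": "bash", "SPDXID": "SPDXRef-Package-deb-bash",
         "versionInfo": "5.2.15-2+b2", "licenseConcluded": "GPL-3.0-or-later",
         "externalRefs": []},
        # Entry standing for the image itself; it is not an installed component.
        {"name": "torizon-debian-sample", "SPDXID": "SPDXRef-Image",
         "versionInfo": "4-bookworm-rc"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Image"},
        {"spdxElementId": "SPDXRef-Image", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-Package-deb-libc6"},
        {"spdxElementId": "SPDXRef-Image", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-Package-deb-openssl"},
        {"spdxElementId": "SPDXRef-Image", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-Package-deb-bash"},
    ],
})


def load_spdx(text):
    """Parse the JSON text and reject anything that is not an SPDX 2.x document."""
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x document: %r" % doc.get("spdxVersion"))
    return doc


def package_inventory(doc):
    """(name, version) for every package entry, sorted by name: the same listing the
    '{{println .name .versionInfo}}' Go template prints."""
    return sorted((p["name"], p.get("versionInfo", "")) for p in doc.get("packages", []))


def described_root(doc):
    """SPDXID of the element the document DESCRIBES (the image), or None."""
    for rel in doc.get("relationships", []):
        if rel.get("spdxElementId") == doc.get("SPDXID") and rel.get("relationshipType") == "DESCRIBES":
            return rel.get("relatedSpdxElement")
    return None


def contained_packages(doc):
    """Only the packages the root element CONTAINS, i.e. the installed components,
    leaving out the package entry that stands for the image itself."""
    root = described_root(doc)
    by_id = {p["SPDXID"]: p for p in doc.get("packages", [])}
    ids = [r["relatedSpdxElement"] for r in doc.get("relationships", [])
           if r.get("spdxElementId") == root and r.get("relationshipType") == "CONTAINS"]
    return sorted((by_id[i]["name"], by_id[i].get("versionInfo", "")) for i in ids if i in by_id)


def security_identifiers(doc):
    """name -> {'purl': ..., 'cpe': ...}. Vulnerability databases match on these
    locators, not on the free-form package name."""
    out = {}
    for p in doc.get("packages", []):
        found = {"purl": None, "cpe": None}
        for ref in p.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                found["purl"] = ref.get("referenceLocator")
            elif ref.get("referenceType") == "cpe23Type":
                found["cpe"] = ref.get("referenceLocator")
        out[p["name"]] = found
    return out


def packages_without_identifiers(doc):
    """Packages with neither purl nor CPE: a scanner cannot match them reliably,
    so they need manual review in the CVE report."""
    return sorted(n for n, f in security_identifiers(doc).items() if not (f["purl"] or f["cpe"]))


def license_summary(doc):
    """Count of concluded licenses; NOASSERTION marks packages still to be reviewed."""
    return Counter(p.get("licenseConcluded", "NOASSERTION") for p in doc.get("packages", []))


if __name__ == "__main__":
    doc = load_spdx(SAMPLE_SPDX)
    for name, version in contained_packages(doc):
        print(name, version)
    print("unmatchable:", packages_without_identifiers(doc))
    print("licenses:", dict(license_summary(doc)))
```

To run it against a real image, replace SAMPLE_SPDX with the output of the imagetools command shown above (`--format '{{ json (index .SBOM "linux/arm64").SPDX}}'`). The distinction between package_inventory and contained_packages matters in practice: the entry describing the image itself carries the image tag as its version, and feeding it to a scanner as if it were a component produces a spurious result.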
