SBOM
Introduction
This article provides information about Software Bill of Materials (SBOM) and how to leverage Torizon for easy compliance and traceability using SBOMs.
What are SBOMs?
SBOMs are important artifacts in software development and cybersecurity, similar to a parts list for software: they enumerate every component and dependency that makes up a software system. SBOMs are essential for tracking, assessing, and securing software assets in the face of growing cybersecurity threats and regulatory demands. They may be required by some compliance processes and are the input for generating the CVE report for a piece of software.
Contact Us if you need help with SBOMs and CVEs.
SBOM Files
SBOM files can use different standard formats, including SPDX, CycloneDX, and CPE (Common Platform Enumeration). These formats provide a structured way to represent components and dependencies, making it easier to process the information and manage the security risks associated with those components.
Torizon provides SBOMs in the SPDX® (Software Package Data Exchange) format, an ISO/IEC standard for sharing information about software components, licenses, copyrights, and security details in multiple file formats.
How to Find SBOM for Torizon OS Builds?
For each build of Torizon OS, we publish a merged SBOM to Toradex's Artifactory instance.
You can download and parse this document using any tool that supports the SPDX® format, such as cve-bin-tool:
$ wget https://artifacts.toradex.com:443/artifactory/torizoncore-oe-prerelease-frankfurt/kirkstone-6.x.y/nightly/655/verdin-imx8mm/torizon/torizon-core-docker/oedeploy/torizon-core-docker-verdin-imx8mm-20240911024445.spdx -O sbom.spdx
$ cve-bin-tool --sbom spdx --sbom-file sbom.spdx
Note that running software that has an open CVE does not by itself mean the system is exploitable through that CVE.
When building Torizon OS from source, an SBOM is generated for each package built into the final image (a non-merged SBOM). You can find this collection of per-package SBOMs in the build directory under deploy/spdx/<machine>.
How to Find SBOM for Official Torizon Containers?
SBOM artifacts are stored on DockerHub along with each corresponding image. To get these artifacts, use the imagetools command from buildx:
$ docker buildx imagetools inspect torizon/<image-name>:<image-tag> --format '{{ json (index .SBOM "<arch>").SPDX}}'
For example, to get the SBOM in SPDX format for the debian base image, run:
$ docker buildx imagetools inspect torizon/debian:3-bookworm --format '{{ json (index .SBOM "linux/arm64").SPDX}}'
More detailed reports can be obtained using different Go templates with the --format flag, as described in the official format command documentation. For example, to list all the installed packages in a given container image and their respective versions:
$ docker buildx imagetools inspect torizon/debian:3-bookworm --format '{{ range (index .SBOM "linux/arm64").SPDX.packages}}{{println .name .versionInfo}}{{end}}' | sort
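As an added example (not part of the Toradex documentation or of the imagetools tooling), the following Python script reads SPDX JSON of the shape returned by the imagetools command above, reproduces the sorted "name version" listing, and diffs two SBOMs so you can see which packages were added, removed, or re-versioned between two tags of a container image. The embedded SBOM content is constructed sample data, not a real Torizon SBOM.

```python
import json

# Constructed SPDX JSON samples (sample data, not real Torizon SBOMs) in the shape
# produced by: docker buildx imagetools inspect ... --format '{{ json (index .SBOM "<arch>").SPDX }}'
# Only the fields this script reads are included.
SBOM_OLD = json.loads("""
{"spdxVersion": "SPDX-2.3", "name": "torizon/debian:3-bookworm",
 "packages": [
   {"SPDXID": "SPDXRef-pkg-1", "name": "libc6",   "versionInfo": "2.36-1"},
   {"SPDXID": "SPDXRef-pkg-2", "name": "openssl", "versionInfo": "3.0.11-1"},
   {"SPDXID": "SPDXRef-pkg-3", "name": "curl",    "versionInfo": "7.88.1-1"}
 ]}""")
SBOM_NEW = json.loads("""
{"spdxVersion": "SPDX-2.3", "name": "torizon/debian:3-bookworm",
 "packages": [
   {"SPDXID": "SPDXRef-pkg-1", "name": "libc6",   "versionInfo": "2.36-1"},
   {"SPDXID": "SPDXRef-pkg-2", "name": "openssl", "versionInfo": "3.0.13-1"},
   {"SPDXID": "SPDXRef-pkg-4", "name": "zlib1g",  "versionInfo": "1.2.13-1"}
 ]}""")


def load_spdx(path):
    """Load an SPDX JSON document saved from the imagetools command."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def packages(sbom):
    """Map package name -> versionInfo from the SPDX 'packages' list."""
    return {p["name"]: p.get("versionInfo", "") for p in sbom.get("packages", [])}


def package_lines(sbom):
    """Sorted 'name version' lines, equivalent to the Go-template + sort pipeline."""
    return sorted(f"{n} {v}" for n, v in packages(sbom).items())


def diff_sboms(old, new):
    """Report packages added, removed, or re-versioned between two SBOMs."""
    a, b = packages(old), packages(new)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": {n: (a[n], b[n]) for n in sorted(set(a) & set(b)) if a[n] != b[n]},
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # two saved SPDX JSON files, e.g. from two image tags
        old, new = load_spdx(sys.argv[1]), load_spdx(sys.argv[2])
    else:                   # no arguments: demonstrate on the constructed samples
        old, new = SBOM_OLD, SBOM_NEW
    print("\n".join(package_lines(new)))
    print(json.dumps(diff_sboms(old, new), indent=2))
```

Save the imagetools output for two tags to files and pass both paths to the script; the "changed" entries are the ones worth re-checking against the CVE report.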