What is a Software Bill of Materials (SBOM)?

In April 2022 Justin Cormack, CTO of Docker, announced that Docker was adding support to generate a Software Bill of Materials (SBOM) for container images.

An SBOM is an inventory of the components that make up a software application. It is a list of those components, including the version of each one. The version is important because it can be cross-referenced with a vulnerability database to determine whether the component has any known vulnerabilities.

Many organisations are also required to comply with certain Open Source Software (OSS) licenses. So if SBOMs are included in the software they purchase or consume from vendors, they can be used to determine whether the software is compliant with their specific license requirements, lowering legal and compliance risk.

Docker's enhancements to Docker Desktop and their open source BuildKit tool were the result of a collaboration with Anchore, a company that provides a commercial SBOM solution.

Check out an SBOM for yourself

Anchore provides commercial solutions for creating, managing and inspecting SBOMs, however they also have two very useful open source tools that we can try out for free:

syft - a command line tool that can be used to generate an SBOM for a container image.
grype - a command line tool that can be used to scan an SBOM for vulnerabilities.

OpenFaaS Community Edition (CE) is a popular open source serverless platform for Kubernetes. It's maintained by open source developers, and is free to use. Let's pick a container image from the Community Edition of OpenFaaS, like the container image for the OpenFaaS gateway.

We can browse the GitHub UI to find the latest revision, or we can use Google's crane tool:

```
crane ls ghcr.io/openfaas/gateway | tail -n 5
```

Now we can pass one of those tags to syft:

```
syft ghcr.io/openfaas/gateway:0.26.2
```

These are all the components that syft found in the container image:

```
docker/distribution v2.8.1+incompatible go-module
matttproud/golang_protobuf_extensions v1.0.1 go-module
openfaas/faas-provider v0.19.1 go-module
prometheus/client_golang v1.13.0 go-module
prometheus/client_model v0.2.0 go-module
```

We can see that it found 39 packages, including the OpenFaaS gateway itself. Some of the packages are Go modules, others are packages that have been installed with apk (Alpine Linux's package manager).

Now that we have an SBOM, we can use grype to check for vulnerabilities.
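To make the cross-referencing step concrete, here is an added Python example (not code from the original post, nor from syft or grype) that reads a constructed, syft-style JSON fragment, tallies go-module versus apk components, and flags any component whose version is below the fixed version recorded in a constructed placeholder database. The "artifacts" field layout and the EXAMPLE- identifiers are assumptions and sample values, not real advisories.

```python
import json

# Constructed SBOM fragment in a syft-like JSON shape (assumption: components
# listed under "artifacts" with name/version/type). Sample values only.
SBOM_JSON = """
{"artifacts": [
  {"name": "gateway", "version": "0.26.2", "type": "go-module"},
  {"name": "github.com/openfaas/faas-provider", "version": "v0.19.1", "type": "go-module"},
  {"name": "github.com/docker/distribution", "version": "v2.8.1+incompatible", "type": "go-module"},
  {"name": "busybox", "version": "1.35.0-r17", "type": "apk"},
  {"name": "ca-certificates", "version": "20220614-r0", "type": "apk"}
]}
"""

# Constructed vulnerability "database": placeholder IDs, not real advisories.
VULN_DB = [
    {"id": "EXAMPLE-0001", "package": "github.com/docker/distribution",
     "type": "go-module", "fixed_in": "v2.8.2"},
    {"id": "EXAMPLE-0002", "package": "busybox", "type": "apk", "fixed_in": "1.36.0-r0"},
    {"id": "EXAMPLE-0003", "package": "github.com/openfaas/faas-provider",
     "type": "go-module", "fixed_in": "v0.19.0"},
]

def version_key(version):
    """Normalise a Go module or apk version into a comparable tuple.
    Strips the Go 'v' prefix and '+incompatible' metadata and splits the apk
    '-rN' package release. Go pseudo-versions are not handled (simplification)."""
    core, _, rel = version.lstrip("v").split("+")[0].partition("-r")
    nums = tuple(int(x) if x.isdigit() else 0 for x in core.split("."))
    return nums, int(rel) if rel.isdigit() else -1

def summarise(sbom_json):
    """Count components per package type (go-module vs apk, as the post notes)."""
    counts = {}
    for a in json.loads(sbom_json)["artifacts"]:
        counts[a["type"]] = counts.get(a["type"], 0) + 1
    return counts

def match_vulnerabilities(sbom_json, vuln_db):
    """Cross-reference each component's version against the database: a
    component is affected when its version is lower than the fixed version."""
    findings = []
    for a in json.loads(sbom_json)["artifacts"]:
        for v in vuln_db:
            same = (v["package"], v["type"]) == (a["name"], a["type"])
            if same and version_key(a["version"]) < version_key(v["fixed_in"]):
                findings.append((v["id"], a["name"], a["version"], v["fixed_in"]))
    return findings
```

Running `match_vulnerabilities(SBOM_JSON, VULN_DB)` reports the two components below their fixed versions and leaves the already-patched one alone, which is the same version comparison grype performs against a real database.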