Question 18: SBOM

Problem Statement

Solve this question on: ssh cks8930

Your team received Software Bill Of Materials (SBOM) requests and you have been selected to generate some documents and scans:

Tasks:

  1. Using bom:
    • Generate a SPDX-Json SBOM of image registry.k8s.io/kube-apiserver:v1.31.0
    • Store it at /opt/course/18/sbom1.json on cks8930
  2. Using trivy:
    • Generate a CycloneDX SBOM of image registry.k8s.io/kube-controller-manager:v1.31.0
    • Store it at /opt/course/18/sbom2.json on cks8930
  3. Using trivy:
    • Scan the existing SPDX-Json SBOM at /opt/course/18/sbom_check.json on cks8930 for known vulnerabilities
    • Save the result in Json format at /opt/course/18/sbom_check_result.json on cks8930

Solution

Step 1: Create SBOM with Bom

First, let's check the bom tool's capabilities:

➜ ssh cks8930

➜ candidate@cks8930:~$ bom
bom (Bill of Materials)
...
Usage:
  bom [command]

Available Commands:
  completion  Generate the autocompletion script for the specified shell
  document    bom document → Work with SPDX documents
  generate    bom generate → Create SPDX SBOMs
  help        Help about any command
  validate    bom validate → Check artifacts against an sbom
  version     Prints the version
  ...

Generate the SPDX-Json SBOM for the kube-apiserver image:

➜ candidate@cks8930:~$ bom generate --image registry.k8s.io/kube-apiserver:v1.31.0 --format json --output /opt/course/18/sbom1.json
INFO bom v0.6.0: Generating SPDX Bill of Materials 
INFO Processing image reference: registry.k8s.io/kube-apiserver:v1.31.0 
INFO Reference registry.k8s.io/kube-apiserver:v1.31.0 points to an index 
INFO Reference image index points to 4 manifests  
INFO Adding image registry.k8s.io/kube-apiserver@sha256:64c595846c29945f619a1c3d420a8bfac87e93cb8d3641e222dd9ac412284001 (amd64/linux) 
...

Verify the generated SBOM:

➜ candidate@cks8930:~$ vim /opt/course/18/sbom1.json
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "SBOM-SPDX-4b2df9c5-0526-471a-88d4-72cd41408f6e",
  "spdxVersion": "SPDX-2.3",
  "creationInfo": {
    "created": "2024-09-10T16:27:49Z",
    "creators": [
      "Tool: bom-v0.6.0"
    ],
    "licenseListVersion": "3.21"
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://spdx.org/spdxdocs/k8s-releng-bom-5389c436-97e9-448c-95b0-bceaa602b4c0",
  "documentDescribes": [
    "SPDXRef-Package-sha256-470179274deb9dc3a81df55cfc24823ce153147d4ebf2ed649a4f271f51eaddf"
  ],
  "packages": [
    {
      ...
    }
  ]
}

Step 2: Create SBOM with Trivy

First, let's check trivy's capabilities for SBOM generation:

➜ candidate@cks8930:~$ trivy image --help | grep format
  $ trivy image --format json --output result.json alpine:3.15
  # Generate a report in the CycloneDX format
  $ trivy image --format cyclonedx --output result.cdx alpine:3.15
  -f, --format string              format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")

Generate the CycloneDX SBOM for the kube-controller-manager image:

➜ candidate@cks8930:~$ trivy image --format cyclonedx --output /opt/course/18/sbom2.json registry.k8s.io/kube-controller-manager:v1.31.0
2024-09-10T16:20:21Z    INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2024-09-10T16:20:24Z    INFO    Detected OS     family="debian" version="12.5"
2024-09-10T16:20:24Z    INFO    Number of language-specific files       num=2

Verify the generated SBOM:

➜ candidate@cks8930:~$ vim /opt/course/18/sbom2.json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:70b535ca-0033-47aa-8648-27095d982eca",
  "version": 1,
  "metadata": {
    "timestamp": "2024-09-10T16:20:24+00:00",
    "tools": {
      "components": [
        {
          "type": "application",
          "group": "aquasecurity",
          "name": "trivy",
          "version": "0.51.2"
        }
      ]
    },
    ...
  }
}

Step 3: Scan SBOM with Trivy

Scan the existing SPDX-Json SBOM for vulnerabilities:

➜ candidate@cks8930:~$ trivy sbom --format json --output /opt/course/18/sbom_check_result.json /opt/course/18/sbom_check.json
2024-09-10T16:50:56Z    INFO    Need to update DB
2024-09-10T16:50:56Z    INFO    Downloading DB...       repository="ghcr.io/aquasecurity/trivy-db:2"
52.89 MiB / 52.89 MiB [---------------------------------------------------------------------------------------------------------------------] 100.00% 9.90 MiB p/s 5.5s
2024-09-10T16:51:02Z    INFO    Vulnerability scanning is enabled
2024-09-10T16:51:02Z    INFO    Detected SBOM format    format="spdx-json"
2024-09-10T16:51:03Z    INFO    Detected OS     family="debian" version="11.8"
2024-09-10T16:51:03Z    INFO    [debian] Detecting vulnerabilities...   os_version="11" pkg_num=3
2024-09-10T16:51:03Z    INFO    Number of language-specific files       num=6
2024-09-10T16:51:03Z    INFO    [gobinary] Detecting vulnerabilities...

Verify the scan results:

➜ candidate@cks8930:~$ vim /opt/course/18/sbom_check_result.json
{
  "SchemaVersion": 2,
  "CreatedAt": "2024-09-10T16:51:03.311963768Z",
  "ArtifactName": "/opt/course/18/sbom_check.json",
  "ArtifactType": "spdx",
  "Metadata": {
    "OS": {
      "Family": "debian",
      "Name": "11.8"
    },
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      ...
    }
  ]
}
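
As an added check (example code, not part of the original walkthrough), the script below confirms that each output file carries the format the task asked for (SPDX-JSON for sbom1.json, CycloneDX for sbom2.json, a Trivy SchemaVersion 2 report for sbom_check_result.json) and summarises the scan result by severity. The sample documents embedded in it are constructed stand-ins for the real files, and the CVE ids and UUID in them are placeholders; check_course_files() runs the same checks against the real paths from the task.

```python
import json
import os
from collections import Counter

def check_spdx_json(doc: dict) -> bool:
    """True if doc looks like SPDX 2.x JSON (what `bom generate --format json` writes)."""
    return (doc.get("SPDXID") == "SPDXRef-DOCUMENT"
            and str(doc.get("spdxVersion", "")).startswith("SPDX-2.")
            and isinstance(doc.get("packages"), list))

def check_cyclonedx(doc: dict) -> bool:
    """True if doc looks like CycloneDX JSON (what `trivy image --format cyclonedx` writes)."""
    return (doc.get("bomFormat") == "CycloneDX"
            and "specVersion" in doc
            and str(doc.get("serialNumber", "")).startswith("urn:uuid:"))

def summarize_trivy_report(report: dict) -> dict:
    """Count findings per severity in a Trivy JSON report (SchemaVersion 2, as `trivy sbom --format json` writes)."""
    if report.get("SchemaVersion") != 2:
        raise ValueError("not a Trivy SchemaVersion 2 report")
    counts = Counter()
    # Trivy omits "Vulnerabilities" for targets without findings, hence the `or []` guards.
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return dict(counts)

def check_course_files(base: str = "/opt/course/18") -> dict:
    """Run the checks against the real task outputs on cks8930; returns {filename: result}."""
    def load(name):
        with open(os.path.join(base, name)) as fh:
            return json.load(fh)
    return {
        "sbom1.json": check_spdx_json(load("sbom1.json")),
        "sbom2.json": check_cyclonedx(load("sbom2.json")),
        "sbom_check_result.json": summarize_trivy_report(load("sbom_check_result.json")),
    }

# Constructed sample documents mirroring the shape of the real files; ids and UUID are placeholders.
SAMPLE_SPDX = {"SPDXID": "SPDXRef-DOCUMENT", "spdxVersion": "SPDX-2.3", "packages": []}
SAMPLE_CDX = {"bomFormat": "CycloneDX", "specVersion": "1.5",
              "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000"}
SAMPLE_REPORT = {"SchemaVersion": 2, "ArtifactType": "spdx", "Results": [
    {"Target": "debian", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-PLACEHOLDER-0002", "Severity": "HIGH"}]},
    {"Target": "gobinary", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-PLACEHOLDER-0003", "Severity": "CRITICAL"}]},
    {"Target": "clean-target"}]}

if __name__ == "__main__":
    print(check_spdx_json(SAMPLE_SPDX), check_cyclonedx(SAMPLE_CDX), summarize_trivy_report(SAMPLE_REPORT))
```

A file written with the wrong trivy format flag (for example `--format spdx` tag-value instead of `--format spdx-json`) fails json.load or these key checks, which is the mistake this catches before the task is graded.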

Summary of tasks completed:
  • Generated SPDX-Json SBOM for kube-apiserver using bom
  • Generated CycloneDX SBOM for kube-controller-manager using trivy
  • Scanned existing SPDX-Json SBOM for vulnerabilities using trivy
  • Saved all results in the required locations

Security Note: SBOMs are crucial for software supply chain security. They provide transparency about the components and dependencies in your software, making it easier to identify and address security vulnerabilities.