creating-docker-sboms.md

File metadata and controls

224 lines (174 loc) · 7.5 KB

Creating SBOMs from Containers using Docker Scout SBOM

Introduction

This tutorial illustrates how to create SBOMs from container images using the Docker Scout SBOM CLI utility.

Requirements

  • Docker CLI with Docker Scout (included).

Verification

Run the command:

docker scout sbom --help

You should see the resultant output:

 Generate or display SBOM of an image

Usage
  docker scout sbom [IMAGE|DIRECTORY|ARCHIVE]

Description
The docker scout sbom command analyzes a software artifact to generate the corresponding Software Bill Of Materials (SBOM).

The SBOM can be used to list all packages, or the ones from a specific type (as dep, maven, etc).

If no image is specified, the most recently built image is used.

The following artifact types are supported:

- Images
- OCI layout directories
- Tarball archives, as created by docker save
- Local directory or file

The tool analyzes the provided software artifact, and generates a vulnerability report.

By default, the tool expects an image reference, such as:

- redis
- curlimages/curl:7.87.0
- mcr.microsoft.com/dotnet/runtime:7.0

If the artifact you want to analyze is an OCI directory, a tarball archive, a local file or directory,
or if you want to control from where the image will be resolved, you must prefix the reference with one of the following:

- image:// (default) use a local image, or fall back to a registry lookup
- local:// use an image from the local image store (don't do a registry lookup)
- registry:// use an image from a registry (don't use a local image)
- oci-dir:// use an OCI layout directory
- archive:// use a tarball archive, as created by docker save
- fs:// use a local directory or file



Flags
      --format string               Output format:
                                    - list: list of packages of the image
                                    - json: json representation of the SBOM
                                    - spdx: spdx representation of the SBOM (default "json")
      --only-package-type strings   Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc)
                                    Can only be used with --format list
  -o, --output string               Write the report to a file
      --platform string             Platform of image to analyze
      --ref string                  Reference to use if the provided tarball contains multiple references.
                                    Can only be used with archive

Examples
  Display the list of packages
  $ docker scout sbom alpine --format list

  Only display packages of a specific type
  $ docker scout sbom --format list --only-package-type apk alpine

  Display the full SBOM as json of the most recently built image
  $ docker scout sbom

  Write SBOM to a file
  $ docker scout sbom --output alpine.sbom alpine

Learn More
  Read docker scout cli reference at https://docs.docker.com/engine/reference/commandline/scout/

Report Issues
  Raise bugs and feature requests at https://github.com/docker/scout-cli/issues

Send Feedback
  Send feedback with docker feedback

Usage

To create an SBOM, run:

docker scout sbom --format <FORMAT> <IMAGE> -o <FILENAME>

Where:

FORMAT is one of the values accepted by --format:

  • list (a plain list of the image's packages)
  • json (Docker Scout's own JSON representation; the default)
  • spdx (an SPDX JSON document)

IMAGE is one of:

  • A local image. This is the default; if no matching local image is found, the utility falls back to a registry lookup. Prefix the reference with local:// to search only the local image store, e.g. local://node.

  • A remote image from a registry. Without a prefix the registry is consulted only after the local lookup fails; prefix the reference with registry:// to skip the local image store and always use the registry, e.g. registry://debian:buster.

  • An OCI layout directory, prefixed with oci-dir://, e.g. oci-dir://ubuntu_latest.

  • A tarball archive as created by docker save, prefixed with archive://, e.g. archive://ubuntu_latest.tar.

  • A local directory or file, prefixed with fs://, e.g. fs://docker.

Notes

  • Of the output FORMAT values, only spdx is a standard SBOM format. All example SBOMs created with this tool are therefore provided in SPDX.

  • License identifiers emitted by this SBOM generator may not conform to the SPDX License List, which can render the SBOM invalid for tools that validate it before analysis.
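The second note is the one most likely to bite in practice: an SPDX document whose licenseDeclared or licenseConcluded fields contain identifiers outside the SPDX License List (or not of the LicenseRef-* form) fails validation. The following script is an added example, not part of this tutorial or of Docker Scout. It reads an SPDX JSON document of the kind `docker scout sbom --format spdx -o <FILENAME> <IMAGE>` writes, lists each package with its purl, and reports the license identifiers that would make the document invalid. The SBOM embedded below is constructed for the example, the license list is a small assumed subset (a real check would load https://spdx.org/licenses/licenses.json), and `generate_sbom` is a convenience wrapper around the command from the Usage section that is not exercised here.

```python
"""Audit the license identifiers in an SPDX JSON SBOM and list its packages.

Added example; not part of the original tutorial or of Docker Scout itself.
"""
import json
import re
import subprocess

# Assumption: a small subset of the SPDX License List, enough for the sample.
# A real audit would load the full list from
# https://spdx.org/licenses/licenses.json (the "licenseId" of each entry).
SPDX_LICENSE_IDS = {
    "MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-2.0-only",
    "GPL-2.0-or-later", "GPL-3.0-only", "LGPL-2.1-or-later", "ISC", "MPL-2.0",
}
# Values SPDX allows in place of a license expression.
SPDX_SPECIAL = {"NOASSERTION", "NONE"}
# Split an expression on AND/OR operators and parentheses (lowercase tolerated).
_TOKEN_RE = re.compile(r"\s+(?:AND|OR)\s+|[()]", re.IGNORECASE)


def license_ids(expression):
    """Return the license identifiers of an SPDX license expression.
    For "X WITH exception" only the license part X is returned; exception
    identifiers are not checked by this example."""
    ids = []
    for token in _TOKEN_RE.split(expression or ""):
        token = token.strip()
        if token:
            ids.append(re.split(r"\s+WITH\s+", token, flags=re.IGNORECASE)[0])
    return ids


def invalid_license_ids(expression, known=SPDX_LICENSE_IDS):
    """Return identifiers in `expression` that are neither on the license list,
    nor a LicenseRef-* custom identifier, nor NOASSERTION/NONE."""
    bad = []
    for ident in license_ids(expression):
        base = ident.rstrip("+")  # the deprecated "+" suffix is still parsed
        if base in SPDX_SPECIAL or base in known or base.startswith("LicenseRef-"):
            continue
        bad.append(ident)
    return bad


def purl_of(package):
    """Return the package URL recorded in the package's externalRefs, if any."""
    for ref in package.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None


def audit_sbom(doc, known=SPDX_LICENSE_IDS):
    """Return one record per package: name, version, purl and, per license
    field, the identifiers that would make the document fail validation."""
    records = []
    for pkg in doc.get("packages", []):
        problems = {}
        for field in ("licenseConcluded", "licenseDeclared"):
            bad = invalid_license_ids(pkg.get(field), known)
            if bad:
                problems[field] = bad
        records.append({
            "name": pkg.get("name"),
            "version": pkg.get("versionInfo"),
            "purl": purl_of(pkg),
            "invalid_licenses": problems,
        })
    return records


def generate_sbom(image, path):
    """Run the tutorial's command and return the parsed SPDX document.
    Not exercised here: needs the Docker CLI with Docker Scout installed."""
    subprocess.run(["docker", "scout", "sbom", "--format", "spdx",
                    "-o", path, image], check=True)
    with open(path) as fh:
        return json.load(fh)


# Constructed sample in the SPDX 2.3 JSON layout; not real Docker Scout output.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT", "name": "example-image-sbom",
    "packages": [
        {"name": "musl", "SPDXID": "SPDXRef-Package-musl", "versionInfo": "1.2.4-r2",
         "licenseConcluded": "MIT", "licenseDeclared": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:apk/alpine/musl@1.2.4-r2"}]},
        {"name": "busybox", "SPDXID": "SPDXRef-Package-busybox", "versionInfo": "1.36.1-r5",
         "licenseConcluded": "GPL-2.0-only", "licenseDeclared": "GPL-2.0-only",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:apk/alpine/busybox@1.36.1-r5"}]},
        {"name": "example-lib", "SPDXID": "SPDXRef-Package-example-lib", "versionInfo": "0.1.0",
         "licenseConcluded": "NOASSERTION",
         "licenseDeclared": "GPL AND Custom Vendor License", "externalRefs": []},
    ],
}

if __name__ == "__main__":
    for rec in audit_sbom(SAMPLE_SBOM):
        flag = "INVALID " if rec["invalid_licenses"] else ""
        print(f"{flag}{rec['name']} {rec['version']} {rec['purl']} {rec['invalid_licenses']}")
```

Run it as-is to see the constructed sample flagged, or call `audit_sbom(generate_sbom("local://node", "node.spdx.json"))` on a machine with Docker Scout to audit a real image. Packages whose purl is missing are worth noting too: a consumer cannot match them to a vulnerability feed without one.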

Example SBOM

This section illustrates SPDX JSON SBOMs of a remote Debian Buster image, a Dockerfile-based image, a local Node image, an OCI layout Ubuntu image and an archived Ubuntu image, all produced with Docker Scout SBOM.

The page embeds interactive viewers for the following five example SPDX JSON files (the viewers are not reproduced here):

  • debian-buster.remote.spdx.json (remote Debian Buster image)
  • docker.file.spdx.json (Dockerfile-based image)
  • node.local.spdx.json (local Node image)
  • ubuntu_latest.oci.spdx.json (OCI layout Ubuntu image)
  • ubuntu-latest.archive.spdx.json (archived Ubuntu image)

References