Fetching SBOM
What is SBOM?
An SBOM is a formal list that enumerates the components and dependencies of a software package. It provides a comprehensive inventory of the software components that are present in the package, including open-source software, commercial components, and proprietary code.
SBOMs are essential for software security and compliance because they enable users to identify vulnerabilities and track the origins of software components. By providing an SBOM for our Docker images, we enable our users to have better visibility into the software components used in our product.
Downloading the Cimon SBOM
To download the full SBOM file for the Cimon image, you can use the cosign tool. Here are the steps to follow:
- Install the
cosigntool by following the instructions provided in the official cosign documentation: https://github.com/sigstore/cosign#installation - Downloading the SBOM for the desired image:
cosign download sbom cycodelabs/cimon:<version> > cimon-<version>.sbom.spdx.json
Replace "version" with the version of Cimon image you want to download the SBOM file for. You can identify the latest version of Cimon used by inspecting the tags in https://github.com/cycodelabs/cimon-action/tags
- The SBOM file will be downloaded and saved in the current working directory with the name
cimon-<version>.sbom.spdx.json.
$ cat cimon-<version>.sbom.spdx.json
{
"SPDXID": "SPDXRef-DOCUMENT",
...
}