Just a friendly wrapper for getting the sbom for an image.
$ ./get-sbom cgr.dev/chainguard/busybox:latest | ./sbom-to-manifest
alpine-baselayout-data 3.6.5-r0
alpine-keys 2.4-r1
alpine-release 3.20.0-r0
busybox 1.36.1-r29
ca-certificates-bundle 20240226-r0
libcrypto3 3.3.0-r2
libssl3 3.3.0-r2
musl 1.2.5-r1
ssl_client 1.36.1-r29
| #!/bin/sh | |
| # from | |
| # https://edu.chainguard.dev/chainguard/chainguard-images/images-features/retrieve-image-sboms/ | |
| Usage() { | |
| cat <<EOF | |
| ${0##*/} url | |
| download the sbom from url | |
| $ ${0##*/} k3d-k3d.localhost:5005/busybox:latest | |
| EOF | |
| } | |
| rq() { | |
| local rc="" | |
| "$@" && return 0 | |
| rc=$? | |
| echo "failed [$rc] $*" 1>&2 | |
| return $rc | |
| } | |
| [ $# -eq 0 ] && { Usage 1>&2; exit 1; } | |
| [ "$1" = "-h" -o "$1" = "--help" ] && { Usage ; exit 0; } | |
| url="$1" | |
| tmpd=$(mktemp -d) | |
| trap "rm -Rf '$tmpd'" EXIT | |
| rq \ | |
| cosign download attestation \ | |
| --platform=linux/amd64 \ | |
| --predicate-type=https://spdx.dev/Document \ | |
| "$url" > "$tmpd/raw" || exit | |
| jq -r .payload < "$tmpd/raw" | base64 -d | jq .predicate |
| #!/bin/sh | |
| tmpf=$(mktemp) | |
| trap "rm -f '$tmpf'" EXIT | |
| jq -r ' | |
| .packages.[] | | |
| select(.name | startswith("sha256:") | not) | | |
| select(.SPDXID | startswith("SPDXRef-Package")) | | |
| .name + "\t" + .versionInfo' > "$tmpf" || exit 1 | |
| sort < "$tmpf" |