# K8s BOM

* bom is a utility that lets you create, view and transform Software Bills of Materials (SBOM). It was created as part of the effort to produce an SBOM for the Kubernetes project. Here it is used mainly to inspect the bill of materials of a container image.

## bom in practice

* Install bom

```
$ curl -sL $(curl -sL https://api.github.com/repos/kubernetes-sigs/bom/releases/latest | jq -r .assets[].browser_download_url | grep 'bom-amd64-linux$') -o bom
$ install -o root -g root -m 0755 bom /usr/local/bin/bom
$ rm -r bom*
$ bom version
 ______  _____ ___  ___
| ___ \|  _  ||  \/  |
| |_/ /| | | || .  . |
| ___ \| | | || |\/| |
| |_/ /\ \_/ /| |  | |
\____/  \___/ \_|  |_/

bom: A tool for working with SPDX manifests

GitVersion:    v0.6.0
GitCommit:     9be3ab7
GitTreeState:  clean
BuildDate:     2024-01-15T06:35:50Z
GoVersion:     go1.21.6
Compiler:      gc
Platform:      linux/amd64
```

* Use bom to scan the nginx image and generate an SBOM

```
$ bom generate --image=nginx@sha256:54809b2f36d0ff38e8e5362b0239779e4b75c2f19ad70ef047ed050f01506bb4 -o nginx.spdx
```

* From the SBOM you can read the names and versions of the software packages contained in the nginx image

```
$ bom document outline nginx.spdx
               _
 ___ _ __   __| |_  __
/ __| '_ \ / _` \ \/ /
\__ \ |_) | (_| |>  <
|___/ .__/ \__,_/_/\_\
    |_|

 📂 SPDX Document SBOM-SPDX-05ff03a8-9a8b-41ec-9aae-e058af6ff44c
 │
 │ 📦 DESCRIBES 1 Packages
 │
 ├ sha256:54809b2f36d0ff38e8e5362b0239779e4b75c2f19ad70ef047ed050f01506bb4
 │ │ 🔗 7 Relationships
 │ ├ CONTAINS PACKAGE sha256:6e909acdb790c5a1989d9cfc795fda5a246ad6664bb27b5c688e2b734b2c5fad
 │ ├ CONTAINS PACKAGE sha256:5eaa34f5b9c2a13ef2217ceb966953dfd5c3a21a990767da307be1f57e5a1e4f
 │ │ │ 🔗 149 Relationships
 │ │ ├ CONTAINS PACKAGE adduser@3.134
 │ │ ├ CONTAINS PACKAGE apt@2.6.1
 │ │ ├ CONTAINS PACKAGE base-files@12.4+deb12u10
 │ │ ├ CONTAINS PACKAGE base-passwd@3.6.1
 │ │ ├ CONTAINS PACKAGE bash@5.2.15-2+b7
 │ │ ├ CONTAINS PACKAGE bsdutils@1:2.38.1-5+deb12u3
 │ │ ├ CONTAINS PACKAGE ca-certificates@20230311
 │ │ ├ CONTAINS PACKAGE coreutils@9.1-1
 │ │ ├ CONTAINS PACKAGE curl@7.88.1-10+deb12u12
```

* Scan an image and print the SBOM directly to the screen instead of a file

```
$ bom generate -i docker.io/library/alpine:3.18.4
```

## References

https://github.com/kubernetes-sigs/bom
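The outline step above walks the image → layer → package CONTAINS relationships that `bom generate -o nginx.spdx` records in SPDX tag-value form. As an added example (not bom's own code), this script parses such a file and lists an image's packages the same way; the sample document is constructed and its SPDXIDs are assumptions, not bom's real naming scheme.

```python
# Added example, not bom's own code: parse the SPDX 2.x tag-value file that
# `bom generate -o nginx.spdx` writes and list the image's packages like
# `bom document outline`. Sample below is constructed; SPDXIDs are assumed.
import re
SAMPLE_SPDX = """\
PackageName: sha256:54809b2f36d0ff38e8e5362b0239779e4b75c2f19ad70ef047ed050f01506bb4
SPDXID: SPDXRef-Package-image
PackageName: sha256:5eaa34f5b9c2a13ef2217ceb966953dfd5c3a21a990767da307be1f57e5a1e4f
SPDXID: SPDXRef-Package-layer
##### Package: adduser
PackageName: adduser
SPDXID: SPDXRef-Package-adduser
PackageVersion: 3.134
PackageName: bash
SPDXID: SPDXRef-Package-bash
PackageVersion: 5.2.15-2+b7
Relationship: SPDXRef-Package-image CONTAINS SPDXRef-Package-layer
Relationship: SPDXRef-Package-layer CONTAINS SPDXRef-Package-adduser
Relationship: SPDXRef-Package-layer CONTAINS SPDXRef-Package-bash
"""

def parse_spdx(text):
    """Return (packages, contains): SPDXID -> {name, version}; parent -> [children]."""
    packages, contains, cur = {}, {}, None
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if not m:  # '#####' comment lines and blank lines carry no tag
            continue
        tag, value = m.group(1), m.group(2).strip()
        if tag == "PackageName":  # opens a new package section
            cur = {"name": value, "version": ""}
        elif tag == "SPDXID" and cur is not None and "id" not in cur:
            cur["id"] = value  # the first SPDXID after PackageName belongs to it
            packages[value] = cur
        elif tag == "PackageVersion" and cur is not None:
            cur["version"] = value
        elif tag == "Relationship":
            src, rel, dst = value.split()
            if rel == "CONTAINS":
                contains.setdefault(src, []).append(dst)
    return packages, contains

def contained_packages(packages, contains, root):
    """Walk CONTAINS edges from root (image -> layers -> packages); sorted name@version."""
    out = []
    for child in contains.get(root, []):  # containment from an image forms a tree
        p = packages[child]
        out.append(p["name"] + ("@" + p["version"] if p["version"] else ""))
        out.extend(contained_packages(packages, contains, child))
    return sorted(out)
```

Run it against a real `nginx.spdx` by passing the file's contents to `parse_spdx` and the SPDXID of the package the document DESCRIBES to `contained_packages`.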