SBOM: software bill of materials.

Relevant: Supply Chain Security

Anchore SBOMs

Trying to set up Anchore SBOMs for Java packages.

This Maven plugin should generate the SBOM as a JSON file (with outputName set to bom and outputFormat set to all below, the files written are target/bom.json and target/bom.xml).

<plugin>
    <!-- CycloneDX Maven plugin: writes the BOM during the package phase -->
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.5.3</version>
    <executions>
        <execution>
            <phase>package</phase>
            <goals>
                <!-- makeAggregateBom covers every module of a multi-module build; makeBom is the single-module goal -->
                <goal>makeAggregateBom</goal>
            </goals>
        </execution>
    </executions>
    <configuration>
        <projectType>library</projectType>
        <schemaVersion>1.3</schemaVersion>
        <!-- urn:uuid serial number gives each BOM a unique identity -->
        <includeBomSerialNumber>true</includeBomSerialNumber>
        <includeCompileScope>true</includeCompileScope>
        <includeProvidedScope>true</includeProvidedScope>
        <includeRuntimeScope>true</includeRuntimeScope>
        <includeSystemScope>true</includeSystemScope>
        <!-- test-scope dependencies never ship, so they are left out -->
        <includeTestScope>false</includeTestScope>
        <includeLicenseText>false</includeLicenseText>
        <!-- "all" writes both bom.json and bom.xml -->
        <outputFormat>all</outputFormat>
        <outputName>bom</outputName>
    </configuration>
</plugin>

From there, we should be able to upload that sbom via:

The general anchorectl workflow is:

  1. anchorectl application add <org/repo> — register the application
  2. anchorectl application version add <app-id> <version> — add a version
  3. anchorectl application version artifact add <app-id> <artifact-id> source --uuid <uuid> — link version to source

The general workflow for uploading SBOMs to Anchore is:

  1. Create an import session via POST /v1/enterprise/imports/sources
  2. Upload the SBOM to that session via POST /v1/enterprise/imports/sources/{uuid}/sbom
  3. Finalize the import via POST /v1/enterprise/imports/sources/{uuid}/finalize with metadata (branch, repo, revision)
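The three API steps above driven from Python, as an added example rather than anything from these notes or from Anchore's own tooling. The bearer-token header, the field names in the finalize payload, and the `{"uuid": ...}` shape of the session response are assumptions to check against the Anchore Enterprise API reference; the transport is swappable so the sequence runs offline against a recording stand-in, and the BOM is checked against what the plugin config above should produce before anything is sent.

```python
import json
import urllib.request
from typing import Any, Callable, Dict

# Constructed sample of what cyclonedx-maven-plugin writes to target/bom.json.
SAMPLE_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.3", "version": 1,
              "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
              "components": []}

def check_cyclonedx(bom: Dict[str, Any]) -> bool:
    """Check the file matches the plugin config above before uploading it."""
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"not CycloneDX: bomFormat={bom.get('bomFormat')!r}")
    if bom.get("specVersion") != "1.3":
        raise ValueError(f"unexpected specVersion {bom.get('specVersion')!r}")
    if not str(bom.get("serialNumber", "")).startswith("urn:uuid:"):
        raise ValueError("serialNumber missing; set includeBomSerialNumber=true")
    return True

def http_transport(base_url: str, token: str) -> Callable:
    """Real transport: (method, path, body) -> JSON. Bearer auth is assumed."""
    def send(method: str, path: str, body: Any) -> Dict[str, Any]:
        req = urllib.request.Request(
            base_url + path, method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send

class RecordingTransport:
    """Offline stand-in for http_transport: logs calls, returns a fixed uuid."""
    def __init__(self) -> None:
        self.calls = []
    def __call__(self, method: str, path: str, body: Any) -> Dict[str, Any]:
        self.calls.append((method, path, body))
        return {"uuid": "11111111-2222-3333-4444-555555555555"}

def import_source_sbom(bom: Dict[str, Any], repo: str, branch: str,
                       revision: str, transport: Callable) -> str:
    """Create an import session, upload the SBOM, finalize; returns the uuid."""
    check_cyclonedx(bom)
    uuid = transport("POST", "/v1/enterprise/imports/sources", None)["uuid"]
    session = f"/v1/enterprise/imports/sources/{uuid}"
    transport("POST", session + "/sbom", bom)
    # Finalize with the source metadata; these field names are an assumption.
    transport("POST", session + "/finalize",
              {"source": {"repository": repo, "branch": branch, "revision": revision}})
    return uuid
```

Against a live instance, pass `http_transport("https://<anchore-host>", "<token>")` in place of `RecordingTransport()`, with the BOM loaded via `json.load(open("target/bom.json"))`.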