Software Bill of Materials

A Software Bill of Materials (SBOM) is a manifest of the software components and dependencies that make up an application. The Bombastic service lets you publish, retrieve, and search SBOM documents through a REST API. Bombastic supports searching SBOM data with the sikula simple query language. Publishing and retrieving an SBOM document identifies the product by its Common Platform Enumeration (CPE) identifier or by its package URL (pURL).

Publishing a Software Bill of Materials document

You can publish SBOM documents in CycloneDX version 1.3 or Software Package Data Exchange (SPDX) version 2.2 format; the SBOM document must be a JSON file.

A document can take from a few seconds to several minutes to appear in search results.

Prerequisite
  • An SBOM document.

Procedure
  1. To publish an SBOM document to Trustification:

    Syntax
    curl -H "transfer-encoding: chunked" --json FILE_NAME https://sbom.trustification.dev/api/v1/sbom?id=SBOM_NAME
    Example
    $ curl -H "transfer-encoding: chunked" --json sbom-example.json https://sbom.trustification.dev/api/v1/sbom?id=my-sbom-example

    A 201 Created response means the document was successfully published.
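
The following Python helper, an added example and not part of the Trustification project or its documentation, performs the publish step described above with two checks a practitioner would want: it rejects a document whose format or version is outside what this page lists as supported (CycloneDX 1.3, SPDX 2.2, JSON), and it percent-encodes the SBOM_NAME before placing it in the query string. The request mirrors the page's curl --json call (a POST with JSON content-type headers); the base URL defaults to the one on the page, and everything else (function names, the sample documents in the comments) is the example's own assumption.

```python
"""Pre-flight check and publish helper for Bombastic's SBOM endpoint.

Added example, not part of the Trustification project or its docs. It
assumes only what the page states: publish via `curl --json` (POST) to
/api/v1/sbom?id=..., accepted formats CycloneDX 1.3 and SPDX 2.2 as JSON,
and 201 Created on success.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# The (format, version) pairs the page says Bombastic accepts.
SUPPORTED = {("CycloneDX", "1.3"), ("SPDX", "2.2")}


def detect_format(doc: dict) -> tuple[str, str]:
    """Return (format, version) for a parsed SBOM document.

    CycloneDX JSON carries `bomFormat` and `specVersion`; SPDX JSON carries
    `spdxVersion` like "SPDX-2.2". Anything else is rejected up front so a
    document Bombastic would not index is never published by mistake.
    """
    if doc.get("bomFormat") == "CycloneDX":
        fmt = ("CycloneDX", str(doc.get("specVersion", "")))
    elif isinstance(doc.get("spdxVersion"), str) and doc["spdxVersion"].startswith("SPDX-"):
        fmt = ("SPDX", doc["spdxVersion"][len("SPDX-"):])
    else:
        raise ValueError("not a CycloneDX or SPDX JSON document")
    if fmt not in SUPPORTED:
        raise ValueError(f"unsupported SBOM format/version: {fmt[0]} {fmt[1]}")
    return fmt


def publish_url(base: str, sbom_id: str) -> str:
    """Build the publish URL, percent-encoding the id so that characters such
    as spaces or '&' cannot alter the query string."""
    return f"{base.rstrip('/')}/api/v1/sbom?{urllib.parse.urlencode({'id': sbom_id})}"


def publish_sbom(path: str, sbom_id: str, base: str = "https://sbom.trustification.dev") -> int:
    """Validate the file, then POST it the way `curl --json` does.

    Returns the HTTP status code; 201 means the document was accepted.
    urllib sends a Content-Length header instead of curl's chunked transfer
    encoding, which is fine for documents that fit in memory.
    """
    with open(path, "rb") as fh:
        body = fh.read()
    detect_format(json.loads(body))          # fail fast on unsupported input
    req = urllib.request.Request(
        publish_url(base, sbom_id),
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    import sys
    status = publish_sbom(sys.argv[1], sys.argv[2])
    print("published" if status == 201 else f"publish failed with HTTP {status}")
```

Run it as `python publish_sbom.py sbom-example.json my-sbom-example`; a document that parses but is, say, CycloneDX 1.5 is refused locally instead of being sent to the service.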

Additional resources
  • See the OpenAPI documentation for more details on potential responses.

Retrieving a Software Bill of Materials

You can retrieve SBOM documents by specifying a product’s identification.

Prerequisite
  • A CPE identifier or pURL.

Procedure
  1. To retrieve an SBOM document from Trustification:

    Syntax
    curl https://sbom.trustification.dev/api/v1/sbom?id=SBOM_NAME
    Example
    $ curl https://sbom.trustification.dev/api/v1/sbom?id=my-sbom-example

Search for Software Bill of Materials document

By default, a query searches the identifiers, titles, and descriptions within the SBOM document and returns the matching results ordered by relevance.

See the sikula simple query language for more details on the search syntax.

Search qualifiers

The following table lists the search qualifiers you can use when searching the Bombastic service.

Qualifier   | Description                       | Matching type  | Example
------------+-----------------------------------+----------------+---------------------------------------------------------------------------------
package     | Search by package identifiers     | Exact, Partial | package:"pkg:maven/io.seedwing/seedwing-java-example@1.0.0-SNAPSHOT?type=jar"
type        | Search by type                    | Exact          | type:oci
namespace   | Search by namespace               | Exact          | namespace:io.quarkus
version     | Search by version                 | Exact, Partial | 2.13 in:version
description | Search by description             | Term           | description:how
created     | Search by created date            | Exact, Range   | created:2022-01-01..2023-01-01
digest      | Search by SBOM digest             | Exact          | digest:5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
license     | Search by license                 | Exact          | license:Apache-2.0
supplier    | Search by supplier                | Exact, Partial | "Red Hat" in:supplier
qualifier   | Search in package URL qualifiers  | Exact          | qualifier:tag:7.9-1057
dependency  | Search in package dependencies    | Exact, Partial | dependency:openssl

The four matching types are:

  • An Exact match has the exact value.

  • A Partial match is a prefix value.

  • A Term match is text matching.

  • A Range match is values within a range.

You can also enforce an ordering on the results by the created field, for example, ubi9 sort:created or ubi9 -sort:created.
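
To make the four matching types and the sort option concrete, here is a small reference evaluator, added as an illustration and not Bombastic's own search implementation. It applies the Exact, Partial, Term and Range semantics the list above describes, plus sort:created and -sort:created, to a handful of constructed SBOM records; the record values, the field names, and the choice of which matching type each qualifier uses are the example's own assumptions. It accepts both the qualifier:value and the VALUE in:qualifier forms shown in the table.

```python
"""Reference evaluator for the four matching types in the qualifier table.

Added illustration, not Bombastic's search engine. It applies Exact,
Partial, Term and Range matching, plus sort:created / -sort:created, to a
few constructed SBOM records so the difference between the types is
concrete. All record values below are made up for the demonstration.
"""
import shlex
from datetime import date

# Constructed sample records (not real Trustification data).
RECORDS = [
    {"id": "ubi9-1", "type": "oci", "namespace": "io.quarkus", "version": "2.13.7",
     "description": "Quarkus application image, how it was built",
     "license": "Apache-2.0", "supplier": "Red Hat",
     "dependency": ["openssl-libs", "zlib"], "created": date(2022, 6, 1)},
    {"id": "app-2", "type": "maven", "namespace": "io.seedwing", "version": "1.0.0-SNAPSHOT",
     "description": "seedwing java example", "license": "MIT", "supplier": "Seedwing",
     "dependency": ["openssl", "jackson-databind"], "created": date(2023, 3, 15)},
    {"id": "ubi9-3", "type": "oci", "namespace": "io.quarkus", "version": "3.2.0",
     "description": "Quarkus application image", "license": "Apache-2.0",
     "supplier": "Red Hat", "dependency": ["glibc"], "created": date(2021, 12, 31)},
]


def _values(field_value):
    return field_value if isinstance(field_value, list) else [field_value]


def match_exact(field_value, wanted):
    """Exact: the stored value (or one item of a list) equals `wanted`."""
    return any(str(v) == wanted for v in _values(field_value))


def match_partial(field_value, wanted):
    """Partial: `wanted` is a prefix of the stored value (or of one list item)."""
    return any(str(v).startswith(wanted) for v in _values(field_value))


def match_term(field_value, wanted):
    """Term: text matching, here a case-insensitive whole-word test."""
    words = str(field_value).lower().replace(",", " ").split()
    return wanted.lower() in words


def match_range(field_value, wanted):
    """Range: 'start..end' on a date field, both ends inclusive; a bare
    date is treated as an exact match, as the table allows for `created`."""
    if ".." in wanted:
        start, end = (date.fromisoformat(s) for s in wanted.split("..", 1))
    else:
        start = end = date.fromisoformat(wanted)
    return start <= field_value <= end


# Which matching type each qualifier uses in this illustration (assumed).
MATCHERS = {
    "type": match_exact, "namespace": match_exact, "license": match_exact,
    "version": match_partial, "supplier": match_partial, "dependency": match_partial,
    "description": match_term,
    "created": match_range,
}


def search(query: str, records=RECORDS):
    """Evaluate a query made of `qualifier:value` or `VALUE in:qualifier`
    terms (AND-ed together), with an optional `sort:created` or
    `-sort:created`; returns the ids of the matching records."""
    tokens = shlex.split(query)          # honours quoting such as "Red Hat"
    filters, sort_desc = [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("sort:created", "-sort:created"):
            sort_desc = tok.startswith("-")
            i += 1
        elif i + 1 < len(tokens) and tokens[i + 1].startswith("in:"):
            filters.append((tokens[i + 1][3:], tok))   # VALUE in:qualifier form
            i += 2
        else:
            qualifier, _, value = tok.partition(":")
            filters.append((qualifier, value))
            i += 1
    hits = [r for r in records if all(MATCHERS[q](r[q], v) for q, v in filters)]
    if sort_desc is not None:
        hits.sort(key=lambda r: r["created"], reverse=sort_desc)
    return [r["id"] for r in hits]
```

Note how dependency:openssl also matches the record whose dependency is openssl-libs: that is the Partial (prefix) semantics, and it is why a prefix qualifier can return more than the exact package name you typed.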

Use cases

The following use cases illustrate how you can search Trustification to find SBOM documents.

Enable Complex searching before running these queries.

Searching for packages that contain openssl and have the Apache 2.0 license

Example
dependency:openssl license:"Apache-2.0"

Searching for all container packages

Example
type:oci

Reference

See the full Bombastic API documentation for more details.

Creating an SBOM manifest file

Trustification can analyze both the CycloneDX and the Software Package Data Exchange (SPDX) SBOM formats in JSON. Many open-source tools are available for creating Software Bill of Materials (SBOM) manifest files from container images or from your application. This procedure uses the Syft tool.

Currently, Trustification only supports CycloneDX version 1.3 and SPDX version 2.2.

Prerequisites
  • Install Syft for your workstation platform.

Procedure
  1. To create an SBOM from a container image:

    CycloneDX format:

    Syntax
    syft IMAGE_PATH -o cyclonedx-json
    Example
    $ syft registry:example/image:tag -o cyclonedx-json

    SPDX format:

    Syntax
    syft IMAGE_PATH -o spdx-json
    Example
    $ syft registry:example/image:tag -o spdx-json

    Syft supports many types of container image sources. See the official supported source list on Syft’s GitHub site.
  2. To create an SBOM by scanning the local file system:

    CycloneDX format:

    Syntax
    syft dir:DIRECTORY_PATH -o cyclonedx-json
    syft file:FILE_PATH -o cyclonedx-json
    Example
    $ syft dir:. -o cyclonedx-json
    $ syft file:/example-binary -o cyclonedx-json

    SPDX format:

    Syntax
    syft dir:DIRECTORY_PATH -o spdx-json
    syft file:FILE_PATH -o spdx-json
    Example
    $ syft dir:. -o spdx-json
    $ syft file:/example-binary -o spdx-json
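
Once Syft has written an SBOM, it is worth checking what the document actually declares before publishing it, because the package URLs in it are what the Bombastic package:, type:, namespace:, version: and qualifier: searches key on. The following Python script is an added example, not Syft's or Trustification's code: it pulls every pURL out of a CycloneDX JSON (components[].purl) or SPDX JSON (packages[].externalRefs with referenceType purl) document and splits each one into its type, namespace, name, version and qualifiers following the package-url layout. The two embedded sample documents are constructed for the demonstration and are not real Syft output.

```python
"""Extract and parse package URLs from an SBOM produced by Syft.

Added example, not Syft's or Trustification's code. It reads the JSON that
`syft ... -o cyclonedx-json` or `-o spdx-json` writes and splits every pURL
into the parts that the Bombastic search qualifiers key on. Both sample
documents below are constructed, not real Syft output.
"""
import json
import sys
from collections import Counter
from urllib.parse import unquote

# Constructed CycloneDX 1.3 fragment in the shape Syft emits.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.3",
    "components": [
        {"type": "library", "name": "seedwing-java-example", "version": "1.0.0-SNAPSHOT",
         "purl": "pkg:maven/io.seedwing/seedwing-java-example@1.0.0-SNAPSHOT?type=jar"},
        {"type": "library", "name": "openssl-libs", "version": "3.0.7-1.el9",
         "purl": "pkg:rpm/redhat/openssl-libs@3.0.7-1.el9?arch=x86_64"},
    ],
})

# Constructed SPDX 2.2 fragment; in SPDX the pURL lives in externalRefs.
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "ubi9", "versionInfo": "9.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:oci/ubi9@sha256%3Aabc123?tag=7.9-1057"}]},
        {"name": "no-purl-package", "versionInfo": "0.1", "externalRefs": []},
    ],
})


def purls_from_sbom(text: str) -> list[str]:
    """Return every package URL declared in a CycloneDX or SPDX JSON document."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return [c["purl"] for c in doc.get("components", []) if c.get("purl")]
    if "spdxVersion" in doc:
        return [ref["referenceLocator"]
                for pkg in doc.get("packages", [])
                for ref in pkg.get("externalRefs", [])
                if ref.get("referenceType") == "purl"]
    raise ValueError("not a CycloneDX or SPDX JSON document")


def parse_purl(purl: str) -> dict:
    """Split a pURL into scheme-less parts: type/namespace/name@version?qualifiers#subpath,
    percent-decoding each component as the package-url layout requires."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest, _, subpath = rest.partition("#")
    rest, _, qualifier_str = rest.partition("?")
    rest, _, version = rest.rpartition("@") if "@" in rest else (rest, "", "")
    segments = [s for s in rest.split("/") if s]
    ptype, name = segments[0].lower(), unquote(segments[-1])
    namespace = "/".join(unquote(s) for s in segments[1:-1])
    qualifiers = {}
    for pair in filter(None, qualifier_str.split("&")):
        key, _, val = pair.partition("=")
        qualifiers[key.lower()] = unquote(val)
    return {"type": ptype, "namespace": namespace, "name": name,
            "version": unquote(version), "qualifiers": qualifiers, "subpath": unquote(subpath)}


def inventory(text: str) -> list[dict]:
    """Parsed pURLs for a document, in declaration order."""
    return [parse_purl(p) for p in purls_from_sbom(text)]


def types_present(text: str) -> dict:
    """Count of packages per pURL type, i.e. the values a `type:` search could hit."""
    return dict(Counter(p["type"] for p in inventory(text)))


if __name__ == "__main__":
    # Usage: python sbom_inventory.py sbom.json
    with open(sys.argv[1], encoding="utf-8") as fh:
        for entry in inventory(fh.read()):
            print(entry)
```

The `inventory` output is what to compare against a dependency:openssl or namespace:io.quarkus search after publishing; a package without a pURL in the SBOM (the second SPDX package above) is simply absent from it, so it cannot be found through those qualifiers.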
Additional resources