demo-java-sbom

Demo of Java SBOM verification for different JDK / JRE

Checking SBOMs

Newer JDK/JRE builds ship a lib/jrt-fs.jar whose manifest records the implementation vendor. Syft's java-archive cataloger surfaces that manifest in the SBOM, so the vendor can be read straight from the artifact entry (Corretto 17 shown, trimmed):

    {
      "id": "ade8b7bfaa7d1871",
      "name": "jrt-fs",
      "version": "17.0.13",
      "type": "java-archive",
      "foundBy": "java-archive-cataloger",
      "locations": [
        {
          "path": "/usr/lib/jvm/java-17-amazon-corretto/lib/jrt-fs.jar",
          "layerID": "sha256:e71d1c13c6c83d7462ac9547188722b5dbbbfdf6f108b27f675b4929b5cc9f0a",
          "accessPath": "/usr/lib/jvm/java-17-amazon-corretto/lib/jrt-fs.jar",
          "annotations": {
            "evidence": "primary"
          }
        }
      ],
      "licenses": [],
      "language": "java",
      "cpes": [ 
        // trimmed ..
      ],
      "purl": "pkg:maven/jrt-fs/jrt-fs@17.0.13",
      "metadataType": "java-archive",
      "metadata": {
        "virtualPath": "/usr/lib/jvm/java-17-amazon-corretto/lib/jrt-fs.jar",
        "manifest": {
          "main": [
            {
              "key": "Manifest-Version",
              "value": "1.0"
            },
            {
              "key": "Specification-Title",
              "value": "Java Platform API Specification"
            },
            {
              "key": "Specification-Version",
              "value": "17"
            },
            {
              "key": "Specification-Vendor",
              "value": "Oracle Corporation"
            },
            {
              "key": "Implementation-Title",
              "value": "Java Runtime Environment"
            },
            {
              "key": "Implementation-Version",
              "value": "17.0.13"
            },
            {
              "key": "Implementation-Vendor",
              "value": "Amazon.com Inc."
            },
            {
              "key": "Created-By",
              "value": "17.0.12 (Amazon.com Inc.)"
            }
          ]
        },

        // trimmed ...
      }
    }

Package URLs for the different images, extracted from the syft JSON with jq. Note the one entry under the oracle namespace in the openjdk11 list; it is what the policy below keys on.

cat openjdk11.json | jq ".artifacts[].purl"

"pkg:deb/debian/[email protected]?arch=all&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u4?arch=arm64&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u1?arch=arm64&distro=debian-11"
"pkg:deb/debian/bsdutils@1:2.36.1-8%2Bdeb11u1?arch=arm64&upstream=util-linux%402.36.1-8%2Bdeb11u1&distro=debian-11"
"pkg:deb/debian/ca-certificates@20210119?arch=all&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bgit20200708%2Bdd9ef66-5?arch=arm64&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=all&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=all&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&distro=debian-11"
"pkg:deb/debian/diffutils@1:3.7-5?arch=arm64&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=gcc-10&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=gcc-9&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u2?arch=arm64&upstream=gnupg2&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u1?arch=arm64&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=all&distro=debian-11"
"pkg:maven/jrt-fs/[email protected]"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=acl&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=apt&distro=debian-11"
"pkg:deb/debian/libattr1@1:2.4.48-6?arch=arm64&upstream=attr&distro=debian-11"
"pkg:deb/debian/libaudit-common@1:3.0-2?arch=all&upstream=audit&distro=debian-11"
"pkg:deb/debian/libaudit1@1:3.0-2?arch=arm64&upstream=audit&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u1?arch=arm64&upstream=util-linux&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=bzip2&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u3?arch=arm64&upstream=glibc&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u3?arch=arm64&upstream=glibc&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bb1?arch=arm64&upstream=libcap-ng%400.7.9-2.2&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=e2fsprogs&distro=debian-11"
"pkg:deb/debian/libcrypt1@1:4.4.18-4?arch=arm64&upstream=libxcrypt&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdfsg1-0.8?arch=arm64&upstream=db5.3&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=cdebconf&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=e2fsprogs&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=libffi&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=gcc-10&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&distro=debian-11"
"pkg:deb/debian/libgmp10@2:6.2.1%2Bdfsg-1%2Bdeb11u1?arch=arm64&upstream=gmp&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u1?arch=arm64&upstream=gnutls28&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=libgpg-error&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u1?arch=arm64&upstream=krb5&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=nettle&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=libidn2&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u1?arch=arm64&upstream=krb5&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=keyutils&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u1?arch=arm64&upstream=krb5&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u1?arch=arm64&upstream=krb5&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=lz4&distro=debian-11"
"pkg:deb/debian/[email protected]~deb11u1?arch=arm64&upstream=xz-utils&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u1?arch=arm64&upstream=util-linux&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=nettle&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=libnsl&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=p11-kit&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u1?arch=arm64&upstream=pam&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u1?arch=arm64&upstream=pam&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u1?arch=all&upstream=pam&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u1?arch=arm64&upstream=pam&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=pcre2&distro=debian-11"
"pkg:deb/debian/libpcre3@2:8.39-13?arch=arm64&upstream=pcre3&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u1?arch=arm64&upstream=libseccomp&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=libselinux&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=all&upstream=libsemanage&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bb2?arch=arm64&upstream=libsemanage%403.1-1&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=libsepol&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u1?arch=arm64&upstream=util-linux&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=e2fsprogs&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u3?arch=arm64&upstream=openssl&distro=debian-11"
"pkg:deb/debian/libstdc%2B%[email protected]?arch=arm64&upstream=gcc-10&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=systemd&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&distro=debian-11"
"pkg:deb/debian/[email protected]%2B20201114-2?arch=arm64&upstream=ncurses&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=all&upstream=libtirpc&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=libtirpc&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=systemd&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=libunistring&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u1?arch=arm64&upstream=util-linux&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=xxhash&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdfsg-2.1?arch=arm64&upstream=libzstd&distro=debian-11"
"pkg:deb/debian/login@1:4.8.1-1?arch=arm64&upstream=shadow&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=e2fsprogs&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=all&upstream=lsb&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u1?arch=arm64&upstream=util-linux&distro=debian-11"
"pkg:deb/debian/[email protected]%2B20201114-2?arch=all&upstream=ncurses&distro=debian-11"
"pkg:deb/debian/[email protected]%2B20201114-2?arch=arm64&upstream=ncurses&distro=debian-11"
"pkg:generic/oracle/[email protected]"
"pkg:deb/debian/[email protected]%2Bdeb11u3?arch=arm64&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&upstream=p11-kit&distro=debian-11"
"pkg:deb/debian/passwd@1:4.8.1-1?arch=arm64&upstream=shadow&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u2?arch=arm64&upstream=perl&distro=debian-11"
"pkg:deb/debian/[email protected]?arch=arm64&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u1?arch=arm64&upstream=sysvinit&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdfsg-1?arch=arm64&distro=debian-11"
"pkg:deb/debian/tzdata@2021a-1%2Bdeb11u4?arch=all&distro=debian-11"
"pkg:deb/debian/[email protected]%2Bdeb11u1?arch=arm64&distro=debian-11"
"pkg:deb/debian/zlib1g@1:1.2.11.dfsg-2%2Bdeb11u1?arch=arm64&upstream=zlib&distro=debian-11"

cat correto17.json | jq ".artifacts[].purl"

"pkg:pypi/[email protected]"
"pkg:rpm/amzn/[email protected]?arch=noarch&upstream=amazon-linux-extras-2.0.3-1.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=noarch&upstream=basesystem-10.0-7.amzn2.0.1.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=bash-4.2.46-34.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=bzip2-1.0.6-13.amzn2.0.3.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=noarch&upstream=ca-certificates-2023.2.68-1.amzn2.0.1.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=chkconfig-1.7.4-1.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=coreutils-8.22-24.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=cpio-2.12-11.amzn2.0.1.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=curl-8.3.0-1.amzn2.0.7.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=cyrus-sasl-2.1.26-24.amzn2.0.1.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=noarch&upstream=dejavu-fonts-2.33-6.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=noarch&upstream=dejavu-fonts-2.33-6.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=diffutils-3.3-5.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=elfutils-0.176-2.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=expat-2.1.0-15.amzn2.0.3.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=file-5.11-36.amzn2.0.1.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=filesystem-3.2-25.amzn2.0.4.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&epoch=1&upstream=findutils-4.5.11-6.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=fontconfig-2.13.0-4.3.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=noarch&upstream=fontpackages-1.44-8.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=freetype-2.8-14.amzn2.1.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=gawk-4.0.2-4.amzn2.1.3.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&epoch=1&upstream=gdbm-1.13-6.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=glib2-2.56.1-9.amzn2.0.8.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=glibc-2.26-64.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=glibc-2.26-64.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=glibc-2.26-64.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=glibc-2.26-64.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&epoch=1&upstream=gmp-6.0.0-15.amzn2.0.3.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=gnupg2-2.0.22-5.amzn2.0.5.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/gpg-pubkey@b04f24e3-5de94a19?distro=amzn-2"
"pkg:rpm/amzn/gpg-pubkey@c87f5b1a-593863f8?distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=gpgme-1.3.2-5.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=grep-2.20-3.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=texinfo-5.1-5.amzn2.src.rpm&distro=amzn-2"
"pkg:pypi/[email protected]"
"pkg:rpm/amzn/[email protected]?arch=aarch64&epoch=1&upstream=java-17-amazon-corretto-devel-17.0.13.11-1.src.rpm&distro=amzn-2"
"pkg:maven/jrt-fs/jrt-fs@17.0.13"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=keyutils-1.5.8-3.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=krb5-1.15.1-55.amzn2.2.8.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=acl-2.2.51-14.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=libassuan-2.1.0-3.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=attr-2.4.46-12.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=util-linux-2.30.2-2.amzn2.0.11.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=libcap-2.54-1.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=e2fsprogs-1.42.9-19.amzn2.0.1.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=glibc-2.26-64.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=curl-8.3.0-1.amzn2.0.7.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=libdb-5.3.21-24.amzn2.0.5.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=libdb-5.3.21-24.amzn2.0.5.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=libffi-3.0.13-18.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=gcc-7.3.1-17.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=libgcrypt-1.5.3-14.amzn2.0.3.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=libgpg-error-1.12-3.amzn2.0.3.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=libidn2-2.3.0-1.amzn2.0.3.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=libmetalink-0.1.3-13.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=util-linux-2.30.2-2.amzn2.0.11.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=nghttp2-1.41.0-1.amzn2.0.5.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&epoch=2&upstream=libpng-1.5.13-8.amzn2.0.5.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=libpsl-0.21.5-1.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=libselinux-2.5-12.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=libsepol-2.5-10.amzn2.0.1.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=libssh2-1.4.3-12.amzn2.2.6.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/libstdc%2B%[email protected]?arch=aarch64&upstream=gcc-7.3.1-17.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=libtasn1-4.10-1.amzn2.0.6.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=libunistring-0.9.3-9.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=util-linux-2.30.2-2.amzn2.0.11.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=libverto-0.2.5-4.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=libxml2-2.9.1-6.amzn2.5.13.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=lua-5.1.4-15.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=ncurses-6.0-8.20170212.amzn2.1.8.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=noarch&upstream=ncurses-6.0-8.20170212.amzn2.1.8.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=ncurses-6.0-8.20170212.amzn2.1.8.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=nspr-4.35.0-1.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=nss-3.90.0-2.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=nss-pem-1.0.3-5.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=nss-softokn-3.90.0-6.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=nss-softokn-3.90.0-6.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=nss-3.90.0-2.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=nss-3.90.0-2.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=nss-util-3.90.0-1.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=openldap-2.4.44-25.amzn2.0.7.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&epoch=1&upstream=openssl-1.0.2k-24.amzn2.0.13.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=p11-kit-0.23.22-1.amzn2.0.1.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=p11-kit-0.23.22-1.amzn2.0.1.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=pcre-8.32-17.amzn2.0.3.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=pinentry-0.8.1-17.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=popt-1.13-16.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=pth-2.0.7-23.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=noarch&upstream=publicsuffix-list-20240208-1.amzn2.0.1.src.rpm&distro=amzn-2"
"pkg:pypi/[email protected]"
"pkg:pypi/[email protected]"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=pygpgme-0.3-9.amzn2.0.3.src.rpm&distro=amzn-2"
"pkg:pypi/[email protected]"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=pyliblzma-0.5.3-25.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=python-2.7.18-1.amzn2.0.8.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=noarch&upstream=python-iniparse-0.4-9.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=python-2.7.18-1.amzn2.0.8.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=python-pycurl-7.19.0-19.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=noarch&upstream=python-urlgrabber-3.10-9.amzn2.0.1.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=rpm-4.11.3-48.amzn2.0.4.src.rpm&distro=amzn-2"
"pkg:pypi/[email protected]"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=pyxattr-0.5.1-5.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=readline-6.2-10.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=rpm-4.11.3-48.amzn2.0.4.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=rpm-4.11.3-48.amzn2.0.4.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=rpm-4.11.3-48.amzn2.0.4.src.rpm&distro=amzn-2"
"pkg:pypi/[email protected]"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=sed-4.2.2-5.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=noarch&upstream=setup-2.8.71-10.amzn2.0.1.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=shared-mime-info-1.8-4.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=sqlite-3.7.17-8.amzn2.1.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&epoch=1&upstream=system-release-2-16.amzn2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=noarch&upstream=tzdata-2024a-1.amzn2.0.1.src.rpm&distro=amzn-2"
"pkg:pypi/[email protected]"
"pkg:rpm/amzn/[email protected]?arch=noarch&epoch=2&upstream=vim-9.0.2153-1.amzn2.0.1.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&epoch=2&upstream=vim-9.0.2153-1.amzn2.0.1.src.rpm&distro=amzn-2"
"pkg:pypi/[email protected]"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=xz-5.2.2-1.amzn2.0.3.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=noarch&upstream=yum-3.4.3-158.amzn2.0.7.src.rpm&distro=amzn-2"
"pkg:pypi/[email protected]"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=yum-metadata-parser-1.1.4-10.amzn2.0.2.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=noarch&upstream=yum-utils-1.1.31-46.amzn2.0.1.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=noarch&upstream=yum-utils-1.1.31-46.amzn2.0.1.src.rpm&distro=amzn-2"
"pkg:rpm/amzn/[email protected]?arch=aarch64&upstream=zlib-1.2.7-19.amzn2.0.3.src.rpm&distro=amzn-2"

SBOM attestation and verification using Kyverno policy

To sign attestations, install Cosign and generate a public-private key pair.

cosign generate-key-pair

This will generate the cosign.key and cosign.pub files in the current directory. Keep cosign.key private; the contents of cosign.pub are what goes into the policy's publicKeys field below.

To sign an attestation, use the cosign attest command. It wraps the predicate file in an in-toto statement, signs that statement with the private key, and pushes the signed attestation to the OCI registry alongside the image.

# ${IMAGE} is REPOSITORY/PATH/NAME:TAG
cosign attest --key cosign.key --predicate <file> --type <predicate type>  ${IMAGE} 

The following command creates the in-toto attestation for the syft-generated SBOM, signs it with cosign.key, and records it under the custom predicate type https://syft.org/BOM/v1 (the same type the policy below asks for, so the two must agree exactly):

cosign attest ghcr.io/nirmata/demo-java-sbom:ubuntujre7 --key cosign.key --predicate demo-java-sbom/sboms/ubuntujre7.json --type https://syft.org/BOM/v1

The policy below requires every image under ghcr.io/nirmata to carry an attestation of that predicate type signed by the matching public key, then inspects the package URLs in the attested SBOM and blocks the pod if any of them match oracle. Because the SBOM is read from the signed attestation rather than regenerated at admission time, the verdict cannot be changed without the private key; it is, however, only as good as the SBOM that was attested.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: attest-sbom
spec:
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  failurePolicy: Fail
  rules:
    - name: attest
      match:
        any:
        - resources:
            kinds:
              - Pod
      verifyImages:
      - imageReferences:
        - "ghcr.io/nirmata*"
        attestations:
          - type: https://syft.org/BOM/v1
            attestors:
            - entries:
              - keys:
                  publicKeys: |-
                    -----BEGIN PUBLIC KEY-----
                    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBgIImyAQSO4AI36uPF0FOj133HPJ
                    COAbRQly2B64JDYc+OLhJPhJM8H2BNU5LFAh64Bt79QWKyKaH1vNZRGxUw==
                    -----END PUBLIC KEY-----
            conditions:
              - all:
                - key: "{{ regex_match('^.*oracle.*$', '{{ artifacts[].purl }}') }}"
                  operator: Equals
                  value: false
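The policy's condition can be replayed offline before it is deployed, which also makes the vendor evidence from the jrt-fs manifest at the top of this page usable in the same check. The block below is an added example, not code from the demo-java-sbom repository or from Kyverno: it applies the policy's regex to every artifacts[].purl of a syft JSON SBOM, reads Implementation-Vendor from the jrt-fs manifest, and decides the way the policy does on an in-toto statement of the shape cosign attest produces. The two SBOMs are constructed for the example; their package names, versions, digests and manifest contents are illustrative and not copied from the real openjdk11 / correto17 images.

```python
"""Offline replica of the attest-sbom policy's purl check (added example).

Not code from the demo-java-sbom repository or from Kyverno. The SBOMs below are
constructed; only the predicate type and the regex are taken from the policy.
"""
import json
import re

PREDICATE_TYPE = "https://syft.org/BOM/v1"   # from the policy
FORBIDDEN_PURL = re.compile(r"^.*oracle.*$")  # the policy's regex; case-sensitive like regex_match

# Constructed: Debian image whose JDK binary landed in the oracle namespace and
# whose jrt-fs manifest carries no vendor key (the "older build" case).
SAMPLE_OPENJDK11 = json.loads("""{
  "artifacts": [
    {"name": "jrt-fs", "version": "11.0.24", "type": "java-archive",
     "purl": "pkg:maven/jrt-fs/jrt-fs@11.0.24",
     "metadata": {"manifest": {"main": [
       {"key": "Implementation-Title", "value": "Java Runtime Environment"}]}}},
    {"name": "openjdk", "version": "11.0.24", "type": "binary",
     "purl": "pkg:generic/oracle/openjdk@11.0.24"},
    {"name": "zlib1g", "version": "1:1.2.11.dfsg-2+deb11u1", "type": "deb",
     "purl": "pkg:deb/debian/zlib1g@1:1.2.11.dfsg-2%2Bdeb11u1?arch=arm64&distro=debian-11"}
  ]}""")

# Constructed: Amazon Linux image with Corretto 17; the vendor is in the manifest.
SAMPLE_CORRETTO17 = json.loads("""{
  "artifacts": [
    {"name": "jrt-fs", "version": "17.0.13", "type": "java-archive",
     "purl": "pkg:maven/jrt-fs/jrt-fs@17.0.13",
     "metadata": {"manifest": {"main": [
       {"key": "Implementation-Vendor", "value": "Amazon.com Inc."}]}}},
    {"name": "glibc", "version": "2.26-64.amzn2.0.2", "type": "rpm",
     "purl": "pkg:rpm/amzn/glibc@2.26-64.amzn2.0.2?arch=aarch64&distro=amzn-2"}
  ]}""")


def purls(sbom):
    """Every artifacts[].purl in a syft JSON SBOM, in document order."""
    return [a["purl"] for a in sbom.get("artifacts", []) if a.get("purl")]


def forbidden_purls(sbom, pattern=FORBIDDEN_PURL):
    """The purls the policy regex matches; a non-empty list means the pod is blocked."""
    return [p for p in purls(sbom) if pattern.match(p)]


def jrt_fs_vendor(sbom):
    """Implementation-Vendor from the jrt-fs.jar manifest, or None when the build
    does not record one."""
    for artifact in sbom.get("artifacts", []):
        if artifact.get("name") != "jrt-fs":
            continue
        main = artifact.get("metadata", {}).get("manifest", {}).get("main", [])
        return {e["key"]: e["value"] for e in main}.get("Implementation-Vendor")
    return None


def make_statement(sbom, image="ghcr.io/nirmata/demo-java-sbom:example"):
    """Shape of the in-toto Statement that cosign attest wraps around the predicate
    file. The subject digest here is a placeholder, not a real image digest."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": PREDICATE_TYPE,
        "subject": [{"name": image, "digest": {"sha256": "0" * 64}}],
        "predicate": sbom,
    }


def admit(statement):
    """Decide as the policy's conditions do, failing closed on anything unexpected.
    Returns (admitted, reason)."""
    if statement.get("predicateType") != PREDICATE_TYPE:
        return False, "wrong predicateType %r" % statement.get("predicateType")
    sbom = statement.get("predicate") or {}
    if not purls(sbom):
        # Stricter than the page's policy, which would admit an empty SBOM.
        return False, "attested SBOM lists no package URLs"
    hits = forbidden_purls(sbom)
    if hits:
        return False, "blocked: %d purl(s) match %s, e.g. %s" % (
            len(hits), FORBIDDEN_PURL.pattern, hits[0])
    return True, "no purl matches %s" % FORBIDDEN_PURL.pattern


if __name__ == "__main__":
    for label, sbom in (("openjdk11", SAMPLE_OPENJDK11), ("correto17", SAMPLE_CORRETTO17)):
        admitted, reason = admit(make_statement(sbom))
        print(f"{label}: vendor={jrt_fs_vendor(sbom)!r} admitted={admitted} ({reason})")
```

Two caveats the replay makes visible. The grep below uses -i, while Kyverno's regex_match is case-sensitive; that only works here because purl namespaces are lowercase, so a vendor that appears solely in a mixed-case manifest value (Implementation-Vendor) would not trip the purl regex, which is why the example reads the manifest as a second signal. And the policy as written admits an attested SBOM with no artifacts at all; the example fails closed on that instead. The same attestation can be checked outside the cluster with cosign verify-attestation --key cosign.pub --type https://syft.org/BOM/v1 ${IMAGE}.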

Check the package URLs of the two images locally. Only openjdk11 carries an entry under the oracle namespace; the correto17 grep prints nothing:

cat openjdk11.json | jq ".artifacts[].purl" | grep -i oracle
"pkg:generic/oracle/[email protected]"
cat correto17.json | jq ".artifacts[].purl" | grep -i oracle

To exercise the policy, apply it and try to run the two images. The openjdk11 image has Oracle in its package URLs, so the attestation check fails and the admission webhook rejects the pod:

kubectl run openjdk11-testpod --image=ghcr.io/nirmata/demo-java-sbom:openjdk11
Error from server: admission webhook "mutate.kyverno.svc-fail" denied the request:

resource Pod/default/openjdk11-testpod was blocked due to the following policies

attest-sbom:
  attest: '.attestations[0].attestors[0].entries[0].keys: attestation checks failed
    for ghcr.io/nirmata/demo-java-sbom:openjdk11 and predicate https://syft.org/BOM/v1: '

The correto17 image is admitted, since none of its package URLs contain Oracle:

kubectl run correto17-testpod --image=ghcr.io/nirmata/demo-java-sbom:correto17
pod/correto17-testpod created

Building

Build images:

make build

Push images:

make push

Generate SBOMs:

make sbom
