SbomReport
An instance of the SbomReport represents the latest sbom (software bill of metarials) found in a container image of a given
Kubernetes workload. It consists of a list of OS package and application bil of metarial with a summary of
components and dependencies. For a multi-container workload trivy-operator creates multiple instances
of SbomReports in the workload's namespace with the owner reference set to that workload.
Each report follows the naming convention <workload kind>-<workload name>-<container-name>
.
The following listing shows a sample SbomReport associated with the Pod named kube-apiserver-kind-control-plane
in the
kube-system
namespace that has the kube-apiserver
container.
apiVersion: aquasecurity.github.io/v1alpha1
kind: SbomReport
metadata:
creationTimestamp: "2023-07-10T09:37:21Z"
generation: 1
labels:
resource-spec-hash: 796669cd5d
trivy-operator.container.name: kube-apiserver
trivy-operator.resource.kind: Pod
trivy-operator.resource.name: kube-apiserver-kind-control-plane
trivy-operator.resource.namespace: kube-system
name: pod-kube-apiserver-kind-control-plane-kube-apiserver
namespace: kube-system
ownerReferences:
- apiVersion: v1
blockOwnerDeletion: false
controller: true
kind: Pod
name: kube-apiserver-kind-control-plane
uid: 732b4aa7-91f8-40a3-8b21-9627a98a910b
resourceVersion: "6148"
uid: 2a5000fe-b97e-46d0-9de7-62fb5fbc6555
report:
artifact:
repository: kube-apiserver
tag: v1.21.1
components:
bomFormat: CycloneDX
components:
- bom-ref: 9464f5f9-750d-4ea0-8705-c8d067b25b29
name: debian
properties:
- name: aquasecurity:trivy:Class
value: os-pkgs
- name: aquasecurity:trivy:Type
value: debian
supplier: {}
type: operating-system
version: "10.9"
- bom-ref: pkg:deb/debian/base-files@10.3+deb10u9?arch=amd64&distro=debian-10.9
licenses:
- expression: GPL-3.0
license: {}
name: base-files
properties:
- name: aquasecurity:trivy:LayerDiffID
value: sha256:417cb9b79adeec55f58b890dc9831e252e3523d8de5fd28b4ee2abb151b7dc8b
- name: aquasecurity:trivy:LayerDigest
value: sha256:5dea5ec2316d4a067b946b15c3c4f140b4f2ad607e73e9bc41b673ee5ebb99a3
- name: aquasecurity:trivy:PkgID
value: base-files@10.3+deb10u9
- name: aquasecurity:trivy:PkgType
value: debian
- name: aquasecurity:trivy:SrcName
value: base-files
- name: aquasecurity:trivy:SrcVersion
value: 10.3+deb10u9
purl: pkg:deb/debian/base-files@10.3+deb10u9?arch=amd64&distro=debian-10.9
supplier:
name: Santiago Vila <sanvila@debian.org>
type: library
version: 10.3+deb10u9
- bom-ref: pkg:deb/debian/netbase@5.6?arch=all&distro=debian-10.9
licenses:
- expression: GPL-2.0
license: {}
name: netbase
properties:
- name: aquasecurity:trivy:LayerDiffID
value: sha256:417cb9b79adeec55f58b890dc9831e252e3523d8de5fd28b4ee2abb151b7dc8b
- name: aquasecurity:trivy:LayerDigest
value: sha256:5dea5ec2316d4a067b946b15c3c4f140b4f2ad607e73e9bc41b673ee5ebb99a3
- name: aquasecurity:trivy:PkgID
value: netbase@5.6
- name: aquasecurity:trivy:PkgType
value: debian
- name: aquasecurity:trivy:SrcName
value: netbase
- name: aquasecurity:trivy:SrcVersion
value: "5.6"
purl: pkg:deb/debian/netbase@5.6?arch=all&distro=debian-10.9
supplier:
name: Marco d'Itri <md@linux.it>
type: library
version: "5.6"
- bom-ref: pkg:deb/debian/tzdata@2021a-0+deb10u1?arch=all&distro=debian-10.9
name: tzdata
properties:
- name: aquasecurity:trivy:LayerDiffID
value: sha256:417cb9b79adeec55f58b890dc9831e252e3523d8de5fd28b4ee2abb151b7dc8b
- name: aquasecurity:trivy:LayerDigest
value: sha256:5dea5ec2316d4a067b946b15c3c4f140b4f2ad607e73e9bc41b673ee5ebb99a3
- name: aquasecurity:trivy:PkgID
value: tzdata@2021a-0+deb10u1
- name: aquasecurity:trivy:PkgType
value: debian
- name: aquasecurity:trivy:SrcName
value: tzdata
- name: aquasecurity:trivy:SrcRelease
value: 0+deb10u1
- name: aquasecurity:trivy:SrcVersion
value: 2021a
purl: pkg:deb/debian/tzdata@2021a-0+deb10u1?arch=all&distro=debian-10.9
supplier:
name: GNU Libc Maintainers <debian-glibc@lists.debian.org>
type: library
version: 2021a-0+deb10u1
dependencies:
- dependsOn:
- pkg:deb/debian/base-files@10.3+deb10u9?arch=amd64&distro=debian-10.9
- pkg:deb/debian/netbase@5.6?arch=all&distro=debian-10.9
- pkg:deb/debian/tzdata@2021a-0+deb10u1?arch=all&distro=debian-10.9
ref: 9464f5f9-750d-4ea0-8705-c8d067b25b29
- dependsOn: []
ref: pkg:deb/debian/base-files@10.3+deb10u9?arch=amd64&distro=debian-10.9
- dependsOn: []
ref: pkg:deb/debian/netbase@5.6?arch=all&distro=debian-10.9
- dependsOn: []
ref: pkg:deb/debian/tzdata@2021a-0+deb10u1?arch=all&distro=debian-10.9
- dependsOn:
- 9464f5f9-750d-4ea0-8705-c8d067b25b29
ref: pkg:oci/kube-apiserver@sha256:53a13cd1588391888c5a8ac4cef13d3ee6d229cd904038936731af7131d193a9?repository_url=k8s.gcr.io%2Fkube-apiserver&arch=amd64
metadata:
component:
bom-ref: pkg:oci/kube-apiserver@sha256:53a13cd1588391888c5a8ac4cef13d3ee6d229cd904038936731af7131d193a9?repository_url=k8s.gcr.io%2Fkube-apiserver&arch=amd64
name: k8s.gcr.io/kube-apiserver:v1.21.1
properties:
- name: aquasecurity:trivy:DiffID
value: sha256:417cb9b79adeec55f58b890dc9831e252e3523d8de5fd28b4ee2abb151b7dc8b,sha256:b50131762317bbe47def2d426d5c78a353a08b966d36bed4a04aee99dde4e12b,sha256:1e6ed7621dee7e03dd779486ed469a65af6fb13071d13bd3a89c079683e3b1f0
- name: aquasecurity:trivy:ImageID
value: sha256:771ffcf9ca634e37cbd3202fd86bd7e2df48ecba4067d1992541bfa00e88a9bb
- name: aquasecurity:trivy:RepoDigest
value: k8s.gcr.io/kube-apiserver@sha256:53a13cd1588391888c5a8ac4cef13d3ee6d229cd904038936731af7131d193a9
- name: aquasecurity:trivy:RepoTag
value: k8s.gcr.io/kube-apiserver:v1.21.1
- name: aquasecurity:trivy:SchemaVersion
value: "2"
purl: pkg:oci/kube-apiserver@sha256:53a13cd1588391888c5a8ac4cef13d3ee6d229cd904038936731af7131d193a9?repository_url=k8s.gcr.io%2Fkube-apiserver&arch=amd64
supplier: {}
type: container
timestamp: "2023-07-10T09:37:21+00:00"
tools:
- name: trivy
vendor: aquasecurity
serialNumber: urn:uuid:50dbce86-28c5-4caf-9d08-a4aadf23233e
specVersion: 1.4
version: 1
registry:
server: k8s.gcr.io
scanner:
name: Trivy
vendor: Aqua Security
version: 0.45.0
summary:
componentsCount: 5
dependenciesCount: 5
updateTimestamp: "2023-07-10T09:37:21Z"