After the recent supply chain attacks, and with ever-increasing security automation, software inventory management in particular is becoming more and more important.

Governments and other regulated industries now require that a so-called Software Bill Of Materials (SBOM) be published for software products.

Various SBOM formats have appeared in the market.

SUSE has started to publish SBOMs in the two formats most prominently used by operating system vendors, SPDX 2.0 and CycloneDX.

SPDX 2.0 has even been standardized as ISO/IEC 5962:2021.

SUSE SBOM Deliveries

1. For SUSE Linux Enterprise product media

For our product media (ISO images), the SBOM materials are available on our download website in both SPDX 2.0 and CycloneDX formats.

The granularity of this data is at RPM level.

2. For container images

The SBOM data is delivered in the sigstore attestation blob in SPDX 2.0 format.

Manual retrieval is possible, but because of multi-arch container manifests it is a two-step operation.

Example, using the external "crane" tool to resolve the x86_64 part of the container manifest, the "cosign" tool to retrieve and verify the attestation, and the "jq" tool to extract the SPDX 2.0 SBOM data:

- crane digest --platform linux/amd64 <image>   (<image> is a placeholder for the container image reference)

Example result: sha256:c8aeb5a7662c38716d303fb854c5baa2329afccb4637c0f3c7c44b971181fdbb

Then feed the resulting digest into this command line:

- cosign verify-attestation --type spdxjson --key /usr/share/pki/containers/suse-container-key.pem <image>@<digest> | jq '.payload | @base64d | fromjson | .predicate'   (<image>@<digest> is a placeholder for the image reference pinned to the digest obtained above)
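The jq step above only unwraps the envelope; a consumer should also check that the statement is really an SPDX document and that its subject is the digest resolved with crane. The following is an added example (not SUSE's code) that performs the same extraction in Python on a constructed sample of the DSSE envelope that cosign prints; the image digest, package list and the "https://spdx.dev/Document" predicate type used here are assumptions for the example.

```python
import base64
import json

# Constructed sample of what `cosign verify-attestation` prints: a DSSE envelope
# whose base64 payload is an in-toto statement carrying an SPDX predicate.
# Digest and packages are made up for this example.
IMAGE_DIGEST = "sha256:" + "ab" * 32
_statement = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://spdx.dev/Document",
    "subject": [{"name": "registry.example/base",
                 "digest": {"sha256": IMAGE_DIGEST.split(":")[1]}}],
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "name": "example-image",
        "packages": [
            {"SPDXID": "SPDXRef-pkg-glibc", "name": "glibc", "versionInfo": "2.38-1.1"},
            {"SPDXID": "SPDXRef-pkg-openssl", "name": "openssl-3", "versionInfo": "3.1.4-1.1"},
        ],
    },
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_statement).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "<signature bytes omitted in this sample>"}],
})


def extract_sbom(envelope_json: str, expected_digest: str) -> dict:
    """Same work as the jq filter `.payload | @base64d | fromjson | .predicate`,
    plus two checks: the predicate is an SPDX document, and the statement's
    subject is the image digest resolved with crane, not some other image."""
    envelope = json.loads(envelope_json)
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != "https://spdx.dev/Document":
        raise ValueError("not an SPDX attestation: %s" % statement.get("predicateType"))
    algo, _, value = expected_digest.partition(":")
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get(algo) == value for s in subjects):
        raise ValueError("attestation subject does not match %s" % expected_digest)
    return statement["predicate"]


def rpm_inventory(sbom: dict) -> list:
    """Flatten the SPDX package list to (name, version) pairs, which is the
    RPM-level granularity at which SUSE delivers its SBOM data."""
    return sorted((p["name"], p.get("versionInfo", "")) for p in sbom.get("packages", []))
```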