Merge pull request #19747 from dvdksn/remove-sbom

chore: fully remove the sbom page
David Karlsson 2024-04-08 11:14:15 +02:00 committed by GitHub
commit d7b61bf28f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 3 additions and 98 deletions

@ -1762,7 +1762,7 @@ For frequently asked questions about Docker Desktop releases, see [FAQs](faqs/re
### New
- IT Administrators can now install Docker Desktop remotely using the command line.
- Add the Docker Software Bill of Materials (SBOM) CLI plugin. The new CLI plugin enables users to generate SBOMs for Docker images. For more information, see [Docker SBOM](../engine/sbom/index.md).
- Add the Docker Software Bill of Materials (SBOM) CLI plugin. The new CLI plugin enables users to generate SBOMs for Docker images.
- Use [cri-dockerd](https://github.com/Mirantis/cri-dockerd) for new Kubernetes clusters instead of `dockershim`. The change is transparent from the user's point of view and Kubernetes containers run on the Docker Engine as before. `cri-dockerd` allows Kubernetes to manage Docker containers using the standard [Container Runtime Interface](https://github.com/kubernetes/cri-api#readme), the same interface used to control other container runtimes. For more information, see [The Future of Dockershim is cri-dockerd](https://www.mirantis.com/blog/the-future-of-dockershim-is-cri-dockerd/).
### Updates
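Review bot: The rewritten SBOM bullet under "### New" now announces the CLI plugin without pointing to any documentation. Since the old link target is being deleted, consider linking to the plugin's repository instead, for example `[docker/sbom-cli-plugin](https://github.com/docker/sbom-cli-plugin)`, which is the link the removed page itself gave for feedback, so readers of the release notes can still find usage information.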

@ -1,97 +0,0 @@
---
title: Generate the SBOM for Docker images
description: Viewing the Software Bill of Materials (SBOM) for Docker images
keywords: Docker, sbom, Anchore, images, Syft, security
toc_min: 1
toc_max: 2
---
A Software Bill Of Materials (SBOM) is analogous to a packing list for a shipment. It lists all the components that make up the software, or were used to build it. For container images, this includes the operating system packages that are installed (for example, ca-certificates) along with language-specific packages that the software depends on (for example, Log4j). The SBOM could include a subset of this information or even more details, like the versions of components and their source.
> **Warning**
>
> The `docker sbom` command is currently experimental. This may change or be removed from future releases.
{ .warning }
The experimental `docker sbom` command allows you to generate the SBOM of a container image. Today, it does this by scanning the layers of the image using the [Syft project](https://github.com/anchore/syft) but in future it may read the SBOM from the image itself or elsewhere.
## Simple use
To output a tabulated SBOM for an image, use `docker sbom <image>:<tag>`:
```console
$ docker sbom neo4j:4.4.5
Syft v0.43.0
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [385 packages]
NAME VERSION TYPE
...
bsdutils 1:2.36.1-8+deb11u1 deb
ca-certificates 20210119 deb
...
log4j-api 2.17.1 java-archive
log4j-core 2.17.1 java-archive
...
```
The output includes both system packages and software libraries used by applications in the container image.
## Output formatting and saving outputs
You can view the SBOM output in standard formats like [SPDX](https://spdx.dev) and [CycloneDX](https://cyclonedx.org) along with the Syft and GitHub formats using the `--format` option.
```console
$ docker sbom --format spdx-json alpine:3.15
{
"SPDXID": "SPDXRef-DOCUMENT",
"name": "alpine-3.15",
"spdxVersion": "SPDX-2.2",
"creationInfo": {
"created": "2022-04-06T21:13:32.035571Z",
"creators": [
"Organization: Anchore, Inc",
"Tool: syft-[not provided]"
],
"licenseListVersion": "3.16"
},
"dataLicense": "CC0-1.0",
"documentNamespace": "https://anchore.com/syft/image/alpine-3.15-4b1b99d8-bbb5-4426-af8e-c510189134ab",
"packages": [
{
"SPDXID": "SPDXRef-1e3f3285636676f3",
"name": "alpine-baselayout",
"licenseConcluded": "GPL-2.0-only",
"description": "Alpine base dir structure and init scripts",
"downloadLocation": "https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout",
"externalRefs": [
{
...
}
```
These outputs are more verbose and contain more information than the default tabulated output.
By default, the command outputs the SBOM to stdout. You can save the output to a file by specifying one with the `--output` flag.
```console
$ docker sbom --format spdx-json --output sbom.json alpine:3.15
Syft v0.43.0
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [14 packages]
$ cat sbom.json
{
"SPDXID": "SPDXRef-DOCUMENT",
"name": "alpine-3.15",
"spdxVersion": "SPDX-2.2",
...
}
```
## Feedback
Thanks for trying the Docker SBOM CLI plugin. Wed love to hear from you. You can provide feedback and report any bugs through the Issues tracker in the
[docker/sbom-cli-plugin](https://github.com/docker/sbom-cli-plugin) GitHub repository.
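Review bot: Deleting the whole page also drops the only statement that `docker sbom` is experimental and "may change or be removed from future releases", along with the `--format` and `--output` examples, while the release notes touched in this same commit still advertise the plugin. The commit message ("fully remove the sbom page") gives no reason for the removal. Please state in the PR description whether the command is deprecated or where its documentation now lives, and carry the experimental warning over to whatever page users are redirected to.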

@ -2,6 +2,8 @@
title: Docker Scout SBOMs
description: Use Docker Scout to extract the SBOM for your project.
keywords: scout, supply chain, sbom, software bill of material, spdx
aliases:
- /engine/sbom/
---
[Image analysis](./image-analysis.md) uses image SBOMs to understand what packages and versions an image contains.
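Review bot: The new `aliases:` entry sends `/engine/sbom/` to a page described as "Use Docker Scout to extract the SBOM for your project", so a reader following an old link for the `docker sbom` command lands on documentation for a different tool with no explanation. Consider adding a short sentence near the top of this page saying that the `docker sbom` page was removed and how Docker Scout SBOMs relate to it.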