A Software Bill-of-Materials (BOM) provides information necessary to know what’s inside your container and how it was constructed.
Cloud Native Buildpacks provide two forms of Bill-of-Materials.
BOM information about the dependencies they have provided.Use the following tutorial to add a Bill-of-Materials using buildpacks.
Adding bill of materials
You can use this command to inspect your app for it’s Bill-of-Materials.
pack inspect-image your-image-name --bom
It can also be accessed by looking at the label io.buildpacks.build.metadata. For example, running Docker CLI, jq and using the following command.
docker inspect your-image-name | jq -r '.[0].Config.Labels["io.buildpacks.build.metadata"] | fromjson'
Following is the the information listed in io.buildpacks.build.metadata for Sample Java App obtained by building the app using buildpacks and running the above command.
For this output:
bom is the buildpack populated bom.buildpacks is the list of buildpacks.{
"bom": [
{
"name": "java",
"metadata": {
"version": "11.0.12+7"
},
"buildpack": {
"id": "google.java.runtime",
"version": "0.9.1"
}
}
],
"buildpacks": [
{
"id": "google.java.runtime",
"version": "0.9.1"
},
{
"id": "google.java.maven",
"version": "0.9.0"
},
{
"id": "google.java.entrypoint",
"version": "0.9.0"
},
{
"id": "google.utils.label",
"version": "0.0.1"
}
],
"launcher": {
"version": "0.11.1",
"source": {
"git": {
"repository": "github.com/buildpacks/lifecycle",
"commit": "75df86c"
}
}
},
"processes": [
{
"type": "web",
"command": "java",
"args": ["-jar", "/workspace/target/sample-0.0.1-SNAPSHOT.jar"],
"direct": true,
"buildpackID": "google.java.entrypoint"
}
],
"buildpack-default-process-type": "web"
}