| 1 | +--- |
| 2 | +layout: ni-docs |
| 3 | +toc_group: how-to-guides |
| 4 | +link_title: Embed an SBOM in a Native Executable to Identify Its Dependencies |
| 5 | +permalink: /reference-manual/native-image/guides/use-sbom-support/ |
| 6 | +--- |
| 7 | + |
| 8 | +# Embed an SBOM in a Native Executable to Identify Its Dependencies |
| 9 | + |
| 10 | +Native Image can embed a Software Bill of Materials (SBOM). |
| 11 | +An SBOM is an inventory of all the components, libraries, and modules that make up your application. |
| 12 | +It provides detailed information about all open-source and proprietary libraries used by the application and their versions. |
| 13 | +Use the `--enable-sbom` option to incorporate an SBOM into a native executable. |
| 14 | +It supports the CycloneDX format by default. |
| 15 | +(Not available in GraalVM Community Edition.) |
| 16 | + |
| 17 | +### Prerequisites |
| 18 | + |
| 19 | +* Make sure you have installed Oracle GraalVM. |
| 20 | +The easiest way to get started is with [SDKMAN!](https://sdkman.io/jdks#graal). |
| 21 | +For other installation options, visit the [Downloads section](https://www.graalvm.org/downloads/). |
| 22 | +* [Syft](https://github.com/anchore/syft) |
| 23 | + |
| 24 | +## Generate an SBOM at Build Time |
| 25 | + |
| 26 | +For the demo application, you will use the `jwebserver` tool, and package it as a native executable with an embedded SBOM. |
| 27 | + |
| 28 | +> `jwebserver` is a minimal HTTP server for serving static files from a single directory hierarchy, included in the JDK. It was [added in Java 18](https://blogs.oracle.com/javamagazine/post/java-18-simple-web-server). |
| 29 | +
|
| 30 | +1. Save the following code to a file named _index.html_, so the web server has content to serve: |
| 31 | + ```html |
| 32 | + <!DOCTYPE html> |
| 33 | + <html> |
| 34 | + <head> |
| 35 | + <title>jwebserver</title> |
| 36 | + </head> |
| 37 | + <body> |
| 38 | + <h2>Hello, GraalVM user!<p> |
| 39 | + </body> |
| 40 | + </html> |
| 41 | + ``` |
| 42 | + |
| 43 | +2. From the directory where you saved _index.html_, run the following command to create a native executable and embed an SBOM: |
| 44 | + ```bash |
| 45 | + native-image --enable-sbom=cyclonedx -m jdk.httpserver -o jwebserver |
| 46 | + ``` |
| 47 | + Native Image compiles `jwebserver` from the `jdk.httpserver` module, provided with the JDK, by passing the `-m` option. |
| 48 | + It produces a native executable containing a GZIP format compressed SBOM. |
| 49 | + |
| 50 | +3. (Optional) Run the compiled `jwebserver` executable and go to _localhost:8000_ in a browser: |
| 51 | + ```bash |
| 52 | + ./jwebserver |
| 53 | + ``` |
| 54 | + |
| 55 | +## Extract the Embedded SBOM |
| 56 | + |
| 57 | +There are two possible ways to extract the compressed SBOM contents into a human-readable format: |
| 58 | +- using [Syft](https://github.com/anchore/syft) |
| 59 | +- using the [Native Image Inspect tool](../InspectTool.md) |
| 60 | + |
| 61 | +### Syft |
| 62 | + |
| 63 | +Syft, `syft`, is an open source tool maintained by [Anchore](https://anchore.com/). |
| 64 | +Syft can extract an embedded SBOM which it can present in both a native Syft format or CycloneDX. |
| 65 | +Thanks to a contribution from the GraalVM team, `syft` can now extract an SBOM given within a native executable, built for Linux, macOS, or Windows. |
| 66 | + |
| 67 | +Run `syft` on the native executable to read its SBOM contents: |
| 68 | +```bash |
| 69 | +syft jwebserver |
| 70 | +``` |
| 71 | +It lists all of the Java libraries included in it. |
| 72 | + |
| 73 | +### Native Image Inspect Tool |
| 74 | + |
| 75 | +GraalVM Native Image provides the [Inspect Tool](../InspectTool.md) to retrieve an SBOM embedded in a native executable. |
| 76 | +The Inspect Tool is a viable alternative if you prefer not to install `syft`. |
| 77 | + |
| 78 | +Run the following command to read the SBOM contents using the Inspect Tool: |
| 79 | +```bash |
| 80 | +native-image-inspect --sbom jwebserver |
| 81 | +``` |
| 82 | + |
| 83 | +To take it further, you can submit the SBOM to any available vulnerability scanner, and check if the recorded libraries have known security vulnerabilities. |
| 84 | +Vulnerability scanners cross-reference the components listed in an SBOM with CVEs in vulnerability databases. |
| 85 | + |
| 86 | +This guide demonstrated how you can get insights on your application supply chain to help assess risks associated with the third-party dependencies. |
| 87 | +Native Image can embed an SBOM into a native executable or shared library at build time. |
| 88 | + |
| 89 | +### Related Documentation |
| 90 | + |
| 91 | +* [Security Considerations in Native Image](../../../security/security-guide.md) |
| 92 | +* [Using GraalVM Native Image SBOM Support for Vulnerability Scanning](https://medium.com/graalvm/using-graalvm-native-image-sbom-support-for-vulnerability-scanning-4211c747376) |