The BlueSpice Software Bill of Materials (SBOM) is upated for every release. It is formatted according to the SPDX specification and serialized as a JSON file.
Accessing the SBOM
There are several steps to access and scan the SBOM. The necessary commands expect the following parameters:
| Parameter | Possible values |
|---|---|
| edition | pro, farm, free |
| version | e.g. 5.1, 5.4.3 |
| service | Services differ depending on edition and version. Common services are:
wiki-task, proxy, cache, pdf, search, formula, diagram,... |
First, pull the application image for the desired edition and version:
docker pull docker.bluespice.com/bluespice/$edition/wiki:$version
Then, inspect the attachments with ORAS (oras requires login data):
oras discover docker.bluespice.com/bluespice/$edition/wiki:$version
Do the same for service images:
Pull the image:
docker pull docker.bluespice.com/bluespice/$service:$version
Inspect the attachments:
oras discover docker.bluespice.com/bluespice/$service:$version
Download the attachments (provide the actual sha-string):
oras pull docker.bluespice.com/bluespice/$edition/wiki@sha265'shaofattachements'
or for services:
oras pull docker.bluespice.com/bluespice/$service@sha265'shaofattachements'
The SBOM file is located in your current folder as sbom.json.
You can now scan your SBOM files. Below is a scanning example for Trivy:
docker run --rm \ -v "$PWD:/work:ro" \ aquasec/trivy:0.72.0 \ sbom \ --severity CRITICAL \ --ignore-unfixed \ --exit-code 1 \ /work/sbom.json