
Software Bill of Materials (SBOM) for Netdata Cloud On-Prem

What is an SBOM?

A Software Bill of Materials (SBOM) is an ingredient list for your software: a machine-readable inventory of the components, libraries, and dependencies that make up your Netdata Cloud On-Prem installation, with the version and license of each one. Because every component is identified precisely, an SBOM can be matched against vulnerability databases to find known security issues in what you are running.

Why SBOMs Matter for Your Security

SBOMs help you maintain a secure and compliant infrastructure:

| Benefit | How It Helps You |
|---|---|
| Security Management | When a new vulnerability is disclosed in a software component, you can quickly check whether your installation includes the affected version and take action immediately |
| Compliance Requirements | Many regulatory frameworks now require SBOMs to ensure supply chain security and transparency in your software stack |
| License Compliance | Know exactly which software licenses apply to your installation, helping you avoid conflicts and ensure legal compliance |
| Supply Chain Visibility | Get a complete picture of your software dependencies, allowing you to identify and manage risks from third-party components |
| Reproducible Deployments | Ensure consistent installations by knowing exactly which components and versions are included |

How Netdata Provides SBOMs

Netdata Cloud On-Prem ships digitally signed SBOMs for all of its container images. Each SBOM is generated with Trivy (an open-source security scanner), formatted as CycloneDX JSON for machine processing, signed with the same mechanism used for the container images, and stored in Amazon ECR as an artifact attached to the image it describes.

Attaching the SBOM to the image lets you locate it starting from the exact image you are running, and the signature lets you confirm that the SBOM has not been altered since Netdata produced it.

Verify and Access Your SBOM

What You'll Need

Before starting, install the required tools and configure AWS credentials with read access to the ECR repository. notation also needs a trust policy and trust store configured (and its signing plugin installed), as described in the Container Image Signature Verification guide; without them, Step 3 fails even for a correctly signed SBOM.

  • oras - For downloading artifacts from registries
  • jq - For processing JSON data
  • notation - For signature verification
Step 1: Identify your container image and store its URI in a shell variable:
image_uri="362923047827.dkr.ecr.us-east-1.amazonaws.com/onprem-cloud-metrics-exporter:1.0.4"
important
Replace this with the URI of the image you are actually running. The SBOM is specific to one image tag, so verifying a different tag tells you nothing about your deployment.

Step 2: Find the SBOM attached to the image. oras discover lists the artifacts that reference the image; filter on the SBOM artifact type to get the SBOM's own reference:
sbom_image=$(oras discover --format json "$image_uri" --artifact-type "application/vnd.example.sbom.v1+json" | jq -r '.manifests[].reference')
note
This must yield exactly one reference. An empty result means no SBOM is attached to that image; more than one line means several SBOM artifacts are attached and you must choose the right one before continuing, because the following steps expect a single reference.

Step 3: Verify the digital signature before downloading or reading the SBOM:
notation verify "$sbom_image" --plugin-config aws-region=us-east-1
important

Success means the signature is valid under your trust policy and the SBOM content has not been modified. Any error, whether a failed signature check, an untrusted signer, or a missing trust policy or plugin, means the SBOM must not be trusted; do not continue to Step 4 until you have found and fixed the cause.


Step 4: Download the SBOM

Pull the verified SBOM to your local machine:

oras pull "$sbom_image"
note

This downloads the SBOM as sbom.cdx.json in your current directory.


Step 5: Review Your Software Components

Examine the component list: each entry in the components array of the CycloneDX document records the name, version, and licenses of one package in your Netdata installation.

cat sbom.cdx.json
tip

Security Best Practice: Re-verify and review your SBOMs every time you upgrade Netdata Cloud On-Prem (each image version has its own SBOM) and whenever a new security vulnerability is announced.
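The five steps above as one fail-closed script, followed by the "am I affected?" lookup that the Security Management row of the table describes. This is an added example, not Netdata's own tooling: it shells out to the same oras and notation commands as Steps 2 to 4, but refuses to proceed unless exactly one SBOM referrer is found and notation succeeds, and it walks the CycloneDX component tree (including nested components) to answer whether a named package version is present. It assumes the artifact type and us-east-1 region from the page, the sbom.cdx.json file name the page states, and a constructed sample SBOM and discover response for offline use; the registry name and package data in the samples are made up.

```python
"""Fail-closed SBOM retrieval and review for a Netdata Cloud On-Prem image.

Added example, not Netdata's tooling. Runs the page's oras/notation commands
in order and refuses to pull anything that did not verify. The review helpers
work on any CycloneDX 1.x JSON document.
"""
import json
import subprocess
from typing import Dict, Iterator, List, Optional

SBOM_ARTIFACT_TYPE = "application/vnd.example.sbom.v1+json"  # from the page
AWS_REGION = "us-east-1"  # assumption: region used in the page's example


def run(cmd: List[str]) -> str:
    """Run a CLI command; a non-zero exit raises CalledProcessError."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def select_sbom_reference(discover_json: str) -> str:
    """Pick the single SBOM referrer from `oras discover --format json` output.

    Fails closed: no referrer means no SBOM is attached to this image; more
    than one is ambiguous and needs a human decision rather than a guess.
    """
    refs = [m["reference"] for m in json.loads(discover_json).get("manifests", [])]
    if len(refs) != 1:
        raise RuntimeError(f"expected exactly one SBOM referrer, found {len(refs)}: {refs}")
    return refs[0]


def fetch_verified_sbom(image_uri: str, dest_dir: str = ".") -> str:
    """Steps 2-4 in order: discover, verify, then pull. Returns the SBOM reference."""
    discover_out = run(["oras", "discover", "--format", "json",
                        "--artifact-type", SBOM_ARTIFACT_TYPE, image_uri])
    sbom_ref = select_sbom_reference(discover_out)
    # notation exits non-zero on any verification failure (bad signature,
    # untrusted signer, missing trust policy); check=True turns that into an
    # exception, so the pull below never runs for an unverified SBOM.
    run(["notation", "verify", sbom_ref, "--plugin-config", f"aws-region={AWS_REGION}"])
    run(["oras", "pull", "--output", dest_dir, sbom_ref])
    return sbom_ref


def iter_components(sbom: Dict) -> Iterator[Dict]:
    """Yield every component, including components nested inside others."""
    stack = list(sbom.get("components", []))
    while stack:
        comp = stack.pop()
        yield comp
        stack.extend(comp.get("components", []))


def licenses_of(comp: Dict) -> List[str]:
    """Flatten CycloneDX license entries (SPDX id, plain name, or expression)."""
    out = []
    for entry in comp.get("licenses", []):
        if "license" in entry:
            lic = entry["license"]
            out.append(lic.get("id") or lic.get("name") or "unknown")
        elif "expression" in entry:
            out.append(entry["expression"])
    return out


def find_component(sbom: Dict, name: str, version: Optional[str] = None) -> List[Dict]:
    """Components matching an advisory's package name (and version, if given).

    An empty list means the installation does not ship that package version.
    """
    return [c for c in iter_components(sbom)
            if c.get("name") == name and (version is None or c.get("version") == version)]


# Constructed sample data for offline use; not a real Netdata SBOM or registry.
SAMPLE_DISCOVER = json.dumps({"manifests": [
    {"reference": "registry.example/app@sha256:" + "ab" * 32,
     "artifactType": SBOM_ARTIFACT_TYPE}]})
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "golang.org/x/net", "version": "v0.23.0",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "licenses": [{"license": {"id": "Zlib"}}]},
        {"type": "application", "name": "bundled-tool", "version": "2.0.0",
         "licenses": [{"expression": "Apache-2.0 OR MIT"}],
         "components": [{"type": "library", "name": "zlib", "version": "1.2.11"}]},
    ],
}

if __name__ == "__main__":
    import sys
    # Usage: python sbom_check.py <image_uri> <package-name> [version]
    image, pkg = sys.argv[1], sys.argv[2]
    fetch_verified_sbom(image)
    with open("sbom.cdx.json") as f:  # file name as stated on the page
        hits = find_component(json.load(f), pkg, sys.argv[3] if len(sys.argv) > 3 else None)
    for c in hits:
        print(c["name"], c.get("version"), ", ".join(licenses_of(c)) or "no license recorded")
    if not hits:
        print(f"{pkg} not present in this image's SBOM")
```

Note that the nested zlib 1.2.11 in the sample would be missed by a flat `jq '.components[]'` query; walking nested components is what makes the "not present" answer trustworthy. When an advisory gives a fixed version rather than an exact affected version, compare the versions returned by find_component against it with a version-aware library for that ecosystem rather than string comparison.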

Next Steps

After downloading your SBOM, you can:

  • Import it into security tools for vulnerability scanning
  • Share it with compliance teams for regulatory requirements
  • Monitor for new vulnerabilities in the listed components
  • Archive it for audit and compliance purposes
note

For container image signature verification details, see our Container Image Signature Verification guide.

