本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
SBOMs 使用亚马逊 Inspector 导出
软件物料清单(SBOM)是您代码库中所有开源和第三方软件组件的嵌套清单。Amazon Inspect SBOMs or 为您的环境提供单个资源。你可以使用 Amazon Inspector 控制台或 Amazon Inspector API SBOMs 为你的资源生成。您可以导出 SBOMs Amazon Inspector 支持和监控的所有资源。已导出 SBOMs 提供有关您的软件供应的信息。您可以通过评估 Amazon 环境覆盖范围来查看资源状态。本节介绍如何配置和导出 SBOMs。
注意
目前,Amazon Inspector 不 SBOMs 支持导出 Windows 亚马逊 EC2 实例。
Amazon Inspector
Amazon Inspector 支持 SBOMs 以 CycloneDX 1.4 和 SPD X 2.3 兼容格式导出。Amazon Inspector SBOMs 作为JSON文件导出到您选择的 Amazon S3 存储桶。
注意
从 Amazon Inspector 导出的 SPDX 格式与使用 SPDX 2.3 的系统兼容,但它们不包含无权利保留协议 (CC0) 字段。这是因为包含此字段将允许用户重新分发或编辑材料。
{ "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "metadata": { "timestamp": "2023-06-02T01:17:46Z", "component": null, "properties": [ { "name": "imageId", "value": "sha256:c8ee97f7052776ef223080741f61fcdf6a3a9107810ea9649f904aa4269fdac6" }, { "name": "architecture", "value": "arm64" }, { "name": "accountId", "value": "111122223333" }, { "name": "resourceType", "value": "AWS_ECR_CONTAINER_IMAGE" } ] }, "components": [ { "type": "library", "name": "pip", "purl": "pkg:pypi/pip@22.0.4?path=usr/local/lib/python3.8/site-packages/pip-22.0.4.dist-info/METADATA", "bom-ref": "98dc550d1e9a0b24161daaa0d535c699" }, { "type": "application", "name": "libss2", "purl": "pkg:dpkg/libss2@1.44.5-1+deb10u3?arch=ARM64&epoch=0&upstream=libss2-1.44.5-1+deb10u3.src.dpkg", "bom-ref": "2f4d199d4ef9e2ae639b4f8d04a813a2" }, { "type": "application", "name": "liblz4-1", "purl": "pkg:dpkg/liblz4-1@1.8.3-1+deb10u1?arch=ARM64&epoch=0&upstream=liblz4-1-1.8.3-1+deb10u1.src.dpkg", "bom-ref": "9a6be8907ead891b070e60f5a7b7aa9a" }, { "type": "application", "name": "mawk", "purl": "pkg:dpkg/mawk@1.3.3-17+b3?arch=ARM64&epoch=0&upstream=mawk-1.3.3-17+b3.src.dpkg", "bom-ref": "c2015852a729f97fde924e62a16f78a5" }, { "type": "application", "name": "libgmp10", "purl": "pkg:dpkg/libgmp10@6.1.2+dfsg-4+deb10u1?arch=ARM64&epoch=2&upstream=libgmp10-6.1.2+dfsg-4+deb10u1.src.dpkg", "bom-ref": "52907290f5beef00dff8da77901b1085" }, { "type": "application", "name": "ncurses-bin", "purl": "pkg:dpkg/ncurses-bin@6.1+20181013-2+deb10u3?arch=ARM64&epoch=0&upstream=ncurses-bin-6.1+20181013-2+deb10u3.src.dpkg", "bom-ref": "cd20cfb9ebeeadba3809764376f43bce" } ], "vulnerabilities": [ { "id": "CVE-2022-40897", "affects": [ { "ref": "a74a4862cc654a2520ec56da0c81cdb3" }, { "ref": "0119eb286405d780dc437e7dbf2f9d9d" } ] } ] }
{ "name": "409870544328/EC2/i-022fba820db137c64/ami-074ea14c08effb2d8", "spdxVersion": "SPDX-2.3", "creationInfo": { "created": "2023-06-02T21:19:22Z", "creators": [ "Organization: 409870544328", "Tool: Amazon Inspector SBOM Generator" ] }, "documentNamespace": "EC2://i-022fba820db137c64/AMAZON_LINUX_2/null/x86_64", "comment": "", "packages": [{ "name": "elfutils-libelf", "versionInfo": "0.176-2.amzn2", "downloadLocation": "NOASSERTION", "sourceInfo": "/var/lib/rpm/Packages", "filesAnalyzed": false, "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/elfutils-libelf@0.176-2.amzn2?arch=X86_64&epoch=0&upstream=elfutils-libelf-0.176-2.amzn2.src.rpm" }], "SPDXID": "SPDXRef-Package-rpm-elfutils-libelf-ddf56a513c0e76ab2ae3246d9a91c463" }, { "name": "libcurl", "versionInfo": "7.79.1-1.amzn2.0.1", "downloadLocation": "NOASSERTION", "sourceInfo": "/var/lib/rpm/Packages", "filesAnalyzed": false, "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/libcurl@7.79.1-1.amzn2.0.1?arch=X86_64&epoch=0&upstream=libcurl-7.79.1-1.amzn2.0.1.src.rpm" }, { "referenceCategory": "SECURITY", "referenceType": "vulnerability", "referenceLocator": "CVE-2022-32205" } ], "SPDXID": "SPDXRef-Package-rpm-libcurl-710fb33829bc5106559bcd380cddb7d5" }, { "name": "hunspell-en-US", "versionInfo": "0.20121024-6.amzn2.0.1", "downloadLocation": "NOASSERTION", "sourceInfo": "/var/lib/rpm/Packages", "filesAnalyzed": false, "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/hunspell-en-US@0.20121024-6.amzn2.0.1?arch=NOARCH&epoch=0&upstream=hunspell-en-US-0.20121024-6.amzn2.0.1.src.rpm" }], "SPDXID": "SPDXRef-Package-rpm-hunspell-en-US-de19ae0883973d6cea5e7e079d544fe5" }, { "name": "grub2-tools-minimal", "versionInfo": "2.06-2.amzn2.0.6", "downloadLocation": "NOASSERTION", "sourceInfo": "/var/lib/rpm/Packages", "filesAnalyzed": false, "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/grub2-tools-minimal@2.06-2.amzn2.0.6?arch=X86_64&epoch=1&upstream=grub2-tools-minimal-2.06-2.amzn2.0.6.src.rpm" }, { "referenceCategory": "SECURITY", "referenceType": "vulnerability", "referenceLocator": "CVE-2021-3981" } ], "SPDXID": "SPDXRef-Package-rpm-grub2-tools-minimal-c56b7ea76e5a28ab8f232ef6d7564636" }, { "name": "unixODBC-devel", "versionInfo": "2.3.1-14.amzn2", "downloadLocation": "NOASSERTION", "sourceInfo": "/var/lib/rpm/Packages", "filesAnalyzed": false, "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/unixODBC-devel@2.3.1-14.amzn2?arch=X86_64&epoch=0&upstream=unixODBC-devel-2.3.1-14.amzn2.src.rpm" }], "SPDXID": "SPDXRef-Package-rpm-unixODBC-devel-1bb35add92978df021a13fc9f81237d2" } ], "relationships": [{ "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-rpm-elfutils-libelf-ddf56a513c0e76ab2ae3246d9a91c463", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-rpm-yajl-8476ce2db98b28cfab2b4484f84f1903", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-rpm-unixODBC-devel-1bb35add92978df021a13fc9f81237d2", "relationshipType": "DESCRIBES" } ], "SPDXID": "SPDXRef-DOCUMENT" }
过滤器用于 SBOMs
导出时, SBOMs 您可以添加筛选器来为特定资源子集创建报告。如果您不提供筛选条件,则会导 SBOMs 出所有处于活动状态且支持的资源。而且,如果您是委托管理员,这还包括所有成员的资源。可使用以下筛选条件:
-
Acco untID — 此筛选器可用于 SBOMs 导出与特定账户 ID 关联的任何资源。
-
EC2 实例标签-此筛选器 SBOMs 可用于导出带有特定标签的 EC2 实例。
-
函数名称-此筛选器 SBOMs 可用于导出特定 Lambda 函数。
-
图像标签-此过滤器 SBOMs 可用于导出带有特定标签的容器镜像。
-
Lambda 函数标签 — 此筛选器可用于导出带有特定标签的 SBOMs Lambda 函数。
-
资源类型-此筛选器可用于筛选资源类型: EC2/ecr/Lambda。
-
资源 ID — 此筛选条件可用于导出特定资源的 SBOM。
-
存储库名称-此筛选器 SBOMs 可用于生成特定存储库中的容器镜像。
配置和导出 SBOMs
要导出 SBOMs,您必须先配置一个 Amazon S3 存储桶和一个允许 Amazon Inspector 使用的 Amazon KMS 密钥。您可以使用筛选器导 SBOMs 出资源的特定子集。要 SBOMs 为 Amazon 组织中的多个账户导出,请在以 Amazon Inspector 授权管理员的身份登录后执行以下步骤。
先决条件
Amazon Inspector 主动监测的受支持资源。
配置了策略的 Amazon S3 存储桶,允许 Amazon Inspector 向存储桶添加对象。有关配置策略的信息,请参阅配置导出权限。
一种配置有策略的 Amazon KMS 密钥,允许 Amazon Inspector 用来加密您的报告。有关配置策略的信息,请参阅配置用于导出的 Amazon KMS 密钥。
注意
如果您之前配置了 Amazon S3 存储桶和用于导出结果的 Amazon KMS 密钥,则可以将相同的存储桶和密钥用于 SBOM 导出。
选择您的首选访问方法来导出 SBOM。