使用 Amazon Inspector 导出 SBOM
软件物料清单(SBOM)是您代码库中所有开源和第三方软件组件的嵌套清单。Amazon Inspector 为环境中的各个资源提供 SBOM。可以使用 Amazon Inspector 控制台或 Amazon Inspector API 为资源生成 SBOM。可以为 Amazon Inspector 支持和监控的所有资源导出 SBOM。导出的 SBOM 将提供有关软件供应的信息。可以通过评测 Amazon 环境的覆盖率来查看资源的状态。本部分介绍如何配置和导出 SBOM。
一些软件组件和程序包管理器使用版本范围或动态引用,而不是固定版本来实现依赖关系。这种做法会产生未解析的哈希值,其中 Amazon Inspector 会识别哈希或 jar 文件,但无法将其映射到特定的名称和版本以进行漏洞检测。Amazon Inspector 现在会将这些未解析的哈希值包含在软件物料清单(SBOM)导出中。虽然无法对这些程序包进行漏洞扫描,但它们的哈希值可在导出的组件列表中找到。
注意
目前,Amazon Inspector 不支持为 Windows Amazon EC2 实例导出 SBOM。
Amazon Inspector
Amazon Inspector 支持以 CycloneDX 1.4 和 SPDX 2.3 兼容格式导出 SBOM。Amazon Inspector 将 SBOM 以 JSON 文件格式导出到您选择的 Amazon S3 存储桶。
注意
从 Amazon Inspector 导出的 SPDX 格式与使用 SPDX 2.3 的系统兼容,但它们不包含无权利保留协议 (CC0) 字段。这是因为包含此字段将允许用户重新分发或编辑材料。
{ "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "metadata": { "timestamp": "2023-06-02T01:17:46Z", "component": null, "properties": [ { "name": "imageId", "value": "sha256:c8ee97f7052776ef223080741f61fcdf6a3a9107810ea9649f904aa4269fdac6" }, { "name": "architecture", "value": "arm64" }, { "name": "accountId", "value": "111122223333" }, { "name": "resourceType", "value": "AWS_ECR_CONTAINER_IMAGE" } ] }, "components": [ { "type": "library", "name": "pip", "purl": "pkg:pypi/pip@22.0.4?path=usr/local/lib/python3.8/site-packages/pip-22.0.4.dist-info/METADATA", "bom-ref": "98dc550d1e9a0b24161daaa0d535c699" }, { "type": "application", "name": "libss2", "purl": "pkg:dpkg/libss2@1.44.5-1+deb10u3?arch=ARM64&epoch=0&upstream=libss2-1.44.5-1+deb10u3.src.dpkg", "bom-ref": "2f4d199d4ef9e2ae639b4f8d04a813a2" }, { "type": "application", "name": "liblz4-1", "purl": "pkg:dpkg/liblz4-1@1.8.3-1+deb10u1?arch=ARM64&epoch=0&upstream=liblz4-1-1.8.3-1+deb10u1.src.dpkg", "bom-ref": "9a6be8907ead891b070e60f5a7b7aa9a" }, { "type": "application", "name": "mawk", "purl": "pkg:dpkg/mawk@1.3.3-17+b3?arch=ARM64&epoch=0&upstream=mawk-1.3.3-17+b3.src.dpkg", "bom-ref": "c2015852a729f97fde924e62a16f78a5" }, { "type": "application", "name": "libgmp10", "purl": "pkg:dpkg/libgmp10@6.1.2+dfsg-4+deb10u1?arch=ARM64&epoch=2&upstream=libgmp10-6.1.2+dfsg-4+deb10u1.src.dpkg", "bom-ref": "52907290f5beef00dff8da77901b1085" }, { "type": "application", "name": "ncurses-bin", "purl": "pkg:dpkg/ncurses-bin@6.1+20181013-2+deb10u3?arch=ARM64&epoch=0&upstream=ncurses-bin-6.1+20181013-2+deb10u3.src.dpkg", "bom-ref": "cd20cfb9ebeeadba3809764376f43bce" } ], "vulnerabilities": [ { "id": "CVE-2022-40897", "affects": [ { "ref": "a74a4862cc654a2520ec56da0c81cdb3" }, { "ref": "0119eb286405d780dc437e7dbf2f9d9d" } ] } ] }
{ "name": "409870544328/EC2/i-022fba820db137c64/ami-074ea14c08effb2d8", "spdxVersion": "SPDX-2.3", "creationInfo": { "created": "2023-06-02T21:19:22Z", "creators": [ "Organization: 409870544328", "Tool: Amazon Inspector SBOM Generator" ] }, "documentNamespace": "EC2://i-022fba820db137c64/AMAZON_LINUX_2/null/x86_64", "comment": "", "packages": [{ "name": "elfutils-libelf", "versionInfo": "0.176-2.amzn2", "downloadLocation": "NOASSERTION", "sourceInfo": "/var/lib/rpm/Packages", "filesAnalyzed": false, "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/elfutils-libelf@0.176-2.amzn2?arch=X86_64&epoch=0&upstream=elfutils-libelf-0.176-2.amzn2.src.rpm" }], "SPDXID": "SPDXRef-Package-rpm-elfutils-libelf-ddf56a513c0e76ab2ae3246d9a91c463" }, { "name": "libcurl", "versionInfo": "7.79.1-1.amzn2.0.1", "downloadLocation": "NOASSERTION", "sourceInfo": "/var/lib/rpm/Packages", "filesAnalyzed": false, "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/libcurl@7.79.1-1.amzn2.0.1?arch=X86_64&epoch=0&upstream=libcurl-7.79.1-1.amzn2.0.1.src.rpm" }, { "referenceCategory": "SECURITY", "referenceType": "vulnerability", "referenceLocator": "CVE-2022-32205" } ], "SPDXID": "SPDXRef-Package-rpm-libcurl-710fb33829bc5106559bcd380cddb7d5" }, { "name": "hunspell-en-US", "versionInfo": "0.20121024-6.amzn2.0.1", "downloadLocation": "NOASSERTION", "sourceInfo": "/var/lib/rpm/Packages", "filesAnalyzed": false, "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/hunspell-en-US@0.20121024-6.amzn2.0.1?arch=NOARCH&epoch=0&upstream=hunspell-en-US-0.20121024-6.amzn2.0.1.src.rpm" }], "SPDXID": "SPDXRef-Package-rpm-hunspell-en-US-de19ae0883973d6cea5e7e079d544fe5" }, { "name": "grub2-tools-minimal", "versionInfo": "2.06-2.amzn2.0.6", "downloadLocation": "NOASSERTION", "sourceInfo": "/var/lib/rpm/Packages", "filesAnalyzed": false, "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/grub2-tools-minimal@2.06-2.amzn2.0.6?arch=X86_64&epoch=1&upstream=grub2-tools-minimal-2.06-2.amzn2.0.6.src.rpm" }, { "referenceCategory": "SECURITY", "referenceType": "vulnerability", "referenceLocator": "CVE-2021-3981" } ], "SPDXID": "SPDXRef-Package-rpm-grub2-tools-minimal-c56b7ea76e5a28ab8f232ef6d7564636" }, { "name": "unixODBC-devel", "versionInfo": "2.3.1-14.amzn2", "downloadLocation": "NOASSERTION", "sourceInfo": "/var/lib/rpm/Packages", "filesAnalyzed": false, "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/unixODBC-devel@2.3.1-14.amzn2?arch=X86_64&epoch=0&upstream=unixODBC-devel-2.3.1-14.amzn2.src.rpm" }], "SPDXID": "SPDXRef-Package-rpm-unixODBC-devel-1bb35add92978df021a13fc9f81237d2" } ], "relationships": [{ "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-rpm-elfutils-libelf-ddf56a513c0e76ab2ae3246d9a91c463", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-rpm-yajl-8476ce2db98b28cfab2b4484f84f1903", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-rpm-unixODBC-devel-1bb35add92978df021a13fc9f81237d2", "relationshipType": "DESCRIBES" } ], "SPDXID": "SPDXRef-DOCUMENT" }
SBOM 筛选条件
导出 SBOM 时,可以使用筛选条件,为特定资源子集创建报告。如果您不提供筛选条件,则会导出所有活动、受支持的资源的 SBOM。而且,如果您是委托管理员,这还包括所有成员的资源。可使用以下筛选条件:
-
AccountID — 此筛选条件可用于导出与特定账户 ID 关联的资源的 SBOM。
-
EC2 实例标签 — 此筛选条件可用于导出带有特定标签的 EC2 实例的 SBOM。
-
函数名称 — 此筛选条件可用于导出特定 Lambda 函数的 SBOM。
-
映像标签 — 此筛选条件可用于导出带有特定标签的容器映像的 SBOM。
-
Lambda 函数标签 — 此筛选条件可用于导出带有特定标签的 Lambda 函数的 SBOM。
-
资源类型 — 此筛选条件可用于筛选资源类型:EC2/ECR/Lambda。
-
资源 ID — 此筛选条件可用于导出特定资源的 SBOM。
-
存储库名称 — 此筛选条件可用于为特定存储库中的容器映像生成 SBOM。
配置和导出 SBOM
要导出 SBOM,必须先配置 Amazon S3 存储桶和允许 Amazon Inspector 使用的 Amazon KMS 密钥。您可以使用筛选条件为资源的特定子集导出 SBOM。要为 Amazon 组织中的多个账户导出 SBOM,请在以 Amazon Inspector 委托管理员的身份登录后执行以下步骤。
先决条件
Amazon Inspector 主动监测的受支持资源。
配置了策略的 Amazon S3 存储桶,允许 Amazon Inspector 向存储桶添加对象。有关配置策略的信息,请参阅配置导出权限。
配置了策略的 Amazon KMS 密钥,允许 Amazon Inspector 使用该策略来加密报告。有关配置策略的信息,请参阅配置用于导出的 Amazon KMS 密钥。
注意
如果您之前配置了 Amazon S3 存储桶和用于调查发现导出的 Amazon KMS 密钥,则可以将这些存储桶和密钥用于 SBOM 导出。
选择您的首选访问方法来导出 SBOM。