This page is a machine-translated version. If there is a discrepancy between this translation and the English original, the English original prevails.
Exporting SBOMs with Amazon Inspector
A software bill of materials (SBOM) is a nested inventory of all the open source and third-party software components in your codebase. Amazon Inspector provides SBOMs for the individual resources in your environment.
You can generate SBOMs for your resources with the Amazon Inspector console or the Amazon Inspector API. This topic describes how to export them. You can export SBOMs for every resource type that Amazon Inspector supports and monitors.
An exported SBOM gives you a view of your software supply chain, such as the packages you use most often and the vulnerabilities associated with them across your organization. Only resources that Amazon Inspector actively monitors are included; you can check a resource's status under Assessing Amazon Inspector coverage of your Amazon environment.
Note
Amazon Inspector does not currently support exporting SBOMs for Windows Amazon EC2 instances.
Amazon Inspector supports exporting SBOMs in CycloneDX 1.4 and SPDX 2.3 compatible formats. Amazon Inspector writes the SBOMs as JSON files to an Amazon S3 bucket that you choose.
Note
The SPDX format exported from Amazon Inspector is compatible with systems that use SPDX 2.3, but the exported documents do not contain the Creative Commons Zero (CC0) field. This is because including that field would permit users to redistribute or edit the material. In the SPDX 2.3 specification this is the mandatory `dataLicense` field (whose value is always `CC0-1.0`), so a tool that validates strictly against the specification may reject the export; tools that only read `packages` and `externalRefs` are unaffected.
Example CycloneDX 1.4 export for an Amazon ECR container image (excerpt):

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
    "timestamp": "2023-06-02T01:17:46Z",
    "component": null,
    "properties": [
      { "name": "imageId", "value": "sha256:c8ee97f7052776ef223080741f61fcdf6a3a9107810ea9649f904aa4269fdac6" },
      { "name": "architecture", "value": "arm64" },
      { "name": "accountId", "value": "111122223333" },
      { "name": "resourceType", "value": "AWS_ECR_CONTAINER_IMAGE" }
    ]
  },
  "components": [
    {
      "type": "library",
      "name": "pip",
      "purl": "pkg:pypi/pip@22.0.4?path=usr/local/lib/python3.8/site-packages/pip-22.0.4.dist-info/METADATA",
      "bom-ref": "98dc550d1e9a0b24161daaa0d535c699"
    },
    {
      "type": "application",
      "name": "libss2",
      "purl": "pkg:dpkg/libss2@1.44.5-1+deb10u3?arch=ARM64&epoch=0&upstream=libss2-1.44.5-1+deb10u3.src.dpkg",
      "bom-ref": "2f4d199d4ef9e2ae639b4f8d04a813a2"
    },
    {
      "type": "application",
      "name": "liblz4-1",
      "purl": "pkg:dpkg/liblz4-1@1.8.3-1+deb10u1?arch=ARM64&epoch=0&upstream=liblz4-1-1.8.3-1+deb10u1.src.dpkg",
      "bom-ref": "9a6be8907ead891b070e60f5a7b7aa9a"
    },
    {
      "type": "application",
      "name": "mawk",
      "purl": "pkg:dpkg/mawk@1.3.3-17+b3?arch=ARM64&epoch=0&upstream=mawk-1.3.3-17+b3.src.dpkg",
      "bom-ref": "c2015852a729f97fde924e62a16f78a5"
    },
    {
      "type": "application",
      "name": "libgmp10",
      "purl": "pkg:dpkg/libgmp10@6.1.2+dfsg-4+deb10u1?arch=ARM64&epoch=2&upstream=libgmp10-6.1.2+dfsg-4+deb10u1.src.dpkg",
      "bom-ref": "52907290f5beef00dff8da77901b1085"
    },
    {
      "type": "application",
      "name": "ncurses-bin",
      "purl": "pkg:dpkg/ncurses-bin@6.1+20181013-2+deb10u3?arch=ARM64&epoch=0&upstream=ncurses-bin-6.1+20181013-2+deb10u3.src.dpkg",
      "bom-ref": "cd20cfb9ebeeadba3809764376f43bce"
    }
  ],
  "vulnerabilities": [
    {
      "id": "CVE-2022-40897",
      "affects": [
        { "ref": "a74a4862cc654a2520ec56da0c81cdb3" },
        { "ref": "0119eb286405d780dc437e7dbf2f9d9d" }
      ]
    }
  ]
}
```

In CycloneDX a vulnerability is tied to a component only through the `ref` values under `affects`, which must match a component's `bom-ref`. The two refs under CVE-2022-40897 in this excerpt do not match any of the components listed, so they refer to components outside the excerpt.
Example SPDX 2.3 export for an Amazon EC2 instance (excerpt):

```json
{
  "name": "409870544328/EC2/i-022fba820db137c64/ami-074ea14c08effb2d8",
  "spdxVersion": "SPDX-2.3",
  "creationInfo": {
    "created": "2023-06-02T21:19:22Z",
    "creators": [
      "Organization: 409870544328",
      "Tool: Amazon Inspector SBOM Generator"
    ]
  },
  "documentNamespace": "EC2://i-022fba820db137c64/AMAZON_LINUX_2/null/x86_64",
  "comment": "",
  "packages": [
    {
      "name": "elfutils-libelf",
      "versionInfo": "0.176-2.amzn2",
      "downloadLocation": "NOASSERTION",
      "sourceInfo": "/var/lib/rpm/Packages",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:rpm/elfutils-libelf@0.176-2.amzn2?arch=X86_64&epoch=0&upstream=elfutils-libelf-0.176-2.amzn2.src.rpm"
        }
      ],
      "SPDXID": "SPDXRef-Package-rpm-elfutils-libelf-ddf56a513c0e76ab2ae3246d9a91c463"
    },
    {
      "name": "libcurl",
      "versionInfo": "7.79.1-1.amzn2.0.1",
      "downloadLocation": "NOASSERTION",
      "sourceInfo": "/var/lib/rpm/Packages",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:rpm/libcurl@7.79.1-1.amzn2.0.1?arch=X86_64&epoch=0&upstream=libcurl-7.79.1-1.amzn2.0.1.src.rpm"
        },
        {
          "referenceCategory": "SECURITY",
          "referenceType": "vulnerability",
          "referenceLocator": "CVE-2022-32205"
        }
      ],
      "SPDXID": "SPDXRef-Package-rpm-libcurl-710fb33829bc5106559bcd380cddb7d5"
    },
    {
      "name": "hunspell-en-US",
      "versionInfo": "0.20121024-6.amzn2.0.1",
      "downloadLocation": "NOASSERTION",
      "sourceInfo": "/var/lib/rpm/Packages",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:rpm/hunspell-en-US@0.20121024-6.amzn2.0.1?arch=NOARCH&epoch=0&upstream=hunspell-en-US-0.20121024-6.amzn2.0.1.src.rpm"
        }
      ],
      "SPDXID": "SPDXRef-Package-rpm-hunspell-en-US-de19ae0883973d6cea5e7e079d544fe5"
    },
    {
      "name": "grub2-tools-minimal",
      "versionInfo": "2.06-2.amzn2.0.6",
      "downloadLocation": "NOASSERTION",
      "sourceInfo": "/var/lib/rpm/Packages",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:rpm/grub2-tools-minimal@2.06-2.amzn2.0.6?arch=X86_64&epoch=1&upstream=grub2-tools-minimal-2.06-2.amzn2.0.6.src.rpm"
        },
        {
          "referenceCategory": "SECURITY",
          "referenceType": "vulnerability",
          "referenceLocator": "CVE-2021-3981"
        }
      ],
      "SPDXID": "SPDXRef-Package-rpm-grub2-tools-minimal-c56b7ea76e5a28ab8f232ef6d7564636"
    },
    {
      "name": "unixODBC-devel",
      "versionInfo": "2.3.1-14.amzn2",
      "downloadLocation": "NOASSERTION",
      "sourceInfo": "/var/lib/rpm/Packages",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:rpm/unixODBC-devel@2.3.1-14.amzn2?arch=X86_64&epoch=0&upstream=unixODBC-devel-2.3.1-14.amzn2.src.rpm"
        }
      ],
      "SPDXID": "SPDXRef-Package-rpm-unixODBC-devel-1bb35add92978df021a13fc9f81237d2"
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relatedSpdxElement": "SPDXRef-Package-rpm-elfutils-libelf-ddf56a513c0e76ab2ae3246d9a91c463",
      "relationshipType": "DESCRIBES"
    },
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relatedSpdxElement": "SPDXRef-Package-rpm-yajl-8476ce2db98b28cfab2b4484f84f1903",
      "relationshipType": "DESCRIBES"
    },
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relatedSpdxElement": "SPDXRef-Package-rpm-unixODBC-devel-1bb35add92978df021a13fc9f81237d2",
      "relationshipType": "DESCRIBES"
    }
  ],
  "SPDXID": "SPDXRef-DOCUMENT"
}
```

In the SPDX export the vulnerability data is carried inline: each affected package has an `externalRefs` entry with `referenceCategory` SECURITY and `referenceType` vulnerability next to its PACKAGE-MANAGER purl entry, so there is no cross-reference to resolve.
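The two formats above attach vulnerability data to components in different ways, and a consumer that reads both needs to handle each. The following is an added example, not Amazon Inspector's or AWS's own code, that normalizes either a CycloneDX 1.4 or an SPDX 2.3 export into one component list with the CVEs attached. The two sample documents are constructed and abbreviated from the fragments shown above; a libcurl component is carried from the SPDX fragment into the CycloneDX sample (with its bom-ref taken from its SPDXID) so that one `affects` reference resolves. All function names are the author's own.

```python
"""Normalize an Amazon Inspector SBOM export into one component list with CVEs.

Added example, not Amazon Inspector's own code. It reads either of the two
export formats this page describes (CycloneDX 1.4 or SPDX 2.3 JSON). The
sample documents at the bottom are constructed from the page's fragments.
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Component:
    name: str
    version: Optional[str]
    purl: Optional[str]
    cves: List[str] = field(default_factory=list)


def _purl_version(purl):
    """Version from pkg:type/name@version?qualifiers (an '@' in a namespace is
    percent-encoded per the purl spec, so the first '@' is the split point)."""
    if not purl or "@" not in purl:
        return None
    return purl.split("@", 1)[1].split("?", 1)[0]


def parse_cyclonedx(doc):
    """CycloneDX ties a vulnerability to a component only through bom-ref.
    Returns (components, unresolved); unresolved holds (cve, ref) pairs whose
    ref matches no component, as with the excerpt shown on this page."""
    by_ref, comps = {}, []
    for c in doc.get("components", []):
        comp = Component(c["name"], c.get("version") or _purl_version(c.get("purl")),
                         c.get("purl"))
        comps.append(comp)
        if "bom-ref" in c:
            by_ref[c["bom-ref"]] = comp
    unresolved = []
    for v in doc.get("vulnerabilities", []):
        for a in v.get("affects", []):
            comp = by_ref.get(a["ref"])
            if comp is None:
                unresolved.append((v["id"], a["ref"]))  # report, do not drop silently
            else:
                comp.cves.append(v["id"])
    return comps, unresolved


def parse_spdx(doc):
    """SPDX carries each CVE inline as a SECURITY/vulnerability externalRef on
    the package, beside its PACKAGE-MANAGER/purl ref; nothing to resolve."""
    comps = []
    for p in doc.get("packages", []):
        comp = Component(p["name"], p.get("versionInfo"), None)
        for ref in p.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                comp.purl = ref["referenceLocator"]
            elif (ref.get("referenceCategory") == "SECURITY"
                  and ref.get("referenceType") == "vulnerability"):
                comp.cves.append(ref["referenceLocator"])
        comps.append(comp)
    return comps, []


def parse_sbom(text):
    """Dispatch on the top-level format marker each export carries."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return parse_cyclonedx(doc)
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return parse_spdx(doc)
    raise ValueError("not a CycloneDX or SPDX JSON document")


def vulnerable_components(text):
    comps, _ = parse_sbom(text)
    return [c for c in comps if c.cves]


# Constructed samples, abbreviated from the page's fragments. The libcurl entry
# in the CycloneDX sample (bom-ref taken from its SPDXID) is carried over from
# the SPDX fragment so one 'affects' ref resolves; the CVE-2022-40897 entry is
# the page's own and its refs resolve to nothing in the excerpt.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        {"type": "library", "name": "pip", "bom-ref": "98dc550d1e9a0b24161daaa0d535c699",
         "purl": "pkg:pypi/pip@22.0.4?path=usr/local/lib/python3.8/site-packages/pip-22.0.4.dist-info/METADATA"},
        {"type": "application", "name": "libss2", "bom-ref": "2f4d199d4ef9e2ae639b4f8d04a813a2",
         "purl": "pkg:dpkg/libss2@1.44.5-1+deb10u3?arch=ARM64&epoch=0"},
        {"type": "application", "name": "libcurl", "bom-ref": "710fb33829bc5106559bcd380cddb7d5",
         "purl": "pkg:rpm/libcurl@7.79.1-1.amzn2.0.1?arch=X86_64&epoch=0"}],
    "vulnerabilities": [
        {"id": "CVE-2022-32205", "affects": [{"ref": "710fb33829bc5106559bcd380cddb7d5"}]},
        {"id": "CVE-2022-40897", "affects": [{"ref": "a74a4862cc654a2520ec56da0c81cdb3"},
                                             {"ref": "0119eb286405d780dc437e7dbf2f9d9d"}]}]})
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "elfutils-libelf", "versionInfo": "0.176-2.amzn2", "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:rpm/elfutils-libelf@0.176-2.amzn2?arch=X86_64&epoch=0"}]},
        {"name": "libcurl", "versionInfo": "7.79.1-1.amzn2.0.1", "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:rpm/libcurl@7.79.1-1.amzn2.0.1?arch=X86_64&epoch=0"},
            {"referenceCategory": "SECURITY", "referenceType": "vulnerability",
             "referenceLocator": "CVE-2022-32205"}]},
        {"name": "grub2-tools-minimal", "versionInfo": "2.06-2.amzn2.0.6", "externalRefs": [
            {"referenceCategory": "SECURITY", "referenceType": "vulnerability",
             "referenceLocator": "CVE-2021-3981"}]}]})

if __name__ == "__main__":
    for sample in (CYCLONEDX_SAMPLE, SPDX_SAMPLE):
        comps, unresolved = parse_sbom(sample)
        for c in comps:
            print(f"{c.name} {c.version}: {', '.join(c.cves) or 'no CVEs'}")
        for cve, ref in unresolved:
            print(f"WARNING: {cve} affects unknown bom-ref {ref}")
```

Unresolved `affects` refs are returned rather than discarded because they mean the CVE applies to something the document does not describe, which is a gap in coverage you want surfaced, not a parse error. The CycloneDX branch prefers an explicit `version` field when the export carries one and falls back to the purl only otherwise.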
SBOM filters
When you export SBOMs, you can use filters to create a report for a specific subset of resources. If you don't provide a filter, SBOMs for all active, supported resources are exported; if you are the delegated administrator, that includes the resources of all member accounts. The following filters are available:
- AccountID: export SBOMs for the resources associated with a specific account ID.
- EC2 instance tags: export SBOMs for EC2 instances that carry a specific tag.
- Function name: export the SBOM of a specific Lambda function.
- Image tags: export SBOMs for container images that carry a specific tag.
- Lambda function tags: export SBOMs for Lambda functions that carry a specific tag.
- Resource type: filter by resource type: EC2, ECR, or Lambda.
- Resource ID: export the SBOM of a specific resource.
- Repository name: generate SBOMs for the container images in a specific repository.
Configuring and exporting SBOMs
To export SBOMs, you must first configure an Amazon S3 bucket and an Amazon KMS key that Amazon Inspector is allowed to use. You can use filters to export SBOMs for a specific subset of resources. To export SBOMs for multiple accounts in an Amazon organization, perform the following steps while signed in as the Amazon Inspector delegated administrator.
Prerequisites
- A supported resource that Amazon Inspector actively monitors.
- An Amazon S3 bucket with a policy that allows Amazon Inspector to add objects to the bucket. For information about configuring the policy, see Configuring export permissions.
- An Amazon KMS key with a policy that allows Amazon Inspector to use the key to encrypt your reports. For information about configuring the policy, see Configuring an Amazon KMS key for exports.
Note
If you previously configured an Amazon S3 bucket and an Amazon KMS key for exporting findings, you can use the same bucket and key for SBOM exports.
Choose your preferred access method to export an SBOM.
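For the API access method, the filter list and the prerequisites above map directly onto one CreateSbomExport call. The following is an added example, not AWS's or Amazon Inspector's own code, that builds that request from the page's filters and then polls GetSbomExport until the report reaches a final state, using boto3's inspector2 client. The bucket name, key prefix, KMS key ARN, account ID and tag values are placeholders, and the bucket and key are assumed to already carry the policies the prerequisites call for; the helper names are the author's own.

```python
"""Start an Amazon Inspector SBOM export over the API and wait for it to finish.

Added example, not AWS's own code. It calls the Inspector2 API operations
CreateSbomExport, GetSbomExport and CancelSbomExport through boto3. The
bucket, key prefix, KMS key ARN, account ID and tag values in main are
placeholders; the bucket and key must already carry the policies listed
under the prerequisites on this page.
"""
import time

# Console labels from the filter list on this page -> API resourceType values
RESOURCE_TYPES = {
    "EC2": "AWS_EC2_INSTANCE",
    "ECR": "AWS_ECR_CONTAINER_IMAGE",
    "Lambda": "AWS_LAMBDA_FUNCTION",
}


def build_filter_criteria(account_ids=(), resource_types=(), ec2_tags=None,
                          ecr_repositories=(), ecr_image_tags=(),
                          lambda_names=(), lambda_tags=None, resource_ids=()):
    """Map the page's filters onto the resourceFilterCriteria shape that
    CreateSbomExport accepts. Keys without values are omitted; an empty
    result means "all active, supported resources"."""
    def eq(values):
        return [{"comparison": "EQUALS", "value": v} for v in values]

    def tag_eq(tags):
        return [{"comparison": "EQUALS", "key": k, "value": v}
                for k, v in (tags or {}).items()]

    criteria = {
        "accountId": eq(account_ids),
        "resourceType": eq(RESOURCE_TYPES.get(t, t) for t in resource_types),
        "ec2InstanceTags": tag_eq(ec2_tags),
        "ecrRepositoryName": eq(ecr_repositories),
        "ecrImageTags": eq(ecr_image_tags),
        "lambdaFunctionName": eq(lambda_names),
        "lambdaFunctionTags": tag_eq(lambda_tags),
        "resourceId": eq(resource_ids),
    }
    return {k: v for k, v in criteria.items() if v}


def build_export_request(bucket, key_prefix, kms_key_arn,
                         report_format="CYCLONEDX_1_4", **filters):
    """Assemble the CreateSbomExport parameters. The two report formats are
    the ones this page says Amazon Inspector supports."""
    if report_format not in ("CYCLONEDX_1_4", "SPDX_2_3"):
        raise ValueError("report_format must be CYCLONEDX_1_4 or SPDX_2_3")
    request = {
        "reportFormat": report_format,
        "s3Destination": {"bucketName": bucket, "keyPrefix": key_prefix,
                          "kmsKeyArn": kms_key_arn},
    }
    criteria = build_filter_criteria(**filters)
    if criteria:
        request["resourceFilterCriteria"] = criteria
    return request


def export_sbom(request, region="us-east-1", poll_seconds=15, timeout_seconds=1800):
    """Submit the export and poll GetSbomExport until it reaches a final
    state. The export is cancelled if it overruns the timeout so it does not
    keep writing to the bucket after the caller has given up."""
    import boto3  # imported here so the builders above work without boto3

    client = boto3.client("inspector2", region_name=region)
    report_id = client.create_sbom_export(**request)["reportId"]
    deadline = time.monotonic() + timeout_seconds
    while True:
        status = client.get_sbom_export(reportId=report_id)
        if status["status"] in ("SUCCEEDED", "FAILED", "CANCELLED"):
            return status  # errorCode/errorMessage are present on FAILED
        if time.monotonic() > deadline:
            client.cancel_sbom_export(reportId=report_id)
            raise TimeoutError(f"SBOM export {report_id} exceeded {timeout_seconds}s")
        time.sleep(poll_seconds)


if __name__ == "__main__":
    # Placeholder values: replace with your own bucket, key ARN and account.
    req = build_export_request(
        "amzn-s3-demo-bucket", "sbom/",
        "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        report_format="SPDX_2_3",
        account_ids=["111122223333"], resource_types=["EC2"],
        ec2_tags={"Environment": "prod"},
    )
    result = export_sbom(req)
    print(result["status"], result.get("errorMessage", ""))
```

Because a filterless request exports every active, supported resource (and every member account's resources when run as the delegated administrator), the request builder emits `resourceFilterCriteria` only when at least one filter has a value, so an accidental empty filter is visibly an organization-wide export rather than a silently ignored one.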