本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
SBOMs使用亚马逊 Inspector 导出
软件物料清单 (SBOM) 是您的代码库中所有开源和第三方软件组件的嵌套清单。Amazon Inspect SBOMs or 在您的环境中提供单个资源。你可以使用 Amazon Inspector 控制台或 Amazon Inspec API tor SBOMs 为你的资源生成。您可以导出 SBOMs Amazon Inspector 支持和监控的所有资源。已导出SBOMs提供有关您的软件供应的信息。您可以通过评估 AWS 环境覆盖范围来查看资源状态。本节介绍如何配置和导出SBOMs。
注意
目前,Amazon Inspector 不SBOMs支持导出 Windows 亚马逊EC2实例。
Amazon Inspector
Amazon Inspector 支持SBOMs以 CycloneDX 1.4 和 SPDX2.3 兼容格式导出。Amazon Inspector SBOMs 作为JSON文件导出到您选择的 Amazon S3 存储桶。
注意
SPDX从 Amazon Inspector 导出的格式与使用 SPDX2.3 的系统兼容,但它们不包含知识共享零 (CC0) 字段。这是因为包含此字段将允许用户重新分发或编辑材料。
{ "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "metadata": { "timestamp": "2023-06-02T01:17:46Z", "component": null, "properties": [ { "name": "imageId", "value": "sha256:c8ee97f7052776ef223080741f61fcdf6a3a9107810ea9649f904aa4269fdac6" }, { "name": "architecture", "value": "arm64" }, { "name": "accountId", "value": "111122223333" }, { "name": "resourceType", "value": "AWS_ECR_CONTAINER_IMAGE" } ] }, "components": [ { "type": "library", "name": "pip", "purl": "pkg:pypi/pip@22.0.4?path=usr/local/lib/python3.8/site-packages/pip-22.0.4.dist-info/METADATA", "bom-ref": "98dc550d1e9a0b24161daaa0d535c699" }, { "type": "application", "name": "libss2", "purl": "pkg:dpkg/libss2@1.44.5-1+deb10u3?arch=ARM64&epoch=0&upstream=libss2-1.44.5-1+deb10u3.src.dpkg", "bom-ref": "2f4d199d4ef9e2ae639b4f8d04a813a2" }, { "type": "application", "name": "liblz4-1", "purl": "pkg:dpkg/liblz4-1@1.8.3-1+deb10u1?arch=ARM64&epoch=0&upstream=liblz4-1-1.8.3-1+deb10u1.src.dpkg", "bom-ref": "9a6be8907ead891b070e60f5a7b7aa9a" }, { "type": "application", "name": "mawk", "purl": "pkg:dpkg/mawk@1.3.3-17+b3?arch=ARM64&epoch=0&upstream=mawk-1.3.3-17+b3.src.dpkg", "bom-ref": "c2015852a729f97fde924e62a16f78a5" }, { "type": "application", "name": "libgmp10", "purl": "pkg:dpkg/libgmp10@6.1.2+dfsg-4+deb10u1?arch=ARM64&epoch=2&upstream=libgmp10-6.1.2+dfsg-4+deb10u1.src.dpkg", "bom-ref": "52907290f5beef00dff8da77901b1085" }, { "type": "application", "name": "ncurses-bin", "purl": "pkg:dpkg/ncurses-bin@6.1+20181013-2+deb10u3?arch=ARM64&epoch=0&upstream=ncurses-bin-6.1+20181013-2+deb10u3.src.dpkg", "bom-ref": "cd20cfb9ebeeadba3809764376f43bce" } ], "vulnerabilities": [ { "id": "CVE-2022-40897", "affects": [ { "ref": "a74a4862cc654a2520ec56da0c81cdb3" }, { "ref": "0119eb286405d780dc437e7dbf2f9d9d" } ] } ] }
{ "name": "409870544328/EC2/i-022fba820db137c64/ami-074ea14c08effb2d8", "spdxVersion": "SPDX-2.3", "creationInfo": { "created": "2023-06-02T21:19:22Z", "creators": [ "Organization: 409870544328", "Tool: Amazon Inspector SBOM Generator" ] }, "documentNamespace": "EC2://i-022fba820db137c64/AMAZON_LINUX_2/null/x86_64", "comment": "", "packages": [{ "name": "elfutils-libelf", "versionInfo": "0.176-2.amzn2", "downloadLocation": "NOASSERTION", "sourceInfo": "/var/lib/rpm/Packages", "filesAnalyzed": false, "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/elfutils-libelf@0.176-2.amzn2?arch=X86_64&epoch=0&upstream=elfutils-libelf-0.176-2.amzn2.src.rpm" }], "SPDXID": "SPDXRef-Package-rpm-elfutils-libelf-ddf56a513c0e76ab2ae3246d9a91c463" }, { "name": "libcurl", "versionInfo": "7.79.1-1.amzn2.0.1", "downloadLocation": "NOASSERTION", "sourceInfo": "/var/lib/rpm/Packages", "filesAnalyzed": false, "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/libcurl@7.79.1-1.amzn2.0.1?arch=X86_64&epoch=0&upstream=libcurl-7.79.1-1.amzn2.0.1.src.rpm" }, { "referenceCategory": "SECURITY", "referenceType": "vulnerability", "referenceLocator": "CVE-2022-32205" } ], "SPDXID": "SPDXRef-Package-rpm-libcurl-710fb33829bc5106559bcd380cddb7d5" }, { "name": "hunspell-en-US", "versionInfo": "0.20121024-6.amzn2.0.1", "downloadLocation": "NOASSERTION", "sourceInfo": "/var/lib/rpm/Packages", "filesAnalyzed": false, "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/hunspell-en-US@0.20121024-6.amzn2.0.1?arch=NOARCH&epoch=0&upstream=hunspell-en-US-0.20121024-6.amzn2.0.1.src.rpm" }], "SPDXID": "SPDXRef-Package-rpm-hunspell-en-US-de19ae0883973d6cea5e7e079d544fe5" }, { "name": "grub2-tools-minimal", "versionInfo": "2.06-2.amzn2.0.6", "downloadLocation": "NOASSERTION", "sourceInfo": "/var/lib/rpm/Packages", "filesAnalyzed": false, "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/grub2-tools-minimal@2.06-2.amzn2.0.6?arch=X86_64&epoch=1&upstream=grub2-tools-minimal-2.06-2.amzn2.0.6.src.rpm" }, { "referenceCategory": "SECURITY", "referenceType": "vulnerability", "referenceLocator": "CVE-2021-3981" } ], "SPDXID": "SPDXRef-Package-rpm-grub2-tools-minimal-c56b7ea76e5a28ab8f232ef6d7564636" }, { "name": "unixODBC-devel", "versionInfo": "2.3.1-14.amzn2", "downloadLocation": "NOASSERTION", "sourceInfo": "/var/lib/rpm/Packages", "filesAnalyzed": false, "externalRefs": [{ "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/unixODBC-devel@2.3.1-14.amzn2?arch=X86_64&epoch=0&upstream=unixODBC-devel-2.3.1-14.amzn2.src.rpm" }], "SPDXID": "SPDXRef-Package-rpm-unixODBC-devel-1bb35add92978df021a13fc9f81237d2" } ], "relationships": [{ "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-rpm-elfutils-libelf-ddf56a513c0e76ab2ae3246d9a91c463", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-rpm-yajl-8476ce2db98b28cfab2b4484f84f1903", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-rpm-unixODBC-devel-1bb35add92978df021a13fc9f81237d2", "relationshipType": "DESCRIBES" } ], "SPDXID": "SPDXRef-DOCUMENT" }
过滤器用于 SBOMs
导出时,SBOMs您可以添加筛选器来为特定资源子集创建报告。如果您不提供筛选条件,则会导SBOMs出所有处于活动状态且支持的资源。而且,如果您是委托管理员,这还包括所有成员的资源。可使用以下筛选条件:
-
Acco untID — 此筛选器可用于SBOMs导出与特定账户 ID 关联的任何资源。
-
EC2实例标签-此筛选器SBOMs可用于导出带有特定标签的EC2实例。
-
函数名称-此筛选器SBOMs可用于导出特定 Lambda 函数。
-
图像标签-此过滤器SBOMs可用于导出带有特定标签的容器镜像。
-
Lambda 函数标签 — 此筛选器可用于导出带有特定标签的 SBOMs Lambda 函数。
-
资源类型-此筛选器可用于筛选资源类型:ECR/EC2/Lambda。
-
资源 ID-此筛选器可用于SBOM为特定资源导出。
-
存储库名称-此筛选器SBOMs可用于生成特定存储库中的容器镜像。
配置和导出 SBOMs
要导出SBOMs,您必须先配置一个 Amazon S3 存储桶和一个允许 Amazon Inspector 使用的 AWS KMS 密钥。您可以使用筛选器SBOMs为资源的特定子集进行导出。要SBOMs为 AWS 组织中的多个账户导出,请在以 Amazon Inspector 委托管理员身份登录后按照以下步骤操作。
先决条件
Amazon Inspector 主动监测的受支持资源。
配置了策略的 Amazon S3 存储桶,允许 Amazon Inspector 向存储桶添加对象。有关配置策略的信息,请参阅配置导出权限。
一种配置有策略的 AWS KMS 密钥,允许 Amazon Inspector 使用该策略来加密您的报告。有关配置策略的信息,请参阅配置用于导出的 AWS KMS 密钥。
注意
如果您之前配置了 Amazon S3 存储桶和用于导出结果的 AWS KMS 密钥,则可以使用相同的存储桶和密钥进行SBOM导出。
选择您首选的访问方法来导出SBOM。
