This page is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.
Exporting SBOMs with Amazon Inspector
A software bill of materials (SBOM) is a nested inventory of all open source and third-party software components in a codebase. Amazon Inspector provides SBOMs for individual resources in your environment. You can generate SBOMs for your resources using the Amazon Inspector console or the Amazon Inspector API. You can export SBOMs for all resources that Amazon Inspector supports and monitors. Exported SBOMs provide information about your software supply chain. You can review the status of your resources by evaluating the coverage of your AWS environment. This section describes how to configure and export SBOMs.
Note
Currently, Amazon Inspector does not support exporting SBOMs for Windows Amazon EC2 instances.
Amazon Inspector formats
Amazon Inspector supports exporting SBOMs in CycloneDX 1.4 and SPDX 2.3 compatible formats. Amazon Inspector exports SBOMs as JSON files to an Amazon S3 bucket of your choice.
Note
SPDX format exports from Amazon Inspector are compatible with systems that use SPDX 2.3, but they do not contain the Creative Commons Zero (CC0) field. This is because including that field would allow users to redistribute or edit the material.
CycloneDX 1.4 export example:

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
    "timestamp": "2023-06-02T01:17:46Z",
    "component": null,
    "properties": [
      { "name": "imageId", "value": "sha256:c8ee97f7052776ef223080741f61fcdf6a3a9107810ea9649f904aa4269fdac6" },
      { "name": "architecture", "value": "arm64" },
      { "name": "accountId", "value": "111122223333" },
      { "name": "resourceType", "value": "AWS_ECR_CONTAINER_IMAGE" }
    ]
  },
  "components": [
    {
      "type": "library",
      "name": "pip",
      "purl": "pkg:pypi/pip@22.0.4?path=usr/local/lib/python3.8/site-packages/pip-22.0.4.dist-info/METADATA",
      "bom-ref": "98dc550d1e9a0b24161daaa0d535c699"
    },
    {
      "type": "application",
      "name": "libss2",
      "purl": "pkg:dpkg/libss2@1.44.5-1+deb10u3?arch=ARM64&epoch=0&upstream=libss2-1.44.5-1+deb10u3.src.dpkg",
      "bom-ref": "2f4d199d4ef9e2ae639b4f8d04a813a2"
    },
    {
      "type": "application",
      "name": "liblz4-1",
      "purl": "pkg:dpkg/liblz4-1@1.8.3-1+deb10u1?arch=ARM64&epoch=0&upstream=liblz4-1-1.8.3-1+deb10u1.src.dpkg",
      "bom-ref": "9a6be8907ead891b070e60f5a7b7aa9a"
    },
    {
      "type": "application",
      "name": "mawk",
      "purl": "pkg:dpkg/mawk@1.3.3-17+b3?arch=ARM64&epoch=0&upstream=mawk-1.3.3-17+b3.src.dpkg",
      "bom-ref": "c2015852a729f97fde924e62a16f78a5"
    },
    {
      "type": "application",
      "name": "libgmp10",
      "purl": "pkg:dpkg/libgmp10@6.1.2+dfsg-4+deb10u1?arch=ARM64&epoch=2&upstream=libgmp10-6.1.2+dfsg-4+deb10u1.src.dpkg",
      "bom-ref": "52907290f5beef00dff8da77901b1085"
    },
    {
      "type": "application",
      "name": "ncurses-bin",
      "purl": "pkg:dpkg/ncurses-bin@6.1+20181013-2+deb10u3?arch=ARM64&epoch=0&upstream=ncurses-bin-6.1+20181013-2+deb10u3.src.dpkg",
      "bom-ref": "cd20cfb9ebeeadba3809764376f43bce"
    }
  ],
  "vulnerabilities": [
    {
      "id": "CVE-2022-40897",
      "affects": [
        { "ref": "a74a4862cc654a2520ec56da0c81cdb3" },
        { "ref": "0119eb286405d780dc437e7dbf2f9d9d" }
      ]
    }
  ]
}
```
SPDX 2.3 export example:

```json
{
  "name": "409870544328/EC2/i-022fba820db137c64/ami-074ea14c08effb2d8",
  "spdxVersion": "SPDX-2.3",
  "creationInfo": {
    "created": "2023-06-02T21:19:22Z",
    "creators": [
      "Organization: 409870544328",
      "Tool: Amazon Inspector SBOM Generator"
    ]
  },
  "documentNamespace": "EC2://i-022fba820db137c64/AMAZON_LINUX_2/null/x86_64",
  "comment": "",
  "packages": [
    {
      "name": "elfutils-libelf",
      "versionInfo": "0.176-2.amzn2",
      "downloadLocation": "NOASSERTION",
      "sourceInfo": "/var/lib/rpm/Packages",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:rpm/elfutils-libelf@0.176-2.amzn2?arch=X86_64&epoch=0&upstream=elfutils-libelf-0.176-2.amzn2.src.rpm"
        }
      ],
      "SPDXID": "SPDXRef-Package-rpm-elfutils-libelf-ddf56a513c0e76ab2ae3246d9a91c463"
    },
    {
      "name": "libcurl",
      "versionInfo": "7.79.1-1.amzn2.0.1",
      "downloadLocation": "NOASSERTION",
      "sourceInfo": "/var/lib/rpm/Packages",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:rpm/libcurl@7.79.1-1.amzn2.0.1?arch=X86_64&epoch=0&upstream=libcurl-7.79.1-1.amzn2.0.1.src.rpm"
        },
        {
          "referenceCategory": "SECURITY",
          "referenceType": "vulnerability",
          "referenceLocator": "CVE-2022-32205"
        }
      ],
      "SPDXID": "SPDXRef-Package-rpm-libcurl-710fb33829bc5106559bcd380cddb7d5"
    },
    {
      "name": "hunspell-en-US",
      "versionInfo": "0.20121024-6.amzn2.0.1",
      "downloadLocation": "NOASSERTION",
      "sourceInfo": "/var/lib/rpm/Packages",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:rpm/hunspell-en-US@0.20121024-6.amzn2.0.1?arch=NOARCH&epoch=0&upstream=hunspell-en-US-0.20121024-6.amzn2.0.1.src.rpm"
        }
      ],
      "SPDXID": "SPDXRef-Package-rpm-hunspell-en-US-de19ae0883973d6cea5e7e079d544fe5"
    },
    {
      "name": "grub2-tools-minimal",
      "versionInfo": "2.06-2.amzn2.0.6",
      "downloadLocation": "NOASSERTION",
      "sourceInfo": "/var/lib/rpm/Packages",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:rpm/grub2-tools-minimal@2.06-2.amzn2.0.6?arch=X86_64&epoch=1&upstream=grub2-tools-minimal-2.06-2.amzn2.0.6.src.rpm"
        },
        {
          "referenceCategory": "SECURITY",
          "referenceType": "vulnerability",
          "referenceLocator": "CVE-2021-3981"
        }
      ],
      "SPDXID": "SPDXRef-Package-rpm-grub2-tools-minimal-c56b7ea76e5a28ab8f232ef6d7564636"
    },
    {
      "name": "unixODBC-devel",
      "versionInfo": "2.3.1-14.amzn2",
      "downloadLocation": "NOASSERTION",
      "sourceInfo": "/var/lib/rpm/Packages",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:rpm/unixODBC-devel@2.3.1-14.amzn2?arch=X86_64&epoch=0&upstream=unixODBC-devel-2.3.1-14.amzn2.src.rpm"
        }
      ],
      "SPDXID": "SPDXRef-Package-rpm-unixODBC-devel-1bb35add92978df021a13fc9f81237d2"
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relatedSpdxElement": "SPDXRef-Package-rpm-elfutils-libelf-ddf56a513c0e76ab2ae3246d9a91c463",
      "relationshipType": "DESCRIBES"
    },
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relatedSpdxElement": "SPDXRef-Package-rpm-yajl-8476ce2db98b28cfab2b4484f84f1903",
      "relationshipType": "DESCRIBES"
    },
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relatedSpdxElement": "SPDXRef-Package-rpm-unixODBC-devel-1bb35add92978df021a13fc9f81237d2",
      "relationshipType": "DESCRIBES"
    }
  ],
  "SPDXID": "SPDXRef-DOCUMENT"
}
```
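The two exports above differ in where they keep the same facts: CycloneDX lists vulnerabilities separately and links them to components through `bom-ref`, while SPDX attaches CVEs to each package as `SECURITY` external references, and only the purl reliably carries the version in the CycloneDX form. The following Python, written for this page as an illustration (it is not Amazon Inspector code), normalises either format into one inventory and reports references that point at nothing, which both examples on this page contain: the CycloneDX `affects` refs match no listed component, and the SPDX `DESCRIBES` relationship for `yajl` names a package that is not in the document. The embedded samples are trimmed copies of the page's examples; in the CycloneDX sample one `affects` ref was changed to pip's `bom-ref` so that a resolved mapping is also shown.

```python
"""Normalise an Amazon Inspector SBOM export (CycloneDX 1.4 or SPDX 2.3) into one
component inventory. Illustrative code written for this page, not Amazon Inspector's."""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Component:
    name: str
    version: str                  # "" when the document carries no version
    purl: str                     # package URL, the stable join key across formats
    cves: List[str] = field(default_factory=list)


Unresolved = List[Tuple[str, str]]   # (referrer, id that matched nothing)


def _version_from_purl(purl: str) -> str:
    """Inspector's CycloneDX components carry no "version" key, so read it from the purl."""
    spec = purl.split("?", 1)[0]                  # drop qualifiers such as ?arch=...
    return spec.rsplit("@", 1)[1] if "@" in spec else ""


def parse_cyclonedx(doc: dict) -> Tuple[List[Component], Unresolved]:
    """Join vulnerabilities to components by bom-ref; report refs that match no component."""
    by_ref: Dict[str, Component] = {}
    for c in doc.get("components", []):
        purl = c.get("purl", "")
        by_ref[c["bom-ref"]] = Component(c["name"], c.get("version") or _version_from_purl(purl), purl)
    unresolved: Unresolved = []
    for vuln in doc.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            target = by_ref.get(affected["ref"])
            if target is None:
                unresolved.append((vuln["id"], affected["ref"]))
            else:
                target.cves.append(vuln["id"])
    return list(by_ref.values()), unresolved


def parse_spdx(doc: dict) -> Tuple[List[Component], Unresolved]:
    """Read each package's purl and SECURITY refs; report DESCRIBES targets missing from packages."""
    by_id: Dict[str, Component] = {}
    for pkg in doc.get("packages", []):
        purl, cves = "", []
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purl = ref["referenceLocator"]
            elif ref.get("referenceCategory") == "SECURITY" and ref.get("referenceType") == "vulnerability":
                cves.append(ref["referenceLocator"])
        by_id[pkg["SPDXID"]] = Component(pkg["name"], pkg.get("versionInfo", ""), purl, cves)
    dangling: Unresolved = []
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") == "DESCRIBES" and rel["relatedSpdxElement"] not in by_id:
            dangling.append((rel["spdxElementId"], rel["relatedSpdxElement"]))
    return list(by_id.values()), dangling


def load_inventory(text: str) -> Tuple[List[Component], Unresolved]:
    """Detect the format from the document itself and dispatch to the right parser."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return parse_cyclonedx(doc)
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return parse_spdx(doc)
    raise ValueError("not an Amazon Inspector CycloneDX or SPDX export")


# Constructed samples trimmed from the two exports shown on this page. In the CycloneDX
# sample one "affects" ref was changed to pip's bom-ref so a resolved mapping is shown;
# the other ref is left dangling exactly as in the page's example.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        {"type": "library", "name": "pip", "bom-ref": "98dc550d1e9a0b24161daaa0d535c699",
         "purl": "pkg:pypi/pip@22.0.4?path=usr/local/lib/python3.8/site-packages/pip-22.0.4.dist-info/METADATA"},
        {"type": "application", "name": "libss2", "bom-ref": "2f4d199d4ef9e2ae639b4f8d04a813a2",
         "purl": "pkg:dpkg/libss2@1.44.5-1+deb10u3?arch=ARM64&epoch=0&upstream=libss2-1.44.5-1+deb10u3.src.dpkg"},
    ],
    "vulnerabilities": [{"id": "CVE-2022-40897", "affects": [
        {"ref": "a74a4862cc654a2520ec56da0c81cdb3"}, {"ref": "98dc550d1e9a0b24161daaa0d535c699"}]}],
})

SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "libcurl", "versionInfo": "7.79.1-1.amzn2.0.1",
         "SPDXID": "SPDXRef-Package-rpm-libcurl-710fb33829bc5106559bcd380cddb7d5",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:rpm/libcurl@7.79.1-1.amzn2.0.1?arch=X86_64&epoch=0"},
                          {"referenceCategory": "SECURITY", "referenceType": "vulnerability",
                           "referenceLocator": "CVE-2022-32205"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-rpm-libcurl-710fb33829bc5106559bcd380cddb7d5"},
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-rpm-yajl-8476ce2db98b28cfab2b4484f84f1903"},
    ],
})
```

Feed `load_inventory` the text of a downloaded export; the second element of the result is the list of references that could not be resolved, which is worth surfacing in a pipeline rather than silently dropping, since a CVE whose `affects` ref matches nothing never reaches any component in the normalised view.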
Filters for SBOMs
When exporting SBOMs, you can include filters to create reports for specific subsets of resources. If you do not provide filters, SBOMs are exported for all actively monitored supported resources. If you are the delegated administrator, the resources of all member accounts are also included. The available filters are as follows:
- AccountId: use this filter to export SBOMs for any resources associated with a specific account ID.
- EC2 instance tags: use this filter to export SBOMs for EC2 instances with specific tags.
- Function name: use this filter to export SBOMs for specific Lambda functions.
- Image tags: use this filter to export SBOMs for container images with specific tags.
- Lambda function tags: use this filter to export SBOMs for Lambda functions with specific tags.
- Resource type: use this filter to filter by resource type: EC2, ECR, or Lambda.
- Resource ID: use this filter to export the SBOM for a specific resource.
- Repository name: use this filter to generate SBOMs for container images in a specific repository.
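As an added example, not Amazon's own code, the following Python maps the filters listed above onto the request shape of the Inspector2 `CreateSbomExport` API and validates the inputs before anything is sent. The field names (`reportFormat`, `s3Destination`, `resourceFilterCriteria` and its per-filter keys, the `comparison`/`key`/`value` entries) follow the API reference as understood when this was written and should be confirmed against the current reference; the bucket name, key ARN, repository and tag values are constructed placeholders, and the account ID is the page's own documentation example.

```python
"""Build a filtered Amazon Inspector CreateSbomExport request from the filters listed
on this page. Example code written for this page, not Amazon's own. API field names
follow the Inspector2 API reference as understood when this was written; confirm them
against the current reference before relying on them."""
from typing import Dict, Iterable, Optional, Tuple, Union

REPORT_FORMATS = {"CYCLONEDX_1_4", "SPDX_2_3"}
RESOURCE_TYPES = {"AWS_EC2_INSTANCE", "AWS_ECR_CONTAINER_IMAGE", "AWS_LAMBDA_FUNCTION"}

# page filter -> (resourceFilterCriteria key, whether it is a key/value tag filter)
FILTER_FIELDS = {
    "account_id":           ("accountId", False),
    "ec2_instance_tags":    ("ec2InstanceTags", True),
    "function_name":        ("lambdaFunctionName", False),
    "image_tags":           ("ecrImageTags", True),
    "lambda_function_tags": ("lambdaFunctionTags", True),
    "resource_type":        ("resourceType", False),
    "resource_id":          ("resourceId", False),
    "repository_name":      ("ecrRepositoryName", False),
}

FilterValue = Union[str, Tuple[str, str]]   # plain value, or (tag key, tag value)


def build_sbom_export_request(report_format: str, bucket: str, kms_key_arn: str,
                              key_prefix: Optional[str] = None,
                              filters: Optional[Dict[str, Iterable[FilterValue]]] = None) -> dict:
    """Return the keyword arguments for inspector2 create_sbom_export. Unknown formats,
    filter names and resource types are rejected here, before any API call."""
    if report_format not in REPORT_FORMATS:
        raise ValueError(f"unsupported reportFormat {report_format!r}")
    request: dict = {"reportFormat": report_format,
                     "s3Destination": {"bucketName": bucket, "kmsKeyArn": kms_key_arn}}
    if key_prefix:
        request["s3Destination"]["keyPrefix"] = key_prefix
    criteria: Dict[str, list] = {}
    for name, values in (filters or {}).items():
        if name not in FILTER_FIELDS:
            raise ValueError(f"unknown filter {name!r}")
        api_field, is_tag = FILTER_FIELDS[name]
        entries = []
        for value in values:
            if is_tag:
                key, tag_value = value                   # tag filters need both parts
                entries.append({"comparison": "EQUALS", "key": key, "value": tag_value})
            else:
                if name == "resource_type" and value not in RESOURCE_TYPES:
                    raise ValueError(f"unknown resource type {value!r}")
                entries.append({"comparison": "EQUALS", "value": value})
        criteria[api_field] = entries
    if criteria:                 # no filters: every actively monitored resource is exported
        request["resourceFilterCriteria"] = criteria
    return request


def start_export(request: dict, poll_seconds: int = 15) -> dict:
    """Submit the request and poll until the report finishes. Needs boto3 and AWS
    credentials, so it is not exercised offline."""
    import time
    import boto3                              # imported here so the builder has no dependency
    client = boto3.client("inspector2")
    report_id = client.create_sbom_export(**request)["reportId"]
    while True:
        status = client.get_sbom_export(reportId=report_id)
        if status["status"] in ("SUCCEEDED", "FAILED", "CANCELLED"):
            return status
        time.sleep(poll_seconds)


if __name__ == "__main__":
    # Constructed placeholder values; 111122223333 is the documentation example account.
    req = build_sbom_export_request(
        "CYCLONEDX_1_4", "example-sbom-export-bucket",
        "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID", key_prefix="sbom/",
        filters={"resource_type": ["AWS_ECR_CONTAINER_IMAGE"],
                 "repository_name": ["example-repo"],
                 "image_tags": [("env", "prod")]})
    print(req)
```

Validating the filter set locally matters because an export with no `resourceFilterCriteria` covers every monitored resource in the account (and, for a delegated administrator, every member account), so a typo that silently drops a filter produces a much larger and slower report than intended.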
Configuring and exporting SBOMs
To export SBOMs, you must first configure an Amazon S3 bucket and an AWS KMS key that Amazon Inspector is allowed to use. You can use filters to export SBOMs for a specific subset of resources. To export SBOMs for multiple accounts in an AWS organization, follow these steps while signed in as the Amazon Inspector delegated administrator.
Prerequisites
- A supported resource is being actively monitored by Amazon Inspector.
- An Amazon S3 bucket configured with a policy that allows Amazon Inspector to add objects to it. For information about configuring the policy, see Configuring export permissions.
- An AWS KMS key configured with a policy that allows Amazon Inspector to use it to encrypt your reports. For information about configuring the policy, see Configuring an AWS KMS key for export.
Note
If you previously configured an Amazon S3 bucket and an AWS KMS key for findings exports, you can use the same bucket and key for SBOM exports.
Choose your preferred access method to export SBOMs.