github.com/Racer159/jackal@v0.32.7-0.20240401174413-0bd2339e4f2e/docs/3-create-a-jackal-package/6-package-sboms.md (about)

# Package SBOMs

Jackal builds [Software Bill of Materials (SBOM)](https://www.linuxfoundation.org/tools/the-state-of-software-bill-of-materials-sbom-and-cybersecurity-readiness/) into packages to help with the management of software being brought into the air gap.  This page goes into detail on how these SBOMs are created and which parts of a package get an associated SBOM.  If you would like to see how to interact with SBOMs after they are built into a package, see the [View SBOMs page](../4-deploy-a-jackal-package/4-view-sboms.md) under Deploy a Jackal Package.

## How SBOMs are Generated

Jackal uses [Syft](https://github.com/anchore/syft) under the hood to provide SBOMs for container `images`, as well as `files` and `dataInjections` included in components.  This is run during the final step of package creation, and the SBOM information for a package is placed within an `sboms` directory at the root of the Jackal Package tarball.  Additionally, the SBOMs are created in the Syft `.json` format, which is a superset of all of the information that Syft can discover; this format is used so that we can provide the most information possible even when performing [lossy conversions to formats like `spdx-json` or `cyclonedx-json`](../4-deploy-a-jackal-package/4-view-sboms.md#sboms-built-into-packages).

If you were using the Syft CLI to create these SBOM files manually, this would be equivalent to the following commands:

```bash
# For `images` contained within the package
$ syft packages oci-dir:path/to/yourimage -o json > my-sbom.json
```

```bash
# For `files` or `dataInjections` contained within the package
$ syft packages file:path/to/yourproject/file -o json > my-sbom.json
```

:::note

Jackal uses the `file:` Syft SBOM scheme even if given a directory as the `files` or `dataInjections` source, since this generally provides more information (at the cost of execution speed).

:::

:::tip

Given that the Syft CLI is vendored into Jackal, you can run these commands with the Jackal binary as well:

```bash
# Syft is vendored as `jackal tools sbom`
$ jackal tools sbom scan file:path/to/yourproject/file -o json > my-sbom.json
```

:::