SBOM

The BlueSpice Software Bill of Materials (SBOM) is upated for every release. It is formatted according to the SPDX specification and serialized as a JSON file.

Accessing the SBOM

There are several steps to access and scan the SBOM. The necessary commands expect the following parameters:

Parameter Possible values
edition pro, farm, free
version e.g. 5.1, 5.4.3
service Services differ depending on edition and version. Common services are:

wiki-task, proxy, cache, pdf, search, formula, diagram,...

First, pull the application image for the desired edition and version:

docker pull docker.bluespice.com/bluespice/$edition/wiki:$version

Then, inspect the attachments with ORAS (oras requires login data):

oras discover docker.bluespice.com/bluespice/$edition/wiki:$version

Do the same for service images:
Pull the image:

docker pull docker.bluespice.com/bluespice/$service:$version

Inspect the attachments:

oras discover docker.bluespice.com/bluespice/$service:$version


Download the attachments (provide the actual sha-string):

oras pull docker.bluespice.com/bluespice/$edition/wiki@sha265'shaofattachements'

or for services:

oras pull docker.bluespice.com/bluespice//$service@sha265'shaofattachements'


The SBOM file is located in your current folder as sbom.json.


You can now scan your SBOM files. Below is a scanning example for Trivy:

docker run --rm \ -v "$PWD:/work:ro" \ aquasec/trivy:0.72.0 \ sbom \ --severity CRITICAL \ --ignore-unfixed \ --exit-code 1 \ /work/sbom.json


PDF exclude - start

To submit feedback about this documentation, visit our community forum.

PDF exclude - end