Skip to content

Quickstart

Prerequisites

First ensure that mdsbom is installed and any required container engine configuration is applied.

For this example we will manually create a SBOM report using Syft and a SCA report using Grype. These are free and open source (with commercial support options) SBOM/SCA tools from Anchore. (No affiliation or endoresment is implied, we just like these tools).

Please download and install the syft and grype binaries somewhere in your PATH from the corresponding project's release page.

Run a container

Now that mdsbom is installed and configured, we can run a container on the host to populate the log with some data.

For this example, we will use the official redis image from Docker Hub as an example.

Create and run a container with docker run redis:latest (or similar, if an alternative container engine is in use).

Create a SBOM report

Using syft, create a SBOM report in SPDX format using e.g. syft packages docker:redis:latest --output spdx-json=redis_sbom.spdx.json.

Please feel free to inspect the generated SPDX output to see what is generated.

Create a SCA report

Using grype, create a SCA report in CycloneDX format from the above SBOM report using e.g. grype sbom:./redis_sbom.spdx.json --add-cpes-if-none --output cyclonedx-json=redis_sca.cyclonedx.json.

Be aware that Grype may automatically fetch an updated vulnerability database when run.

Please feel free to inspect the generated CycloneDX output to see what is generated.

Augment the generated reports with MDSBOM

We can now generate annotated versions of the provided SBOM and SCA reports containing evidence observed from the running instance of the container we created in step 1.

To do this, run 

mdsbom report --full-summary \
    --sbom-report-source redis_sbom.spdx.json \
    --sca-report-source redis_sca.cyclonedx.json \
    --sbom-report-out redis_sbom_out.spdx.json \
    --sca-report-out redis_sca_out.cyclonedx.json \
    redis:latest

We should see output such as:

SBOM source report created with id: clorg2f0b00onro300lpr0fgw
SCA source report created with id: clorg2f5300opro300lf2uzvc
SBOM derived report created with id: clorg2fa600orro30w9s7t4zz
Downloading SBOM derived report clorg2fa600orro30w9s7t4zz to redis_mdsbom.spdx
SCA derived report created with id: clorg2fe700otro30m0f1s738
Downloading SCA derived report clorg2fe700otro30m0f1s738 to redis_mdsbom.cyclonedx

Of 104 packages, 8 were observed in use at runtime (96 unused)
Of 179 vulnerabilities, 32 were observed in packages in use at runtime (147 unobserved)

  UNKNOWN     133 -> 31 (102 unobserved) 
    LOW       5 -> 1 (4 unobserved)      
  MEDIUM      26 -> 0 (26 unobserved)    
   HIGH       14 -> 0 (14 unobserved)    
 CRITICAL     1 -> 0 (1 unobserved)

Along with a full table of detected packages and vulnerabilities, together with information about if they were observed in use or not in our running container.

Please inspect the generated results and the two new report files to see the information MDSBOM has added.

Next steps

Check out our page on results to learn more about what information MDSBOM outputs.

Check out our page on deployment to learn about what scenarios MDSBOM can be deployed in, and how to configuring syncing to the Mayhem platform.

Check out our page on integrations to learn about shortcuts to make working with particular SBOM/SCA tools more convenient.