# Getting Software Versions from Chainguard Containers

URL: https://edu.chainguard.dev/chainguard/chainguard-images/how-to-use/version-info-chainguard-images.md
Last Modified: July 10, 2023
Tags: Chainguard Containers, Video

Video demonstration of how to get the software version information from Chainguard Containers

 Tools used in this video Docker Cosign Commands used cosign download attestation --platform=linux/amd64 \ --predicate-type=https://spdx.dev/Document \ cgr.dev/chainguard/python:latest | jq -r .payload | base64 -d \ | jq -r &#39;.predicate.packages[] | &#34;\(.name) \(.versionInfo)&#34;&#39;docker run cgr.dev/chainguard/wolfi-base ls /var/lib/db/sbom Transcript Hi, I want to record a very short video on how to get software version information out of Chainguard Containers.
0:14 This is particularly useful if you&rsquo;re using the public tier of Chainguard Containers and only have access to the latest tag and it can be difficult to ascertain the version that this refers to.
0:25 So all Chainguard Containers have an SBOM or Software Bill Of Materials associated with them.
0:31 This is a complex and long document, but we can parse it to extract just the info we are interested in.
0:38 Now the SBOM is stored as an attestation in the container registry.
0:42 And also in the image itself, we can download the SBOM from the registry by using the Cosign tool.
0:50 And let&rsquo;s look at an example of this.
0:53 So we have this script here.
0:57 And what the script is going to do is download the Linux amd64 version of Python — it&rsquo;s not going to get the image itself, but it&rsquo;s actually going to ask for this predicate type which is SPDX, which corresponds to the SBOM type — SPDX is an SBOM standard.
1:18 And once we have that, we&rsquo;re going to pass it through jq and base64 to decode it.
1:24 And then we&rsquo;re going to do a little bit more jq to extract the name and version info for each package.
1:33 So let&rsquo;s see that in action.
1:40 So down at the bottom here, we see the version information for Python, which is the main package we&rsquo;re interested in and we can see its version 3.11.4-r0.
1:53 But there&rsquo;s also full information on all the other packages and the image.
1:58 So you can see things like the version of glibc and readline, etc.
2:03 Now, in this case, I just asked for information on the latest tag.
2:07 If you have a downloaded image, you&rsquo;d want to use a digest of that image to get the correct details from the registry.
2:13 But alternatively, you can get the SBOM data direct from the image itself.
2:19 And let&rsquo;s take a look at an example of that.
2:24 So what I&rsquo;ve done here is run ls on the /var/lib/db/sbom directory inside the container and that&rsquo;s listed a bunch of JSON files, one for each package in the image.
2:39 Now these JSON files are actually SPDX documents, but the file names themselves contain the version info that we&rsquo;re interested in.
2:47 So we can see this image doesn&rsquo;t include a lot except busybox and a few system libraries.
2:55 Now, this works because wolfi-base includes a shell — busybox — with the ls command that we ran. But lots of Chainguard images don&rsquo;t have this.
3:05 So you&rsquo;ll need to either copy this /var/lib/db/sbom directory out with something like docker cp or use a -dev variant of the image that does include a shell and ls.
3:18 But there you have it two easy ways to get full version info on all packages in a Chainguard Container.
3:25 I hope that was helpful to you.