Getting Software Versions from Chainguard Images
Tools used in this video
Commands used
cosign download attestation --platform=linux/amd64 \
--predicate-type=https://spdx.dev/Document \
cgr.dev/chainguard/python:latest | jq -r .payload | base64 -d \
| jq -r '.predicate.packages[] | "\(.name) \(.versionInfo)"'
docker run cgr.dev/chainguard/wolfi-base ls /var/lib/db/sbom
Transcript
Hi, I want to record a very short video on how to get software version information out of Chainguard Images.
0:14
This is particularly useful if you’re using the public tier of Chainguard Images and only have
access to the latest
tag and it can be difficult to ascertain the version that this refers to.
0:25 So all Chainguard Images have an SBOM or Software Bill Of Materials associated with them.
0:31 This is a complex and long document, but we can parse it to extract just the info we are interested in.
0:38 Now the SBOM is stored as an attestation in the container registry.
0:42 And also in the image itself, we can download the SBOM from the registry by using the Cosign tool.
0:50 And let’s look at an example of this.
0:53 So we have this script here.
0:57 And what the script is going to do is download the Linux amd64 version of Python — it’s not going to get the image itself, but it’s actually going to ask for this predicate type which is SPDX, which corresponds to the SBOM type — SPDX is an SBOM standard.
1:18 And once we have that, we’re going to pass it through jq and base64 to decode it.
1:24 And then we’re going to do a little bit more jq to extract the name and version info for each package.
1:33 So let’s see that in action.
1:40 So down at the bottom here, we see the version information for Python, which is the main package we’re interested in and we can see its version 3.11.4-r0.
1:53 But there’s also full information on all the other packages and the image.
1:58 So you can see things like the version of glibc and readline, etc.
2:03 Now, in this case, I just asked for information on the latest tag.
2:07 If you have a downloaded image, you’d want to use a digest of that image to get the correct details from the registry.
2:13 But alternatively, you can get the SBOM data direct from the image itself.
2:19 And let’s take a look at an example of that.
2:24 So what I’ve done here is run ls on the /var/lib/db/sbom directory inside the container and that’s listed a bunch of Jason files, one for each package in the image.
2:39 Now these JSON files are actually SPDX documents, but the file names themselves contain the the version info that we’re interested in.
2:47 So we can see this image doesn’t include a lot except busybox and a few system libraries.
2:55 Now, this works because wolfi-base includes a shell — busybox — with the ls command that we ran. But lots of Chainguard images don’t have this.
3:05
So you’ll need to either copy this /var/lib/db/sbom directory out with something like docker cp
or
use a -dev
variant of the image that does include a shell and ls.
3:18 But there you have it two easy ways to get full version info on all packages in a Chainguard Image.
3:25 I hope that was helpful to you.
Last updated: 2023-07-10 15:21