Export SBOM contained in native-image

[mhalbritter]

GraalVM's native-image has a feature where it can create a SBOM on native image build time and embed it. You can then use the native-image-inspect to extract the SBOM from the native image.

The GraalVM team would be open to expose an API in the graal-sdk to get the SBOM directly without the need of the native-image-inspect. We could add support for that in our actuator SBOM endpoint.

[mhalbritter]

@fniephaus Would it be possible to expose the embedded SBOM via a standard Java mechanism, e.g. a readable resource on the classpath or some custom URL scheme? Then we wouldn't need to add the dependency on the GraalVM SDK and it would work right now with Boot 3.3.0-RC1.

[fniephaus]

@mhalbritter I think that's technically feasible. Can you give an example or two how SBOMs are otherwise accessible via classpath/modulepath or a custom URL scheme?

[mhalbritter]

Sure. Take a look at this documentation here. If the SBOM would be on the classpath, you could just use classpath:sbom.json in the config to read it from /sbom.json.

[mhalbritter]

Native images now expose their SBOM under META-INF/native-image/sbom.json. We should take a look if it makes sense to automatically discover them.

[fniephaus]

The new SBOM on classpath feature is available in EA build 19 of Oracle GraalVM:

sdk install java 23.ea.19-graal

If you add --enable-sbom=classpath to the build arguments, the native image should contain a SBOM based on the static analysis under META-INF/native-image/sbom.json. Feel free to give this a go and let us know if there's any problem :)

[mhalbritter]

Until Spring Boot adds built-in support, here are the steps to get that working with the current Spring Boot version:

1. Add the flag

graalvmNative {
    binaries {
        main {
            buildArgs.add("--enable-sbom=classpath")
        }
    }
}

2. Make the SBOM known to Spring Boot:

management.endpoint.sbom.additional.native-image.location=optional:classpath:META-INF/native-image/sbom.json

Then a curl http://localhost:8080/actuator/sbom/native-image returns the SBOM.

[mhalbritter]

GraalVM 23 has been released and it contains the SBOM feature.

[mhalbritter]

With this implemented, all you need to do is

graalvmNative {
    binaries {
        main {
            buildArgs.add("--enable-sbom=classpath")
        }
    }
}

and Spring Boot will expose the SBOM with the native-image id.

[wilkinsona]

I wonder if we should configure this by default as a reaction to the native image plugin being applied. WDYT, @mhalbritter?

[mhalbritter]

We have to see if we can find out the GraalVM version used, as --enable-sbom=classpath only works with Graal 23 and above. I'll investigate.