Downloading Linkerd SBOMs for Buoyant Enterprise for Linkerd

Every release of Buoyant Enterprise for Linkerd is accompanied by a Software Bill of Materials (SBOM) that lists the software components and their versions that are included in the release. SBOMs are available for each Docker image, along with Go and Rust dependencies.

  • Docker installed on your local machine
  • Credentials to access the BEL Azure Container Registry (ACR) provided on the Buoyant portal
  • ORAS CLI
  • jq

To download SBOMs for BEL Docker images:

# Docker SBOMs
export BEL_VERSION=enterprise-2.15.1
for component in controller policy-controller proxy proxy-init; do
  image=buoyant.azurecr.io/enterprise-linkerd/$component:$BEL_VERSION
  sbom_digest=$(
    oras discover -o json \
      --artifact-type sbom/example \
      $image | jq -r ".manifests[0].digest"
  )
  oras pull -o ./ $image@$sbom_digest
done

To download SBOMs for Go and Rust components:

export BEL_VERSION=enterprise-2.15.1
id=$(docker create buoyant.azurecr.io/cli:$BEL_VERSION --entrypoint)
docker cp $id:enterprise-linkerd.$BEL_VERSION.spdx.json enterprise-linkerd.$BEL_VERSION.spdx.json

To download the Rust Cargo SBOMs:

id=$(docker create buoyant.azurecr.io/cli:latest --entrypoint)
sboms=$(docker export $id | tar t | grep spdx.json)
for sbom in $sboms; do
  docker cp $id:$sbom $sbom
done