Downloading Linkerd SBOMs for BEL

Every release of Buoyant Enterprise for Linkerd (BEL) is accompanied by a Software Bill of Materials (SBOM) that lists the software components included in the release and their versions. SBOMs are available for each Docker image, along with Go and Rust dependencies.

Prerequisites:

  • Docker installed on your local machine
  • Credentials to access the BEL Azure Container Registry (ACR) provided on the Buoyant portal
  • ORAS CLI
  • jq

To download SBOMs for BEL Docker images:

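# Docker SBOMs
export BEL_VERSION=enterprise-2.15.2
for component in controller policy-controller proxy proxy-init; do
  image="buoyant.azurecr.io/enterprise-linkerd/$component:$BEL_VERSION"
  # Find the digest of the SBOM artifact attached to the image
  sbom_digest=$(
    oras discover -o json \
      --artifact-type sbom/example \
      "$image" | jq -r ".manifests[0].digest"
  )
  # jq prints "null" when no SBOM manifest is listed; skip instead of pulling image@null
  if [ -z "$sbom_digest" ] || [ "$sbom_digest" = "null" ]; then
    echo "no SBOM found for $image" >&2
    continue
  fi
  # Pull the SBOM by digest into the current directory
  oras pull -o ./ "$image@$sbom_digest"
done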

To download SBOMs for Go and Rust components:

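export BEL_VERSION=enterprise-2.15.2
# The container is only created, never started; the trailing argument is a placeholder command
id=$(docker create "buoyant.azurecr.io/cli:$BEL_VERSION" --entrypoint)
docker cp "$id:enterprise-linkerd.$BEL_VERSION.spdx.json" "enterprise-linkerd.$BEL_VERSION.spdx.json"
# Remove the temporary container once the file is copied
docker rm "$id"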

To download the Rust Cargo SBOMs:

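# Create (but do not start) a container so its filesystem can be listed and copied from
id=$(docker create buoyant.azurecr.io/cli:latest --entrypoint)
# List every file in the image whose path contains spdx.json
sboms=$(docker export "$id" | tar t | grep -F spdx.json)
for sbom in $sboms; do
  # Recreate the file's directory locally so the copy destination exists
  mkdir -p "$(dirname "$sbom")"
  docker cp "$id:$sbom" "$sbom"
done
# Remove the temporary container once the files are copied
docker rm "$id"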
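
Once SBOMs from two releases are on disk, comparing them shows which components were added, removed, or changed version between releases. The script below is an added example, not part of Buoyant's documentation or tooling; it assumes the files follow the SPDX 2.x JSON layout (a top-level packages array with name and versionInfo fields), and the sample documents and package names in it are constructed.

```python
import json
import sys


def constructed_doc(pkgs):
    # Builds a constructed SPDX 2.x JSON document (sample data, not real BEL SBOM content).
    return json.dumps({"spdxVersion": "SPDX-2.3", "packages": pkgs})


OLD_SBOM = constructed_doc([
    {"name": "example.com/go-module", "versionInfo": "v1.2.0"},
    {"name": "example-crate", "versionInfo": "0.3.1"},
])
NEW_SBOM = constructed_doc([
    {"name": "example.com/go-module", "versionInfo": "v1.3.0"},
    {"name": "example-unversioned"},
])


def inventory(spdx_text):
    """Return {package name: sorted list of versions} for one SPDX JSON document."""
    doc = json.loads(spdx_text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        raise ValueError("not an SPDX JSON document")
    found = {}
    for pkg in doc.get("packages", []):
        # versionInfo is optional in SPDX 2.x; record its absence explicitly.
        version = pkg.get("versionInfo", "NOASSERTION")
        found.setdefault(pkg["name"], set()).add(version)
    return {name: sorted(versions) for name, versions in found.items()}


def diff(old, new):
    """Compare two inventories: components added, removed, or with changed versions."""
    common = sorted(set(old) & set(new))
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": {n: (old[n], new[n]) for n in common if old[n] != new[n]},
    }


if __name__ == "__main__":
    # Usage: python sbom_diff.py OLD.spdx.json NEW.spdx.json
    # With no arguments, the constructed samples above are compared instead.
    if len(sys.argv) == 3:
        texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:3]]
    else:
        texts = [OLD_SBOM, NEW_SBOM]
    print(json.dumps(diff(inventory(texts[0]), inventory(texts[1])), indent=2))
```
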