September 27-30, 2021
Seattle, Washington, USA + Virtual

Wednesday, September 29, 2021 • 11:30am - 12:20pm PDT
(VIRTUAL) Back to the Drawing Board: Building Containers with SBoMs - Nisha Kumar, VMware

A Software Bill of Materials or SBoM is a list of the software components that make up a software artifact, be it firmware, an OS, a VM, and yes, a container. We can generate an SBoM for a container image after the build using image scanners such as Clair, Trivy, Tern, and Syft. This method is not foolproof, however, because these tools rely on metadata present in the container filesystem (such as package manifests) in order to report on components. If a container goes through a multistage build, or through a tool like docker-slim that strips files to reduce the attack surface, that metadata is no longer in the final image. How do we get more accurate and consistent SBoMs for containers? We generate them at container build time. This talk demonstrates how to do that with tools like Tern, Buildah, and the OCI specification. We will get back to the basics of building containers, learn about the OCI specification, and make a container builder that generates an SBoM at build time.

Why should you care about this? Software industry concerns such as software supply chain security, data and legal compliance, and build repeatability can be addressed with an SBoM. Although this is generally straightforward for software built from scratch, 99% of software used today relies on open source components. This is especially hard for container creators, because containers are not patched but rebuilt, are based on previously built containers, and are often exposed to the internet in order to make an application "work". If the ecosystem could be repurposed to include accurate SBoMs at container build time, container developers would not need to rely on file-level static analyzers or guesswork in order to reason about the security and compliance posture and maintainability of their containers.
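The two approaches the abstract contrasts, as an added example that is not part of the talk or of Tern, Buildah or any other tool named above: a post-build scanner that reads the dpkg package database out of an extracted rootfs, beside a build-time recorder that snapshots that database after every build step and attributes each package to the step that introduced it. The dpkg status stanzas, file trees and build steps are constructed for this example, the rootfs is modelled as a path-to-content dict standing in for what `buildah mount` or `buildah run <ctr> cat /var/lib/dpkg/status` would give you, and the output layout only borrows a few SPDX field names; it is not a conforming SPDX document.

```python
"""Post-build scan of a slimmed image versus build-time SBoM capture.

All sample data below is constructed for illustration (hypothetical
Debian 11 package versions, a three-step build).
"""
import json


def parse_dpkg_status(text):
    """Return {name: version} for packages marked installed in a dpkg status file."""
    packages = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            # Continuation lines start with a space; only parse "Key: value" lines.
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields.get("Status") == "install ok installed" and "Package" in fields:
            packages[fields["Package"]] = fields["Version"]
    return packages


def scan_rootfs(rootfs):
    """Post-build scanner: reports only packages whose manifest survived in the image.

    `rootfs` is a {path: content} dict standing in for an extracted image.
    """
    status = rootfs.get("var/lib/dpkg/status")
    return parse_dpkg_status(status) if status else {}


class BuildTimeSbom:
    """Snapshots the package database after each build step and records which
    step (layer) introduced each package, so the record outlives later steps
    that strip the metadata."""

    def __init__(self, base_image):
        self.doc = {"name": base_image, "packages": [], "layers": []}
        self._current = {}  # package set after the most recent step with a manifest

    def after_step(self, command, rootfs):
        layer_id = "layer-%d" % len(self.doc["layers"])
        layer = {"id": layer_id, "command": command, "added": [], "note": None}
        status = rootfs.get("var/lib/dpkg/status")
        if status is None:
            # Manifest stripped (multistage COPY, docker-slim, rm -rf /var/lib/dpkg):
            # keep earlier records rather than silently reporting an empty image.
            layer["note"] = "package manifest absent; earlier records carried forward"
        else:
            now = parse_dpkg_status(status)
            for name, version in now.items():
                if self._current.get(name) != version:
                    self.doc["packages"].append(
                        {"name": name, "versionInfo": version, "layer": layer_id})
                    layer["added"].append(name)
            self._current = now
        self.doc["layers"].append(layer)
        return layer

    def to_json(self):
        return json.dumps(self.doc, indent=2)


# Constructed /var/lib/dpkg/status contents (hypothetical versions).
STATUS_BASE = """\
Package: libc6
Status: install ok installed
Version: 2.31-13+deb11u5
Architecture: amd64

Package: openssl
Status: install ok installed
Version: 1.1.1n-0+deb11u4
Architecture: amd64

Package: libssl1.1
Status: install ok installed
Version: 1.1.1n-0+deb11u4
Architecture: amd64
"""
STATUS_CURL = """
Package: curl
Status: install ok installed
Version: 7.74.0-1.3+deb11u7
Architecture: amd64
"""


def demo():
    """Run both approaches over a constructed three-step build."""
    base = {"var/lib/dpkg/status": STATUS_BASE,
            "usr/lib/x86_64-linux-gnu/libc.so.6": b"", "usr/bin/openssl": b""}
    installed = {**base, "var/lib/dpkg/status": STATUS_BASE + STATUS_CURL,
                 "usr/bin/curl": b""}
    # docker-slim style result: binaries kept, package database gone.
    slimmed = {"usr/bin/curl": b"", "usr/lib/x86_64-linux-gnu/libc.so.6": b"",
               "usr/lib/x86_64-linux-gnu/libssl.so.1.1": b""}

    post_build = scan_rootfs(slimmed)  # nothing to report: manifest is gone

    sbom = BuildTimeSbom("debian:11-slim")
    sbom.after_step("FROM debian:11-slim", base)
    sbom.after_step("RUN apt-get install -y curl", installed)
    sbom.after_step("docker-slim build (strip unused files)", slimmed)
    return post_build, sbom.doc


if __name__ == "__main__":
    post, doc = demo()
    print("post-build scan found:", post)
    print(json.dumps(doc, indent=2))
```

In a real Buildah-driven build the `rootfs` argument would be replaced by reading the package database from the working container after each `buildah run` step, before the final commit; the point the example makes is that the recorder's last step sees no manifest and keeps its earlier records, where the post-build scan of the same rootfs returns nothing.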


Nisha Kumar

Security Engineer, Oracle
Nisha is a Security Engineer at Oracle. She has been a DevOps engineer for embedded systems and a Radio Frequency Engineer in semiconductor manufacturing. She has been involved in Open Source for more than 15 years. You can follow her work on Twitter at @_ctlfsh

oss 2021 pptx

MeetingPlay Platform + Virtual Learning Lab