Skip to content

PBM-1710-SBOMS for PBM #369

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
rasika-chivate wants to merge 18 commits into
base: 2.15.0
Choose a base branch
from
+109 −1
Open

PBM-1710-SBOMS for PBM #369

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
2b58524
PBM-1710-SBOMS for PBM
rasika-chivate Jun 4, 2026
dd2262e
Create sboms-pbm.md
rasika-chivate Jun 4, 2026
5d21078
Update sboms-pbm.md
rasika-chivate Jun 4, 2026
6dae0b2
Update sboms-pbm.md
rasika-chivate Jun 8, 2026
b46e093
Update variables.yml
rasika-chivate Jun 8, 2026
f5e2ba7
Potential fix for pull request finding
rasika-chivate Jun 8, 2026
a4814be
Potential fix for pull request finding
rasika-chivate Jun 8, 2026
757051a
Potential fix for pull request finding
rasika-chivate Jun 8, 2026
d81878a
Pin Vale version in CI workflow
Copilot Jun 8, 2026
b146e66
Potential fix for pull request finding
rasika-chivate Jun 8, 2026
0e98fb2
Update sboms-pbm.md
rasika-chivate Jun 8, 2026
c11a1ae
Merge branch 'PBM-1710-SBOMS-for-PBM' of https://github.com/percona/p…
rasika-chivate Jun 8, 2026
c93e78a
update the variable "version"
rasika-chivate Jun 8, 2026
9841aec
Potential fix for pull request finding
rasika-chivate Jun 8, 2026
dd753bd
Potential fix for pull request finding
rasika-chivate Jun 8, 2026
1958a34
Update variables.yml
rasika-chivate Jun 8, 2026
8ac3948
Merge branch 'PBM-1710-SBOMS-for-PBM' of https://github.com/percona/p…
rasika-chivate Jun 8, 2026
b190e6d
Merge branch '2.15.0' into PBM-1710-SBOMS-for-PBM
rasika-chivate Jun 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
108 changes: 108 additions & 0 deletions docs/reference/sboms-pbm.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
# Software Bill of Materials

Check warning on line 1 in docs/reference/sboms-pbm.md

View workflow job for this annotation

GitHub Actions / vale

[vale] docs/reference/sboms-pbm.md#L1 

[Google.Headings] 'Software Bill of Materials' should use sentence-style capitalization.
Raw output 
{"message": "[Google.Headings] 'Software Bill of Materials' should use sentence-style capitalization.", "location": {"path": "docs/reference/sboms-pbm.md", "range": {"start": {"line": 1, "column": 3}}}, "severity": "WARNING"}

A Software Bill of Materials (SBOM) is a machine-readable inventory of the components and dependencies included in a software release. It helps you understand what is included in a build and assess potential security or compliance risks.

Starting with version <version>, every Percona Backup for MongoDB (PBM) release includes a [CycloneDX 1.6 :octicons-link-external-16:](https://cyclonedx.org/specification/overview/){:target="_blank"} SBOM in JSON format.
Comment thread
rasika-chivate marked this conversation as resolved.
Outdated
Comment thread
rasika-chivate marked this conversation as resolved.
Outdated

Comment on lines +5 to +6
## Why it matters

An SBOM helps you:

- Identify the components and dependencies included in a PCSM release.
Comment thread
rasika-chivate marked this conversation as resolved.
Outdated
- Assess known vulnerabilities using SBOM-compatible security scanners.
- Support security reviews, compliance processes, and software supply chain requirements.
- Verify the contents of deployed software artifacts.

## Where to find the SBOM

| Distribution method | SBOM location |
|---|---|
| Binary tarball | `Percona Backup for MongoDB.cdx.json` at the archive root |
Comment thread
rasika-chivate marked this conversation as resolved.
Outdated
| RPM package | `/usr/share/doc/percona-backup-mongodb/percona-backup-mongodb-<version>.cdx.json` |
| DEB package | `/usr/share/doc/percona-backup-mongodb/percona-backup-mongodb-<version>.cdx.json` |
| Docker image | Embedded in the image and available as an attached OCI artifact. See [Docker images](#docker-images).|


## Verifying and scanning the SBOM

The examples below use [Trivy :octicons-link-external-16:](https://trivy.dev/){:target="_blank"}. You can also use other CycloneDX-compatible scanners, such as [Grype :octicons-link-external-16:](https://github.com/anchore/grype){:target="_blank"} or Snyk.

Check warning on line 28 in docs/reference/sboms-pbm.md

View workflow job for this annotation

GitHub Actions / vale

[vale] docs/reference/sboms-pbm.md#L28 

[Vale.Spelling] Did you really mean 'Trivy'?
Raw output 
{"message": "[Vale.Spelling] Did you really mean 'Trivy'?", "location": {"path": "docs/reference/sboms-pbm.md", "range": {"start": {"line": 28, "column": 25}}}, "severity": "WARNING"}

Check warning on line 28 in docs/reference/sboms-pbm.md

View workflow job for this annotation

GitHub Actions / vale

[vale] docs/reference/sboms-pbm.md#L28 

[Vale.Spelling] Did you really mean 'Grype'?
Raw output 
{"message": "[Vale.Spelling] Did you really mean 'Grype'?", "location": {"path": "docs/reference/sboms-pbm.md", "range": {"start": {"line": 28, "column": 162}}}, "severity": "WARNING"}

Check warning on line 28 in docs/reference/sboms-pbm.md

View workflow job for this annotation

GitHub Actions / vale

[vale] docs/reference/sboms-pbm.md#L28 

[Vale.Spelling] Did you really mean 'Snyk'?
Raw output 
{"message": "[Vale.Spelling] Did you really mean 'Snyk'?", "location": {"path": "docs/reference/sboms-pbm.md", "range": {"start": {"line": 28, "column": 252}}}, "severity": "WARNING"}

### Binary tarball

```bash
# Confirm the SBOM is bundled
tar tzf percona-backup-mongodb-<version>-x86_64.tar.gz | grep cdx.json

# Extract and scan
tar xzf percona-backup-mongodb-<version>-x86_64.tar.gz \
-C /tmp percona-backup-mongodb-<version>/percona-backup-mongodb-<version>.cdx.json
trivy sbom --severity HIGH,CRITICAL --ignore-unfixed \
/tmp/percona-backup-mongodb-<version>/percona-backup-mongodb-<version>.cdx.json
```

### RPM package

Check warning on line 43 in docs/reference/sboms-pbm.md

View workflow job for this annotation

GitHub Actions / vale

[vale] docs/reference/sboms-pbm.md#L43 

[Google.Headings] 'RPM package' should use sentence-style capitalization.
Raw output 
{"message": "[Google.Headings] 'RPM package' should use sentence-style capitalization.", "location": {"path": "docs/reference/sboms-pbm.md", "range": {"start": {"line": 43, "column": 5}}}, "severity": "WARNING"}

```bash
# Confirm the package installs the SBOM
rpm -ql percona-backup-mongodb | grep cdx.json

# Scan it (replace 9.x with your RHEL/OL version)
trivy sbom --severity HIGH,CRITICAL --ignore-unfixed --distro redhat/9.x \
/usr/share/doc/percona-backup-mongodb/percona-backup-mongodb-<version>.cdx.json
```

### DEB package

Check warning on line 54 in docs/reference/sboms-pbm.md

View workflow job for this annotation

GitHub Actions / vale

[vale] docs/reference/sboms-pbm.md#L54 

[Google.Headings] 'DEB package' should use sentence-style capitalization.
Raw output 
{"message": "[Google.Headings] 'DEB package' should use sentence-style capitalization.", "location": {"path": "docs/reference/sboms-pbm.md", "range": {"start": {"line": 54, "column": 5}}}, "severity": "WARNING"}

```bash
# Confirm the package installs the SBOM
dpkg -L percona-backup-mongodb | grep cdx.json

# Scan it
trivy sbom --severity HIGH,CRITICAL --ignore-unfixed \
/usr/share/doc/percona-backup-mongodb/percona-backup-mongodb-<version>.cdx.json
```

### Docker images

Each PBM Docker image (Docker Hub `percona/percona-backup-mongodb`, PerconaLab `perconalab/percona-backup-mongodb`) ships with **two** CycloneDX 1.6 SBOMs that describe overlapping scopes:

Check warning on line 67 in docs/reference/sboms-pbm.md

View workflow job for this annotation

GitHub Actions / vale

[vale] docs/reference/sboms-pbm.md#L67 

[Vale.Spelling] Did you really mean 'SBOMs'?
Raw output 
{"message": "[Vale.Spelling] Did you really mean 'SBOMs'?", "location": {"path": "docs/reference/sboms-pbm.md", "range": {"start": {"line": 67, "column": 150}}}, "severity": "WARNING"}

| SBOM | Scope | How to access |
|---|---|---|
| **Embedded** | PBM binary and Go modules only | Inside the image filesystem |
| **OCI-attached** | Full image — PBM and UBI9 base OS packages | Registry-side, via the OCI Referrers API |

Check failure on line 72 in docs/reference/sboms-pbm.md

View workflow job for this annotation

GitHub Actions / vale

[vale] docs/reference/sboms-pbm.md#L72 

[Google.EmDash] Don't put a space before or after a dash.
Raw output 
{"message": "[Google.EmDash] Don't put a space before or after a dash.", "location": {"path": "docs/reference/sboms-pbm.md", "range": {"start": {"line": 72, "column": 32}}}, "severity": "ERROR"}

Comment thread
rasika-chivate marked this conversation as resolved.

#### Scan via OCI Referrers API (recommended)

`trivy image --sbom-sources oci` fetches the attached SBOM via the OCI Referrers API and scans it, without pulling the image:

```bash
trivy image --severity HIGH,CRITICAL --ignore-unfixed --sbom-sources oci \
docker.io/percona/percona-backup-mongodb:<version>
```



#### Scan the embedded SBOM

Check warning on line 86 in docs/reference/sboms-pbm.md

View workflow job for this annotation

GitHub Actions / vale

[vale] docs/reference/sboms-pbm.md#L86 

[Google.Headings] 'Scan the embedded SBOM' should use sentence-style capitalization.
Raw output 
{"message": "[Google.Headings] 'Scan the embedded SBOM' should use sentence-style capitalization.", "location": {"path": "docs/reference/sboms-pbm.md", "range": {"start": {"line": 86, "column": 6}}}, "severity": "WARNING"}

To scan the embedded SBOM from inside the container image:

```bash
docker run --rm -it --entrypoint cat \
docker.io/percona/percona-backup-mongodb:<version> \
/usr/share/doc/percona-backup-mongodb/percona-backup-mongodb-<version>.cdx.json \
| trivy sbom --severity HIGH,CRITICAL --ignore-unfixed -
Comment on lines +90 to +93
```

#### Advanced: Inspect OCI-attached SBOMs with ORAS

Check warning on line 97 in docs/reference/sboms-pbm.md

View workflow job for this annotation

GitHub Actions / vale

[vale] docs/reference/sboms-pbm.md#L97 

[Google.Headings] 'Advanced: Inspect OCI-attached SBOMs with ORAS' should use sentence-style capitalization.
Raw output 
{"message": "[Google.Headings] 'Advanced: Inspect OCI-attached SBOMs with ORAS' should use sentence-style capitalization.", "location": {"path": "docs/reference/sboms-pbm.md", "range": {"start": {"line": 97, "column": 6}}}, "severity": "WARNING"}

Check warning on line 97 in docs/reference/sboms-pbm.md

View workflow job for this annotation

GitHub Actions / vale

[vale] docs/reference/sboms-pbm.md#L97 

[Vale.Spelling] Did you really mean 'SBOMs'?
Raw output 
{"message": "[Vale.Spelling] Did you really mean 'SBOMs'?", "location": {"path": "docs/reference/sboms-pbm.md", "range": {"start": {"line": 97, "column": 37}}}, "severity": "WARNING"}

You can use the [ORAS CLI :octicons-link-external-16:](https://oras.land/){:target="_blank"} to discover and download OCI-attached SBOMs.

Check warning on line 99 in docs/reference/sboms-pbm.md

View workflow job for this annotation

GitHub Actions / vale

[vale] docs/reference/sboms-pbm.md#L99 

[Google.WordList] Use 'command-line tool' instead of 'CLI'.
Raw output 
{"message": "[Google.WordList] Use 'command-line tool' instead of 'CLI'.", "location": {"path": "docs/reference/sboms-pbm.md", "range": {"start": {"line": 99, "column": 23}}}, "severity": "WARNING"}

Check warning on line 99 in docs/reference/sboms-pbm.md

View workflow job for this annotation

GitHub Actions / vale

[vale] docs/reference/sboms-pbm.md#L99 

[Vale.Spelling] Did you really mean 'SBOMs'?
Raw output 
{"message": "[Vale.Spelling] Did you really mean 'SBOMs'?", "location": {"path": "docs/reference/sboms-pbm.md", "range": {"start": {"line": 99, "column": 132}}}, "severity": "WARNING"}

```bash
# Use the per-architecture tag to resolve directly to the image manifest
oras discover --format tree \
docker.io/percona/percona-backup-mongodb:<version>-amd64

# Pull the SBOM artifact using the digest from the discover output
oras pull docker.io/percona/percona-backup-mongodb@sha256:<referrer-digest>
```
1 change: 1 addition & 0 deletions mkdocs-base.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -333,6 +333,7 @@ nav:
- 'Percona Backup for MongoDB 0.5.0 (2019-06-17)': 'release-notes/0.5.0.md'
- Reference:
- "About Percona Backup for MongoDB documentation": about-docs.md
- sboms-pbm.md
Comment thread
rasika-chivate marked this conversation as resolved.
Outdated
- reference/glossary.md
- Contribution guidelines: 'https://github.com/percona/pbm-docs/blob/main/CONTRIBUTING.md'
- Copyright and licensing: copyright.md
Expand Down
Loading