We Built the Kubernetes SBOM and Now You Can Write Your Own!


Authors:   Adolfo García Veytia


The presentation discusses the creation of a software bill of materials (S-BOM) for Kubernetes releases using SPDX and a custom tool.
  • The S-BOM includes source code, container images, binaries, packages, and dependencies.
  • The tool packages the S-BOM into more consumable documents for different tools to use.
  • The tool also generates an attestation file for compliance purposes.
  • Future directions include adding RPM and dev file analysis, merging efforts with the SPDX community, and adding validation and verification capabilities.
The speaker demonstrated the tool by running it and showing the resulting S-BOM and attestation file. They also discussed the need for consensus among different toolmakers on interpreting S-BOMs.


At the end of 2020, SIG Release set a goal to produce a Software Bill of Materials for Kubernetes to provide the community and downstream consumers with a verifiable manifest to attest the completeness and consistency of the artifacts built and published with each release. Adolfo will tell how the Release Engineering team built the Kubernetes SBOM and how this effort resulted in a set of libraries and tools which can be leveraged by software developers and other projects to create their own SPDX-compliant Bill of Materials out of files and container images with automatic license detection. He will address the role an SBOM plays in the software supply chain puzzle, enumerating its benefits for developers and operators. He will do a review of the SPDX standard (Software Package Data Exchange) and the rich relationships between software components it can express. The session will feature a live demo of building an SPDX SBOM using said tools which are already available to download.