This directory contains the SBOMs for the containers used in the LLM example. An SBOM (Software Bill of Materials) is a machine-readable manifest of every dependency of a software package or container. The blueprint cross-references every entry in the SBOM against known vulnerabilities and then examines the code implementation to judge whether the vulnerable dependency actually puts users at risk, just as a security analyst would. An inaccurate or incomplete SBOM therefore silently narrows the analysis, so starting with an accurate SBOM is an important first step.
The expected SBOM format is a syft-table format, which is a human-readable table containing package information including name, version, and type. While syft supports multiple output formats (JSON, CycloneDX, SPDX), the blueprint expects the syft-table format for compatibility.
To generate an SBOM for a container, you can use syft.
To install syft, you can use the following command:
```shell
uv pip install syft
```

The following steps show how to generate an SBOM for the Morpheus container:

```shell
# Save the Morpheus repo directory
export VULN_ANALYSIS_ROOT=$(git rev-parse --show-toplevel)

# Change directory to the SBOMs directory
cd "${VULN_ANALYSIS_ROOT}/data/sboms"

# Disable colors for syft
export NO_COLORS=y

# Specify which container to generate an SBOM for
export CONTAINER="nvcr.io/nvidia/morpheus/morpheus:v24.03.02-runtime"

# The output path mirrors the image reference (registry/namespace/name:tag.sbom),
# so create the parent directories before syft writes the file
mkdir -p "$(dirname "${CONTAINER}")"

# Generate SBOM
syft scan "${CONTAINER}" -o "syft-table=${CONTAINER}.sbom"
```

To generate an SBOM for a list of containers, you can use the following script:
```shell
# Specify which containers to generate SBOMs for
export CONTAINERS=(
    "nvcr.io/nvidia/morpheus/morpheus:24.03-runtime"
    "nvcr.io/nvidia/morpheus/morpheus:23.11-runtime"
)

# Generate SBOMs, one file per image, under a directory tree
# that mirrors the image reference
for CONTAINER in "${CONTAINERS[@]}"; do
    mkdir -p "$(dirname "${CONTAINER}")"
    syft scan "${CONTAINER}" -o "syft-table=${CONTAINER}.sbom"
done
```

If you have an SBOM in a different format, you can convert it to syft-table format using syft's `convert` command:
```shell
syft convert cyclonedx.json -o syft-table=output.sbom
```
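The syft-table layout described above (a header row of NAME, VERSION and TYPE followed by whitespace-aligned rows) is what the blueprint consumes. As an added example, not part of this repository, the following script parses such a file into records and runs the sanity checks a reviewer would want before cross-referencing (duplicate entries, malformed rows, a per-ecosystem view). The SBOM text embedded in it is constructed for illustration; the package names and versions are not from a real scan.

```python
"""Parse a syft-table SBOM and sanity-check it before vulnerability lookup."""
import re
from collections import Counter

# Constructed sample in syft-table layout; not output from a real syft run.
SAMPLE_SBOM = """\
NAME                 VERSION          TYPE
bash                 5.1-6ubuntu1     deb
cryptography         41.0.7           python
libssl3              3.0.2-0ubuntu1   deb
numpy                1.26.4           python
numpy                1.26.4           python
"""

# syft pads columns with runs of spaces, so split on two or more spaces;
# a single space inside a cell value is preserved.
COLUMN_SPLIT = re.compile(r"\s{2,}")


def parse_syft_table(text):
    """Return a list of {name, version, type} dicts from syft-table text."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = [h.lower() for h in COLUMN_SPLIT.split(lines[0])]
    if header[:3] != ["name", "version", "type"]:
        raise ValueError(f"unexpected syft-table header: {lines[0]!r}")
    records = []
    for ln in lines[1:]:
        cells = COLUMN_SPLIT.split(ln)
        if len(cells) < len(header):
            # A row with fewer cells than the header means a column was lost
            # (for example, colour codes or wrapping); refuse rather than guess.
            raise ValueError(f"malformed row: {ln!r}")
        records.append(dict(zip(header, cells)))
    return records


def check_sbom(records):
    """Report duplicate (name, version, type) entries, which inflate findings."""
    seen = Counter((r["name"], r["version"], r["type"]) for r in records)
    return [f"duplicate entry: {'/'.join(k)} x{n}" for k, n in seen.items() if n > 1]


def by_ecosystem(records):
    """Group package names by TYPE so each ecosystem can be looked up separately."""
    groups = {}
    for r in records:
        groups.setdefault(r["type"], set()).add(r["name"])
    return groups
```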