The ultimate goal is to create an SBOM for a Java/Maven application in a GitLab CI pipeline and upload it to Anchore. I use syft for the 1st task and thought anchorectl would allow me to simplify interaction through the Anchore API.
I think this may be just a typo or a simple misunderstanding. From the --help of anchorectl, I think you probably missed the image part, which tells the utility you want to get, not upload, an SBOM from Enterprise for an image you upload.
anchorectl image sbom --help
Get image sbom in the native Anchore format
Usage:
anchorectl image sbom IMAGE [flags]
Arguments:
IMAGE: the image reference (ID, digest, name:tag)
Flags:
-f, --file string write the SBOM content to a file (instead of STDOUT) (env: ANCHORECTL_FILE)
-h, --help help for sbom
-o, --output string report output format, options=[cyclonedx-json cyclonedx-xml spdx-json spdx-tag-value syft-json table text] (default "syft-json")
--overwrite write over existing SBOM files (env: ANCHORECTL_OVERWRITE)
For help regarding global flags, run --help on the root command
So probably something along the lines of:
anchorectl image add (imagename) ...
then
anchorectl image sbom (imagename) ...
There’s a blog post here which works through some examples.
It’s my understanding that Anchore can manage software components I release even though we don’t build images as release artifacts. Hence, I would use syft to first produce an SBOM (works just fine) and let Anchore take it from there. The Q then is how to get the SBOM into Anchore, both the first time, i.e. for a new component, and for subsequent releases, i.e. a new version of an existing component.
I was wondering… In Anchore terms, what is this thing that I want to manage in Anchore?
You pointed to “source”. Yet, I don’t actually care about the source repository, branch, author, etc. I don’t need to see this in Anchore.
In my lingo I have “applications”, consisting of one or many “components” like backend and frontend, of which I create releases. With every release I create one SBOM per component of said application. In software delivery terms, there is likely one package/deliverable per component.
So, forgetting about that old sbom upload, I probably need to start with anchorectl application add <name> --description <description>? Yet, this is a dead end as well, and --verbose does not give me any more clues as to the root cause.
ANCHORECTL_URL is pointing towards your web UI, and instead it needs to point towards the API (typically on port 8228). Also make sure your ALB or load balancer has exposed that port and/or is forwarding v2 to the Anchore API service.
I also put some examples together on application / source code SBOM visibility here:
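As an added example (not from the thread or from Anchore), here is a small preflight check for the mistake discussed above, plus the image add / image sbom sequence suggested earlier, wrapped for a GitLab CI job. It assumes ANCHORECTL_URL has the form scheme://host[:port][/path] (no IPv6 literals) and that the API listens on its default port 8228; the image name is a constructed placeholder.

```shell
#!/bin/sh
# Added example: check that ANCHORECTL_URL targets the Anchore API, not the web UI,
# then register an image and pull its SBOM back with anchorectl.
set -e

# Print the explicit port of a URL (empty if none). Assumes scheme://host[:port][/path].
anchore_api_port() {
  hostport=${1#*://}        # strip scheme
  hostport=${hostport%%/*}  # strip path
  case "$hostport" in
    *:*) printf '%s\n' "${hostport##*:}" ;;
    *)   printf '\n' ;;
  esac
}

# Succeed only when the URL names the API port (default 8228).
# A URL without a port, or on 443/80, is almost certainly the web UI.
check_anchorectl_url() {
  [ "$(anchore_api_port "$1")" = "8228" ]
}

# Register an image and fetch its SBOM as CycloneDX JSON (flags as in the help text).
# The SBOM is only available once Anchore has finished analysing the image.
fetch_image_sbom() {
  image="$1"; out="$2"
  anchorectl image add "$image"
  anchorectl image sbom "$image" -o cyclonedx-json -f "$out" --overwrite
}

# Only run against a real Anchore when invoked with an image name, e.g. in CI:
#   ./anchore-sbom.sh registry.example.com/app/backend:1.2.3   (constructed placeholder)
if [ $# -gt 0 ]; then
  if ! check_anchorectl_url "${ANCHORECTL_URL:-}"; then
    echo "ANCHORECTL_URL=${ANCHORECTL_URL:-<unset>} does not look like the API endpoint (port 8228)" >&2
    exit 1
  fi
  fetch_image_sbom "$1" "${2:-sbom.cdx.json}"
fi
```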
Spot on, thanks! I didn’t know that the web UI and the API are instances on different ports. Those who installed Anchore only gave me the URL to the web UI. I now asked for the API URL.