Upload SBOM using anchorectl

I’m trying to upload an SBOM to my Anchore Enterprise 5.8.0 demo instance (15d free).

/opt/quest # anchorectl --version
anchorectl 5.8.0
/opt/quest # anchorectl sbom upload --file sbom.json --name my-maven-project
Error: unknown command "sbom" for "anchorectl"

anchorectl was installed as per the documentation at Deploying AnchoreCTL | Anchore Enterprise Product Documentation.

The ultimate goal is to create an SBOM for a Java/Maven application in a GitLab CI pipeline and upload it to Anchore. I use syft for the first task and thought anchorectl would allow me to simplify interaction through the Anchore API.

Hiya! Thanks for the question.

I think this may be just a typo or a simple misunderstanding. From the --help of anchorectl, I think you probably missed the image part, which tells the utility you want to get (not upload) an SBOM from Enterprise for an image you upload.

anchorectl image sbom --help
Get image sbom in the native Anchore format

Usage:
  anchorectl image sbom IMAGE [flags]

Arguments:
  IMAGE:  the image reference (ID, digest, name:tag)

Flags:
  -f, --file string     write the SBOM content to a file (instead of STDOUT) (env: ANCHORECTL_FILE)
  -h, --help            help for sbom
  -o, --output string   report output format, options=[cyclonedx-json cyclonedx-xml spdx-json spdx-tag-value syft-json table text] (default "syft-json")
      --overwrite       write over existing SBOM files (env: ANCHORECTL_OVERWRITE)

For help regarding global flags, run --help on the root command

So probably something along the lines of:

anchorectl image add (imagename) ...

then

anchorectl image sbom (imagename) ...

There’s a blog post here which works through some examples.

Thanks for your feedback, much appreciated!

I think this may be just a typo or a simple misunderstanding.

Nope, that anchorectl sbom upload command comes straight from your blog at Anchore Enterprise Now Supports SBOM Import From ‘docker sbom’ | Anchore. Maybe it's outdated, i.e. newer versions don't support this anymore?

I don’t have an image.

It’s my understanding that Anchore can manage software components I release even though we don’t build images as release artifacts. Hence, I would use syft to first produce an SBOM (works just fine) and let Anchore take it from there. The question then is how to get the SBOM into Anchore, both the first time, i.e. for a new component, and for subsequent releases, i.e. a new version of an existing component.

Oof, that blog is even older. I’ll mark it for review. Apologies.

Are these the docs you’re looking for?

It uses the newer syntax for uploading an already existing SBOM, which looks like what you’re after, using anchorectl source add ...?

I was wondering… In Anchore terms, what is this thing that I want to manage in Anchore?

You pointed to “source”. Yet, I don’t actually care about source repository, branch, author, etc. I don’t need to see this in Anchore.

In my lingo I have “applications”, consisting of one or many “components” like backend, frontend of which I create releases. With every release I create one SBOM per component of said application. In software delivery terms, there is likely one package/deliverable per component.

This appears to align well with what I learned through Application Components | Anchore Enterprise Product Documentation

So, forgetting about that old sbom upload, I probably need to start with anchorectl application add <name> --description <description>? Yet, this is a dead end as well, and --verbose does not give me any more clues as to the root cause.

❯ env | grep -i anchore
ANCHORECTL_URL=http://ec2-more-numbers-here.compute-1.amazonaws.com:3000
ANCHORECTL_USERNAME=_api_key
ANCHORECTL_PASSWORD=anc:v1:rather-long-token-here
❯ ./anchorectl application --verbose add quest --description desc
[0000]  INFO anchorectl version: 5.8.0
error: 1 error occurred:
	* unable to add application: <!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot POST /v2/applications</pre>
</body>
</html>

Accessing http://ec2-more-numbers-here.compute-1.amazonaws.com:3000/admin/dashboard in the browser works ok.

There is a problem with your anchorectl config.

ANCHORECTL_URL is pointing towards your web UI; instead it needs to point towards the API (typically on port 8228). Also make sure your ALB or load balancer has exposed that port and/or is forwarding /v2 to the Anchore API service.

I also put some examples together on application / source code SBOM visibility here:

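A preflight check for the misconfiguration diagnosed above, as an added example that is not part of this thread or of anchorectl's own tooling. It assumes (not stated on the page) that the Anchore Enterprise API answers GET /v2/applications with a JSON body, while the web UI answers any /v2 path with an HTML error page like the "Cannot POST /v2/applications" page quoted in the thread; the 8228/3000 port hint is only the heuristic from the reply above, not a rule. ANCHORECTL_USERNAME and ANCHORECTL_PASSWORD are the variables already shown in the thread, and the HTML sample body is constructed from the quoted error page so the classifier can be exercised offline.

```shell
#!/bin/sh
# Preflight check: does ANCHORECTL_URL point at the Anchore API or at the web UI?
# Added example for this thread, not code from Anchore or anchorectl.
# Assumption: the API answers GET /v2/applications with JSON, the UI with an
# HTML error page (as seen in the thread). Port numbers below are a heuristic.

# Classify a response body: "api" for JSON, "ui" for an HTML page, else "unknown".
classify_response() {
  case "$1" in
    *"<!DOCTYPE html"*|*"<html"*) echo ui ;;
    "{"*|"["*)                    echo api ;;
    *)                            echo unknown ;;
  esac
}

# Port of a URL like http://host:3000/path; falls back to the scheme default.
url_port() {
  port=$(printf '%s\n' "$1" | sed -n 's#^[A-Za-z][A-Za-z0-9+.-]*://[^/:]*:\([0-9][0-9]*\).*#\1#p')
  if [ -n "$port" ]; then
    echo "$port"
  else
    case "$1" in https://*) echo 443 ;; *) echo 80 ;; esac
  fi
}

# Heuristic from the thread: 8228 is the usual API port, 3000 served the UI here.
port_hint() {
  case "$(url_port "$1")" in
    8228) echo api-default ;;
    3000) echo likely-ui ;;
    *)    echo unknown ;;
  esac
}

# Live check: GET /v2/applications with the same credentials anchorectl uses.
# Returns 0 only when the endpoint answers like the API.
check_anchore_url() {
  url="${1%/}"
  echo "port hint for $url: $(port_hint "$url")"
  body=$(curl -sS --max-time 10 -u "$ANCHORECTL_USERNAME:$ANCHORECTL_PASSWORD" \
    "$url/v2/applications") || { echo "request to $url/v2/applications failed"; return 1; }
  case "$(classify_response "$body")" in
    api) echo "OK: $url answers /v2 with JSON, looks like the API" ;;
    ui)  echo "WRONG TARGET: $url answers /v2 with HTML, looks like the web UI"; return 1 ;;
    *)   echo "unexpected response from $url/v2/applications"; return 1 ;;
  esac
}

# Constructed sample: the UI error page quoted in the thread, for an offline check.
SAMPLE_UI_BODY='<!DOCTYPE html>
<html lang="en"><head><meta charset="utf-8"><title>Error</title></head>
<body><pre>Cannot POST /v2/applications</pre></body></html>'

# Run the live check only when a URL is passed on the command line, e.g.
#   sh preflight.sh "$ANCHORECTL_URL"
if [ $# -gt 0 ]; then
  check_anchore_url "$1"
fi
```

Running it against the UI URL from the thread prints the "WRONG TARGET" line; against the API port it should print "OK". The response-body check matters more than the port hint, because a load balancer can front both services on any port, and the HTML-versus-JSON answer on /v2 is what anchorectl actually tripped over.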
Spot on, thanks! I didn’t know that the web UI and the API are instances on different ports. Those who installed Anchore only gave me the URL to the web UI. I now asked for the API URL.

This is gold. Exactly what I needed, thank you.
