GraalVM's native-image has a feature where it can create an SBOM at native image build time and embed it. You can then use native-image-inspect to extract the SBOM from the native image.
The GraalVM team would be open to exposing an API in the graal-sdk to get the SBOM directly without the need for native-image-inspect. We could add support for that in our actuator SBOM endpoint.
Comment From: mhalbritter
@fniephaus Would it be possible to expose the embedded SBOM via a standard Java mechanism, e.g. a readable resource on the classpath or some custom URL scheme? Then we wouldn't need to add the dependency on the GraalVM SDK and it would work right now with Boot 3.3.0-RC1.
Comment From: fniephaus
@mhalbritter I think that's technically feasible. Can you give an example or two how SBOMs are otherwise accessible via classpath/modulepath or a custom URL scheme?
Comment From: mhalbritter
Sure. Take a look at this documentation here. If the SBOM were on the classpath, you could just use classpath:sbom.json in the config to read it from /sbom.json.
Comment From: mhalbritter
Native images now expose their SBOM under META-INF/native-image/sbom.json. We should take a look if it makes sense to automatically discover them.
Comment From: fniephaus
The new SBOM on classpath feature is available in EA build 19 of Oracle GraalVM:
```
sdk install java 23.ea.19-graal
```
If you add --enable-sbom=classpath to the build arguments, the native image should contain an SBOM based on the static analysis under META-INF/native-image/sbom.json. Feel free to give this a go and let us know if there's any problem :)
Comment From: mhalbritter
Until Spring Boot adds built-in support, here are the steps to get that working with the current Spring Boot version:

- Add the flag:

```
graalvmNative {
    binaries {
        main {
            buildArgs.add("--enable-sbom=classpath")
        }
    }
}
```

- Make the SBOM known to Spring Boot:

```
management.endpoint.sbom.additional.native-image.location=optional:classpath:META-INF/native-image/sbom.json
```

Then a `curl http://localhost:8080/actuator/sbom/native-image` returns the SBOM.
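The classpath resource the steps above rely on can also be read directly from application code, which is handy for checking what actually went into an image. The following is an added example, not code from the thread or from Spring Boot; the class name is hypothetical, it uses Jackson (already present in a Spring Boot application), and it assumes the embedded SBOM uses the CycloneDX JSON layout.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

/** Reads the SBOM that native-image embeds when built with --enable-sbom=classpath. */
public final class NativeImageSbomReader {

    // Resource path from the thread; only present in images built with --enable-sbom=classpath.
    static final String SBOM_RESOURCE = "META-INF/native-image/sbom.json";

    /** Returns one identifier per component, or an empty list when no SBOM is embedded. */
    public static List<String> listComponents() throws IOException {
        ClassLoader loader = NativeImageSbomReader.class.getClassLoader();
        try (InputStream in = loader.getResourceAsStream(SBOM_RESOURCE)) {
            if (in == null) {
                // Running on the JVM, or the image was built without the flag: nothing to report.
                return List.of();
            }
            return listComponents(new ObjectMapper().readTree(in));
        }
    }

    /** Assumed CycloneDX layout: {"bomFormat":"CycloneDX","components":[{"name","version","purl"},...]}. */
    static List<String> listComponents(JsonNode sbom) {
        String format = sbom.path("bomFormat").asText();
        if (!"CycloneDX".equals(format)) {
            throw new IllegalStateException("Unexpected SBOM format: " + format);
        }
        List<String> result = new ArrayList<>();
        // path() on a missing "components" node yields an empty iterable, so a malformed SBOM gives [].
        for (JsonNode component : sbom.path("components")) {
            // The purl is what vulnerability tooling matches on; fall back to name@version if absent.
            String purl = component.path("purl").asText(null);
            result.add(purl != null ? purl
                    : component.path("name").asText() + "@" + component.path("version").asText());
        }
        return result;
    }

    public static void main(String[] args) throws IOException {
        listComponents().forEach(System.out::println);
    }
}
```

Run inside the native image to list what the static analysis recorded; on a plain JVM run the resource is absent and the list is empty.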
Comment From: mhalbritter
GraalVM 23 has been released and it contains the SBOM feature.
Comment From: mhalbritter
With this implemented, all you need to do is

```
graalvmNative {
    binaries {
        main {
            buildArgs.add("--enable-sbom=classpath")
        }
    }
}
```

and Spring Boot will expose the SBOM with the native-image id.
Comment From: wilkinsona
I wonder if we should configure this by default as a reaction to the native image plugin being applied. WDYT, @mhalbritter?
Comment From: mhalbritter
We have to see if we can find out the GraalVM version used, as --enable-sbom=classpath only works with Graal 23 and above. I'll investigate.