[native-image-utils] Add extract embedded SBOM tool

[jerboaa]

Feature request

The GraalVM docs describe a tool for extracting embedded SBOMs from a built native image. Namely:

native-image-utils extract-sbom --image-path=/path/to/image

Unfortunately, the tool doesn't seem to be part of GraalVM CE and we'd like to contribute such a tool.

Is your feature request related to a problem? Please describe.

Oracle GraalVM supports the --enable-sbom option and embeds an SBOM in the produce native image in the binary. A similar feature is being discussed to get added to Mandrel 25 (embed an SBOM in native image that Quarkus generated). Provided somebody was able to generate a native image with an SBOM embedded it's hard to extract it from the binary. Having such a tool available would be helpful.

Describe the solution you'd like.

Add a tool, part of GraalVM, that works as described by the GraalVM docs to extract an gzip-compressed SBOM using the sbom and sbom_length symbols in an native image.

Describe who do you think will benefit the most.

All native-image users who care about what ended up in a native image binary (by the app dependencies).

Describe alternatives you've considered.

Use Oracle GraalVM, but that's not open source unfortunately. An alternative would be to open-source the Oracle GraalVM tool.

Aditional Context
An initial implementation should at least support Linux.

Express whether you'd like to help contributing this feature
We have a prototype of this for Linux (using libelf) and would be willing to contribute it. The tool could be optionally built (depending on the downstream distributor).

[jerboaa]

@thomaswue Thoughts? Would you be willing to accept such a contribution (or open source the respective Oracle GraalVM tool)?

[jerboaa]

/cc @vjovanov @zakkak

[thomaswue]

@jerboaa Can you share the sources of what you have currently in terms of SBOM generation and extraction? This would help us determine how to best merge in such functionality. We have no issue in principle with accepting such contribution; or combine it with what we have. We are also discussing the question to what extent native-image-utils should be a separate native-image-inspect/native-image-configure how it is in the previous releases; or a combined binary; or maybe even folded into the native-image binary itself. If you have opinions on this matter, let me know.

[jerboaa]

Thanks for the feedback!

@jerboaa Can you share the sources of what you have currently in terms of SBOM generation and extraction?

Note: this contribution is mainly about an embedded SBOM extraction tool. For us, SBOM generation is done by Quarkus. We'd then take the SBOM and embed it in the image verbatim. It's a larger set of libs which might not even end up in the image, but it's the set that was used as input to generate the native image. So the priority for us is to have a way to extract the embedded sbom (like syft scan does) and that is part of the native image generator bundle.

This would help us determine how to best merge in such functionality. We have no issue in principle with accepting such contribution; or combine it with what we have. We are also discussing the question to what extent native-image-utils should be a separate native-image-inspect/native-image-configure how it is in the previous releases; or a combined binary; or maybe even folded into the native-image binary itself. If you have opinions on this matter, let me know.

Sure. I have a patch for GraalVM 25 and need to finish the port to graal/master. Then will propose a PR. Happy to converge on the same tool you deem most appropriate. The plan is for us to backport to GraalVM 25, so it should be consistent with the docs there.

[jerboaa]

@thomaswue Code in #13394

[matneu]

Do note that we already upstreamed an Anchore Syft cataloger for native image SBOMs a while ago, supporting all major platforms: https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/java/graalvm_native_image_cataloger.go

[jerboaa]

Do note that we already upstreamed an Anchore Syft cataloger for native image SBOMs a while ago, supporting all major platforms: https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/java/graalvm_native_image_cataloger.go

Yes, thanks. It's still useful to have a tool part of the image generator that embeds the sbom. Or at least it would make GraalVM CE consistent with the docs.