The SBOM Hub UI is now end of life and has been withdrawn as a product.
DataTrails are merging the capabilities of our SBOM Hub product, including the ability to publicly share an SBOM, into the main DataTrails platform. If you are using our SBOM Hub platform to publish SBOMs, you will need to migrate to the main DataTrails platform to be able to continue sharing SBOMs with your customers and partners.
Moving this functionality into DataTrails brings some simplification to the process of creating and sharing the SBOM, either publicly or privately, and provides a better link between those public and private SBOMs.
You can make use of other SBOM repositories (GitHub, Docker, etc.) while still using DataTrails as an independently verifiable evidence store for SCITT attestations. You can be as centralized or decentralized as each market demands, while keeping a golden thread of evidence that all can rely upon.
What do I need to do?
There are two areas that will change. First, the APIs that are used to upload an SBOM to the platform and, second, the user interface (UI) that provides a graphical interface for viewing and managing the sharing of SBOM assets.
You will need to move to the DataTrails APIs to upload your SBOMs and make them shareable. By using the DataTrails APIs you get access to public and permissioned assets in a single platform, which will simplify things for you and your customers.
To do this, you must login to your DataTrails account and navigate to the “Settings” section.
From there, choose “Integrations”.
Create a new Custom Integration for your SBOM uploads and copy the credentials (the Client ID and Secret) to be used in your API requests.
IMPORTANT: You have one chance to copy the secret when you create the app registration. If you leave or refresh the page it will be hidden and must be regenerated. We advise that you use a secure method of storage.
DataTrails uses the OpenID Connect Client Credentials Flow for authentication. This means using the Client ID and Secret from the step above to fetch a JSON Web Token (JWT) that is then used as a bearer token in REST calls.
To get the JWT, call the auth endpoint:
curl https://app.datatrails.ai/archivist/iam/v1/appidp/token --data-urlencode "grant_type=client_credentials" --data-urlencode "client_id=$CLIENTID" --data-urlencode "client_secret=$SECRET"
This returns a credentials structure with the JWT bearer token and an expiry time:
{
"access_token": "eyJhbGciOiJxYPHt0HCyMPz...0ftMGcRUaeTcepbfhN_HU",
"expires_in": 660,
"token_type": "Bearer"
}
If you have 'jq' and 'tr' available, the following script fragment easily creates a file with the JWT that can be passed to cURL, Postman or the like. The examples below all assume you store the JWT in a local file called '.token'. If you do this, please ensure the file is created with appropriately restricted permissions to prevent misuse.
RESPONSE=$(curl https://app.datatrails.ai/archivist/iam/v1/appidp/token --data-urlencode "grant_type=client_credentials" --data-urlencode "client_id=$CLIENTID" --data-urlencode "client_secret=$SECRET")
TOKEN=$(echo -n "$RESPONSE" | jq .access_token | tr -d '"')
# umask 077 makes sure .token is created readable and writable only by you
( umask 077; echo "$TOKEN" > .token )
Privately upload an SBOM for your own private repository storage
To store an SBOM in your private repository, simply POST the file to the assets endpoint (archivist/v2/assets), for example:
curl -X POST -H "Authorization: Bearer $(cat .token)" --data-binary "@C:\path\to\SBOM\json1.txt" "https://app.datatrails.ai/archivist/v2/assets"
As an example, json1.txt could contain:
{
"behaviours": ["Builtin", "RecordEvidence"],
"attributes": {
"arc_display_name": "SP SBOM 6 Private",
"arc_description": "Private Test SBOM from cURL",
"sbom_uuid": "987fg9d6gd78fg6ds87d5fs87fd6",
"sbom_component": "Logger",
"arc_display_type": "Software Package SBOM",
"sbom_version": "1.1.5",
"arc_profile": "Software Package",
"sbom_supplier": "Freemium Inc",
"sbom_author": "Dev team 1"
},
"proof_mechanism": "SIMPLE_HASH",
"public": false
}
If successful this returns the metadata record for the uploaded SBOM asset:
{
"identity": "assets/f53590f9-88eb-4afe-8fa7-6ba896a907b0",
"behaviours": [
"Builtin",
"RecordEvidence"
],
"attributes": {
"arc_profile": "Software Package",
"sbom_uuid": "987fg9d6gd78fg6ds87d5fs87fd6",
"arc_display_name": "SP SBOM 6 Private",
"sbom_author": "Dev team 1",
"sbom_supplier": "Freemium Inc",
"sbom_version": "1.1.5",
"sbom_component": "Logger",
"arc_display_type": "Software Package SBOM",
"arc_description": "Private Test SBOM from cURL"
},
"confirmation_status": "PENDING",
"tracked": "TRACKED",
"owner": "",
"at_time": "2023-04-18T14:54:25Z",
"storage_integrity": "TENANT_STORAGE",
"proof_mechanism": "SIMPLE_HASH",
"chain_id": "8275868384",
"public": false,
"tenant_identity": ""
}
- NOTE: This is an example and does not include the minimum necessary elements as recommended by NTIA. If you need to comply with the NTIA minimum elements, you can find more information here, and they can be included in your JSON file.
Much of the above has not changed from the existing SBOM workflow, but to share a public view of your SBOMs, you can now make use of our public attestation feature.
Upload an SBOM publicly for wider availability
To create your publicly shareable asset, use the same API commands as given above, with the "public" flag set to true, as shown below:
{
"behaviours": ["Builtin", "RecordEvidence"],
"attributes": {
"arc_display_name": "SP SBOM 6 Private",
"arc_description": "Private Test SBOM from cURL",
"sbom_uuid": "987fg9d6gd78fg6ds87d5fs87fd6",
"sbom_component": "Logger",
"arc_display_type": "Software Package SBOM",
"sbom_version": "1.1.5",
"arc_profile": "Software Package",
"sbom_supplier": "Freemium Inc",
"sbom_author": "Dev team 1"
},
"proof_mechanism": "SIMPLE_HASH",
"public": true
}
This public asset can then be shared anonymously with customers, who can verify its details.
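The token handling from the script fragment above and the private/public upload flow, as an added Python example that is not DataTrails' own code: it parses the token response, stores the JWT with owner-only file permissions, builds the asset body using the attributes shown on this page, and checks that the asset returned by the API has the visibility that was requested. The endpoint URL is the one given on this page; the function names are my own, and the live POST in upload_asset is the only part that needs network access.

```python
import json
import os
import urllib.request
ASSETS_URL = "https://app.datatrails.ai/archivist/v2/assets"  # endpoint from this page

def parse_token_response(body: str, now: float):
    """Return (jwt, expiry_epoch) from the appidp/token JSON body; expires_in is seconds."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer" or "access_token" not in data:
        raise ValueError("unexpected token response")
    return data["access_token"], now + int(data["expires_in"])

def write_token_file(path: str, token: str) -> int:
    """Store the JWT with mode 0600 so only the current user can read it; returns the mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token)
    return os.stat(path).st_mode & 0o777

def build_sbom_asset(name, component, version, supplier, author, sbom_uuid, public=False):
    """Asset body in the shape of the page's json1.txt; only 'public' differs between flows."""
    return {
        "behaviours": ["Builtin", "RecordEvidence"],
        "attributes": {
            "arc_display_name": name, "arc_display_type": "Software Package SBOM",
            "arc_profile": "Software Package", "sbom_uuid": sbom_uuid,
            "sbom_component": component, "sbom_version": version,
            "sbom_supplier": supplier, "sbom_author": author,
        },
        "proof_mechanism": "SIMPLE_HASH",
        "public": public,
    }

def check_asset_response(request: dict, response_body: str) -> str:
    """Confirm the created asset matches what was sent and return its identity."""
    resp = json.loads(response_body)
    if resp.get("public") != request["public"]:
        raise ValueError("visibility of created asset differs from request")
    if resp.get("attributes", {}).get("sbom_uuid") != request["attributes"]["sbom_uuid"]:
        raise ValueError("sbom_uuid mismatch")
    identity = str(resp.get("identity", ""))
    if not identity.startswith("assets/"):
        raise ValueError("no asset identity in response")
    return identity

def upload_asset(token: str, asset: dict) -> str:
    # Live POST with the bearer token; returns the new asset identity (needs network access)
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    req = urllib.request.Request(ASSETS_URL, json.dumps(asset).encode(), headers, method="POST")
    with urllib.request.urlopen(req) as r:
        return check_asset_response(asset, r.read().decode())
```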
The link to the public asset is available by locating your asset in the DataTrails UI and clicking the “copy” icon, next to the “Public” notation, as shown below:
The DataTrails UI is more powerful, offering a single area to manage not only your private and public SBOMs but also any type of asset that can benefit from attestation.