Full Disk Images: Linux Based
This approach extracts the ISO, scans it for software components, generates the SBOM, then removes the temporary files to keep your workspace clean.
bsdtar is the utility we use to unpack the ISO image so that we can access the root filesystem and generate the SBOM. It is included by default on many Unix systems, including Mac and Linux, but not on all Linux distributions.
We will eventually add these full workflows to the Manifest CLI to help orchestrate SBOM generation and want to ensure you have the capability in the meantime.
mkdir iso-extracted
bsdtar -xf debian-sample.iso -C ./iso-extracted
manifest-cli sbom ./iso-extracted -f local-filename.json -n "Name of Asset in Platform"
rm -rf iso-extracted
Explanation:
mkdir iso-extracted
- Creates a working directory for the extracted ISO contents
bsdtar -xf debian-sample.iso -C ./iso-extracted
- Extracts the ISO file into your working directory so you can access the filesystem
manifest-cli sbom ./iso-extracted
- Scans the extracted ISO contents to generate the SBOM
-f local-filename.json
- Specifies what to name the SBOM file locally
-n "Name of Asset in Platform"
- Sets how this asset will appear in your Manifest dashboard
rm -rf iso-extracted
- Cleans up the temporary extraction directory after the SBOM is generated
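The same extract, scan and clean-up sequence as a reusable shell function, added here as an example and not part of Manifest's tooling: it extracts into a private mktemp directory and removes it even when a step fails, restoring write permission first because files extracted from an ISO are often read-only. The function name iso_sbom and the BSDTAR and MANIFEST_CLI override variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Manifest's own tooling. BSDTAR and MANIFEST_CLI are
# hypothetical override variables; they default to the commands on this page.
BSDTAR=${BSDTAR:-bsdtar}
MANIFEST_CLI=${MANIFEST_CLI:-manifest-cli}

# iso_sbom <image.iso> <sbom-output.json> <asset name>
# The body is a subshell, so its EXIT trap fires when the function finishes.
iso_sbom() (
    iso=$1 out=$2 name=$3
    [ -r "$iso" ] || { echo "cannot read ISO: $iso" >&2; exit 2; }
    for tool in "$BSDTAR" "$MANIFEST_CLI"; do
        command -v "$tool" >/dev/null 2>&1 ||
            { echo "missing required tool: $tool" >&2; exit 3; }
    done

    # Private, unpredictable directory instead of a fixed ./iso-extracted.
    work=$(mktemp -d "${TMPDIR:-/tmp}/iso-extracted.XXXXXX") || exit 4

    cleanup() {
        # Extracted ISO trees are often read-only; make them writable
        # again so rm -rf can delete the directories.
        chmod -R u+w "$work" 2>/dev/null
        rm -rf "$work"
    }
    trap cleanup EXIT
    trap 'exit 130' INT TERM

    # No -P flag: bsdtar then strips leading "/" and refuses ".." entries.
    "$BSDTAR" -xf "$iso" -C "$work" ||
        { echo "extraction failed: $iso" >&2; exit 5; }
    "$MANIFEST_CLI" sbom "$work" -f "$out" -n "$name" ||
        { echo "SBOM generation failed" >&2; exit 6; }
)

# Runs only when arguments are given, e.g.
#   sh iso-sbom.sh debian-sample.iso local-filename.json "Name of Asset in Platform"
if [ "$#" -ge 3 ]; then iso_sbom "$@"; fi
```

A non-zero exit status identifies the step that failed (2 unreadable ISO, 3 missing tool, 4 temp directory, 5 extraction, 6 SBOM generation), which makes the function usable as a CI gate.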
To upload directly to Manifest Platform:
manifest-cli sbom ./iso-extracted -f local-filename.json -n "Name of Asset in Platform" --publish -k $your_api_token_key
--publish
- Uploads the SBOM to your Manifest account automatically
-k $your_api_token_key
- Provides your API credentials for the upload