SquashFS Archive Files

Generating SBOMs from SquashFS Archives

Overview

SquashFS archives share many characteristics with ISO files: both are read-only filesystem images that package applications, dependencies, and system files into a single distributable unit (SquashFS additionally compresses its contents). This similarity makes SquashFS archives excellent candidates for Software Bill of Materials (SBOM) generation using the Manifest CLI.

This guide walks you through the process of extracting a SquashFS archive and generating a comprehensive SBOM that captures all components, dependencies, and security-relevant information contained within the filesystem.

Prerequisites

Before you begin, ensure you have:

  • unsquashfs utility installed (part of the squashfs-tools package on most Linux distributions)
  • Manifest CLI installed and configured
  • A valid Manifest API token

The Extraction and SBOM Generation Process

Step 1: Extract the SquashFS Archive

SquashFS archives can be unpacked with the unsquashfs utility, which recreates the original filesystem tree, including all applications, configuration files, and dependencies that were present when the archive was built. Treat the archive as untrusted input: run unsquashfs as an unprivileged user, so that extracted files are owned by you (a setuid root binary inside the image does not become a setuid root binary on your scanning host) and device nodes it cannot create are skipped, and extract into a fresh directory, since unsquashfs refuses to write into an existing destination unless you pass -f.

# Extract the SquashFS archive into a temporary directory
unsquashfs -d manifest-temp-extracted-squash-folder postgis.squashfs

What's happening here:

  • unsquashfs is the extraction utility for SquashFS archives
  • -d manifest-temp-extracted-squash-folder specifies the destination directory for extraction
  • postgis.squashfs is your source SquashFS archive
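
Before handing an image you did not build yourself to unsquashfs, it is worth confirming that it really is a SquashFS 4 image and that it is not truncated. The following POSIX shell script is an added example, not part of the Manifest documentation or of squashfs-tools: it parses the fixed-layout superblock with od and shell arithmetic, reports the compression algorithm and block size, and refuses files whose magic, version, or claimed size do not fit. The function names (le_uint, squashfs_check, squashfs_comp_name, make_sample_header) are this example's own, and make_sample_header writes a constructed 96-byte superblock with no data blocks so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the Manifest docs or squashfs-tools): sanity-check
# the superblock of an untrusted SquashFS image before running unsquashfs.
# SquashFS 4.x superblock offsets, all fields little-endian:
#   0  u32 magic "hsqs" (0x73717368)   20 u16 compression id   28 u16 version major
#   12 u32 block_size                  22 u16 block_log        30 u16 version minor
#   40 u64 bytes_used (the image size the superblock claims)

# le_uint FILE OFFSET NBYTES: read NBYTES at OFFSET as an unsigned little-endian integer
le_uint() {
    _val=0; _shift=0
    for _b in $(od -An -tu1 -j "$2" -N "$3" "$1"); do
        _val=$(( _val + (_b << _shift) ))
        _shift=$(( _shift + 8 ))
    done
    echo "$_val"
}

# Map the compression id field to the name mksquashfs uses for -comp
squashfs_comp_name() {
    case "$1" in
        1) echo gzip ;; 2) echo lzma ;; 3) echo lzo ;;
        4) echo xz ;;   5) echo lz4 ;;  6) echo zstd ;;
        *) echo "unknown($1)" ;;
    esac
}

# squashfs_check IMAGE: print a one-line summary and return 0, or return 1
# with the reason on stderr if the file is not a usable SquashFS 4 image.
squashfs_check() {
    _img=$1
    _size=$(wc -c 2>/dev/null < "$_img" | tr -d ' ')
    [ -n "$_size" ] || _size=0
    if [ "$_size" -lt 96 ]; then
        echo "$_img: smaller than a SquashFS superblock (96 bytes)" >&2; return 1
    fi
    if [ "$(le_uint "$_img" 0 4)" -ne 1936814952 ]; then   # 0x73717368 == "hsqs"
        echo "$_img: bad magic, not a little-endian SquashFS image" >&2; return 1
    fi
    _major=$(le_uint "$_img" 28 2); _minor=$(le_uint "$_img" 30 2)
    if [ "$_major" -ne 4 ]; then
        echo "$_img: SquashFS $_major.$_minor, only the 4.x layout is parsed here" >&2; return 1
    fi
    _used=$(le_uint "$_img" 40 8)
    if [ "$_used" -gt "$_size" ]; then
        echo "$_img: superblock claims $_used bytes but file has $_size (truncated?)" >&2; return 1
    fi
    _comp=$(squashfs_comp_name "$(le_uint "$_img" 20 2)")
    echo "$_img: SquashFS $_major.$_minor compression=$_comp block_size=$(le_uint "$_img" 12 4) bytes_used=$_used"
}

# make_sample_header FILE: write a constructed 96-byte superblock (no data
# blocks) for offline testing: 1234 inodes, 128 KiB blocks, xz, version 4.0,
# bytes_used = 96 so the size cross-check passes.
make_sample_header() {
    {
        printf 'hsqs'                                  # magic
        printf '\322\004\000\000'                      # inode_count = 1234
        printf '\000\000\000\000'                      # mod_time
        printf '\000\000\002\000'                      # block_size = 131072
        printf '\000\000\000\000'                      # fragment_entry_count
        printf '\004\000'                              # compression = 4 (xz)
        printf '\021\000'                              # block_log = 17
        printf '\000\000'                              # flags
        printf '\002\000'                              # id_count
        printf '\004\000\000\000'                      # version 4.0
        printf '\000\000\000\000\000\000\000\000'      # root_inode_ref
        printf '\140\000\000\000\000\000\000\000'      # bytes_used = 96
        dd if=/dev/zero bs=1 count=48 2>/dev/null      # remaining table offsets
    } > "$1"
}

# Usage: squashfs_check postgis.squashfs && unsquashfs -d manifest-temp-extracted-squash-folder postgis.squashfs
if [ $# -gt 0 ]; then
    squashfs_check "$1"
fi
```

The size cross-check catches the common failure mode of a partially downloaded image: unsquashfs would otherwise start extracting and stop with an error part-way through, leaving a tree that an SBOM scan would happily catalogue as if it were complete.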

Step 2: Generate and Upload the SBOM

Once extracted, the Manifest CLI can scan the entire filesystem to catalog all software components, their versions, licenses, and dependencies.

# Generate SBOM from the extracted filesystem and upload to Manifest
manifest-cli sbom manifest-temp-extracted-squash-folder -f UNsquashSBOM.json -n "UNsquash SBOM" --publish -k $your_api_token_key

Step 3: Clean Up Temporary Files

# Remove the temporary extraction directory
rm -rf manifest-temp-extracted-squash-folder

Understanding the Manifest CLI SBOM Command

The manifest-cli sbom command generates, uploads, and signs SBOMs. Here's what each parameter does in this specific command:

# Generate SBOM from the extracted filesystem and upload to Manifest
manifest-cli sbom manifest-temp-extracted-squash-folder -f UNsquashSBOM.json -n "UNsquash SBOM" --publish -k $your_api_token_key

Parameter Breakdown:

Parameter | Purpose | Details
manifest-cli sbom | Main command | Runs the SBOM generation command. It can scan source code directories, containers, or filesystems using tools like Syft or Trivy under the hood.
manifest-temp-extracted-squash-folder | Target directory | Points to the directory you want to scan. In this case, it's the directory where you extracted the SquashFS contents.
-f UNsquashSBOM.json | Output filename | Specifies the local filename for the SBOM output. Give it a descriptive name that makes sense for your project.
-n "UNsquash SBOM" | Asset name | This is what shows up in the Manifest dashboard when you view your assets. Pick something meaningful that your team will recognize.
--publish | Upload flag | Tells the tool to upload the SBOM to your Manifest account instead of just creating it locally.
-k $your_api_token_key | Authentication | Your API credentials for authenticating with Manifest. You'll get this from your account settings.

Complete Workflow Example

Here's the complete process in a single script:

#!/bin/bash
# Abort on the first failed step: without this, a failed extraction would be
# followed by uploading an SBOM of an empty or partial directory.
set -euo pipefail

# Configuration
SQUASHFS_FILE="postgis.squashfs"
SBOM_FILE="postgis-squashfs-sbom.json"
ASSET_NAME="PostGIS SquashFS SBOM"

# The API token comes from the environment; fail early rather than publishing with an empty key
: "${MANIFEST_API_TOKEN:?set MANIFEST_API_TOKEN to your Manifest API token}"

# Extract into a fresh temporary directory that is removed even if a step fails
WORK_DIR="$(mktemp -d)"
TEMP_DIR="$WORK_DIR/rootfs"
trap 'echo "Cleaning up temporary files..."; rm -rf "$WORK_DIR"' EXIT

# Step 1: Extract the SquashFS archive
echo "Extracting SquashFS archive..."
unsquashfs -d "$TEMP_DIR" "$SQUASHFS_FILE"

# Step 2: Generate and upload SBOM
echo "Generating SBOM and uploading to Manifest..."
manifest-cli sbom "$TEMP_DIR" -f "$SBOM_FILE" -n "$ASSET_NAME" --publish -k "$MANIFEST_API_TOKEN"

# Step 3: Clean up (done by the trap above on exit, successful or not)
echo "SBOM generation complete! Check your Manifest dashboard to view the results."

Reference: Creating a Sample SquashFS File for Testing

For reference, the sample postgis.squashfs file used in this example was created using the following Docker-based workflow:

# Create a temporary container from the PostGIS image
docker create --name temp-postgis postgis/postgis:17-3.5-alpine

# Create directory for extracted filesystem
mkdir postgis-rootfs

# Export container filesystem and extract it
docker export temp-postgis | tar -x -C postgis-rootfs/

# Create SquashFS archive with xz compression
mksquashfs postgis-rootfs/ postgis.squashfs -comp xz

# Clean up
docker rm temp-postgis
rm -rf postgis-rootfs

This approach demonstrates how container images can be converted to SquashFS archives for distribution and subsequent SBOM analysis. Note that docker export flattens the container into a single root filesystem and drops image metadata such as layer history and labels, so the resulting SBOM describes the files installed in the rootfs rather than the image's layer structure.


Next Steps: After generating your SBOM, visit the Manifest dashboard to explore the discovered components, review security vulnerabilities, and set up automated monitoring for your SquashFS-based deployment. Please reference our Getting Started guides for this.