

# Amazon Inspector SBOM Generator
<a name="sbom-generator"></a>

 A Software Bill of Materials (SBOM) is [a formally structured list of components, libraries, and modules](https://docs.aws.amazon.com/whitepapers/latest/practicing-continuous-integration-continuous-delivery/software-bill-of-materials-sbom.html) required to build a piece of software. The Amazon Inspector SBOM Generator (Sbomgen) is a tool that produces an SBOM for archives, container images, directories, local systems, and compiled Go and Rust binaries. Sbomgen scans for files that contain information about installed packages. When Sbomgen finds a relevant file, it extracts package names, versions, and other metadata. Sbomgen then transforms the package metadata into a CycloneDX SBOM. You can use Sbomgen to generate the CycloneDX SBOM as a file or to STDOUT and send SBOMs to Amazon Inspector for vulnerability detection. You can also use Sbomgen as part of [the CI/CD integration](https://docs.aws.amazon.com/inspector/latest/user/scanning-cicd.html), which scans container images automatically as part of your deployment pipeline. 

## Supported packages types
<a name="sbomgen-supported"></a>

 Sbomgen collects inventory for the following package types: 
+  Alpine APK 
+  Debian/Ubuntu DPKG 
+  Red Hat RPM 
+  C# 
+  Go 
+  Java 
+  Node.js 
+  PHP 
+  Python 
+  Ruby 
+  Rust 

## Supported container image configuration checks
<a name="sbomgen-supported-configuration"></a>

 Sbomgen can scan standalone Dockerfiles and the build history of existing images for security issues. For more information, see [Amazon Inspector Dockerfile checks](https://docs.aws.amazon.com/inspector/latest/user/dockerfile-checks.html). 

## Installing Sbomgen
<a name="install-sbomgen"></a>

 Sbomgen is only available for Linux operating systems. 

 You must have Docker installed if you want Sbomgen to analyze locally cached images. Docker isn't required to analyze images exported as `.tar` files or images hosted in remote container registries. 

 Amazon Inspector recommends that you run Sbomgen from a system with at least the following hardware specs: 
+ 4x core CPU
+ 8 GB RAM

**To install Sbomgen**

1.  Download the latest Sbomgen zip file from the correct URL for your architecture: 

    Linux AMD64: [https://amazon-inspector-sbomgen.s3.amazonaws.com/latest/linux/amd64/inspector-sbomgen.zip](https://amazon-inspector-sbomgen.s3.amazonaws.com/latest/linux/amd64/inspector-sbomgen.zip) 

    Linux ARM64: [https://amazon-inspector-sbomgen.s3.amazonaws.com/latest/linux/arm64/inspector-sbomgen.zip](https://amazon-inspector-sbomgen.s3.amazonaws.com/latest/linux/arm64/inspector-sbomgen.zip) 

    Alternatively, you can download [previous versions of the Amazon Inspector SBOM Generator zip file](https://docs.aws.amazon.com/inspector/latest/user/sbom-generator-versions.html). 

1.  Unzip the download using the following command: 

    `unzip inspector-sbomgen.zip` 

1.  Check for the following files in the extracted directory: 
   +  `inspector-sbomgen` – This is the tool you will execute to generate SBOMs. 
   +  `README.txt` – This is the documentation for using Sbomgen. 
   +  `LICENSE.txt` – This file contains the software license for Sbomgen. 
   +  `licenses` – This folder contains license info for third party packages used by Sbomgen. 
   +  `checksums.txt` – This file provides hashes of the Sbomgen tool. 
   +  `sbom.json` – This is a CycloneDX SBOM for the Sbomgen tool. 
   +  `WhatsNew.txt` – This file contains a summarized change log, so you can view major changes and improvements between Sbomgen versions quickly. 

1.  (Optional) Verify the authenticity and integrity of the tool using the following command: 

    `sha256sum < inspector-sbomgen` 

    Compare the result with the contents of the `checksums.txt` file. 

1.  Grant executable permissions to the tool using the following command: 

    `chmod +x inspector-sbomgen` 

1.  Verify that Sbomgen is successfully installed using the following command: 

    `./inspector-sbomgen --version` 

    You should see the output similar to the following: 

    `Version: 1.X.X ` 
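As an added example that is not part of the AWS documentation or the Sbomgen distribution, the following Python script automates the checksum comparison in step 4 so it can gate the `chmod +x` in a CI job: it streams the binary through SHA-256 and compares the digest with the matching entry in `checksums.txt`. It assumes `checksums.txt` uses the sha256sum `<hex>  <filename>` line format; the files it verifies are constructed inline so the script runs offline.

```python
"""Verify the inspector-sbomgen binary against checksums.txt before executing it."""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 in 1 MiB chunks (the binary is large)."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksums(text: str) -> dict:
    """Parse sha256sum-style lines: '<64 hex chars>  <filename>'.

    The exact layout of checksums.txt is an assumption of this example, so
    any line that does not look like a sha256sum entry is ignored.
    """
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        hexdigest, name = parts
        if len(hexdigest) == 64 and all(c in "0123456789abcdefABCDEF" for c in hexdigest):
            # sha256sum prefixes the name with '*' when run in binary mode.
            entries[name.lstrip("*")] = hexdigest.lower()
    return entries


def verify_binary(binary_path: str, checksums_path: str) -> bool:
    """Return True only if checksums.txt lists the binary and the digest matches."""
    with open(checksums_path, encoding="utf-8") as f:
        expected = parse_checksums(f.read())
    name = os.path.basename(binary_path)
    if name not in expected:
        return False  # an unlisted file is treated as unverified, not as a pass
    actual = sha256_of_file(binary_path)
    return hmac.compare_digest(actual, expected[name])


def demo() -> tuple:
    """Constructed fixture: a fake 'inspector-sbomgen' file with a matching
    checksums.txt, verified before and after the file is tampered with."""
    with tempfile.TemporaryDirectory() as workdir:
        binary = os.path.join(workdir, "inspector-sbomgen")
        with open(binary, "wb") as f:
            f.write(b"not a real binary, constructed for this example\n")
        checksums = os.path.join(workdir, "checksums.txt")
        with open(checksums, "w", encoding="utf-8") as f:
            f.write(f"{sha256_of_file(binary)}  inspector-sbomgen\n")
        ok_before = verify_binary(binary, checksums)
        with open(binary, "ab") as f:
            f.write(b"tampered\n")
        ok_after = verify_binary(binary, checksums)
    return ok_before, ok_after


if __name__ == "__main__":
    print("intact: %s, tampered: %s" % demo())
```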

## Using Sbomgen
<a name="using-sbomgen"></a>

 This section describes different ways you can use Sbomgen. You can learn more about how to use Sbomgen through built-in examples. To view these examples, run the `list-examples` command: 

```
./inspector-sbomgen list-examples
```

### Generate an SBOM for a container image and output the result
<a name="w2aac37c11b7"></a>

 You can use Sbomgen to generate SBOMs for container images and output the result to a file. This capability can be enabled using the `container` subcommand. 

**Example command**  
 In the following snippet, you can replace *`image:tag`* with the ID of your image and *`output_path.json`* with the path to the output you want to save. 

```
# generate SBOM for container image
./inspector-sbomgen container --image image:tag -o output_path.json
```

**Note**  
 Scan time and performance depend on the image size and the number of layers. Smaller images not only improve Sbomgen performance, but also reduce the potential attack surface. Smaller images also improve image build, download, and upload times. 

 When using Sbomgen with [https://docs.aws.amazon.com/inspector/v2/APIReference/API_scan_ScanSbom.html](https://docs.aws.amazon.com/inspector/v2/APIReference/API_scan_ScanSbom.html), the Amazon Inspector Scan API won't process SBOMs that contain more than 5,000 packages. In this scenario, the Amazon Inspector Scan API returns an HTTP 400 response. 

 If an image includes bulk media files or directories, consider excluding them from Sbomgen using the `--skip-files` argument. 

**Example: Common error cases**  
 Container image scanning can fail due to the following errors: 
+  `InvalidImageFormat` – Occurs when scanning malformed container images with corrupt TAR headers, manifest files, or config files . 
+  `ImageValidationFailure` – Occurs when checksum or content-length validation fails for container image components, such as mismatched Content-Length headers, incorrect manifest digests, or failed SHA256 checksum verification. 
+  `ErrUnsupportedMediaType` – Occurs when image components include unsupported media types. For information about supported media types, see [Supported operating systems and media types](https://docs.aws.amazon.com/inspector/latest/user/scanning-ecr.html#ecr-supported-media). 

 Amazon Inspector does not support the `application/vnd.docker.distribution.manifest.list.v2+json` media type. However, Amazon Inspector does support manifest lists. When scanning images that use manifest lists, you can explicitly specify which platform to use with the `--platform` argument. If the `--platform` argument is not specified, the Amazon Inspector SBOM Generator automatically selects the manifest based on the platform where it's running. 

### Generate an SBOM from directories and archives
<a name="w2aac37c11b9"></a>

 You can use Sbomgen to generate SBOMs from directories and archives. This capability can be enabled using the `directory` or `archive` subcommands. Amazon Inspector recommends using this feature when you want to generate an SBOM from a project folder, such as a downloaded git repository. 

**Example command 1**  
 The following snippet shows a subcommand that generates an SBOM from a directory. 

```
# generate SBOM from directory
./inspector-sbomgen directory --path /path/to/dir -o /tmp/sbom.json
```

**Example command 2**  
 The following snippet shows a subcommand that generates an SBOM from an archive file. The only supported archive formats are `.zip`, `.tar`, and `.tar.gz`. 

```
# generate SBOM from archive file (tar, tar.gz, and zip formats only)
./inspector-sbomgen archive --path testData.zip -o /tmp/sbom.json
```

### Generate an SBOM from Go or Rust compiled binaries
<a name="w2aac37c11c11"></a>

 You can use Sbomgen to generate SBOMs from compiled Go and Rust binaries. You can enable this capability through the `binary` subcommand: 

```
./inspector-sbomgen binary --path /path/to/your/binary
```

### Generate an SBOM from mounted volumes
<a name="w2aac37c11c13"></a>

 You can use Amazon Inspector SBOM Generator to generate SBOMs from mounted volumes. This capability can be enabled using the `volume` subcommand. We recommend using this feature when you want to analyze storage volumes, such as Amazon EBS volumes that have been mounted to your system. Unlike the directory subcommand, mounted volume scanning detects OS packages and OS information. 

 You can scan an Amazon EBS volume by attaching it to an Amazon EC2 instance where Amazon Inspector SBOM Generator is installed and mounting it on that instance. For Amazon EBS volumes that are currently in use by other Amazon EC2 instances, you can create an Amazon EBS snapshot of the volume and then create a new Amazon EBS volume from that snapshot for scanning purposes. For more information about Amazon EBS, see [What is Amazon EBS?](https://docs.aws.amazon.com/ebs/latest/userguide/what-is-ebs.html) in the *Amazon Elastic Block Store User Guide*. 

**Example command**  
 The following snippet shows a subcommand that generates an SBOM from a mounted volume. The `--path` argument should specify the root directory where the volume is mounted. 

```
# generate SBOM from mounted volume
./inspector-sbomgen volume --path /mount/point/of/volume/root
```

**Example command**  
 The following snippet shows a subcommand that generates an SBOM from a mounted volume while excluding specific file paths with the `--exclude-suffix` argument. The `--exclude-suffix` argument is particularly useful when a volume contains bulk files (such as log files or media files). Files and directories whose paths end with the specified suffixes will be excluded from scanning, which can reduce scan time and memory usage. 

```
# generate SBOM from mounted volume with exclusions
./inspector-sbomgen volume --path /mount/point/of/volume/root \
--exclude-suffix .log \
--exclude-suffix cache
```

 All file paths in the target volume are normalized to their original paths. For example, when scanning a volume mounted at `/mnt/volume` that contains a file at `/mnt/volume/var/lib/rpm/rpmdb.sqlite`, the path will be normalized to `/var/lib/rpm/rpmdb.sqlite` in the generated SBOM. 

### Send an SBOM to Amazon Inspector for vulnerability identification
<a name="w2aac37c11c15"></a>

 In addition to generating an SBOM, you can send an SBOM for scanning with a single command from the Amazon Inspector Scan API. Amazon Inspector evaluates the contents of the SBOM for vulnerabilities before returning findings to Sbomgen. Depending on your input, the findings can be displayed or written to a file. 

**Note**  
 You must have an active AWS account with read permissions to `InspectorScan-ScanSbom` to use this capability. 

 To enable this capability, you pass the `--scan-sbom` argument to the Sbomgen CLI. You can also pass the `--scan-sbom` argument to any of the following Sbomgen subcommands: `archive`, `binary`, `container`, `directory`, `localhost`. 

**Note**  
 The Amazon Inspector Scan API doesn't process SBOMs with more than 5,000 packages. In this scenario, the Amazon Inspector Scan API returns an HTTP 400 response. 

 You can authenticate to Amazon Inspector through an AWS profile or an IAM role with the following AWS CLI arguments: 

```
--aws-profile profile
--aws-region region
--aws-iam-role-arn role_arn
```

 You can also authenticate to Amazon Inspector by providing the following environment variables to Sbomgen. 

```
AWS_ACCESS_KEY_ID=$access_key \
AWS_SECRET_ACCESS_KEY=$secret_key \
AWS_DEFAULT_REGION=$region \
./inspector-sbomgen arguments
```

 To specify the response format, use the `--scan-sbom-output-format cyclonedx` argument or `--scan-sbom-output-format inspector` argument. 

**Example command 1**  
 This command creates an SBOM for the latest Alpine Linux release, scans the SBOM, and writes the vulnerability results to a JSON file. 

```
./inspector-sbomgen container --image alpine:latest \
                          --scan-sbom \
                          --aws-profile your_profile \
                          --aws-region your_region \
                          --scan-sbom-output-format cyclonedx \
                          --outfile /tmp/inspector_scan.json
```

**Example command 2**  
 This command authenticates to Amazon Inspector using AWS credentials as environment variables. 

```
AWS_ACCESS_KEY_ID=$your_access_key \
AWS_SECRET_ACCESS_KEY=$your_secret_key \
AWS_DEFAULT_REGION=$your_region \
./inspector-sbomgen container --image alpine:latest \
                          -o /tmp/sbom.json \
                          --scan-sbom \
                          --scan-sbom-output-format inspector
```

**Example command 3**  
 This command authenticates to Amazon Inspector using the ARN for an IAM role. 

```
./inspector-sbomgen container --image alpine:latest \
                          --scan-sbom \
                          --aws-profile your_profile \
                          --aws-region your_region \
                          --outfile /tmp/inspector_scan.json \
                          --aws-iam-role-arn arn:aws:iam::123456789012:role/your_role
```

### Use additional scanners to enhance detection capabilities
<a name="w2aac37c11c17"></a>

 The Amazon Inspector SBOM Generator applies predefined scanners based on the command being used. 

**Default scanner groups**  
 Each Amazon Inspector SBOM Generator subcommand applies the following default scanner groups automatically. 
+  For the `directory` subcommand: binary, programming-language-packages, dockerfile scanner groups 
+  For the `localhost` subcommand: os, programming-language-packages, extra-ecosystems scanner groups 
+  For the `container` subcommand: os, programming-language-packages, extra-ecosystems, dockerfile, binary scanner groups 

**Special scanners**  
 To include scanners beyond the default scanner groups, use the `--additional-scanners` option followed by the name of the scanner to be added. The following is an example command showing how to do this. 

```
# Add WordPress installation scanner to directory scan
./inspector-sbomgen directory --path /path/to/directory/ --additional-scanners wordpress-installation -o output.json
```

 The following is an example command showing how to add multiple scanners with a comma-separated list. 

```
./inspector-sbomgen container --image image:tag --additional-scanners scanner1,scanner2 -o output.json
```

### Optimize container scans by adjusting maximum file size to scan
<a name="w2aac37c11c19"></a>

 When you analyze and process a container image, Sbomgen scans files that are 200 MB or less by default. Files larger than 200 MB rarely contain package metadata. You can encounter misses when you inventory a Go or Rust binary that exceeds 200 MB. To adjust the size limit, use the `--max-file-size` argument. This allows you to increase the limit to include large files and decrease the limit to reduce resource usage by excluding large files. 

**Example**  
 The following example shows how to use the `--max-file-size` argument to increase the file size. 

```
# Increase the file size limit to scan files up to 300 MB
./inspector-sbomgen container --image alpine:latest \
--outfile /tmp/sbom.json \
--max-file-size 300000000
```

 Adjusting this setting helps control disk usage, memory consumption, and overall scan duration. 

### Disable progress indicator
<a name="w2aac37c11c21"></a>

 Sbomgen displays a spinning progress indicator that can result in excessive slash characters in CI/CD environments. 

```
INFO[2024-02-01 14:58:46]coreV1.go:53: analyzing artifact
|
\
/
|
\
/
INFO[2024-02-01 14:58:46]coreV1.go:62: executing post-processors
```

 You can disable the progress indicator using the `--disable-progress-bar` argument: 

```
./inspector-sbomgen container --image alpine:latest \
--outfile /tmp/sbom.json \
--disable-progress-bar
```

## Authenticating to private registries with Sbomgen
<a name="authenticating-private-registry"></a>

 By providing your private registry authentication credentials, you can generate SBOMs from containers that are hosted in private registries. You can provide these credentials through the following methods: 

### Authenticate using cached credentials (recommended)
<a name="w2aac37c13b5"></a>

 For this method, you first authenticate to your container registry, and Sbomgen then reuses the cached credentials. 

1.  Authenticate to your container registry. For example, if using Docker, you can authenticate to your registry using the Docker `login` command: `docker login`. 

1.  After you authenticate to your container registry, use Sbomgen on a container image that's in the registry. To use the following example, replace *`image:tag`* with the name of the image to scan: 

```
./inspector-sbomgen container --image image:tag
```

### Authenticate using the interactive method
<a name="w2aac37c13b7"></a>

 For this method, provide your username as a parameter, and Sbomgen will prompt you for secure password entry when needed. 

 To use the following example, replace *`image:tag`* with the name of the image that you want to scan and *`your_username`* with a username that has access to the image: 

```
./inspector-sbomgen container --image image:tag --username your_username
```

### Authenticate using the non-interactive method
<a name="w2aac37c13b9"></a>

 For this method, store your password or registry token in a `.txt` file. 

**Note**  
 The current user should only be able to read this file. The file should also contain your password or token on a single line. 

 To use the following example, replace *`your_username`* with your username, *`password.txt`* with the `.txt` file that includes your password or token on a single line, and *`image:tag`* with the name of the image to scan: 

```
INSPECTOR_SBOMGEN_USERNAME=your_username \
INSPECTOR_SBOMGEN_PASSWORD=`cat password.txt` \
./inspector-sbomgen container --image image:tag
```
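The note above requires the `.txt` file to be readable only by the current user and to hold the secret on a single line. The following Python helper, an added example that is not part of the AWS documentation or Sbomgen, enforces both conditions before it builds the `INSPECTOR_SBOMGEN_USERNAME` / `INSPECTOR_SBOMGEN_PASSWORD` environment for the invocation above; the error messages and the token files it checks are constructed for the example.

```python
"""Validate the password/token file used by the non-interactive method before
exposing it to Sbomgen through INSPECTOR_SBOMGEN_PASSWORD."""
import os
import stat
import tempfile


def read_secret_file(path: str) -> str:
    """Return the token if the file satisfies the note above, else raise ValueError.

    Checked: regular file (symlinks rejected), owned by the current user,
    no group/other permission bits, exactly one non-empty line.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path}: not a regular file")
    if st.st_uid != os.getuid():
        raise ValueError(f"{path}: not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise ValueError(f"{path}: readable by group or others; run chmod 600")
    with open(path, encoding="utf-8") as f:
        lines = [line.strip() for line in f.read().splitlines() if line.strip()]
    if len(lines) != 1:
        raise ValueError(f"{path}: expected the password or token on a single line")
    return lines[0]


def sbomgen_env(username: str, secret_path: str) -> dict:
    """Environment for the non-interactive invocation shown above; the secret
    reaches Sbomgen through the environment, as in the documented command."""
    env = dict(os.environ)
    env["INSPECTOR_SBOMGEN_USERNAME"] = username
    env["INSPECTOR_SBOMGEN_PASSWORD"] = read_secret_file(secret_path)
    return env


def demo() -> tuple:
    """Constructed fixture: one correctly protected token file (mode 600) and
    one world-readable copy (mode 644), both checked offline."""
    with tempfile.TemporaryDirectory() as workdir:
        good = os.path.join(workdir, "password.txt")
        with open(good, "w", encoding="utf-8") as f:
            f.write("constructed-registry-token\n")
        os.chmod(good, 0o600)
        token = sbomgen_env("your_username", good)["INSPECTOR_SBOMGEN_PASSWORD"]

        loose = os.path.join(workdir, "loose.txt")
        with open(loose, "w", encoding="utf-8") as f:
            f.write("constructed-registry-token\n")
        os.chmod(loose, 0o644)
        try:
            read_secret_file(loose)
            rejected = False
        except ValueError:
            rejected = True
    return token, rejected


if __name__ == "__main__":
    print("token read: %s, world-readable file rejected: %s" % demo())
```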

## Example outputs from Sbomgen
<a name="sbom-examples"></a>

The following is an example of an SBOM for a container image inventoried using Sbomgen.

### Container image SBOM
<a name="container-sbom-example"></a>

```
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:828875ef-8c32-4777-b688-0af96f3cf619",
  "version": 1,
  "metadata": {
    "timestamp": "2023-11-17T21:36:38Z",
    "tools": [
      {
        "vendor": "Amazon Web Services, Inc. (AWS)",
        "name": "Amazon Inspector SBOM Generator",
        "version": "1.0.0",
        "hashes": [
          {
            "alg": "SHA-256",
            "content": "10ab669cfc99774786301a745165b5957c92ed9562d19972fbf344d4393b5eb1"
          }
        ]
      }
    ],
    "component": {
      "bom-ref": "comp-1",
      "type": "container",
      "name": "fedora:latest",
      "properties": [
        {
          "name": "amazon:inspector:sbom_generator:image_id",
          "value": "sha256:c81c8ae4dda7dedc0711daefe4076d33a88a69a28c398688090c1141eff17e50"
        },
        {
          "name": "amazon:inspector:sbom_generator:layer_diff_id",
          "value": "sha256:eddd0d48c295dc168d0710f70364581bd84b1dda6bb386c4a4de0b61de2f2119"
        }
      ]
    }
  },
  "components": [
    {
      "bom-ref": "comp-2",
      "type": "library",
      "name": "dnf",
      "version": "4.18.0",
      "purl": "pkg:pypi/dnf@4.18.0",
      "properties": [
        {
          "name": "amazon:inspector:sbom_generator:source_file_scanner",
          "value": "python-pkg"
        },
        {
          "name": "amazon:inspector:sbom_generator:source_package_collector",
          "value": "python-pkg"
        },
        {
          "name": "amazon:inspector:sbom_generator:source_path",
          "value": "/usr/lib/python3.12/site-packages/dnf-4.18.0.dist-info/METADATA"
        },
        {
          "name": "amazon:inspector:sbom_generator:is_duplicate_package",
          "value": "true"
        },
        {
          "name": "amazon:inspector:sbom_generator:duplicate_purl",
          "value": "pkg:rpm/fedora/python3-dnf@4.18.0-2.fc39?arch=noarch&distro=39&epoch=0"
        }
      ]
    },
    {
      "bom-ref": "comp-3",
      "type": "library",
      "name": "libcomps",
      "version": "0.1.20",
      "purl": "pkg:pypi/libcomps@0.1.20",
      "properties": [
        {
          "name": "amazon:inspector:sbom_generator:source_file_scanner",
          "value": "python-pkg"
        },
        {
          "name": "amazon:inspector:sbom_generator:source_package_collector",
          "value": "python-pkg"
        },
        {
          "name": "amazon:inspector:sbom_generator:source_path",
          "value": "/usr/lib64/python3.12/site-packages/libcomps-0.1.20-py3.12.egg-info/PKG-INFO"
        },
        {
          "name": "amazon:inspector:sbom_generator:is_duplicate_package",
          "value": "true"
        },
        {
          "name": "amazon:inspector:sbom_generator:duplicate_purl",
          "value": "pkg:rpm/fedora/python3-libcomps@0.1.20-1.fc39?arch=x86_64&distro=39&epoch=0"
        }
      ]
    }
  ]
}
```
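The SBOM above carries Sbomgen's own `amazon:inspector:sbom_generator:*` properties, and the Scan API section notes that `ScanSbom` rejects SBOMs with more than 5,000 packages. As an added example that is not part of the AWS documentation or Sbomgen, the following Python script runs those pre-flight checks on an SBOM file: it confirms the document is CycloneDX, counts packages against the documented limit, tallies components per source scanner, and lists the `is_duplicate_package` entries with the OS package (`duplicate_purl`) they shadow. The sample SBOM is a constructed, trimmed copy of the example above; the `requests` component and the image ID placeholder are not from the page.

```python
"""Pre-flight checks on a Sbomgen CycloneDX SBOM before calling ScanSbom."""
import json

# Documented limit: the Scan API returns HTTP 400 for SBOMs with more than
# 5,000 packages, so fail early instead of paying for the round trip.
SCAN_SBOM_MAX_PACKAGES = 5000

# Property namespace Sbomgen uses on components, as in the example output above.
PREFIX = "amazon:inspector:sbom_generator:"


def _props(obj: dict) -> dict:
    """Flatten a CycloneDX 'properties' list into a name -> value dict."""
    return {p["name"]: p["value"] for p in obj.get("properties", [])}


def preflight(sbom) -> dict:
    """Summarize a Sbomgen SBOM and decide whether ScanSbom will accept it.

    `sbom` is either the JSON text written with -o/--outfile or an already
    parsed dict. Raises ValueError if the document is not CycloneDX.
    """
    if isinstance(sbom, str):
        sbom = json.loads(sbom)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("ScanSbom expects a CycloneDX document")

    components = sbom.get("components", [])
    by_scanner = {}
    duplicates = {}
    for comp in components:
        props = _props(comp)
        scanner = props.get(PREFIX + "source_file_scanner", "unknown")
        by_scanner[scanner] = by_scanner.get(scanner, 0) + 1
        # A language package that is also installed through the OS package
        # manager is flagged as a duplicate; duplicate_purl names the OS copy,
        # which is the one the distribution's advisories track.
        if props.get(PREFIX + "is_duplicate_package") == "true":
            duplicates[comp["purl"]] = props.get(PREFIX + "duplicate_purl")

    image_props = _props(sbom.get("metadata", {}).get("component", {}))
    return {
        "spec_version": sbom.get("specVersion"),
        "image_id": image_props.get(PREFIX + "image_id"),
        "package_count": len(components),
        "by_scanner": by_scanner,
        "duplicates": duplicates,
        "scan_api_ok": len(components) <= SCAN_SBOM_MAX_PACKAGES,
    }


# Constructed sample, trimmed from the container image SBOM shown above.
# The image_id is a placeholder and the 'requests' component is invented.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {
            "bom-ref": "comp-1", "type": "container", "name": "fedora:latest",
            "properties": [
                {"name": PREFIX + "image_id", "value": "sha256:constructed-image-id"},
            ],
        }
    },
    "components": [
        {
            "bom-ref": "comp-2", "type": "library", "name": "dnf", "version": "4.18.0",
            "purl": "pkg:pypi/dnf@4.18.0",
            "properties": [
                {"name": PREFIX + "source_file_scanner", "value": "python-pkg"},
                {"name": PREFIX + "is_duplicate_package", "value": "true"},
                {"name": PREFIX + "duplicate_purl",
                 "value": "pkg:rpm/fedora/python3-dnf@4.18.0-2.fc39?arch=noarch&distro=39&epoch=0"},
            ],
        },
        {
            "bom-ref": "comp-3", "type": "library", "name": "requests", "version": "2.31.0",
            "purl": "pkg:pypi/requests@2.31.0",
            "properties": [
                {"name": PREFIX + "source_file_scanner", "value": "python-pkg"},
            ],
        },
    ],
})


if __name__ == "__main__":
    print(json.dumps(preflight(SAMPLE_SBOM), indent=2))
```

On a real file, pass `open("/tmp/sbom.json").read()` to `preflight` and gate the `--scan-sbom` run on `scan_api_ok`.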

# Previous versions of the Amazon Inspector SBOM Generator
<a name="sbom-generator-versions"></a>

 This topic includes links to the latest and previous versions of the Amazon Inspector SBOM Generator. For information about installing Sbomgen, see [Installing Sbomgen](https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html#install-sbomgen). 


| Platform | Version | SHA-256 checksum |
| --- | --- | --- |
| Linux AMD64 | [1.12.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.12.1/linux/amd64/inspector-sbomgen.zip) | 2d698b47d2a6ba0b431c1161bc1fba7bef4d9041546e624086d4b0dfff122a3f |
| Linux ARM64 | [1.12.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.12.1/linux/arm64/inspector-sbomgen.zip) | c76fe1bd84ffe9270921df1d708fc0e49c53aa7717d29a90d5cec3cee772f0c2 |
| Linux AMD64 | [1.12.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.12.0/linux/amd64/inspector-sbomgen.zip) | 1112b395281ea5d67e20062429bf1603ba6456746d6941f2edfa0ee0812b34b6 |
| Linux ARM64 | [1.12.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.12.0/linux/arm64/inspector-sbomgen.zip) | 25e618000ffc4aceaf002c2fa3e97d0564d376acc34e9e442cdd769f6c805248 |
| Linux AMD64 | [1.11.2](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.11.2/linux/amd64/inspector-sbomgen.zip) | bef68671bc532e4fb529500b62d7af8360123cd967308d41ad0ce8f43f7762fb |
| Linux ARM64 | [1.11.2](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.11.2/linux/arm64/inspector-sbomgen.zip) | 4f11d7037efa443f442c4edf7ba28774c4fa706fb7622e4fba645bb3ad3958c9 |
| Linux AMD64 | [1.11.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.11.1/linux/amd64/inspector-sbomgen.zip) | 809eb7cb80d24fbf6ffdd124438d53a907632c222e924913ebd61044ca949490 |
| Linux ARM64 | [1.11.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.11.1/linux/arm64/inspector-sbomgen.zip) | 057f9e4c9970aeda4bda0685e7e02436fd5223fbe81cec65138551c63ed77ba0 |
| Linux AMD64 | [1.11.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.11.0/linux/amd64/inspector-sbomgen.zip) | 5172a5556cf46f9fbc5cf1d35bd382919fb6b41aca1ec938db3a75530060b0cf |
| Linux ARM64 | [1.11.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.11.0/linux/arm64/inspector-sbomgen.zip) | c9e2da7b076dc89dc39a962a7dd9c7d1fd29230a4eec7eb95f951d6a179093d0 |
| Linux AMD64 | [1.10.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.10.1/linux/amd64/inspector-sbomgen.zip) | 9e33622a7874adfe719ab7db75a1e44f4b5fae3573374068b501c89f0accfcfe |
| Linux ARM64 | [1.10.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.10.1/linux/arm64/inspector-sbomgen.zip) | 78d5a7f800fc26ba86adab5b634431a91c007075e06d6ce46e50687d5156184e |
| Linux AMD64 | [1.10.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.10.0/linux/amd64/inspector-sbomgen.zip) | 0b7a553d7d2d17c40a62f1a11013bc46fa2c3814f407c11130e15af3fe313769 |
| Linux ARM64 | [1.10.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.10.0/linux/arm64/inspector-sbomgen.zip) | 5ce9e315a4f8f90ff5eed7ab058efc8dbff6593d66d3fc455f1c37e882ec6466 |
| Linux AMD64 | [1.9.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.9.1/linux/amd64/inspector-sbomgen.zip) | d0ef4c14fec6c42e70ae55b3e44d17d027132947596e8ef861c0efc3c0e5a871 |
| Linux ARM64 | [1.9.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.9.1/linux/arm64/inspector-sbomgen.zip) | 2d8145011c13f5611fc30f4510785d53e98b911717f6dbe69616af4d4b0df61f |
| Linux AMD64 | [1.9.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.9.0/linux/amd64/inspector-sbomgen.zip) | 78b377b2730eb15476173e40885454ae191e953663af3e0928dddfb8608f4655 |
| Linux ARM64 | [1.9.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.9.0/linux/arm64/inspector-sbomgen.zip) | 985bdc06d25eccb87c4a81995c8a2d3c78e1c02beea309a620b2de4954767591 |
| Linux AMD64 | [1.8.3](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.8.3/linux/amd64/inspector-sbomgen.zip) | 54eed5a772f68320f3906bec5920e3a19da904abdace10f985b87859015eef89 |
| Linux ARM64 | [1.8.3](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.8.3/linux/arm64/inspector-sbomgen.zip) | febd74a397fb0cdd3356072503f08465ab872d1620d59a2ab7d83bdb076c929d |
| Linux AMD64 | [1.8.2](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.8.2/linux/amd64/inspector-sbomgen.zip) | 2e4e3c754e230046349dd975feb48fa953ea5a2de190cbbc17c1c85043936b5a |
| Linux ARM64 | [1.8.2](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.8.2/linux/arm64/inspector-sbomgen.zip) | 449a49e222a2bdffe0353435d7b04b0556b35a391c7b9714ce46d1a5382bc3e2 |
| Linux AMD64 | [1.8.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.8.1/linux/amd64/inspector-sbomgen.zip) | 9ff7958e298d2b228b0c7617f0a9a873254587fc26aee9826c37273650b389e9 |
| Linux ARM64 | [1.8.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.8.1/linux/arm64/inspector-sbomgen.zip) | 6737584fd2c7d24b56777d02846d1737f47d0121344baea217a3e5368fd98fcc |
| Linux AMD64 | [1.8.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.8.0/linux/amd64/inspector-sbomgen.zip) | ef32e7fb4ee0af1e47d6b528b47293fc7127c7a7539f7354e84452626a4c204d |
| Linux ARM64 | [1.8.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.8.0/linux/arm64/inspector-sbomgen.zip) | 0b82ddc691a517bb8fc6ccd67b80ca566b117a1bb410c05764c9b7e3ba76c510 |
| Linux AMD64 | [1.7.3](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.7.3/linux/amd64/inspector-sbomgen.zip) | 3fba95d44aaea55ad06d3c7635a671662c483474578376d3f11e84474f8de25f |
| Linux ARM64 | [1.7.3](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.7.3/linux/arm64/inspector-sbomgen.zip) | 1f4b52e3d80de87b92b563a78bac4a2d898e7af82db5b6791d899d516e97cfbb |
| Linux AMD64 | [1.7.2](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.7.2/linux/amd64/inspector-sbomgen.zip) | c44ba9bf1cfeb3ea2d6d0b15d25816800a5045a438474f2f77c390bac41ae4cb |
| Linux ARM64 | [1.7.2](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.7.2/linux/arm64/inspector-sbomgen.zip) | d37c5b1605bf82260da0b0f36311c83b1646a4327c3fd8169ba4b3a978470c9c |
| Linux AMD64 | [1.7.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.7.1/linux/amd64/inspector-sbomgen.zip) | b0beb602a6ae439d4e307bd99682bc8a419fd7d5e78a278bfc718eb18e00b05e |
| Linux ARM64 | [1.7.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.7.1/linux/arm64/inspector-sbomgen.zip) | 95ff2d9df2fcd1982dd705df1e763f57a0b499b6fe06801e9a80869e2e464831 |
| Linux AMD64 | [1.7.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.7.0/linux/amd64/inspector-sbomgen.zip) | a6316c2ecd5fde7091d1099335f45f0e2400b3977c92ee4d72bd1eb359320e61 |
| Linux ARM64 | [1.7.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.7.0/linux/arm64/inspector-sbomgen.zip) | 9751ba5e5c6c6c0aef7d29b1c4adbd4088da3a07bb77eaa7de3f04aa33ad8562 |
| Linux AMD64 | [1.6.3](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.6.3/linux/amd64/inspector-sbomgen.zip) | b6a309e879aaa78d7d8e224eb5214df5fd415244d370885e6c8876db5a4181d2 |
| Linux ARM64 | [1.6.3](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.6.3/linux/arm64/inspector-sbomgen.zip) | 59ed0b7eb7d1eadadb691f058d32634a03a856ba03ac2ddb8cd3599ceb55cb9a |
| Linux AMD64 | [1.6.2](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.6.2/linux/amd64/inspector-sbomgen.zip) | 8d8ba06535be614a4d44b1bd74c66d1fd4874ff9ab788ad5e23aa5229db9c687 |
| Linux ARM64 | [1.6.2](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.6.2/linux/arm64/inspector-sbomgen.zip) | 2bd7b4a88b9c6b041a6ff82f7f9bc116b76cf410bf6eb896fc8d68e717b55f2a |
| Linux AMD64 | [1.6.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.6.1/linux/amd64/inspector-sbomgen.zip) | 3e3d62dc794b31d9d2de1904592cf42f25e9f42c30eb90cc53385a60b42f1a63 |
| Linux ARM64 | [1.6.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.6.1/linux/arm64/inspector-sbomgen.zip) | ad89f670908fb0b48bca0242f3ac58e7179f6fabfcc9a2b3fd0e5c3d79e27539 |
| Linux AMD64 | [1.6.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.6.0/linux/amd64/inspector-sbomgen.zip) | ffe671c2c1d1c2142a4af056d1c179eaffbc3925f5afaa6f3d655bd495ce5e1c |
| Linux ARM64 | [1.6.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.6.0/linux/arm64/inspector-sbomgen.zip) | a733c0b00c7225369c68ad47c57846b4546e2c9f47580ab98394baefc765c134 |
| Linux AMD64 | [1.5.5](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.5.5/linux/amd64/inspector-sbomgen.zip) | ebcfbe565631de5bc61b1d55d70a2d15b965f628678a2b60cffd01cd0c3443f1 |
| Linux ARM64 | [1.5.5](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.5.5/linux/arm64/inspector-sbomgen.zip) | a8e018ceee3a76dd4271f966015c216438b11ee807fcd970753e786baa335b56 |
| Linux AMD64 | [1.5.4](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.5.4/linux/amd64/inspector-sbomgen.zip) | aa8c1ffacc563b87975497f53eddec0b29397a898fac19f4902b8acb7eeb347b |
| Linux ARM64 | [1.5.4](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.5.4/linux/arm64/inspector-sbomgen.zip) | c6ba98d441aa88d3d3150449c098cd13ce3baeccee45ad4c9a1326f8bb8f87fc |
| Linux AMD64 | [1.5.3](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.5.3/linux/amd64/inspector-sbomgen.zip) | d493c23121101c9c3df888e717bf81d7f7b81809754f3492e1ae52f02b089b68 |
| Linux ARM64 | [1.5.3](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.5.3/linux/arm64/inspector-sbomgen.zip) | 8dfa5c97b3bd45da487706e95d1894290f53b113247bbb89b9fac16dab8184b6 |
| Linux AMD64 | [1.5.2](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.5.2/linux/amd64/inspector-sbomgen.zip) | ff6233d7da9f7e963589a0eb8f07bee2ca375360365cb6b6e354585cf1371910 |
| Linux ARM64 | [1.5.2](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.5.2/linux/arm64/inspector-sbomgen.zip) | fd31efb6031754b2bc8414d7fe9dd14a067767704145af0559b3500cc437c7ee |
| Linux AMD64 | [1.5.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.5.1/linux/amd64/inspector-sbomgen.zip) | 391fcc52117fed79cae6e92a9e225732166a6df2582aa7f6b5230149761f6732 |
| Linux ARM64 | [1.5.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.5.1/linux/arm64/inspector-sbomgen.zip) | f9bc90d18724f93db0f5ca3b79136adb7b49fa33fa179a5e87b4d512f256b56b |
| Linux AMD64 | [1.5.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.5.0/linux/amd64/inspector-sbomgen.zip) | d7b6cb84053358e462d76488d019140ecd05ad405217a60a96b727fb062880fe |
| Linux ARM64 | [1.5.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.5.0/linux/arm64/inspector-sbomgen.zip) | 067dcf5c302160a5270f89aed3f941bb0571dcb8a59f75dddb1b7747c2a82ec7 |
| Linux AMD64 | [1.4.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.4.0/linux/amd64/inspector-sbomgen.zip) | c8ca73761afd742e1deb98b04eb5714c9c2a574b652a763b18e23560e66aea24 |
| Linux ARM64 | [1.4.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.4.0/linux/arm64/inspector-sbomgen.zip) | 188d9757782278653e65605aaf186feda104345ba2f9de438873e568f1ff6204 |
| Linux AMD64 | [1.3.2](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.3.2/linux/amd64/inspector-sbomgen.zip) | 57dd5d135600e84690706cfe95860e78149988d37cf81429ce97b9256d179fb4 |
| Linux ARM64 | [1.3.2](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.3.2/linux/arm64/inspector-sbomgen.zip) | 91526ecdafc6cc3718fabe75b2693ace5effb9c0af3327b484b7f5a154929997 |
| Linux AMD64 | [1.3.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.3.1/linux/amd64/inspector-sbomgen.zip) | 097ec83907c459a36de11c92d016fffd64f1c33fd4bcbf2af465e0979b0d9237 |
| Linux ARM64 | [1.3.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.3.1/linux/arm64/inspector-sbomgen.zip) | aa93a3d402abc4a986a9ad9d3de8fcca81ee25a55596ac6dc4502ed1d6819502 |
| Linux AMD64 | [1.3.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.3.0/linux/amd64/inspector-sbomgen.zip) | 21439f92c314daf136832ca6676a65d288768aa69fc6dcd2014a3038b2701eeb |
| Linux ARM64 | [1.3.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.3.0/linux/arm64/inspector-sbomgen.zip) | 4a41779b0c3b32242eedef288de6c1bf40fda0d4246b32fd0cd8d4e51e58f94b |
| Linux AMD64 | [1.2.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.2.1/linux/amd64/inspector-sbomgen.zip) | e022e95e59f1790949bca8dbbb6478a5d3fb677ccd45aa4ba30ebd91ae86ad65 |
| Linux ARM64 | [1.2.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.2.1/linux/arm64/inspector-sbomgen.zip) | 824acc5bb5b0210954fe9ab089d9461453a4975d34292cc0c676837c3a7279b4 |
| Linux AMD64 | [1.2.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.2.0/linux/amd64/inspector-sbomgen.zip) | 9625b1a8ae1937ca2179c2535a0ffceca934138e0b66feac9ba3e34ffaa22ec5 |
| Linux ARM64 | [1.2.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.2.0/linux/arm64/inspector-sbomgen.zip) | 7f387e560b41571fb52efd9e620bf2b9e3a067ca781e88aaa977b2b8acdebf35 |
| Linux AMD64 | [1.1.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.1.1/linux/amd64/inspector-sbomgen.zip) | 6809b7e46675c66e3af354c53433dc46c4d1ddaf258e05ba15e38e784ea0285e |
| Linux ARM64 | [1.1.1](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.1.1/linux/arm64/inspector-sbomgen.zip) | 6361e59fb2448c66c4698ea33979ecaaefc2af4420034aabbbe741242f60dbdd |
|   Linux AMD64   Linux ARM64   |   [1.1.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.1.0/linux/amd64/inspector-sbomgen.zip)   [1.1.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.1.0/linux/arm64/inspector-sbomgen.zip)   |   f84c8815413d451490b38509950235f88713c0c61c7259a4831934995664bd8f   aaffefb5e44195dc55d5fd3289e511720f64c130644cbd58103cf7f36e96f058   | 
|   Linux AMD64   Linux ARM64   |   [1.0.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.0.0/linux/amd64/inspector-sbomgen.zip)   [1.0.0](https://amazon-inspector-sbomgen.s3.amazonaws.com/1.0.0/linux/arm64/inspector-sbomgen.zip)   |   cc126e24962f1a6497cf17679b3e3b73be68963c47e3968a56e73caacf045b5c   5d5bf97a4acfeaaa73ad6c918738188e0c822e475ef37a334e49d77ba907b08a   | 

# Amazon Inspector SBOM Generator comprehensive operating system collection
<a name="sbom-generator-operating-system-collection"></a>

 The Amazon Inspector SBOM Generator scans different operating systems to guarantee a robust and detailed analysis of system components. Generating an SBOM helps you understand the composition of your operating system, so you can identify vulnerabilities in system managed packages. This topic describes key features of different operating system package collections the Amazon Inspector SBOM Generator supports. For information about the operating systems that Amazon Inspector supports, see [Supported operating systems and programming languages for Amazon Inspector](https://docs.aws.amazon.com/inspector/latest/user/supported.html). 

## Supported operating system artifacts
<a name="w2aac37c21b7"></a>

 The Amazon Inspector SBOM Generator supports the following operating system artifacts: 


| Platform | Binary | Source | Stream | 
| --- | --- | --- | --- | 
|  Alma Linux  |  N/A  |  Yes  |  Yes  | 
|  Alpine Linux  |  Yes  |  Yes  |  N/A  | 
|  Amazon Linux  |  N/A  |  Yes  |  N/A  | 
|  CentOS  |  N/A  |  Yes  |  N/A  | 
|  Chainguard  |  Yes  |  Yes  |  N/A  | 
|  Debian  |  Yes  |  Yes  |  N/A  | 
|  Distroless  |  Yes  |  Yes  |  N/A  | 
|  Fedora  |  N/A  |  Yes  |  N/A  | 
|  MinimOS  |  Yes  |  Yes  |  N/A  | 
|  OpenSUSE  |  N/A  |  Yes  |  N/A  | 
|  Oracle Linux  |  N/A  |  Yes  |  N/A  | 
|  Photon OS  |  N/A  |  Yes  |  N/A  | 
|  RHEL  |  N/A  |  Yes  |  Yes  | 
|  Rocky Linux  |  N/A  |  Yes  |  Yes  | 
|  SLES  |  N/A  |  Yes  |  N/A  | 
|  Ubuntu  |  Yes  |  Yes  |  N/A  | 
|  Windows  |  N/A  |  N/A  |  N/A  | 

## APK-based OS package collection
<a name="w2aac37c21b9"></a>

 This section includes the supported platforms and key features for the APK-based OS package collection. For more information, see [Alpine Package Keeper](https://wiki.alpinelinux.org/wiki/Alpine_Package_Keeper) on the Alpine Linux website. 

### Supported platforms
<a name="w2aac37c21b9b5"></a>

 The following are supported platforms. 
+  Alpine Linux 

**Note**  
 For APK-based systems, the Amazon Inspector SBOM Generator collects package metadata from the [`/lib/apk/db/installed`](https://wiki.alpinelinux.org/wiki/Apk_spec) file. 

### Key features
<a name="w2aac37c21b9b7"></a>
+  **Package name collection** – Extracts the name of each installed package 
+  **Version collection** – Extracts the version of each installed package 
+  **Source package identification** – Identifies the source package for each installed package 

### Example
<a name="w2aac37c21b9b9"></a>

 The following snippet is an example of an APK database file. 

```
C:Q1JlboSJkrN4qkDcokr4zenpcWEXQ=
P:zlib
V:1.2.13-r1
A:x86_64
S:54253
I:110592
T:A compression/decompression Library
U:https://zlib.net/
L:Zlib
o:zlib
```

## DPKG-based OS package collection
<a name="w2aac37c21c11"></a>

 This section includes the supported platforms and key features for the DPKG-based OS package collection. For more information, see [Debian Package](https://wiki.debian.org/dpkg) on the Debian website. 

### Supported platforms
<a name="w2aac37c21c11b5"></a>

 The following platforms are supported. 
+  Debian 
+  Ubuntu 

**Note**  
 For DPKG-based systems, the Amazon Inspector SBOM Generator collects package metadata from the [`/var/lib/dpkg/status`](https://www.debian.org/doc/manuals/debian-reference/ch02.en.html) file. 

### Key features
<a name="w2aac37c21c11b7"></a>

 The following are key features for DPKG-based OS packages. 
+  **Package name collection** – Extracts the name of each installed package 
+  **Version collection** – Extracts the version of each installed package 
+  **[Source package identification](https://www.debian.org/doc/debian-policy/ch-source.html)** – Identifies the source package for each installed package 

### Example
<a name="w2aac37c21c11b9"></a>

 The following snippet is an example of a `/var/lib/dpkg/` file. 

```
Package: zlib1g
Status: install ok installed
Priority: optional
Section: libs
Installed-Size: 168
Maintainer: Mark Brown <broonie@debian.org>
Architecture: amd64
Multi-Arch: same
Source: zlib
Version: 1:1.2.13.dfsg-1
Provides: libz1
Depends: libc6 (>= 2.14)
Breaks: libxml2 (<< 2.7.6.dfsg-2), texlive-binaries (<< 2009-12)
Conflicts: zlib1 (<= 1:1.0.4-7)
Description: compression library - runtime
 zlib is a library implementing the deflate compression method found
 in gzip and PKZIP.  This package includes the shared library.
Homepage: http://zlib.net/
```

## RPM-based OS package collection
<a name="w2aac37c21c13"></a>

 This section includes the supported platforms and key features for the RPM-based OS package collection. For more information, see [RPM Package Manager](https://rpm.org/) on the RPM website. 

### Supported platforms
<a name="w2aac37c21c13b5"></a>

 The following platforms are supported. 
+  Alma Linux 
+  Amazon Linux 
+  CentOS 
+  Fedora 
+  OpenSUSE 
+  Oracle Linux 
+  PhotonOS 
+  RedHat Enterprise Linux 
+  Rocky Linux 
+  SUSE Linux Enterprise Server 

**Note**  
 For RPM-based systems, the Amazon Inspector SBOM Generator collects package metadata from the [RPM database](https://access.redhat.com/solutions/439953) (for example, `/var/lib/rpm/rpmdb.sqlite` or `/var/lib/rpm/Packages`). 

### Key features
<a name="w2aac37c21c13b7"></a>

 The following are key features for RPM-based OS package collections. 
+  **Package name collection** – Extracts the name of each installed package 
+  **Version collection** – Extracts the version of each installed package 
+  **[Source package identification](https://www.debian.org/doc/debian-policy/ch-source.html)** – Identifies the source package for each installed package 
+  **[Stream support](https://www.redhat.com/en/blog/introduction-appstreams-and-modules-red-hat-enterprise-linux)** – Extracts stream metadata of each installed package 

### Example
<a name="w2aac37c21c13b9"></a>

 The following are example locations of the RPM database files. 

```
/usr/lib/sysimage/rpm/rpmdb.sqlite
/usr/lib/sysimage/rpm/Packages
/usr/lib/sysimage/rpm/Packages.db
/var/lib/rpm/rpmdb.sqlite
/var/lib/rpm/Packages
/var/lib/rpm/Packages.db
```

## Windows OS version collection
<a name="w2aac37c21c15"></a>

 Unlike Linux-based operating systems, Windows does not use a package management system for the operating system itself. The Amazon Inspector SBOM Generator collects only the Windows OS version information. For Windows application scanning, use the windows-apps scanner instead. The windows-apps scanner collects information about installed applications on Windows systems. For more information, see [Microsoft applications ecosystem collection](sbom-generator-ecosystem-collection.md#microsoft-app-ecosystem-collection). 

### Key features
<a name="w2aac37c21c15b5"></a>
+  **OS version collection** – Extracts the Windows OS version from the Windows Registry. The extracted OS version is used for vulnerability detection for Windows OS. 

### Registry keys and values
<a name="w2aac37c21c15b7"></a>

 The following Windows Registry keys and values are used to collect OS name and version information. 
+ **Registry Key** 

  ```
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  ```
+  **Registry Value** 
  +  ProductName – OS name and edition (for example, "Windows Server 2025 Datacenter") 
  +  CurrentMajorVersionNumber – The major version of the OS 
  +  CurrentMinorVersionNumber – The minor version of the OS 
  +  CurrentBuild – The build number of the OS 
  +  UBR – The revision number of the OS 

## Chainguard image package collection
<a name="w2aac37c21c17"></a>

 This section includes the supported platforms and key features for Chainguard image package collection. For more information, see [Images](https://edu.chainguard.dev/chainguard/chainguard-images/) on the Chainguard website. 

### Supported platforms
<a name="w2aac37c21c17b5"></a>

 The following platforms are supported. 
+  Wolfi Linux 

**Note**  
 For Chainguard images, the Amazon Inspector SBOM Generator collects package metadata from the `/lib/apk/db/installed` file. 

### Key features
<a name="w2aac37c21c17b7"></a>

 The following are key features. 
+  **Package name collection** – Extracts the name of each installed package 
+  **Version collection** – Extracts the version of each installed package 
+  **Source package identification** – Identifies the source package for each installed package 

### Example
<a name="w2aac37c21c17b9"></a>

 The following snippet is an example of a Chainguard image file. 

```
P:wolfi-keys
V:1-r8
A:x86_64
L:MIT
T:Wolfi signing keyring
o:wolfi-keys
```

## Distroless image package collection
<a name="w2aac37c21c19"></a>

 Distroless containers are container images that exclude the package managers, shells, and other utilities found in Linux distributions. Distroless containers include only the essential dependencies required to run the application, which improves performance and security. 

**Note**  
 For [Distroless images](https://edu.chainguard.dev/chainguard/chainguard-images/about/getting-started-distroless/), the Amazon Inspector SBOM Generator collects package metadata from the `/var/lib/dpkg/status.d` file. Only Debian- and Ubuntu-based distributions are supported. These can be identified by the `NAME` field in the `/etc/os-release` file, which reads "Debian" or "Ubuntu". 

### Key features
<a name="w2aac37c21c19b7"></a>
+  **Package name collection** – Extracts the name of each installed package 
+  **Version collection** – Extracts the version of each installed package 

### Example
<a name="w2aac37c21c19b9"></a>

 The following is an example of a Distroless image file. 

```
Package: tzdata
Version: 2021a-1+deb11u10
Architecture: all
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Installed-Size: 3413
Depends: debconf (>= 0.5) | debconf-2.0
Provides: tzdata-bullseye
Section: localization
Priority: required
Multi-Arch: foreign
Homepage: https://www.iana.org/time-zones
Description: time zone and daylight-saving time data
 This package contains data required for the implementation of
 standard local time for many representative locations around the
 globe. It is updated periodically to reflect changes made by
 political bodies to time zone boundaries, UTC offsets, and
 daylight-saving rules.
```
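The DPKG and Distroless sections above both describe the same dpkg stanza format, so one added example (illustration only, not Sbomgen's code) covers both: it parses `/var/lib/dpkg/status` text, skips packages that are not in the installed state, separates the source package from its own version, and also accepts a Distroless `status.d` directory. The sample stanzas are constructed, and the `pkg:deb/<distro>/...` purl layout is an assumption of the example.

```python
import os
import re
import tempfile
from typing import Dict, Iterator, List, Tuple

# Constructed sample in /var/lib/dpkg/status format (fields trimmed from the
# page's zlib1g stanza). The second stanza is a removed package whose config
# files remain; the third has a Source field that carries its own version.
SAMPLE_STATUS = """\
Package: zlib1g
Status: install ok installed
Architecture: amd64
Multi-Arch: same
Source: zlib
Version: 1:1.2.13.dfsg-1
Description: compression library - runtime
 zlib is a library implementing the deflate compression method found
 in gzip and PKZIP.  This package includes the shared library.

Package: libexample0
Status: deinstall ok config-files
Architecture: amd64
Version: 0.9-1

Package: libssl3
Status: install ok installed
Architecture: amd64
Source: openssl (3.0.11-1~deb12u2)
Version: 3.0.11-1~deb12u2
"""

# "Source: name" or "Source: name (version)" when the source version differs.
SOURCE_RE = re.compile(r"^(\S+)(?:\s+\((\S+)\))?$")


def parse_stanzas(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per blank-line separated stanza; lines starting with
    whitespace continue the previous field (multi-line Description)."""
    fields: Dict[str, str] = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            if fields:
                yield fields
                fields, last_key = {}, None
            continue
        if line[0] in " \t" and last_key:
            fields[last_key] += "\n" + line.strip()
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        fields[last_key] = value.strip()
    if fields:
        yield fields


def is_installed(stanza: Dict[str, str]) -> bool:
    """Distroless status.d entries carry no Status field; treat them as installed."""
    status = stanza.get("Status")
    return status is None or status.split()[-1] == "installed"


def source_package(stanza: Dict[str, str]) -> Tuple[str, str]:
    match = SOURCE_RE.match(stanza.get("Source", ""))
    if not match:
        return stanza["Package"], stanza["Version"]  # package is its own source
    return match.group(1), match.group(2) or stanza["Version"]


def deb_purl(stanza: Dict[str, str], distro: str) -> str:
    purl = f"pkg:deb/{distro}/{stanza['Package']}@{stanza['Version']}"
    if stanza.get("Architecture"):
        purl += f"?arch={stanza['Architecture']}"
    return purl


def collect_deb_components(text: str, distro: str = "debian") -> List[Dict[str, str]]:
    out = []
    for s in parse_stanzas(text):
        if "Package" not in s or "Version" not in s or not is_installed(s):
            continue  # removed or half-installed packages are not on the system
        src, src_ver = source_package(s)
        out.append({"name": s["Package"], "version": s["Version"], "source": src,
                    "source_version": src_ver, "purl": deb_purl(s, distro)})
    return out


def collect_from_path(path: str, distro: str = "debian") -> List[Dict[str, str]]:
    """Accept either a status file or a Distroless status.d directory, in which
    each package has its own stanza file (sibling *.md5sums lists are skipped)."""
    if os.path.isdir(path):
        names = sorted(n for n in os.listdir(path) if not n.endswith(".md5sums"))
        files = [os.path.join(path, n) for n in names]
    else:
        files = [path]
    chunks = []
    for name in files:
        with open(name, encoding="utf-8") as fh:
            chunks.append(fh.read().strip())
    return collect_deb_components("\n\n".join(chunks), distro)


def demo_status_d() -> List[Dict[str, str]]:
    """Write the sample as a status.d-style directory and collect from it."""
    with tempfile.TemporaryDirectory() as tmp:
        for stanza in SAMPLE_STATUS.strip().split("\n\n"):
            name = stanza.split("\n", 1)[0].split(":", 1)[1].strip()
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(stanza + "\n")
        with open(os.path.join(tmp, "zlib1g.md5sums"), "w", encoding="utf-8") as fh:
            fh.write("d41d8cd98f00b204e9800998ecf8427e  lib/x86_64-linux-gnu/libz.so.1\n")
        return collect_from_path(tmp)
```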

## MinimOS package collection
<a name="w2aac37c21c21"></a>

 This section includes the supported platforms and key features for Minimus image package collection. For more information, see the [Minimus](https://www.minimus.io/) website. 

**Supported platforms**  
 The following platforms are supported. 
+  MinimOS 

**Note**  
 For Minimus images, the Amazon Inspector SBOM Generator collects package metadata from the `/lib/apk/db/installed` file. 

**Key features**  
 The following are key features. 
+  **Package name collection** – Extracts the name of each installed package 
+  **Version collection** – Extracts the version of each installed package 
+  **Source package identification** – Identifies the source package for each installed package 

 The following is a snippet of a Minimus image file. 

```
P:ca-certificates-bundle
V:20241121-r1
A:aarch64
L:MPL-2.0 AND MIT
T:
o:ca-certificates
```
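The APK, Chainguard, and MinimOS sections above all read the same `/lib/apk/db/installed` record format. The following Python parser is an added illustration, not Sbomgen's code: it turns such records into name, version, origin (source package), and a package URL. The sample database is constructed, and the `pkg:apk/<distro>/...` purl layout is an assumption of the example.

```python
from typing import Dict, List

# Constructed sample in the /lib/apk/db/installed format: one record per
# package, single-letter keys, records separated by a blank line. Real
# databases also carry F:/R:/Z: file-list lines, which are ignored here.
SAMPLE_APK_DB = """\
C:Q1JlboSJkrN4qkDcokr4zenpcWEXQ=
P:zlib
V:1.2.13-r1
A:x86_64
S:54253
I:110592
T:A compression/decompression Library
U:https://zlib.net/
L:Zlib
o:zlib
F:lib
R:libz.so.1.2.13

P:ssl_client
V:1.36.1-r2
A:x86_64
T:External ssl_client for busybox wget
o:busybox

P:record-without-version
A:x86_64
"""


def parse_apk_installed(text: str) -> List[Dict[str, str]]:
    """Split the database into records and map each key to its value.
    Keys used here: P = package name, V = version, A = architecture,
    o = origin (the source package the binary package was built from)."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        # File-list keys (F, R, Z) repeat within a record; keep the first
        # value of every key so the package metadata is never overwritten.
        if sep and key not in current:
            current[key] = value
    if current:
        records.append(current)
    return records


def apk_purl(record: Dict[str, str], distro: str) -> str:
    """Package URL for an APK package, e.g. pkg:apk/alpine/zlib@1.2.13-r1?arch=x86_64."""
    purl = f"pkg:apk/{distro}/{record['P']}@{record['V']}"
    if record.get("A"):
        purl += f"?arch={record['A']}"
    return purl


def collect_apk_components(text: str, distro: str = "alpine") -> List[Dict[str, str]]:
    """One component per identifiable package; records lacking a name or a
    version are skipped rather than guessed, since a vulnerability match
    needs both."""
    components = []
    for rec in parse_apk_installed(text):
        if not rec.get("P") or not rec.get("V"):
            continue
        components.append({
            "name": rec["P"],
            "version": rec["V"],
            "source": rec.get("o", rec["P"]),  # origin defaults to the package itself
            "purl": apk_purl(rec, distro),
        })
    return components


if __name__ == "__main__":
    for c in collect_apk_components(SAMPLE_APK_DB):
        print(c["purl"], "source:", c["source"])
```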

# Programming language dependency collection
<a name="sbom-generator-dependency-collection"></a>

 The Amazon Inspector SBOM Generator supports different programming languages and frameworks, which make up a robust and detailed collection of dependencies. Generating an SBOM helps you understand the composition of your software, so you can identify vulnerabilities and maintain compliance with security standards. The Amazon Inspector SBOM Generator supports the following programming languages and file formats. 

## Go dependency scanning
<a name="w2aac37c23b5"></a>


| Programming language | Package manager | Supported artifacts | Toolchain support | Development dependencies | Transitive dependencies | Private flag | Recursively | 
| --- | --- | --- | --- | --- | --- | --- | --- | 
| Go | Go | `go.mod` | N/A | N/A | N/A | N/A | Yes | 
| Go | Go | `go.sum` | N/A | N/A | N/A | N/A | Yes | 
| Go | Go | Go binaries | Yes | N/A | N/A | N/A | Yes | 
| Go | Go | `GOMODCACHE` | N/A | N/A | N/A | N/A | No | 

### go.mod/go.sum
<a name="w2aac37c23b5b5"></a>

 Use `go.mod` and `go.sum` files to define and lock dependencies in Go projects. The Amazon Inspector SBOM Generator manages these files differently based on the Go toolchain version. 

**Key features**
+  Collects dependencies from `go.mod` (if the Go toolchain version is 1.17 or higher) 
+  Collects dependencies from `go.sum` (if the Go toolchain version is 1.17 or lower) 
+  Parses `go.mod` to identify all declared dependencies and dependency versions 

**Example `go.mod` file**  
 The following is an example of a `go.mod` file. 

```
module example.com/project

go 1.17

require (
github.com/gin-gonic/gin v1.7.2
golang.org/x/crypto v0.0.0-20210616213533-5cf6c0f8e123
)
```

**Example `go.sum` file**  
 The following is an example of a `go.sum` file. 

```
github.com/gin-gonic/gin v1.7.2 h1:VZ7DdRl0sghbA6lVGSkX+UXO2+J0aH7RbsNugG+FA8Q=
github.com/gin-gonic/gin v1.7.2/go.mod h1:ILZ1Ngh2f1pL1ASUj7gGk8lGFeNC8cRTaN2ZhsBNbXU=
golang.org/x/crypto v0.0.0-20210616213533-5cf6c0f8e123 h1:b6rCu+qHze+BUsmC3CZzH8aNu8LzPZTVsNTo64OypSc=
golang.org/x/crypto v0.0.0-20210616213533-5cf6c0f8e123/go.mod h1:K5Dkpb0Q4ewZW/EzWlQphgJcUMBCzoWrLfDOVzpTGVQ=
```

**Note**  
 Each of these files produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub website. 

### Go Binaries
<a name="w2aac37c23b5b7"></a>

 The Amazon Inspector SBOM Generator extracts dependencies from compiled Go binaries to provide assurance about the code in use. 

**Note**  
 The Amazon Inspector SBOM Generator supports capturing and evaluating toolchain versions from Go binaries built using the official Go compiler. For more information, see [Download and install](https://go.dev/doc/install) on the Go website. If you are using the Go toolchain from another vendor, such as Red Hat, evaluation might not be accurate due to potential differences in distribution and metadata availability. 

**Key features**
+  Extracts dependency information directly from Go binaries 
+  Collects dependencies embedded within the binary 
+  Detects and extracts the Go toolchain version used for compiling the binary 

### GOMODCACHE
<a name="w2aac37c23b5b9"></a>

 The Amazon Inspector SBOM Generator scans the Go module cache to collect information about installed dependencies. This cache stores downloaded modules to make sure the same versions are used across different builds. 

**Key features**
+  Scans the `GOMODCACHE` directory to identify cached modules 
+  Extracts detailed metadata, including module names, versions, and source URLs 

**Example structure**  
 The following is an example of the `GOMODCACHE` structure. 

```
~/go/pkg/mod/
├── github.com/gin-gonic/gin@v1.7.2
├── golang.org/x/crypto@v0.0.0-20210616213533-5cf6c0f8e123
```

**Note**  
 This structure produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub website. 
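Added Python illustration (not Sbomgen's implementation) serving both the go.mod/go.sum section and the `GOMODCACHE` section above: it parses the `go.mod` directives shown, applies the 1.17 cut-over between `go.mod` and `go.sum`, decodes module cache directory names, and flags requirements overridden by a local `replace`. The sample file and the `pkg:golang/...` purl layout are assumptions of the example.

```python
import re
from typing import Any, Dict, List, NamedTuple, Optional, Tuple


class Requirement(NamedTuple):
    path: str
    version: str
    indirect: bool


# Constructed go.mod: the page's example plus a single-line require, an
# "// indirect" marker and a replace directive, to exercise each form.
SAMPLE_GO_MOD = """\
module example.com/project

go 1.17

require github.com/stretchr/testify v1.8.4

require (
    github.com/gin-gonic/gin v1.7.2
    golang.org/x/crypto v0.0.0-20210616213533-5cf6c0f8e123 // indirect
)

replace github.com/gin-gonic/gin => ./forks/gin
"""


def _replace_pair(code: str, skip_keyword: bool) -> Tuple[str, str]:
    """'[replace] old [v1] => new [v2]' -> (old, new)."""
    left, right = code.split("=>", 1)
    return left.split()[1 if skip_keyword else 0], right.split()[0]


def parse_go_mod(text: str) -> Dict[str, Any]:
    """Minimal go.mod reader: module path, go directive, require entries in
    single-line and block form, and replace directives (old path -> target)."""
    result: Dict[str, Any] = {"module": None, "go": None, "require": [], "replace": {}}
    block: Optional[str] = None
    for raw in text.splitlines():
        code, _, comment = raw.partition("//")
        code, comment = code.strip(), comment.strip()
        if not code:
            continue
        parts = code.split()
        if block:  # inside "require (" / "replace (" until the closing ")"
            if code == ")":
                block = None
            elif block == "require" and len(parts) == 2:
                result["require"].append(Requirement(parts[0], parts[1], comment == "indirect"))
            elif block == "replace" and "=>" in parts:
                old, new = _replace_pair(code, skip_keyword=False)
                result["replace"][old] = new
        elif parts[-1] == "(":
            block = parts[0]
        elif parts[0] in ("module", "go"):
            result[parts[0]] = parts[1]
        elif parts[0] == "require" and len(parts) == 3:
            result["require"].append(Requirement(parts[1], parts[2], comment == "indirect"))
        elif parts[0] == "replace" and "=>" in parts:
            old, new = _replace_pair(code, skip_keyword=True)
            result["replace"][old] = new
    return result


def lockfile_for_toolchain(go_version: str) -> str:
    """The 1.17 cut-over described above: from Go 1.17 on, go.mod lists the
    complete module graph, so older toolchains fall back to go.sum."""
    major, minor = (int(p) for p in go_version.split(".")[:2])
    return "go.mod" if (major, minor) >= (1, 17) else "go.sum"


def go_purl(module_path: str, version: str) -> str:
    """purl type golang: the module path supplies namespace and name,
    e.g. pkg:golang/github.com/gin-gonic/gin@v1.7.2 (layout assumed here)."""
    return f"pkg:golang/{module_path}@{version}"


# Module cache entries are "<escaped path>@<version>" directories; uppercase
# letters in the path are escaped as "!x" (github.com/!burnt!sushi/toml@v1.2.0).
MODCACHE_RE = re.compile(r"^(?P<path>.+)@(?P<version>v[^@/]+)$")


def parse_modcache_entry(dir_name: str) -> Optional[Tuple[str, str]]:
    match = MODCACHE_RE.match(dir_name)
    if not match:
        return None
    path = re.sub(r"!([a-z])", lambda m: m.group(1).upper(), match.group("path"))
    return path, match.group("version")


def go_mod_components(text: str) -> List[Dict[str, Any]]:
    """Components for every requirement; a replace that points at a local
    path means the declared version is not what gets compiled, so flag it."""
    mod = parse_go_mod(text)
    components = []
    for req in mod["require"]:
        target = mod["replace"].get(req.path, "")
        components.append({"purl": go_purl(req.path, req.version), "indirect": req.indirect,
                           "replaced_locally": target.startswith((".", "/"))})
    return components
```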

## Java dependency scanning
<a name="w2aac37c23b7"></a>


| Programming language | Package manager | Supported artifacts | Toolchain support | Development dependencies | Transitive dependencies | Private flag | Recursively | 
| --- | --- | --- | --- | --- | --- | --- | --- | 
| Java | Maven | Compiled Java applications (`.jar`/`.war`/`.ear`) | N/A | N/A | Yes | N/A | Yes | 
| Java | Maven | `pom.xml` | N/A | N/A | Yes | N/A | Yes | 

**Note**  
 Our vulnerability evaluation feature only supports the Maven Central repository. Third-party repositories, such as the JBoss Enterprise Maven Repository, are not currently supported. 

 The Amazon Inspector SBOM Generator performs Java dependency scanning by analyzing compiled Java applications and `pom.xml` files. When scanning compiled applications, the scanner generates SHA-1 hashes for integrity verification, extracts embedded `pom.properties` files, and parses nested `pom.xml` files. 

### SHA-1 hash collection (for compiled .jar, .war, .ear files)
<a name="w2aac37c23b7b9"></a>

 The Amazon Inspector SBOM Generator tries to collect SHA-1 hashes for all `.ear`, `.jar`, and `.war` files in a project to guarantee the integrity and traceability of compiled Java artifacts. 

**Key features**
+  Generates SHA-1 hashes for all compiled Java artifacts 

**Example artifact**  
 The following is an example of a component with a SHA-1 hash. 

```
{
  "bom-ref": "comp-52",
  "type": "library",
  "name": "jul-to-slf4j",
  "version": "2.0.6",
  "hashes": [
    {
      "alg": "SHA-1",
      "content": ""
    }
  ],
  "purl": "pkg:maven/jul-to-slf4j@2.0.6",
  "properties": [
    {
      "name": "amazon:inspector:sbom_generator:source_path",
      "value": "test-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/jul-to-slf4j-2.0.6.jar"
    }
  ]
}
```

**Note**  
 This artifact produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub website. 

### pom.properties
<a name="w2aac37c23b7c11"></a>

 The `pom.properties` file is used in Maven projects to store project metadata, including package names and package versions. The Amazon Inspector SBOM Generator parses this file to collect project information. 

**Key features**
+  Parses and extracts package artifacts, package groups, and package versions 

**Example `pom.properties` file**  
 The following is an example of a `pom.properties` file. 

```
#Generated by Maven
#Tue Mar 16 15:44:02 UTC 2021

version=1.6.0
groupId=net.datafaker
artifactId=datafaker
```

**Note**  
 This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub website. 

**Excluding nested `pom.xml` parsing**  
 If you want to exclude `pom.xml` parsing when scanning compiled Java applications, use the `--skip-nested-pomxml` argument. 
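Added example (not Sbomgen's code) serving the SHA-1 hash collection and `pom.properties` sections above: it builds a constructed Spring Boot-style jar in memory, recurses into nested jars, hashes each archive, reads any embedded `pom.properties`, and emits components shaped like the JSON shown earlier, including the `source_path` property. Falling back to the file name for identity when no `pom.properties` is present is the example's own choice.

```python
import hashlib
import io
import re
import zipfile
from typing import Dict, List

SOURCE_PATH_PROP = "amazon:inspector:sbom_generator:source_path"
# jul-to-slf4j-2.0.6.jar -> ("jul-to-slf4j", "2.0.6"); used when no pom.properties exists
FILENAME_RE = re.compile(r"^(.+?)-(\d[^/]*)\.(?:jar|war|ear)$")
FIXED_TIME = (2021, 3, 16, 15, 44, 2)  # fixed zip timestamps keep sample hashes reproducible


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def parse_pom_properties(text: str) -> Dict[str, str]:
    """key=value lines; '#' lines are Maven's generator and timestamp comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Constructed helper: pack entries into an in-memory zip (a jar is a zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=FIXED_TIME), data)
    return buf.getvalue()


def walk_jar(data: bytes, source_path: str, depth: int = 0, max_depth: int = 8) -> List[dict]:
    """One CycloneDX-style component per archive, recursing into nested jars
    (Spring Boot BOOT-INF/lib, WEB-INF/lib). Identity comes from an embedded
    pom.properties when present, otherwise from the file name."""
    if depth > max_depth:
        return []  # stop on absurd nesting instead of recursing without bound
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not an archive: report nothing rather than a guess
    comp: dict = {"type": "library", "hashes": [{"alg": "SHA-1", "content": sha1_hex(data)}],
                  "properties": [{"name": SOURCE_PATH_PROP, "value": source_path}]}
    nested: List[dict] = []
    with zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                if {"groupId", "artifactId", "version"} <= props.keys():
                    comp.update(name=props["artifactId"], version=props["version"],
                                purl=f"pkg:maven/{props['groupId']}/{props['artifactId']}@{props['version']}")
            elif name.endswith((".jar", ".war", ".ear")):
                nested.extend(walk_jar(zf.read(name), f"{source_path}/{name}", depth + 1, max_depth))
    if "name" not in comp:
        m = FILENAME_RE.match(source_path.rsplit("/", 1)[-1])
        if m:  # group unknown: purl without a namespace, as in the page's example
            comp.update(name=m.group(1), version=m.group(2), purl=f"pkg:maven/{m.group(1)}@{m.group(2)}")
    return [comp] + nested


def build_sample_app() -> bytes:
    """Constructed Spring Boot-style fat jar with two nested libraries and one
    file that only pretends to be a jar."""
    slf4j = build_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})  # no pom.properties
    datafaker = build_jar({"META-INF/maven/net.datafaker/datafaker/pom.properties":
                           b"#Generated by Maven\n#Tue Mar 16 15:44:02 UTC 2021\n\n"
                           b"version=1.6.0\ngroupId=net.datafaker\nartifactId=datafaker\n"})
    return build_jar({"BOOT-INF/lib/jul-to-slf4j-2.0.6.jar": slf4j,
                      "BOOT-INF/lib/datafaker-1.6.0.jar": datafaker,
                      "BOOT-INF/lib/not-a-jar-1.0.jar": b"plain text"})


if __name__ == "__main__":
    for c in walk_jar(build_sample_app(), "test-0.0.1-SNAPSHOT.jar"):
        print(c["purl"], c["hashes"][0]["content"], c["properties"][0]["value"])
```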

### pom.xml
<a name="w2aac37c23b7c13"></a>

 The `pom.xml` file is the core configuration file for Maven projects. It contains information about projects and project dependencies. The Amazon Inspector SBOM Generator parses `pom.xml` files to collect dependencies, scanning both standalone files in repositories and files inside compiled `.jar` files. 

**Key features**
+  Parses and extracts package artifacts, package groups, and package versions from `pom.xml` files. 

**Supported Maven scopes and tags**  
 Dependencies are collected with the following Maven scopes: 
+  compile 
+  provided 
+  runtime 
+  test 
+  system 
+  import 

 Dependencies are collected with the following Maven tag: `<optional>true</optional>`. 

**Example `pom.xml` file with a scope**  
 The following is an example of a `pom.xml` file with a scope. 

```
<dependency>
  <groupId>jakarta.servlet</groupId>
  <artifactId>jakarta.servlet-api</artifactId>
  <version>6.0.0</version>
  <scope>provided</scope>
</dependency>
<dependency>
  <groupId>mysql</groupId>
  <artifactId>mysql-connector-java</artifactId>
  <version>8.0.28</version>
  <scope>runtime</scope>
</dependency>
```

**Example `pom.xml` file without a scope**  
 The following is an example of a `pom.xml` file without a scope. 

```
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.17.1</version>
</dependency>

<dependency>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>plain-credentials</artifactId>
<version>183.va_de8f1dd5a_2b_</version>
</dependency>

<dependency>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>jackson2-api</artifactId>
<version>2.15.2-350.v0c2f3f8fc595</version>
</dependency>
```

**Note**  
 Each of these files produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub website. 

## JavaScript dependency scanning
<a name="w2aac37c23b9"></a>


| Programming language | Package manager | Supported artifacts | Toolchain support | Development dependencies | Transitive dependencies | Private flag | Recursively | 
| --- | --- | --- | --- | --- | --- | --- | --- | 
| JavaScript | Node modules | `node_modules/*/package.json` | N/A | N/A | Yes | Yes | Yes | 
| JavaScript | npm | `package-lock.json` (v1, v2, and v3) / `npm-shrinkwrap.json` | N/A | Yes | N/A | N/A | No | 
| JavaScript | pnpm | `pnpm-lock.yaml` | N/A | Yes | N/A | N/A | No | 
| JavaScript | Yarn | `yarn.lock` | N/A | Yes | N/A | N/A | No | 

### package.json
<a name="w2aac37c23b9b5"></a>

 The `package.json` file is a core component of Node.js projects. It contains metadata about installed packages. The Amazon Inspector SBOM Generator scans this file to identify package names and package versions. 

**Key features**
+  Parses the JSON file structure to extract package names and versions 
+  Identifies private packages by the `private` field 

**Example `package.json` file**  
 The following is an example of a `package.json` file. 

```
{
"name": "arrify",
"private": true,
"version": "2.0.1",
"description": "Convert a value to an array",
"license": "MIT",
"repository": "sindresorhus/arrify"
}
```

**Note**  
 This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub website. 

### package-lock.json
<a name="w2aac37c23b9b7"></a>

 The `package-lock.json` file is automatically generated by npm to lock exact versions of dependencies installed for a project. It ensures consistency in environments by storing exact versions of all dependencies and their sub-dependencies. This file can distinguish between regular dependencies and development dependencies. 

**Key features**
+  Parses the JSON file structure to extract package names and package versions 
+  Supports dev dependency detection 

**Example `package-lock.json` file**  
 The following is an example of a `package-lock.json` file. 

```
"verror": {
"version": "1.10.0",
"resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz",
"integrity": "sha1-OhBcoXBTr1XW4nDB+CiGguGNpAA=",
"requires": {
    "assert-plus": "^1.0.0",
    "core-util-is": "1.0.2",
    "extsprintf": "^1.2.0"
}
},
"wrappy": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
"integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=",
"dev": true
},
"yallist": {
"version": "3.0.2",
"resolved": "https://registry.npmjs.org/yallist/-/yallist-3.0.2.tgz",
"integrity": "sha1-hFK0u36Dx8GI2AQcGoN8dz1ti7k="
}
```

**Note**  
 This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub website. 

### npm-shrinkwrap.json
<a name="w2aac37c23b9b9"></a>

 npm automatically generates `package-lock.json` and `npm-shrinkwrap.json` files to lock the exact versions of dependencies installed for a project. This guarantees consistency across environments by storing the exact versions of all dependencies and sub-dependencies. The files distinguish between regular dependencies and development dependencies. 

**Key features**
+  Parses `package-lock.json` versions 1, 2, and 3 of the JSON file structure to extract the package name and version 
+  Developer dependency detection is supported (`package-lock.json` captures production and development dependencies, allowing tools to identify which packages are used in development environments) 
+  The `npm-shrinkwrap.json` file is prioritized over the `package-lock.json` file 

**Example**  
 The following is an example of a `package-lock.json` file. 

```
"verror": {
    "version": "1.10.0",
    "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz",
    "integrity": "sha1-OhBcoXBTr1XW4nDB+CiGguGNpAA=",
    "requires": {
        "assert-plus": "^1.0.0",
        "core-util-is": "1.0.2",
        "extsprintf": "^1.2.0"
    }
},
"wrappy": {
    "version": "1.0.2",
    "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
    "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=",
    "dev": true
},
"yallist": {
    "version": "3.0.2",
    "resolved": "https://registry.npmjs.org/yallist/-/yallist-3.0.2.tgz",
    "integrity": "sha1-hFK0u36Dx8GI2AQcGoN8dz1ti7k="
}
```
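Added example (not Sbomgen's code) for the `package-lock.json` and `npm-shrinkwrap.json` sections above: it parses lockfile versions 1, 2, and 3, marks dev dependencies, percent-encodes scoped package names in purls, and prefers `npm-shrinkwrap.json` over `package-lock.json` when both exist. Both lockfiles are constructed for the example.

```python
import json
import os
from typing import Dict, List, Optional

# Constructed lockfiles. LOCK_V1 mirrors the page's example (lockfileVersion 1:
# nested "dependencies" with "requires"); LOCK_V3 is the same tree in the
# lockfileVersion 2/3 layout ("packages" keyed by install path).
LOCK_V1 = json.dumps({
    "name": "demo", "lockfileVersion": 1,
    "dependencies": {
        "verror": {"version": "1.10.0", "requires": {"assert-plus": "^1.0.0"},
                   "dependencies": {"assert-plus": {"version": "1.0.0"}}},
        "wrappy": {"version": "1.0.2", "dev": True},
        "yallist": {"version": "3.0.2"},
    },
})
LOCK_V3 = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "0.1.0"},
        "node_modules/verror": {"version": "1.10.0"},
        "node_modules/verror/node_modules/assert-plus": {"version": "1.0.0"},
        "node_modules/wrappy": {"version": "1.0.2", "dev": True},
        "node_modules/@babel/code-frame": {"version": "7.21.4", "dev": True},
        "node_modules/local-link": {"resolved": "../local-link", "link": True},
    },
})


def npm_purl(name: str, version: str) -> str:
    """Scoped names keep their '/', but the leading '@' is percent-encoded in a purl."""
    if name.startswith("@"):
        scope, _, base = name[1:].partition("/")
        return f"pkg:npm/%40{scope}/{base}@{version}"
    return f"pkg:npm/{name}@{version}"


def _component(name: str, version: str, dev: bool) -> dict:
    return {"name": name, "version": version, "dev": dev, "purl": npm_purl(name, version)}


def _walk_v1(deps: Dict[str, dict], out: List[dict]) -> None:
    """v1: an entry may nest its own "dependencies" when versions conflict."""
    for name, meta in deps.items():
        if meta.get("version"):
            out.append(_component(name, meta["version"], bool(meta.get("dev"))))
        _walk_v1(meta.get("dependencies", {}), out)


def _walk_packages(packages: Dict[str, dict], out: List[dict]) -> None:
    """v2/v3: keys are install paths; "" is the root project, not a dependency."""
    for path, meta in packages.items():
        if "node_modules/" not in path or meta.get("link"):
            continue  # root/workspace entries and symlinked folders carry no version to match
        name = meta.get("name") or path.rsplit("node_modules/", 1)[1]
        if meta.get("version"):
            out.append(_component(name, meta["version"], bool(meta.get("dev"))))


def parse_lockfile(text: str) -> List[dict]:
    data = json.loads(text)
    out: List[dict] = []
    if data.get("lockfileVersion", 1) >= 2 and "packages" in data:
        # v2 files also carry a v1-style "dependencies" copy: read one, never both
        _walk_packages(data["packages"], out)
    else:
        _walk_v1(data.get("dependencies", {}), out)
    return out


def choose_lockfile(project_dir: str) -> Optional[str]:
    """npm-shrinkwrap.json takes priority over package-lock.json, as stated above."""
    for candidate in ("npm-shrinkwrap.json", "package-lock.json"):
        path = os.path.join(project_dir, candidate)
        if os.path.isfile(path):
            return path
    return None


if __name__ == "__main__":
    for lock in (LOCK_V1, LOCK_V3):
        for c in parse_lockfile(lock):
            print(c["purl"], "dev" if c["dev"] else "prod")
```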

### pnpm-lock.yaml
<a name="w2aac37c23b9c11"></a>

 The `pnpm-lock.yaml` file is generated by pnpm to maintain a record of installed dependency versions. It also tracks development dependencies separately. 

**Key features**
+  Parses the YAML file structure to extract package names and versions 
+  Supports dev dependency detection 

**Example**  
 The following is an example of a `pnpm-lock.yaml` file. 

```
lockfileVersion: 5.3
importers:
  my-project:
    dependencies:
      lodash: 4.17.21
    devDependencies:
      jest: 26.6.3
    specifiers:
      lodash: ^4.17.21
      jest: ^26.6.3
packages:
  /lodash/4.17.21:
    resolution:
      integrity: sha512-xyz
    engines:
      node: '>=6'
    dev: false
  /jest/26.6.3:
    resolution:
      integrity: sha512-xyz
    dev: true
```

**Note**  
 This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub website. 

### yarn.lock
<a name="w2aac37c23b9c13"></a>

 The `yarn.lock` file is generated by Yarn to record the exact resolved version of every installed dependency. The Amazon Inspector SBOM Generator parses this file to collect package names and versions. 

**Key features**
+  Parses the `yarn.lock` structure to extract package names and versions 
+  Supports dev dependency detection 

**Example `yarn.lock` file**  
 The following is an example of a `yarn.lock` file. 

```
"@ampproject/remapping@npm:^2.2.0":
version: 2.2.0
resolution: "@ampproject/remapping@npm:2.2.0"
dependencies:
"@jridgewell/gen-mapping": ^0.1.0
"@jridgewell/trace-mapping": ^0.3.9
checksum: d74d170d06468913921d72430259424b7e4c826b5a7d39ff839a29d547efb97dc577caa8ba3fb5cf023624e9af9d09651afc3d4112a45e2050328abc9b3a2292
languageName: node
linkType: hard

"@babel/code-frame@npm:^7.0.0, @babel/code-frame@npm:^7.12.13, @babel/code-frame@npm:^7.18.6, @babel/code-frame@npm:^7.21.4":
version: 7.21.4
resolution: "@babel/code-frame@npm:7.21.4"
dependencies:
"@babel/highlight": ^7.18.6
checksum: e5390e6ec1ac58dcef01d4f18eaf1fd2f1325528661ff6d4a5de8979588b9f5a8e852a54a91b923846f7a5c681b217f0a45c2524eb9560553160cd963b7d592c
languageName: node
linkType: hard
```

**Note**  
 This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub website. 

## .NET dependency scanning
<a name="w2aac37c23c11"></a>


| Programming language | Package manager | Supported artifacts | Toolchain support | Development dependencies | Transitive dependencies | Private flag | Recursively | 
| --- | --- | --- | --- | --- | --- | --- | --- | 
| .NET | .NET Core | `*.deps.json` | N/A | N/A | N/A | N/A | Yes | 
| .NET | NuGet | `Packages.config` | N/A | N/A | N/A | N/A | Yes | 
| .NET | NuGet | `packages.lock.json` | N/A | N/A | Yes | N/A | Yes | 
| .NET | .NET | `.csproj` | N/A | N/A | N/A | N/A | Yes | 

### Packages.config
<a name="w2aac37c23c11b5"></a>

 The `Packages.config` file is an XML file used by older versions of NuGet to manage project dependencies. It lists every package referenced by the project together with its exact version. 

**Key features**
+  Parses XML structure to extract package IDs and versions 

**Example**  
 The following is an example of a `Packages.config` file. 

```
<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="FluentAssertions" version="5.4.1" targetFramework="net461" />
  <package id="Newtonsoft.Json" version="11.0.2" targetFramework="net461" />
  <package id="SpecFlow" version="2.4.0" targetFramework="net461" />
  <package id="SpecRun.Runner" version="1.8.0" targetFramework="net461" />
  <package id="SpecRun.SpecFlow" version="1.8.0" targetFramework="net461" />
  <package id="SpecRun.SpecFlow.2-4-0" version="1.8.0" targetFramework="net461" />
  <package id="System.ValueTuple" version="4.5.0" targetFramework="net461" />
</packages>
```

**Note**  
 This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub Website. 

### *.deps.json
<a name="w2aac37c23c11b7"></a>

 The `*.deps.json` file is generated by .NET Core projects and contains detailed information about all dependencies, including paths, versions, and runtime dependencies. This file gives the runtime the information it needs to load the correct versions of dependencies. 

**Key features**
+ Parses the JSON structure for comprehensive dependency details
+  Extracts package names and versions in a `libraries` list. 

**Example `.deps.json` file**  
 The following is an example of a `.deps.json` file. 

```
{
  "runtimeTarget": {
    "name": ".NETCoreApp,Version=v7.0",
    "signature": ""
  },
  "libraries": {
    "sample-Nuget/1.0.0": {
      "type": "project",
      "serviceable": false,
      "sha512": ""
    },
    "Microsoft.EntityFrameworkCore/7.0.5": {
      "type": "package",
      "serviceable": true,
      "sha512": "sha512-RXbRLHHWP2Z3pq8qcL5nQ6LPeoOyp8hasM5bd0Te8PiQi3RjWQR4tcbdY5XMqQ+oTO9wA8/RLhZRn/hnxlTDnQ==",
      "path": "microsoft.entityframeworkcore/7.0.5",
      "hashPath": "microsoft.entityframeworkcore.7.0.5.nupkg.sha512"
    }
  }
}
```

**Note**  
 This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub Website. 

### packages.lock.json
<a name="w2aac37c23c11b9"></a>

 The `packages.lock.json` file is used by newer versions of NuGet to lock the exact versions of a .NET project's dependencies, so that the same versions are used consistently across environments. 

**Key features**
+ Parses the JSON structure to list locked dependencies
+ Supports both direct and transitive dependencies
+ Extracts package name and resolved versions

**Example `packages.lock.json` file**  
 The following is an example of a `packages.lock.json` file. 

```
{
"version": 1,
"dependencies": {
"net7.0": {
  "Microsoft.EntityFrameworkCore": {
    "type": "Direct",
    "requested": "[7.0.5, )",
    "resolved": "7.0.5",
    "contentHash": "RXbRLHHWP2Z3pq8qcL5nQ6LPeoOyp8hasM5bd0Te8PiQi3RjWQR4tcbdY5XMqQ+oTO9wA8/RLhZRn/hnxlTDnQ==",
    "dependencies": {
      "Microsoft.EntityFrameworkCore.Abstractions": "7.0.5",
      "Microsoft.EntityFrameworkCore.Analyzers": "7.0.5",
      "Microsoft.Extensions.Caching.Memory": "7.0.0",
      "Microsoft.Extensions.DependencyInjection": "7.0.0",
      "Microsoft.Extensions.Logging": "7.0.0"
    }
  },
  "Newtonsoft.Json": {
    "type": "Direct",
    "requested": "[13.0.3, )",
    "resolved": "13.0.3",
    "contentHash": "HrC5BXdl00IP9zeV+0Z848QWPAoCr9P3bDEZguI+gkLcBKAOxix/tLEAAHC+UvDNPv4a2d18lOReHMOagPa+zQ=="
  },
  "Microsoft.Extensions.Primitives": {
    "type": "Transitive",
    "resolved": "7.0.0",
    "contentHash": "um1KU5kxcRp3CNuI8o/GrZtD4AIOXDk+RLsytjZ9QPok3ttLUelLKpilVPuaFT3TFjOhSibUAso0odbOaCDj3Q=="
  }
}
}
}
```

**Note**  
 This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub Website. 

### .csproj
<a name="w2aac37c23c11c11"></a>

 The `.csproj` file is the XML project file for .NET projects. It includes references to NuGet packages, project properties, and build configurations. 

**Key features**
+  Parses the XML structure to extract package references 

**Example `.csproj` file**  
 The following is an example of a `.csproj` file. 

```
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net7.0</TargetFramework>
<RootNamespace>sample_Nuget</RootNamespace>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
</PropertyGroup>
<ItemGroup>
</ItemGroup>
<ItemGroup>
<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
<PackageReference Include="Microsoft.EntityFrameworkCore" Version="7.0.5" />
</ItemGroup>
</Project>
```

**Example `PackageReference` elements with floating versions and version ranges**  
 The following `PackageReference` elements use a floating version or a version range instead of an exact version. The project file alone doesn't record which version is actually used; see the Dotnet entry under Unsupported artifacts. 

```
<PackageReference Include="ExamplePackage" Version="6.*" />
<PackageReference Include="ExamplePackage" Version="(4.1.3,)" />
<PackageReference Include="ExamplePackage" Version="(,5.0)" />
<PackageReference Include="ExamplePackage" Version="[1,3)" />
<PackageReference Include="ExamplePackage" Version="[1.3.2,1.5)" />
```

**Note**  
 Each of these files produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub Website. 
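The following is an added example, not code from the AWS documentation or from Sbomgen, that puts the two .NET project files side by side: `packages.lock.json` yields resolved versions (with the direct/transitive distinction the page describes) and produces `pkg:nuget/...` purls, while a `.csproj` `PackageReference` only yields a purl when its `Version` is an exact NuGet version; floating versions (`6.*`) and ranges (`[1.3.2,1.5)`) are reported as unresolved instead of being guessed. Both sample files are constructed for this example, the `Project` lock entry stands in for a project-to-project reference, and the function names are ours.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed packages.lock.json (not from a real project).
SAMPLE_PACKAGES_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net7.0": {
            "Microsoft.EntityFrameworkCore": {"type": "Direct", "requested": "[7.0.5, )", "resolved": "7.0.5",
                                               "dependencies": {"Microsoft.Extensions.Primitives": "7.0.0"}},
            "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"},
            "Microsoft.Extensions.Primitives": {"type": "Transitive", "resolved": "7.0.0"},
            "my-shared-lib": {"type": "Project"},
        }
    },
})

# Constructed .csproj mixing exact versions, a floating version, a range and a child <Version> element.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net7.0</TargetFramework>
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Microsoft.EntityFrameworkCore" Version="7.0.5" />
    <PackageReference Include="ExamplePackage" Version="6.*" />
    <PackageReference Include="OtherPackage" Version="[1.3.2,1.5)" />
    <PackageReference Include="PreviewPackage">
      <Version>2.0.0-preview.1</Version>
    </PackageReference>
  </ItemGroup>
</Project>"""

# An exact NuGet version: 2-4 numeric parts, optional pre-release and build metadata.
# Floating versions ("6.*") and ranges ("[1,3)", "(,5.0)") do not match and stay unresolved.
EXACT_VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$")


def nuget_purl(name, version):
    return f"pkg:nuget/{name}@{version}"


def parse_packages_lock(text):
    """Resolved packages from packages.lock.json, flagged as direct or transitive."""
    data = json.loads(text)
    packages = []
    for framework, deps in data.get("dependencies", {}).items():
        for name, info in deps.items():
            if "resolved" not in info:  # "Project" entries reference another project, not a package
                continue
            packages.append({
                "name": name, "version": info["resolved"], "framework": framework,
                "direct": info.get("type") == "Direct",
                "purl": nuget_purl(name, info["resolved"]),
            })
    return packages


def parse_csproj(text):
    """Split PackageReference elements into exactly pinned ones and ones that need a restore to resolve."""
    root = ET.fromstring(text)
    pinned, unresolved = [], []
    for ref in root.iter("PackageReference"):
        name = ref.get("Include")
        if name is None:
            continue
        # Version is usually an attribute, but MSBuild also accepts it as a child element.
        version = ref.get("Version") or (ref.findtext("Version") or "").strip()
        if EXACT_VERSION_RE.match(version):
            pinned.append({"name": name, "version": version, "purl": nuget_purl(name, version)})
        else:
            unresolved.append({"name": name, "specifier": version or "(none)"})
    return pinned, unresolved


if __name__ == "__main__":
    for p in parse_packages_lock(SAMPLE_PACKAGES_LOCK):
        print(("direct " if p["direct"] else "transitive ") + p["purl"])
    pinned, unresolved = parse_csproj(SAMPLE_CSPROJ)
    print("unresolved:", [(u["name"], u["specifier"]) for u in unresolved])
```

When both files are present, prefer the lock file: it is the only one of the two that records what `dotnet restore` actually installed, including transitive packages the `.csproj` never names.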

## PHP dependency scanning
<a name="w2aac37c23c13"></a>


| Programming language | Package manager | Supported artifacts | Toolchain support | Development dependencies | Transitive dependencies | Private flag | Recursively | 
| --- | --- | --- | --- | --- | --- | --- | --- | 
| PHP | Composer | `composer.lock` | N/A | N/A | Yes | N/A | Yes | 
| PHP | Composer | `/vendor/composer/installed.json` | N/A | N/A | Yes | N/A | Yes | 

### composer.lock
<a name="w2aac37c23c13b5"></a>

 The `composer.lock` file is generated automatically when you run `composer install` or `composer update`. It guarantees that the same versions of dependencies are installed in every environment, which gives a consistent and reliable build. 

**Key features**
+  Parses the JSON format for structured data 
+  Extracts dependency names and versions 

**Example `composer.lock` file**  
 The following is an example of a `composer.lock` file. 

```
{
"packages": [
    {
        "name": "nesbot/carbon",
        "version": "2.53.1",
        // TRUNCATED
    },
    {
        "name": "symfony/deprecation-contracts",
        "version": "v3.2.1",
        // TRUNCATED
    },
    {
        "name": "symfony/polyfill-mbstring",
        "version": "v1.27.0",
        // TRUNCATED
    }
]
// TRUNCATED
}
```

**Note**  
 This produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub Website. 

### /vendor/composer/installed.json
<a name="w2aac37c23c13b7"></a>

 The `/vendor/composer/installed.json` file is located in the `vendor/composer` directory and provides a comprehensive list of all installed packages and package versions. 

**Key features**
+  Parses the JSON format for structured data 
+  Extracts dependency names and versions 

**Example `/vendor/composer/installed.json` file**  
 The following is an example of a `/vendor/composer/installed.json` file. 

```
{
"packages": [
    {
        "name": "nesbot/carbon",
        "version": "2.53.1",
        // TRUNCATED
    },
    {
        "name": "symfony/deprecation-contracts",
        "version": "v3.2.1",
        // TRUNCATED
    },
    {
        "name": "symfony/polyfill-mbstring",
        "version": "v1.27.0",
        // TRUNCATED
    }
]
// TRUNCATED
}
```

**Note**  
 This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub Website. 

## Python dependency scanning
<a name="w2aac37c23c15"></a>


| Programming language | Package manager | Supported artifacts | Toolchain support | Development dependencies | Transitive dependencies | Private flag | Recursively | 
| --- | --- | --- | --- | --- | --- | --- | --- | 
| Python | `pip` | `requirements.txt` | N/A | N/A | N/A | N/A | Yes | 
| Python | `Poetry` | `Poetry.lock` | N/A | N/A | N/A | N/A | Yes | 
| Python | `Pipenv` | `Pipfile.lock` | N/A | N/A | N/A | N/A | Yes | 
| Python | `uv` | `uv.lock` | N/A | Yes | N/A | N/A | Yes | 
| Python | `Egg/Wheel` | `.egg-info/PKG-INFO` | N/A | N/A | N/A | N/A | Yes | 
| Python | `Egg/Wheel` | `.dist-info/METADATA` | N/A | N/A | N/A | N/A | Yes | 

### requirements.txt
<a name="w2aac37c23c15b5"></a>

 The `requirements.txt` file is a widely used format in Python projects to specify project dependencies. Each line in this file includes a package with its version constraints. The Amazon Inspector SBOM Generator parses this file to identify and catalog dependencies accurately. 

**Key features**
+  Supports the version specifiers `==` and `~=` 
+  Supports comments and complex dependency lines 

**Note**  
 The range specifiers `<=` and `>=` aren't supported, because they don't identify a single resolved version. 

**Example `requirements.txt` file**  
 The following is an example of a `requirements.txt` file. 

```
flask==1.1.2
requests==2.24.0
numpy==1.18.5
foo~=1.2.0
# Comment about a dependency
scipy. # invalid
```

**Note**  
 This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub Website. 

### Pipfile.lock
<a name="w2aac37c23c15b9"></a>

 Pipenv is a Python dependency manager that records resolved dependencies in a lock file. The `Pipfile.lock` file locks the exact versions of dependencies to facilitate deterministic builds. The Amazon Inspector SBOM Generator reads this file to list dependencies and their resolved versions. 

**Key features**
+  Parses the JSON format for dependency resolution 
+  Supports default and development dependencies 

**Example `Pipfile.lock` file**  
 The following is an example of a `Pipfile.lock` file. 

```
{
"default": {
    "requests": {
        "version": "==2.24.0",
        "hashes": [
            "sha256:cc718bb187e53b8d"
        ]
    }
},
"develop": {
    "blinker": {
        "hashes": [
            "sha256:1779309f71bf239144b9399d06ae925637cf6634cf6bd131104184531bf67c01",
            "sha256:8f77b09d3bf7c795e969e9486f39c2c5e9c39d4ee07424be2bc594ece9642d83"
        ],
        "markers": "python_version >= '3.8'",
        "version": "==1.8.2"
    }
}
}
```

**Note**  
 This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub Website. 
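The following is an added example, not code from the AWS documentation or from Sbomgen, that applies the rules the two Python sections above describe: a `requirements.txt` line is only a resolved package when its specifier is `==` or `~=` (range specifiers, wildcards and malformed lines are reported separately rather than guessed), names are normalized the way PyPI does before they go into a `pkg:pypi/...` purl, and a `Pipfile.lock` contributes both its `default` and `develop` sections with the latter flagged as development dependencies. Recording a `~=` requirement as its lower bound is an assumption made here, not documented Sbomgen behaviour; both sample files are constructed and the function names are ours.

```python
import json
import re

# Constructed requirements.txt exercising the supported (==, ~=) and unsupported specifier forms.
SAMPLE_REQUIREMENTS = """\
flask==1.1.2
requests[security]==2.24.0 ; python_version >= "3.8"
numpy>=1.18.5            # lower bound only, not a resolved version
foo~=1.2.0
Flask_SQLAlchemy == 2.5.1
-r base.txt
# Comment about a dependency
scipy. # invalid
"""

# Constructed Pipfile.lock with a default entry, a develop entry and an unpinned VCS entry.
SAMPLE_PIPFILE_LOCK = json.dumps({
    "default": {
        "requests": {"version": "==2.24.0", "hashes": ["sha256:cc718bb187e53b8d"]},
        "mypkg": {"git": "https://example.com/mypkg.git", "ref": "0123abcd"},
    },
    "develop": {
        "blinker": {"version": "==1.8.2", "markers": "python_version >= '3.8'", "hashes": []},
    },
})

REQ_LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"   # project name
    r"(?:\[[^\]]*\])?"                          # optional extras such as [security]
    r"\s*(?P<op>==|~=|>=|<=|!=|>|<)\s*"         # version operator
    r"(?P<version>[A-Za-z0-9.*+!-]+)"           # version, possibly a wildcard such as 1.2.*
    r"\s*(?:;.*)?$"                             # optional environment marker
)


def normalize_name(name):
    """PEP 503 normalization: lowercase, with runs of '-', '_' and '.' collapsed to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def pypi_purl(name, version):
    return f"pkg:pypi/{normalize_name(name)}@{version}"


def parse_requirements(text):
    """Return (pinned, unresolved, skipped) for a requirements.txt.

    pinned: == and ~= lines with a concrete version (~= is recorded as its lower bound).
    unresolved: lines whose specifier leaves a range (>=, <=, >, <, != or a wildcard).
    skipped: lines the grammar above does not accept, kept verbatim for review.
    """
    pinned, unresolved, skipped = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):     # blank line, or a pip option such as -r / -e / --index-url
            continue
        m = REQ_LINE_RE.match(line)
        if not m:
            skipped.append(raw.strip())
            continue
        name, op, version = normalize_name(m["name"]), m["op"], m["version"]
        if op in ("==", "~=") and "*" not in version:
            pinned.append({"name": name, "version": version, "specifier": op,
                           "purl": pypi_purl(name, version)})
        else:
            unresolved.append({"name": name, "specifier": f"{op}{version}"})
    return pinned, unresolved, skipped


def parse_pipfile_lock(text):
    """Pinned packages from Pipfile.lock; 'develop' entries are flagged as development dependencies."""
    data = json.loads(text)
    packages = []
    for section, dev in (("default", False), ("develop", True)):
        for name, info in data.get(section, {}).items():
            spec = info.get("version", "")
            if not spec.startswith("=="):        # VCS / editable entries carry no pinned version
                continue
            version = spec[2:]
            packages.append({"name": normalize_name(name), "version": version, "dev": dev,
                             "hashes": info.get("hashes", []), "purl": pypi_purl(name, version)})
    return packages


if __name__ == "__main__":
    pinned, unresolved, skipped = parse_requirements(SAMPLE_REQUIREMENTS)
    print([p["purl"] for p in pinned], unresolved, skipped)
    print([(p["purl"], p["dev"]) for p in parse_pipfile_lock(SAMPLE_PIPFILE_LOCK)])
```

Keeping the unresolved and skipped lines in the output matters operationally: a requirement that silently disappears from the SBOM is a package that never gets matched against advisories.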

### Poetry.lock
<a name="w2aac37c23c15c11"></a>

 Poetry is a dependency management and packaging tool for Python. The `Poetry.lock` file locks exact versions of dependencies to facilitate consistent environments. The Amazon Inspector SBOM Generator extracts detailed dependency information from this file. 

**Key features**
+  Parses the TOML format for structured data 
+  Extracts dependency names and versions 

**Example `Poetry.lock` file**  
 The following is an example of a `Poetry.lock` file. 

```
[[package]]
name = "flask"
version = "1.1.2"
description = "A simple framework for building complex web applications."
category = "main"
optional = false
python-versions = ">=3.5"
[[package]]
name = "requests"
version = "2.24.0"
description = "Python HTTP for Humans."
category = "main"
optional = false
python-versions = ">=3.5"
```

**Note**  
 This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub Website. 

### uv.lock
<a name="w2aac37c23c15c13"></a>

 uv is a fast Python package manager written in Rust. The `uv.lock` file locks exact versions of dependencies to facilitate consistent environments. The Amazon Inspector SBOM Generator extracts detailed dependency information from this file. 

**Key features**
+  Parses the TOML formatted `uv.lock` for structured data 
+  Extracts dependency names and versions 
+  Supports development dependencies 
+  Collects only packages where the source is a registry 

**Example `uv.lock` file**  
 The following is an example of a `uv.lock` file. 

```
version = 1
requires-python = ">=3.12"

[[package]]
name = "flask"
version = "3.1.0"
source = { registry = "https://pypi.org/simple" }
dependencies = [
    { name = "blinker" },
    { name = "click" },
    { name = "itsdangerous" },
    { name = "jinja2" },
    { name = "markupsafe" },
    { name = "werkzeug" },
]

[[package]]
name = "pytest"
version = "8.3.4"
source = { registry = "https://pypi.org/simple" }
dependencies = [
    { name = "iniconfig" },
    { name = "packaging" },
    { name = "pluggy" },
]

[package.dev-dependencies]
dev = [
    { name = "pytest" },
]
```

**Note**  
 This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub Website. 

### Egg/Wheel
<a name="w2aac37c23c15c15"></a>

 For globally installed Python packages, the Amazon Inspector SBOM Generator parses the `PKG-INFO` file inside each `.egg-info` directory and the `METADATA` file inside each `.dist-info` directory. These files provide detailed metadata about installed packages. 

**Key features**
+  Extracts the package name and version 
+  Supports both egg and wheel formats 

**Example `PKG-INFO/METADATA` file**  
 The following is an example of a `PKG-INFO/METADATA` file. 

```
Metadata-Version: 1.2
Name: Flask
Version: 1.1.2
Summary: A simple framework for building complex web applications.
Home-page: https://palletsprojects.com/p/flask/
```

**Note**  
 This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub Website. 

## Ruby dependency scanning
<a name="w2aac37c23c17"></a>


| Programming language | Package manager | Supported artifacts | Toolchain support | Development dependencies | Transitive dependencies | Private flag | Recursively | 
| --- | --- | --- | --- | --- | --- | --- | --- | 
| Ruby | Bundler | `Gemfile.lock` | N/A | N/A | Yes | N/A | Yes | 
| Ruby | Bundler | `.gemspec` | N/A | N/A | N/A | N/A | Yes | 
| Ruby | Bundler | `globally installed Gems` | N/A | N/A | N/A | N/A | Yes | 

### Gemfile.lock
<a name="w2aac37c23c17b5"></a>

 The `Gemfile.lock` file locks exact versions of all dependencies to make sure the same versions are used in every environment. 

**Key features**
+  Parses the `Gemfile.lock` file to identify dependencies and dependency versions 
+  Extracts detailed package names and package versions 

**Example `Gemfile.lock` file**  
 The following is an example of a `Gemfile.lock` file. 

```
GEM
  remote: https://rubygems.org/
  specs:
    ast (2.4.2)
    awesome_print (1.9.2)
    diff-lcs (1.5.0)
    json (2.6.3)
    parallel (1.22.1)
    parser (3.2.2.0)
    nokogiri (1.16.6-aarch64-linux)
```

**Note**  
 This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub Website. 
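The following is an added example, not code from the AWS documentation or from Sbomgen, that parses a `Gemfile.lock` by its indentation: top-level section names (`GEM`, `GIT`, `PATH`, `DEPENDENCIES`), the `remote:` of each section, four-space `name (version)` spec lines, and six-space lines that are a spec's own dependencies. Two details the page's example hints at are handled explicitly: a platform-specific gem such as `nokogiri (1.16.6-aarch64-linux)` is split into version `1.16.6` and a `platform` purl qualifier, and gems from `GIT` or `PATH` sections are returned separately because they are not registry packages. The lockfile is constructed for this example and the function names are ours.

```python
import re

# Constructed Gemfile.lock: a GEM section, a GIT section and the usual trailer.
SAMPLE_GEMFILE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    ast (2.4.2)
    parser (3.2.2.0)
      ast (~> 2.4.1)
    nokogiri (1.16.6-aarch64-linux)
      racc (~> 1.4)
    racc (1.7.3)

GIT
  remote: https://git.example.com/private-gem.git
  revision: 0123456789abcdef0123456789abcdef01234567
  specs:
    private-gem (0.1.0)

PLATFORMS
  aarch64-linux

DEPENDENCIES
  ast
  nokogiri
  parser
  private-gem!

BUNDLED WITH
   2.5.9
"""

SPEC_RE = re.compile(r"^    (?P<name>\S+) \((?P<spec>[^)]+)\)$")     # 4-space indent: a resolved gem
DEP_RE = re.compile(r"^      (?P<name>\S+)(?: \(.*\))?$")            # 6-space indent: a dependency of it
# A RubyGems version optionally followed by a platform suffix, e.g. 1.16.6-aarch64-linux
VERSION_RE = re.compile(r"^(?P<version>[0-9][0-9A-Za-z.]*)(?:-(?P<platform>[0-9A-Za-z_-]+))?$")


def gem_purl(name, version, platform=None):
    purl = f"pkg:gem/{name}@{version}"
    return f"{purl}?platform={platform}" if platform else purl


def parse_gemfile_lock(text):
    """Return (gems, skipped): gems from GEM (registry) sections, and specs from GIT/PATH sections."""
    gems, skipped = [], []
    section, remote, current = None, None, None
    for line in text.splitlines():
        if line and not line[0].isspace():       # section header: GEM, GIT, PATH, PLATFORMS, ...
            section, remote, current = line.strip(), None, None
            continue
        stripped = line.strip()
        if stripped.startswith("remote:"):
            remote = stripped.split(":", 1)[1].strip()
            continue
        m = SPEC_RE.match(line)
        if m:
            vm = VERSION_RE.match(m["spec"])
            if not vm:
                continue
            current = {"name": m["name"], "version": vm["version"], "platform": vm["platform"],
                       "remote": remote, "dependencies": []}
            if section == "GEM":
                current["purl"] = gem_purl(m["name"], vm["version"], vm["platform"])
                gems.append(current)
            else:
                skipped.append(current)          # GIT / PATH gems are not registry packages
            continue
        m = DEP_RE.match(line)
        if m and current is not None:
            current["dependencies"].append(m["name"])
    return gems, skipped


if __name__ == "__main__":
    gems, skipped = parse_gemfile_lock(SAMPLE_GEMFILE_LOCK)
    for g in gems:
        print(g["purl"], "->", g["dependencies"])
    print("not from a registry:", [s["name"] for s in skipped])
```

The `remote` is kept on each gem so that a lockfile pointing at a private gem server can be distinguished from one resolved against rubygems.org before its purls are sent for matching.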

### .gemspec
<a name="w2aac37c23c17b7"></a>

 The `.gemspec` file is a RubyGem file containing metadata about a gem. The Amazon Inspector SBOM Generator parses this file to collect detailed information about a gem. 

**Key features**
+  Parses and extracts the gem name and gem version 

**Note**  
 A name or version assigned by reference (for example, from a variable or constant rather than a string literal) isn't supported. 

**Example `.gemspec` file**  
 The following is an example of a `.gemspec` file. 

```
Gem::Specification.new do |s|
s.name        = "generategem"
s.version     = "2.0.0"
s.date        = "2020-06-12"
s.summary     = "generategem"
s.description = "A Gemspec Builder"
s.email       = "edersondeveloper@gmail.com"
s.files       = ["lib/generategem.rb"]
s.homepage    = "https://github.com/edersonferreira/generategem"
s.license     = "MIT"
s.executables = ["generategem"]
s.add_dependency('colorize', '~> 0.8.1')
end
```

```
# Not supported 

Gem::Specification.new do |s|
s.name        = &class1
s.version     = &foo.bar.version
```

**Note**  
 This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub Website. 

### Globally installed gems
<a name="w2aac37c23c17b9"></a>

 The Amazon Inspector SBOM Generator supports scanning globally installed gems, which are located in standard directories, such as `/usr/local/lib/ruby/gems/<ruby_version>/gems/` in Amazon EC2/Amazon ECR and `ruby/gems/<ruby_version>/gems/` in Lambda. This makes sure all globally installed dependencies are identified and cataloged. 

**Key features**
+  Identifies and scans all globally installed gems in standard directories 
+  Extracts metadata and version information for each globally installed gem 

**Example directory structure**  
 The following is an example of a directory structure. 

```
.
└── /usr/local/lib/ruby/gems/3.5.0/gems/
    ├── activesupport-6.1.4
    ├── concurrent-ruby-1.1.9
    └── i18n-1.8.10
```

**Note**  
 This structure produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub Website. 

## Rust dependency scanning
<a name="w2aac37c23c19"></a>


| Programming language | Package manager | Supported artifacts | Toolchain support | Development dependencies | Transitive dependencies | Private flag | Recursively | 
| --- | --- | --- | --- | --- | --- | --- | --- | 
| Rust | Cargo | `Cargo.toml` | N/A | N/A | N/A | N/A | Yes | 
| Rust | Cargo | `Cargo.lock` | N/A | N/A | Yes | N/A | Yes | 
| Rust | Cargo | `Rust binary (built with cargo-auditable)` | Yes | N/A | N/A | N/A | Yes | 

### Cargo.toml
<a name="w2aac37c23c19b5"></a>

 The `Cargo.toml` file is the manifest file for Rust projects. 

**Key features**
+  Parses the `Cargo.toml` file to identify the project's package name and version. 

**Example `Cargo.toml` file**  
 The following is an example of a `Cargo.toml` file. 

```
[package]
name = "wait-timeout"
version = "0.2.0"
description = "A crate to wait on a child process with a timeout specified across Unix and\nWindows platforms.\n"
homepage = "https://github.com/alexcrichton/wait-timeout"
documentation = "https://docs.rs/wait-timeout"
readme = "README.md"
categories = ["os"]
license = "MIT/Apache-2.0"
repository = "https://github.com/alexcrichton/wait-timeout"
[target."cfg(unix)".dependencies.libc]
version = "0.2"
[badges.appveyor]
repository = "alexcrichton/wait-timeout"
```

**Note**  
 This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub Website. 

### Cargo.lock
<a name="w2aac37c23c19b7"></a>

 The `Cargo.lock` file locks dependency versions to make sure the same versions are used whenever a project is built. 

**Key features**
+  Parses the `Cargo.lock` file to identify all dependencies and dependency versions. 

**Example `Cargo.lock` file**  
 The following is an example of a `Cargo.lock` file. 

```
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
[[package]]
name = "adler32"
version = "1.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "aho-corasick"
version = "0.7.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
```

**Note**  
 This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub Website. 

### Rust binaries with cargo-auditable
<a name="w2aac37c23c19b9"></a>

 The Amazon Inspector SBOM Generator collects dependencies from Rust binaries built with the `cargo-auditable` tool, which embeds the dependency list in the compiled binary. This allows dependency extraction from compiled binaries without access to the source tree. 

**Key features**
+  Extracts dependency information directly from Rust binaries built with `cargo-auditable` 
+  Retrieves metadata and version information for dependencies included in the binaries 

**Note**  
 These binaries produce an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub Website. 

## Unsupported artifacts
<a name="w2aac37c23c21"></a>

 This section describes unsupported artifacts. 

### Java
<a name="w2aac37c23c21b5"></a>

 The Amazon Inspector SBOM Generator only supports vulnerability detection for dependencies sourced from [the mainstream Maven repository](https://repo1.maven.org/maven2) (Maven Central). Private or custom Maven repositories, such as Red Hat Maven and Jenkins, aren't supported. For accurate vulnerability detection, make sure Java dependencies are pulled from the mainstream Maven repository. Dependencies from other repositories aren't covered in vulnerability scans. 

### JavaScript
<a name="w2aac37c23c21b7"></a>

**esbuild bundles**  
 The Amazon Inspector SBOM Generator doesn't support dependency scanning for projects bundled and minified with esbuild. Source maps generated by esbuild don't include sufficient metadata (dependency names and versions) for accurate SBOM generation. For reliable results, scan the original project files, such as the `node_modules/` directory and `package-lock.json`, before bundling. 

**package.json**  
 The Amazon Inspector SBOM Generator doesn't support scanning the root-level `package.json` file for dependency information. This file only specifies package names and version ranges, not fully resolved package versions. For accurate scanning results, use lock files that record resolved versions, such as `package-lock.json`, `yarn.lock`, and `pnpm-lock.yaml`. 

### Dotnet
<a name="w2aac37c23c21b9"></a>

 When a `PackageReference` uses a floating version (such as `6.*`) or a version range (such as `[1.3.2,1.5)`), the exact package version used by the project can't be determined from the project file without performing package resolution. Floating versions and version ranges let developers specify a set of acceptable package versions rather than a fixed version. To record resolved versions, enable `RestorePackagesWithLockFile` in the project so that NuGet writes a `packages.lock.json`, which the Amazon Inspector SBOM Generator does support. 

### Go binaries
<a name="w2aac37c23c21c11"></a>

 The Amazon Inspector SBOM Generator doesn't scan Go binaries built with flags that strip the build ID. Without the build ID, the generator can't map the binary back to its original source or extract package information, so such binaries aren't supported. For accurate dependency scanning, build Go binaries with the default settings, which keep the build ID. 

### Rust binaries
<a name="w2aac37c23c21c13"></a>

 The Amazon Inspector SBOM Generator only scans Rust binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable). Rust binaries built without it lack the metadata needed for dependency extraction. The Amazon Inspector SBOM Generator also extracts the Rust toolchain version a binary was compiled with, starting from Rust 1.73, but only for binaries built for Linux. For comprehensive scanning, build Rust binaries on Linux using cargo-auditable. 

**Note**  
 Vulnerability detection for the Rust toolchain itself isn't supported, even if the toolchain version is extracted. 

# Amazon Inspector SBOM Generator comprehensive ecosystem collection
<a name="sbom-generator-ecosystem-collection"></a>

 The Amazon Inspector SBOM Generator is a tool for creating a software bill of materials (SBOM) and performing vulnerability scanning for supported packages from operating systems and programming languages. It supports the scanning of various ecosystems beyond core operating systems, ensuring a robust and detailed analysis of infrastructure components. By generating an SBOM, you can understand the composition of modern technology stacks, identify vulnerabilities in ecosystem components, and gain visibility into third-party software. 

## Supported ecosystems
<a name="w2aac37c25b5"></a>

 The ecosystem collection extends SBOM generation beyond packages installed through OS package managers. This is done through the collection of applications deployed in alternative methods, such as manual installation. The Amazon Inspector SBOM Generator supports scanning for the following ecosystems: 


| Ecosystems | Applications | 
| --- | --- | 
|   7-Zip   |   7-Zip archiver (version 21.07 and higher)   | 
|  Apache  |  Apache httpd Apache tomcat  | 
|  Atlassian  |  Jira Core Confluence Jira Software Jira Service Management  | 
| Curl |  Curl Libcurl  | 
| Elasticsearch | Elasticsearch | 
|  Google  |  Chrome  | 
|  HuggingFace  |  HuggingFace CLI Models Cache  | 
|  Java  |  JDK JRE Amazon Corretto  | 
|   Jenkins   |   Jenkins (version 2.400.\$1 and higher)   | 
|  MariaDB and MySQL  |  MariaDB Server (10.6\$1, 11.x, 12.x) Oracle MySQL Server (8.0, 8.4, 9.4\$1)  | 
|  Microsoft applications  |  PowerShell NuGet CLI Visual Studio Code Microsoft Edge SharePoint Server Microsoft Defender Exchange Server Visual Studio .NET Core Runtime .NET Framework ASP.NET Core Runtime Microsoft Teams Outlook for Windows Microsoft Office Microsoft 365  | 
|  Microsoft SQL Server  |  Microsoft SQL Server  | 
|  MongoDB  |  MongoDB Server (7.0\$1, 8.0\$1)  | 
|  Nginx  |  Nginx  | 
|  Node  |  Node  | 
|  Node.JS  |  node  | 
|  OpenSSH  |  OpenSSH (versions 9 and 10)  | 
|  OpenSSL  |  OpenSSL  | 
|  Oracle  |  Oracle Database Server  | 
|   PHP   |   PHP (version 8.1 and higher)   | 
|   Redis   |   Redis (version 7.2 and higher)   | 
|  WordPress  |  core plugin theme  | 

## 7-Zip ecosystem collection
<a name="w2aac37c25b7"></a>

**Supported applications**
+  7-Zip archiver (version 21.07 or higher) 

**Key features**
+  Examines 7-Zip binaries to extract the embedded version information. 

**Note**  
 Specifically, it reads the product version value embedded in the binary. 

**Supported platforms – Windows**
+  `C:/Program Files/7-Zip/7z.exe` 
+  `C:/Program Files/7-Zip/7za.exe` 
+  `C:/Program Files/7-Zip/7zz.exe` 
+  `C:/Program Files/7-Zip/7zr.exe` 
+  `C:/Program Files (x86)/7-Zip/7z.exe` 
+  `C:/Program Files (x86)/7-Zip/7za.exe` 
+  `C:/Program Files (x86)/7-Zip/7zz.exe` 
+  `C:/Program Files (x86)/7-Zip/7zr.exe` 

**Example PURL**  
 The following is an example package URL for 7-Zip. 

```
pkg:generic/7zip/7zip@25.01
```

## Apache ecosystem collection
<a name="w2aac37c25b9"></a>

 This section provides details about the Apache httpd and Apache tomcat applications. 

### Apache httpd
<a name="w2aac37c25b9b5"></a>

**Supported applications**
+  Apache httpd 

**Note**  
 Vulnerability evaluation only applies to Apache httpd version 2.0 and higher. 

**Key features**
+  Parses the `/include/ap_release.h` file to extract the version macros that define the major, minor, and patch version numbers. 

**Supported platforms**  
 The Amazon Inspector SBOM Generator scans for installations in common installation paths across platforms: 

**Unix**
+  `/usr/local/apache2/include/` 

**Windows**
+  `/Apache24/include/` 
+  `/Program Files/Apache24/include/` 
+  `/Program Files (x86)/Apache24/include/` 

**Example `ap_release.h` file**  
 The following is an example of content inside an `ap_release.h` file. 

```
//truncated

#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
#define AP_SERVER_BASEPROJECT "Apache HTTP Server"
#define AP_SERVER_BASEPRODUCT "Apache"

#define AP_SERVER_MAJORVERSION_NUMBER 2
#define AP_SERVER_MINORVERSION_NUMBER 4
#define AP_SERVER_PATCHLEVEL_NUMBER   1
#define AP_SERVER_DEVBUILD_BOOLEAN    0

//truncated
```

**Example PURL**  
 The following is an example package URL for an `Apache httpd` application. 

```
Sample PURL: pkg:generic/apache/httpd@2.4.1
```

### Apache tomcat
<a name="w2aac37c25b9b7"></a>

**Supported applications**
+  Apache tomcat 

**Note**  
 Vulnerability evaluation only applies to Apache tomcat version 9.0 and higher. 

**Key features**
+  Unpacks the `catalina.jar` file to extract installation macros inside the `META-INF/MANIFEST.MF` file, which contains the version string. 

**Supported platforms**  
 The Amazon Inspector SBOM Generator scans for installations in common installation paths across platforms: 

**Linux**
+  `/opt/tomcat/lib/` 
+  `/usr/share/tomcat/lib` 
+  `/var/lib/tomcat/lib/` 

**macOS**
+  `/Library/Tomcat/lib/` 
+  `/usr/local/tomcat/lib` 

**Windows**
+  `/Program Files/Apache Software Foundation` 
+  `/Program Files (x86)/Apache Software Foundation/` 

**Example `catalina.jar/META-INF/MANIFEST.MF` file**  
 The following is an example of content inside a `catalina.jar/META-INF/MANIFEST.MF` file. 

```
//truncated

Implementation-Title: Apache Tomcat
Implementation-Vendor: Apache Software Foundation
Implementation-Version: 10.1.31

//truncated
```

**Example PURL**  
 The following is an example package URL for an `Apache tomcat` application. 

```
Sample PURL: pkg:generic/apache/tomcat@10.1.31
```

## Atlassian ecosystem collection
<a name="w2aac37c25c11"></a>

 This section provides details about Atlassian server products and applications. 

### Atlassian Server Products
<a name="w2aac37c25c11b5"></a>

**Supported applications**
+ Jira Core
+ Confluence

**Key features**
+  Jira Core – Parses Maven POM properties from `atlassian-jira-webapp` to extract version information. 
+  Confluence – Parses Maven POM properties from `confluence-webapp` to extract version information. 

**Supported platforms**  
 The Amazon Inspector SBOM Generator scans for installations in common installation paths: 

**Linux**
+  `/opt/atlassian/jira/atlassian-jira/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties` 
+  `/opt/atlassian/confluence/confluence/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties` 

**Example PURL**  
 The following are example package URLs for Atlassian server products. 

```
// Jira Core
pkg:generic/atlassian/jira-core@10.0.1?distro=linux

// Confluence
pkg:generic/atlassian/confluence@9.2.7?distro=linux
```

### Atlassian Applications
<a name="w2aac37c25c11b7"></a>

**Supported applications**
+ Jira Software
+ Jira Service Management

**Key features**
+  Jira Software – Detects via `jira-software-application` JAR and extracts version from Maven POM properties. 
+  Jira Service Management – Detects via `jira-servicedesk-application` JAR and extracts version from Maven POM properties. 

**Supported platforms**  
 The Amazon Inspector SBOM Generator scans for installations in common installation paths: 

**Linux**
+  `/opt/atlassian/jira/atlassian-jira/WEB-INF/application-installation/jira-software-application/jira-software-application-*.jar` 
+  `/opt/atlassian/jira/atlassian-jira/WEB-INF/application-installation/jira-servicedesk-application/jira-servicedesk-application-*.jar` 

**Example PURL**  
 The following are example package URLs for Atlassian applications. 

```
// Jira Software
pkg:generic/atlassian/jira-software@10.3.9?distro=linux

// Jira Service Management
pkg:generic/atlassian/jira-service-management@10.3.9?distro=linux
```

## Curl ecosystem collection
<a name="w2aac37c25c13"></a>

 This section provides details about Curl and Libcurl applications. 

### Curl
<a name="w2aac37c25c13b5"></a>

**Supported applications**
+  Curl 

**Supported platforms**
+  Unix – Linux and macOS 
  +  /usr/local/bin/curl 

**Key features – Curl**
+  Examines curl binaries to extract the embedded version information. 

**Note**  
 Specifically, it searches for version strings in the binary executable `.rodata` section (for ELF binaries on Linux), `.rdata` section (for PE binaries on Windows), or `__cstring` section (for MachO binaries on macOS). 

**Curl version string**  
 The following is an example of a version string embedded in a Curl binary: 

```
curl/8.14.1
```

 Version `8.14.1` is extracted from the string to identify the `Curl` version. 

**Example PURL (Curl)**  
 The following is an example package URL for a `Curl` version file. 

```
Sample PURL: pkg:generic/curl/curl@8.14.1
```

### Libcurl
<a name="w2aac37c25c13b7"></a>

**Supported applications**
+  Libcurl 

**Supported platforms**
+  Unix – Linux and macOS 
  +  /usr/local/bin/curl/curlver.h 

**Key features – Libcurl**
+  Examines curlver.h to extract embedded version information for Libcurl. 

**Note**  
 Specifically, it extracts the version from the defined `LIBCURL_VERSION_MAJOR`, `LIBCURL_VERSION_MINOR`, and `LIBCURL_VERSION_PATCH` variables. 

**Libcurl version string**  
 The following is an example of the version variables in a `curlver.h` file: 

```
#define LIBCURL_VERSION_MAJOR 8
#define LIBCURL_VERSION_MINOR 14
#define LIBCURL_VERSION_PATCH 1
```

 Version `8.14.1` is extracted from these lines to identify the `Libcurl` version. 

**Example PURL (Libcurl)**  
 The following is an example package URL for a `Libcurl` version file. 

```
Sample PURL: pkg:generic/curl/libcurl@8.14.1
```

## Elasticsearch ecosystem collection
<a name="w2aac37c25c15"></a>

**Supported applications**
+  Elasticsearch 

**Note**  
 Vulnerability evaluation only applies to Elasticsearch version 7.17.0. 

**Key features**
+  **Version** – Unpacks the `elasticsearch-<specific.version>.jar` file to extract installation macros inside of `META-INF/MANIFEST.MF` files, which contain the Elasticsearch version string. 

**Supported platforms**
+  **Linux** – `/etc/elasticsearch/lib`, `/opt/elasticsearch/lib/`, and `/usr/share/elasticsearch/lib/` 
+  **macOS** – `/usr/local/var/lib/elasticsearch/lib/` 
+  **Windows** – `/elasticsearch/`, `/Program Files (x86)/Elastic/elasticsearch/lib/`, and `/Program Files/Elastic/elasticsearch/lib/` 

**Example `elasticsearch-<specific.version>.jar/META-INF/MANIFEST.MF` file**  
 The following is an example of an `elasticsearch-<specific.version>.jar/META-INF/MANIFEST.MF` file. 

```
//truncated

Manifest-Version: 1.0
Module-Origin: git@github.com:elastic/elasticsearch.git
X-Compile-Elasticsearch-Version: 8.19.0-SNAPSHOT
X-Compile-Lucene-Version: 9.12.1
X-Compile-Elasticsearch-Snapshot: true

//truncated
```

**Example PURL**  
 The following is an example package URL for an `elasticsearch-<specific.version>.jar/META-INF/MANIFEST.MF` file. 

```
pkg:generic/elastic/elasticsearch@8.19.0-SNAPSHOT
```

## Google ecosystem collection
<a name="w2aac37c25c17"></a>

**Supported applications**
+  Google Chrome 
+  Puppeteer (supports the puppeteer library; puppeteer-core is not included) 

**Note**  
 Puppeteer supports the puppeteer library. Puppeteer core is not included. 

**Supported artifacts**  
 Amazon Inspector collects Google Chrome information from the following: 
+  The `chrome/VERSION` file (build source) 
+  The `chrome.exe` file (Windows Chrome installation) 
+  The `puppeteer` file (installation) 

 For each of the supported artifacts, Sbomgen parses and collects either the Chrome file or the puppeteer file. For puppeteer installations, the corresponding Chromium version is collected based on the puppeteer version. For more information, see [Supported browsers](https://pptr.dev/supported-browsers) on the Puppeteer website. 

 When the `PUPPETEER_SKIP_CHROMIUM_DOWNLOAD` environment variable is set to `true`, evaluation is skipped, and the `skip_chromium_download=true` qualifier is added to the Puppeteer package URL. 

**Example `chrome/VERSION` version file**  
 The following is an example of the `chrome/VERSION` version file. 

```
MAJOR=130
MINOR=0
BUILD=6723
PATCH=58
```

**Example PURL**  
 The following is an example package URL for a `chrome/VERSION` version file. 

```
Sample PURL: pkg:generic/google/chrome@131.0.6778.87
```

**Example `puppeteer` version file**  
 The following is an example of the `puppeteer` version file. 

```
{
"name": "puppeteer",
"version": "23.9.0",
"description": "A high-level API to control headless Chrome over the DevTools Protocol",
"keywords": [
  "puppeteer",
  "chrome",
  "headless",
  "automation"
]
}
```

**Example PURL**  
 The following is an example package URL for a `puppeteer` version file. 

```
Sample PURL: pkg:generic/google/puppeteer@23.9.0
```

**Example PURL**  
 The following is an example package URL with skip qualifier for a `puppeteer` version file. 

```
pkg:generic/google/puppeteer@22.15.0?distro=linux&skip_chromium_download=true
```

## HuggingFace ecosystem collection
<a name="w2aac37c25c19"></a>

**Supported applications**
+  HuggingFace `hf` CLI 

**Key features**
+  Extracts locally cached AI/ML models installed by HuggingFace 
+  Generates HuggingFace Package URLs 
+  Models downloaded using `hf download --local-dir` are not currently supported 

**Example path**  
 The following is an example of a cached HuggingFace model path. 

```
/home/ec2-user/.cache/huggingface/hub/models--MiniMaxAI--MiniMax-M2.5/snapshots/<hash>
```

**Example PURL**  
 The following is an example package URL for a HuggingFace model. The component type is `machine-learning-model`. 

```
pkg:huggingface/MiniMaxAI/MiniMax-M2.5@<hash>
```

## Java ecosystem collection
<a name="w2aac37c25c21"></a>

**Supported applications**
+  Oracle JDK 
+  Oracle JRE 
+  Amazon Corretto 

**Key features**
+  Extracts the string of the Java installation. 
+  Identifies the directory path that contains the Java runtime. 
+  Identifies the vendor as Oracle JDK, Oracle JRE, and Amazon Corretto. 

 The Amazon Inspector SBOM Generator scans for Java installations across the following installation paths and platforms: 
+  macOS: `/Library/Java/JavaVirtualMachines` 
+  Linux 32-bit: `/usr/lib/jvm` 
+  Linux 64-bit: `/usr/lib64/jvm` 
+  Linux (generic): `/usr/java` and `/opt/java` 

**Example Java version information**  
 The following is an example of an Oracle Java release. 

```
// Amazon Corretto
IMPLEMENTOR="Amazon.com Inc."
IMPLEMENTOR_VERSION="Corretto-17.0.11.9.1"
JAVA_RUNTIME_VERSION="17.0.11+9-LTS"
JAVA_VERSION="17.0.11"
JAVA_VERSION_DATE="2024-04-16"
LIBC="default"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.jvmstat jdk.attach jdk.charsets jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.hotspot.agent jdk.httpserver jdk.incubator.foreign jdk.incubator.vector jdk.internal.le jdk.internal.opt jdk.internal.vm.ci jdk.internal.vm.compiler jdk.internal.vm.compiler.management jdk.jartool jdk.javadoc jdk.jcmd jdk.management jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.random jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported jdk.unsupported.desktop jdk.xml.dom jdk.zipfs"
OS_ARCH="x86_64"
OS_NAME="Darwin"
SOURCE=".:git:7917f11551e8+"

// JDK
IMPLEMENTOR="Oracle Corporation"
JAVA_VERSION="19"
JAVA_VERSION_DATE="2022-09-20"
LIBC="default"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.jvmstat jdk.attach jdk.charsets jdk.zipfs jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.hotspot.agent jdk.httpserver jdk.incubator.concurrent jdk.incubator.vector jdk.internal.le jdk.internal.opt jdk.internal.vm.ci jdk.internal.vm.compiler jdk.internal.vm.compiler.management jdk.jartool jdk.javadoc jdk.jcmd jdk.management jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.random jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported jdk.unsupported.desktop jdk.xml.dom"
OS_ARCH="x86_64"
OS_NAME="Darwin"
SOURCE=".:git:53b4a11304b0 open:git:967a28c3d85f"
```

**Example PURL**  
 The following is an example package URL for an Oracle Java release. 

```
Sample PURL:
# Amazon Corretto
pkg:generic/amazon/amazon-corretto@21.0.3 
# Oracle JDK
pkg:generic/oracle/jdk@11.0.16
# Oracle JRE
pkg:generic/oracle/jre@20
```

## Jenkins ecosystem collection
<a name="w2aac37c25c23"></a>

**Supported applications**
+  Jenkins Core 

**Note**  
 Vulnerability evaluation applies to Jenkins version 2.400.x and higher. 

**Key features**
+  Extracts version information from the `jenkins.war` file by reading the `META-INF/MANIFEST.MF` file, which contains the Jenkins version string. 

 The Amazon Inspector SBOM Generator looks for Jenkins installations in common installation paths across platforms: 

**Linux**
+  `/usr/share/jenkins/jenkins.war` 
+  `/usr/share/java/jenkins.war` 

**macOS**
+  `/opt/homebrew/opt/jenkins-lts/libexec/jenkins.war` 

**Windows**
+  `/Program Files/Jenkins/Jenkins.war` 
+  `/Program Files (x86)/Jenkins/Jenkins.war` 

**Example files**  
 The following are examples of `jenkins.war/META-INF/MANIFEST.MF` files for different releases. 

```
Manifest-Version: 1.0
Created-By: Maven WAR Plugin 3.4.0
Build-Jdk-Spec: 21
Implementation-Title: Jenkins war
Main-Class: executable.Main
Implementation-Version: 2.516.2
Jenkins-Version: 2.516.2
```

```
Manifest-Version: 1.0
Jenkins-Version: 2.414.1
Implementation-Title: Jenkins
Implementation-Version: 2.414.1
Built-By: kohsuke
Created-By: Apache Maven 3.8.6
```

**Sample PURLs**  
 The following are package URLs for version 2.516.2 of the Jenkins LTS release and version 2.414 of the Jenkins automation server release. 

```
LTS: pkg:generic/jenkins/jenkins-core-lts@2.516.2.1
Regular: pkg:generic/jenkins/jenkins-core@2.414
```

## MariaDB and MySQL ecosystem collection
<a name="w2aac37c25c25"></a>

### MariaDB
<a name="w2aac37c25c25b3"></a>

**Supported applications**
+  MariaDB Server (10.6+, 11.x, 12.x) 

**Key features**
+  Extracts version information from database server binaries and header files using database-specific patterns. 
+  Identifies the directory path containing the database server installation. 
+  Automatically distinguishes between MariaDB and MySQL installations using data-driven file type detection. 

 The SBOM Generator looks for the MariaDB installation in common installation paths across platforms: 

**Linux**
+  `/usr/bin/mariadbd` 
+  `/usr/sbin/mariadbd` 
+  `/usr/local/bin/mariadbd` 

**macOS**
+  `C:/Program Files (x86)/MariaDB/include/mysql/mariadb_version.h (MariaDB)` 
+  `C:/Program Files/MariaDB/include/mysql/mariadb_version.h (MariaDB)` 

**Windows**
+  `C:/Program Files (x86)/MariaDB/include/mysql/mariadb_version.h (MariaDB)` 
+  `C:/Program Files/MariaDB/include/mysql/mariadb_version.h (MariaDB)` 

**Example PURL**  
The following is an example package URL for a MariaDB server.

```
# MariaDB Server

pkg:generic/mysql/mariadb-server@10.11.8
```

### MySQL ecosystem collection
<a name="w2aac37c25c25b5"></a>

**Supported applications**
+  Oracle MySQL Server (8.0, 8.4, 9.4+) 

**Key features**
+  Extracts version information from database server binaries and header files using database-specific patterns. 
+  Identifies the directory path containing the database server installation. 
+  Automatically distinguishes between MySQL and MariaDB installations using data-driven file type detection. 

 The SBOM Generator looks for the MySQL installation in common installation paths across platforms: 

**Linux**
+  `/usr/local/bin/mysqld` 
+  `/usr/bin/mysqld` 
+  `/usr/sbin/mysqld` 

**macOS**
+  `/usr/local/mysql/include/mysql_version.h (MySQL)` 

**Windows**
+  `C:/Program Files/MySQL/MySQL Server/include/mysql_version.h (MySQL)` 
+  `C:/Program Files (x86)/MySQL/MySQL Server/include/mysql_version.h (MySQL)` 

**Example PURL**  
The following is an example package URL for a MySQL server.

```
# Oracle MySQL Server

pkg:generic/mysql/mysql-server@8.0.43
```

## Microsoft applications ecosystem collection
<a name="microsoft-app-ecosystem-collection"></a>

 The following Microsoft applications are inventoried by the Amazon Inspector SBOM generator. Due to limitations in the Microsoft CVRF API, detections in the InspectorScan API are only supported for versions of these applications released in 2021 (or later). Findings will be mapped to Microsoft KBs or CVEs (where applicable). 

**Supported Microsoft applications (2021+)**
+ PowerShell
+ NuGet CLI
+ Visual Studio Code
+ Microsoft Edge
+ SharePoint Server
+ Microsoft Defender
+ Exchange Server
+ Visual Studio
+ .NET Core Runtime
+ .NET Framework
+ ASP.NET Core Runtime
+ Microsoft Teams
+ Outlook for Windows
+ Microsoft Office
+ Microsoft 365

**Key features**
+  PowerShell – Examines the `pwsh.exe` file to extract the embedded version information. 
+  NuGet CLI – Examines the `nuget.exe` file to extract the embedded version information. 
+  Visual Studio Code – Examines the `Code.exe` file to extract the embedded version information. 
+  Microsoft Edge – Examines the `msedge.exe` file to extract the embedded version information. 
+  SharePoint Server – Examines the `Microsoft.SharePoint.dll` file to extract the embedded version information. 
+  Microsoft Defender – Examines the `MsMpEng.exe` file to extract the embedded version information. 
+  Exchange Server – Examines the `Exsetup.exe` file to extract the embedded version information. 
+  Visual Studio – Parses the `state.json` file to retrieve the version string from the `catalogInfo.productDisplayVersion` field. 
+ .NET Core Runtime – Searches for the `Microsoft.NETCore.App.deps.json` file in installation paths and extracts the version string from the following file path pattern. 

  ```
  Microsoft.NETCore.App/<VERSION>/Microsoft.NETCore.App.deps.json
  ```
+ .NET Framework – Parses the Windows Registry and reads file metadata to detect installed .NET Framework versions. The scanner checks the following registry keys, registry values, and files. 
  + **Registry Key** (`<VERSION_SUB_KEY>` represents the .NET Framework version, such as `v2.0.50727`, `v3.5`, or `v4\Full`)

    ```
    HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\<VERSION_SUB_KEY>
    ```

    ```
    HKLM\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\<VERSION_SUB_KEY>
    ```
  + **Registry Value**
    + Install – Indicates whether the .NET Framework version is installed.
    + Version – Installed .NET Framework version (version 4.0 or lower)
    + Release – A `REG_DWORD` value that maps to the installed .NET Framework version (version 4.5 or later)
  + **DLL Files**

    The scanner extracts the file version from `mscorlib.dll` and `System.dll`. If these files exist, they are added to the SBOM as nested file components. For .NET Framework version 4.5 or later, the largest file version among files is reported as the version.
+ ASP.NET Core Runtime – Searches for the `Microsoft.AspNetCore.App.deps.json` file in installation paths and extracts the version string from the following file path pattern. 

  ```
  Microsoft.AspNetCore.App/<VERSION>/Microsoft.AspNetCore.App.deps.json
  ```
+ Outlook for Windows – Parses the Windows Registry and extracts the version from the following registry key. 

  ```
  HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.OutlookForWindows_<VERSION>_<ARCH>__8wekyb3d8bbwe
  ```
+ Microsoft Teams – Parses the Windows Registry and extracts the version from the following registry key. 

  ```
  HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\MSTeams_<VERSION>_<ARCH>__8wekyb3d8bbwe
  ```
+ Microsoft Office 365 / Microsoft 365 – Parses the Windows Registry and extracts the version from the following registry key and values. 
  + Registry Key

    ```
    HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
    ```
  + Registry Value
    + VersionToReport – Microsoft Office Version
    + ProductReleaseIds – List of product IDs. This is used to identify installed Office products. For more information about product IDs, see [https://learn.microsoft.com/en-us/troubleshoot/microsoft-365-apps/office-suite-issues/product-ids-supported-office-deployment-click-to-run](https://learn.microsoft.com/en-us/troubleshoot/microsoft-365-apps/office-suite-issues/product-ids-supported-office-deployment-click-to-run) on the Microsoft website.
+ Microsoft Office Suite – Collects each installed Office application by examining the following executable files: 
  + `EXCEL.EXE` – Microsoft Excel
  + `WINWORD.EXE` – Microsoft Word
  + `POWERPNT.EXE` – Microsoft PowerPoint
  + `OUTLOOK.EXE` – Microsoft Outlook

   The version number in the Windows Registry is used as the authoritative version number for each installed Office application. 

**Example `state.json` file**  
 The following is an example of a `state.json` file used to collect the installed Visual Studio version. 

```
{
    "icon": {
        "mimeType": "image/svg+xml",
        "fileName": "product.svg"
    },
    "updateDate": "2025-11-06T05:05:35.6517471Z",
    "installDate": "2025-11-06T05:05:35.6527436Z",
    "enginePath": "C:\\Program Files (x86)\\Microsoft Visual Studio\\Installer\\resources\\app\\ServiceHub\\Services\\Microsoft.VisualStudio.Setup.Service",
    "installationName": "VisualStudio/17.14.19+36623.8",
    "catalogInfo": {
        "id": "VisualStudio/17.14.19+36623.8",
        "buildBranch": "d17.14",
        "buildVersion": "17.14.36623.8",
        "localBuild": "build-lab",
        "manifestName": "VisualStudio",
        "manifestType": "installer",
        "productDisplayVersion": "17.14.19",
// truncated
```

**Example PURL**  
 The following is an example package URL for each Microsoft application. 

```
// PowerShell
Sample PURL: pkg:generic/microsoft/powershell@7.5.3

// NuGet CLI
Sample PURL: pkg:generic/microsoft/nuget@6.14.0

// Visual Studio Code
Sample PURL: pkg:generic/microsoft/visualstudiocode@1.104.2

// Microsoft Edge
Sample PURL: pkg:generic/microsoft/edge@140.0.3485.94

// SharePoint Server
Sample PURL: pkg:generic/microsoft/sharepoint@23.38.219.1

// Microsoft Defender
Sample PURL: pkg:generic/microsoft/defender@4.18.23110.3

// Exchange Server
Sample PURL: pkg:generic/microsoft/exchangeserver@15.2.2562.17

// Visual Studio
Sample PURL: pkg:generic/microsoft/visualstudio@17.14.19

// .NET Core Runtime
Sample PURL: pkg:generic/microsoft/dotnet@8.0.18

// .NET Framework
Sample PURL: pkg:generic/microsoft/dotnet-framework-v4.8.1@4.8.9320.0

// ASP.NET Core Runtime
Sample PURL: pkg:generic/microsoft/aspdotnet@8.0.18

// Microsoft Teams
Sample PURL: pkg:generic/microsoft/teams@25241.203.3947.4411

// Outlook for Windows
Sample PURL: pkg:generic/microsoft/outlookforwindows@1.2025.916.400

// Microsoft 365 / Office 365
Sample PURL: pkg:generic/microsoft/office@16.0.19127.20264?product_ids=O365HomePremRetail

// Microsoft Word
Sample PURL: pkg:generic/microsoft/word@16.0.19127.20264

// Microsoft Excel
Sample PURL: pkg:generic/microsoft/excel@16.0.19127.20264

// Microsoft PowerPoint
Sample PURL: pkg:generic/microsoft/powerpoint@16.0.19127.20264

// Microsoft Outlook
Sample PURL: pkg:generic/microsoft/outlook@16.0.19127.20264
```

## Microsoft SQL Server ecosystem collection
<a name="w2aac37c25c29"></a>

**Supported applications**
+  Microsoft SQL Server 

**Key features**
+  Reads from the Windows registry to discover installed Microsoft SQL Server instances and extract version information. 
+  Discovers instances through a two-step process: reads the `InstalledInstances` value, resolves each instance path from the `Instance Names\SQL` subkey, then reads setup information from each instance's `Setup` subkey. 
+  Collects instance name, base version, patch level, edition, service pack (if present), and the registry key path. 
+  The component version and PURL use the patch level (full build number). 

**Supported platforms – Windows**  
 The Amazon Inspector SBOM Generator reads from the following Windows registry key to discover installed instances: 

```
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server
```

 The scanner reads the `InstalledInstances` value to enumerate instances, resolves each instance path from the `Instance Names\SQL` subkey, then reads setup information from each instance's `Setup` subkey. 

**Example PURL**  
 The following is an example package URL for a Microsoft SQL Server instance. 

```
pkg:generic/microsoft/sqlserver@16.0.1000.6
```

## MongoDB ecosystem collection
<a name="w2aac37c25c31"></a>

**Supported applications**
+  MongoDB Server (7.0+, 8.0+) 

**Key features**
+  Examines mongod binaries to extract embedded version information. 

**Note**  
 The mongod binary can exceed 200 MB in size. To scan for MongoDB, the Amazon Inspector SBOM Generator file size limit must be configured to allow files over 200 MB. 

 The Amazon Inspector SBOM Generator looks for MongoDB installations in common installation paths across platforms: 

**Linux**
+  `/usr/bin/mongod` 
+  `/usr/local/bin/mongod` 

**macOS**
+  `/usr/local/bin/mongod` 
+  `/opt/homebrew/bin/mongod` 

**Windows**
+  `C:\Program Files\MongoDB\Server\bin\mongod.exe` 

**Example PURL**  
 The following is an example package URL for MongoDB Server. 

```
pkg:generic/mongodb/mongodb-server@8.2.4?platform=linux
```

## Nginx ecosystem collection
<a name="w2aac37c25c33"></a>

**Supported applications**
+  Nginx 

**Supported platforms**  
 The following are supported platforms. 

**Linux**
+  `/usr/sbin/nginx` 
+  `/usr/local/nginx` 
+  `/usr/local/etc/nginx` 
+  `/usr/local/nginx/nginx` 
+  `/usr/local/nginx/sbin/nginx` 
+  `/etc/nginx/nginx` 

**Windows**
+  `C:\nginx\nginx.exe` 
+  `C:\nginx-x.y.z\nginx.exe` (x.y.z is an arbitrary version) 

**macOS**
+  `/usr/local/etc/nginx/nginx` 

**Key features**  
 This collection examines binaries to extract embedded version information. It searches for version strings in the binary executable `.rodata` section (for ELF binaries on Linux), `.rdata` section (for PE binaries on Windows), or `__cstring` section (for MachO binaries). 

**Example version string**  
 The following is an example of a version string embedded in an Nginx binary. 

```
nginx version: nginx/1.27.5
```

 Version `1.27.5` is extracted to identify the Nginx version. 

**Example PURL**  
 The following is an example package URL for Nginx. 

```
Sample PURL: pkg:generic/nginx/nginx@1.27.5
```

## Node.JS runtime collection
<a name="w2aac37c25c35"></a>

**Supported applications**
+  node runtime binary for Node.JS 

**Supported platforms**  
 The following are supported platforms. (`*` is a wildcard for an arbitrary version.) 

**Linux**
+  `/usr/local/bin/node` 
+  `/usr/bin/node` 
+  `/nodejs/bin/node` 
+  `*/.nvm/versions/node/*/bin/node` 
+  `*/.local/share/fnm/node-versions/*/installation/bin/node` 
+  `*/.asdf/installs/nodejs/*/bin/node` 
+  `*/.local/share/mise/installs/node/*/bin/node` 
+  `*/.volta/tools/image/node/*/bin/node` 

**Windows**
+  `C:\Program Files\nodejs\node.exe` 
+  `C:\Program Files (x86)\nodejs\node.exe` 
+  `*\AppData\Roaming\fnm\node-versions\*\installation\node.exe` 

**macOS**
+  `/opt/homebrew/Cellar/node/*/bin/node` 

**Key features**  
 This collection examines binaries to extract embedded version information. It searches for version strings in the binary executable `.rodata` section (for ELF binaries on Linux), `.rdata` section (for PE binaries on Windows), or `__cstring` section (for MachO binaries). 

**Example version string**  
 The following is an example of a version string embedded in a Node.JS runtime binary. 

```
node.js/v24.11.1
```

 Version `24.11.1` is extracted to identify the Node.JS runtime version. 

**Example PURL**  
 The following is an example package URL for Node.JS. 

```
Sample PURL: pkg:generic/nodejs/node@24.11.1
```

## OpenSSH ecosystem collection
<a name="w2aac37c25c37"></a>

**Supported applications**
+  OpenSSH (Version 9) 
+  OpenSSH (Version 10) 

**Supported platforms Linux/macOS**
+  `/usr/sbin/sshd` 
+  `/usr/local/sbin/sshd` 

**Supported platforms Windows**
+  `C:/Windows/System32/OpenSSH/sshd.exe` 
+  `C:/Program Files/OpenSSH/sshd.exe` 
+  `C:/Program Files (x86)/OpenSSH/sshd.exe` 
+  `C:/OpenSSH/sshd.exe` 

**Key features**
+  Examines `sshd` binaries to extract embedded version information. 
+  Looks for version strings in the binary executable `.rodata` section (for ELF binaries on Linux), `__cstring` section (for Mach-O binaries on macOS), or `.rdata` section (for PE binaries on Windows). 

**Example version string**  
 The following is an example of a version string embedded in an OpenSSH binary. 

```
OpenSSH_9.9p2
```

 Version `9.9p2` is extracted to identify the OpenSSH version. 

**Example PURL**  
 The following is an example package URL for OpenSSH. 

```
Sample PURL: pkg:generic/openssh/openssh@9.9p2
```

## OpenSSL ecosystem collection
<a name="w2aac37c25c39"></a>

**Supported applications**  
 Support for OpenSSL libraries and development packages is limited to software built with official OpenSSL releases 3.0.0 and above. The software must also follow semantic versioning. Custom or forked OpenSSL variants and versions lower than 3.0.0 are not supported. 

 The Amazon Inspector SBOM Generator extracts key package information for each installed OpenSSL instance. 

**Key features**
+  Extracts the base SEMVER version string from the OpenSSL header file 
+  Identifies the directory path containing the OpenSSL installation 

 The Amazon Inspector SBOM Generator looks for OpenSSL installations by scanning for the `opensslv.h` file in common installation paths across platforms. 

**Example installation path for Linux/Unix**  
 The following is an example installation path for Linux/Unix. 

```
/usr/local/include/openssl/opensslv.h
/usr/local/ssl/include/openssl/opensslv.h
/usr/local/openssl/include/openssl/opensslv.h
/usr/local/opt/openssl/include/openssl/opensslv.h
/usr/include/openssl/opensslv.h
```

 The Amazon Inspector SBOM Generator extracts version information by parsing the `opensslv.h` file and looking for the version definitions. 

```
# define OPENSSL_VERSION_MAJOR  3
# define OPENSSL_VERSION_MINOR  4
# define OPENSSL_VERSION_PATCH  0
```

**Example PURL**  
 The following is an example package URL for the OpenSSL version. 

```
Sample PURL: pkg:generic/openssl/openssl@3.4.0
```
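As an added example (not Sbomgen's own code), the following Python parses the integer `#define` macros shown for `ap_release.h`, `curlver.h` and `opensslv.h` in the Apache httpd, Libcurl and OpenSSL sections and assembles the version and `pkg:generic` package URL from them. The header excerpts are constructed from the page's examples; a header with a missing macro yields no version rather than a guessed one.

```python
import re
from typing import Dict, Optional, Tuple

# Matches a C object-like macro with an integer value. Whitespace after '#'
# is tolerated because opensslv.h writes "# define ...".
DEFINE_RE = re.compile(r"^\s*#\s*define\s+([A-Za-z0-9_]+)\s+(\d+)\b", re.MULTILINE)

# (major, minor, patch) macro names and the PURL prefix for each header the
# page describes. The macro names come from the page's header excerpts.
HEADER_SPECS: Dict[str, Tuple[Tuple[str, str, str], str]] = {
    "ap_release.h": (("AP_SERVER_MAJORVERSION_NUMBER",
                      "AP_SERVER_MINORVERSION_NUMBER",
                      "AP_SERVER_PATCHLEVEL_NUMBER"), "pkg:generic/apache/httpd"),
    "curlver.h": (("LIBCURL_VERSION_MAJOR",
                   "LIBCURL_VERSION_MINOR",
                   "LIBCURL_VERSION_PATCH"), "pkg:generic/curl/libcurl"),
    "opensslv.h": (("OPENSSL_VERSION_MAJOR",
                    "OPENSSL_VERSION_MINOR",
                    "OPENSSL_VERSION_PATCH"), "pkg:generic/openssl/openssl"),
}


def parse_int_defines(text: str) -> Dict[str, int]:
    """Return every integer-valued #define in the header as {NAME: value}."""
    return {name: int(value) for name, value in DEFINE_RE.findall(text)}


def version_from_header(header_name: str, text: str) -> Optional[str]:
    """Assemble MAJOR.MINOR.PATCH from the header, or None if any macro is absent."""
    macros, _ = HEADER_SPECS[header_name]
    defs = parse_int_defines(text)
    if any(m not in defs for m in macros):
        return None  # incomplete header: report nothing rather than guess
    return ".".join(str(defs[m]) for m in macros)


def purl_from_header(header_name: str, text: str) -> Optional[str]:
    """Build the pkg:generic package URL in the form the page shows for this header."""
    version = version_from_header(header_name, text)
    if version is None:
        return None
    _, prefix = HEADER_SPECS[header_name]
    return f"{prefix}@{version}"


# Constructed header excerpts modelled on the page's examples.
AP_RELEASE_H = """\
#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
#define AP_SERVER_BASEPRODUCT "Apache"
#define AP_SERVER_MAJORVERSION_NUMBER 2
#define AP_SERVER_MINORVERSION_NUMBER 4
#define AP_SERVER_PATCHLEVEL_NUMBER   1
#define AP_SERVER_DEVBUILD_BOOLEAN    0
"""

CURLVER_H = """\
#define LIBCURL_VERSION_MAJOR 8
#define LIBCURL_VERSION_MINOR 14
#define LIBCURL_VERSION_PATCH 1
"""

OPENSSLV_H = """\
# define OPENSSL_VERSION_MAJOR  3
# define OPENSSL_VERSION_MINOR  4
# define OPENSSL_VERSION_PATCH  0
"""

if __name__ == "__main__":
    for name, text in (("ap_release.h", AP_RELEASE_H),
                       ("curlver.h", CURLVER_H),
                       ("opensslv.h", OPENSSLV_H)):
        print(f"{name}: {purl_from_header(name, text)}")
```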

## Oracle Database Server collection
<a name="w2aac37c25c41"></a>

**Supported applications**
+  Oracle Database 

**Supported platforms Linux**
+  `/opt/oracle` 
+  `/u01/app/oracle` 

**Note**  
 Vulnerability evaluation applies only to Oracle Database Server version 19 and higher. 

**Key features**
+  Examines Oracle binaries to extract embedded version information. 
+  Looks for version strings in the binary executable `.rodata` section (for ELF binaries on Linux). 
+  Version information follows a specific format that includes the RDBMS version string. 

**Example version string**  
 The following is an example of a version string embedded in an Oracle Database binary: 

```
RDBMS_23.7.0.25.01DBRU_LINUX.X64_240304
```

 Version `23.7.0.25.01` is extracted to identify the Oracle Database version. 

**Example PURL**  
 The following is an example package URL for Oracle Database. 

```
Sample PURL: pkg:generic/oracle/database@23.7.0.25.01
```

## PHP ecosystem collection
<a name="w2aac37c25c43"></a>

**Supported applications**
+  PHP (version 8.1 and higher) 

**Key features**
+  Extracts version information from PHP binary executables using embedded version strings. 
+  Identifies the directory path containing the PHP binary. 
+  Automatically detects both standard PHP binaries and versioned installations, such as `php8.1`, `php8.2`, and `php8.3`. 

 The Amazon Inspector SBOM Generator looks for PHP installations in common installation paths across platforms: 

**Linux**
+  `/usr/bin/php8.1 through /usr/bin/php8.9` 
+  `/usr/sbin/php8.1 through /usr/sbin/php8.9` 
+  `/usr/local/bin/php, /usr/bin/php, /usr/sbin/php` 
+  `/usr/local/bin/php8.1 through /usr/local/bin/php8.9` (versioned binaries) 

**macOS**
+  `/opt/homebrew/bin/php` 
+  `/usr/bin/php` 
+  `/usr/local/bin/php` 

**Windows**
+  `C:/php/php.exe` 
+  `C:/php8.1/php.exe through C:/php8.9/php.exe` (versioned directories) 

**Example PHP version extraction**  
 The Amazon Inspector SBOM Generator extracts version information from PHP binaries by searching for embedded version strings using the following pattern. 

```
X-Powered-By: PHP/8.4.12
```

 `8.4.12` is extracted from this pattern to identify the PHP version. 

**Example PURL**  
 The following is an example package URL for PHP. 

```
pkg:generic/php/php@8.4.12
```

## Redis ecosystem collection
<a name="w2aac37c25c45"></a>

**Supported applications**
+  Redis (version 7.2 and higher) 

**Key features**
+  Extracts version information from Redis `redis-server` binary executables using embedded version strings. 
+  Searches for version strings in the binary executable `.rodata` section (for ELF binaries on Linux) or `__cstring` section (for Mach-O binaries on macOS). 

 The Amazon Inspector SBOM Generator looks for Redis installations in common installation paths across platforms: 

**Linux**
+  `/usr/bin/redis-server` 
+  `/usr/local/bin/redis-server` 

**macOS**
+  `/opt/homebrew/bin/redis-server` 
+  `/usr/local/bin/redis-server` 

**Example version string**  
 The following is an example of a version string embedded in a Redis binary. 

```
redis-7.2.6
```

 Version `7.2.6` is extracted to identify the Redis version. 

**Example PURL**  
 The following is an example package URL for Redis. 

```
pkg:generic/redis/redis@7.2.6
```
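**Example: recovering embedded version strings in Python**  
 The following Python script is an added example, not Sbomgen's own code, serving the Oracle Database, PHP, and Redis sections above. It searches a byte buffer for the three version-string patterns shown in those sections, deduplicates the hits, builds the generic PURLs, and flags whether each version meets the documented minimum (Oracle 19, PHP 8.1, Redis 7.2). The regular expressions and the `evaluated` flag are this example's assumptions.

```python
"""Added example: recover embedded version strings the way the page describes
for Oracle Database, PHP and Redis binaries. Not Sbomgen's own code."""
import re

# One entry per collector: pattern over raw bytes, PURL template, and the
# minimum version the page documents (Oracle 19, PHP 8.1, Redis 7.2).
COLLECTORS = {
    "oracle": (re.compile(rb"RDBMS_(\d+(?:\.\d+)+)"),
               "pkg:generic/oracle/database@{}", (19,)),
    "php": (re.compile(rb"X-Powered-By: PHP/(\d+\.\d+\.\d+)"),
            "pkg:generic/php/php@{}", (8, 1)),
    "redis": (re.compile(rb"redis-(\d+\.\d+\.\d+)"),
              "pkg:generic/redis/redis@{}", (7, 2)),
}


def version_tuple(version: str) -> tuple:
    """'23.7.0.25.01' -> (23, 7, 0, 25, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def scan_strings(blob: bytes, kind: str) -> list:
    """Return one record per distinct version string of `kind` found in blob.

    Sbomgen limits the search to the .rodata (ELF) or __cstring (Mach-O)
    section; pass that section's bytes here for the same behaviour.
    """
    pattern, purl_template, minimum = COLLECTORS[kind]
    records, seen = [], set()
    for match in pattern.finditer(blob):
        version = match.group(1).decode("ascii")
        if version in seen:
            continue
        seen.add(version)
        records.append({
            "kind": kind,
            "version": version,
            "purl": purl_template.format(version),
            # Assumption: a version below the documented minimum is still
            # inventoried but flagged, so the reader knows it is not evaluated.
            "evaluated": version_tuple(version) >= minimum,
        })
    return records


def scan_all(blob: bytes) -> list:
    """Run every collector over the same bytes."""
    return [record for kind in COLLECTORS for record in scan_strings(blob, kind)]


# Constructed stand-ins for .rodata contents; real binaries are far larger.
ORACLE_RODATA = b"\x00\x00RDBMS_23.7.0.25.01DBRU_LINUX.X64_240304\x00\x00"
PHP_RODATA = b"junk\x00X-Powered-By: PHP/8.4.12\x00more\x00X-Powered-By: PHP/8.4.12\x00"
REDIS_RODATA = b"\x00redis-7.2.6\x00"
OLD_REDIS_RODATA = b"\x00redis-6.2.14\x00"

if __name__ == "__main__":
    for record in scan_all(ORACLE_RODATA + PHP_RODATA + REDIS_RODATA):
        print(record["purl"], "evaluated" if record["evaluated"] else "below minimum")
```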

## WordPress ecosystem collection
<a name="w2aac37c25c47"></a>

**Supported components**
+  WordPress core 
+  WordPress plugins 
+  WordPress themes 

**Key features**
+  WordPress core – parses the `/wp-includes/version.php` file to extract the version value from the `$wp_version` variable. 
+  WordPress plugins – parses the `/wp-content/plugins/<WordPress Plugin>/readme.txt` file or `/wp-content/plugins/<WordPress Plugin>/readme.md` file to extract the `Stable tag` value as the version string. 
+  WordPress themes – parses the `/wp-content/themes/<WordPress Theme>/style.css` file to extract the version from the `Version` metadata field. 

**Example `version.php` file**  
 The following is an example of a WordPress core `version.php` file. 

```
// truncated

/**
* The WordPress version string.
*
* Holds the current version number for WordPress core. Used to bust caches
* and to enable development mode for scripts when running from the /src directory.
*
* @global string $wp_version
*/
$wp_version = '6.5.5';

// truncated
```

**Example PURL**  
 The following is an example package URL for WordPress core. 

```
Sample PURL: pkg:generic/wordpress/core/wordpress@6.5.5
```

**Example `readme.txt` file**  
 The following is an example of a WordPress plugin `readme.txt` file. 

```
=== Plugin Name ===
Contributors: (this should be a list of wordpress.org userid's)
Donate link: https://example.com/
Tags: tag1, tag2
Requires at least: 4.7
Tested up to: 5.4
Stable tag: 4.3
Requires PHP: 7.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

// truncated
```

**Example PURL**  
 The following is an example package URL for a WordPress plugin. 

```
Sample PURL: pkg:generic/wordpress/plugin/exclusive-addons-for-elementor@1.0.0
```

**Example `style.css` file**  
 The following is an example of a WordPress theme `style.css` file. 

```
/*
Author: the WordPress team
Author URI: https://wordpress.org
Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collection of templates and patterns tailor to different needs, such as presenting a business, blogging and writing or showcasing work. A multitude of possibilities open up with just a few adjustments to color and typography. Twenty Twenty-Four comes with style variations and full page designs to help speed up the site building process, is fully compatible with the site editor, and takes advantage of new design tools introduced in WordPress 6.4.
Requires at least: 6.4
Tested up to: 6.5
Requires PHP: 7.0
Version: 1.2
License: GNU General Public License v2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
Text Domain: twentytwentyfour
Tags: one-column, custom-colors, custom-menu, custom-logo, editor-style, featured-images, full-site-editing, block-patterns, rtl-language-support, sticky-post, threaded-comments, translation-ready, wide-blocks, block-styles, style-variations, accessibility-ready, blog, portfolio, news
*/
```

**Example PURL**  
 The following is an example package URL for a WordPress theme. 

```
Sample PURL: pkg:generic/wordpress/theme/avada@1.0.0
```
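**Example: deriving WordPress PURLs in Python**  
 The following Python script is an added example, not Sbomgen's own code. It maps a `version.php`, plugin `readme.txt`/`readme.md`, or theme `style.css` file to the matching generic PURL using the three rules described above, and treats a plugin whose stable tag is `trunk` as unresolved. The path patterns, the `trunk` rule, and the sample inputs are this example's assumptions.

```python
"""Added example: derive WordPress core, plugin and theme PURLs from the three
files the page describes. Not Sbomgen's own code."""
import re

_CORE_VERSION = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")
_STABLE_TAG = re.compile(r"^\s*Stable tag:\s*(\S+)", re.I | re.M)
_STYLE_VERSION = re.compile(r"^\s*Version:\s*(\S+)", re.I | re.M)
# Slug = the plugin or theme directory name, which becomes the PURL name.
_PLUGIN_PATH = re.compile(r"/wp-content/plugins/([^/]+)/readme\.(txt|md)$", re.I)
_THEME_PATH = re.compile(r"/wp-content/themes/([^/]+)/style\.css$", re.I)
_CORE_PATH = re.compile(r"/wp-includes/version\.php$")


def wordpress_purl(path: str, text: str):
    """Map one file to a generic PURL, or None when the file is not a
    supported WordPress artifact or carries no usable version."""
    if _CORE_PATH.search(path):
        m = _CORE_VERSION.search(text)
        return f"pkg:generic/wordpress/core/wordpress@{m.group(1)}" if m else None
    m = _PLUGIN_PATH.search(path)
    if m:
        tag = _STABLE_TAG.search(text)
        # "Stable tag: trunk" points at the development branch, not a release;
        # treating it as unresolved follows the page's resolved-version rule.
        if not tag or tag.group(1).lower() == "trunk":
            return None
        return f"pkg:generic/wordpress/plugin/{m.group(1)}@{tag.group(1)}"
    m = _THEME_PATH.search(path)
    if m:
        ver = _STYLE_VERSION.search(text)
        return f"pkg:generic/wordpress/theme/{m.group(1)}@{ver.group(1)}" if ver else None
    return None


def collect_wordpress(files: dict) -> list:
    """files maps path -> content; return PURLs for every recognised file."""
    return [purl for path, text in files.items() if (purl := wordpress_purl(path, text))]


# Constructed inputs modelled on the page's examples.
SAMPLE_FILES = {
    "/var/www/html/wp-includes/version.php":
        "<?php\n/**\n * @global string $wp_version\n */\n$wp_version = '6.5.5';\n",
    "/var/www/html/wp-content/plugins/example-plugin/readme.txt":
        "=== Plugin Name ===\nRequires at least: 4.7\nStable tag: 4.3\nRequires PHP: 7.0\n",
    "/var/www/html/wp-content/plugins/dev-plugin/readme.txt":
        "=== Dev ===\nStable tag: trunk\n",
    "/var/www/html/wp-content/themes/twentytwentyfour/style.css":
        "/*\nTheme Name: Twenty Twenty-Four\nRequires at least: 6.4\nVersion: 1.2\n*/\n",
}

if __name__ == "__main__":
    print("\n".join(collect_wordpress(SAMPLE_FILES)))
```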

# Amazon Inspector SBOM Generator SSL/TLS certificate scans
<a name="sbom-generator-ssl-tls-certificate-scans"></a>

 This section describes how to use the Amazon Inspector SBOM Generator to inventory SSL/TLS certificates. Sbomgen inventories SSL/TLS certificates by searching for certificates in predefined locations as well as in directories provided by the user. The feature is intended to let users inventory SSL/TLS certificates and identify expired certificates. CA certificates also appear in the output inventory. 

## Using Sbomgen certificate scans
<a name="w2aac37c27b5"></a>

 You can enable SSL/TLS certificate inventory collection using the `--scanners certificates` argument. Certificate scans can be combined with any of the other scanners. By default, certificate scans are not enabled. 

 Sbomgen searches different locations for certificates depending on the artifact being scanned. In all cases, Sbomgen attempts to extract certificates from files with the following extensions. 

```
.pem
.crt
.der
.p7b
.p7m
.p7s
.p12
.pfx
```

**The localhost artifact type**  
 If the certificate scanner is enabled and the artifact type is localhost, Sbomgen recursively looks for certificates in `/etc/*/ssl`, `/opt/*/ssl/certs`, `/usr/local/*/ssl`, and `/var/lib/*/certs`, where `*` is not empty. User-provided directories are searched recursively, regardless of how the directories are named. Typically, CA/system certificates are not placed in these paths; they are often in folders named `pki`, `ca-certs`, or `CA`. They may also appear in the default localhost scan paths. 

**Directory and container artifacts**  
 When scanning directory or container artifacts, Sbomgen searches for certificates located anywhere on the artifact. 

**Example certificate scan commands**  
 The following are example certificate scan commands. The first generates an SBOM that contains only the certificates in a local directory. The second generates an SBOM that contains certificates and Alpine, Debian, and RHEL packages in a local directory. The third generates an SBOM that contains certificates found in common localhost certificate locations. 

```
# generate an SBOM containing only the certificates in a local directory
./inspector-sbomgen directory --path ./project/ --scanners certificates

# generate an SBOM containing certificates and Alpine, Debian, and RHEL OS packages in a local directory
./inspector-sbomgen directory --path ./project/ --scanners certificates,dpkg,alpine-apk,rhel-rpm

# generate an SBOM containing only certificates, taken from common localhost certificate locations
./inspector-sbomgen localhost --scanners certificates
```

**Example file component**  
 The following contains two example certificate finding components. When a certificate expires, you can view an extra property that identifies the expiration date. 

```
{
      "bom-ref": "comp-2",
      "type": "file",
      "name": "certificate:expired.pem",
      "properties": [
            {
                "name": "amazon:inspector:sbom_generator:certificate_finding:IN-CERTIFICATE-001",
                "value": "expired:2015-06-06T11:59:59Z"
            },
            {
                "name": "amazon:inspector:sbom_generator:source_path",
                "value": "/etc/ssl/expired.pem"
            }
      ]
},
{
      "bom-ref": "comp-3",
      "type": "file",
      "name": "certificate:unexpired.pem",
      "properties": [
            {
                "name": "amazon:inspector:sbom_generator:source_path",
                "value": "/etc/ssl/unexpired.pem"
            }
      ]
}
```
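**Example: flagging an expired certificate in Python**  
 The following Python script is an added example, not Sbomgen's own code. It reads a PEM or DER certificate, walks the DER structure by hand to the `notAfter` time, and emits the file component shown above, adding the `IN-CERTIFICATE-001` property only when the certificate has expired at scan time. The DER walker, the `constructed_certificate` skeleton used as sample input, and the fixed scan time are this example's assumptions.

```python
"""Added example: decide whether a certificate file is expired and emit the
CycloneDX file component shown on the page. Not Sbomgen's own code; it walks
the DER Validity field by hand so it runs without third-party X.509 libraries."""
import base64
import datetime as dt
import os

FINDING_PROPERTY = "amazon:inspector:sbom_generator:certificate_finding:IN-CERTIFICATE-001"
SOURCE_PATH_PROPERTY = "amazon:inspector:sbom_generator:source_path"


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (lengths up to 65535)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _children(body: bytes):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    i = 0
    while i < len(body):
        tag, first = body[i], body[i + 1]
        i += 2
        if first & 0x80:                       # long-form length
            k = first & 0x7F
            n = int.from_bytes(body[i:i + k], "big")
            i += k
        else:
            n = first
        yield tag, body[i:i + n]
        i += n


def _der(cert: bytes) -> bytes:
    """Accept PEM (.pem/.crt) or raw DER (.der) input."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in cert.splitlines() if l and not l.startswith(b"-----"))
        return base64.b64decode(body)
    return cert


def not_after(cert: bytes) -> dt.datetime:
    """Return the notAfter time (UTC) of an X.509 certificate."""
    _, certificate = next(_children(_der(cert)))      # Certificate ::= SEQUENCE
    _, tbs = next(_children(certificate))             # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3][1]                           # serial, signature, issuer, validity
    tag, value = list(_children(validity))[1]         # notBefore, notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def certificate_component(bom_ref: str, path: str, cert: bytes, now: dt.datetime) -> dict:
    """Build the file component; the finding property appears only when expired."""
    props = []
    expiry = not_after(cert)
    if expiry < now:
        props.append({"name": FINDING_PROPERTY,
                      "value": "expired:" + expiry.strftime("%Y-%m-%dT%H:%M:%SZ")})
    props.append({"name": SOURCE_PATH_PROPERTY, "value": path})
    return {"bom-ref": bom_ref, "type": "file",
            "name": "certificate:" + os.path.basename(path), "properties": props}


def constructed_certificate(not_before: str, not_after_: str) -> bytes:
    """Constructed, unsigned certificate skeleton (empty names, zero-length key,
    zero signature) that carries a real Validity field for the walk above."""
    name = _tlv(0x30, b"")
    algorithm = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after_.encode()))
    spki = _tlv(0x30, algorithm + _tlv(0x03, b"\x00"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + algorithm + name + validity + name + spki)
    return _tlv(0x30, tbs + algorithm + _tlv(0x03, b"\x00"))


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in the PEM armour that .pem and .crt files carry."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


# Constructed samples: the scan time and expiry match the page's example values.
SCAN_TIME = dt.datetime(2025, 4, 17, 18, 48, 20, tzinfo=dt.timezone.utc)
EXPIRED_PEM = to_pem(constructed_certificate("140606115959Z", "150606115959Z"))
UNEXPIRED_DER = constructed_certificate("250101000000Z", "360101000000Z")

if __name__ == "__main__":
    print(certificate_component("comp-2", "/etc/ssl/expired.pem", EXPIRED_PEM, SCAN_TIME))
    print(certificate_component("comp-3", "/etc/ssl/unexpired.pem", UNEXPIRED_DER, SCAN_TIME))
```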

**Example vulnerability response component**  
 Running the Amazon Inspector SBOM Generator with the `--scan-sbom` flag sends the resulting SBOM to Amazon Inspector for vulnerability scanning. The following is an example of a certificate finding for a vulnerability response component. 

```
{
    "advisories": [
        {
            "url": "https://aws.amazon.com/inspector/"
        },
        {
            "url": "https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_transit_encrypt.html"
        }
    ],
    "affects": [
        {
            "ref": "comp-2"
        }
    ],
    "analysis": {
        "state": "in_triage"
    },
    "bom-ref": "vuln-1",
    "created": "2025-04-17T18:48:20Z",
    "cwes": [
        324,
        298
    ],
    "description": "Expired Certificate: The associated certificate(s) are no longer valid. Replace certificate in order to reduce risk.",
    "id": "IN-CERTIFICATE-001",
    "properties": [
        {
            "name": "amazon:inspector:sbom_scanner:priority",
            "value": "standard"
        },
        {
            "name": "amazon:inspector:sbom_scanner:priority_intelligence",
            "value": "unverified"
        }
    ],
    "published": "2025-04-17T18:48:20Z",
    "ratings": [
        {
            "method": "other",
            "severity": "medium",
            "source": {
                "name": "AMAZON_INSPECTOR",
                "url": "https://aws.amazon.com/inspector/"
            }
        }
    ],
    "source": {
        "name": "AMAZON_INSPECTOR",
        "url": "https://aws.amazon.com/inspector/"
    },
    "updated": "2025-04-17T18:48:20Z"
}
```

# Amazon Inspector SBOM Generator license collection
<a name="sbom-generator-license-collection"></a>

 The Amazon Inspector SBOM Generator helps track license information in a software bill of materials (SBOM). It collects license information from supported packages across operating systems and programming languages. With standardized license expressions in your generated SBOM, you can understand your licensing obligations. 

## Collect license information
<a name="w2aac37c29b5"></a>

**Example command**  
 The following example shows how to collect license information from a directory. 

```
./inspector-sbomgen directory --path /path/to/your/directory/ --collect-licenses
```

**SBOM component example**  
 The following example shows a component entry in the generated SBOM. 

```
"components": [
    {
      "bom-ref": "comp-2",
      "type": "application",
      "name": "sample-js-pkg",
      "version": "1.2.3",
      "licenses": [
        {
          "expression": "Apache-2.0 AND (MIT OR GPL-2.0-only)"
        }
      ],
      "purl": "pkg:npm/sample-js-pkg@1.2.3"
    }
  ]
```

## Supported packages
<a name="w2aac37c29b7"></a>

 The following programming languages and operating system packages are supported for license collection. 


| Target | Package manager | License information source | Type | 
| --- | --- | --- | --- | 
|  Alma Linux  | RPM |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/inspector/latest/user/sbom-generator-license-collection.html)  | OS | 
|  Amazon Linux  | RPM |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/inspector/latest/user/sbom-generator-license-collection.html)  | OS | 
|  CentOS  | RPM |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/inspector/latest/user/sbom-generator-license-collection.html)  | OS | 
|  Fedora  | RPM |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/inspector/latest/user/sbom-generator-license-collection.html)  | OS | 
|  OpenSUSE  | RPM |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/inspector/latest/user/sbom-generator-license-collection.html)  | OS | 
|  Oracle Linux  | RPM |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/inspector/latest/user/sbom-generator-license-collection.html)  | OS | 
|  Photon OS  | RPM |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/inspector/latest/user/sbom-generator-license-collection.html)  | OS | 
|  RHEL  | RPM |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/inspector/latest/user/sbom-generator-license-collection.html)  | OS | 
|  Rocky Linux  | RPM |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/inspector/latest/user/sbom-generator-license-collection.html)  | OS | 
|  SLES  | RPM |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/inspector/latest/user/sbom-generator-license-collection.html)  | OS | 
|  Alpine Linux  | APK | /lib/apk/db/installed | OS | 
|  Chainguard  | APK | /lib/apk/db/installed | OS | 
|  Debian  | DPKG | /usr/share/doc/*/copyright | OS | 
|  Ubuntu  | DPKG | /usr/share/doc/*/copyright | OS | 
|  Node.js  | JavaScript | node_modules/*/package.json | Programming language | 
|  PHP  | Composer package |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/inspector/latest/user/sbom-generator-license-collection.html)  | Programming language | 
|  Go  | Go | LICENSE | Programming language | 
|  Python  | Python/Egg/Wheel |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/inspector/latest/user/sbom-generator-license-collection.html)  | Programming language | 
|  Ruby  | RubyGem | *.gemspec | Programming language | 
|  Rust  | crate | Cargo.toml | Programming language | 

### License expression standardization
<a name="w2aac37c29b7b7"></a>

 The SPDX license expression format provides an accurate representation of the licensing terms found in open source software. The Amazon Inspector SBOM Generator standardizes all license information into SPDX license expressions through the rules described in this section. The rules provide consistency and compatibility across licensing information. 

**SPDX short form identifier mapping**  
 All license names are mapped to SPDX short form identifiers. For example, `MIT License` is shortened to `MIT`. 

**Multiple license combination**  
 More than one license is combined with the `AND` operator. The following is an example of a combined expression. 

```
MIT AND Apache-2.0
```

**Custom license prefix**  
 Custom licenses are prefixed with `LicenseRef`, such as `LicenseRef-CompanyPrivate`. 

**Custom exception prefix**  
 Custom exceptions are prefixed with `AdditionRef-`, such as `AdditionRef-CustomException`. 
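**Example: applying the standardization rules in Python**  
 The following Python script is an added example, not Sbomgen's own code. It applies the four rules above to raw license fields: known names map to SPDX short identifiers, unknown licenses get the `LicenseRef-` prefix, unknown exceptions get the `AdditionRef-` prefix, and distinct terms are joined with `AND`. The alias tables are a small constructed subset, not the generator's real mapping.

```python
"""Added example: normalise raw license fields into SPDX expressions following
the four rules on the page. Not Sbomgen's code; the alias tables are a small
constructed subset, not the generator's real mapping."""
import re

# Constructed alias table: lower-cased, whitespace-collapsed raw name -> SPDX id.
SPDX_LICENSES = {
    "mit": "MIT", "mit license": "MIT",
    "apache-2.0": "Apache-2.0", "apache license 2.0": "Apache-2.0", "apache 2.0": "Apache-2.0",
    "gpl-2.0-only": "GPL-2.0-only", "gplv2": "GPL-2.0-only",
    "gpl-2.0-or-later": "GPL-2.0-or-later", "gplv2 or later": "GPL-2.0-or-later",
    "gnu general public license v2 or later": "GPL-2.0-or-later",
    "bsd-3-clause": "BSD-3-Clause", "bsd 3-clause license": "BSD-3-Clause",
}
SPDX_EXCEPTIONS = {
    "classpath-exception-2.0": "Classpath-exception-2.0",
    "classpath exception 2.0": "Classpath-exception-2.0",
    "llvm-exception": "LLVM-exception",
}


def _key(raw: str) -> str:
    """Case- and whitespace-insensitive lookup key."""
    return " ".join(raw.lower().split())


def _ref_token(raw: str) -> str:
    """SPDX idstrings allow only letters, digits, '.' and '-'."""
    return re.sub(r"[^A-Za-z0-9.-]+", "-", raw.strip()).strip("-")


def to_spdx_license(raw: str) -> str:
    """Rules 1 and 3: known name -> short identifier, otherwise LicenseRef-<id>."""
    return SPDX_LICENSES.get(_key(raw)) or "LicenseRef-" + _ref_token(raw)


def to_spdx_exception(raw: str) -> str:
    """Rule 4: known exception -> its identifier, otherwise AdditionRef-<id>."""
    return SPDX_EXCEPTIONS.get(_key(raw)) or "AdditionRef-" + _ref_token(raw)


def normalize_license(raw: str) -> str:
    """One raw field, optionally 'license with exception', to one SPDX term."""
    parts = re.split(r"\s+with\s+", raw.strip(), maxsplit=1, flags=re.I)
    term = to_spdx_license(parts[0])
    if len(parts) == 2:
        term += " WITH " + to_spdx_exception(parts[1])
    return term


def combine_licenses(fields) -> str:
    """Rule 2: join distinct terms with AND, keeping first-seen order."""
    terms = list(dict.fromkeys(normalize_license(f) for f in fields if f and f.strip()))
    return " AND ".join(terms)


def license_entry(fields) -> dict:
    """The licenses[] entry shape used in the SBOM component example."""
    return {"expression": combine_licenses(fields)}


if __name__ == "__main__":
    print(license_entry(["MIT License", "Apache License 2.0", "CompanyPrivate"]))
```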

# What is a package URL?
<a name="sbom-generator-purl-sbom"></a>

 [A package URL or PURL](https://github.com/package-url/purl-spec) is a standardized format used to identify software packages, components, and libraries across different package management systems. The format makes it easier to track, analyze, and manage dependencies in software projects, particularly when generating a Software Bill of Materials (SBOM). 

## PURL structure
<a name="w2aac37c31b5"></a>

 The PURL structure is similar to a URL and is composed of multiple components: 
+  `pkg` – The literal prefix 
+  `type` – The package type 
+  `namespace` – The grouping 
+  `name` – The package name 
+  `version` – The package version 
+  `qualifiers` – Extra key-value pairs 
+  `subpath` – The filepath in the package 

**Example PURL**  
 The following is an example of how a PURL might look. 

```
pkg:<type>/<namespace>/<name>@<version>?<qualifiers>#<subpath>
```

### The generic PURL
<a name="w2aac37c31b5c11"></a>

 A generic PURL is used to represent software packages and components that don't fit into established package ecosystems, such as npm, pypi, or maven. It identifies software components and captures metadata that might not align with specific package management systems. This flexibility lets a generic PURL be applied across a wide range of use cases, including compiled binaries, web platforms such as Apache and WordPress, and custom software distributions. 

**Key use cases**  
+  Supports compiled binaries and is useful for Go and Rust. 
+  Supports web platforms, such as Apache and WordPress, where a package might not be associated with traditional package managers. 
+  Supports custom legacy software by allowing organizations to reference internally developed software or systems lacking formal packages. 

**Example format**  
 The following is an example of the generic PURL format. 

```
pkg:generic/<namespace>/<name>@<version>?<qualifiers>
```

#### Additional examples of the generic PURL format
<a name="w2aac37c31b5c11c13"></a>

 The following are additional examples of the generic PURL format. 

**Compiled Go binary**  
 The following represents the `inspector-sbomgen` binary compiled with Go. 

```
pkg:generic/inspector-sbomgen?go_toolchain=1.22.5
```

**Compiled Rust binary**  
 The following represents the `myrustapp` binary compiled with Rust. 

```
pkg:generic/myrustapp?rust_toolchain=1.71.0
```

**Apache project**  
 The following refers to the `httpd` project under the Apache namespace. 

```
pkg:generic/apache/httpd@1.0.0
```

**WordPress software**  
 The following refers to WordPress core software. 

```
pkg:generic/wordpress/core/wordpress@6.0.0
```

**WordPress theme**  
 The following refers to a custom WordPress theme. 

```
pkg:generic/wordpress/theme/mytheme@1.0.0
```

**WordPress plugin**  
 The following refers to a custom WordPress plugin. 

```
pkg:generic/wordpress/plugin/myplugin@1.0.0
```
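**Example: parsing and building PURLs in Python**  
 The following Python script is an added example, not Sbomgen's own code, covering both the general PURL structure and the generic examples above. `parse_purl` splits a PURL into its seven components (decoding percent-encoding, handling a multi-segment namespace, and a missing version), and `build_purl` is its inverse. The function names and the round-trip behaviour are this example's assumptions; the component rules follow the purl-spec the page links to.

```python
"""Added example: parse and build package URLs of the shape
pkg:<type>/<namespace>/<name>@<version>?<qualifiers>#<subpath>. Not Sbomgen's
code; it follows the purl-spec rules the page links to."""
from urllib.parse import quote, unquote


def parse_purl(purl: str) -> dict:
    """Split a PURL into its seven components, percent-decoding each value."""
    if not purl.startswith("pkg:"):
        raise ValueError("a package URL must start with 'pkg:'")
    rest = purl[len("pkg:"):].lstrip("/")
    rest, _, subpath = rest.partition("#")      # subpath is everything after '#'
    rest, _, query = rest.partition("?")        # qualifiers sit between '?' and '#'
    version = ""
    if "@" in rest:                             # the version follows the last '@'
        rest, version = rest.rsplit("@", 1)
    ptype, _, path = rest.partition("/")
    if not ptype or not path:
        raise ValueError("a package URL needs both a type and a name")
    segments = [unquote(s) for s in path.split("/") if s]
    qualifiers = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        qualifiers[key.lower()] = unquote(value)  # qualifier keys are case-insensitive
    return {
        "type": ptype.lower(),
        "namespace": "/".join(segments[:-1]),   # may span several segments
        "name": segments[-1],
        "version": unquote(version),
        "qualifiers": qualifiers,
        # '.' and '..' segments are discarded, as the spec requires
        "subpath": "/".join(unquote(s) for s in subpath.split("/") if s not in ("", ".", "..")),
    }


def build_purl(ptype, name, namespace="", version="", qualifiers=None, subpath="") -> str:
    """Inverse of parse_purl; every component is percent-encoded."""
    out = "pkg:" + ptype.lower() + "/"
    if namespace:
        out += "/".join(quote(s, safe="") for s in namespace.split("/")) + "/"
    out += quote(name, safe="")
    if version:
        out += "@" + quote(version, safe="")
    if qualifiers:
        out += "?" + "&".join(f"{k.lower()}={quote(v, safe='')}"
                              for k, v in sorted(qualifiers.items()))
    if subpath:
        out += "#" + "/".join(quote(s, safe="") for s in subpath.split("/"))
    return out


def roundtrip(purl: str) -> str:
    """Parse then rebuild, which canonicalises case and percent-encoding."""
    p = parse_purl(purl)
    return build_purl(p["type"], p["name"], p["namespace"], p["version"],
                      p["qualifiers"], p["subpath"])


if __name__ == "__main__":
    for sample in ("pkg:generic/wordpress/core/wordpress@6.5.5",
                   "pkg:generic/inspector-sbomgen?go_toolchain=1.22.5"):
        print(parse_purl(sample))
```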

# Handling unresolved or non-standard version references in the Amazon Inspector SBOM Generator
<a name="sbom-generator-unresolved-non-standard-version-reference"></a>

 The Amazon Inspector SBOM Generator locates and parses supported artifacts within a system by identifying dependencies directly from source files. It's not a package manager and does not resolve version ranges, infer versions based on dynamic references, or handle registry lookups. It collects dependencies only as they're defined in project source artifacts. In many cases, dependencies in package manifests, such as `package.json`, `pom.xml`, or `requirements.txt`, are specified using unresolved or range-based versions. This topic includes examples of how these dependencies might look. 

## Recommendations
<a name="w2aac37c33b5"></a>

 The Amazon Inspector SBOM Generator extracts dependencies from source artifacts, but doesn't resolve or interpret version ranges or dynamic references. For more accurate vulnerability scanning and SBOMs, we recommend using resolved, semantic version identifiers in project dependencies. 

## Java
<a name="w2aac37c33b7"></a>

 For Java, Maven projects can use version ranges to define dependencies in the `pom.xml` file. 

```
<dependency>
    <groupId>org.inspector</groupId>
    <artifactId>inspector-api</artifactId>
    <version>(,1.0]</version>
</dependency>
```

 The range specifies that any version up to and including 1.0 is acceptable. However, if a version is not a resolved version, the Amazon Inspector SBOM Generator won't collect it because it cannot be mapped to a specific release. 

## JavaScript
<a name="w2aac37c33b9"></a>

 For JavaScript, the `package.json` file can include version ranges that resemble the following: 

```
"dependencies": {
    "ky": "^1.2.0",
    "registry-auth-token": "^5.0.2",
    "registry-url": "^6.0.1",
    "semver": "^7.6.0"
}
```

 The `^` operator specifies that any version greater than or equal to the specified version is acceptable. However, if the specified version is not a resolved version, the Amazon Inspector SBOM Generator won't collect it because doing so can lead to false positives during vulnerability detection. 

## Python
<a name="w2aac37c33c11"></a>

 For Python, the `requirements.txt` file can include entries with a version comparison expression. 

```
requests>=1.0.0
```

 The `>=` operator specifies that any version greater than or equal to `1.0.0` is acceptable. Because this particular expression doesn't specify an exact version, the Amazon Inspector SBOM Generator cannot reliably collect a version for vulnerability analysis. 

 The Amazon Inspector SBOM Generator doesn't support non-standard or ambiguous version identifiers, such as beta, latest, or snapshot. 

```
pkg:maven/org.example.com/testmaven@1.0.2%20Beta-RC-1_Release
```

**Note**  
 The use of a non-standard suffix, such as Beta-RC-1_Release, isn't compliant with standard semantic versioning and cannot be assessed for vulnerabilities within the Amazon Inspector detection engine. 
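**Example: classifying version specifiers in Python**  
 The following Python script is an added example, not Sbomgen's own code. It sorts the Maven, npm, and pip specifiers shown above into resolved versions, ranges, and non-standard identifiers, and builds a PURL only for the resolved case, mirroring the "won't collect" behaviour described in this topic. The three-way classification, the `requirements.txt` line parser, and the list of ambiguous words are this example's assumptions.

```python
"""Added example: classify dependency version specifiers the way the page
describes, so that only resolved versions turn into components. Not Sbomgen's
code; the classification rules and the pip line parser are this example's own."""
import re

# Strict version: dotted numerics with an optional semver pre-release/build suffix.
_RESOLVED = re.compile(r"^v?\d+(?:\.\d+){1,4}(?:-[0-9A-Za-z.]+)?(?:\+[0-9A-Za-z.]+)?$")
# Words the page calls non-standard or ambiguous, plus common equivalents.
_AMBIGUOUS = {"latest", "beta", "alpha", "snapshot", "rc", "stable", "trunk", "*", ""}
# name[extras] specifier ; environment-marker
_PIP_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*?)\s*(?:;.*)?$")


def classify_version(ecosystem: str, spec: str) -> tuple:
    """Return ('resolved', version), ('range', None) or ('non-standard', None)."""
    s = spec.strip()
    if ecosystem == "pypi":
        m = re.fullmatch(r"==\s*([0-9][0-9A-Za-z.]*)", s)
        if m:
            return "resolved", m.group(1)          # exact pin, e.g. ==2.31.0
        if s == "" or s[0] in "><~!=" or "," in s:
            return "range", None                   # >=1.0.0, ~=1.4, >=1,<2
    elif ecosystem == "npm":
        if s.startswith("=") and not s.startswith("=="):
            s = s[1:]                              # '=1.2.0' is an exact match
        if (s == "" or s[0] in "^~><" or "||" in s or " - " in s
                or re.search(r"(^|\.)(x|\*)(\.|$)", s)):
            return "range", None                   # ^1.2.0, ~1.2, 1.x, >=1 <2
    elif ecosystem == "maven":
        if s[:1] in ("(", "["):
            return "range", None                   # (,1.0], [1.0,2.0)
    lowered = s.lower()
    if lowered in _AMBIGUOUS or "snapshot" in lowered:
        return "non-standard", None
    if _RESOLVED.fullmatch(s):
        return "resolved", s.lstrip("v")
    return "non-standard", None                    # e.g. '1.0.2 Beta-RC-1_Release'


def parse_requirement(line: str):
    """Split a requirements.txt line into (name, specifier); comments dropped."""
    line = line.split("#", 1)[0]
    m = _PIP_LINE.match(line)
    if not m:
        return None                                # blank line or an option such as -r
    return m.group(1), m.group(2)


def purl_for(ecosystem: str, name: str, spec: str):
    """A PURL only when the version resolves; None means 'not collected'."""
    status, version = classify_version(ecosystem, spec)
    if status != "resolved":
        return None
    return f"pkg:{ecosystem}/{name}@{version}"


if __name__ == "__main__":
    for eco, name, spec in (("maven", "org.inspector/inspector-api", "(,1.0]"),
                            ("npm", "semver", "^7.6.0"),
                            ("pypi", "requests", ">=1.0.0"),
                            ("npm", "semver", "7.6.0")):
        print(eco, name, spec, "->", classify_version(eco, spec), purl_for(eco, name, spec))
```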

# Using CycloneDX namespaces with Amazon Inspector
<a name="cyclonedx-namespace"></a>

 Amazon Inspector provides you with CycloneDX namespaces and property names that you can use with SBOMs. This section describes all of the custom key/value properties that might be added to components in CycloneDX SBOMs. For more information, see [CycloneDX property taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy) on the GitHub website. 

## `amazon:inspector:sbom_scanner` namespace taxonomy
<a name="scan-namespaces"></a>

 The Amazon Inspector Scan API uses the `amazon:inspector:sbom_scanner` namespace and has the following properties: 


| **Property** | **Description** | 
| --- | --- | 
| amazon:inspector:sbom_scanner:cisa_kev_date_added | Indicates when the vulnerability was added to the CISA Known Exploited Vulnerabilities catalog. | 
| amazon:inspector:sbom_scanner:cisa_kev_date_due | Indicates when the vulnerability fix is due according to the CISA Known Exploited Vulnerabilities catalog. | 
| amazon:inspector:sbom_scanner:critical_vulnerabilities | Count of the total number of critical severity vulnerabilities found in the SBOM. | 
| amazon:inspector:sbom_scanner:exploit_available | Indicates if an exploit is available for the given vulnerability. | 
| amazon:inspector:sbom_scanner:exploit_last_seen_in_public | Indicates when an exploit was last seen in public for the given vulnerability. | 
| amazon:inspector:sbom_scanner:fixed_version:component_bom_ref | Provides the fixed version of the indicated component for the given vulnerability. | 
| amazon:inspector:sbom_scanner:high_vulnerabilities | Count of the total number of high severity vulnerabilities found in the SBOM. | 
| amazon:inspector:sbom_scanner:info | Provides scan context for a given component, for example: "Component scanned: no vulnerabilities found." | 
| amazon:inspector:sbom_scanner:is_malicious | Indicates if OpenSSF identifies affected components as malicious. | 
| amazon:inspector:sbom_scanner:low_vulnerabilities | Count of the total number of low severity vulnerabilities found in the SBOM. | 
| amazon:inspector:sbom_scanner:medium_vulnerabilities | Count of the total number of medium severity vulnerabilities found in the SBOM. | 
| amazon:inspector:sbom_scanner:path | The path to the file that yields the subject package information. | 
| amazon:inspector:sbom_scanner:priority |  The recommended priority for fixing a given vulnerability. The values in descending order are "IMMEDIATE", "URGENT", "MODERATE", and "STANDARD".  | 
| amazon:inspector:sbom_scanner:priority_intelligence |  The quality of intelligence used to determine the priority for a given vulnerability. The values include "VERIFIED" or "UNVERIFIED".  | 
| amazon:inspector:sbom_scanner:warning | Provides context for why a given component was not scanned, for example: "Component skipped: no purl provided." | 

## `amazon:inspector:sbom_generator` namespace taxonomy
<a name="sbomgen-namespaces"></a>

 The Amazon Inspector SBOM Generator uses the `amazon:inspector:sbom_generator` namespace and has the following properties: 


| **Property** | **Description** | 
| --- | --- | 
| amazon:inspector:sbom_generator:cpu_architecture | The CPU architecture of the system being inventoried (x86_64). | 
| amazon:inspector:sbom_generator:ec2:instance_id | The Amazon EC2 instance ID. | 
| amazon:inspector:sbom_generator:ec2:instance_type | The Amazon EC2 instance type. | 
| amazon:inspector:sbom_generator:live_patching_enabled | A boolean value indicating whether live patching is enabled on Amazon EC2 Amazon Linux. | 
| amazon:inspector:sbom_generator:live_patched_cves | A list of CVEs patched through live patching on Amazon EC2 Amazon Linux. | 
| amazon:inspector:sbom_generator:dockerfile_finding:inspector_finding_id | Indicates that an Amazon Inspector finding in a component is related to Dockerfile checks. | 
| amazon:inspector:sbom_generator:image_id | The hash belonging to the container image config file (also known as the Image ID). | 
| amazon:inspector:sbom_generator:image_arch | The architecture of the container image. | 
| amazon:inspector:sbom_generator:image_author | The author of the container image. | 
| amazon:inspector:sbom_generator:image:cmd:count | An absolute directory within the container image defined in default CMD configured at image build time. | 
| amazon:inspector:sbom_generator:image:entrypoint:count | An absolute directory within the container image defined in default ENTRYPOINT configured at image build time. | 
| amazon:inspector:sbom_generator:image:workdir | The WORKDIR directory of the container image configured at image build time. | 
| amazon:inspector:sbom_generator:image_docker_version | The docker version used to build the container image. | 
| amazon:inspector:sbom_generator:is_duplicate_package | Indicates that the subject package was found by more than one file scanner. | 
| amazon:inspector:sbom_generator:duplicate_purl | Indicates the duplicated package PURL found by another scanner. | 
| amazon:inspector:sbom_generator:kernel_name | The kernel name of the system being inventoried. | 
| amazon:inspector:sbom_generator:kernel_version | The kernel version of the system being inventoried. | 
| amazon:inspector:sbom_generator:kernel_component | A boolean value indicating whether a subject package is a kernel component. | 
| amazon:inspector:sbom_generator:running_kernel | A boolean value that indicates if a subject package is the running kernel. | 
| amazon:inspector:sbom_generator:layer_diff_id | The hash of the uncompressed container image layer. | 
| amazon:inspector:sbom_generator:replaced_by | The value that replaces the current Go module. | 
| amazon:inspector:sbom_generator:os_hostname | The hostname of the system being inventoried. | 
| amazon:inspector:sbom_generator:source_file_scanner | The scanner that found the file that contains package information, for example: /var/lib/dpkg/status. | 
| amazon:inspector:sbom_generator:source_package_collector | The collector that extracted the package name and version from a specific file. | 
| amazon:inspector:sbom_generator:source_path | The path to the file that the subject package information was extracted from. | 
| amazon:inspector:sbom_generator:file_size_bytes | Indicates the file size of a given artifact. | 
| amazon:inspector:sbom_generator:unresolved_version | Indicates a version string that has not been resolved by a package manager. | 
| amazon:inspector:sbom_generator:experimental:transitive_dependency | Indicates indirect dependencies from a package manager. | 
| amazon:inspector:sbom_generator:subscription:enabled | A boolean value indicating whether a subscription is enabled, such as RHEL EUS/E4S or Ubuntu Pro. | 
| amazon:inspector:sbom_generator:subscription:name | The name of the active subscription (e.g., EUS, E4S, Pro). | 
| amazon:inspector:sbom_generator:subscription:locked_version | The version locked by the active RHEL subscription (RHEL EUS/E4S only). | 
| amazon:inspector:sbom_generator:metadata:host:hostname | The hostname of the scanned system. | 
| amazon:inspector:sbom_generator:metadata:host:kernel_name | The kernel name of the operating system (e.g., Linux, Darwin, Windows_NT). | 
| amazon:inspector:sbom_generator:metadata:host:kernel_version | The kernel version string of the operating system. | 
| amazon:inspector:sbom_generator:metadata:host:cpu_architecture | The CPU architecture of the system (e.g., x86_64, arm64). | 
| amazon:inspector:sbom_generator:metadata:host:bootdisk_id | Unique identifier of the boot disk. | 
| amazon:inspector:sbom_generator:metadata:host:boot_id | Unique identifier for the current boot session. | 
| amazon:inspector:sbom_generator:metadata:host:boot_time | System boot time in ISO 8601 format. | 
| amazon:inspector:sbom_generator:metadata:host:system_id | Persistent system identifier (machine-id on Linux, MachineGuid on Windows). | 
| amazon:inspector:sbom_generator:metadata:host:system_serial | Hardware serial number from system firmware. | 
| amazon:inspector:sbom_generator:metadata:host:network_interfaces:name:hardware | MAC address of the network interface. | 
| amazon:inspector:sbom_generator:metadata:host:network_interfaces:name:ipv4 | IPv4 address(es) assigned to the interface. | 
| amazon:inspector:sbom_generator:metadata:host:network_interfaces:name:ipv6 | IPv6 address(es) assigned to the interface. | 
| amazon:inspector:sbom_generator:metadata:host:sbomgen_tag:key | Custom user-defined tags passed via the --tag CLI argument. | 
| amazon:inspector:sbom_generator:metadata:imds:provider | The cloud provider detected via IMDS (aws, azure). | 
| amazon:inspector:sbom_generator:metadata:imds:instance_id | The Amazon EC2 instance ID or Azure VM name. | 
| amazon:inspector:sbom_generator:metadata:imds:instance_type | The instance type (e.g., t3.micro, Standard_D2s_v3). | 
| amazon:inspector:sbom_generator:metadata:imds:instance_location | The region/location of the instance. | 
| amazon:inspector:sbom_generator:metadata:imds:instance_partition | The cloud partition (aws, aws-cn, aws-us-gov for AWS, or AzurePublicCloud for Azure). | 
| amazon:inspector:sbom_generator:metadata:imds:account_id | The AWS account ID of the Amazon EC2 instance, obtained from the instance identity document (AWS only). | 
| amazon:inspector:sbom_generator:metadata:imds:resource_type | The type of cloud resource being scanned (e.g., aws_ec2_instance). | 
| amazon:inspector:sbom_generator:metadata:imds:instance_managed_id | Amazon EC2 Systems Manager managed instance ID (AWS only). | 
| amazon:inspector:sbom_generator:metadata:imds:tenant_id | Azure tenant ID (Azure only). | 
| amazon:inspector:sbom_generator:metadata:imds:resource_group | The Azure resource group the instance belongs to (Azure only). | 
| amazon:inspector:sbom_generator:metadata:imds:subscription_id | The Azure subscription ID associated with the instance (Azure only). | 
| amazon:inspector:sbom_generator:metadata:imds:vm_id | Azure VM unique identifier (Azure only). | 
| amazon:inspector:sbom_generator:metadata:host:open_port:port:protocol | Indicates an open port of a runtime resource (for example, an EC2 instance). | 
| amazon:inspector:sbom_generator:hardened_image:vendor | The vendor of a hardened container image. | 