Evaluate SBOMs Using Policies

Use Anchore Enterprise to scan an SBOM against policies

This guide walks through scanning an SBOM of a filesystem, generated with AnchoreCTL, against an Anchore Enterprise policy.

Note: This requires Anchore Enterprise 5.24 or later.


  1. Create a new SBOM policy mapping:

    (screenshot: policystart)

    1. Within Policies, navigate to Mappings
    2. Select the SBOMs tab
    3. Click Let’s add a policy first!
  2. Name the rule set that will be mapped to SBOMs. This guide names it sbom-demo.

    (screenshot: sbompolicystart)

  3. This prompts for the rule set configuration. Add one rule with:

    (screenshot: sbom)

    1. Gate: vulnerabilities
    2. Trigger: package
    3. package type: all
    4. severity comparison: >=
    5. severity: medium
    6. fix available: true

    With these parameters the rule matches any vulnerable package, of any package type, whose severity is Medium or higher (Medium, High or Critical) and for which a fixed version is available. Scroll to the bottom and click the red STOP button so the rule's action is STOP.

    (screenshot: stop)

    The rule now looks like this and the policy can be saved:

    (screenshot: save)

    1. Click Save 1 new rule, then Close
  4. We have a rule set, but it is not applied to anything until a mapping points it at SBOMs:

    (screenshot: rulemap)

    1. Click Mappings
    2. Click SBOMs
    3. Click Let’s add one!
  5. Create the mapping: give it a name (this guide uses SBOM Map All), select sbom-demo under Rule Sets, and match all SBOM Names and Versions so every imported SBOM is evaluated against it. Click OK when done.

    (screenshot: sbomrule)

    The result will look like this:

    (screenshot: mapdone)

  6. Generate the SBOM with AnchoreCTL. anchorectl sbom add works for applications, containers, files, filesystems, firmware, libraries, modules and mounted virtual disks. Print the available options with:

    anchorectl sbom add --help
    

    To generate an SBOM of a filesystem (here /usr/bin, named usr_bin_binaries, version 1.0) and add it to Anchore Enterprise:

    anchorectl sbom add --from /usr/bin --name usr_bin_binaries --version 1.0 --type filesystem
    
  7. The SBOM is now available in the UI:

    (screenshot: SBOM as seen in the UI)

    1. Navigate to Imported SBOMs
    2. Click on the usr_bin_binaries 1.0 object
  8. From here we can see that the SBOM has been evaluated against the policy:

    (screenshot: SBOM analyzed against policy)

    1. The Final Action was STOP, because at least one package matched the rule in sbom-demo and that rule's action is STOP
    2. The mapping shown is SBOM Map All with Rule Sets: sbom-demo
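To make the rule from step 3 and the STOP result in step 8 concrete, here is an added example (not part of this guide and not Anchore Enterprise code) that simulates the rule locally in Python. It takes the rule in the gate/trigger/action/params layout that Anchore policy bundle JSON uses for a rule and applies it to a constructed list of findings; the severity ladder, the treatment of Unknown severity, the finding field names and the sample findings are assumptions of the simulation, not Anchore's implementation. It is useful for predicting which findings a rule will catch, and what the Final Action will be, before uploading an SBOM.

```python
"""Local simulation of an Anchore vulnerabilities/package rule.

Added example, not Anchore Enterprise code. It predicts which findings the
sbom-demo rule from step 3 would match and what the Final Action would be.
"""
import operator

# Severity ladder, lowest to highest. Treating "unknown" as the lowest rung is
# an assumption of this simulation, not a statement about Anchore's engine.
SEVERITY_ORDER = ["unknown", "negligible", "low", "medium", "high", "critical"]
SEVERITY_RANK = {name: rank for rank, name in enumerate(SEVERITY_ORDER)}

COMPARATORS = {
    ">": operator.gt, ">=": operator.ge, "=": operator.eq,
    "<": operator.lt, "<=": operator.le, "!=": operator.ne,
}

# The rule built in step 3, in the gate/trigger/action/params layout that
# Anchore policy bundle JSON uses for a rule (assumption: check an exported bundle).
SBOM_DEMO_RULE = {
    "gate": "vulnerabilities",
    "trigger": "package",
    "action": "STOP",
    "params": [
        {"name": "package_type", "value": "all"},
        {"name": "severity_comparison", "value": ">="},
        {"name": "severity", "value": "medium"},
        {"name": "fix_available", "value": "true"},
    ],
}

# Constructed findings, standing in for the vulnerability matches of an
# imported SBOM. "fix" is the fixed version, or "none" when no fix exists.
SAMPLE_FINDINGS = [
    {"package": "openssl", "package_type": "deb", "severity": "high", "fix": "3.0.2-1"},
    {"package": "curl", "package_type": "deb", "severity": "medium", "fix": "none"},
    {"package": "zlib", "package_type": "deb", "severity": "low", "fix": "1.2.13"},
    {"package": "busybox", "package_type": "binary", "severity": "critical", "fix": "1.36.1"},
    {"package": "libfoo", "package_type": "binary", "severity": "unknown", "fix": "0.2"},
]


def rule_params(rule):
    """Flatten the params list into a name -> value dict."""
    return {p["name"]: p["value"] for p in rule.get("params", [])}


def severity_matches(finding_severity, comparison, threshold):
    """Compare two severity names using the operator from severity_comparison."""
    try:
        lhs = SEVERITY_RANK[finding_severity.lower()]
        rhs = SEVERITY_RANK[threshold.lower()]
    except KeyError as exc:
        raise ValueError(f"unrecognized severity: {exc}") from None
    return COMPARATORS[comparison](lhs, rhs)


def rule_matches(rule, finding):
    """True if a single finding satisfies every parameter of the rule."""
    params = rule_params(rule)
    wanted_type = params.get("package_type", "all")
    if wanted_type != "all" and finding["package_type"] != wanted_type:
        return False
    if not severity_matches(finding["severity"],
                            params.get("severity_comparison", ">="),
                            params.get("severity", "unknown")):
        return False
    if "fix_available" in params:
        has_fix = finding.get("fix", "none").strip().lower() not in ("", "none")
        if has_fix != (params["fix_available"].lower() == "true"):
            return False
    return True


def evaluate(rules, findings):
    """Return (final_action, matched) where matched is [(action, finding), ...].

    Final action follows Anchore's precedence: any STOP match gives STOP,
    otherwise any WARN match gives WARN, otherwise GO.
    """
    matched = [(rule["action"], f) for rule in rules for f in findings if rule_matches(rule, f)]
    actions = {action for action, _ in matched}
    if "STOP" in actions:
        final = "STOP"
    elif "WARN" in actions:
        final = "WARN"
    else:
        final = "GO"
    return final, matched


if __name__ == "__main__":
    final_action, hits = evaluate([SBOM_DEMO_RULE], SAMPLE_FINDINGS)
    for action, finding in hits:
        print(f"{action}: {finding['package']} ({finding['severity']}, fix {finding['fix']})")
    print("Final Action:", final_action)
```

Run against the constructed findings, only openssl (High, fix available) and busybox (Critical, fix available) match, so the Final Action is STOP. curl is Medium but has no fix, zlib is below Medium, and libfoo's Unknown severity is ranked below the threshold; none of them trip the rule. Flip fix_available to false and the same rule catches only curl, which is the usual way to split "patch now" findings from "no fix yet" ones into STOP and WARN rules.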

Congrats! You have now mapped a policy to SBOMs and evaluated an imported SBOM against it.

Last modified January 13, 2026