Learn how Red Hat's contextual SBOM pattern solves the problem of understanding package provenance in container images by establishing relationships between container images and their parent and builder images within the software supply chain. Improve vulnerability management with this hierarchical view.

Rhdev is a blog and resource hub dedicated to Ruby on Rails development, a popular web application framework written in Ruby. Developers can explore tutorials, best practices, and case studies for building web applications with Ruby on Rails. Additionally, Rhdev covers topics such as ActiveRecord ORM, RESTful APIs, and frontend integration using JavaScript frameworks, offering insights for both beginners and experienced Rails developers.

Red Hat Developer

Red Hat's contextual SBOM pattern extends traditional SBOMs by establishing hierarchical relationships between container images and their parent/builder images using SPDX 2.3 relationships. Instead of flat package lists, it tracks package provenance through DESCENDANT_OF and BUILD_TOOL_OF relationships, enabling teams to quickly identify whether vulnerabilities originate from parent images, builder stages, or direct installations. This approach significantly improves vulnerability remediation by clarifying which component needs updating when a CVE appears, though limitations exist around package matching when unique identifiers are absent.

How the contextual SBOM pattern improves vulnerability management

The contextual SBOM pattern in vulnerability management

Use case 1: Parent image vulnerability remediation

Use case 2: Builder stage vulnerability remediation