Software Bill of Materials
A Software Bill of Materials (SBOM) is a machine-readable inventory of the components and dependencies included in a software release. It helps you understand what is included in a build and assess potential security or compliance risks.
Starting with version 0.9.0, every Percona ClusterSync for MongoDB (PCSM) release includes a CycloneDX 1.6 SBOM in JSON format.
Why it matters
An SBOM helps you:
- Identify the components and dependencies included in a PCSM release.
- Assess known vulnerabilities using SBOM-compatible security scanners.
- Support security reviews, compliance processes, and software supply chain requirements.
- Verify the contents of deployed software artifacts.
Where to find the SBOM
| Distribution method | SBOM location |
|---|---|
| Binary tarball | percona-clustersync-mongodb-0.9.0/percona-clustersync-mongodb-0.9.0.cdx.json inside the archive |
| RPM package | /usr/share/doc/percona-clustersync-mongodb/percona-clustersync-mongodb-0.9.0.cdx.json |
| DEB package | /usr/share/doc/percona-clustersync-mongodb/percona-clustersync-mongodb-0.9.0.cdx.json |
| Docker image | Embedded in the image and available as an attached OCI artifact. See Docker images. |
Verifying and scanning the SBOM
The examples below use Trivy. You can also use other CycloneDX-compatible scanners, such as Grype or Snyk.
Binary tarball

```bash
# Confirm the SBOM is bundled
tar tzf percona-clustersync-mongodb-0.9.0-x86_64.tar.gz | grep cdx.json

# Extract and scan
tar xzf percona-clustersync-mongodb-0.9.0-x86_64.tar.gz \
    -C /tmp percona-clustersync-mongodb-0.9.0/percona-clustersync-mongodb-0.9.0.cdx.json
trivy sbom --severity HIGH,CRITICAL --ignore-unfixed \
    /tmp/percona-clustersync-mongodb-0.9.0/percona-clustersync-mongodb-0.9.0.cdx.json
```
RPM package

```bash
# Confirm the package installs the SBOM
rpm -ql percona-clustersync-mongodb | grep cdx.json

# Scan it (replace 9.x with your RHEL/OL version)
trivy sbom --severity HIGH,CRITICAL --ignore-unfixed --distro redhat/9.x \
    /usr/share/doc/percona-clustersync-mongodb/percona-clustersync-mongodb-0.9.0.cdx.json
```
DEB package

```bash
# Confirm the package installs the SBOM
dpkg -L percona-clustersync-mongodb | grep cdx.json

# Scan it
trivy sbom --severity HIGH,CRITICAL --ignore-unfixed \
    /usr/share/doc/percona-clustersync-mongodb/percona-clustersync-mongodb-0.9.0.cdx.json
```
Docker images
Each PCSM Docker image (Docker Hub percona/percona-clustersync-mongodb and PerconaLab perconalab/percona-clustersync-mongodb) ships with two CycloneDX 1.6 SBOMs that describe overlapping scopes:
| SBOM | Scope | How to access |
|---|---|---|
| Embedded | PCSM binary and Go modules only | Inside the image filesystem |
| OCI-attached | Full image — PCSM and UBI9 base OS packages | Registry-side, via the OCI Referrers API |
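Because the two SBOMs describe overlapping scopes, it is useful to check them programmatically rather than only feeding them to a scanner: confirm each file really is a CycloneDX 1.6 document, confirm its top-level component is the release you expect to have deployed, check an artifact against the SHA-256 the SBOM records for it, and list which components only the wider OCI-attached SBOM covers. The script below is an added example and is not code from the PCSM project or its documentation. The two SBOM documents, the binary bytes, the Go module names, the RPM entry and the container component are constructed stand-ins; whether a real PCSM SBOM records a hash for its top-level component is an assumption, so treat the `verify_sha256` branch as illustrating the check, not as a statement about the shipped file.

```python
"""Inspect CycloneDX 1.6 SBOMs for a PCSM release.

Added example, not PCSM project code. The two documents below are constructed
stand-ins for the embedded SBOM (binary + Go modules) and the OCI-attached SBOM
(whole image); their component names, purls and hash are made up.
"""
import hashlib
import json

RELEASE_NAME = "percona-clustersync-mongodb"
RELEASE_VERSION = "0.9.0"

# Constructed stand-in for the shipped binary, so the hash check has something to verify.
FAKE_BINARY = b"constructed stand-in for the pcsm binary"
FAKE_BINARY_SHA256 = hashlib.sha256(FAKE_BINARY).hexdigest()

# Top-level component shared by both documents: the release itself, with a recorded SHA-256
# (assumption: a real PCSM SBOM may or may not carry a hashes entry).
_APP_COMPONENT = {
    "type": "application",
    "name": RELEASE_NAME,
    "version": RELEASE_VERSION,
    "hashes": [{"alg": "SHA-256", "content": FAKE_BINARY_SHA256}],
}
_GO_MODULES = [  # constructed module names, not real PCSM dependencies
    {"type": "library", "name": "example.org/mod/alpha", "version": "1.2.3",
     "purl": "pkg:golang/example.org/mod/alpha@1.2.3"},
    {"type": "library", "name": "example.org/mod/beta", "version": "0.4.0",
     "purl": "pkg:golang/example.org/mod/beta@0.4.0"},
]
_OS_PACKAGES = [  # constructed RPM entry standing in for the UBI9 base OS packages
    {"type": "library", "name": "examplepkg", "version": "1.0-1.el9",
     "purl": "pkg:rpm/redhat/examplepkg@1.0-1.el9?arch=x86_64"},
]

# Embedded SBOM: the binary and its Go modules only.
EMBEDDED_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "metadata": {"component": _APP_COMPONENT},
    "components": _GO_MODULES,
})
# OCI-attached SBOM: the whole image, so the app, its Go modules and the OS packages.
OCI_ATTACHED_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "metadata": {"component": {"type": "container",
                               "name": "docker.io/percona/percona-clustersync-mongodb",
                               "version": RELEASE_VERSION}},
    "components": [_APP_COMPONENT] + _GO_MODULES + _OS_PACKAGES,
})


def load_bom(text: str) -> dict:
    """Parse JSON and reject anything that is not a CycloneDX 1.6 document."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"not CycloneDX: bomFormat={bom.get('bomFormat')!r}")
    if bom.get("specVersion") != "1.6":
        raise ValueError(f"unsupported specVersion {bom.get('specVersion')!r}")
    return bom


def describes_release(bom: dict, name: str, version: str) -> bool:
    """True if metadata.component names the release you expect to have deployed."""
    comp = bom.get("metadata", {}).get("component", {})
    return comp.get("name") == name and comp.get("version") == version


def component_ids(bom: dict) -> set:
    """Identify each entry in `components` by purl, falling back to name@version."""
    return {c.get("purl") or f"{c.get('name')}@{c.get('version')}"
            for c in bom.get("components", [])}


def compare_scopes(narrow: dict, wide: dict) -> dict:
    """List what the wider SBOM covers that the narrower one does not, and vice versa."""
    n, w = component_ids(narrow), component_ids(wide)
    return {"common": sorted(n & w),
            "only_in_wide": sorted(w - n),
            "only_in_narrow": sorted(n - w)}


def verify_sha256(bom: dict, data: bytes) -> bool:
    """Check an artifact against the SHA-256 recorded for metadata.component."""
    comp = bom.get("metadata", {}).get("component", {})
    recorded = [h.get("content", "").lower() for h in comp.get("hashes", [])
                if h.get("alg") == "SHA-256"]
    if not recorded:
        raise ValueError("SBOM records no SHA-256 for its top-level component")
    return hashlib.sha256(data).hexdigest() in recorded


if __name__ == "__main__":
    embedded, attached = load_bom(EMBEDDED_SBOM), load_bom(OCI_ATTACHED_SBOM)
    print("embedded SBOM describes", RELEASE_NAME, RELEASE_VERSION, ":",
          describes_release(embedded, RELEASE_NAME, RELEASE_VERSION))
    print("binary matches recorded SHA-256:", verify_sha256(embedded, FAKE_BINARY))
    print("components only the OCI-attached SBOM covers:")
    for cid in compare_scopes(embedded, attached)["only_in_wide"]:
        print("  ", cid)
```

Point `load_bom` at the real files (the `.cdx.json` from the package or tarball, and the artifact fetched with `oras pull`) instead of the constructed strings; the `only_in_wide` list then tells you which OS-level packages a scan of the embedded SBOM alone would never report.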
Scan via OCI Referrers API (recommended)
`trivy image --sbom-sources oci` fetches the attached SBOM via the OCI Referrers API and scans it, without pulling the image:

```bash
trivy image --severity HIGH,CRITICAL --ignore-unfixed --sbom-sources oci \
    docker.io/percona/percona-clustersync-mongodb:0.9.0
```
Scan the embedded SBOM
To scan the embedded SBOM from inside the container image:

```bash
docker run --rm --entrypoint cat \
    docker.io/percona/percona-clustersync-mongodb:0.9.0 \
    /usr/share/doc/percona-clustersync-mongodb/percona-clustersync-mongodb-0.9.0.cdx.json \
    | trivy sbom --severity HIGH,CRITICAL --ignore-unfixed -
```
Advanced: Inspect OCI-attached SBOMs with ORAS
You can use the ORAS CLI to discover and download OCI-attached SBOMs.

```bash
# Use the per-architecture tag to resolve directly to the image manifest
oras discover --format tree \
    docker.io/percona/percona-clustersync-mongodb:0.9.0-amd64

# Pull the SBOM artifact using the digest from the discover output
oras pull docker.io/percona/percona-clustersync-mongodb@sha256:<referrer-digest>
```
Created: June 3, 2026