This document describes how to view and filter dependency metadata that Artifact Analysis detects with automatic scanning.
When you enable the scanning API to identify vulnerabilities in container images, Artifact Analysis also gathers information about the dependencies and licenses used in those images.
You can use this metadata to understand the components of your container images and remediate security issues.
Artifact Analysis provides dependency and license detection for OS packages and supported language packages within container images stored in a Docker format Artifact Registry repository. For more information, see Container scanning overview.
Like vulnerability information, license and dependency metadata is generated each time you push an image to Artifact Registry, then stored in Artifact Analysis.
Artifact Analysis only updates the metadata for images that were pushed or pulled in the last 30 days. After 30 days, the metadata is no longer updated and the results become stale. Artifact Analysis also archives metadata that has been stale for more than 90 days; archived metadata is not available in the Google Cloud console, in gcloud, or through the API. To re-scan an image whose metadata is stale or archived, pull the image again. Refreshing the metadata can take up to 24 hours.
Before you begin
- Sign in to your Google Account. If you don't already have one, sign up for a new account.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project.
- Enable the Container Analysis and Artifact Registry APIs.
- Install the Google Cloud CLI.
- To initialize the gcloud CLI, run the following command:
  gcloud init
- Have a Docker repository in Artifact Registry. See instructions on generating SBOMs.
Required roles
To get the permissions that you need to view SBOM data and filter results, ask your administrator to grant you the following IAM roles on the project:
- Container Analysis Occurrences Viewer (roles/containeranalysis.occurrences.viewer)
- Service Usage Consumer (roles/serviceusage.serviceUsageConsumer)
- Artifact Registry Reader (roles/artifactregistry.reader)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
View licenses and dependencies in the Google Cloud console
Open the Artifact Registry Repositories page.
The page displays a list of your repositories.
In the repositories list, click a repository name.
The Repository details page opens and displays a list of your images.
In the images list, click an image name.
The page displays a list of your image digests.
In the image digest list, click a digest name.
The page displays a row of tabs where the Overview tab is open, showing details such as format, location, repository, virtual size, and tags.
In the row of tabs, click the Dependencies tab.
The Dependencies tab opens and displays the following information:
- SBOM section
- Licenses section
- A filterable list of dependencies
SBOMs
If you generate or upload a software bill of materials (SBOM) with Artifact Analysis, your SBOM details are displayed in this section. SBOMs aren't generated automatically like license and dependency information. Learn how to add SBOMs in SBOM overview.
Licenses
The Licenses summary section displays a bar graph called Most common licenses. This represents the types of licenses that appear most often in your dependency information. When you hold the pointer over a bar in the graph, the console displays the exact count for instances of that license type.
Dependencies
The list of dependencies shows every package detected in the image digest, with the following columns:
- Package name
- Package version
- Package type
- License type
You can filter the list of dependencies by any of these categories.
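The same filtering and license summary can be done outside the console, because the metadata the Dependencies tab shows is stored as PACKAGE occurrences in the Container Analysis API. The following Python is an added example and is not Google's code or code from this page: it builds the occurrences.list request for one image digest, flattens a response into the four columns the console shows, applies the same four filters, and computes the counts behind the "Most common licenses" graph. The response is constructed for the example, and the field layout (kind, package.name, package.version.name, package.packageType, package.license.expression) follows the Grafeas v1 PackageOccurrence schema as the example's author understands it; the project, repository and package names are placeholders. Verify the field names against a real response before relying on them.

```python
"""Filter Artifact Analysis dependency metadata and summarise licenses.

Added example, not Google's code. Artifact Analysis stores dependency and
license data as PACKAGE occurrences in the Container Analysis API; the
response below is constructed, and its field layout follows the Grafeas v1
PackageOccurrence schema as understood by the example's author (assumption).
"""
import json
from collections import Counter
from dataclasses import dataclass
from urllib.parse import quote

API_BASE = "https://containeranalysis.googleapis.com/v1"


def package_occurrences_url(project: str, resource_url: str) -> str:
    """Build the projects.occurrences.list request for one image digest.

    resource_url is the full digest URL, e.g.
    https://us-docker.pkg.dev/PROJECT/REPO/IMAGE@sha256:... (a tag is not
    enough; metadata is stored per digest). The filter must be
    percent-encoded in the query string.
    """
    flt = f'kind="PACKAGE" AND resourceUrl="{resource_url}"'
    return f"{API_BASE}/projects/{project}/occurrences?filter={quote(flt, safe='')}"


@dataclass(frozen=True)
class Dependency:
    """One row of the console's Dependencies list."""
    name: str
    version: str
    package_type: str
    license: str


def parse_dependencies(response_json: str) -> list[Dependency]:
    """Flatten an occurrences.list response into Dependency rows.

    Occurrences of other kinds (e.g. VULNERABILITY, which can share the
    same resource) are skipped. A package with no detected license is
    reported as UNKNOWN so it still appears in the license summary.
    """
    deps = []
    for occ in json.loads(response_json).get("occurrences", []):
        if occ.get("kind") != "PACKAGE":
            continue
        pkg = occ.get("package", {})
        deps.append(Dependency(
            name=pkg.get("name", ""),
            version=pkg.get("version", {}).get("name", ""),
            package_type=pkg.get("packageType", "UNKNOWN"),
            license=pkg.get("license", {}).get("expression") or "UNKNOWN",
        ))
    return deps


def filter_dependencies(deps, name=None, version=None, package_type=None, license=None):
    """Apply the same four filters the console offers.

    name matches as a case-insensitive substring; version, package_type and
    license must match exactly. Unset filters are ignored.
    """
    return [
        d for d in deps
        if (name is None or name.lower() in d.name.lower())
        and (version is None or d.version == version)
        and (package_type is None or d.package_type == package_type)
        and (license is None or d.license == license)
    ]


def most_common_licenses(deps, top_n=5):
    """Counts behind the console's "Most common licenses" bar graph.

    Counter.most_common keeps first-seen order for ties, so the result is
    deterministic for a given response.
    """
    return Counter(d.license for d in deps).most_common(top_n)


def _occurrence(name, version, package_type, license_expr):
    """Build one constructed PACKAGE occurrence in the assumed API shape."""
    pkg = {"name": name, "version": {"name": version, "kind": "NORMAL"},
           "packageType": package_type}
    if license_expr is not None:
        pkg["license"] = {"expression": license_expr}
    return {
        "kind": "PACKAGE",
        "resourceUri": "https://us-docker.pkg.dev/my-project/my-repo/app@sha256:0123",
        "package": pkg,
    }


# Constructed sample response: OS and language packages plus one unrelated
# occurrence that the parser must ignore.
SAMPLE_RESPONSE = json.dumps({"occurrences": [
    _occurrence("openssl", "3.0.2-0ubuntu1.10", "OS", "Apache-2.0"),
    _occurrence("libc6", "2.35-0ubuntu3.1", "OS", "LGPL-2.1"),
    _occurrence("bash", "5.1-6ubuntu1", "OS", "GPL-3.0"),
    _occurrence("golang.org/x/net", "v0.17.0", "GO", "BSD-3-Clause"),
    _occurrence("golang.org/x/crypto", "v0.14.0", "GO", "BSD-3-Clause"),
    _occurrence("requests", "2.31.0", "PYTHON", "Apache-2.0"),
    _occurrence("internal-tool", "1.0.0", "PYTHON", None),
    {"kind": "VULNERABILITY", "vulnerability": {"severity": "HIGH"}},
]})


if __name__ == "__main__":
    deps = parse_dependencies(SAMPLE_RESPONSE)
    print(package_occurrences_url(
        "my-project", "https://us-docker.pkg.dev/my-project/my-repo/app@sha256:0123"))
    for lic, n in most_common_licenses(deps):
        print(f"{lic:14s} {n}")
    for d in filter_dependencies(deps, package_type="GO"):
        print(d.name, d.version, d.license)
```

With a real project, fetch the URL that package_occurrences_url returns with an OAuth bearer token that carries the roles listed above, and keep following nextPageToken, because occurrences.list paginates; the parser accepts each page's JSON as-is. Because Artifact Analysis stops refreshing metadata for images that have not been pushed or pulled in 30 days, an empty or stale result from this query is the cue to pull the digest and retry later.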
View licenses and dependencies in Cloud Build
If you're using Cloud Build, you can view image metadata in the Security insights side panel within the Google Cloud console.
The Security insights side panel provides a high-level overview of build security information for artifacts stored in Artifact Registry. To learn more about the side panel and how you can use Cloud Build to help protect your software supply chain, see View build security insights.
Limitations
Information about licenses and dependencies is only available with automatic scanning. On-demand scanning does not support this feature.
What's next
- Generate a software bill of materials (SBOM) to support compliance requirements.
- Investigate vulnerabilities using common query patterns.
- Create VEX statements to attest to the security posture of your images.