View licenses and dependencies

This document describes how to view and filter dependency metadata that Artifact Analysis detects with automatic scanning.

When you enable the scanning API to to identify vulnerabilities in container images, Artifact Analysis also gathers information about the dependencies and licenses used in your images.

You can use this metadata to understand the components of your container images and remediate security issues.

Artifact Analysis provides dependency and license detection for OS packages and supported language packages within container images stored in stored in a Docker format Artifact Registry repository. For more information, see Container scanning overview.

Like vulnerability information, license and dependency metadata is generated each time you push an image to Artifact Registry, then stored in Artifact Analysis.

Artifact Analysis only updates the metadata for images that were pushed or pulled in the last 30 days. Artifact Analysis archives metadata that is older than 30 days.To re-scan an image with archived metadata, pull that image. Refreshing metadata can take up to 24 hours.

Before you begin

1. Sign in to your Google Account.

   If you don't already have one, sign up for a new account.

2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

   Go to project selector

3. Make sure that billing is enabled for your Google Cloud project.

4. Enable the Container Analysis, Artifact Registry APIs.

   Enable the APIs

5. Install the Google Cloud CLI.

6. To initialize the gcloud CLI, run the following command:

   gcloud init

7. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

   Go to project selector

8. Make sure that billing is enabled for your Google Cloud project.

9. Enable the Container Analysis, Artifact Registry APIs.

   Enable the APIs

10. Install the Google Cloud CLI.

11. To initialize the gcloud CLI, run the following command:

    gcloud init

12. Have a Docker repository in Artifact Registry . See instructions on generating SBOMs.

Required roles

To get the permissions that you need to view SBOM data and filter results, ask your administrator to grant you the following IAM roles on the project:

• Container Analysis Occurrences Viewer (roles/containeranalysis.occurrences.viewer)
• Service Usage Consumer (roles/serviceusage.serviceUsageConsumer)
• Artifact Registry Reader (roles/artifactregistry.reader)

For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

View licenses and dependencies in the Google Cloud console

1. Open the Artifact Registry Repositories page.

   Open the Repositories page

   The page displays a list of your repositories.

2. In the repositories list, click a repository name.

   The Repository details page opens and displays a list of your images.

3. In the images list, click an image name.

   The page displays a list of your image digests.

4. In the image digest list, click a digest name.

   The page displays a row of tabs where the Overview tab is open, showing details such as format, location, repository, virtual size, and tags.

5. In the row of tabs, click the Dependencies tab.

   The dependencies tab opens and displays the following information:

   • SBOM section
   • Licenses section
   • A filterable list of dependencies

SBOMs

If you generate or upload a software bill of materials (SBOM) with Artifact Analysis, your SBOM details are displayed in this section. SBOMs aren't generated automatically like license and dependency information. Learn how to add SBOMs in SBOM overview.

Licenses

The Licenses summary section displays a bar graph called Most common licenses. This represents the types of licenses that appear most often in your dependency information. When you hold the pointer over a bar in the graph, the console displays the exact count for instances of that license type.

Dependencies

The list of dependencies displays the contents of your image digest including:

• Package name
• Package version
• Package type
• License type

You can filter the list of dependencies by any of these categories.

View licenses and dependencies in Cloud Build

If you're using Cloud Build, you can view image metadata in the Security insights side panel within the Google Cloud console.

The Security insights side panel provides a high-level overview of build security information for artifacts stored in Artifact Registry. To learn more about the side panel and how you can use Cloud Build to help protect your software supply chain, see View build security insights.

Limitations

Information about licenses and dependencies is only available with automatic scanning. On-demand scanning does not support this feature.

What's next

• Generate a software bill of materials (SBOM) to support compliance requirements.
• Investigate vulnerabilities using common query patterns.
• Create VEX statements to attest to the security posture of your images.