From 9e6fe95f8af5b380bfd3262d48e3ade887c7133c Mon Sep 17 00:00:00 2001
From: Laurent Goderre <laurent.goderre@docker.com>
Date: Thu, 21 Sep 2023 15:08:22 -0400
Subject: [PATCH] Add attestations for binaries compiled from source

---
 3.10/alpine/Dockerfile     |  7 +++++
 3.10/ubuntu/Dockerfile     |  5 ++++
 3.11/alpine/Dockerfile     |  7 +++++
 3.11/ubuntu/Dockerfile     |  5 ++++
 3.12/alpine/Dockerfile     |  7 +++++
 3.12/ubuntu/Dockerfile     |  5 ++++
 3.13-rc/alpine/Dockerfile  |  7 +++++
 3.13-rc/ubuntu/Dockerfile  |  5 ++++
 3.9/alpine/Dockerfile      |  7 +++++
 3.9/ubuntu/Dockerfile      |  5 ++++
 Dockerfile-alpine.template | 53 ++++++++++++++++++++++++++++++++++++++
 Dockerfile-ubuntu.template | 51 ++++++++++++++++++++++++++++++++++++
 12 files changed, 164 insertions(+)

diff --git a/3.10/alpine/Dockerfile b/3.10/alpine/Dockerfile
index 8ee87eb6..cd2cab55 100644
--- a/3.10/alpine/Dockerfile
+++ b/3.10/alpine/Dockerfile
@@ -4,6 +4,8 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+# syntax=docker/dockerfile:1.4
+
 # Alpine Linux is not officially supported by the RabbitMQ team -- use at your own risk!
 FROM alpine:3.18 as build-base
 
@@ -198,6 +200,11 @@ COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREF
 COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX
 ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH
 
+RUN mkdir -p /usr/local/share/sbom/ && \
+<<EOT cat > /usr/local/share/sbom/openssl-erlang.spdx.json
+{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"openssl-erlang-sbom","documentNamespace":"https://docker.com/docker-scout/fs/sbom-61b3df18-3e41-47b8-a954-e4224f48b2f7","dataLicense":"CC0-1.0","packages":[{"name":"openssl","versionInfo":"3.1.3","SPDXID":"SPDXRef-Package--openssl","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:apk/alpine/openssl@3.1.3?os_name=alpine&os_version=3.18"}]},{"name":"erlang","versionInfo":"25.3.2.6","SPDXID":"SPDXRef-Package--erlang","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:apk/alpine/erlang@25.3.2.6?os_name=alpine&os_version=3.18"}]},{"name":"rabbitmq","versionInfo":"3.10.25","SPDXID":"SPDXRef-Package--rabbitmq","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:github/rabbitmq/rabbitmq-server@3.10.25"}]}]}
+EOT
+
 ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq
 
 RUN set -eux; \
diff --git a/3.10/ubuntu/Dockerfile b/3.10/ubuntu/Dockerfile
index ae3f9ca9..7ba6abcf 100644
--- a/3.10/ubuntu/Dockerfile
+++ b/3.10/ubuntu/Dockerfile
@@ -196,6 +196,11 @@ COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREF
 COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX
 ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH
 
+RUN mkdir -p /usr/local/share/sbom/ && \
+<<EOT cat > /usr/local/share/sbom/openssl-erlang.spdx.json
+{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"openssl-erlang-sbom","documentNamespace":"https://docker.com/docker-scout/fs/sbom-61b3df18-3e41-47b8-a954-e4224f48b2f7","dataLicense":"CC0-1.0","packages":[{"name":"openssl","versionInfo":"3.1.3","SPDXID":"SPDXRef-Package--openssl","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:deb/ubuntu/openssl@3.1.3?os_name=ubuntu&os_version=22.04"}]},{"name":"erlang","versionInfo":"25.3.2.6","SPDXID":"SPDXRef-Package--erlang","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:deb/ubuntu/erlang@25.3.2.6?os_name=ubuntu&os_version=22.04"}]},{"name":"rabbitmq","versionInfo":"3.10.25","SPDXID":"SPDXRef-Package--rabbitmq","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:github/rabbitmq/rabbitmq-server@3.10.25"}]}]}
+EOT
+
 ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq
 
 RUN set -eux; \
diff --git a/3.11/alpine/Dockerfile b/3.11/alpine/Dockerfile
index 57217eb3..c4ec07a8 100644
--- a/3.11/alpine/Dockerfile
+++ b/3.11/alpine/Dockerfile
@@ -4,6 +4,8 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+# syntax=docker/dockerfile:1.4
+
 # Alpine Linux is not officially supported by the RabbitMQ team -- use at your own risk!
 FROM alpine:3.18 as build-base
 
@@ -198,6 +200,11 @@ COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREF
 COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX
 ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH
 
+RUN mkdir -p /usr/local/share/sbom/ && \
+<<EOT cat > /usr/local/share/sbom/openssl-erlang.spdx.json
+{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"openssl-erlang-sbom","documentNamespace":"https://docker.com/docker-scout/fs/sbom-61b3df18-3e41-47b8-a954-e4224f48b2f7","dataLicense":"CC0-1.0","packages":[{"name":"openssl","versionInfo":"3.1.3","SPDXID":"SPDXRef-Package--openssl","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:apk/alpine/openssl@3.1.3?os_name=alpine&os_version=3.18"}]},{"name":"erlang","versionInfo":"25.3.2.6","SPDXID":"SPDXRef-Package--erlang","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:apk/alpine/erlang@25.3.2.6?os_name=alpine&os_version=3.18"}]},{"name":"rabbitmq","versionInfo":"3.11.23","SPDXID":"SPDXRef-Package--rabbitmq","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:github/rabbitmq/rabbitmq-server@3.11.23"}]}]}
+EOT
+
 ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq
 
 RUN set -eux; \
diff --git a/3.11/ubuntu/Dockerfile b/3.11/ubuntu/Dockerfile
index 6aba6d26..8f8ce39a 100644
--- a/3.11/ubuntu/Dockerfile
+++ b/3.11/ubuntu/Dockerfile
@@ -196,6 +196,11 @@ COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREF
 COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX
 ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH
 
+RUN mkdir -p /usr/local/share/sbom/ && \
+<<EOT cat > /usr/local/share/sbom/openssl-erlang.spdx.json
+{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"openssl-erlang-sbom","documentNamespace":"https://docker.com/docker-scout/fs/sbom-61b3df18-3e41-47b8-a954-e4224f48b2f7","dataLicense":"CC0-1.0","packages":[{"name":"openssl","versionInfo":"3.1.3","SPDXID":"SPDXRef-Package--openssl","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:deb/ubuntu/openssl@3.1.3?os_name=ubuntu&os_version=22.04"}]},{"name":"erlang","versionInfo":"25.3.2.6","SPDXID":"SPDXRef-Package--erlang","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:deb/ubuntu/erlang@25.3.2.6?os_name=ubuntu&os_version=22.04"}]},{"name":"rabbitmq","versionInfo":"3.11.23","SPDXID":"SPDXRef-Package--rabbitmq","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:github/rabbitmq/rabbitmq-server@3.11.23"}]}]}
+EOT
+
 ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq
 
 RUN set -eux; \
diff --git a/3.12/alpine/Dockerfile b/3.12/alpine/Dockerfile
index 6ebeb09c..7f7512d3 100644
--- a/3.12/alpine/Dockerfile
+++ b/3.12/alpine/Dockerfile
@@ -4,6 +4,8 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+# syntax=docker/dockerfile:1.4
+
 # Alpine Linux is not officially supported by the RabbitMQ team -- use at your own risk!
 FROM alpine:3.18 as build-base
 
@@ -198,6 +200,11 @@ COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREF
 COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX
 ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH
 
+RUN mkdir -p /usr/local/share/sbom/ && \
+<<EOT cat > /usr/local/share/sbom/openssl-erlang.spdx.json
+{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"openssl-erlang-sbom","documentNamespace":"https://docker.com/docker-scout/fs/sbom-61b3df18-3e41-47b8-a954-e4224f48b2f7","dataLicense":"CC0-1.0","packages":[{"name":"openssl","versionInfo":"3.1.3","SPDXID":"SPDXRef-Package--openssl","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:apk/alpine/openssl@3.1.3?os_name=alpine&os_version=3.18"}]},{"name":"erlang","versionInfo":"25.3.2.6","SPDXID":"SPDXRef-Package--erlang","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:apk/alpine/erlang@25.3.2.6?os_name=alpine&os_version=3.18"}]},{"name":"rabbitmq","versionInfo":"3.12.6","SPDXID":"SPDXRef-Package--rabbitmq","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:github/rabbitmq/rabbitmq-server@3.12.6"}]}]}
+EOT
+
 ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq
 
 RUN set -eux; \
diff --git a/3.12/ubuntu/Dockerfile b/3.12/ubuntu/Dockerfile
index 1773d22f..995cc677 100644
--- a/3.12/ubuntu/Dockerfile
+++ b/3.12/ubuntu/Dockerfile
@@ -196,6 +196,11 @@ COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREF
 COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX
 ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH
 
+RUN mkdir -p /usr/local/share/sbom/ && \
+<<EOT cat > /usr/local/share/sbom/openssl-erlang.spdx.json
+{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"openssl-erlang-sbom","documentNamespace":"https://docker.com/docker-scout/fs/sbom-61b3df18-3e41-47b8-a954-e4224f48b2f7","dataLicense":"CC0-1.0","packages":[{"name":"openssl","versionInfo":"3.1.3","SPDXID":"SPDXRef-Package--openssl","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:deb/ubuntu/openssl@3.1.3?os_name=ubuntu&os_version=22.04"}]},{"name":"erlang","versionInfo":"25.3.2.6","SPDXID":"SPDXRef-Package--erlang","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:deb/ubuntu/erlang@25.3.2.6?os_name=ubuntu&os_version=22.04"}]},{"name":"rabbitmq","versionInfo":"3.12.6","SPDXID":"SPDXRef-Package--rabbitmq","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:github/rabbitmq/rabbitmq-server@3.12.6"}]}]}
+EOT
+
 ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq
 
 RUN set -eux; \
diff --git a/3.13-rc/alpine/Dockerfile b/3.13-rc/alpine/Dockerfile
index 643ddd46..cd1c7de4 100644
--- a/3.13-rc/alpine/Dockerfile
+++ b/3.13-rc/alpine/Dockerfile
@@ -4,6 +4,8 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+# syntax=docker/dockerfile:1.4
+
 # Alpine Linux is not officially supported by the RabbitMQ team -- use at your own risk!
 FROM alpine:3.18 as build-base
 
@@ -198,6 +200,11 @@ COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREF
 COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX
 ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH
 
+RUN mkdir -p /usr/local/share/sbom/ && \
+<<EOT cat > /usr/local/share/sbom/openssl-erlang.spdx.json
+{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"openssl-erlang-sbom","documentNamespace":"https://docker.com/docker-scout/fs/sbom-61b3df18-3e41-47b8-a954-e4224f48b2f7","dataLicense":"CC0-1.0","packages":[{"name":"openssl","versionInfo":"3.1.3","SPDXID":"SPDXRef-Package--openssl","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:apk/alpine/openssl@3.1.3?os_name=alpine&os_version=3.18"}]},{"name":"erlang","versionInfo":"26.1","SPDXID":"SPDXRef-Package--erlang","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:apk/alpine/erlang@26.1?os_name=alpine&os_version=3.18"}]},{"name":"rabbitmq","versionInfo":"3.13.0-beta.6","SPDXID":"SPDXRef-Package--rabbitmq","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:github/rabbitmq/rabbitmq-server@3.13.0-beta.6"}]}]}
+EOT
+
 ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq
 
 RUN set -eux; \
diff --git a/3.13-rc/ubuntu/Dockerfile b/3.13-rc/ubuntu/Dockerfile
index fad8d871..da14dafb 100644
--- a/3.13-rc/ubuntu/Dockerfile
+++ b/3.13-rc/ubuntu/Dockerfile
@@ -196,6 +196,11 @@ COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREF
 COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX
 ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH
 
+RUN mkdir -p /usr/local/share/sbom/ && \
+<<EOT cat > /usr/local/share/sbom/openssl-erlang.spdx.json
+{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"openssl-erlang-sbom","documentNamespace":"https://docker.com/docker-scout/fs/sbom-61b3df18-3e41-47b8-a954-e4224f48b2f7","dataLicense":"CC0-1.0","packages":[{"name":"openssl","versionInfo":"3.1.3","SPDXID":"SPDXRef-Package--openssl","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:deb/ubuntu/openssl@3.1.3?os_name=ubuntu&os_version=22.04"}]},{"name":"erlang","versionInfo":"26.1","SPDXID":"SPDXRef-Package--erlang","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:deb/ubuntu/erlang@26.1?os_name=ubuntu&os_version=22.04"}]},{"name":"rabbitmq","versionInfo":"3.13.0-beta.6","SPDXID":"SPDXRef-Package--rabbitmq","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:github/rabbitmq/rabbitmq-server@3.13.0-beta.6"}]}]}
+EOT
+
 ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq
 
 RUN set -eux; \
diff --git a/3.9/alpine/Dockerfile b/3.9/alpine/Dockerfile
index b09522a5..dc9db185 100644
--- a/3.9/alpine/Dockerfile
+++ b/3.9/alpine/Dockerfile
@@ -4,6 +4,8 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+# syntax=docker/dockerfile:1.4
+
 # Alpine Linux is not officially supported by the RabbitMQ team -- use at your own risk!
 FROM alpine:3.18 as build-base
 
@@ -198,6 +200,11 @@ COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREF
 COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX
 ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH
 
+RUN mkdir -p /usr/local/share/sbom/ && \
+<<EOT cat > /usr/local/share/sbom/openssl-erlang.spdx.json
+{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"openssl-erlang-sbom","documentNamespace":"https://docker.com/docker-scout/fs/sbom-61b3df18-3e41-47b8-a954-e4224f48b2f7","dataLicense":"CC0-1.0","packages":[{"name":"openssl","versionInfo":"3.1.3","SPDXID":"SPDXRef-Package--openssl","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:apk/alpine/openssl@3.1.3?os_name=alpine&os_version=3.18"}]},{"name":"erlang","versionInfo":"25.3.2.6","SPDXID":"SPDXRef-Package--erlang","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:apk/alpine/erlang@25.3.2.6?os_name=alpine&os_version=3.18"}]},{"name":"rabbitmq","versionInfo":"3.9.29","SPDXID":"SPDXRef-Package--rabbitmq","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:github/rabbitmq/rabbitmq-server@3.9.29"}]}]}
+EOT
+
 ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq
 
 RUN set -eux; \
diff --git a/3.9/ubuntu/Dockerfile b/3.9/ubuntu/Dockerfile
index 286e06b1..982ea38c 100644
--- a/3.9/ubuntu/Dockerfile
+++ b/3.9/ubuntu/Dockerfile
@@ -196,6 +196,11 @@ COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREF
 COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX
 ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH
 
+RUN mkdir -p /usr/local/share/sbom/ && \
+<<EOT cat > /usr/local/share/sbom/openssl-erlang.spdx.json
+{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"openssl-erlang-sbom","documentNamespace":"https://docker.com/docker-scout/fs/sbom-61b3df18-3e41-47b8-a954-e4224f48b2f7","dataLicense":"CC0-1.0","packages":[{"name":"openssl","versionInfo":"3.1.3","SPDXID":"SPDXRef-Package--openssl","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:deb/ubuntu/openssl@3.1.3?os_name=ubuntu&os_version=22.04"}]},{"name":"erlang","versionInfo":"25.3.2.6","SPDXID":"SPDXRef-Package--erlang","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:deb/ubuntu/erlang@25.3.2.6?os_name=ubuntu&os_version=22.04"}]},{"name":"rabbitmq","versionInfo":"3.9.29","SPDXID":"SPDXRef-Package--rabbitmq","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:github/rabbitmq/rabbitmq-server@3.9.29"}]}]}
+EOT
+
 ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq
 
 RUN set -eux; \
diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template
index aed10a6e..2bd01c9c 100644
--- a/Dockerfile-alpine.template
+++ b/Dockerfile-alpine.template
@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1.4
+
 # Alpine Linux is not officially supported by the RabbitMQ team -- use at your own risk!
 FROM alpine:{{ .alpine.version }} as build-base
 
@@ -232,6 +234,57 @@ COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREF
 COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX
 ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH
 
+RUN mkdir -p /usr/local/share/sbom/ && \
+<<EOT cat > /usr/local/share/sbom/openssl-erlang.spdx.json
+{{
+	{
+		spdxVersion: "SPDX-2.3",
+		SPDXID: "SPDXRef-DOCUMENT",
+		name: "openssl-erlang-sbom",
+		documentNamespace: "https://docker.com/docker-scout/fs/sbom-61b3df18-3e41-47b8-a954-e4224f48b2f7",
+		dataLicense: "CC0-1.0",
+		packages: [
+			{
+				name: "openssl",
+				versionInfo: .openssl.version,
+				SPDXID: "SPDXRef-Package--openssl",
+				externalRefs: [
+					{
+						referenceCategory: "PACKAGE-MANAGER",
+						referenceType: "purl",
+						referenceLocator: ("pkg:apk/alpine/openssl@" + .openssl.version +"?os_name=alpine\u0026os_version=" + .alpine.version)
+					}
+				]
+			},
+			{
+				name: "erlang",
+				versionInfo: .otp.version,
+				SPDXID: "SPDXRef-Package--erlang",
+				externalRefs: [
+					{
+						referenceCategory: "PACKAGE-MANAGER",
+						referenceType: "purl",
+						referenceLocator: ("pkg:apk/alpine/erlang@" + .otp.version +"?os_name=alpine\u0026os_version=" + .alpine.version)
+					}
+				]
+			},
+			{
+				name: "rabbitmq",
+				versionInfo: .version,
+				SPDXID: "SPDXRef-Package--rabbitmq",
+				externalRefs: [
+					{
+						referenceCategory: "PACKAGE-MANAGER",
+						referenceType: "purl",
+						referenceLocator: ("pkg:github/rabbitmq/rabbitmq-server@" + .version)
+					}
+				]
+			}
+		]
+	} | tostring
+}}
+EOT
+
 ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq
 
 RUN set -eux; \
diff --git a/Dockerfile-ubuntu.template b/Dockerfile-ubuntu.template
index 3dd4faf3..186e5136 100644
--- a/Dockerfile-ubuntu.template
+++ b/Dockerfile-ubuntu.template
@@ -230,6 +230,57 @@ COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREF
 COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX
 ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH
 
+RUN mkdir -p /usr/local/share/sbom/ && \
+<<EOT cat > /usr/local/share/sbom/openssl-erlang.spdx.json
+{{
+	{
+		spdxVersion: "SPDX-2.3",
+		SPDXID: "SPDXRef-DOCUMENT",
+		name: "openssl-erlang-sbom",
+		documentNamespace: "https://docker.com/docker-scout/fs/sbom-61b3df18-3e41-47b8-a954-e4224f48b2f7",
+		dataLicense: "CC0-1.0",
+		packages: [
+			{
+				name: "openssl",
+				versionInfo: .openssl.version,
+				SPDXID: "SPDXRef-Package--openssl",
+				externalRefs: [
+					{
+						referenceCategory: "PACKAGE-MANAGER",
+						referenceType: "purl",
+						referenceLocator: ("pkg:deb/ubuntu/openssl@" + .openssl.version +"?os_name=ubuntu\u0026os_version=" + .ubuntu.version)
+					}
+				]
+			},
+			{
+				name: "erlang",
+				versionInfo: .otp.version,
+				SPDXID: "SPDXRef-Package--erlang",
+				externalRefs: [
+					{
+						referenceCategory: "PACKAGE-MANAGER",
+						referenceType: "purl",
+						referenceLocator: ("pkg:deb/ubuntu/erlang@" + .otp.version +"?os_name=ubuntu\u0026os_version=" + .ubuntu.version)
+					}
+				]
+			},
+			{
+				name: "rabbitmq",
+				versionInfo: .version,
+				SPDXID: "SPDXRef-Package--rabbitmq",
+				externalRefs: [
+					{
+						referenceCategory: "PACKAGE-MANAGER",
+						referenceType: "purl",
+						referenceLocator: ("pkg:github/rabbitmq/rabbitmq-server@" + .version)
+					}
+				]
+			}
+		]
+	} | tostring
+}}
+EOT
+
 ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq
 
 RUN set -eux; \