Open Source compliance for containers
nishakm Fix typo for adding a notice to list of origins
Fixes #142

Signed-off-by: Nisha K <nishak@vmware.com>
Latest commit 7650ac8 Dec 14, 2018
.github/ISSUE_TEMPLATE Added issue templates for different issues Nov 10, 2018
classes Added notices to dict representation of classes Oct 30, 2018
command_lib Fixed error in parsing package listing Sep 19, 2018
docs Added Release Notes for v0.2.0 Nov 29, 2018
report Fix typo for adding a notice to list of origins Dec 15, 2018
samples Added a sample Dockerfile for Apline image Jun 7, 2018
scripts/debian Changed license from Apache-2.0 to BSD-2-Clause Dec 5, 2017
tests Add unit test for `notice_origin` Oct 10, 2018
tools Updates for full functional testing Oct 21, 2018
utils JSON formatted report Oct 31, 2018
vagrant Update vagrant setup Nov 8, 2018
.gitignore Update vagrant setup Nov 8, 2018
.travis.yml Updates for full functional testing Oct 21, 2018
CODE_OF_CONDUCT.md Added initial contributing documentation Nov 30, 2017
CONTRIBUTING.md Improvements to CONTRIBUTING accessability Nov 13, 2018
LICENSE.txt Changed license from Apache-2.0 to BSD-2-Clause Dec 5, 2017
NOTICE.txt Changed license from Apache-2.0 to BSD-2-Clause Dec 5, 2017
README.md Added reference to Vagrant setup Nov 10, 2018
cache.yml Changed license from Apache-2.0 to BSD-2-Clause Dec 5, 2017
common.py Compare package objects rather than package names Nov 29, 2018
docker.py Refactor: get shell commands from docker history Sep 19, 2018
requirements.txt Find sources for packages installed using apt-get Jul 17, 2017
tern Add command line argument to redo cache Nov 27, 2018

README.md

Tern

Welcome to the Tern Project

Tern is a software package inspection tool for containers written in Python.

What is Tern?

Tern is an inspection tool to find the metadata of the packages installed in a container image. It does this in the following steps:

  1. It uses overlayfs to mount the first filesystem layer in a container image
  2. It then executes scripts from the "command library" in a chroot environment to collect information about packages installed in that layer
  3. With that information as a base, it continues to iterate over steps 1 and 2 for the rest of the layers in the container image
  4. Once done, it generates a report in different formats. The default report is a verbose explanation of which layers brought in which software components. If a Dockerfile is provided, it will also report which lines in the Dockerfile were used to create the layers.

Tern gives you a deeper understanding of your container's bill of materials so you can make better decisions about your container-based infrastructure, integration and deployment strategies.
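
The layer-by-layer attribution described in the steps above, as an added Python example that is not Tern's own code: each entry in the constructed `SAMPLE_LAYERS` stands in for the package listing a command-library script would return with layers 0..i mounted, and the names `Package`, `attribute_layers` and `bill_of_materials` are assumptions. Comparing whole package records rather than names attributes a version change to the layer that made it.

```python
from typing import NamedTuple

class Package(NamedTuple):
    name: str
    version: str
    license: str

# Constructed sample data (not real Tern output): the packages visible with
# layers 0..i stacked, as a listing script would report them.
SAMPLE_LAYERS = [
    [Package("bash", "4.3-11", "GPL-3.0"), Package("openssl", "1.0.1t-1", "OpenSSL"),
     Package("wget", "1.16-1", "GPL-3.0")],
    [Package("bash", "4.3-11", "GPL-3.0"), Package("openssl", "1.0.1t-2", "OpenSSL"),
     Package("wget", "1.16-1", "GPL-3.0"), Package("git", "2.1.4-2", "GPL-2.0")],
    [Package("bash", "4.3-11", "GPL-3.0"), Package("openssl", "1.0.1t-2", "OpenSSL"),
     Package("git", "2.1.4-2", "GPL-2.0")],
]

def attribute_layers(layer_listings):
    """Return, per layer, the packages it added, changed or removed."""
    report, seen = [], {}  # seen: name -> Package in the previous merged view
    for index, listing in enumerate(layer_listings):
        current = {p.name: p for p in listing}
        added = sorted(p for n, p in current.items() if n not in seen)
        # Compare whole records, not just names, so a version or license
        # change is attributed to the layer that made it.
        changed = sorted(p for n, p in current.items() if n in seen and seen[n] != p)
        removed = sorted(n for n in seen if n not in current)
        report.append({"layer": index, "added": added,
                       "changed": changed, "removed": removed})
        seen = current
    return report

def bill_of_materials(report):
    """Map each package in the final image to (Package, origin layer)."""
    origin = {}
    for entry in report:
        for pkg in entry["added"] + entry["changed"]:
            origin[pkg.name] = (pkg, entry["layer"])
        for name in entry["removed"]:
            origin.pop(name, None)
    return origin

if __name__ == "__main__":
    bom = bill_of_materials(attribute_layers(SAMPLE_LAYERS))
    for name, (pkg, layer) in sorted(bom.items()):
        print(f"layer {layer}: {name} {pkg.version} ({pkg.license})")
```

A package removed in a later layer drops out of the final bill of materials, but its files can still be present in the earlier layer of the image, which is why the per-layer report is kept alongside the summary.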

Getting Started

Requirements

Tern is currently developed on a Linux distro with a kernel version >= 4.0. Possible development distros are Ubuntu 16.04 or newer or Fedora 25 or newer. Install the following:

If you happen to be using Docker containers

Make sure the docker daemon is running.

Getting Started with Vagrant

Vagrant is a tool to set up an isolated virtual software development environment. Follow these steps to set up your Vagrant environment. This is a requirement if you are using Windows or macOS.

Getting Started on Linux

If you have a Linux OS with the above requirements, you can start by setting up a Python virtual environment to run the code.

$ python3 -m venv ternenv
$ cd ternenv
$ git clone https://github.com/vmware/tern.git
$ source bin/activate
$ cd tern
$ git checkout -b release v0.1.0
$ pip install -r requirements.txt

To run against a Docker image

If you have a Docker image pulled locally and want to inspect it:

$ ./tern report -i debian:jessie

Take a look at report.txt to see what packages are installed in the Docker image and how Tern got this information. If you encounter any errors, please file an issue.

To run against a Dockerfile

You can run Tern against a Dockerfile. Tern will build the image for you and then analyze it with respect to the Dockerfile.

$ ./tern report -d samples/photon_git/Dockerfile

Take a look at report.txt to see what packages are installed in the created Docker image and how Tern got this information. Feel free to try this out on the other sample Dockerfiles in the samples directory or on Dockerfiles you may be working with. If it doesn't work for you, please file an issue.

To get a summary report

To get just a list of packages, you can use the -s option to get a summary report.

$ ./tern report -s -d samples/photon_git/Dockerfile

WARNING: Tern is meant to give guidance on what may be installed in a container image, so it is recommended that for the purpose of investigation, the default report is used. The summary report may be used as the output of a build artifact or something to submit to a compliance or legal team.

To get the results in YAML form

To get the results in a YAML file to be consumed by a downstream tool or script:

$ ./tern report -Y -i debian:jessie

To get the results in JSON form

To get the results in a JSON file for web use:

$ ./tern report -J -i debian:jessie

To run a test

$ cd ternenv
$ source bin/activate
$ git clone https://github.com/vmware/tern.git
$ cd tern
$ export PYTHONPATH=`pwd`
$ python tests/<test file>.py

Project Status

Release 0.1.0 is here! Please see the release notes for details.

We try to keep the project roadmap as up to date as possible. We are currently working on Release 0.2.0.

Releases

Documentation

Architecture, function blocks, code descriptions and the project roadmap are located in the docs folder. We also welcome contributions to the documentation. See the contributing guide to find out how to submit changes.

Get Involved

Do you have questions about Tern? Do you think it can do better? Would you like to make it better? You can get involved by giving your feedback and contributing to the code, documentation and conversation!

Please read our code of conduct first.

Next, take a look at the contributing guide to find out how you can start.