#####################################
License Analysis of Docker Containers
#####################################

Vagrantfile that includes tern + scancode for performing dynamic license analysis
of docker containers. It takes either a Dockerfile or image name to analyse.

*********
Reasoning
*********

While there are tools supporting ONAP development that perform license analysis
and produce an SBoM, they do it via static analysis. When a base image
introduces a licensing issue, those tools give us no way to know about it.
Additionally, the tools performing that static analysis require special access
rights which only few people have. This Vagrant box is meant to be run as close
to the Docker build as possible to give feedback directly to developers.

It has been placed in a VM for the following reasons:

- reproducibility
- tern requires:

  * access to /dev/fuse
  * access to docker.sock

Due to the above requirements, running in Docker would require:

* running the container in --privileged mode
* passing the host's /dev/fuse to the container
* passing the host's docker.sock to the container

Running it in a VM gives tern its own /dev/fuse and docker.sock inside the VM,
which should alleviate the security issues that would be present when running
directly on the host or in Docker.

***************
Getting started
***************

Prerequisites
=============

`Vagrant <https://www.vagrantup.com/downloads>`_

Running
=======

Dockerfile analysis
-------------------

Substitute the DOCKER_FILE_ANALYSE value with the location of the Dockerfile
you want to analyse::

  DOCKER_FILE_ANALYSE="/path/to/Dockerfile" vagrant up

Please mind that the Docker on the VM needs to be able to download the base
image for the analysis to take place.

Docker image analysis
---------------------

Substitute the DOCKER_IMAGE_ANALYSE value with your image of choice::

  DOCKER_IMAGE_ANALYSE="debian:buster" vagrant up

Please mind that the Docker on the VM needs to be able to download the image
for the analysis to take place.

Gathering results
=================

::

  vagrant ssh-config > ssh-config
  scp -F ssh-config default:~/ternvenv/report-scancode.json report-scancode.json
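The whole run (mode selection, ``vagrant up``, fetching the report) as one wrapper
script. This is an added example, not part of this repository's Vagrantfile; it
assumes the two environment variables and the report path documented above, and
adds a ``vagrant destroy -f`` teardown on exit so each analysis starts from a fresh VM.

```shell
#!/bin/sh
# analyse.sh: drive the Vagrant box for one Dockerfile or one image, fetch
# report-scancode.json, and discard the VM afterwards (reproducibility).
set -eu

# Decide which analysis the two variables select: prints "file" or "image",
# fails when neither or both are set, or when the Dockerfile does not exist.
select_mode() {
  file="${1:-}"; image="${2:-}"
  if [ -n "$file" ] && [ -n "$image" ]; then
    echo "set only one of DOCKER_FILE_ANALYSE or DOCKER_IMAGE_ANALYSE" >&2
    return 1
  elif [ -n "$file" ]; then
    [ -f "$file" ] || { echo "Dockerfile not found: $file" >&2; return 1; }
    echo file
  elif [ -n "$image" ]; then
    echo image
  else
    echo "set DOCKER_FILE_ANALYSE or DOCKER_IMAGE_ANALYSE" >&2
    return 1
  fi
}

# Bring the box up with the variables already exported by the caller, copy the
# report out of the VM and check that it is a parseable, non-empty JSON file.
run_analysis() {
  out="${1:-report-scancode.json}"
  mode=$(select_mode "${DOCKER_FILE_ANALYSE:-}" "${DOCKER_IMAGE_ANALYSE:-}")
  vagrant up
  trap 'vagrant destroy -f' EXIT      # teardown is an addition of this script
  vagrant ssh-config > ssh-config
  scp -F ssh-config default:~/ternvenv/report-scancode.json "$out"
  [ -s "$out" ] || { echo "empty report: $out" >&2; return 1; }
  python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$out"
  echo "analysis mode: $mode, report saved to $out"
}

# Only run when explicitly asked, so the functions can be sourced elsewhere.
if [ "${ANALYSE_RUN:-0}" = "1" ]; then
  run_analysis "${REPORT_OUT:-report-scancode.json}"
fi
```

Invoke it as ``ANALYSE_RUN=1 DOCKER_IMAGE_ANALYSE="debian:buster" sh analyse.sh``.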