
spike: SGM for packaging, evaluate "Tern" container scanning & SBOM generation tool #95

Open
halcyondude opened this issue Aug 12, 2022 · 0 comments
Labels: brainstorm (idea incubation, not always actionable), sgm (Sub-Graph Module), spike

Comments

@halcyondude (Collaborator)

https://github.com/tern-tools/tern

Tern is a software package inspection tool that can create a Software Bill of Materials (SBOM) for containers. It's written in Python3 with a smattering of shell scripts.

https://github.com/tern-tools/tern/blob/main/docs/architecture.md
[image: arch-diagram]

The Cache

This is the database where filesystem identifiers can be queried against to retrieve package information. This is useful as many containers are based on other container images. If Tern had come across the same filesystem in another container, it can retrieve the package information without spinning up a container. Tern looks for filesystems here before doing any analysis. This is Tern's own data store which can be curated and culled over time. The reason that Tern keeps its own data store is because the filesystem artifacts that make up a container image are not necessarily how other compliance databases store license information. The filesystems also follow their own method of identifying themselves. A container build is not reproducible, so often, even when the content of the filesystem has not changed, the container's checksum has, and that makes it difficult to identify the contents of a container image.

Analyzer

Data Model

https://github.com/tern-tools/tern/blob/main/docs/data-model.md#terns-data-model
[image: Tern data model diagram]

The main class is Image and its derived classes. This class contains a list of type ImageLayer. ImageLayer contains a list of type Package. Image, ImageLayer and Package contain a property called origins which is an object of type Origins. This class is used to record notes while Tern operates on an image such as what tools were used to retrieve the metadata or if the filesystem is of unknown content. Origins contains a list of type NoticeOrigin which contains a string and a list of type Notice. The Notice objects are where messages get recorded. You can easily record a message in the origins property of the Image, ImageLayer and Package types of objects by using the add_notice_to_origins method which just adds a Notice object to the NoticeOrigin object containing the origin string you give it ("origin_str" is basically a string indicating where in the image or analysis stage an event that you want recorded occurred).

You will also see a class called Template. This is an abstract base class used to make custom formats. To learn more see the documentation on creating custom formats.

Misc
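A minimal standalone model of the two pieces quoted above, the cache keyed by filesystem identifier and the Image / ImageLayer / Package / Origins / NoticeOrigin / Notice chain with add_notice_to_origins, added here as an illustration and not taken from Tern's code. The class bodies, the CACHE dictionary and the analyze function are assumptions that mirror the description, not Tern's actual API.

```python
from dataclasses import dataclass, field

@dataclass
class Notice:
    message: str
    level: str = "info"          # severity label; "warning" marks unknown content
@dataclass
class NoticeOrigin:
    origin_str: str              # where in the image or analysis the event occurred
    notices: list = field(default_factory=list)
@dataclass
class Origins:
    origins: list = field(default_factory=list)

    def add_notice_to_origins(self, origin_str, notice):
        # Append to the NoticeOrigin matching origin_str, creating one if absent.
        for no in self.origins:
            if no.origin_str == origin_str:
                no.notices.append(notice)
                return
        self.origins.append(NoticeOrigin(origin_str, [notice]))

@dataclass
class Package:
    name: str
    version: str

@dataclass
class ImageLayer:
    fs_hash: str                 # filesystem identifier used as the cache key
    packages: list = field(default_factory=list)
    origins: Origins = field(default_factory=Origins)

@dataclass
class Image:
    layers: list
    origins: Origins = field(default_factory=Origins)

# Constructed sample cache: filesystem hash -> packages found in an earlier analysis.
CACHE = {"sha256:base-fs": [Package("openssl", "3.0.2"), Package("zlib", "1.2.11")]}

def analyze(image, cache=CACHE):
    """Fill each layer from the cache on a hit; flag a miss as unknown content.
    Returns the list of filesystem hashes that still need a real scan."""
    unknown = []
    for layer in image.layers:
        if layer.fs_hash in cache:
            layer.packages = list(cache[layer.fs_hash])
            layer.origins.add_notice_to_origins(layer.fs_hash, Notice("packages loaded from cache"))
        else:
            layer.origins.add_notice_to_origins(layer.fs_hash, Notice("filesystem of unknown content", "warning"))
            unknown.append(layer.fs_hash)
    return unknown
```

The returned list is the set of layers that would still have to be spun up and scanned; the warning-level notice on each of them is how the "unknown content" state described above would surface in the report.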
