Alexander Mazuruk | 846dd7f | 2020-12-17 17:13:45 +0100

#####################################
License Analysis of Docker Containers
#####################################

Vagrantfile that provisions a VM with tern and scancode for performing dynamic
license analysis of Docker containers. It takes either a Dockerfile or an image
name to analyse.


*********
Reasoning
*********

While there are tools supporting ONAP development that perform license analysis
and produce an SBoM, they do it via static analysis of the sources. When a base
image introduces a licensing issue, those tools give no way to know about it.
Additionally, the tools performing that static analysis require special access
rights which only a few people have. This Vagrant box is meant to be run as
close to the Docker build as possible, to give feedback directly to developers.

It has been placed in a VM for the following reasons:

- reproducibility
- tern requires:

  * access to /dev/fuse
  * access to docker.sock

Due to the above requirements, running tern in a Docker container would
require:

* running the container in --privileged mode
* passing the host's /dev/fuse to the container
* passing the host's docker.sock to the container

Access to the host's docker.sock is equivalent to root on the host, so any bug
in the analysis tooling, or any hostile content in the image under analysis,
would put the host itself at risk. Running in a VM gives tern its own /dev/fuse
and its own Docker daemon, so the host's are never exposed and whatever goes
wrong during analysis is confined to the disposable VM.


***************
Getting started
***************

Prerequisites
=============

`Vagrant <https://www.vagrantup.com/downloads>`_


Running
=======

Dockerfile analysis
-------------------

Set DOCKER_FILE_ANALYSE to the path of the Dockerfile you want to analyse::

    DOCKER_FILE_ANALYSE="/path/to/Dockerfile" vagrant up

Please mind that the Docker daemon inside the VM needs network access to pull
the Dockerfile's base image, otherwise the analysis cannot take place.

Docker image analysis
---------------------

Set DOCKER_IMAGE_ANALYSE to the image reference you want to analyse::

    DOCKER_IMAGE_ANALYSE="debian:buster" vagrant up

Please mind that the Docker daemon inside the VM needs network access to pull
the image, otherwise the analysis cannot take place. Pin the image with a tag
or a digest: an untagged reference resolves to ``:latest``, which changes over
time, so the resulting report would not be reproducible.

Gathering results
=================

Once ``vagrant up`` has finished, the report is left at
``~/ternvenv/report-scancode.json`` inside the VM. Export the VM's ssh settings
and copy it out (``default`` is the name Vagrant gives the single machine
defined in this Vagrantfile)::

    vagrant ssh-config > ssh-config
    scp -F ssh-config default:~/ternvenv/report-scancode.json report-scancode.json

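The two steps above, bringing the box up with one of the two variables set and
then copying the report out over the Vagrant ssh configuration, as a single
script. This is an added example, not part of the Vagrantfile or of the tern
and scancode projects; it assumes the Vagrantfile is in the current directory,
that the VM's ssh host name is ``default`` and that the report is written to
``~/ternvenv/report-scancode.json``, exactly as the commands above show. The
input check (exactly one target, an existing Dockerfile, an image reference
pinned with a tag or digest and free of shell metacharacters) is the script's
own addition.

```shell
#!/bin/sh
# Added example, not part of the original Vagrantfile: wraps the two steps
# from the README (vagrant up with one target variable, then scp of the report).
# Assumptions: the Vagrantfile is in the current directory, the VM is named
# "default" in `vagrant ssh-config`, and the report is written to
# ~/ternvenv/report-scancode.json inside the VM.

# Convert the user's choice into the single VAR=value assignment the
# Vagrantfile reads. Exactly one of a Dockerfile path or an image reference
# must be given; on success the assignment is printed on stdout.
select_target() {
    dockerfile="$1"
    image="$2"
    if [ -n "$dockerfile" ] && [ -n "$image" ]; then
        echo "error: give either a Dockerfile or an image, not both" >&2
        return 1
    fi
    if [ -n "$dockerfile" ]; then
        if [ ! -f "$dockerfile" ]; then
            echo "error: no such Dockerfile: $dockerfile" >&2
            return 1
        fi
        # Pass an absolute path so the value does not depend on where
        # vagrant is invoked from.
        dir=$(cd "$(dirname "$dockerfile")" && pwd) || return 1
        echo "DOCKER_FILE_ANALYSE=$dir/$(basename "$dockerfile")"
        return 0
    fi
    if [ -n "$image" ]; then
        # Only the characters that can appear in an image reference; this
        # keeps shell metacharacters out of the value handed to vagrant.
        case "$image" in
            *[!A-Za-z0-9._:/@-]*)
                echo "error: unexpected characters in image reference: $image" >&2
                return 1 ;;
        esac
        # An untagged reference silently resolves to :latest, which changes
        # over time and makes the license report irreproducible, so require
        # a tag or a digest on the last path component (registry ports such
        # as localhost:5000/app must not count as a tag).
        last=${image##*/}
        case "$last" in
            *:*|*@*) ;;
            *)
                echo "error: pin the image with a tag or digest, e.g. $image:<tag>" >&2
                return 1 ;;
        esac
        echo "DOCKER_IMAGE_ANALYSE=$image"
        return 0
    fi
    echo "error: give a Dockerfile path or an image reference" >&2
    return 1
}

# Bring the VM up with the chosen target and copy the report out of it.
run_analysis() {
    target="$1"
    out="${2:-report-scancode.json}"
    env "$target" vagrant up || return 1
    vagrant ssh-config > ssh-config || return 1
    scp -F ssh-config default:~/ternvenv/report-scancode.json "$out"
}

# Usage: ./analyse.sh --dockerfile PATH [OUTPUT]
#        ./analyse.sh --image NAME[:TAG|@DIGEST] [OUTPUT]
main() {
    case "$1" in
        --dockerfile) target=$(select_target "$2" "") || exit 1 ;;
        --image)      target=$(select_target "" "$2") || exit 1 ;;
        *) echo "usage: $0 --dockerfile PATH | --image NAME [OUTPUT]" >&2; exit 2 ;;
    esac
    run_analysis "$target" "$3"
}

# Only act when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as ``./analyse.sh --image debian:buster`` or ``./analyse.sh --dockerfile
./Dockerfile out.json``; the VM is left running afterwards, so ``vagrant
destroy`` it once the report has been copied out.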