Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

License Compliance for Your Container Supply Chain


Published on

Video and slides synchronized, mp3 and slide download available at URL

Nisha Kumar talks about Tern, an open source tool for inspecting container images for OSS compliance. She provides examples of how enterprises can evaluate container images, Dockerfiles, and container supply chains using Tern, even for the impossible situations. She talks about the pitfalls of long advocated best practices for building and reusing container images for the software supply chain. Filmed at

Nisha Kumar is an Open Source Engineer at VMware’s Open Source Technology Center. She currently researches and advocates for compliant container build and release best practices. She has 4 years of experience in DevOps for embedded systems and 3 years as a Radio Frequency Engineer working with cellphones. She is also an open hardware enthusiast.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

License Compliance for Your Container Supply Chain

  1. 1. ©2019 VMware, Inc. 1 License Compliance for your Container Supply Chain Nisha Kumar (VMware) QCon San Francisco 2019 Drawings by Nisha Kumar and Gautham Mayernik
  2. 2. News & Community Site • Over 1,000,000 software developers, architects and CTOs read the site world- wide every month • 250,000 senior developers subscribe to our weekly newsletter • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • 2 dedicated podcast channels: The InfoQ Podcast, with a focus on Architecture and The Engineering Culture Podcast, with a focus on building • 96 deep dives on innovative topics packed as downloadable emags and minibooks • Over 40 new content items per week Watch the video with slide synchronization on! tern-oss/
  3. 3. Purpose of QCon - to empower software development by facilitating the spread of knowledge and innovation Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide Presented at QCon San Francisco
  4. 4. ©2019 VMware, Inc. 2 By Nisha Kumar Creative Commons Attribution 4.0 International CC-BY-4.0
  5. 5. ©2019 VMware, Inc. 3 What I think of my code My actual code Photo Source:
  6. 6. ©2019 VMware, Inc. 4 Gautham Mayernik
  7. 7. ©2019 VMware, Inc. 5 © Gautham Mayernik Creative Commons Attribution Non Commercial Share Alike 4.0 International CC-BY-NC-SA-4.0 ABSOLUTELY NO MEMES! Gautham Mayernik
  8. 8. ©2019 VMware, Inc. 6
  9. 9. ©2019 VMware, Inc. 7 OSS Compliance for Containers ranges from difficult to impossible
  10. 10. ©2019 VMware, Inc. 8 Building Container Images using Dockerfiles Dockerfile instructions BaseOS: bin boot etc home lib opt root tmp usr var Debian, Photon, Alpine Diff Files: etc/ca-certificates/* usr/share/ca-certificates/* OS & language package manager dependencies Someone else’s files FROM <image>
  11. 11. ©2019 VMware, Inc. 9 Building Container Images using Dockerfiles Dockerfile instructions COPY . . BaseOS: bin boot etc home lib opt root tmp usr var Debian, Photon, Alpine Diff files: install app dependencies and extra modifications Diff Files: etc/ca-certificates/* usr/share/ca-certificates/* OS & language package manager dependencies Diff Files: Copy app into container Someone else’s files FROM <image> RUN <script> Yours + Someone else’s files
  12. 12. ©2019 VMware, Inc. 10 Docker Multistage Builds Dockerfile instructions COPY . . BaseOS Diff files Diff Files Diff Files FROM <image1> as builder RUN <script> BaseOS Someone else’s files FROM <image2> as release COPY -- from=builder files Yours + Someone else’s files Dockerfile instructions
  13. 13. ©2019 VMware, Inc. 11 Docker Multistage Builds BaseOS Someone else’s files FROM <image2> as release COPY -- from=builder files Yours + Someone else’s files Dockerfile instructions
  14. 14. ©2019 VMware, Inc. 12 Gautham Mayernik
  15. 15. ©2019 VMware, Inc. 13 As an Enterprise I want to sell my customers the best sandwich
  16. 16. ©2019 VMware, Inc. 14 Gautham Mayernik
  17. 17. ©2019 VMware, Inc. 15 Three types of container images Panini Taco Weird Candy
  18. 18. ©2019 VMware, Inc. 16 Inspecting container images with Tern
  19. 19. ©2019 VMware, Inc. 17 Lots of layers
  20. 20. ©2019 VMware, Inc. 18 tern -l report -i edgexfoundry/docker-edgex-mongo:1.0.1 -o output.txt This report was generated by the Tern Project Version: 1.0.0 Docker image: edgexfoundry/docker-edgex-mongo:1.0.1: Layer: bcf84b2ae1: info: Found 'Debian GNU/Linux 8 (jessie)' in /etc/os-release. info: Layer created by commands: /bin/sh -c #(nop) ADD file:187fe0df97a4c52984a518a454fb7ab3984ae7b541ede.... info: Retrieved by invoking listing in command_lib/base.yml names: in container: dpkg --get-selections | cut -f1 -d':' | awk '{print $1}’ ..... Invoking commands from command_lib/base.yml: warning: No listing for key licenses. Consider adding this listing to command_lib/base.yml. No listing for key srcs. Consider adding this listing to command_lib/base.yml.
  21. 21. ©2019 VMware, Inc. 19 tern -l report -i edgexfoundry/docker-edgex-mongo:1.0.1 -o output.txt Packages found in Layer: acl-2.2.52-2, adduser-3.113+nmu3, apt-, base-files-8+deb8u9, base-passwd-3.5.37, bash-4.3-11+deb8u1, bsdutils-1:2.25.2-6, coreutils-8.23-4, dash-0.5.7-4+b1, debconf-1.5.56+deb8u1, debconf-i18n-1.5.56+deb8u1, debian-archive-keyring-2017.5~deb8u1, debianutils-4.4+b1, diffutils-1:3.3-1+b1, dmsetup-2:1.02.90-2.2+deb8u1, dpkg-1.17.27, e2fslibs-1.42.12-2+b1, e2fsprogs-1.42.12-2+b1, findutils-4.4.2-9+b1, gcc-4.8-base-4.8.4-1, gcc-4.9-base-4.9.2-10, gnupg-1.4.18-7+deb8u4, gpgv-1.4.18-7+deb8u4, grep-2.20-4.1, gzip-1.6-4, hostname-3.15, init-1.22, initscripts-2.88dsf-59, insserv-1.14.0-5, libacl1-2.2.52-2, libapt-pkg4.12-, libattr1-1:2.4.47-2, libaudit-common-1:2.4-1, libaudit1-1:2.4-1+b1, libblkid1-2.25.2-6, libbz2-1.0-1.0.6-7+b3, libc-bin-2.19-18+deb8u10, libc6-2.19-18+deb8u10, libcap2-1:2.24-8, libcap2-bin-1:2.24-8, libcomerr2-1.42.12-2+b1, libcryptsetup4-2:1.6.6-5, libdb5.3-5.3.28-9, libdebconfclient0-0.192, libdevmapper1.02.1-2:1.02.90-2.2+deb8u1, libgcc1-1:4.9.2-10, libgcrypt20-1.6.3-2+deb8u4, libgpg-error0-1.17-3, .... Licenses found in Layer: None
  22. 22. ©2019 VMware, Inc. 20 tern -l report -i edgexfoundry/docker-edgex-mongo:1.0.1 -o output.txt Layer: 13e6959a00: info: Instruction Line: RUN apt-get update && apt-get install -y --no-install-recommends ... warning: Ignored Commands: apt-get update Unrecognized Commands: rm -rf /var/lib/apt/lists/* ..... Packages found in Layer: ca-certificates-20141019+deb8u3, jq-1.4-2.1+deb8u1, libnuma1-2.0.10-1, ..... Licenses found in Layer: None
  23. 23. ©2019 VMware, Inc. 21 tern -l report -i edgexfoundry/docker-edgex-mongo:1.0.1 -o output.txt Layer: 9b92fab6d6: info: Instruction Line: RUN set -ex; export GNUPGHOME="$(mktemp -d)"; ..... warning: Unrecognized Commands:set -ex export GNUPGHOME="$(mktemp -d)" for key in $GPG_KEYS do gpg --keyserver --recv-keys "$key" done gpg --export $GPG_KEYS > /etc/apt/trusted.gpg.d/mongodb.gpg rm -r "$GNUPGHOME" apt-key list Packages found in Layer: None Licenses found in Layer: None
  24. 24. ©2019 VMware, Inc. 22 tern -l report -i edgexfoundry/docker-edgex-mongo:1.0.1 -o output.txt Layer: ee1d461919: info: Instruction Line: COPY file:820cdff24237d3d4f542ad4493ce4d7b254915f496981d560ad84e4350a0c8f7 in /edgex/mongo/.... warning: Unknown content included in layer file:820cdff24237d3d4f542ad4493ce4d7b254915f496981d560ad84e4350a0c8f7 in /edgex/mongo/config/. Please analyze these files separately Packages found in Layer: None Licenses found in Layer: None
  25. 25. ©2019 VMware, Inc. 23 tern -l report -i edgexfoundry/docker-edgex-mongo:1.0.1 -f spdxtagvalue -o output.txt PackageName: edgexfoundry/docker-edgex-mongo PackageVersion: 1.0.1 PackageDownloadLocation: edgexfoundry/docker-edgex-mongo:1.0.1 FilesAnalyzed: false PackageComment: <text>Docker image: edgexfoundry/docker-edgex-mongo:1.0.1: </text> Relationship: SPDXRef-34f2f1356d-edgexfoundry/docker-edgex-mongo-1.0.1 CONTAINS SPDXRef-29d71372a4 Relationship: SPDXRef-34f2f1356d-edgexfoundry/docker-edgex-mongo-1.0.1 CONTAINS SPDXRef-76029b7a6a Relationship: SPDXRef-34f2f1356d-edgexfoundry/docker-edgex-mongo-1.0.1 CONTAINS SPDXRef-a2514a91dc Relationship: SPDXRef-34f2f1356d-edgexfoundry/docker-edgex-mongo-1.0.1 CONTAINS SPDXRef-2f50446847 Relationship: SPDXRef-34f2f1356d-edgexfoundry/docker-edgex-mongo-1.0.1 CONTAINS SPDXRef-1957d8bb5b Relationship: SPDXRef-34f2f1356d-edgexfoundry/docker-edgex-mongo-1.0.1 CONTAINS SPDXRef-26d0f604dc Relationship: SPDXRef-34f2f1356d-edgexfoundry/docker-edgex-mongo-1.0.1 CONTAINS SPDXRef-0885393eaa Relationship: SPDXRef-34f2f1356d-edgexfoundry/docker-edgex-mongo-1.0.1 CONTAINS SPDXRef-56a71a6a57 Relationship: SPDXRef-34f2f1356d-edgexfoundry/docker-edgex-mongo-1.0.1 CONTAINS SPDXRef-9d352487e7 Relationship: SPDXRef-34f2f1356d-edgexfoundry/docker-edgex-mongo-1.0.1 CONTAINS SPDXRef-e11f893dcb Relationship: SPDXRef-34f2f1356d-edgexfoundry/docker-edgex-mongo-1.0.1 CONTAINS SPDXRef-16d7333caf Relationship: SPDXRef-34f2f1356d-edgexfoundry/docker-edgex-mongo-1.0.1 CONTAINS SPDXRef-4386317b1f Relationship: SPDXRef-34f2f1356d-edgexfoundry/docker-edgex-mongo-1.0.1 CONTAINS SPDXRef-c27c469982
  26. 26. ©2019 VMware, Inc. 24 tern -l report -i edgexfoundry/docker-edgex-mongo:1.0.1 -f spdxtagvalue -o output.txt PackageName: mongodb-org-tools PackageVersion: 3.4.9 PackageLicenseDeclared: NOASSERTION PackageCopyrightText: <text> This package was debianized by Kristina Chodorow <> on Tue, 07 Apr 2009 10:18:58 -0400. .... License: AGPL The Debian packaging is (C) 2009, Kristina Chodorow <> and is licensed under the AGPL, see `'. </text> PackageDownloadLocation: NOASSERTION SPDXID: SPDXRef-mongodb-org-tools-3.4.9 PackageLicenseConcluded: NOASSERTION FilesAnalyzed: false
  27. 27. ©2019 VMware, Inc. 25 Just Enough
  28. 28. ©2019 VMware, Inc. 26 tern -lk report -i -o output.txt Docker image: Layer: 58de108e9e: info: Found 'Distroless' in /etc/os-release. warning: Unable to find a known package manager. Cannot list packages. Layer: ddd55ab5dd: info: Instruction Line: COPY file:3e3ff62ed6e1adbd71fc69f17d85b3faf3fcf20fb72486c0637ba6bfd11a6a37 in / warning: Unknown content included in layer file:3e3ff62ed6e1adbd71fc69f17d85b3faf3fcf20fb72486c0637ba6bfd11a6a37 in /. Please analyze these files separately cd ~/.tern/temp We find “pod_nanny”
  29. 29. ©2019 VMware, Inc. 27 Mystery Meat/ Weird Candy
  30. 30. ©2019 VMware, Inc. 28 tern -l report -x scancode -i Layer: 01092e5921 contents/usr/share/base-files/motd: wtfpl-2.0 contents/usr/share/common-licenses/Apache-2.0: apache-2.0 contents/usr/share/common-licenses/Artistic: artistic-perl-1.0 contents/usr/share/common-licenses/BSD: bsd-new contents/usr/share/common-licenses/GFDL-1.2: gfdl-1.2 contents/usr/share/common-licenses/GFDL-1.3: gfdl-1.3 contents/usr/share/common-licenses/GPL-1: gpl-1.0 ........ contents/usr/share/doc/base-files/copyright: gpl-2.0-plus,artistic-2.0,artistic-1.0,gpl-1.0-plus contents/usr/share/doc/base-files/README: unknown,apache-2.0,artistic-2.0,gpl-2.0-plus,lgpl-2.1-plus contents/usr/share/doc/ca-certificates/copyright: gpl-2.0-plus,mpl-2.0,mpl-2.0 contents/usr/share/doc/netbase/copyright: gpl-1.0-plus,gpl-2.0-plus,gpl-2.0 contents/usr/share/doc/tzdata/copyright: public-domain contents/usr/share/lintian/overrides/base-files: gpl-1.0-plus,gpl-1.0,lgpl-2.0-plus,gpl-1.0-plus,lgpl-2.0-plus,gpl-1.0-plus, ..... .... Layer: 3ff0819850 ß NOTHING
  31. 31. ©2019 VMware, Inc. 29 Mix of software Some knowns and some unknowns Fairly straightforward to reason about Unknown Software Bill of Materials Unknown binary Difficult to reason about Unknown binary Unknown context Impossible to reason about What did we learn?
  32. 32. ©2019 VMware, Inc. 30 Is Tern foolproof? It depends on the supply chain... Gautham Mayernik
  33. 33. ©2019 VMware, Inc. 31 “The words I would use to describe a maintainer is burnout and anxiety” - Henry Zhu, Babel Maintainer (All Things Open 2018)
  34. 34. ©2019 VMware, Inc. 32 Gautham Mayernik
  35. 35. ©2019 VMware, Inc. 33 Gautham Mayernik
  36. 36. ©2019 VMware, Inc. 34 • People find “creative” ways to use containers • Analyze every container you consume and distribute (shameless plug - use Tern!) • Be careful when building containers (some Dockefile tips) • FROM ß what is this and where is it coming from? • RUN ß what is this doing? • COPY/ADD ß what is this and where is it coming from? • Inventory the ecosystem • Software interactions (statically/dynamically linked) • Dependency chains • Build stages and toolchains • SDK • Get Involves in the Open Source projects you consume! Takeaways
  37. 37. ©2019 VMware, Inc. 35 Dockerfile + image Reporting formats • YAML • JSON • SPDX • Custom... Extensions • Scancode • Custom... Coming soon • Dockerfile freeze • Language package manager support • Tern + ACT + others... Tern features
  38. 38. ©2019 VMware, Inc. 36 Reading: • Storage drivers: • What’s wrong with tar - Aleksa Sarai: Talks: • Shipping compliant container images (Open Source Leadership Summit 2019): content/uploads/2018/07/OSLS_2019_shipping_compliant_container_images.pdf • Welcome back to dependency hell (Open Source Summit North America 2019): Links: • SPDX: • OCI: • Tern: Resources
  39. 39. ©2019 VMware, Inc. 37 Thank You! github: @nishakm twitter: @nishakmr
  40. 40. Watch the video with slide synchronization on! tern-oss/