Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
Commit 0891287 introduced using the OCIImage class instead of
DockerImage for container image analysis. There is a difference in the
name and type of the variable that holds the repository tag ('repotags'
list for DockerImage vs 'repotag' string for OCIImage) which is causing
the CycloneDX format to break. This was not caught prior to the release
because there are no tests for the CycloneDX format in the ci test file.
This commit resolves the CycloneDX format bug by using the repository
tag variable name depending on image type and also adds an appropriate
test in the ci test file to try to avoid this issue in the future.
Lastly, we add 'undefined-variable' to the list of pylint and pyflakes
warnings to ignore as it was being incorrectly surfaced during
prospector runs.
Resolves #1097
Signed-off-by: Rose Judge <rjudge@vmware.com>
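As an added illustration of the bug described in this commit (example code, not Tern's own; the DockerImage and OCIImage classes below are hypothetical stubs that only reproduce the attribute names and types the message cites), the snippet contrasts an accessor that assumes every image carries a 'repotags' list with one that handles both image types, and feeds the result into a minimal CycloneDX-style component record:

```python
from dataclasses import dataclass, field

# Hypothetical stand-ins for Tern's image classes (not Tern's code). Only the
# attribute names/types from the commit message are modelled here.
@dataclass
class DockerImage:
    repotags: list = field(default_factory=list)   # list, e.g. ["alpine:3.18"]

@dataclass
class OCIImage:
    repotag: str = ""                               # string, e.g. "alpine:3.18"

def get_image_tags_broken(image):
    """Pre-fix behaviour: assumes every image exposes a 'repotags' list,
    so an OCIImage raises AttributeError and the report generation breaks."""
    return image.repotags

def get_image_tags(image):
    """Return the repository tags as a list, choosing the attribute by image type."""
    if isinstance(image, OCIImage):
        return [image.repotag] if image.repotag else []
    if isinstance(image, DockerImage):
        return list(image.repotags)
    raise TypeError(f"unsupported image type: {type(image).__name__}")

def cyclonedx_component(image):
    """Build a minimal CycloneDX-style top-level 'component' dict for an image.
    Splitting 'repo:tag' into name/version is a constructed convention for this
    example; a missing tag maps to 'latest' and a missing name to 'unknown'."""
    tags = get_image_tags(image)
    if not tags:
        return {"type": "container", "name": "unknown", "version": "unknown"}
    name, _, version = tags[0].partition(":")
    return {"type": "container", "name": name, "version": version or "latest"}

def safe_tags(getter, image):
    """Run a tag getter and return its result, or the exception class name on failure.
    Used to show the regression the commit's new CI test is meant to catch."""
    try:
        return getter(image)
    except AttributeError as exc:
        return type(exc).__name__
```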