tern-tools / tern

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
BSD 2-Clause "Simplified" License

Tern Docker image: Pulling images from private registry #1160

Closed software-testing-professional closed 2 years ago

software-testing-professional commented 2 years ago

Is it possible to pull and analyze images from a private registry (like Artifactory)?

This happens when the Tern container is used in GitLab CI, although a docker login ... has been executed and the /.docker/config has been mounted into the Tern container.

It works fine on my local machine.

It results in 2022-04-21 09:04:17,531 - WARNING - docker_api - Build failed: Get https://***********.com/v2/its-javabase/manifests/java-11: unknown: Authentication is required

I'm running Tern like this:

docker run \
  --privileged \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v "$PWD/tmp/${PROJECT_NAME}:/project" \
  -v "$PWD/docker/config.json:/root/.docker/config.json" \
  -v "$PWD/docker/config.json:/root/.docker/config" \
  **************.com/ternd \
  --driver fuse \
  report \
    -d /project/Dockerfile \
    -f cyclonedxjson \
    -o /project/container.bom.json

Thanks for your help!

rnjudge commented 2 years ago

Hello! The issue of private repositories can be solved by either changing the Dockerfile or mounting the registries file into the built tern image. However, this doesn't work for situations where you want to run a demo registry without https or TLS verification. For this purpose, you would need to send the tls-verify=false flag to skopeo to pull the image.

See https://github.com/tern-tools/tern/issues/1087#issuecomment-1006656236 for more info about how to add your private registry to the base tern image. Here's another suggestion from a similar question: https://github.com/tern-tools/tern/issues/1121#issuecomment-1044907385.

rnjudge commented 2 years ago

Hi @software-testing-professional -- did you get a resolution to your issue or can I close this?

software-testing-professional commented 2 years ago

I think so. I'll do some testing and reply tomorrow. 

On 27.06.2022 20:33 Rose Judge @.***> wrote:

Hi @software-testing-professional[1] -- did you get a resolution to your issue or can I close this?


software-testing-professional commented 2 years ago

Hi @rnjudge,

yes it works now.

It turned out that the config.json was incomplete. I added some more authentication data to the .docker/config.json. Now it is possible to pull Artifactory images via skopeo.

Thanks for your help!

Best regards, Michael
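The fix above came down to an incomplete config.json: the file mounted into the Tern container had no usable entry for the Artifactory host, so skopeo fell back to an anonymous pull and the registry answered "Authentication is required". As an added example (not code from the Tern project or from anyone in this thread), here is a small Python check that can run at the start of a CI job and tell you whether the mounted config.json actually carries a credential for the registry of each image you are about to analyze, without printing any secret. The sample config, the host registry.example.com, the user ci-user and its token, and the ECR-style host are all constructed placeholders. The host-then-namespace prefix lookup mirrors how containers/image (the library behind skopeo) resolves credentials; plain docker matches only on the registry host, so that part is an assumption about the tooling in use rather than something the thread states.

```python
import base64
import json
import sys
from typing import Dict, List, Optional

# Constructed sample of a ~/.docker/config.json with placeholder hosts and a
# fake token, base64("ci-user:example-token"). None of this is a real credential.
SAMPLE_CONFIG = {
    "auths": {
        "https://registry.example.com/v2/": {
            "auth": base64.b64encode(b"ci-user:example-token").decode("ascii")
        },
        # Typical leftover after 'docker logout': key kept, secret gone.
        "https://index.docker.io/v1/": {"auth": ""},
    },
    # Placeholder ECR-style host served by a credential helper binary.
    "credHelpers": {"123456789012.dkr.ecr.us-east-1.amazonaws.com": "ecr-login"},
}


def normalize_key(key: str) -> str:
    """Reduce an 'auths' key to host[/namespace] the way the CLI lookup does:
    drop the scheme, a trailing slash and a trailing /v1 or /v2 path, and map
    Docker Hub's legacy index host to docker.io."""
    k = key.split("://", 1)[1] if "://" in key else key
    k = k.rstrip("/")
    for suffix in ("/v1", "/v2"):
        if k.endswith(suffix):
            k = k[: -len(suffix)]
    return "docker.io" if k == "index.docker.io" else k


def lookup_candidates(image_ref: str) -> List[str]:
    """Keys to try for an image reference, most specific first:
    registry/ns/repo, registry/ns, ..., registry. Tags and digests are
    dropped; bare names such as 'python:3.11' belong to docker.io."""
    name = image_ref.split("@", 1)[0]            # strip @sha256:... digest
    head, _, last = name.rpartition("/")
    last = last.split(":", 1)[0]                 # strip :tag on the last part
    name = f"{head}/{last}" if head else last
    first = name.split("/", 1)[0]
    if not ("." in first or ":" in first or first == "localhost"):
        name = "docker.io/" + name               # no registry host given
    parts = name.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def username_from_entry(entry: Dict[str, str]) -> Optional[str]:
    """Username if the entry holds a usable 'user:secret' pair, else None.
    The secret itself is never returned."""
    if entry.get("username") and entry.get("password"):
        return entry["username"]
    raw = entry.get("auth", "")
    if not raw:
        return None
    try:
        decoded = base64.b64decode(raw, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):     # binascii.Error is a ValueError
        return None
    user, sep, secret = decoded.partition(":")
    return user if sep and user and secret else None


def find_credential(config: dict, image_ref: str) -> dict:
    """Which config.json entry (if any) would authenticate a pull of image_ref.
    Prefix matching on namespaces follows containers/image (skopeo); the docker
    CLI itself only matches the registry host (assumption about tool versions)."""
    auths = {normalize_key(k): v for k, v in config.get("auths", {}).items()}
    helpers = config.get("credHelpers", {})
    for cand in lookup_candidates(image_ref):
        if cand in helpers:
            return {"source": "credHelper", "match": cand, "usable": True,
                    "helper": helpers[cand]}
        if cand in auths:
            user = username_from_entry(auths[cand])
            return {"source": "auths", "match": cand,
                    "usable": user is not None, "username": user}
    if config.get("credsStore"):
        # A global store is consulted for every host; it may still lack the entry.
        return {"source": "credsStore", "match": None, "usable": True,
                "helper": config["credsStore"]}
    return {"source": None, "match": None, "usable": False}


def audit(config: dict, image_refs: List[str]) -> List[str]:
    """One line per image that has no usable credential in the config."""
    problems = []
    for ref in image_refs:
        r = find_credential(config, ref)
        if not r["usable"]:
            reason = (f"entry '{r['match']}' is empty or malformed" if r["match"]
                      else "no auths/credHelpers entry and no credsStore")
            problems.append(f"{ref}: {reason}")
    return problems


if __name__ == "__main__":
    # Usage: python check_registry_auth.py /path/to/config.json IMAGE [IMAGE...]
    # With no arguments the constructed sample config is checked instead.
    if len(sys.argv) > 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            cfg, refs = json.load(fh), sys.argv[2:]
    else:
        cfg = SAMPLE_CONFIG
        refs = ["registry.example.com/its-javabase/java-11", "python:3.11",
                "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1"]
    for line in audit(cfg, refs):
        print("MISSING CREDENTIAL:", line)
```

Run it against the config.json you mount into the container and the image references from your Dockerfile before invoking Tern; a non-empty list is the same condition that produced the "Authentication is required" warning in the original report, caught before the build instead of after. Because the script only ever reports usernames, the output is safe to leave in CI logs.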

rnjudge commented 2 years ago

@software-testing-professional very happy to hear this! Thanks for your follow-up!