Closed Raghavendrakamatagi-eng closed 2 years ago
Hi @Raghavendrakamatagi-eng, if you have the source code for the packages that you want to cross-check, you can confirm the licenses there. Otherwise, Tern uses the package manager available in your container to collect license information reported by the package publisher/author (with the exception of Debian-based packages, for which it parses copyright text). If you want to see for yourself how these commands are run, you can log in to the interactive shell of your container and run the commands from base.yml there.
Let me know if you have any more questions.
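The reply above notes that for Debian-based packages the license comes from copyright text. As an added example (not Tern's code and not part of the thread), this Python script reads a Debian machine-readable `copyright` file, as installed under `/usr/share/doc/<package>/copyright`, and lists which file patterns carry a strong-copyleft license; the sample file, the function names and the copyleft pattern are assumptions made for illustration.

```python
import re

# Constructed sample in Debian's machine-readable copyright format (assumption:
# the package ships one at /usr/share/doc/<package>/copyright). Not a real package.
SAMPLE = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

Files: *
Copyright: 2019 Example Author
License: GPL-3+

Files: lib/compat/*
Copyright: 2015 Another Author
License: Expat or BSD-3-clause

License: GPL-3+
 This program is free software; you can redistribute it ...
"""

# Assumed review list of strong-copyleft short names; adjust to your policy.
STRONG_COPYLEFT = re.compile(r"^(A?GPL)-\d", re.IGNORECASE)

def parse_stanzas(text):
    """Split the file into stanzas of {field: first-line value}."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            # Continuation lines start with whitespace; skip them.
            if line[:1] in (" ", "\t") or ":" not in line:
                continue
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas

def licenses_by_files(text):
    """Map each Files pattern to the license short names that apply to it."""
    result = {}
    for st in parse_stanzas(text):
        if "Files" in st and "License" in st:  # ignores stand-alone License text
            names = re.split(r"\s+(?:or|and)\s+|,\s*", st["License"])
            result[st["Files"]] = [n for n in names if n]
    return result

def flag_strong_copyleft(text):
    """Return (files pattern, license) pairs that need a compliance review."""
    return [(f, n) for f, names in licenses_by_files(text).items()
            for n in names if STRONG_COPYLEFT.match(n)]
```

A `copyright` file that is free-form text rather than this machine-readable format yields no stanzas with a `Files` field here and has to be read by hand.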
Hello Team,
One question,
How can we verify whether the FOSS packages detected by Tern are used in our project or not? We found that some packages come under strong copyleft licenses, e.g. GPLv3+. Kindly confirm.
Thanks in advance.