Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
BSD 2-Clause "Simplified" License
Add version info to layer Packages in SPDX reports #1210
The NTIA minimum requirements for an SBOM require that all Packages have version information. Since Tern represents container layers as SPDX Packages, these package elements must have version information in order to satisfy NTIA minimums. This commit adds version information to layer "Packages" using the layer indexes (i.e. the base OS layer has version "1")
Works towards #1205
Signed-off-by: Rose Judge rjudge@vmware.com
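To make the change concrete, here is an added illustration (not Tern's own code, and not taken from this PR) of what the description asks for: each container layer is emitted as an SPDX package whose `versionInfo` is its 1-based layer index, and a small check reports which packages would fail the NTIA "version of the component" minimum element. The layer digests, `created_by` strings and package lists are constructed sample data, and the JSON field names are the standard SPDX 2.x JSON keys; the helper names are hypothetical.

```python
"""Added example, not Tern's code: version container-layer SPDX packages by
layer index (base OS layer = "1") and check the NTIA version minimum."""
from __future__ import annotations

import json
from dataclasses import dataclass, field


@dataclass
class Layer:
    """Minimal stand-in for a container image layer."""
    diff_id: str
    created_by: str
    packages: list[str] = field(default_factory=list)


# Constructed sample layers with placeholder digests (not real images).
SAMPLE_LAYERS = [
    Layer("sha256:aaaa-placeholder", "ADD rootfs.tar.xz /", ["bash", "coreutils"]),
    Layer("sha256:bbbb-placeholder", "RUN apt-get install -y curl", ["curl"]),
]


def layer_package(layer: Layer, index: int, versioned: bool = True) -> dict:
    """Build one SPDX 2.x JSON 'packages' element for a layer.

    versioned=False reproduces the pre-PR shape with no versionInfo, so the
    two variants can be compared against the NTIA check below.
    """
    pkg = {
        "SPDXID": f"SPDXRef-layer-{index}",
        "name": layer.diff_id,
        "downloadLocation": "NOASSERTION",
        "filesAnalyzed": False,
        "comment": layer.created_by,
    }
    if versioned:
        # Layer index as the version string; the base OS layer is "1".
        pkg["versionInfo"] = str(index)
    return pkg


def build_layer_packages(layers: list[Layer], versioned: bool = True) -> list[dict]:
    """Emit packages for all layers, numbered from 1 in image order."""
    return [layer_package(layer, i, versioned) for i, layer in enumerate(layers, start=1)]


def ntia_missing_version(packages: list[dict]) -> list[str]:
    """Return SPDXIDs of packages lacking a non-empty versionInfo, which is
    the NTIA minimum-element 'version of the component'."""
    return [p["SPDXID"] for p in packages if not p.get("versionInfo")]


if __name__ == "__main__":
    before = build_layer_packages(SAMPLE_LAYERS, versioned=False)
    after = build_layer_packages(SAMPLE_LAYERS)
    print("missing versionInfo before:", ntia_missing_version(before))
    print("missing versionInfo after: ", ntia_missing_version(after))
    print(json.dumps({"packages": after}, indent=2))
```

Running the module prints the unversioned packages flagged by the check, then none after versioning, followed by the resulting `packages` array; the check is the kind of gate a consumer of the SBOM could apply before accepting it.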