tern-tools / tern

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
BSD 2-Clause "Simplified" License

Support all skopeo image prefixes for `tern report -i` #1247

Open mtalexan opened 9 months ago

mtalexan commented 9 months ago

Describe the Feature

Add support for all of the recognized skopeo image prefixes: i.e. oci-archive:, docker-archive:, containers-storage: (podman image cache), dirs:, etc.

Use Cases

Implementation Changes

The code currently seems to do pre-parsing of the -i/--image argument to look for a list of known prefixes and conditionally add the remote registry prefix docker:// if none are found. The actual command has skopeo do the format conversion into the desired dirs format that will be used for analysis.
This requires tern to duplicate the list of format prefixes skopeo supports, which isn't required by skopeo itself.

Two approaches exist to avoid duplicating the list while still supporting all the format prefixes:

  1. Rely on skopeo's default that uses docker:// if no format prefix is specified.
  2. Look for two `:` vs one in what was specified.

Relying on the default has some possible caveats but is by far the easiest and likely best.

Parsing for two `:` vs one works if the version tag is required (instead of defaulting to `:latest`, which is extremely bad practice anyway), and allows any arbitrary format prefix to optionally exist.
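The colon-counting rule from approach 2 above, written out as an added example (this is not Tern's code and not from the issue author; the function names, the transport-name regex and the host:port heuristic are assumptions of this example). With a tag mandatory, a bare reference has exactly one `:` and anything with two or more is taken to begin with a transport prefix, so only the bare form gets `docker://` prepended. The example also shows the one caveat a reviewer would raise against that rule: a registry host with a port (`localhost:5000/debian:bullseye`) also has two colons, so such references are flagged rather than silently treated as having a `localhost` transport.

```python
"""Sketch of the issue's approach 2: decide whether an image reference already
carries a skopeo transport prefix by counting ':' (tag required), and only
then prepend the default docker:// transport.  Added example, not Tern's code."""

import re

# skopeo transport names (docker, dir, oci-archive, docker-archive,
# containers-storage, ...) are lowercase letters and hyphens.
# Assumption of this example; no list of transports is hard-coded.
_TRANSPORT = re.compile(r"^[a-z][a-z-]*$")


def split_transport(ref):
    """Return (transport_or_None, remainder) for an image reference.

    'debian:bullseye'                      -> (None, 'debian:bullseye')
    'oci-archive:/tmp/img.tar:bullseye'    -> ('oci-archive', '/tmp/img.tar:bullseye')
    'docker://docker.io/library/x:bullseye'-> ('docker', '//docker.io/library/x:bullseye')
    """
    colons = ref.count(":")
    if colons == 0:
        # The rule only works when the tag is mandatory, as the issue states.
        raise ValueError("image reference must carry an explicit tag: %r" % ref)
    if colons == 1:
        return None, ref
    transport, _, rest = ref.partition(":")
    if not _TRANSPORT.match(transport):
        raise ValueError("leading segment %r is not a transport name" % transport)
    return transport, rest


def port_ambiguity(ref):
    """Caveat of the colon-count rule: 'localhost:5000/debian:bullseye' has two
    ':' but no transport.  Heuristic (assumption of this example): a supposed
    transport followed by digits and '/' is almost certainly host:port."""
    transport, rest = split_transport(ref)
    return transport is not None and re.match(r"^\d+/", rest) is not None


def normalize(ref, default_transport="docker://"):
    """Prepend the default transport only when none is present; refuse
    references the port heuristic flags as ambiguous so the caller can ask
    the user to spell the transport out (e.g. docker://localhost:5000/...)."""
    if port_ambiguity(ref):
        raise ValueError("ambiguous reference (host:port?), add a transport "
                         "prefix explicitly, e.g. docker://%s" % ref)
    transport, _ = split_transport(ref)
    return ref if transport else default_transport + ref


if __name__ == "__main__":
    # Constructed sample references, one per case the issue discusses.
    for sample in ("debian:bullseye",
                   "oci-archive:/tmp/img.tar:bullseye",
                   "containers-storage:localhost/debian:bullseye",
                   "docker://localhost:5000/debian:bullseye"):
        print("%-48s -> %s" % (sample, normalize(sample)))
```

Note that the heuristic only catches the host:port shape; it is a guard for the ambiguity the colon rule introduces, not a replacement for letting skopeo itself reject a malformed reference.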