tern-tools / tern

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
BSD 2-Clause "Simplified" License

Set PackageDownloadLocation as NOASSERTION in SPDX tag:value report formatting #451

Closed rnjudge closed 5 years ago

rnjudge commented 5 years ago

Description

Currently, Tern reports the SPDX PackageDownloadLocation of an image layer as the docker image repotag. This does not reflect the actual download location, and there is no way for Tern to pinpoint the download location of an image layer. Therefore, we should assign the SPDX PackageDownloadLocation value as NOASSERTION in accordance with the 2.1 spec. We can also remove the get_download_location function in docker_image.py.

Implementation

1) In tern/formats/spdx/spdxtagvalue/generator.py, remove the registry_repotag variable assignment in the following lines:

        # The image's PackageDownloadLocation is from a container registry
        # This includes all the layers but the packages' download location
        # is unknown if the download_url is blank
        registry_repotag = image_obj.get_download_location() if hasattr(
            image_obj, 'repotag') else 'NOASSERTION'

2) In tern/formats/spdx/spdxtagvalue/generator.py, hardcode the PackageDownloadLocation value as NOASSERTION:

                PackageDownloadLocation='NOASSERTION',

3) In tern/classes/docker_image.py remove the definition for get_download_location() since it is not possible to get the actual location (dockerhub.io is not the actual location).

    def get_download_location(self):
        '''A docker image's download location is in the repotags. We will
        return a string of repotags joined by a hyphen -'''
        return '-'.join(self.repotags)

References

See above.
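The point of the issue is SBOM accuracy: a repotag such as `debian:buster` is not a download location, and an SBOM consumer doing provenance checks should not be handed one as if it were. The block below is an added example, not Tern's code, that contrasts the old repotag-joining behaviour with a Package section that emits `NOASSERTION`, and adds a small validator for the `PackageDownloadLocation` values in a tag:value report. The function names, the accepted URL scheme list and the sample image data are assumptions made for the example; the real SPDX 2.1 grammar for download locations is broader than the regex here.

```python
# Added example (not Tern's code): SPDX 2.1 tag:value Package section for a
# container image with PackageDownloadLocation = NOASSERTION, plus a checker
# for the values that end up in a report.
import re

# SPDX 2.1 allows a download URL / VCS locator, or exactly NONE or NOASSERTION.
# The scheme list is an assumption for this example, not the spec's full grammar.
_DOWNLOAD_LOCATION_RE = re.compile(
    r'^(?:NONE|NOASSERTION|(?:git|hg|svn|bzr|https?|ftp)(?:\+\w+)?://\S+)$'
)


def is_valid_download_location(value: str) -> bool:
    '''True if value is an acceptable PackageDownloadLocation per the regex above.'''
    return bool(_DOWNLOAD_LOCATION_RE.match(value))


def old_download_location(repotags):
    '''What the removed get_download_location() produced: repotags joined by '-'.
    This is a tag, not a location, so it fails is_valid_download_location().'''
    return '-'.join(repotags)


def image_package_block(image_name, version, repotags, license_info='NOASSERTION'):
    '''Build the tag:value Package section for an image. The download location is
    hardcoded to NOASSERTION because the tool cannot know where the image came from.'''
    spdx_id = 'SPDXRef-' + re.sub(r'[^A-Za-z0-9.-]', '-', image_name)
    lines = [
        'PackageName: ' + image_name,
        'SPDXID: ' + spdx_id,
        'PackageVersion: ' + version,
        'PackageDownloadLocation: NOASSERTION',
        'PackageLicenseConcluded: ' + license_info,
        'PackageLicenseDeclared: ' + license_info,
        'PackageCopyrightText: NOASSERTION',
        # Keep the repotags as informational comment text rather than as a location.
        'PackageComment: <text>repotags: ' + ', '.join(repotags) + '</text>',
    ]
    return '\n'.join(lines) + '\n'


def download_locations(report: str):
    '''Extract every PackageDownloadLocation value from a tag:value report.'''
    return re.findall(r'^PackageDownloadLocation:\s*(.+)$', report, flags=re.M)


def check_report(report: str):
    '''Return the PackageDownloadLocation values that are not valid SPDX 2.1 values.'''
    return [v for v in download_locations(report)
            if not is_valid_download_location(v)]


if __name__ == '__main__':
    # Constructed sample: an image with two repotags.
    tags = ['debian:buster', 'debian:10']
    legacy = old_download_location(tags)
    print('old value:', legacy, '-> valid:', is_valid_download_location(legacy))
    report = image_package_block('debian', 'buster', tags)
    print(report)
    print('invalid download locations:', check_report(report))
```

`check_report` is the kind of check a consumer can run over any tag:value SBOM before trusting its provenance fields: a blank value or a bare repotag is flagged, while `NOASSERTION` is accepted as an honest statement that the location is unknown.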

manaswinidas commented 5 years ago

I'm interested to take this up.

nishakm commented 5 years ago

@manaswinidas yeah! Go for it!

manaswinidas commented 5 years ago

@nishakm Do I still have to follow the instructions mentioned in #449 for not getting the extra commits? To which branch should I rebase onto? I tried doing it with patch branch but I'm still getting those extra commits. Is it because I deleted the patch branch? Can I rebase it onto the patch4 branch I created my latest pull request with?

manaswinidas commented 5 years ago

Never mind, I found my way :sweat_smile: but do I have to do this every time:cry: ?

nishakm commented 5 years ago

Never mind, I found my way 😅 but do I have to do this every time😢 ?

I hope not! 😅

If you want to set up your local fork of tern to continue to contribute, follow the instructions here: https://github.com/nishakm/puns#how-to-submit-prs-with-your-github-fork

Every time you need to submit a new PR, you create a new branch to track the upstream master branch: git checkout -b 451-my-changes --track upstream/master

When you need to update this because of a conflict or to pull in newly merged changes, run: git pull --rebase

I hope you don't have trouble next time around.

manaswinidas commented 5 years ago

@nishakm you were right about this. It worked perfectly fine! Thanks :tada:

Every time you need to submit a new PR, you create a new branch to track the upstream master branch: git checkout -b 451-my-changes --track upstream/master