Hi, Alexander ran a new Docker image scanning campaign on a recent ONAP master deployment (14th of January). A long time ago I made some tests and shared first results of Tern with the PTLs. Alexander went further by testing 163 images, almost all the images declared in the ONAP cluster. Moreover, thanks to dockerviz he was also able to draw the "big picture" of docker dependencies.
All the results have been pushed to https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/01-14-2021_00-01/tern-reports/

Be aware that some html pages are unreasonably heavy (generating json artifacts will be privileged next time).

A good view of the dependencies (also a big image) can be found here: https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/01-14-2021_00-01/tern-reports/images-created-by2.png

A presentation for the next virtual event has been submitted (requested by the TAC to share this dynamic scanning experience), so if the presentation is selected, we will give some details during the vEvent. Meanwhile, I believe it is important to share what we have on ONAP. I will book a slot in the next PTL meeting.

Of the 163 images tested, 76% include GPLv3 code. We need to be cautious, there are some false positives and we cannot be 100% sure, but thanks to tern and scancode we have a better view. Even the python baseline image contains some python lib under GPLv3 (declared as GPL in alpine but finally GPLv3). The java baseline image is clean.

The visualization also shows that there is lots of space for docker optimization by squashing the layers.

Big thanks to Alexander.

/Morgan

NB: If you want to have a look at your dockers, click on the link, then select your image (be aware that depending on the image size, it can be long..), e.g. portal-app: https://logs.onap.org/onap-integration/weekly/onap_weekly_pod4_master/01-14-2021_00-01/tern-reports/nexus3.onap.org:10001_onap_portal-app:3.4.2.html.gz

You can click on Summary to get a summary of licenses. For this image there are no GPLv3 traces.

If you want to get some details on the components/licenses per layer, click on REPORT DETAILS > Images: [1] > nexus3.onap.org > layers: [17] > 88b6239a87 > packages: [13]. You can see that the first layer of this image includes 13 packages: musl (MIT), busybox (GPL-2.0), alpine-baselayout (GPL-2.0), ....
/Morgan
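Since the next campaign is meant to publish JSON artifacts instead of the heavy HTML pages, the same per-layer license walk-through can be automated. This is an added example, not part of the original message or of the Tern project; it assumes Tern's JSON layout (images[].image.layers[].packages[] with a pkg_license string), which should be checked against a real artifact, and runs on a constructed report embedded inline.

```python
import json
import re
from typing import Dict, List

# Constructed sample in the assumed shape of a Tern JSON report; package and
# layer names are made up and do not describe any real ONAP image.
SAMPLE_REPORT = json.dumps({"images": [{"image": {
    "name": "example.invalid/onap/sample-app", "tag": "1.0.0",
    "layers": [
        {"diff_id": "layer0-constructed", "packages": [
            {"name": "musl", "version": "1.1.24", "pkg_license": "MIT"},
            {"name": "busybox", "version": "1.31.1", "pkg_license": "GPL-2.0"},
            {"name": "alpine-baselayout", "version": "3.2.0", "pkg_license": "GPL-2.0"}]},
        {"diff_id": "layer1-constructed", "packages": [
            {"name": "examplelib", "version": "0.1", "pkg_license": "GPL"},
            {"name": "readline", "version": "8.0", "pkg_license": "GPL-3.0-or-later"}]},
    ]}}]})

# GPLv3 in any common spelling (GPL-3.0, GPLv3, GPL 3), but not LGPL-3.
GPLV3 = re.compile(r"(?<!L)GPL[-\sv]?3", re.IGNORECASE)
# A version-less "GPL"/"LGPL" declaration: the alpine case above, flag for review.
BARE_GPL = re.compile(r"^L?GPL$", re.IGNORECASE)


def scan_report(report_text: str) -> List[Dict]:
    """One summary per image: package count per layer, GPLv3 hits,
    and version-less GPL declarations that need a manual/scancode check."""
    summaries = []
    for entry in json.loads(report_text)["images"]:
        image = entry["image"]
        summary = {"image": f'{image["name"]}:{image["tag"]}',
                   "layers": [], "gplv3": [], "review": []}
        for layer in image["layers"]:
            pkgs = layer.get("packages", [])
            summary["layers"].append((layer["diff_id"], len(pkgs)))
            for pkg in pkgs:
                lic = pkg.get("pkg_license", "").strip()
                tag = f'{pkg["name"]}-{pkg["version"]}@{layer["diff_id"]}'
                if GPLV3.search(lic):
                    summary["gplv3"].append(tag)
                elif BARE_GPL.match(lic):
                    summary["review"].append(tag)
        summaries.append(summary)
    return summaries


def gplv3_share(summaries: List[Dict]) -> float:
    """Fraction of scanned images with at least one GPLv3 hit."""
    return sum(1 for s in summaries if s["gplv3"]) / len(summaries) if summaries else 0.0


if __name__ == "__main__":
    for s in scan_report(SAMPLE_REPORT):
        print(json.dumps(s, indent=2))
```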
