New release includes an updated CLI and support for custom report formats and analysis tool extensions
Tern is a VMware-originated open source tool that inspects container images to find individual software packages and their metadata installed in the image.
Due to changes in the command line options, Tern version 1.0.0 is the first non-backwards compatible release. If you have been using previous versions of Tern, we recommend that you upgrade to the latest release. You can run Tern by installing it from PyPI or you can clone the project from GitHub and install the project after cloning it.
Tern has a number of built-in report styles available including SPDX tag-value, JSON and YAML. Tern release 1.0.0 provides the ability to customize your own report plugin, which allows data collected by Tern to be formatted in a custom way to accommodate any user’s internal automation and auditing process. Tern uses the OpenStack Stevedore python module to dynamically load any customized report plugins at runtime. If you’re curious about how you can customize your own report plugin, we supply directions for how to do this on Tern’s GitHub page.
In addition to customizing your report format, the Tern 1.0.0 release can be extended to analyze container images using external file or filesystem analysis tools. The two currently supported external tools are scancode-toolkit and cve-bin-tool. Support for formatting the output of these external tools is expected to be completed in subsequent releases.
Scancode-toolkit is a license scanning tool that finds licenses in source code and binaries. cve-bin-tool is a security vulnerability scanning tool that finds common vulnerabilities. Note that although you can use a security scanner with Tern, there isn’t any support for reporting the results beyond printing them to console. This may change as the industry demand for security information in Software Bill of Materials seems to be on the rise. If you would like incorporate your own tool extension to Tern, there are some general steps to follow documented on Tern’s GitHub page.
The 1.0.0 release for Tern also includes important bug fixes to support the SPDX tag-value reporting that Tern does. These bug fixes primarily improve Tern’s compatibility with the SPDX online validation tool.
Other notable additions to Tern in the 1.0.0 release include:
- Enablement for Tern to consume raw image tarballs
- Continue to analyze the base image if a Docker build fails from a Dockerfile
- Gracefully exit if Docker is not installed or properly setup
- Fix working directory cleanup after a keyboard interrupt
- Bug fixes that improve the overall stability and robustness of the tool
The next Tern release will be a little smaller in scope. It will focus on enabling the pip package manager to collect information and adding a “dockerfile freeze” command line option which will produce an annotated Dockerfile with all the versions pinned to the versions Tern finds in order help developers achieve a somewhat repeatable build (similar to the “pip freeze” functionality in Python).
If you are interested in contributing to Tern, or just want to know more about the project, visit our GitHub page.