With the growing development and adoption of microservice architectures and container technologies, open source license compliance grows ever more complex and critical. While many new build tools simplify and enable rapid microservice development, often times the licenses that underpin those container apps are lost in the development process. It’s important for developers to be aware of the licenses that become embedded in their applications – knowingly or not. Licenses protect and constrain code use and reuse, provide credit to original developers and offer insights on the source of the code. Good engineering says you should know what’s in your application, where it came from, who wrote it and what usage boundaries apply. While this has always been important, it’s even more important now that open source technologies underpin the vast majority of technology projects.
To address the growing compliance challenge, the Linux Foundation, a non-profit organization, kicked off a new initiative: Automated Compliance Tooling (ACT) project. The goal of the ACT Linux Foundation initiative is to consolidate investment in, and increase interoperability and usability of, open source compliance tooling, which helps organizations and open source developers manage compliance obligations. It convened for the first time at the 2019 Open Compliance Summit in Japan at which VMware Chief Open Source Officer Dirk Hohdnel gave an important keynote on compliance within the software supply chain. Dirk was a perfect speaker because VMware long ago committed to the ACT by contributing Tern, an open source tool for container image inspection and reporting, as one of the inaugural projects a part of this new initiative.
What Is Tern?
Open source Tern inspects container images to find individual software packages and their metadata installed in the image. Tern does this by stepping through each of the container image’s filesystem layers and inspecting each layer using methods in its ‘command library.’ For Docker images, Tern will identify changes to the Dockerfile to build more compliant containers if a Dockerfile is provided. Tern gives container engineers a deeper understanding of the container’s bill of materials in order to make better decisions about container-based infrastructure, integration and deployment strategies as well as to ensure license compliance.
Why Is This Important?
To understand why this is important requires knowledge of both the growth of cloud computing and the cloud native infrastructure this growth engendered. Cloud native architecture relies on a microservices container-based infrastructure approach, but as Dirk frequently notes, the current container ecosystem encourages developers to use containers without examining the source of their various open source code components. This opens the software development community up to a variety of risks, including compliance and security. And as cloud native becomes a larger and larger part of the open source ecosystem and of the software landscape generally, the ability to inspect container images for compliance is an increasingly needed service.
However, that service must be automated for it to be effective. According to Dirk, “the more we automate compliance processing, the better we are able to advance agile development and rapid response to address required changes such as security issues.”
Tern’s Progress
That’s where Ternplays a part in ensuring open source license compliance. First open sourced in June 2017, Tern has made significant strides in a short time. Recently, it celebrated its 1.0 release, and according to Nisha Kumar, project maintainer, “the project has grown in community and features,”and continues to become more accessible to users and contributors. Recent enhancements to Tern include:
- Multiple report formats support: The default report is a verbose text file showing packages for each of the container layers and what methods were used to get those results. Structured data reports are now available in JSON, SPDX tag-value, and YAML formats. You can generate a summary report containing just a list of packages found in the container image, while also customizing your own report plug-in to accommodate internal automation and auditing processes.
- Base OS discovery: Tern can ‘discover’ the base OS in a given container image. If it cannot find any of the known OSs, it will report the OS as ‘unknown.’And if a Docker build fails from a Dockerfile, it has the ability to continue to analyze the base image.
- Detection of package version change from layer to layer: This is useful in finding out if you are shipping a container with different versions of the same package.
The Tern community is always looking for additional contributors – visit the contributor’s guide for more information and guidelines.
We’re thrilled to see Tern accepted into ACT and look forward to even more enhancement and community involvement in the months ahead. Tern joins the recent acceptance of Harbor to the Cloud Native Computing Foundation in a growing body of open source contributions and community commitments made by VMware and its engineers.
Stay up-to-date on Tern, other VMware open source projects and the ACT Linux Foundation initiative by visiting the Open Source Blog and following us on Twitter (@vmwopensource).