With the growing development and adoption of microservice architectures and container technologies, open source license compliance grows ever more complex and critical. While many new build tools simplify and enable rapid microservice development, often times the licenses that underpin those container apps are lost in the development process. It’s important for developers to be aware of the licenses that become embedded in their applications – knowingly or not.Licenses protect and constrain code use and reuse, provide credit to original developers and offer insights on the source of the code. Good engineering says you should know what’s in your application, where it came from, who wrote it and what usage boundaries apply.
To address the growing compliance challenge, the Linux Foundation is kicking off a new initiative: Automated Compliance Tooling (ACT) project. The goal of ACT is to consolidate investment in, and increase interoperability and usability of, open source compliance tooling, which helps organizations manage compliance obligations. VMware is proud to announce that Tern, an open source tool for container image inspection and reporting, will be one of the inaugural projects accepted into this new initiative.
What is Tern?
Tern inspects container images to find individual software packages and their metadata installed in the image. Tern does this by stepping through each of the container image’s filesystem layers and inspecting each layer using methods in its ‘command library.’ For Docker images, Tern will identify changes to the Dockerfile to build more compliant containers if a Dockerfile is provided. Tern gives container engineers a deeper understanding of the container’s bill of materials in order to make better decisions about container-based infrastructure, integration and deployment strategies.
First open sourced in June 2017, Tern has made significant strides in a short time. According to Nisha Kumar, project maintainer, “the project has grown in community and features, continuing with the most recent release version 0.2.0, which adds features to make the project more accessible to users and contributors.” Recent enhancements to Tern include:
- Multiple report formats support: The default report is a verbose text file showing packages for each of the container layers and what methods were used to get those results. Structured data reports are now available in JSON and YAML formats. You can also generate a summary report containing just a list of packages found in the container image.
- Base OS discovery: Tern can ‘discover’ the base OS in a given container image. If it cannot find any of the known OSs, it will report the OS as ‘unknown.’
- Detection of package version change from layer to layer: This is useful in finding out if you are shipping a container with different versions of the same package.
The Tern community is always looking for additional contributors – visit the contributor’s guide for more information and guidelines.
We’re thrilled to see Tern accepted into ACT and look forward to even more enhancement and community involvement in the months ahead. Tern joins the recent acceptance of Harbor to the CNCF in a growing body of open source contributions and community commitments made by VMware and its engineers.