Tern & the ACT Project: How It’s Helping Establish Automated Compliance Tooling

During last December’s Open Compliance Summit Japan, the Automated Compliance Tooling (ACT) Project convened for the first time, with VMware Chief Open Source Officer Dirk Hohndel in attendance to mark VMware’s commitment as a founding member of the ACT Project. Dirk also keynoted a lively Open Compliance Summit, discussing the importance of compliance in the software supply chain.

His keynote and the ACT Project’s kick-off further cement VMware’s commitment to open source practices and activities, especially with the recent general availability release of Tern 2.0 serving as another example of our dedication to compliance in open source.

The ACT Project, in particular, is an important step for both VMware and the broader community because it will increase the interoperability and usability of open source compliance tooling while consolidating open source compliance investment. The plan for the project is to facilitate the development of more integrated solutions and resources to increase license compliance.

According to Dirk, such license compliance must sit at the core of how companies engage with open source projects, but balancing compliance with agile development demands requires automated open source solutions.

“The more we automate compliance processing, the better we are able to advance agile development and rapid response to address required changes such as security issues. For years, VMware has worked toward automating compliance tooling and we are committed to helping enterprises better understand what’s inside containers and manage their compliance obligations.”

act project

As part of this push, VMware-originated Tern joins four other projects (FOSSologyOSS Review Toolkit, Quartermaster and SPDX Tools) under the ACT Project umbrella. Tern just celebrated its 2.0 release and was created by VMware to help developers meet open source compliance requirements for containers. It inspects container images to find individual software packages and their metadata installed in the image.

Tern 2.0, now generally available, is notable as the first non-backwards compatible release and comes with a number of built-in report styles available, including SPDX tag-value, JSON and YAML. Tern also enables individuals to customize their own report plugin (directions available on Tern’s GitHub page), which allows data collected by Tern to be formatted to accommodate internal automation and auditing processes.

In addition to custom report formats, Tern can be extended to analyze container images using external file or filesystem analysis tools, with scancode-toolkit and cve-bin-tool the two currently supported. Other notable additions to Tern include:

  • Bug fixes to support SPDX tag-value reporting and to improve Tern’s compatibility with SPDX online validation tool
  • Ability to consume raw image tarballs
  • Ability to continue to analyze base image if a Docker build fails from a Dockerfile
  • Option to gracefully exit if Docker is not installed or properly setup
  • Fixes to working directory cleanup after a keyboard interrupt
  • Bug fixes to improve the overall stability and robustness of the tool

Compliance must continue to evolve into a core consideration for the open source community, and VMware is committed to increasing that public awareness within the broader community with project’s like Tern and our ongoing work with the ACT project.

To learn more about the program, check out the Linux Foundation’s posts on the ACT kickoff and our blogs on all of Tern’s releases. And make sure you stay tuned to our Open Source Blog and Twitter (@vmwopensource) for all the latest open source news, resources and updates.


Leave a Reply

Your email address will not be published.