A Tern Update: Steady Progress on Helping Secure the Software Supply Chain

It’s been over a year since we last shared an update on Tern, the open source inspection tool for generating a Software Bill of Materials (SBoM) for container images and Dockerfiles. We’re now up to release 2.5.0 and getting ready for 2.6.0 in the next month or so.

In the last 12 months, the challenge Tern was designed to address — fostering transparency in the service of better securing the container supply chain — has only increased in importance. We’ve seen an uptick in urgency around the issue with major software customers, including the U.S. Government, announcing that they will require SBoMs from their suppliers. That’s spurring additional interest in the topic within the open source community, and among companies that have proposed or begun offering tools to address it within a proprietary framework. Tern, meanwhile, continues to grow in features and community, and remains very much open source. It has seen increased adoption as organizations both large and small look to pursue a flexible, efficient approach to understanding and reporting on the contents of their container-based software.  

You can, of course, find the full details of every Tern release on GitHub, but here are some of the most significant additions made over the last year:

  • Tern now runs on a non-Linux host, which means you no longer need to spin up a virtual machine or have a Linux machine available in order to run it. Instead you can run Tern in a Docker container on any Windows or Mac machine if that’s what you’d prefer.
  • Tern’s performance has dramatically improved. Its default collection mechanism, for example, now runs much faster and with greater accuracy. We also offer Go and NPM module collection and have significantly improved the time it takes to collect NPM package information.  
  • Tern now supports the SPDX JSON format. JSON is machine readable and the SPDX format allows Tern to be interoperable with other tools that understand SPDX. This is one step towards interoperability with other tools in the Automated Compliance Tooling family of projects governed by the Linux Foundation.
  • Tern can analyze multistage Dockerfiles. Developers like multistage builds because they lead to smaller resulting container images. But the process also strips the final container image of information from all previous build stages, including metadata that can be important to report in a software bill of materials but can’t be exposed by running Tern on only the final image. Now Tern can recreate that metadata, offering a more comprehensive — and thus more compliant and more trustable — understanding of your software supply chain.  
  • A new command line option lets you generate an SBoM for any specific container layer, instead of the entire container image. So if you want to know the dependencies for one specific layer in which your application is installed, you can generate a software bill of materials for just that layer, instead of a large document with information from layers you have no responsibility for or control over.
  • Finally, Tern now offers support for distroless containers. Distroless is a popular Google project that provides stripped down container images for different application types. Typically, a developer will use an existing container image to build a piece of software and then use multistage Docker builds to copy the artifacts out of the first stage into a stage that uses the distroless image. Tern can now generate a software bill of materials for both the build and the distroless run image. It will also display packages in the distroless image that it couldn’t report on before.

We had plenty of help adding these new features. We’re now up to 49 contributors and our users have given us over 500 stars. In recognition of our growing community, we’ve started running a regular community meeting every other Tuesday at 3pm UTC. Both existing and prospective contributors and users are welcome to join, as is anyone else interested in learning more about how Tern works and how it might help them.

Judging by the adoptions we’ve observed over the last year, Tern is proving value to organizations of a variety of sizes in a variety of fields — from global cloud providers, to national banks and consumer electronics companies, to small open source projects that aren’t much bigger than Tern. Interestingly, many operate in fields with strong existing cultures and requirements around compliance, and in a number of cases had held back from adopting cutting edge container solutions for lack of robust and reliable container compliance tools.

We’re delighted that organizations are caring about container compliance more than ever, and that Tern has been steadily evolving to serve more users with greater success. Look for a post here in the next month or so detailing our 2.6.0 release, and, if all goes well, we’ll be back again later in the summer to announce our beta release.


Leave a Reply

Your email address will not be published. Required fields are marked *