Analyze Docker images / Dockerfiles

[sschuberth]

We could add a "meta package manager" implementation for Docker images / Dockerfiles that uses Tern to get the OS-level packages, and additionally runs the ORT analyzer on the layers to identify language-level packages, similar like described at tern-tools/tern#149.

Edit: I'll be updating this comment with a list of tool that might come in question:

• https://github.com/tern-tools/tern (moved from the "vmware" org)
• https://github.com/org-metaeffekt/metaeffekt-container-annex (probably outdated by now)
• https://github.com/nexB/container-inspector (part of scancode.io)
• https://github.com/anchore/syft (for vulnerabilities use https://github.com/anchore/grype)
• https://github.com/aquasecurity/trivy
• https://github.com/kubernetes-sigs/bom

[dgutson]

@sschuberth you may want to look at hadolint too

[sschuberth]

@dgutson AFAIK hadolint is, as the name suggests, just a linter for the syntax in Dockerfiles. It tells you nothing about the semantics of the software being added to the Docker image.

[sschuberth]

For similar reasons as mentioned for Nix support I'm closing this as not planned.

[dgutson]

Another new tool from nexB to look at: https://github.com/nexB/container-inspector

out of curiosity, why this comment was marked as outdated? @sschuberth

[sschuberth]

Another new tool from nexB to look at: https://github.com/nexB/container-inspector

out of curiosity, why this comment was marked as outdated? @sschuberth

Because I started to gather tools by editing the top post, to have everything in one place, so you don't have to scan through the whole thread.