Software Composition
Tern and the State of Cloud Native Compliance
Container and VM images contain many packages and are quite a challenge for composition analysis.
Linux root filesystems, virtual machine disk and container images routinely contain thousands of system packages, application packages and other custom software components.
Each of these components may have a different provenance, may be modified or vulnerable. Such a large number of packages creates a fertile ground for bugs, security and license issues to go unnoticed. Join me to discover approaches and FOSS tools to perform static composition analysis of a root filesystem with specific techniques for container and Docker images or virtual machines to uncover all the known and unknown third-party code they are composed of.
With this knowledge, we can validate if an image has been modified or tempered, if packages are subject to known vulnerabilities and what is their license: these are essential items to proactively vet and safely reuse these and build safely larger systems using these as a base.
Weitere Infos
| Format | devroom |
|---|
Weitere Sessions
| 07.02.21 |
Welcome to the Software Composition Analysis Devroom
|
| 07.02.21 |
In this session we will provide an update on OSS Review Toolkit (ORT) - which features have been recently added and what they ORT team is currently working on.
|
| 07.02.21 |
This is a presentation of the latest features and updates in ScanCode toolkit and its companion projects.
|
| 07.02.21 |
FOSSology focusses on license compliance analyses. Recently, a number of new features have been published by the community to integrate better with software composition analysis. The presentation shows an introduction of the main and relevant development here.
|
| 07.02.21 |
Software Composition Analysis (SCA) tools perform source-code analysis, comparison and identification of Open Source components. Sadly, none of the SCA vendors have embraced Open Source themselves, most of their tooling consists of proprietary code and their OSS Knowledge Bases are also closed.
|
| 07.02.21 |
The very short time is some placeholder between presentation groups to have questions being asked and answered or just simple to have a break.
|
| 07.02.21 |
What is a software bill of materials, and why is there all the interest about it? In this session, a quick overview of the minimum viable fields to represent an SBOM, and efforts to help with automation of them.
|
