SlideShare uma empresa Scribd logo

Scanning Docker Images with ScanCode.io

Transferir como PPTX, PDF
M
Michael Herzog

In this webinar, nexB co-founder and CTO Philippe Ombredanne introduces ScanCode.io, and explains the challenges of scanning Docker images for provenance analysis. Philippe then demonstrates how to use ScanCode.io for Software Composition Analysis (SCA) with Docker images. ScanCode is the most effective and efficient open source tool for SCA, used and trusted by most of the major tech companies. With ScanCode.io, you can analyze a complete container or VM image, a specific single application package, or a customized pipeline. ScanCode is 100% open source under Apache 2.0 and other business-friendly licenses, and supports all programming languages and environments. Ready to get started with ScanCode? Download at https://nexb.github.io/scancode.io-homepage/ Learn more about ScanCode at https://nexb.com/scancode

Software
1 de 20
Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Software Composition Analysis of Docker and container images. Summer 2022
Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Introduction: Philippe Ombredanne ▷ Weird facts and claims to fame  Signed off the largest deletion of source lines in the linux kernel (but these were only license comments) ▷ Maintainer of FOSS tools for FOSS code origin, license, security and quality analysis aka. SCA "Software Composition Analysis" ▷ ScanCode, VulnerableCode and AboutCode tools, LicenseDB, Package URLs ▷ Co-founder of SPDX, ClearlyDefined, long time GSoC/GSoD mentor, contributor to Open Chain Reference Tooling group & several FOSS projects ▷ Co-founder and CTO of nexB Inc. SCA tools and services ▷ pom@nexb.com or pombredanne@gmail.com
Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Agenda ▷ The container challenge ▷ The ScanCode.io solution ▷ Who is using ScanCode.io for containers? ▷ ScanCode.io user flow & pipeline details ▷ Demo ▷ Status ▷ Architecture ▷ Next Steps
Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ A Container is like a VM with a twist  Multiple slices of root filesystems  No kernel  Commonly include multiple Linux distros ▷ Many packages, mostly pre-built binaries  No kernel, BUT 10x to 100x more packages  10x to 100x more licenses :| ▷ Package metadata are not enough (too little or too much)  The declared license is often incorrect or misleading ▷ Not everything is a package  Extra files COPY'ied, download and ADD'ed to Docker image The container challenge (1)
Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ Dynamic analysis (e.g. running tools inside) is problematic because you modify what you are analyzing (observer effect) ▷ No scriptable, customizable and open source solution that provides an acceptable quality of license detection  Most tools focused only on surface package scans with minimal cross-checks ▷ 100x more packages: But how to avoid doing 100x more compliance work? ▷ And still get high quality composition analysis? The container challenge (2)
Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Why ScanCode.io? ▷ Easy end-to-end analysis, press of a button analysis ▷ Static analysis e.g. do not run container to analyze it ▷ Guarantee that ALL files in an image are vetted ○ Not a mere inventory of packages and their licenses ▷ Scriptable pipelines aka. ScanPipes easy to customize ○ Not limited to containers, also any rootfs or any code  e.g. Full VM images or OpenWRT-based devices ○ Integration platform: can add analysis steps to run any other tools ○ Installable locally ▷ Open source and best in class ○ No other commercial or open source tool has the same capabilities so far ○ Recognized by key users as best in class
Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Who is using ScanCode.io for containers? ▷ Two of the largest big tech companies ▷ A large US device manufacturer ▷ Three large European industrial companies ▷ Many more ▷ nexB professional service team for product release due diligence and M&A audits
Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Alternatives ▷ Commercial tools are focused primarily on Security ○ Shallow support for licensing using only (weak) metadata ▷ Open source tools include Tern and few others ○ Use techniques of dynamic analysis ○ Package-level only, not vetting all the files ○ Fixed analysis process ○ Some use ScanCode Toolkit to provide better results
Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Docker image user flow ▷ Upload (or fetch) a Docker image to your ScanCode.io server ▷ ScanCode.io analyzes the image and collects structured license and provenance of: ○ All system packages ○ All application packages ○ All files not part of packages are scanned in details ○ (optional: Your own Custom steps) ▷ Fetch results as JSON, XSLX, Browse online, JSON REST API access
Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ Fetch then Prepare image archive ▷ For each image layer: scan system packages ○ Find their file and check if modified ▷ For remaining files: scan application packages ○ All ScanCode-supported package types (npm, maven, composer, etc.) ▷ For remaining files: scan files ○ All files, including binaries ▷ For remaining files: analyze and tag ○ Dispose of temp and transient or log files and more ▷ Add your own special step ▷ Assemble results from DB and return JSON ScanCode.io Docker pipeline details
Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Live Demo ▷ A Debian-based Redis image  Get it from docker://redis:buster ▷ A problematic Alpine image  Get it from docker://quay.io/wire/alpine-deps  and https://quay.io/repository/wire/alpine-deps  Contains native GPL-3.0licensed binary built on the fly, no origin, no source, no license!  /usr/lib/libcryptobox.so happens to be a "random" GPL-3.0-licensed binary built on the fly and added to the image  https://github.com/wireapp/wire- server/blob/8d8525b30a5eb33557cb2c8a0f21a8aa2ea63999/build/alpine/Dockerfile.deps#L8  https://github.com/wireapp/cryptobox-c
Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Architecture Scan Pipelines execute in ScanCode.io server ○ Python, Django, PostgreSQL ▷ Each focused composition analysis script is a pipeline ○ Flexible and clear scripting, customizable, resume/restart ▷ JSON API, Web UI, reporting ▷ Inside: ○ ScanPipe for end-to-end scripting and pipeline documentation ○ ScanCode toolkit for license and application package parsing ○ container-inspector library for container image processing ○ debian-inspector for debian ○ ScanCode for Alpine and RPMs, and distroless for system package
Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Status and plans ▷ Support for all main Linux distro is available for Docker and OCI containers: ○ Debian/Ubuntu, RedHat/Suse RPM-based, Alpine and Distroless ○ And Windows containers too! ○ Support all common VM image formats ▷ Upcoming ○ Major improvement on license detection accuracy  Smart ML-based analysis of detected licenses and automated active learning ○ Policies and efficient handling of TODOs for human review ○ New one off license scans pipeline ○ New Android app scan pipeline ▷ Building a library of pre-scanned base images and layers ○ e.g. SCAN and REVIEW ALL THE PUBLIC CONTAINERS
Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Credits Special thanks to all the people who made and released these excellent free resources: ▷ Presentation template by SlidesCarnival ▷ Photographs by Unsplash ▷ All the open source software authors that made DejaCode and AboutCode possible
Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ nexB Solutions Overview ▷ SCA and Audit Services ○ Enabled and accelerated by our free ScanCode and AboutCode tools ○ http://www.nexb.com/services.html ▷ AboutCode - Open source for open source analysis ○ Recognized as best-in-class tools ○ nexB provides professional services to accelerate or customize implementation ○ ScanCode TK, ScanCode.io, ScanCode WB, AttributeCode TK, DeltaCode, TraceCode and other tools available at https://aboutcode.org and https://github.com/nexB ▷ DejaCode - Compliance application for legal and management teams ○ A central system of records to aggregate and manage all your software products, components, licenses and policies https://dejacode.com
Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Related FOSS projects 16 ▷ AttributeCode TK - Auto generate attribution notices ▷ TraceCode TK - trace your build to find deployed code ▷ VulnerableCode - The free correlated vulnerabilities DB (startup funding from the EU and NLnet) ▷ DeltaCode - compare two scans ▷ Container-Inspector - Static Docker images analysis - low level library ▷ Debian-Inspector - Debian packages analysis ▷ AboutCode - Data models (used in Libraries.io and ORT) ▷ ScanCode Workbench - Desktop app for Scan review ▷ license expression - parse, combine, simplify ▷ Package URL (purl) - used in OWASP, Sonatype
Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Contact us ▷ Contact persons ○ Michael Herzog mjherzog@nexb.com+ 1 650 380 0680 ○ Philippe Ombredanne pombredanne@nexb.com+ 1 650 799 0949 ▷ More information ○ https://www.nexb.com/
Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ About nexB ▷ Focused on Software Composition Analysis (SCA) and FOSS Compliance since 2007 ▷ Software provenance experts ○ 500+ SCA projects completed to-date ○ 100% customer satisfaction ▷ Authors of ScanCode - industry-leading FOSS-SCA toolset ▷ Industry thought leaders ○ Co-founders of SPDX ○ Co-founders of Package URLs 18
Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ nexB in the SCA domain ▷ Software Composition Analysis comprises four dimensions of managing your software: ○ Identification of software origin ○ Identification of software licensing ○ Identification of software vulnerabilities ○ Quantification of software quality ▷ nexB currently offers: ○ Leading solution for identification of software origin and license in sources and binaries ○ Emerging solution for vulnerabilities 19
Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ SCA and FOSS ▷ Newer software products and systems comprise 80% or more FOSS ○ Many products include hundreds or thousands of FOSS components ▷ FOSS licensing is a higher risk now than in the recent past ○ Explosion of the number of package dependencies and their rate of change ○ More “dual” licensing models - e.g. MongoDB, Redis, Elastic - that blur the lines between FOSS and proprietary software ▷ FOSS Compliance is focused on identifying licensing and complying with license conditions 20

Recomendados

Managing Open Source software in the Docker era
Managing Open Source software in the Docker era Managing Open Source software in the Docker era
Managing Open Source software in the Docker era nexB Inc.
 
VulnerableCode: Finding FOSS software vulnerabilities with FOSS tools
VulnerableCode: Finding FOSS software vulnerabilities with FOSS toolsVulnerableCode: Finding FOSS software vulnerabilities with FOSS tools
VulnerableCode: Finding FOSS software vulnerabilities with FOSS toolsMichael Herzog
 
Identifying third party software with ScanCode
Identifying third party software with ScanCodeIdentifying third party software with ScanCode
Identifying third party software with ScanCodenexB Inc.
 
How to Manage Open Source requirements with AboutCode
How to Manage Open Source requirements with AboutCodeHow to Manage Open Source requirements with AboutCode
How to Manage Open Source requirements with AboutCodenexB Inc.
 
PURL and vers: The Mostly Universal Package URL and Version Ranges Identifier...
PURL and vers: The Mostly Universal Package URL and Version Ranges Identifier...PURL and vers: The Mostly Universal Package URL and Version Ranges Identifier...
PURL and vers: The Mostly Universal Package URL and Version Ranges Identifier...Michael Herzog
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...sparkfabrik
 
A Vulnerability Database Should Not Be About Vulnerabilities!
A Vulnerability Database Should Not Be About Vulnerabilities!A Vulnerability Database Should Not Be About Vulnerabilities!
A Vulnerability Database Should Not Be About Vulnerabilities!Michael Herzog
 
Voxxed days Vilnius 2015 - Android Reverse Engineering Lab
Voxxed days Vilnius 2015 - Android Reverse Engineering LabVoxxed days Vilnius 2015 - Android Reverse Engineering Lab
Voxxed days Vilnius 2015 - Android Reverse Engineering LabRon Munitz
 

Recomendados

Managing Open Source software in the Docker era
Managing Open Source software in the Docker era Managing Open Source software in the Docker era
Managing Open Source software in the Docker era nexB Inc.
 
VulnerableCode: Finding FOSS software vulnerabilities with FOSS tools
VulnerableCode: Finding FOSS software vulnerabilities with FOSS toolsVulnerableCode: Finding FOSS software vulnerabilities with FOSS tools
VulnerableCode: Finding FOSS software vulnerabilities with FOSS toolsMichael Herzog
 
Identifying third party software with ScanCode
Identifying third party software with ScanCodeIdentifying third party software with ScanCode
Identifying third party software with ScanCodenexB Inc.
 
How to Manage Open Source requirements with AboutCode
How to Manage Open Source requirements with AboutCodeHow to Manage Open Source requirements with AboutCode
How to Manage Open Source requirements with AboutCodenexB Inc.
 
PURL and vers: The Mostly Universal Package URL and Version Ranges Identifier...
PURL and vers: The Mostly Universal Package URL and Version Ranges Identifier...PURL and vers: The Mostly Universal Package URL and Version Ranges Identifier...
PURL and vers: The Mostly Universal Package URL and Version Ranges Identifier...Michael Herzog
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...sparkfabrik
 
A Vulnerability Database Should Not Be About Vulnerabilities!
A Vulnerability Database Should Not Be About Vulnerabilities!A Vulnerability Database Should Not Be About Vulnerabilities!
A Vulnerability Database Should Not Be About Vulnerabilities!Michael Herzog
 
Voxxed days Vilnius 2015 - Android Reverse Engineering Lab
Voxxed days Vilnius 2015 - Android Reverse Engineering LabVoxxed days Vilnius 2015 - Android Reverse Engineering Lab
Voxxed days Vilnius 2015 - Android Reverse Engineering LabRon Munitz
 
“State of the Tooling” in Open Source Automation
“State of the Tooling” in Open Source Automation“State of the Tooling” in Open Source Automation
“State of the Tooling” in Open Source AutomationShane Coughlan
 
Navigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas SaariNavigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas SaariMetosin Oy
 
Cross-compilation native sous android
Cross-compilation native sous androidCross-compilation native sous android
Cross-compilation native sous androidThierry Gayet
 
From Zero to Hero - All you need to do serious deep learning stuff in R
From Zero to Hero - All you need to do serious deep learning stuff in R From Zero to Hero - All you need to do serious deep learning stuff in R
From Zero to Hero - All you need to do serious deep learning stuff in R Kai Lichtenberg
 
RootStack - Devfactory
RootStack - DevfactoryRootStack - Devfactory
RootStack - DevfactoryKangaroot
 
Open source software governance with DejaCode
Open source software governance with DejaCodeOpen source software governance with DejaCode
Open source software governance with DejaCodenexB Inc.
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'acorehard_by
 
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoTInria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoTStéphanie Roger
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystemsparkfabrik
 
DEF CON 27 - workshop - ISAAC EVANS - discover exploit and eradicate entire v...
DEF CON 27 - workshop - ISAAC EVANS - discover exploit and eradicate entire v...DEF CON 27 - workshop - ISAAC EVANS - discover exploit and eradicate entire v...
DEF CON 27 - workshop - ISAAC EVANS - discover exploit and eradicate entire v...Felipe Prado
 
CodeMotion tel aviv 2015 - android reverse engineering lab
CodeMotion tel aviv 2015 - android reverse engineering labCodeMotion tel aviv 2015 - android reverse engineering lab
CodeMotion tel aviv 2015 - android reverse engineering labRon Munitz
 
Building Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMBuilding Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMSherif Mousa
 
Approaching package manager
Approaching package managerApproaching package manager
Approaching package managerTimur Safin
 
Managing Open Source Software Supply Chains
Managing Open Source Software Supply ChainsManaging Open Source Software Supply Chains
Managing Open Source Software Supply ChainsnexB Inc.
 
DevSecOps - Security in DevOps
DevSecOps - Security in DevOpsDevSecOps - Security in DevOps
DevSecOps - Security in DevOpsAarno Aukia
 
Containerize All the (Multi-Platform) Things! by Phil Estes
Containerize All the (Multi-Platform) Things! by Phil EstesContainerize All the (Multi-Platform) Things! by Phil Estes
Containerize All the (Multi-Platform) Things! by Phil EstesDocker, Inc.
 
Containerize All the Multi-Platform Things! - DockerCon Seattle 2016
Containerize All the Multi-Platform Things! - DockerCon Seattle 2016Containerize All the Multi-Platform Things! - DockerCon Seattle 2016
Containerize All the Multi-Platform Things! - DockerCon Seattle 2016Phil Estes
 
Php Dependency Management with Composer ZendCon 2017
Php Dependency Management with Composer ZendCon 2017Php Dependency Management with Composer ZendCon 2017
Php Dependency Management with Composer ZendCon 2017Clark Everetts
 
Chromium: NaCl and Pepper API
Chromium: NaCl and Pepper APIChromium: NaCl and Pepper API
Chromium: NaCl and Pepper APIChang W. Doh
 
Containerization using docker and its applications
Containerization using docker and its applicationsContainerization using docker and its applications
Containerization using docker and its applicationsPuneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 

Mais conteúdo relacionado

Semelhante a Scanning Docker Images with ScanCode.io

“State of the Tooling” in Open Source Automation
“State of the Tooling” in Open Source Automation“State of the Tooling” in Open Source Automation
“State of the Tooling” in Open Source AutomationShane Coughlan
 
Navigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas SaariNavigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas SaariMetosin Oy
 
Cross-compilation native sous android
Cross-compilation native sous androidCross-compilation native sous android
Cross-compilation native sous androidThierry Gayet
 
From Zero to Hero - All you need to do serious deep learning stuff in R
From Zero to Hero - All you need to do serious deep learning stuff in R From Zero to Hero - All you need to do serious deep learning stuff in R
From Zero to Hero - All you need to do serious deep learning stuff in R Kai Lichtenberg
 
RootStack - Devfactory
RootStack - DevfactoryRootStack - Devfactory
RootStack - DevfactoryKangaroot
 
Open source software governance with DejaCode
Open source software governance with DejaCodeOpen source software governance with DejaCode
Open source software governance with DejaCodenexB Inc.
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'acorehard_by
 
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoTInria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoTStéphanie Roger
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystemsparkfabrik
 
DEF CON 27 - workshop - ISAAC EVANS - discover exploit and eradicate entire v...
DEF CON 27 - workshop - ISAAC EVANS - discover exploit and eradicate entire v...DEF CON 27 - workshop - ISAAC EVANS - discover exploit and eradicate entire v...
DEF CON 27 - workshop - ISAAC EVANS - discover exploit and eradicate entire v...Felipe Prado
 
CodeMotion tel aviv 2015 - android reverse engineering lab
CodeMotion tel aviv 2015 - android reverse engineering labCodeMotion tel aviv 2015 - android reverse engineering lab
CodeMotion tel aviv 2015 - android reverse engineering labRon Munitz
 
Building Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMBuilding Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMSherif Mousa
 
Approaching package manager
Approaching package managerApproaching package manager
Approaching package managerTimur Safin
 
Managing Open Source Software Supply Chains
Managing Open Source Software Supply ChainsManaging Open Source Software Supply Chains
Managing Open Source Software Supply ChainsnexB Inc.
 
DevSecOps - Security in DevOps
DevSecOps - Security in DevOpsDevSecOps - Security in DevOps
DevSecOps - Security in DevOpsAarno Aukia
 
Containerize All the (Multi-Platform) Things! by Phil Estes
Containerize All the (Multi-Platform) Things! by Phil EstesContainerize All the (Multi-Platform) Things! by Phil Estes
Containerize All the (Multi-Platform) Things! by Phil EstesDocker, Inc.
 
Containerize All the Multi-Platform Things! - DockerCon Seattle 2016
Containerize All the Multi-Platform Things! - DockerCon Seattle 2016Containerize All the Multi-Platform Things! - DockerCon Seattle 2016
Containerize All the Multi-Platform Things! - DockerCon Seattle 2016Phil Estes
 
Php Dependency Management with Composer ZendCon 2017
Php Dependency Management with Composer ZendCon 2017Php Dependency Management with Composer ZendCon 2017
Php Dependency Management with Composer ZendCon 2017Clark Everetts
 
Chromium: NaCl and Pepper API
Chromium: NaCl and Pepper APIChromium: NaCl and Pepper API
Chromium: NaCl and Pepper APIChang W. Doh
 

Semelhante a Scanning Docker Images with ScanCode.io (20)

“State of the Tooling” in Open Source Automation
“State of the Tooling” in Open Source Automation“State of the Tooling” in Open Source Automation
“State of the Tooling” in Open Source Automation
 
Navigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas SaariNavigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas Saari
 
Cross-compilation native sous android
Cross-compilation native sous androidCross-compilation native sous android
Cross-compilation native sous android
 
From Zero to Hero - All you need to do serious deep learning stuff in R
From Zero to Hero - All you need to do serious deep learning stuff in R From Zero to Hero - All you need to do serious deep learning stuff in R
From Zero to Hero - All you need to do serious deep learning stuff in R
 
RootStack - Devfactory
RootStack - DevfactoryRootStack - Devfactory
RootStack - Devfactory
 
Open source software governance with DejaCode
Open source software governance with DejaCodeOpen source software governance with DejaCode
Open source software governance with DejaCode
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'a
 
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoTInria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
 
DEF CON 27 - workshop - ISAAC EVANS - discover exploit and eradicate entire v...
DEF CON 27 - workshop - ISAAC EVANS - discover exploit and eradicate entire v...DEF CON 27 - workshop - ISAAC EVANS - discover exploit and eradicate entire v...
DEF CON 27 - workshop - ISAAC EVANS - discover exploit and eradicate entire v...
 
CodeMotion tel aviv 2015 - android reverse engineering lab
CodeMotion tel aviv 2015 - android reverse engineering labCodeMotion tel aviv 2015 - android reverse engineering lab
CodeMotion tel aviv 2015 - android reverse engineering lab
 
Building Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMBuilding Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARM
 
Approaching package manager
Approaching package managerApproaching package manager
Approaching package manager
 
Managing Open Source Software Supply Chains
Managing Open Source Software Supply ChainsManaging Open Source Software Supply Chains
Managing Open Source Software Supply Chains
 
DevSecOps - Security in DevOps
DevSecOps - Security in DevOpsDevSecOps - Security in DevOps
DevSecOps - Security in DevOps
 
Containerize All the (Multi-Platform) Things! by Phil Estes
Containerize All the (Multi-Platform) Things! by Phil EstesContainerize All the (Multi-Platform) Things! by Phil Estes
Containerize All the (Multi-Platform) Things! by Phil Estes
 
Containerize All the Multi-Platform Things! - DockerCon Seattle 2016
Containerize All the Multi-Platform Things! - DockerCon Seattle 2016Containerize All the Multi-Platform Things! - DockerCon Seattle 2016
Containerize All the Multi-Platform Things! - DockerCon Seattle 2016
 
Php Dependency Management with Composer ZendCon 2017
Php Dependency Management with Composer ZendCon 2017Php Dependency Management with Composer ZendCon 2017
Php Dependency Management with Composer ZendCon 2017
 
Chromium: NaCl and Pepper API
Chromium: NaCl and Pepper APIChromium: NaCl and Pepper API
Chromium: NaCl and Pepper API
 
Containerization using docker and its applications
Containerization using docker and its applicationsContainerization using docker and its applications
Containerization using docker and its applications
 

Último

Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identityteam-WIBU
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationPREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 

Último (20)

Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationPREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 

Scanning Docker Images with ScanCode.io

  • 1. Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Software Composition Analysis of Docker and container images. Summer 2022
  • 2. Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Introduction: Philippe Ombredanne ▷ Weird facts and claims to fame  Signed off the largest deletion of source lines in the linux kernel (but these were only license comments) ▷ Maintainer of FOSS tools for FOSS code origin, license, security and quality analysis aka. SCA "Software Composition Analysis" ▷ ScanCode, VulnerableCode and AboutCode tools, LicenseDB, Package URLs ▷ Co-founder of SPDX, ClearlyDefined, long time GSoC/GSoD mentor, contributor to Open Chain Reference Tooling group & several FOSS projects ▷ Co-founder and CTO of nexB Inc. SCA tools and services ▷ pom@nexb.com or pombredanne@gmail.com
  • 3. Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Agenda ▷ The container challenge ▷ The ScanCode.io solution ▷ Who is using ScanCode.io for containers? ▷ ScanCode.io user flow & pipeline details ▷ Demo ▷ Status ▷ Architecture ▷ Next Steps
  • 4. Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ A Container is like a VM with a twist  Multiple slices of root filesystems  No kernel  Commonly include multiple Linux distros ▷ Many packages, mostly pre-built binaries  No kernel, BUT 10x to 100x more packages  10x to 100x more licenses :| ▷ Package metadata are not enough (too little or too much)  The declared license is often incorrect or misleading ▷ Not everything is a package  Extra files COPY'ied, download and ADD'ed to Docker image The container challenge (1)
  • 5. Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ Dynamic analysis (e.g. running tools inside) is problematic because you modify what you are analyzing (observer effect) ▷ No scriptable, customizable and open source solution that provides an acceptable quality of license detection  Most tools focused only on surface package scans with minimal cross-checks ▷ 100x more packages: But how to avoid doing 100x more compliance work? ▷ And still get high quality composition analysis? The container challenge (2)
  • 6. Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Why ScanCode.io? ▷ Easy end-to-end analysis, press of a button analysis ▷ Static analysis e.g. do not run container to analyze it ▷ Guarantee that ALL files in an image are vetted ○ Not a mere inventory of packages and their licenses ▷ Scriptable pipelines aka. ScanPipes easy to customize ○ Not limited to containers, also any rootfs or any code  e.g. Full VM images or OpenWRT-based devices ○ Integration platform: can add analysis steps to run any other tools ○ Installable locally ▷ Open source and best in class ○ No other commercial or open source tool has the same capabilities so far ○ Recognized by key users as best in class
  • 7. Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Who is using ScanCode.io for containers? ▷ Two of the largest big tech companies ▷ A large US device manufacturer ▷ Three large European industrial companies ▷ Many more ▷ nexB professional service team for product release due diligence and M&A audits
  • 8. Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Alternatives ▷ Commercial tools are focused primarily on Security ○ Shallow support for licensing using only (weak) metadata ▷ Open source tools include Tern and few others ○ Use techniques of dynamic analysis ○ Package-level only, not vetting all the files ○ Fixed analysis process ○ Some use ScanCode Toolkit to provide better results
  • 9. Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Docker image user flow ▷ Upload (or fetch) a Docker image to your ScanCode.io server ▷ ScanCode.io analyzes the image and collects structured license and provenance of: ○ All system packages ○ All application packages ○ All files not part of packages are scanned in details ○ (optional: Your own Custom steps) ▷ Fetch results as JSON, XSLX, Browse online, JSON REST API access
  • 10. Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ ▷ Fetch then Prepare image archive ▷ For each image layer: scan system packages ○ Find their file and check if modified ▷ For remaining files: scan application packages ○ All ScanCode-supported package types (npm, maven, composer, etc.) ▷ For remaining files: scan files ○ All files, including binaries ▷ For remaining files: analyze and tag ○ Dispose of temp and transient or log files and more ▷ Add your own special step ▷ Assemble results from DB and return JSON ScanCode.io Docker pipeline details
  • 11. Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Live Demo ▷ A Debian-based Redis image  Get it from docker://redis:buster ▷ A problematic Alpine image  Get it from docker://quay.io/wire/alpine-deps  and https://quay.io/repository/wire/alpine-deps  Contains native GPL-3.0licensed binary built on the fly, no origin, no source, no license!  /usr/lib/libcryptobox.so happens to be a "random" GPL-3.0-licensed binary built on the fly and added to the image  https://github.com/wireapp/wire- server/blob/8d8525b30a5eb33557cb2c8a0f21a8aa2ea63999/build/alpine/Dockerfile.deps#L8  https://github.com/wireapp/cryptobox-c
  • 12. Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Architecture Scan Pipelines execute in ScanCode.io server ○ Python, Django, PostgreSQL ▷ Each focused composition analysis script is a pipeline ○ Flexible and clear scripting, customizable, resume/restart ▷ JSON API, Web UI, reporting ▷ Inside: ○ ScanPipe for end-to-end scripting and pipeline documentation ○ ScanCode toolkit for license and application package parsing ○ container-inspector library for container image processing ○ debian-inspector for debian ○ ScanCode for Alpine and RPMs, and distroless for system package
  • 13. Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Status and plans ▷ Support for all main Linux distro is available for Docker and OCI containers: ○ Debian/Ubuntu, RedHat/Suse RPM-based, Alpine and Distroless ○ And Windows containers too! ○ Support all common VM image formats ▷ Upcoming ○ Major improvement on license detection accuracy  Smart ML-based analysis of detected licenses and automated active learning ○ Policies and efficient handling of TODOs for human review ○ New one off license scans pipeline ○ New Android app scan pipeline ▷ Building a library of pre-scanned base images and layers ○ e.g. SCAN and REVIEW ALL THE PUBLIC CONTAINERS
  • 14. Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Credits Special thanks to all the people who made and released these excellent free resources: ▷ Presentation template by SlidesCarnival ▷ Photographs by Unsplash ▷ All the open source software authors that made DejaCode and AboutCode possible
  • 15. Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ nexB Solutions Overview ▷ SCA and Audit Services ○ Enabled and accelerated by our free ScanCode and AboutCode tools ○ http://www.nexb.com/services.html ▷ AboutCode - Open source for open source analysis ○ Recognized as best-in-class tools ○ nexB provides professional services to accelerate or customize implementation ○ ScanCode TK, ScanCode.io, ScanCode WB, AttributeCode TK, DeltaCode, TraceCode and other tools available at https://aboutcode.org and https://github.com/nexB ▷ DejaCode - Compliance application for legal and management teams ○ A central system of records to aggregate and manage all your software products, components, licenses and policies https://dejacode.com
  • 16. Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Related FOSS projects 16 ▷ AttributeCode TK - Auto generate attribution notices ▷ TraceCode TK - trace your build to find deployed code ▷ VulnerableCode - The free correlated vulnerabilities DB (startup funding from the EU and NLnet) ▷ DeltaCode - compare two scans ▷ Container-Inspector - Static Docker images analysis - low level library ▷ Debian-Inspector - Debian packages analysis ▷ AboutCode - Data models (used in Libraries.io and ORT) ▷ ScanCode Workbench - Desktop app for Scan review ▷ license expression - parse, combine, simplify ▷ Package URL (purl) - used in OWASP, Sonatype
  • 17. Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ Contact us ▷ Contact persons ○ Michael Herzog mjherzog@nexb.com+ 1 650 380 0680 ○ Philippe Ombredanne pombredanne@nexb.com+ 1 650 799 0949 ▷ More information ○ https://www.nexb.com/
  • 18. Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ About nexB ▷ Focused on Software Composition Analysis (SCA) and FOSS Compliance since 2007 ▷ Software provenance experts ○ 500+ SCA projects completed to-date ○ 100% customer satisfaction ▷ Authors of ScanCode - industry-leading FOSS-SCA toolset ▷ Industry thought leaders ○ Co-founders of SPDX ○ Co-founders of Package URLs 18
  • 19. Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ nexB in the SCA domain ▷ Software Composition Analysis comprises four dimensions of managing your software: ○ Identification of software origin ○ Identification of software licensing ○ Identification of software vulnerabilities ○ Quantification of software quality ▷ nexB currently offers: ○ Leading solution for identification of software origin and license in sources and binaries ○ Emerging solution for vulnerabilities 19
  • 20. Copyright (c) nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/ SCA and FOSS ▷ Newer software products and systems comprise 80% or more FOSS ○ Many products include hundreds or thousands of FOSS components ▷ FOSS licensing is a higher risk now than in the recent past ○ Explosion of the number of package dependencies and their rate of change ○ More “dual” licensing models - e.g. MongoDB, Redis, Elastic - that blur the lines between FOSS and proprietary software ▷ FOSS Compliance is focused on identifying licensing and complying with license conditions 20