Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/tap8stry/orion
Go beyond package manager discovery for SBOM
Last synced: 28 days ago
- Host: GitHub
- URL: https://github.com/tap8stry/orion
- Owner: tap8stry
- License: apache-2.0
- Created: 2021-11-09T14:14:29.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2022-02-22T21:13:49.000Z (almost 3 years ago)
- Last Synced: 2024-08-04T00:13:19.963Z (4 months ago)
- Language: Go
- Homepage:
- Size: 300 KB
- Stars: 19
- Watchers: 1
- Forks: 2
- Open Issues: 5
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
Awesome Lists containing this project
- awesome-software-supply-chain-security - tap8stry/orion: Go beyond package manager discovery for SBOM
README
# orion
orion is a tool that generates a software inventory of a container image, specifically the software installations that are not managed through package managers. Besides OS packages and open-source software packages, developers often install additional software artifacts through RUN shell commands and COPY/ADD during docker build. Such installations need to be counted in order to produce a complete and accurate SBOM for security compliance and auditing purposes.
There are a number of open-source tools for SBOM generation: (1) [tern](https://github.com/tern-tools/tern) for container images, (2) [spdx sbom generator](https://github.com/spdx/spdx-sbom-generator) for open-source software packages of various languages, and (3) [Kubernetes Release Tooling](https://github.com/kubernetes/release) for golang applications.
Our project complements these tools with the capability to track software artifacts installed outside of package management tools, independently of platform- and language-specific package managers. The project also leverages the spdx module of [Kubernetes Release Tooling](https://github.com/kubernetes/release) to generate the SPDX document.
### Features
There are many ways that developers can compose a Dockerfile to install additional artifacts during docker build. We selected some from popular GitHub projects (those with the most stars) and, from examining them, extracted the scenarios/patterns used in these Dockerfiles.
**The project has implemented tracing capabilities for artifacts installed by the following docker operations and shell commands, which cover the majority of the scenarios.**
- WORKDIR
- ARG
- ENV
- RUN
- curl
- wget
- tar -x...
- unzip
- git clone, git checkout
- cp
- mv
- cd
- COPY
- ADD

**The scenarios/patterns yet to be addressed are listed [here](https://github.com/tap8stry/orion/blob/main/doc/new-scenarios.md) for further development.**
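To make concrete what tracing these operations involves, here is an added example of a minimal Dockerfile tracer written for this page; it is not orion's code and it does not reproduce orion's output format. It covers a subset of the list above (ARG/ENV substitution, RUN with curl, wget and git clone, and ADD/COPY sources), joins backslash-continued RUN lines, and splits chained shell commands on `&&`, `||` and `;`. The names `Artifact`, `ScanDockerfile`, `expand` and `SampleDockerfile` are this example's own, and the Dockerfile it scans is constructed (the `example.invalid` host is a reserved name that never resolves). tar/unzip/cp/mv/cd tracking, which orion lists, is not implemented here.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Artifact is one software installation found outside a package manager.
type Artifact struct {
	Line   int    // Dockerfile line on which the instruction starts
	Kind   string // "curl", "wget", "git clone", "ADD" or "COPY"
	Source string // URL or path after ARG/ENV substitution
}

var urlRe = regexp.MustCompile(`https?://[^\s'"]+`)
var varRe = regexp.MustCompile(`\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?`)
var chainRe = regexp.MustCompile(`\s*(?:&&|\|\||;)\s*`) // chained shell commands

// expand replaces $VAR and ${VAR} using earlier ARG/ENV values; unknown names stay as-is.
func expand(s string, vars map[string]string) string {
	return varRe.ReplaceAllStringFunc(s, func(m string) string {
		if v, ok := vars[varRe.FindStringSubmatch(m)[1]]; ok {
			return v
		}
		return m
	})
}

// ScanDockerfile returns artifacts fetched by curl/wget/git clone inside RUN or brought in by ADD/COPY.
func ScanDockerfile(content string) []Artifact {
	var out []Artifact
	vars := map[string]string{}
	startLine, pending := 0, "" // pending joins backslash-continued lines
	for i, line := range strings.Split(content, "\n") {
		raw := strings.TrimSpace(line)
		if raw == "" || strings.HasPrefix(raw, "#") {
			continue
		}
		if pending == "" {
			startLine = i + 1
		}
		if strings.HasSuffix(raw, "\\") {
			pending += strings.TrimSuffix(raw, "\\") + " "
			continue
		}
		fields := strings.Fields(pending + raw)
		pending = ""
		if len(fields) < 2 {
			continue
		}
		instr := strings.ToUpper(fields[0])
		switch instr {
		case "ARG", "ENV": // NAME=val tokens only; legacy "ENV NAME val" is skipped
			for _, kv := range fields[1:] {
				if p := strings.SplitN(kv, "=", 2); len(p) == 2 {
					vars[p[0]] = expand(p[1], vars)
				}
			}
		case "ADD", "COPY": // last field is the destination; --chown etc. are flags
			for _, src := range fields[1 : len(fields)-1] {
				if !strings.HasPrefix(src, "--") {
					out = append(out, Artifact{startLine, instr, expand(src, vars)})
				}
			}
		case "RUN": // exec (JSON-array) form is not parsed here
			cmd := expand(strings.Join(fields[1:], " "), vars)
			for _, part := range chainRe.Split(cmd, -1) {
				pf := strings.Fields(part)
				if len(pf) > 1 && (pf[0] == "curl" || pf[0] == "wget") {
					for _, u := range urlRe.FindAllString(part, -1) {
						out = append(out, Artifact{startLine, pf[0], u})
					}
				} else if len(pf) > 2 && pf[0] == "git" && pf[1] == "clone" {
					if repo := urlRe.FindString(part); repo != "" { // scp-style URLs are skipped
						out = append(out, Artifact{startLine, "git clone", repo})
					}
				}
			}
		}
	}
	return out
}

// SampleDockerfile is a constructed input; example.invalid is a reserved name that never resolves.
const SampleDockerfile = `ARG NGINX_VERSION=1.21.0
ENV DL=https://example.invalid
RUN curl -fsSL ${DL}/nginx-${NGINX_VERSION}.tar.gz -o nginx.tar.gz \
    && tar -xzf nginx.tar.gz
RUN git clone --depth 1 ${DL}/org/tool.git /opt/tool
ADD $DL/helper.sh /usr/local/bin/helper.sh
COPY --chown=app:app ./bin/agent /usr/local/bin/agent`

func main() {
	for _, a := range ScanDockerfile(SampleDockerfile) {
		fmt.Printf("line %d  %-9s %s\n", a.Line, a.Kind, a.Source)
	}
}
```

Running it lists four artifacts: the nginx tarball fetched by curl on line 3 (with both variables resolved), the git clone on line 5, the remote script pulled in by ADD on line 6, and the local binary copied on line 7. None of these would appear in a package-manager-based inventory, which is the gap the page describes; a real tracer additionally has to follow what tar/unzip extract and where cp/mv put the files.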
### How to run it
1. Clone the project and make a build
```
% git clone https://github.com/tap8stry/orion.git
% cd orion
% make
```
2. Command to scan a Dockerfile and produce addon installation traces
```
% ./orion discover -f -n -r
```
where
- dockerfile-path: Dockerfile pathname
- sbom-namespace: namespace, e.g. your project's github repository URL
- output-file-path: file name for saving discovery results. The traces are saved to `-trace.json`.
3. Command to produce/verify addon installation traces and produce the SBOM report
```
% ./orion discover -f -n -i -r
```
The SBOM report is saved to `.spdx`.
4. Workaround if you encounter an access permission issue when decompressing the image tarball
You may encounter error messages like the following when running command 3.
```
error executing untar cmd: exit status 1
error untar image layer "356f18f3a935b2f226093720b65383048249413ed99da72c87d5be58cc46661c.tar.gz": unable to untar an image file
```
This is caused by access permissions when decompressing the image tar file to a temporary file system. You can use the `sudo` command to work around this problem, see the command below.
```
% sudo ./orion discover -d -n -i -f
```