
orion's Introduction

orion

The repository is a tool that generates a software inventory of a container image, specifically the software installations that are not managed through package managers. Developers often install additional software artifacts through RUN shell commands and COPY/ADD during docker build, besides OS packages and open-source software packages. Such installations need to be counted in order to produce a complete and accurate SBOM for security compliance and auditing purposes.

There are a number of open-source SBOM tools: (1) tern for container images, (2) spdx sbom generator for open-source software packages of various languages, and (3) Kubernetes Release Tooling for golang applications.

Our project complements these tools with the capability to track software artifacts installed outside of the package management tools, independent of the platform- and language-specific package management tools. The project also leverages the spdx module of Kubernetes Release Tooling to generate the SPDX document.

Features

There are many ways that developers can compose their Dockerfile to install additional artifacts in docker build. We selected Dockerfiles from popular GitHub projects (those with the most stars) and, by examining them, extracted the scenarios/patterns used in these Dockerfiles.

The project has implemented tracing capabilities for artifacts installed by the following docker operations and shell commands, which cover the majority of the scenarios.

  • WORKDIR
  • ARG
  • ENV
  • RUN
    • curl
    • wget
    • tar -x...
    • unzip
    • git clone, git checkout
    • cp
    • mv
    • cd
  • COPY
  • ADD

The scenarios/patterns yet to be addressed are listed here for further development.
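As an added illustration of the tracing the list above describes (example code, not orion's own implementation), the Python script below follows ARG/ENV substitution, WORKDIR, cd inside a RUN shell, wget/curl downloads and COPY/ADD to compute where each non-package artifact lands in the image. The sample Dockerfile, its URLs and its paths are constructed for the example.

```python
import posixpath
import re
import shlex

def abs_path(cwd, p):  # absolute, normalised in-image path of p relative to cwd
    return posixpath.normpath(p if p.startswith("/") else posixpath.join(cwd, p))

def download_trace(c, cwd):
    """Trace 'wget [-O f] URL' or 'curl [-o f] URL'; default dest is the URL basename in cwd."""
    url = next((a for a in c if a.startswith(("http://", "https://"))), None)
    dest = next((c[i + 1] for i, a in enumerate(c[:-1]) if a in ("-O", "-o")), posixpath.basename(url or ""))
    return {"op": "RUN/" + c[0], "source": url, "dest": abs_path(cwd, dest)} if url else None

def trace_dockerfile(text):
    """Return install traces, following ARG/ENV, WORKDIR, cd inside RUN, wget/curl, COPY/ADD."""
    env, cwd, out = {}, "/", []
    for line in text.replace("\\\n", " ").splitlines():  # join backslash continuations
        line = re.sub(r"\$\{?(\w+)\}?", lambda m: env.get(m.group(1), ""), line)  # expand $VAR / ${VAR}
        f = line.split()
        if len(f) < 2 or f[0].startswith("#"): continue
        op = f[0].upper()
        if op in ("ARG", "ENV"):  # both "KEY=value" and "KEY value" forms
            k, eq, v = f[1].partition("=")
            env[k] = v if eq else " ".join(f[2:])
        elif op == "WORKDIR":
            cwd = abs_path(cwd, f[1])
        elif op == "RUN":
            sh = cwd  # cd persists only within this RUN's shell
            for cmd in re.split(r"&&|\|\||;", " ".join(f[1:])):
                c = shlex.split(cmd)
                if len(c) > 1 and c[0] == "cd":
                    sh = abs_path(sh, c[1])
                elif c and c[0] in ("wget", "curl") and (t := download_trace(c, sh)):
                    out.append(t)
        elif op in ("COPY", "ADD"):  # a dest ending in "/" keeps the source basename
            src, dest = f[-2], f[-1]
            if dest.endswith("/"):
                dest = posixpath.join(dest, posixpath.basename(src))
            out.append({"op": op, "source": src, "dest": abs_path(cwd, dest)})
    return out

# Constructed sample Dockerfile (hypothetical URLs and paths, not from the orion repo).
SAMPLE = """\
ARG TOOL_VERSION=1.2.3
ENV TOOL_HOME /opt/tool
WORKDIR $TOOL_HOME
RUN wget https://example.invalid/tool-${TOOL_VERSION}.tar.gz -O tool.tar.gz && \\
    cd bin && curl -o helper https://example.invalid/helper.sh
COPY ./scripts/run.sh bin/
"""
```

Running trace_dockerfile(SAMPLE) yields three traces: the wget download in /opt/tool, the curl download in /opt/tool/bin after the cd, and the COPY destination /opt/tool/bin/run.sh.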

How to run it

  1. Clone the project and make a build
% git clone https://github.com/tap8stry/orion.git
% cd orion
% make
  2. Command to scan a Dockerfile and produce addon installation traces
% ./orion discover -f <dockerfile-path> -n <sbom-namespace> -r <output-file-path>

where

  • dockerfile-path: Dockerfile pathname
  • sbom-namespace: namespace, e.g. your project's GitHub repository URL
  • output-file-path: file name for saving discovery results. The traces are saved to <output-file-path>-trace.json.
  3. Command to produce/verify addon installation traces and produce an SBOM report
% ./orion discover -f <dockerfile-path> -n <sbom-namespace> -i <image-name:tag> -r <output-file-path>

The SBOM report is saved to <output-file-path>.spdx.

  4. Workaround if you encounter an access permission issue when decompressing the image tarball

You may encounter error messages like the following when running command 3.

error executing untar cmd: exit status 1
error untar image layer "356f18f3a935b2f226093720b65383048249413ed99da72c87d5be58cc46661c.tar.gz": unable to untar an image file

This is caused by access permissions when decompressing the image tar file to a temporary file system. You can use sudo to work around this problem, as in the command below.

% sudo ./orion discover -d <dockerfile-path> -n <sbom-namespace> -i <image-name:tag> -f <output-file-path>


orion's Issues

access to private images in cloud providers' registries

Currently Orion works for public images and images on docker registry. A new capability is needed to support access to private images on cloud providers' private registries.

Orion leverages go-containerregistry module for registry access. According to its README, a NewKeychainFromHelper needs to be implemented to handle cloud provider specific authentication and authorization. Two example helpers are mentioned for Amazon ECR and Azure ACR.

Suggest the following two actions:

  1. Implement a NewKeychainFromHelper for ibmcloud. Get details on ibmcloud authentication and registry APIs.
  2. Incorporate available KeychainFromHelpers, and implement the use of appropriate KeychainFromHelper based on target registry (image url).

uncertainty and limitation when tracing destination of tarball extraction for SBOM

Consider the following scenario of tracing an install that involves extracting a tarball during docker build.

WORKDIR /opt/
RUN wget https://download.com/cloud/tools/abc.tar.gz -O abc.tar.gz &&\
    tar xvf abc.tar.gz &&\
    rm abc.tar.gz

The tarball abc.tar.gz contains the following directory and files. Notice that the tarball file name is different from the leading directory name in the tarball content, e.g. abc vs somedir.
/somedir/file1
/somedir/file2

Without knowing the tarball directory information, we do not know the precise destination path of the extracted files by just parsing a Dockerfile. Currently the trace uses the parent directory as the destination, e.g. /opt/, and could not produce a valid SBOM component for it.
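As an added example (not code from the orion project), the Python below resolves the uncertainty this issue describes by reading the archive's member list instead of guessing from the file name, so the trace can name /opt/somedir rather than the parent /opt/. The tarball is constructed in memory to mirror the layout above.

```python
import io
import posixpath
import tarfile

def extraction_roots(tar_bytes, cwd):
    """Map each path created directly under cwd by 'tar x' to the entries beneath it."""
    roots = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            name = posixpath.normpath(m.name.lstrip("/"))  # tar drops a leading "/"
            top = name.split("/", 1)[0]
            if top in (".", ".."):
                continue  # "." adds nothing; ".." would escape cwd and is not part of the install footprint
            roots.setdefault(posixpath.join(cwd, top), []).append(posixpath.join(cwd, name))
    return roots

def build_sample_tgz():
    """Constructed abc.tar.gz whose leading directory is 'somedir', as in the issue."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in (("somedir/file1", b"one"), ("somedir/file2", b"two")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

With the RUN above, extraction_roots(build_sample_tgz(), "/opt") returns {"/opt/somedir": ["/opt/somedir/file1", "/opt/somedir/file2"]}, which is the precise destination the trace needs.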

limitation in identifying the resources installed by executing scripts

The following is a segment of a sample Dockerfile where it downloads a script that installs pip and removes the script afterwards. Without understanding the content of the script it is unknown what gets installed by the script execution. Also the script is removed after the execution and leaves no trace in the image.

Currently we are able to identify the script download, but not able to discover the resources installed by the script execution.

# if this is called "PIP_VERSION", pip explodes with "ValueError: invalid truth value '<VERSION>'"
ENV PYTHON_PIP_VERSION 21.2.4
# https://github.com/docker-library/python/issues/365
ENV PYTHON_SETUPTOOLS_VERSION 57.5.0
# https://github.com/pypa/get-pip
ENV PYTHON_GET_PIP_URL https://github.com/pypa/get-pip/raw/3cb8888cc2869620f57d5d2da64da38f516078c7/public/get-pip.py
ENV PYTHON_GET_PIP_SHA256 c518250e91a70d7b20cceb15272209a4ded2a0c263ae5776f129e0d9b5674309

RUN set -ex; \
	\
	wget -O get-pip.py "$PYTHON_GET_PIP_URL"; \
	echo "$PYTHON_GET_PIP_SHA256 *get-pip.py" | sha256sum -c -; \
	\
	python get-pip.py \
		--disable-pip-version-check \
		--no-cache-dir \
		"pip==$PYTHON_PIP_VERSION" \
		"setuptools==$PYTHON_SETUPTOOLS_VERSION" \
	; \
	pip --version; \
	\
	find /usr/local -depth \
		\( \
			\( -type d -a \( -name test -o -name tests -o -name idle_test \) \) \
			-o \
			\( -type f -a \( -name '*.pyc' -o -name '*.pyo' \) \) \
		\) -exec rm -rf '{}' +; \
	rm -f get-pip.py
