-
Notifications
You must be signed in to change notification settings - Fork 121
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dockerfile support #272
Comments
@klautcomputing this is a great topic and I'd love to support this but I'll also say that it's a hard problem to solve. Licensed works on what is actively available on a system and requires that dependencies be installed. Dockerfile So, then there are a few more problems:
That's not to say that any of this is not solvable, just that it's not the easiest thing to enumerate system level dependencies 😄 . If you have ideas on how to accomplish this I'd absolutely welcome additional feedback or even a PR 🙏 |
What about using a Software Bill Of Materials (SBOM) of the Docker image1 as a source for license information? For example, I know Syft's own SBOM format includes the name of the license of all artifacts it detects (haven't checked SPDX's or CycloneDX's SBOM formats). I suppose the fact that Syft is able to determine the license of system dependencies in a Docker image implies that it's possible to do this manually as well. I guess, however, that it would be easier to let Syft (or another tool) do the heavy lifting and consult the SBOM it generates to contain the license information. Two potential complications with this approach is that SBOMs typically also contain information about artifacts that Licensed already supports (e.g. npm modules or Ruby gems). So these should either be filtered out or somehow consolidated with Licensed own analysis. Footnotes
|
@ericcornelissen I'm curious of the use case for licensed here - what is the added benefit of licensed on top of Syft or another tool like it? Why not use the output from that tool directly? |
@jonabc that's a fair question. I think the primary benefit is the "compliance" aspect of Licensed. As far as I know Syft doesn't support this, and I don't know of any tool that does for SBOMs (admittedly, in all likelihood such a tool already exist). Additionally, Licensed's output is much more extensive for the ecosystems it supports, and so may be preferable to Syft's output in many regards. Admittedly, this won't hold true for system-level dependencies, but I think it means there's value in using both Licensed and (something like) Syft for a single project. If nothing else, the implementation of Syft and tools like it may provide a starting point for Licensed to add Dockerfile support. |
@ericcornelissen ah good point, I'll check out Syft's output format and see if it's a good match. FWIW I'm a little concerned about confusion where there is overlap between Licensed and Syft. For example they both have ruby and go support, which will require guidance and specific configuration to avoid double reporting for those types of dependencies. Also, is not having licensed able to check compliance on docker images a blocking issue for you? Just trying to figure out the priority here - it doesn't seem to be as needed as the other recent changes you requested but let me know if that's incorrect 🙏 |
My (perhaps naïve) suggestion would be to simply ignore anything in the SBOM that's for an ecosystem already supported by Licensed. I know Syft's own custom format includes information on the ecosystem, don't know about the SPDX and CycloneDX formats though.
Not a priority/blocking issue for me - I just noticed this issue and wanted to share a suggestion 🙂 |
Would be great if
licensed
supported analyzingDockerfile
s and what is installed there to track all dependencies of a project!The text was updated successfully, but these errors were encountered: