Inside the whale: at-rest analysis of Docker images for provenance, license and vulnerabilities
Container images routinely embed thousands of system packages, application packages and custom software components, all bundled into an opaque blob. Each of these has a different provenance and license, and any of them may have been modified. Images are therefore fertile ground for bugs, security issues and FOSS license problems to go unnoticed. Join me to discover a new approach and FOSS tool suite for deep and extensive static analysis of a Docker image's content at rest, to uncover all the known and unknown third-party code it includes.
Armed with this knowledge, we will see how it can be leveraged to validate whether packages have been modified, whether they are subject to known vulnerabilities, and what their licenses are, all of which are essential to using container images safely and productively.
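To make the "at rest" part of the abstract concrete, here is an added example (my own illustration, not code from ScanCode, AboutCode or nexB) that inspects a `docker save`-style image tarball without ever running it: it merges the layers in manifest order while honouring OCI whiteout entries, reads the dpkg status database, recomputes the md5 of every file dpkg recorded for each installed package, and pulls the `License:` fields from each package's Debian copyright file. The image, package names and file contents are constructed inline so the script runs offline; a real image is the tarball produced by `docker save`.

```python
# Added example, not the ScanCode/AboutCode tooling: at-rest analysis of a
# docker-save image tarball. All packages, digests and file contents below are
# constructed sample data built in memory by build_sample_image().
from __future__ import annotations
import hashlib, io, json, posixpath, tarfile


def _add(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    """Append one regular file to an open tar archive."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def _layer(files: dict[str, bytes]) -> bytes:
    """Serialise one image layer (a plain tar) from a path -> content mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            _add(tar, name, data)
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed two-layer image. Layer 2 overwrites usr/bin/bar and deletes
    libfoo's copyright file through an OCI whiteout entry."""
    bar, libfoo = b"#!/bin/sh\necho bar\n", b"\x7fELF-not-really\n"
    cr_libfoo = b"Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/\nLicense: LGPL-2.1+\n"
    cr_bar = b"Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/\nLicense: MIT\n"
    md5 = lambda b: hashlib.md5(b).hexdigest()
    base = {
        "var/lib/dpkg/status": (
            "Package: libfoo\nStatus: install ok installed\nVersion: 1.2-3\n"
            "Architecture: amd64\nDescription: constructed sample library\n\n"
            "Package: bar\nStatus: install ok installed\nVersion: 0.9-1\n"
            "Architecture: amd64\nDescription: constructed sample tool\n").encode(),
        # dpkg records per-file md5s in /var/lib/dpkg/info/<pkg>[:<arch>].md5sums
        "var/lib/dpkg/info/libfoo:amd64.md5sums": (
            f"{md5(libfoo)}  usr/lib/libfoo.so.1\n{md5(cr_libfoo)}  usr/share/doc/libfoo/copyright\n").encode(),
        "var/lib/dpkg/info/bar.md5sums": (
            f"{md5(bar)}  usr/bin/bar\n{md5(cr_bar)}  usr/share/doc/bar/copyright\n").encode(),
        "usr/lib/libfoo.so.1": libfoo, "usr/share/doc/libfoo/copyright": cr_libfoo,
        "usr/bin/bar": bar, "usr/share/doc/bar/copyright": cr_bar,
    }
    top = {
        "./usr/bin/bar": b"#!/bin/sh\necho bar; id\n",          # tampered in a later layer
        "usr/share/doc/libfoo/.wh.copyright": b"",                # whiteout: deletes the file
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as img:
        manifest = [{"Config": "cfg.json", "Layers": ["l1/layer.tar", "l2/layer.tar"]}]
        _add(img, "manifest.json", json.dumps(manifest).encode())
        _add(img, "l1/layer.tar", _layer(base))
        _add(img, "l2/layer.tar", _layer(top))
    return buf.getvalue()


def flatten_image(image_tar: bytes) -> dict[str, bytes]:
    """Merge layers bottom-up into one path -> content view, applying
    .wh.<name> and .wh..wh..opq whiteouts (in tar order) as a runtime would."""
    rootfs: dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as img:
        manifest = json.load(img.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            with tarfile.open(fileobj=io.BytesIO(img.extractfile(layer_name).read())) as layer:
                for m in layer.getmembers():
                    path = posixpath.normpath(m.name).lstrip("/")
                    d, base = posixpath.split(path)
                    prefix = d + "/" if d else ""
                    if base == ".wh..wh..opq":          # opaque: drop everything below d
                        for p in [p for p in rootfs if p.startswith(prefix)]:
                            del rootfs[p]
                    elif base.startswith(".wh."):       # plain whiteout: drop one entry
                        target = prefix + base[4:]
                        for p in [p for p in rootfs if p == target or p.startswith(target + "/")]:
                            del rootfs[p]
                    elif m.isfile():
                        rootfs[path] = layer.extractfile(m).read()
    return rootfs


def parse_dpkg_status(text: str) -> list[dict[str, str]]:
    """Parse the RFC822-style stanzas of /var/lib/dpkg/status (first line per field)."""
    pkgs = []
    for stanza in text.split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line and line[0] not in " \t":
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Package" in fields:
            pkgs.append(fields)
    return pkgs


def verify_dpkg_packages(rootfs: dict[str, bytes]) -> dict[str, dict]:
    """Per installed package: files whose md5 differs from dpkg's record, files
    that are missing, and the License fields of its DEP-5 copyright file."""
    report = {}
    for pkg in parse_dpkg_status(rootfs.get("var/lib/dpkg/status", b"").decode()):
        if pkg.get("Status") != "install ok installed":
            continue
        name, arch = pkg["Package"], pkg.get("Architecture", "")
        sums = (rootfs.get(f"var/lib/dpkg/info/{name}.md5sums")
                or rootfs.get(f"var/lib/dpkg/info/{name}:{arch}.md5sums"))
        entry = {"version": pkg.get("Version"), "modified": [], "missing": [],
                 "unverifiable": sums is None, "license": None}
        cr = rootfs.get(f"usr/share/doc/{name}/copyright")
        if cr:
            lics = [l.partition(":")[2].strip() for l in cr.decode(errors="replace").splitlines()
                    if l.startswith("License:")]
            entry["license"] = ", ".join(sorted(set(lics))) or None
        for line in (sums or b"").decode().splitlines():
            digest, _, path = line.partition("  ")
            data = rootfs.get(path)
            if data is None:
                entry["missing"].append(path)
            elif hashlib.md5(data).hexdigest() != digest:
                entry["modified"].append(path)
        report[name] = entry
    return report


if __name__ == "__main__":
    for name, r in verify_dpkg_packages(flatten_image(build_sample_image())).items():
        print(name, r)
```

Two caveats matter when reading the output. The md5sums live inside the same image as the files they describe, so a layer that replaces a binary can just as easily rewrite the record; this detects drift from the package manager's own bookkeeping, not tampering by someone who controls the image. And files a Dockerfile legitimately rewrites (configuration, for instance) show up as modified too, so the result is a list of files to explain, not a verdict. The same walk can be repeated for Alpine (`lib/apk/db/installed`) or RPM databases, and a stronger check compares the merged files against the distribution's original package archives or a signed SBOM rather than against metadata shipped in the image.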
San Carlos, CA, USA
AboutCode.org and nexB Inc.
Philippe Ombredanne is a passionate FOSS hacker, lead maintainer of the ScanCode toolkit and on a mission to enable easier and safer reuse of FOSS code with best-in-class open source tools for open source discovery, software composition analysis and license & security compliance at https://aboutcode.org. Philippe contributes to several other projects, including most recently and proudly the Linux kernel SPDX-ification, the SPDX and ClearlyDefined projects, several Python tools, and previously strace, JBoss, Eclipse and Mozilla.
Philippe has also been a long-time Google Summer of Code mentor and org admin. Work-wise, he is the CTO of nexB, a company that helps software teams track what's in their code with DejaCode, a governance dashboard and compliance analysis platform for open source code.