What is a container/Docker Image?

Docker is a tool designed to make it easier to create, deploy, and run applications using containers. Containers allow a developer to package up an application with all of the parts it needs, such as libraries and other dependencies, and ship it out as one package.

What are the different parts of a container that you might want to scan?

Scanning a container as a whole is not easy, so we will break a container down to three components and analyze each component separately.

  1. Base OS (operating system)
    This would be equivalent to scanning Linux, Windows, or MacOS.
  2. Third-party services and their dependencies
    This is relevant if your company’s code is built on third-party services such Apache Web Server, Redis Database, or HAProxy Load Balancer.
  3. Your service and its dependencies
    This would be the code and product you create, build, and distribute to your end customers.

We will employ a different method for each of these components.

Which of the three components do I need to scan? Should all of them be scanned? Why?

This is the million (or even billion) dollar question. Currently, there aren't enough legal cases discussed on the web to determine one best way or another. While FOSSA is among those leading the charge to help the community understand this problem, each company ultimately needs to work with its own legal counsel to map out the best approach for its specific use case. Whichever components you and your legal team decide to scan, we'll provide the right options to proceed accordingly.

How do I scan the license of the base OS and its associated dependencies?

The simplest way to scan the base OS would be to install the FOSSA CLI (https://github.com/fossas/fossa-cli) on the OS deployment. Point the FOSSA CLI to scan the rpm or deb directory. This will give you visibility into the packages that are installed on the system and what open source licenses are associated with each package.

How do I scan the licenses of third-party services and their associated dependencies?

The best way to scan incoming third-party containers is to start with the source code of the version/build equivalent of the same services.

Since these services are of open source by nature, the source code is all available online.

We suggest you fork this version of the code into your repository (GitHub, GitLab, or your own repository) and let FOSSA scan them just like your own source code.

This would not only give you a license and obligation report, it would also give you a vulnerability report, as well. Note that FOSSA Vulnerability scanning is a feature that requires separate activation, so please inquire with your sales rep to enable this feature.

What about the tools that are used to create the container image?

There is definitely a small gap, depending on how the container was created. Build the image then burn the image into a container or use a build file.

While we expect most of these containers would be created in a consistent fashion, it's better to check than to assume. Reach out to the owner of the container image and ask. This is an open source community after all; you never know what kind of other useful nuggets you'll uncover!

How do I scan the license of my product and the associated dependencies?

Today, we help customers who want to work with containers integrate with their CI/CD build tools to scan the source code before creating the container image. The way FOSSA analyzes dependencies is different from most other tools; using our CLI, we integrate into the build process and connect directly to the package manager (like npm) after the project is built. This means we will analyze the dependencies that are actually pulled in during the build process so you can analyze all the dependencies in your container.

Does this mean FOSSA has access to my source code?

No, not if you integrate FOSSA into your build pipeline using FOSSA’s CLI. This will only give FOSSA access to the dependencies that are pulled in during the build process, which will be analyzed for licenses and security vulnerabilities.

Is there container scanning on FOSSA's roadmap?    

Yes, we are actively researching scanning Docker containers, although we haven't yet determined a release timeline. We are currently approaching this as a combination of analyzing the Docker config file and integrating into the build pipeline to analyze the source code loaded onto the container to identify all dependencies in the Docker image.

If you have any other questions, please feel free to reach out to us!

Albert Chen