SBOMgen
This tutorial illustrates how to create SBOMs from containers using the tern CLI.
Install tern by running:
pip install tern
Verify installation by running:
tern -h
You should see:
usage: Tern [-h] [-q] [-l FILE] [-c] [-k] [-r] [-wd PATH] [-dr DRIVER_OPTION]
            [-v]
            {report,lock,debug} ...

Tern is a container image component curation tool. Tern retrieves
information about packages that are installed in a container image.
Learn more at https://github.com/tern-tools/tern

positional arguments:
  {report,lock,debug}   Subcommands
    report              Create a BoM report. Run 'tern report -h' for report format options.
    lock                Create an annotated Dockerfile that will pin the information it finds. Use this option to help achieve a more repeatable container image build.
    debug               Debug pieces of operation by themselves. This is useful when debugging scripts entered into the command library or drivers used for mounting the container image layers.

optional arguments:
  -h, --help            show this help message and exit
  -q, --quiet           Silences the output to the terminal;Useful when logging behaviour unnecessary
  -l FILE, --log-file FILE
                        Provide a custom file to write logs to.
                        Useful when writing logs to a different location.
  -c, --clear-cache     Clear the cache before running
  -k, --keep-wd         Keep the working directory after execution. Useful when debugging container images
  -r, --redo            Repopulate the cache for found layers
  -wd PATH, --working-dir PATH
                        Change default working directory to specified absolute path.
  -dr DRIVER_OPTION, --driver DRIVER_OPTION
                        Choose from the following storage drivers:
                        overlay2: Use the kernel's overlay2 storage driver
                        fuse: Use the fuse-overlayfs system tool
                        If no option is given, the default method of applying container layers in userspace will be used.
  -v, --version         show program's version number and exit
Create an SBOM file with tern by running:
tern report -o <output.file> -i <container:image> -f <output-format>
where <output-format> is one of:
spdxtagvalue
spdxjson
cyclonedxjson
json
yaml
html
You can create raw outputs to terminal by running:
tern report -i <container:image>
You can create SBOM formatted outputs to terminal by running:
tern report -i <container:image> -f <output-format>
This raw output can be saved to a file by running:
tern report -i <container:image> -o <output.file>
To create SBOM outputs from Dockerfiles, run:
tern report -d <path/to/Dockerfile> -f <output-format> -o <output-file>
For raw output to terminal:
tern report -d <path/to/Dockerfile>
For SBOM formatted output to terminal:
tern report -d <path/to/Dockerfile> -f <output-format>
For raw output to file:
tern report -d <path/to/Dockerfile> -o <output-file>
Issues arose with installation and running on Ubuntu 20.04. Skopeo does not appear to be available as a package in Ubuntu 20.04. These issues did not arise in Ubuntu 22.04.
If you have multiple Python versions on your machine, make sure the Python version you run tern with is the same one that pip installs packages into.
SBOMs generated by this tool may contain license IDs that are outside the CycloneDX schema's specification, which renders the BOM invalid.
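An added check for the license-ID problem described above (example code, not part of tern or of this project): it scans a CycloneDX JSON SBOM for license entries whose `id` is not a known SPDX identifier, which is the field the schema constrains, and moves such values to the free-text `name` field so the document validates. SPDX_IDS is a constructed subset of the SPDX license list and SAMPLE_BOM is a constructed document that imitates tern's output; both are assumptions of this example.

```python
import json

# Constructed subset of the SPDX license list; for real use load the licenseId
# values from the official https://spdx.org/licenses/licenses.json instead.
SPDX_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0-only",
            "GPL-3.0-or-later", "LGPL-2.1-or-later"}

def find_bad_license_ids(bom, spdx_ids=SPDX_IDS):
    """Return (component label, offending id) for every license whose `id` is not
    an SPDX identifier; free-text `name` and `expression` entries are accepted."""
    bad = []
    for comp in bom.get("components", []):
        label = comp.get("purl") or comp.get("name", "<unnamed>")
        for entry in comp.get("licenses", []):
            lic = entry.get("license")
            if not lic:
                continue  # {"expression": ...} form, or an empty entry
            lic_id = lic.get("id")
            if lic_id is not None and lic_id not in spdx_ids:
                bad.append((label, lic_id))
    return bad

def fix_license_ids(bom, spdx_ids=SPDX_IDS):
    """Return a deep copy in which every unknown `id` is moved to `name`, which the
    schema accepts as free text, so the BOM validates without losing the value."""
    fixed = json.loads(json.dumps(bom))
    for comp in fixed.get("components", []):
        for entry in comp.get("licenses", []):
            lic = entry.get("license") or {}
            lic_id = lic.get("id")
            if lic_id is not None and lic_id not in spdx_ids:
                lic["name"] = lic.pop("id")
    return fixed

# Constructed sample imitating a tern CycloneDX export of a Debian image.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.3",
    "components": [
        {"type": "library", "name": "libc6", "version": "2.31-13",
         "purl": "pkg:deb/debian/libc6@2.31-13",
         "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
        {"type": "library", "name": "bash", "version": "5.1-2",
         "purl": "pkg:deb/debian/bash@5.1-2",
         "licenses": [{"license": {"id": "GPL-3+"}}]},  # Debian shorthand, not SPDX
        {"type": "library", "name": "tzdata", "version": "2021a-1",
         "licenses": [{"license": {"name": "public domain"}}]},
    ],
}
```

To check a real tern export, load the file with `json.load` and pass the result to `find_bad_license_ids`; `fix_license_ids` returns a corrected copy you can write back out with `json.dump`.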
This section illustrates a CycloneDX JSON SBOM of a Debian image, produced via Tern.
Tern-Tools. (n.d.). Tern-Tools/tern: Tern is a software composition analysis tool and Python library that generates a software bill of materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more. GitHub. https://github.com/tern-tools/tern
Containers. (n.d.). Containers/Skopeo: Work with remote images registries - retrieving information, images, signing content. GitHub. https://github.com/containers/skopeo
CycloneDX v1.3 JSON reference. OWASP CycloneDX Software Bill of Materials (SBOM) Standard. (n.d.). https://cyclonedx.org/docs/1.3/