Tern is a software package inspection tool for containers that is used to find the metadata of the packages installed in a container image.
“Tern gives users a deeper understanding of their container’s bill of materials so they can make better decisions about their container-based infrastructure, integration and deployment strategies,” the working group behind the project wrote.
It’s also a good tool for finding out about the contents of the container images that have been built.
It uses overlayfs to mount the first filesystem layer (also known as the BaseOS) used to build the container image and then executes scripts from the “command library” in a chroot environment to collect information about packages installed in that layer.
It then repeats those two steps (mount the next layer, run the command-library scripts in a chroot) for each remaining layer in the container image. Once done, it generates a report, for which several output formats are available.
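The per-layer inspection loop described above can be illustrated without overlayfs or a chroot by walking the layers of a saved image archive directly. The following is an added example written for this article, not Tern's own code: it assumes a `docker save`-style tarball (a `manifest.json` listing layer tars in order) and reads each layer's `var/lib/dpkg/status` file to compute which packages first appear in that layer. The sample image and package data are constructed inline so the script runs offline.

```python
import io
import json
import tarfile

# Constructed sample data: dpkg status files for two layers. Layer 2's copy
# is the full file again (as it would be after an apt install), so the
# per-layer "new packages" set must be computed by diffing against layer 1.
LAYER1_STATUS = """Package: libc6
Version: 2.31-13
Architecture: amd64

Package: bash
Version: 5.1-2
Architecture: amd64
"""
LAYER2_STATUS = LAYER1_STATUS + """
Package: curl
Version: 7.74.0-1
Architecture: amd64
"""


def _tar_bytes(files):
    """Build an in-memory tar archive from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed two-layer image in docker-save layout (assumed layout)."""
    layer1 = _tar_bytes({"var/lib/dpkg/status": LAYER1_STATUS.encode()})
    layer2 = _tar_bytes({"var/lib/dpkg/status": LAYER2_STATUS.encode()})
    manifest = [{"Config": "config.json",
                 "RepoTags": ["example:latest"],
                 "Layers": ["l1/layer.tar", "l2/layer.tar"]}]
    return _tar_bytes({
        "manifest.json": json.dumps(manifest).encode(),
        "l1/layer.tar": layer1,
        "l2/layer.tar": layer2,
    })


def parse_dpkg_status(text):
    """Return {package_name: version} from a dpkg status file."""
    pkgs = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            # Continuation lines (e.g. multi-line Description) start with a space.
            if ":" in line and not line.startswith(" "):
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "Package" in fields:
            pkgs[fields["Package"]] = fields.get("Version", "")
    return pkgs


def inspect_image(image_bytes):
    """Walk layers in manifest order; report packages seen and newly added per layer."""
    reports = []
    seen = {}  # cumulative view, standing in for the overlayfs mount
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as img:
        manifest = json.load(img.extractfile("manifest.json"))[0]
        for layer_name in manifest["Layers"]:
            layer_bytes = img.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                try:
                    status = layer.extractfile("var/lib/dpkg/status").read().decode()
                except KeyError:
                    status = ""  # layer did not touch the package database
            pkgs = parse_dpkg_status(status)
            new = {n: v for n, v in pkgs.items() if seen.get(n) != v}
            seen.update(pkgs)
            reports.append({"layer": layer_name, "packages": pkgs, "new_packages": new})
    return reports


if __name__ == "__main__":
    for report in inspect_image(build_sample_image()):
        print(report["layer"], "adds", sorted(report["new_packages"]))
```

Reading the status file straight out of the layer tar only works for package managers that keep a plain-text database; Tern's approach of mounting the layer and running the distribution's own commands in a chroot covers formats that need the package manager to interpret them, and also sees the effect of whiteout files that remove packages, which this example ignores.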
Tern is not meant to be a replacement for static analysis but simply a tool that automates some of the methods that developers and sysadmins use anyway.
“Tern was created to help developers meet open source compliance requirements for containers. Open source software compliance is a hard problem in general but it gets harder with containers due to the ability to reuse diff filesystems. How those filesystems were created is still an ad hoc process,” the team said.