Static composition analysis of containers, virtual machines and other root filesystems
What's in your container?
Philippe Ombredanne is a passionate FOSS hacker, lead maintainer of the ScanCode toolkit and on a mission to enable easier and safer reuse of FOSS code with best-in-class open source tools for open source discovery, software composition analysis and license & security compliance at https://aboutcode.org
Philippe contributes to several other projects, including the Linux kernel SPDX-ification, the SPDX and ClearlyDefined projects, strace and several Python tools, and previously to JBoss, Eclipse and Mozilla. Philippe has also been a long-time Google Summer of Code mentor and org admin.
Work-wise, he is the CTO of nexB, a company that helps software teams track what's in their code with DejaCode, an open source governance and compliance dashboard.
No video of the event yet, sorry!
Linux root filesystems, virtual machine disk and container images routinely contain thousands of system packages, application packages and other custom software components.
Each of these components may have a different provenance, may be modified or vulnerable. Such a large number of packages creates a fertile ground for bugs, security and license issues to go unnoticed. Join me to discover a new approach and FOSS tool suite to perform a deep and extensive static analysis of a root filesystem with specific techniques for container and Docker images or virtual machines to uncover all the known and unknown third-party code they are composed of.
With this knowledge, we can validate whether code has been modified or tampered with, whether packages are subject to known vulnerabilities, and what their license is: these are essential items to proactively vet these components, reuse them safely, and build larger systems on top of them as a base.
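One concrete piece of the "has this code been modified?" check, as an added example that is not part of the talk and not ScanCode code: Debian-based root filesystems ship per-package file digests in `/var/lib/dpkg/info/<package>.md5sums`, so a static scanner can read those lists from an unpacked image and recompute each file's digest without ever running the container. The script below builds a constructed sample rootfs in a temporary directory (the package name `hello`, its paths and contents are all invented for the example), then reports files that match, differ, or are absent.

```python
"""
Verify files in an unpacked root filesystem against the digest lists that
dpkg records in var/lib/dpkg/info/<package>.md5sums.

Added example for static integrity checking of a rootfs; the sample
package and files are constructed here, not taken from a real image.
"""
import hashlib
import tempfile
from pathlib import Path


def parse_md5sums(text):
    """Parse dpkg's md5sums format: one '<md5hex>  <relative/path>' per line."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, relpath = line.partition("  ")  # two-space separator
        expected[relpath.strip()] = digest.lower()
    return expected


def md5_of_file(path):
    """Stream a file through MD5 (the digest dpkg records) in 64 KiB chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_rootfs(rootfs):
    """Compare every recorded file under `rootfs` with its shipped digest.

    Returns a dict with 'ok', 'modified' and 'missing' lists of
    (package, relative_path) tuples. Works on an unpacked image directory;
    nothing inside the rootfs is executed.
    """
    rootfs = Path(rootfs)
    info_dir = rootfs / "var/lib/dpkg/info"
    report = {"ok": [], "modified": [], "missing": []}
    for md5file in sorted(info_dir.glob("*.md5sums")):
        pkg = md5file.name[: -len(".md5sums")]
        for relpath, digest in parse_md5sums(md5file.read_text()).items():
            target = rootfs / relpath  # md5sums paths have no leading slash
            if not target.is_file():
                report["missing"].append((pkg, relpath))
            elif md5_of_file(target) != digest:
                report["modified"].append((pkg, relpath))
            else:
                report["ok"].append((pkg, relpath))
    return report


def build_sample_rootfs():
    """Construct a tiny rootfs with one tampered and one missing file.

    Everything here is invented sample data for the example.
    """
    root = Path(tempfile.mkdtemp(prefix="rootfs-"))
    files = {
        "usr/bin/hello": b"#!/bin/sh\necho hello\n",
        "usr/share/doc/hello/README": b"Hello package docs\n",
        "etc/hello.conf": b"verbose=0\n",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    # Record digests as the package "shipped" them ...
    lines = [f"{hashlib.md5(d).hexdigest()}  {rel}" for rel, d in files.items()]
    # ... plus one file the package lists but the image no longer contains.
    lines.append(f"{hashlib.md5(b'gone').hexdigest()}  usr/lib/hello/plugin.so")
    info = root / "var/lib/dpkg/info"
    info.mkdir(parents=True)
    (info / "hello.md5sums").write_text("\n".join(lines) + "\n")
    # Now alter one binary after the fact, as a post-install modification would.
    (root / "usr/bin/hello").write_bytes(b"#!/bin/sh\necho hello\necho injected\n")
    return root


if __name__ == "__main__":
    report = verify_rootfs(build_sample_rootfs())
    for status in ("modified", "missing"):
        for pkg, rel in report[status]:
            print(f"{status:8} {pkg}: {rel}")
    print(f"{len(report['ok'])} file(s) match their recorded digest")
```

Two caveats a practitioner should keep in mind: dpkg's lists are MD5, which is enough to catch accidental or unsophisticated changes but is not collision resistant, so a stronger check compares the installed files against the original `.deb` (or a distribution mirror) rather than against digests stored inside the same image; and conffiles under `/etc` are normally absent from `.md5sums`, so legitimate configuration edits are not what this check flags.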
- 2020 October 16 - 20:00
- 30 min
- Room 2
- Cloud and Containers
- Hat making
- Start Time: 2020 October 16 20:00
- Room 1