Version 9.1.1

Black Duck Docker Inspector automates the process of using Black Duck to discover security, license, and operational risks associated with Docker images.

Ideally, you invoke Black Duck Docker Inspector through Synopsys Detect, but you can also invoke it directly in your environment. Invoking it through Synopsys Detect has two advantages: you always get the latest version of Docker Inspector, and Detect also runs the Black Duck Signature Scanner on the target image's container file system, which discovers components that Docker Inspector alone cannot see (anything not installed through the image's Linux package manager).

Black Duck Docker Inspector at work

The following is an overview of how Black Duck Docker Inspector works.

  1. Black Duck Docker Inspector inspects Docker images to discover packages (components).

  2. Docker Inspector discovers components by reading the target image's Linux package manager database, so the results are limited to the packages that the package manager knows about. Files added to the image by other means, for example binaries copied in with COPY or dependencies installed with a language-level tool such as pip or npm, are not reported.

  3. Docker Inspector turns the package manager's list of installed packages into a Black Duck project with a Bill of Materials (BOM) in which each discovered package is represented as a component.

  4. After Docker Inspector has run on an image, open the project in Black Duck to view the BOM it created.


Docker Inspector operational modes

Docker Inspector has the following operational modes:

  • Host mode (default) is for servers or virtual machines (VM) where Black Duck Docker Inspector can perform Docker operations using a Docker engine.
    In host mode, Black Duck Docker Inspector discovers components using the target Docker image's package manager. Black Duck Docker Inspector does this discovery without running the image, so it is safe to run on untrusted images.
    Black Duck Docker Inspector can pull the target Docker image to be inspected from a Docker registry such as Docker Hub. Alternatively, you can save an image to a .tar file by using the docker save command, then run Black Duck Docker Inspector on the .tar file.

  • Container mode is where Black Duck Docker Inspector runs inside a container started by Docker, Kubernetes, OpenShift, or another container platform. For information on running Black Duck Docker Inspector in container mode, refer to Deployment options.
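To make the overview above and the host-mode description of inspecting a saved image concrete, the following Python script is added here as an example; it is not code from Black Duck, Synopsys Detect or Docker Inspector. It builds a constructed `docker save`-style archive in memory (manifest.json plus one layer.tar per layer), flattens the layers in order, honouring `.wh.` whiteout entries, and then reads the DPKG and APK package databases out of the resulting file system. This is the same kind of static inspection the tool performs: the image is never run. The package stanzas, file names, the `vendored-tool` binary and the `example:1` tag are all constructed sample data; the database paths `var/lib/dpkg/status` and `lib/apk/db/installed` are the standard ones for dpkg and apk. RPM's binary database is deliberately left out of the parsing step.

```python
import io
import json
import posixpath
import tarfile

# Package-manager databases read from the image's file system. The RPM database is
# binary (Berkeley DB or SQLite), so this example parses only the two text formats;
# the layer-flattening step is the same for all three.
DPKG_STATUS = "var/lib/dpkg/status"
APK_INSTALLED = "lib/apk/db/installed"


def _tar_bytes(files):
    """Build an in-memory tar archive from {path: str | bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, content in files.items():
            data = content if isinstance(content, bytes) else content.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_saved_image(layers):
    """Constructed `docker save`-style archive: manifest.json plus one layer.tar per layer."""
    layer_names = [f"layer{i}/layer.tar" for i in range(len(layers))]
    entries = dict(zip(layer_names, (_tar_bytes(files) for files in layers)))
    entries["manifest.json"] = json.dumps([{"Config": "config.json",
                                            "RepoTags": ["example:1"],
                                            "Layers": layer_names}])
    return _tar_bytes(entries)


def flatten_image(saved_tar):
    """Apply layers in manifest order and return {path: bytes} for the final file system.
    Later layers overwrite earlier ones; a `.wh.<name>` entry deletes <name>.
    Opaque whiteouts (.wh..wh..opq) are not handled. Nothing from the image is executed."""
    fs = {}
    with tarfile.open(fileobj=io.BytesIO(saved_tar)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for layer_path in manifest[0]["Layers"]:
            layer_bytes = outer.extractfile(layer_path).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                for member in layer.getmembers():
                    name = member.name[2:] if member.name.startswith("./") else member.name
                    base = posixpath.basename(name)
                    if base.startswith(".wh."):
                        fs.pop(posixpath.join(posixpath.dirname(name), base[4:]), None)
                    elif member.isfile():
                        fs[name] = layer.extractfile(member).read()
    return fs


def parse_dpkg_status(text):
    """Return (format, name, version) for packages dpkg records as installed."""
    pkgs = []
    for stanza in text.split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line and not line[0].isspace() and ":" in line:  # skip continuation lines
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        # Removed-but-not-purged packages keep a stanza with a different Status; drop them.
        if "Package" in fields and fields.get("Status", "").endswith("installed"):
            pkgs.append(("dpkg", fields["Package"], fields["Version"]))
    return pkgs


def parse_apk_installed(text):
    """Return (format, name, version) for every stanza in /lib/apk/db/installed."""
    pkgs = []
    for stanza in text.split("\n\n"):
        fields = dict(line.split(":", 1) for line in stanza.splitlines() if ":" in line)
        if "P" in fields:
            pkgs.append(("apk", fields["P"], fields["V"]))
    return pkgs


def discover_components(saved_tar):
    """Flatten the image, then read whichever package database is present.
    Returns (components, sorted list of all file paths) so the gap is visible."""
    fs = flatten_image(saved_tar)
    found = []
    if DPKG_STATUS in fs:
        found += parse_dpkg_status(fs[DPKG_STATUS].decode())
    if APK_INSTALLED in fs:
        found += parse_apk_installed(fs[APK_INSTALLED].decode())
    return found, sorted(fs)


# Constructed sample: a Debian-style base layer, then an application layer that copies
# in an unmanaged binary and deletes /usr/bin/curl with a whiteout entry.
DPKG_TEXT = """\
Package: libssl3
Status: install ok installed
Version: 3.0.11-1~deb12u2
Description: Secure Sockets Layer toolkit
 shared libraries

Package: curl
Status: deinstall ok config-files
Version: 7.88.1-10
"""
BASE_LAYER = {DPKG_STATUS: DPKG_TEXT, "usr/bin/curl": b"\x7fELF..."}
APP_LAYER = {"usr/local/bin/vendored-tool": b"\x7fELF...", "usr/bin/.wh.curl": b""}
SAMPLE_IMAGE = build_saved_image([BASE_LAYER, APP_LAYER])

if __name__ == "__main__":
    components, paths = discover_components(SAMPLE_IMAGE)
    print("components:", components)
    print("files in flattened image:", paths)
```

Running the script shows the limitation the overview describes: `vendored-tool` is present in the flattened file system but absent from the component list because no package manager recorded it, and `curl`, whose dpkg stanza says it was removed, is not reported either. That unmanaged content is exactly what the Signature Scanner covers when Docker Inspector is run through Synopsys Detect. To feed a real image into the same kind of inspection, save it first with `docker save -o image.tar <image:tag>`, which is the standard Docker command and not something this example invokes.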

Inspecting images and discovering dependencies

Docker Inspector inspects Docker images and discovers dependencies.

  • Black Duck Docker Inspector discovers dependencies in the target image by making a request to an image inspector service (running inside a container).

  • Black Duck Docker Inspector can discover package manager-installed components in Linux Docker images that use the DPKG, RPM, or APK package manager database formats.

  • Black Duck Docker Inspector can inspect non-Linux images, such as Windows images, and images that contain no operating system, but it discovers no components in them. This is useful only when you need the target image's container file system, which Black Duck Docker Inspector can produce as output, for signature scanning.

Docker Inspector image inspector services

Black Duck Docker Inspector uses up to three container-based image inspector services, one for each of the supported Linux package manager database formats: DPKG, RPM, and APK.

...