Docker Inspector documentation has moved to the SIG Documentation Portal, to which you will be automatically redirected.

Redirect location: https://communitysig-product-docs.synopsys.com/s/document-item?bundleId=bundle/integrations-detect&topicId=introduction/page/components/inspectors.html&_LANG=enus

Note: The Confluence documentation below is for archival purposes only.

Version 9.4.3

Black Duck Docker Inspector automates the process of using Black Duck to discover security, license, and operational risks associated with Docker images.

Ideally, you invoke Black Duck Inspector using Synopsys Detect, but you can also invoke it directly in your environment. Invoking Black Duck Docker Inspector through Synopsys Detect has two advantages: you get the latest version of Docker Inspector, and Detect also invokes the Black Duck Signature Scanner on the target image container file system, which discovers components that Black Duck Docker Inspector is unable to discover.

Black Duck Docker Inspector

The following is an overview of how Black Duck Docker Inspector works.

...

Black Duck Docker Inspector inspects Docker images to discover packages (components).

...

Because Docker Inspector discovers components from the target Docker image package manager, the results are limited to those components. 

...

After running the Inspector on an image, you can view the BOM created in Black Duck.

...

Docker Inspector has the following operational modes:

...

Container mode is where the Inspector runs inside a container started by Docker, Kubernetes, OpenShift, and others. Refer to Deployment options for running Black Duck Docker Inspector in container mode.

Inspecting images and discovering dependencies

Docker Inspector inspects Docker images and discovers dependencies.

  • Black Duck Docker Inspector discovers dependencies in the target image by sending a request to an image inspector service running inside a container.

  • Black Duck Docker Inspector can discover package manager-installed components in Linux Docker images that use the DPKG, RPM, or APK package manager database formats.

  • Black Duck Docker Inspector can inspect non-Linux images such as Windows images and images that contain no operating system, but it doesn't discover any components. This is useful when you need the target image container file system, which Black Duck Docker Inspector can produce as output, for signature scanning.

Docker Inspector image inspector services

Black Duck Docker Inspector uses up to three container-based image inspector services, one for each supported Linux package manager database format: DPKG, RPM, APK.

By default, Black Duck Docker Inspector submits its request to inspect the target image to the DPKG (Ubuntu) image inspector service. A service that cannot handle a request redirects it to the appropriate image inspector service. For example, if the target image is a Red Hat image, the Ubuntu inspector service, which cannot inspect a Red Hat image, redirects to the CentOS inspector service, which can. If you know that most of your images have either RPM or APK databases, you can improve performance by configuring Black Duck Docker Inspector to send requests to the CentOS (RPM) or Alpine (APK) image inspector service using the property imageinspector.service.distro.default.

In host mode (the default), Black Duck Docker Inspector automatically uses the Docker engine to pull the following three images from Docker Hub as needed:

  • blackducksoftware/blackduck-imageinspector-alpine

  • blackducksoftware/blackduck-imageinspector-centos

  • blackducksoftware/blackduck-imageinspector-ubuntu

Black Duck Docker Inspector starts those services as needed and stops and removes the containers when Black Duck Docker Inspector exits. It uses a shared volume to share files, such as the target Docker image, between the Black Duck Docker Inspector utility and the three service containers.

Black Duck Docker Inspector supports Docker Image Specification v1.2.0 format .tar files.
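An added example, not part of Docker Inspector or the original page: a Python check that looks inside saved image .tar files for a DPKG, RPM, or APK database and tallies which inspector service a set of images would need, to inform the imageinspector.service.distro.default choice described above. Assumptions: the database paths are the standard Linux locations, the returned names are taken from the inspector image name suffixes listed above, layer whiteouts are ignored, and the sample images are constructed in memory.

```python
import io, json, posixpath, tarfile
from collections import Counter

# Standard Linux package database paths, mapped to the inspector image suffix
# named on this page (assumed here to match the property's accepted values).
PKG_DB_MARKERS = {
    "var/lib/dpkg/status": "ubuntu",    # DPKG
    "var/lib/rpm/": "centos",           # RPM (any file under the directory)
    "lib/apk/db/installed": "alpine",   # APK
}

def detect_distros(image_bytes):
    """Return the distros whose package DB appears in a `docker save` tar."""
    found = set()
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer in manifest[0]["Layers"]:
            with tarfile.open(fileobj=image.extractfile(layer)) as layer_tar:
                for name in layer_tar.getnames():
                    path = posixpath.normpath(name).lstrip("/")
                    for marker, distro in PKG_DB_MARKERS.items():
                        if path == marker or (marker.endswith("/") and path.startswith(marker)):
                            found.add(distro)
    return found

def suggest_default(images):
    """Most common distro across images; None if no image has a package DB."""
    tally = Counter(d for img in images for d in detect_distros(img))
    return tally.most_common(1)[0][0] if tally else None

def build_tar(files):
    """Build an in-memory tar from {path: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def make_image(layer_files):
    """Constructed one-layer image tar (manifest.json plus layer), not a real image."""
    manifest = json.dumps([{"RepoTags": ["sample:latest"], "Layers": ["layer0/layer.tar"]}])
    return build_tar({"manifest.json": manifest.encode(), "layer0/layer.tar": build_tar(layer_files)})

SAMPLES = [make_image(f) for f in (
    {"var/lib/rpm/Packages": b"x"}, {"var/lib/rpm/rpmdb.sqlite": b"x"},
    {"lib/apk/db/installed": b"P:busybox\n"}, {"app/server": b"static"},  # last: no OS
)]
print("imageinspector.service.distro.default =", suggest_default(SAMPLES))
```

An image that yields an empty set, like the last sample, corresponds to the case above where no components are discovered and only the container file system output is useful.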

In container mode, you start the container running Black Duck Docker Inspector and the three image inspector container-based services. All four containers share a mounted volume and can communicate through HTTP GET operations at the base URLs that you provide. Refer to Deployment options for running Black Duck Docker Inspector in container mode.

Previous versions of Black Duck Docker Inspector documentation are as follows:
version 9.1.1 | version 9.0.2 | version 9.01 | version 9.0.0 | version 8.3.1 | version 8.3.0