Black Duck Docker Inspector 9.1.1

Version 9.1.1

Black Duck Docker Inspector automates the process of using Black Duck to discover security, license, and operational risks associated with Docker images.

Ideally, you invoke Black Duck Docker Inspector through Synopsys Detect, but you can also invoke it directly in your environment. Invoking it through Synopsys Detect has two advantages: you get the latest version of Docker Inspector, and Detect also runs the Black Duck Signature Scanner on the target image container file system, which discovers components that Docker Inspector by itself cannot.

Black Duck Docker Inspector at work

The following is an overview of how Black Duck Docker Inspector works.

  1. Black Duck Docker Inspector inspects Docker images to discover the packages (components) installed in them.

  2. Docker Inspector discovers components by querying the target image's Linux package manager database, so the results are limited to the packages that the package manager knows about. Software added to the image by any other means is not discovered.

  3. Docker Inspector uses the appropriate Linux package manager (DPKG, RPM, or APK) to list the installed packages and creates a Black Duck project with a Bill of Materials (BOM) in which those packages are represented as components.

  4. After running Docker Inspector on an image, open Black Duck to view the BOM it created.


Docker Inspector operational modes

Docker Inspector has the following operational modes:

  • Host mode (default) is for servers or virtual machines (VM) where Black Duck Docker Inspector can perform Docker operations using a Docker engine.
    In host mode, Black Duck Docker Inspector discovers components using the target Docker image's package manager. Black Duck Docker Inspector does this discovery without running the image, so it is safe to run on untrusted images.
    Black Duck Docker Inspector can pull the target Docker image to be inspected from a Docker registry such as Docker Hub. Alternatively, you can save an image to a .tar file by using the docker save command, then run Black Duck Docker Inspector on the .tar file.

  • Container mode is where Black Duck Docker Inspector runs inside a container started by Docker, Kubernetes, OpenShift, and others. For information on running Black Duck Docker Inspector in container mode, refer to Deployment options.

Inspecting images and discovering dependencies

Docker Inspector inspects Docker images and discovers dependencies.

  • Black Duck Docker Inspector discovers dependencies in the target image by making a request to an image inspector service (running inside a container).

  • Black Duck Docker Inspector can discover package manager-installed components in Linux Docker images that use the DPKG, RPM, or APK package manager database formats.

  • Black Duck Docker Inspector can inspect non-Linux images such as Windows images, and images that contain no operating system, but it doesn't discover any components. This is useful if the target image container file system that Black Duck Docker Inspector can produce as output is required for signature scanning.

Docker Inspector image inspector services

Black Duck Docker Inspector uses up to three container-based image inspector services; one for each of the supported Linux package manager database formats: DPKG, RPM, APK.

By default, Black Duck Docker Inspector submits its request to inspect the target image to the DPKG (Ubuntu) image inspector service. A service that cannot handle a request redirects it to the image inspector service that can. For example, if the target image is a Red Hat image, the Ubuntu (DPKG) service cannot inspect it and redirects the request to the CentOS (RPM) service, which can. If you know that most of your images have RPM or APK databases, you can avoid that redirect and improve performance by configuring Black Duck Docker Inspector to send requests to the CentOS (RPM) or Alpine (APK) image inspector service instead, using the property imageinspector.service.distro.default.

In host mode (the default), Black Duck Docker Inspector automatically uses the Docker engine to pull the following three images from Docker Hub as needed:

  • blackducksoftware/blackduck-imageinspector-alpine

  • blackducksoftware/blackduck-imageinspector-centos

  • blackducksoftware/blackduck-imageinspector-ubuntu

Black Duck Docker Inspector starts those services as needed, and stops and removes the containers when Black Duck Docker Inspector exits. It uses a shared volume to share files, such as the target Docker image, between the Black Duck Docker Inspector utility and the three service containers.

Black Duck Docker Inspector supports Docker Image Specification v1.2.0 format .tar files.
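As an added example (not part of this page and not Docker Inspector's own code), the following Python script shows what the service selection described above is based on: it walks the layers of a Docker Image Specification v1.2 tar (the format docker save produces) in manifest order, applies whiteout entries so that a package database deleted by a later layer is not miscounted, and identifies the DPKG, RPM, or APK database that determines which image inspector service can handle the image. Run over the images you build most often, it suggests the value for imageinspector.service.distro.default. The marker paths (for example var/lib/dpkg/status and lib/apk/db/installed) are the standard package database locations and are an assumption of this example rather than something documented on this page; the sample images are constructed in memory, and the format-to-service mapping (DPKG to Ubuntu, RPM to CentOS, APK to Alpine) follows the text above.

```python
import io
import json
import os
import tarfile
from collections import Counter

# Files whose presence in the merged root filesystem identify the package-manager
# database format, and therefore which image inspector service can handle the image.
# Standard locations (assumption of this example), relative to the image root.
DB_MARKERS = {
    "dpkg": ("var/lib/dpkg/status",),
    "rpm": ("var/lib/rpm/Packages", "var/lib/rpm/rpmdb.sqlite",
            "usr/lib/sysimage/rpm/rpmdb.sqlite"),
    "apk": ("lib/apk/db/installed",),
}
# Image inspector service (blackducksoftware/blackduck-imageinspector-<name>) per format.
SERVICE_FOR_FORMAT = {"dpkg": "ubuntu", "rpm": "centos", "apk": "alpine"}

WHITEOUT_PREFIX = ".wh."
OPAQUE_WHITEOUT = ".wh..wh..opq"


def merged_paths(image_tar_bytes):
    """Walk the layers of a Docker Image Spec v1.2 tar (docker save output) in
    manifest order and return the set of paths in the merged filesystem.
    Whiteout entries delete paths from lower layers, so a package database that
    a later layer removed does not count as present."""
    present = set()
    with tarfile.open(fileobj=io.BytesIO(image_tar_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            layer_bytes = image.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                names = [os.path.normpath(m.name).lstrip("/") for m in layer.getmembers()]
            # Whiteouts apply to lower layers only, so apply them before this
            # layer's own additions regardless of entry order inside the tar.
            for name in names:
                parent, base = os.path.split(name)
                if base == OPAQUE_WHITEOUT:          # delete everything below parent
                    prefix = parent + "/" if parent else ""
                    present = {p for p in present if not p.startswith(prefix)}
                elif base.startswith(WHITEOUT_PREFIX):  # delete one path (and children)
                    target = os.path.join(parent, base[len(WHITEOUT_PREFIX):])
                    present = {p for p in present
                               if p != target and not p.startswith(target + "/")}
            present.update(n for n in names
                           if not os.path.basename(n).startswith(WHITEOUT_PREFIX))
    return present


def package_db_format(image_tar_bytes):
    """Return "dpkg", "rpm" or "apk", or None when the image has no supported
    package database (a scratch or Windows image: the container filesystem can
    still be produced for signature scanning, but no components are reported)."""
    paths = merged_paths(image_tar_bytes)
    for fmt, markers in DB_MARKERS.items():
        if any(marker in paths for marker in markers):
            return fmt
    return None


def recommended_default_service(image_tars):
    """Choose the imageinspector.service.distro.default value that spares the most
    redirects for a set of images: the service of the most common database format.
    Falls back to "ubuntu", Docker Inspector's own default, when nothing is found."""
    counts = Counter(f for f in map(package_db_format, image_tars) if f is not None)
    if not counts:
        return "ubuntu"
    return SERVICE_FOR_FORMAT[counts.most_common(1)[0][0]]


def _add_bytes(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_image_tar(layers):
    """Build a minimal Image Spec v1.2 tar in memory: one layer.tar per dict of
    path -> bytes, plus the manifest.json that lists them. Constructed test data,
    not a real image; layer directory names are placeholders, not real digests."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as image:
        layer_names = []
        for index, files in enumerate(layers):
            buf = io.BytesIO()
            with tarfile.open(fileobj=buf, mode="w") as layer:
                for path, data in files.items():
                    _add_bytes(layer, path, data)
            layer_names.append("%064x/layer.tar" % index)
            _add_bytes(image, layer_names[-1], buf.getvalue())
        manifest = [{"Config": "config.json", "RepoTags": ["example:latest"],
                     "Layers": layer_names}]
        _add_bytes(image, "manifest.json", json.dumps(manifest).encode())
    return out.getvalue()


# Constructed sample images (not real images).
UBUNTU_LIKE = build_image_tar([
    {"var/lib/dpkg/status": b"Package: bash\nStatus: install ok installed\n"},
])
RPM_LIKE = build_image_tar([{"var/lib/rpm/Packages": b"\x00"}])
# Base layer has a dpkg database; a later layer deletes it (whiteout) and adds an
# APK database, so the merged filesystem is an APK image.
REBASED_TO_APK = build_image_tar([
    {"var/lib/dpkg/status": b"Package: bash\nStatus: install ok installed\n"},
    {"var/lib/dpkg/.wh.status": b"", "lib/apk/db/installed": b"P:busybox\n"},
])
# No package database at all, e.g. a static binary on a scratch base.
SCRATCH = build_image_tar([{"app/server": b"\x7fELF"}])

if __name__ == "__main__":
    for label, tar in [("ubuntu-like", UBUNTU_LIKE), ("rpm-like", RPM_LIKE),
                       ("rebased", REBASED_TO_APK), ("scratch", SCRATCH)]:
        print(label, package_db_format(tar))
    print("default service:", recommended_default_service(
        [UBUNTU_LIKE, REBASED_TO_APK, REBASED_TO_APK, SCRATCH]))
```

To use it on real images, pass the bytes of a docker save output file to package_db_format; images that return None are the non-Linux or OS-less images for which Docker Inspector reports no components.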

In container mode, start the container running Black Duck Docker Inspector and the three image inspector service containers such that all four containers share a mounted volume and can reach each other over HTTP GET requests to base URLs that you provide. For information on running Black Duck Docker Inspector in container mode, refer to Deployment options.


Previous versions of Black Duck Docker Inspector documentation are as follows:
version 9.0.2 | version 9.0.1 | version 9.0.0 | version 8.3.1 | version 8.3.0

©2018 Synopsys, Inc. All Rights Reserved