Container and VM images bundle a large number of packages from many sources, which makes software composition analysis of them a real challenge.
The current industry standard for container compliance is to scan container images after they have been built in order to produce a Software Bill of Materials (SBoM). Tern is an open source inspection tool that creates an SBoM for exactly this purpose. As the complexity of Cloud Native applications and the containers they ship in increases, however, the need for a better compliance strategy becomes apparent. This talk will discuss the current state of Cloud Native compliance practices and the efforts by the Open Source Technology Center at VMware to tackle these issues, including the work on the SPDX 3.0 linkage profile, building containers with intrinsic SBoMs, and the features implemented in Tern to support intrinsic compliance for container images.
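To make the post-build scanning model concrete, here is an added example (not code from Tern, VMware or the talk) that consumes the kind of SPDX 2.x tag-value SBoM such a scanner emits. It parses the document, walks the DESCRIBES/CONTAINS relationships to list what the image contains, flags packages with no concluded license, and checks the one thing that ties a separately produced SBoM to an image: the recorded SHA256 of the described package against the digest of the image about to be deployed. The SBoM text, package names, checksum and the `example-scanner` creator string are all constructed for this example and do not describe a real image.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in SPDX 2.2 tag-value syntax, the format Tern can emit.
# Every value (image name, packages, checksum) is made up for this example.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-image
DocumentNamespace: https://example.invalid/spdxdocs/example-image
Creator: Tool: example-scanner-0.1
Created: 2021-06-01T00:00:00Z

PackageName: example-image
SPDXID: SPDXRef-image
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageChecksum: SHA256: 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
PackageLicenseConcluded: NOASSERTION

PackageName: libssl1.1
SPDXID: SPDXRef-libssl1.1
PackageVersion: 1.1.1d-0+deb10u6
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: OpenSSL

PackageName: busybox
SPDXID: SPDXRef-busybox
PackageVersion: 1.30.1-4
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: NOASSERTION

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-image
Relationship: SPDXRef-image CONTAINS SPDXRef-libssl1.1
Relationship: SPDXRef-image CONTAINS SPDXRef-busybox
"""

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


@dataclass
class Package:
    spdx_id: str
    fields: dict = field(default_factory=dict)


@dataclass
class SpdxDoc:
    fields: dict = field(default_factory=dict)         # document-level tags
    packages: dict = field(default_factory=dict)       # SPDXID -> Package
    relationships: list = field(default_factory=list)  # (src, type, dst)


def parse_tag_value(text: str) -> SpdxDoc:
    """Parse SPDX tag-value text. A PackageName tag opens a new package and
    later tags belong to it until the next PackageName; Relationship tags are
    collected wherever they appear, as SPDX allows them at the document end."""
    doc, pkg = SpdxDoc(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TAG_RE.match(line)
        if not m:
            raise ValueError(f"not a tag-value line: {raw!r}")
        tag, value = m.groups()
        if tag == "Relationship":
            src, rel, dst = value.split()
            doc.relationships.append((src, rel, dst))
        elif tag == "PackageName":
            pkg = Package(spdx_id="", fields={"PackageName": value})
        elif pkg is not None:
            if tag == "SPDXID":
                pkg.spdx_id = value
                doc.packages[value] = pkg
            pkg.fields[tag] = value
        else:
            doc.fields[tag] = value
    return doc


def described_package(doc: SpdxDoc) -> Package:
    """The package the document DESCRIBES, i.e. the image itself."""
    for src, rel, dst in doc.relationships:
        if src == "SPDXRef-DOCUMENT" and rel == "DESCRIBES":
            return doc.packages[dst]
    raise ValueError("SBOM has no DESCRIBES relationship")


def contained_packages(doc: SpdxDoc, root_id: str) -> list:
    """SPDXIDs reachable from root_id over CONTAINS edges (cycle-safe)."""
    seen, stack = [], [root_id]
    while stack:
        cur = stack.pop()
        for src, rel, dst in doc.relationships:
            if src == cur and rel == "CONTAINS" and dst not in seen:
                seen.append(dst)
                stack.append(dst)
    return seen


def sha256_of(pkg: Package):
    """SHA256 value from PackageChecksum, or None if none is recorded."""
    algo, _, digest = pkg.fields.get("PackageChecksum", "").partition(":")
    return digest.strip().lower() if algo.strip() == "SHA256" else None


def sbom_matches_image(doc: SpdxDoc, image_digest: str) -> bool:
    """A post-build scan yields the SBOM as a separate artifact; only this
    checksum ties it to the image, so refuse an SBOM whose digest differs."""
    if image_digest.startswith("sha256:"):
        image_digest = image_digest[len("sha256:"):]
    recorded = sha256_of(described_package(doc))
    return recorded is not None and recorded == image_digest.lower()


def packages_without_concluded_license(doc: SpdxDoc) -> list:
    """Names of contained packages the scanner could not assign a license."""
    root = described_package(doc).spdx_id
    return sorted(
        doc.packages[i].fields["PackageName"]
        for i in contained_packages(doc, root)
        if doc.packages[i].fields.get("PackageLicenseConcluded", "NOASSERTION") == "NOASSERTION"
    )


if __name__ == "__main__":
    d = parse_tag_value(SAMPLE_SBOM)
    print("contains:", contained_packages(d, described_package(d).spdx_id))
    print("unlicensed:", packages_without_concluded_license(d))
    print("bound to image:", sbom_matches_image(d, "sha256:" + "00" * 32))
```

The digest check is the weak point of the scan-after-build workflow the talk describes: because the SBoM lives outside the image, a consumer has to verify this binding out of band, and an image rebuilt without a fresh scan silently ships with a stale SBoM. An SBoM that is intrinsic to the image removes that gap, which is the motivation for the work the abstract announces.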
Speakers: Rose Judge