container-inspector icon indicating copy to clipboard operation
container-inspector copied to clipboard

Published 20 hours ago verified publisher icon nexB

Update intbitset

Open criztovyl opened this issue 1 year ago • 6 comments

I was looking around for a way to inspect (docker) container images on android (using termux, without root) and discovered this tool.

initially i ran into funny issues with intbitset due to python 3.11 (https://github.com/inveniosoftware-contrib/intbitset/issues/81), but if you update intbitset to 3.0.2, the tool runs quite fine in termux! :)

unfortunately this tool cannot download images, but for that i used https://github.com/NotGlop/docker-drag.

criztovyl avatar Jan 21 '24 10:01 criztovyl

@criztovyl Thanks! I happen to maintain https://github.com/inveniosoftware-contrib/intbitset so we can handle this easily enough. FYI, ScanCode.io does the full processing of Docker images but requires Postgres... so may be too big to run inside Android ... but this can show you what to call in container inspector. https://github.com/nexB/scancode.io/blob/main/scanpipe/pipelines/docker.py

Are you really trying to run "inside" an Android device?

NB: ScanCode.io does also download images from a container images registry/OCI using a bundled skopeo using this plugin https://github.com/nexB/scancode-plugins/tree/4df0cf04e1b7b6774ba6e983c7c57002f19327c9/builtins/fetchcode_container and this function https://github.com/nexB/scancode.io/blob/b10df0dbf5128f57e9dbc79d8eb5daa8f28eab7a/scanpipe/pipes/fetch.py#L214

pombredanne avatar Jan 21 '24 11:01 pombredanne

Ah "inspecting" here means "curiously look into"; I do not intend to run ScanCode.io inspections on Android. :)

I shortly considered skopeo independently, but did not further look into it. It might be a fun challenge, though.

criztovyl avatar Jan 21 '24 11:01 criztovyl

re:

unfortunately this tool cannot download images, but for that i used https://github.com/NotGlop/docker-drag.

This could be a nice way too, aside from skopeo.... Unfortunately there is no license there.... I pinged @NotGlop in https://github.com/NotGlop/docker-drag/issues/35

pombredanne avatar Jan 21 '24 11:01 pombredanne

Ah "inspecting" here means "curiously look into"; I do not intend to run ScanCode.io inspections on Android. :)

I shortly considered skopeo independently, but did not further look into it. It might be a fun challenge, though.

@criztovyl http://scancode.io should have a decent doc to get started. The syntax for docker images download is docker://image:tag_or_hash as in docker://debian

Creating a project will look like this: Screenshot 2024-01-21 at 12-38-41 ScanCode io

I reckon you you maybe looking for a CLI tool though you can also run ScanCode.io using the CLI and no UI. All the primitive functions are in this project as well as scancode-toolkit and fetchcode. scancode.io brings them together in a pipeline

pombredanne avatar Jan 21 '24 11:01 pombredanne

The results look like this: Screenshot 2024-01-21 at 12-42-43 ScanCode io docker __debian unstable-slim

and you can get various outputs and SBOMs out too

The CLI tutorials is at https://scancodeio.readthedocs.io/en/latest/tutorial_cli_analyze_docker_image.html

pombredanne avatar Jan 21 '24 11:01 pombredanne

@criztovyl https://github.com/NotGlop/docker-drag now has a license added by @NotGlop in https://github.com/NotGlop/docker-drag/issues/35 but this is a GPL which does not work here for use in an Apache-licensed library. We could instead integrate fetchcode_container but I still think we are better off doing this in ScanCode.io unless we have a pure python utility for here.

pombredanne avatar May 24 '24 06:05 pombredanne