Loading...

Type: Bug
Resolution: Not a Bug
Priority: Highest
Fix Version/s: None
Affects Version/s: Jakarta Release
Component/s: None
Labels:
None

The tern scan below indicates the image 'onap/integration-python:9.1.0' contains libuuid but does not disclose its license, actually it is GPL-3.0 which will be disclosed by derived image, e.g. 'nexus3.onap.org:10001/onap/multicloud/framework:1.7.3'

$ tern report -o int-py39-output.txt -i nexus3.onap.org:10001/onap/integration-python:9.1.0
=======================================================================================

Layer 3:
info: Layer created by commands: /bin/sh c set -ex && apk add --no-cache --virtual .fetch-deps gnupg tar xz && wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]}/Python$PYTHON_VERSION.tar.xz" && wget ~~O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]~~}/Python$PYTHON_VERSION.tar.xz.asc" && export GNUPGHOME="$(mktemp -d)" && gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY" && gpg --batch --verify python.tar.xz.asc python.tar.xz &&

{ command -v gpgconf > /dev/null && gpgconf --kill all || :; }

&& rm rf "$GNUPGHOME" python.tar.xz.asc && mkdir -p /usr/src/python && tar -xJC /usr/src/python --strip-components=1 -f python.tar.xz && rm python.tar.xz && apk add --no-cache --virtual .build-deps bluez-dev bzip2-dev dpkg-dev dpkg expat-dev gcc libc-dev libffi-dev libnsl-dev libtirpc-dev linux-headers make ncurses-dev openssl-dev pax-utils sqlite-dev tcl-dev tk tk-dev util-linux-dev xz-dev zlib-dev && apk del --no-network .fetch-deps && cd /usr/src/python && gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" && ./configure --build="$gnuArch" --enable-loadable-sqlite-extensions --enable-optimizations --enable-option-checking=fatal --enable-shared --with-system-expat --with-system-ffi --without-ensurepip && make -j "$(nproc)" EXTRA_CFLAGS="-DTHREAD_STACK_SIZE=0x100000" LDFLAGS="-Wl,-strip-all" && make install && rm -rf /usr/src/python && find /usr/local -depth ( ( -type d -a ( -name test -o -name tests -o -name idle_test ) ) -o ( -type f -a ( -name '.pyc' -o -name '.pyo' -o -name '.a' ) ) ) -exec rm -rf '{}' + && find /usr/local -type f -executable -not ( -name '*tkinter' ) -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' | tr ',' '\n' | sort -u | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0

{ next } { print "so:" $1 }' | xargs -rt apk add --no-cache --virtual .python-rundeps && apk del --no-network .build-deps && python3 --version
warning:
Unrecognized Commands:set -ex
wget ~~O python.tar.xz https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python~~$PYTHON_VERSION.tar.xz
wget ~~O python.tar.xz.asc https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python~~$PYTHON_VERSION.tar.xz.asc
gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys $GPG_KEY
gpg --batch --verify python.tar.xz.asc python.tar.xz
command -v gpgconf > /dev/null
gpgconf --kill all
rm -rf $GNUPGHOME python.tar.xz.asc
mkdir -p /usr/src/python
tar -xJC /usr/src/python --strip-components=1 -f python.tar.xz
rm python.tar.xz
cd /usr/src/python
--query DEB_BUILD_GNU_TYPE
./configure --build=$gnuArch --enable-loadable-sqlite-extensions --enable-optimizations --enable-option-checking=fatal --enable-shared --with-system-expat --with-system-ffi --without-ensurepip
make ~~j $(nproc) EXTRA_CFLAGS=-DTHREAD_STACK_SIZE=0x100000 LDFLAGS=-Wl,~~-strip-all
make install
rm -rf /usr/src/python
find /usr/local -depth ( ( -type d -a ( -name test -o -name tests -o -name idle_test ) ) -o ( -type f -a ( -name *.pyc -o -name *.pyo -o -name *.a ) ) ) -exec rm -rf {} +
find /usr/local -type f -executable -not ( -name tkinter ) -exec scanelf --needed --nobanner --format %n#p
| tr , n | sort -u | awk system([ -e /usr/local/lib/ $1 ]) == 0 { next }

{ print so: $1 }

| xargs -rt apk add --no-cache --virtual .python-rundeps
python3 --version

info: Retrieved package metadata using apk default method.

File licenses found in Layer: None
Packages found in Layer:
------------------------------------------------------------+

Package

Version

License(s)

Pkg Format

------------------------------------------------------------+

busybox	1.32.1-r6	apk
alpine-baselayout	3.2.0-r8	apk
alpine-keys	2.2-r0	apk
libcrypto1.1	1.1.1k-r0	apk
libssl1.1	1.1.1k-r0	apk
ca-certificates-bundle	20191127-r5	apk
libtls-standalone	2.9.1-r1	apk
ssl_client	1.32.1-r6	apk
zlib	1.2.11-r3	apk
apk-tools	2.12.5-r0	apk
scanelf	1.2.8-r0	apk
musl-utils	1.2.2-r0	apk
libc-utils	0.7.2-r3	apk
ca-certificates	20191127-r5	apk
tzdata	2021a-r0	apk
libffi	3.3-r2	apk
libintl	0.20.2-r2	apk
ncurses-terminfo-base	6.2_p20210109-r0	apk
ncurses-libs	6.2_p20210109-r0	apk
libbz2	1.0.8-r1	apk
sqlite-libs	3.34.1-r0	apk
xz-libs	5.2.5-r0	apk
musl	1.2.2-r1	apk
expat	2.2.10-r1	apk
libtirpc-conf	1.3.1-r0	apk
krb5-conf	1.0-r2	apk
libcom_err	1.45.7-r0	apk
keyutils-libs	1.6.3-r0	apk
libverto	0.3.1-r1	apk
krb5-libs	1.18.3-r1	apk
libtirpc	1.3.1-r0	apk
libnsl	1.3.0-r0	apk
libuuid	2.36.1-r1	apk
.python-rundeps	20210711.083045	apk

------------------------------------------------------------+

$ tern report -o mvbroker-output.txt -i nexus3.onap.org:10001/onap/multicloud/framework:1.7.3

libuuid

2.36.1-r1

GPL-3.0-or-later AND GPL-2.0-or-later AND GPL-2.0-only AND

apk

blocks

MULTICLOUD-1224 Multicloud dockers contain GPLv3

Closed

Details

Description

Attachments

Issue Links

Activity

People

Dates