
TERN: Docker image inspection

TERN is an open source project from VMware that inspects the metadata of the packages installed in a container image. The tool generates a report giving a detailed, layer-by-layer explanation of the software components contained in the container image. If a Dockerfile is provided, the report indicates the Dockerfile lines that correspond to each of the file system layers. Link to the project on GitHub: TERN

Docker Hub hosts millions of Docker images, and not all of them are official images or come from a verified publisher. Using an image is therefore your own responsibility, without knowing exactly what it contains or whether it contains any software vulnerability.

In addition, TERN integrates with 2 very interesting extensions:

  • Scancode-toolkit: an analysis tool that detects licenses, copyrights, package manifests and direct dependencies in both source code and binary files. Link to the project: Scancode-toolkit
  • cve-bin-tool: a command-line tool that looks for a number of common vulnerable components (node, nginx, openssl, openvpn, openssh, systemd, mariadb, samba, postgresql, libpng, libxml2, expat and a few others) to let you know whether your system includes common libraries with known vulnerabilities. The project is from Intel®; more information here: cve-bin-tool

I install TERN with the 2 extensions on CentOS 7.

cve-bin-tool requires the following dependencies:

yum install centos-release-scl
yum install rh-python36
scl enable rh-python36 bash
yum install epel-release
yum install git attr unzip cabextract

We create a Python virtual environment:

python -m venv scanenv
cd scanenv
source bin/activate

We install the applications:

pip install --upgrade pip 
pip install tern cve-bin-tool

To install Scancode together with cve-bin-tool, carry out the previous steps and add the following packages:

yum install gcc zlib bzip2-libs xz-libs libxml2-devel libxslt-devel rh-python36-python-devel.x86_64
pip install tern cve-bin-tool scancode-toolkit[full]

 

We run TERN against a random ubuntu image from Docker Hub:

tern report -i imagen:latest -o ubuntutest3.txt

(I do not specify the name of the image)

TERN generated the following content in the file ubuntutest3.txt:

 

This report was generated by the Tern Project
Version: 2.3.0

Docker image:  :latest:
Layer 1:
info: Found 'Ubuntu 18.04.1 LTS' in /etc/os-release.
info: Retrieved by invoking listing in command_lib/base.yml
names:
in container:
dpkg --get-selections | cut -f1 -d':' | awk '{print $1}'

copyrights:
in container:
pkgs=`dpkg --get-selections | cut -f1 -d':' | awk '{print $1}'`
for p in $pkgs; do /bin/cat /usr/share/doc/$p/copyright; echo LICF; done

files:
in container:
pkgs=`dpkg --get-selections | cut -f1 -d':' | awk '{print $1}'`
for p in $pkgs; do files=`dpkg-query -L $p`; for file in $files; do if [ -f $file ]; then echo $file; fi; done; echo LICF; done

versions:
in container:
pkgs=`dpkg --get-selections | cut -f1 -d':' | awk '{print $1}'`
for p in $pkgs; do dpkg -l $p | awk 'NR>5 {print $3}'; done

warning: No listing method for 'srcs'. Additional analysis may be required.
No listing method for 'licenses'. Additional analysis may be required.

File licenses found in Layer: None
Packages found in Layer: adduser-3.116ubuntu1, apt-1.6.3ubuntu0.1, base-files-10.1ubuntu2.2, base-passwd-3.5.44, bash-4.4.18-2ubuntu1, bsdutils-1:2.31.1-0.4ubuntu3.1, bzip2-1.0.6-8.1, coreutils-8.28-1ubuntu1, dash-0.5.8-2.10, debconf-1.5.66, debianutils-4.8.4, diffutils-1:3.6-1, dpkg-1.19.0.5ubuntu2, e2fsprogs-1.44.1-1, fdisk-2.31.1-0.4ubuntu3.1, findutils-4.6.0+git+20170828-2, gcc-8-base-8-20180414-1ubuntu2, gpgv-2.2.4-1ubuntu1.1, grep-3.1-2, gzip-1.6-5ubuntu1, hostname-3.20, init-system-helpers-1.51, libacl1-2.2.52-3build1, libapt-pkg5.0-1.6.3ubuntu0.1, libattr1-1:2.4.47-2build1, libaudit-common-1:2.8.2-1ubuntu1, libaudit1-1:2.8.2-1ubuntu1, libblkid1-2.31.1-0.4ubuntu3.1, libbz2-1.0-1.0.6-8.1, libc-bin-2.27-3ubuntu1, libc6-2.27-3ubuntu1, libcap-ng0-0.7.7-3.1, libcom-err2-1.44.1-1, libdb5.3-5.3.28-13.1ubuntu1, libdebconfclient0-0.213ubuntu1, libext2fs2-1.44.1-1, libfdisk1-2.31.1-0.4ubuntu3.1, libffi6-3.2.1-8, libgcc1-1:8-20180414-1ubuntu2, libgcrypt20-1.8.1-4ubuntu1.1, libgmp10-2:6.1.2+dfsg-2, libgnutls30-3.5.18-1ubuntu1, libgpg-error0-1.27-6, libhogweed4-3.4-1, libidn2-0-2.0.4-1.1build2, liblz4-1-0.0~r131-2ubuntu3, liblzma5-5.2.2-1.3, libmount1-2.31.1-0.4ubuntu3.1, libncurses5-6.1-1ubuntu1.18.04, libncursesw5-6.1-1ubuntu1.18.04, libnettle6-3.4-1, libp11-kit0-0.23.9-2, libpam-modules-1.1.8-3.6ubuntu2, libpam-modules-bin-1.1.8-3.6ubuntu2, libpam-runtime-1.1.8-3.6ubuntu2, libpam0g-1.1.8-3.6ubuntu2, libpcre3-2:8.39-9, libprocps6-2:3.3.12-3ubuntu1.1, libseccomp2-2.3.1-2.1ubuntu4, libselinux1-2.7-2build2, libsemanage-common-2.7-2build2, libsemanage1-2.7-2build2, libsepol1-2.7-1, libsmartcols1-2.31.1-0.4ubuntu3.1, libss2-1.44.1-1, libstdc++6-8-20180414-1ubuntu2, libsystemd0-237-3ubuntu10.3, libtasn1-6-4.13-2, libtinfo5-6.1-1ubuntu1.18.04, libudev1-237-3ubuntu10.3, libunistring2-0.9.9-0ubuntu1, libuuid1-2.31.1-0.4ubuntu3.1, libzstd1-1.3.3+dfsg-2ubuntu1, login-1:4.5-1ubuntu1, lsb-base-9.20170808ubuntu1, mawk-1.3.3-17ubuntu3, mount-2.31.1-0.4ubuntu3.1, 
ncurses-base-6.1-1ubuntu1.18.04, ncurses-bin-6.1-1ubuntu1.18.04, passwd-1:4.5-1ubuntu1, perl-base-5.26.1-6ubuntu0.2, procps-2:3.3.12-3ubuntu1.1, sed-4.4-2, sensible-utils-0.0.12, sysvinit-utils-2.88dsf-59.10ubuntu1, tar-1.29b-2, ubuntu-keyring-2018.02.28, util-linux-2.31.1-0.4ubuntu3.1, zlib1g-1:1.2.11.dfsg-0ubuntu2
Licenses found in Layer: GPLv2+, GPL-2, PD, BSD-4-clause, LGPL, GPL-3+, LGPL-2+, LGPL-2.1+, BSD-3-clause, public-domain, BSD-2-clause, LGPL-3+, GPL-2+, MIT, public-domain-md5, public-domain-s-s-d, permissive, Expat, TinySCHEME, GPL-3+ or BSD-3-clause, RFC-Reference, LGPL-2.1, Public domain., LGPL-2.1+ or BSD-3-clause, g10-permissive, other, GPL-2+ with Autoconf exception, GAP, LGPL-3+ or GPL-2+, Unicode, config-h, none, probably-PD, noderivs, Autoconf, permissive-nowarranty, PD-debian, permissive-fsf, same-as-rest-of-p11kit, ISC, permissive-like-automake-output, BSD-3-Clause, LGPL-2.0+, GPL-2.0+, CC0-1.0, GPL-3+ or GFDL-1.2+, FreeSoftware, GPL-2+ with distribution exception, GFDL-1.2+, BSD-3-clause-with-patent-grant, zlib, BSD-3-clause-with-patent-grant and GPL-2, Artistic-2, Expat or GPL-1+ or Artistic, Artistic-dist, GPL-3+-WITH-BISON-EXCEPTION, BSD-3-clause-GENERIC, REGCOMP, and GPL-1+ or Artistic, HSIEH-BSD, Artistic, GPL-1+ or Artistic, DONT-CHANGE-THE-GPL, GPL-1+ or Artistic or Artistic-dist, GPL-2+ or Artistic, Artistic or GPL-1+ or Artistic-dist, BZIP, TEXT-TABS, BSD-4-clause-POWERDOG, RRA-KEEP-THIS-NOTICE, HSIEH-DERIVATIVE, S2P, SDBM-PUBLIC-DOMAIN, GPL-1+ or Artistic, and Unicode, GPL-1+, ZLIB, REGCOMP, BSD-3-clause-with-weird-numbering, GPL-1+ or Artistic, and BSD-4-clause-POWERDOG, GPL-1+ or Artistic, and BSD-3-clause-GENERIC, installsh, configure, All-permissive
————————————————

Layer 2:
warning:
Unrecognized Commands:set -xe
echo #!/bin/sh > /usr/sbin/policy-rc.d
echo exit 101 >> /usr/sbin/policy-rc.d
chmod +x /usr/sbin/policy-rc.d
dpkg-divert --local --rename --add /sbin/initctl
cp -a /usr/sbin/policy-rc.d /sbin/initctl
sed -i s/^exit.*/exit 0/ /sbin/initctl
echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/docker-apt-speedup
echo DPkg::Post-Invoke { rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true
> /etc/apt/apt.conf.d/docker-clean
echo APT::Update::Post-Invoke { rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true
>> /etc/apt/apt.conf.d/docker-clean
echo Dir::Cache::pkgcache
Dir::Cache::srcpkgcache
>> /etc/apt/apt.conf.d/docker-clean
echo Acquire::Languages none
> /etc/apt/apt.conf.d/docker-no-languages
echo Acquire::GzipIndexes true
Acquire::CompressionTypes::Order:: gz
> /etc/apt/apt.conf.d/docker-gzip-indexes
echo Apt::AutoRemove::SuggestsImportant false
> /etc/apt/apt.conf.d/docker-autoremove-suggests

File licenses found in Layer: None
Packages found in Layer: None
Licenses found in Layer: None
————————————————

Layer 3:
warning:
Unrecognized Commands:rm -rf /var/lib/apt/lists/*

File licenses found in Layer: None
Packages found in Layer: None
Licenses found in Layer: None
————————————————

Layer 4:
warning:
Unrecognized Commands:sed -i s/^#s*(deb.*universe)$/1/g /etc/apt/sources.list

File licenses found in Layer: None
Packages found in Layer: None
Licenses found in Layer: None
————————————————

Layer 5:
warning:
Unrecognized Commands:mkdir -p /run/systemd
echo docker > /run/systemd/container

File licenses found in Layer: None
Packages found in Layer: None
Licenses found in Layer: None
————————————————

Layer 6:
warning:
Unrecognized Commands:echo /usr/bin/debconf shared/accepted-oracle-license-v1-1 select true | /usr/bin/debconf-set-selections

File licenses found in Layer: None
Packages found in Layer: None
Licenses found in Layer: None
————————————————

Layer 7:
warning:
Ignored Commands:apt-get update

File licenses found in Layer: None
Packages found in Layer: None
Licenses found in Layer: None
————————————————

Layer 8:
info: Retrieved by invoking listing in command_lib/base.yml
names:
in container:
dpkg --get-selections | cut -f1 -d':' | awk '{print $1}'

copyrights:
in container:
pkgs=`dpkg --get-selections | cut -f1 -d':' | awk '{print $1}'`
for p in $pkgs; do /bin/cat /usr/share/doc/$p/copyright; echo LICF; done

files:
in container:
pkgs=`dpkg --get-selections | cut -f1 -d':' | awk '{print $1}'`
for p in $pkgs; do files=`dpkg-query -L $p`; for file in $files; do if [ -f $file ]; then echo $file; fi; done; echo LICF; done

versions:
in container:
pkgs=`dpkg --get-selections | cut -f1 -d':' | awk '{print $1}'`
for p in $pkgs; do dpkg -l $p | awk 'NR>5 {print $3}'; done

warning: No listing method for 'srcs'. Additional analysis may be required.
No listing method for 'licenses'. Additional analysis may be required.

File licenses found in Layer: None
Packages found in Layer: ca-certificates-20180409, cron-3.0pl1-128.1ubuntu1, dbus-1.12.2-1ubuntu1, dirmngr-2.2.4-1ubuntu1.1, distro-info-data-0.37ubuntu0.1, file-1:5.32-2ubuntu0.1, gir1.2-glib-2.0-1.56.1-1, gnupg-2.2.4-1ubuntu1.1, gnupg-l10n-2.2.4-1ubuntu1.1, gnupg-utils-2.2.4-1ubuntu1.1, gpg-2.2.4-1ubuntu1.1, gpg-agent-2.2.4-1ubuntu1.1, gpg-wks-client-2.2.4-1ubuntu1.1, gpg-wks-server-2.2.4-1ubuntu1.1, gpgconf-2.2.4-1ubuntu1.1, gpgsm-2.2.4-1ubuntu1.1, iso-codes-3.79-1, libapparmor1-2.12-4ubuntu5, libapt-inst2.0-1.6.3ubuntu0.1, libasn1-8-heimdal-7.5.0+dfsg-1, libassuan0-2.5.1-2, libdbus-1-3-1.12.2-1ubuntu1, libexpat1-2.2.5-3, libgirepository-1.0-1-1.56.1-1, libglib2.0-0-2.56.2-0ubuntu0.18.04.2, libglib2.0-data-2.56.2-0ubuntu0.18.04.2, libgssapi3-heimdal-7.5.0+dfsg-1, libhcrypto4-heimdal-7.5.0+dfsg-1, libheimbase1-heimdal-7.5.0+dfsg-1, libheimntlm0-heimdal-7.5.0+dfsg-1, libhx509-5-heimdal-7.5.0+dfsg-1, libicu60-60.2-3ubuntu3, libkrb5-26-heimdal-7.5.0+dfsg-1, libksba8-1.3.5-2, libldap-2.4-2-2.4.45+dfsg-1ubuntu1, libldap-common-2.4.45+dfsg-1ubuntu1, libmagic-mgc-1:5.32-2ubuntu0.1, libmagic1-1:5.32-2ubuntu0.1, libmpdec2-2.4.2-1ubuntu1, libnpth0-1.5-3, libpython3-stdlib-3.6.5-3ubuntu1, libpython3.6-minimal-3.6.6-1~18.04, libpython3.6-stdlib-3.6.6-1~18.04, libreadline7-7.0-3, libroken18-heimdal-7.5.0+dfsg-1, libsasl2-2-2.1.27~101-g0780600+dfsg-3ubuntu2, libsasl2-modules-2.1.27~101-g0780600+dfsg-3ubuntu2, libsasl2-modules-db-2.1.27~101-g0780600+dfsg-3ubuntu2, libsqlite3-0-3.22.0-1, libssl1.1-1.1.0g-2ubuntu4.1, libwind0-heimdal-7.5.0+dfsg-1, libxml2-2.9.4+dfsg1-6.1ubuntu1.2, lsb-release-9.20170808ubuntu1, mime-support-3.60ubuntu1, openssl-1.1.0g-2ubuntu4.1, pinentry-curses-1.1.0-1, powermgmt-base-1.33, python-apt-common-1.6.2, python3-3.6.5-3ubuntu1, python3-apt-1.6.2, python3-dbus-1.2.6-1, python3-gi-3.26.1-2, python3-minimal-3.6.5-3ubuntu1, python3-software-properties-0.96.24.32.5, python3.6-3.6.6-1~18.04, python3.6-minimal-3.6.6-1~18.04, readline-common-7.0-3, 
shared-mime-info-1.9-2, software-properties-common-0.96.24.32.5, ucf-3.0038, unattended-upgrades-1.1ubuntu1.18.04.5, xdg-user-dirs-0.17-1ubuntu1, xz-utils-5.2.2-1.3
Licenses found in Layer: GPL-2+, MPL-2.0, ISC, Paul-Vixie’s-license, Paul-Vixie’s-license and GPL-2+ and ISC, Artistic, Expat, BSD-3-clause-generic, Tcl-BSDish, GPL-2+ or AFL-2.1, and Tcl-BSDish, BSD-3-clause, GPL-2+ or AFL-2.1, g10-permissive, AFL-2.1, permissive, TinySCHEME, GPL-3+, GPL-3+ or BSD-3-clause, LGPL-2.1+, RFC-Reference, LGPL-3+, MIT-Old-Style-with-legal-disclaimer-2, BSD-2-Clause-netbsd, BSD-2-Clause-alike, public-domain, BSD-2-Clause-regents, MIT, BSD-2-clause, LGPL-2+, BSD-3-clause or GPL-2+, GPL-2, GPLv2+, custom, none, GAP~FSF, GPL-2+ with libtool exception, GAP, BSD, Permission to use, copy, modify, and distribute this software and, Permission to use, copy, modify, and distribute this software and its, This software is provided ‘as-is’, without any express or implied, By obtaining, using, and/or copying this software and/or its, Redistribution and use in source and binary forms, with or without, Permission to use, copy, modify, and distribute this software for any, Permission is hereby granted, free of charge, to any person obtaining, This software is provided as-is, without express or implied, Permission is hereby granted, free of charge, to any person, BSD-4-clause, MIT-1, ad-hoc, Bellcore, LGPL-3+ or GPL-2+, X11, Permissive, config-h, probably-PD, noderivs, Autoconf, permissive-nowarranty, PD-debian, permissive-fsf, PD
————————————————

Layer 9:
warning:
Unrecognized Commands:add-apt-repository ppa:webupd8team/java

File licenses found in Layer: None
Packages found in Layer: None
Licenses found in Layer: None
————————————————

Layer 10:
warning:
Ignored Commands:apt-get update

File licenses found in Layer: None
Packages found in Layer: None
Licenses found in Layer: None
————————————————

Layer 11:
info: Retrieved by invoking listing in command_lib/base.yml
names:
in container:
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
dpkg --get-selections | cut -f1 -d':' | awk '{print $1}'

copyrights:
in container:
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
pkgs=`dpkg --get-selections | cut -f1 -d':' | awk '{print $1}'`
for p in $pkgs; do /bin/cat /usr/share/doc/$p/copyright; echo LICF; done

files:
in container:
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
pkgs=`dpkg --get-selections | cut -f1 -d':' | awk '{print $1}'`
for p in $pkgs; do files=`dpkg-query -L $p`; for file in $files; do if [ -f $file ]; then echo $file; fi; done; echo LICF; done

versions:
in container:
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
pkgs=`dpkg --get-selections | cut -f1 -d':' | awk '{print $1}'`
for p in $pkgs; do dpkg -l $p | awk 'NR>5 {print $3}'; done

warning: No listing method for 'srcs'. Additional analysis may be required.
No listing method for 'licenses'. Additional analysis may be required.

File licenses found in Layer: None
Packages found in Layer: binutils-2.30-21ubuntu1~18.04, binutils-common-2.30-21ubuntu1~18.04, binutils-x86-64-linux-gnu-2.30-21ubuntu1~18.04, gsfonts-1:8.11+urwcyr1.0.7~pre44-4.4, gsfonts-x11-0.25, java-common-0.63ubuntu1~02, libbinutils-2.30-21ubuntu1~18.04, libfontenc1-1:1.1.3-1, libfreetype6-2.8.1-2ubuntu2, libpng16-16-1.6.34-1ubuntu0.18.04.1, libpsl5-0.19.1-5build1, locales-2.27-3ubuntu1, oracle-java8-installer-8u181-1~webupd8~1, oracle-java8-set-default-8u181-1~webupd8~1, publicsuffix-20180223.1310-1, wget-1.19.4-1ubuntu2.1, x11-common-1:7.7+19ubuntu7.1, xfonts-encodings-1:1.0.4-2, xfonts-utils-1:7.7+6
Licenses found in Layer: GPL-2, GPL-2+, GZip, FTL, BSD-2-Clause, GPL-2+ or FTL, BSD-3-Clause, Catharon-OSL, OpenGroup-BSD-like, BSD-like-with-advertising-clause, Apache-2.0, libpng OR Apache-2.0 OR BSD-3-clause, BSD-3-clause, expat, libpng, GPL-2+ or BSD-like-with-advertising-clause, Chromium, MIT, GPL-3+, CC Attribution-Noncommercial 4.0, MPL-2.0, CC0
————————————————

Layer 12:
info: Retrieved by invoking listing in command_lib/base.yml
names:
in container:
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
dpkg --get-selections | cut -f1 -d':' | awk '{print $1}'

copyrights:
in container:
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
pkgs=`dpkg --get-selections | cut -f1 -d':' | awk '{print $1}'`
for p in $pkgs; do /bin/cat /usr/share/doc/$p/copyright; echo LICF; done

files:
in container:
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
pkgs=`dpkg --get-selections | cut -f1 -d':' | awk '{print $1}'`
for p in $pkgs; do files=`dpkg-query -L $p`; for file in $files; do if [ -f $file ]; then echo $file; fi; done; echo LICF; done

versions:
in container:
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
pkgs=`dpkg --get-selections | cut -f1 -d':' | awk '{print $1}'`
for p in $pkgs; do dpkg -l $p | awk 'NR>5 {print $3}'; done

warning: No listing method for 'srcs'. Additional analysis may be required.
No listing method for 'licenses'. Additional analysis may be required.

File licenses found in Layer: None
Packages found in Layer: dmsetup-2:1.02.145-4.1ubuntu3, krb5-locales-1.16-2build1, libargon2-0-0~20161029-1.1, libbsd0-0.8.7-1, libcap2-1:2.25-1.2, libcryptsetup12-2:2.0.2-1ubuntu1.1, libdevmapper1.02.1-2:1.02.145-4.1ubuntu3, libedit2-3.1-20170329-1, libgssapi-krb5-2-1.16-2build1, libidn11-1.33-2.1ubuntu1, libip4tc0-1.6.1-2ubuntu2, libjson-c3-0.12.1-1.3, libk5crypto3-1.16-2build1, libkeyutils1-1.5.9-9.2ubuntu2, libkmod2-24-1ubuntu3, libkrb5-3-1.16-2build1, libkrb5support0-1.16-2build1, libnss-systemd-237-3ubuntu10.3, libpam-systemd-237-3ubuntu10.3, libssl1.0.0-1.0.2n-1ubuntu5.1, libwrap0-7.6.q-27, libx11-6-2:1.6.4-3ubuntu0.1, libx11-data-2:1.6.4-3ubuntu0.1, libxau6-1:1.0.8-1, libxcb1-1.13-1, libxdmcp6-1:1.1.2-3, libxext6-2:1.3.3-1, libxmuu1-2:1.1.2-2, multiarch-support-2.27-3ubuntu1, ncurses-term-6.1-1ubuntu1.18.04, networkd-dispatcher-1.7-0ubuntu3.2, openssh-client-1:7.6p1-4, openssh-server-1:7.6p1-4, openssh-sftp-server-1:7.6p1-4, python3-certifi-2018.1.18-2, python3-chardet-3.0.4-1, python3-idna-2.6-1, python3-pkg-resources-39.0.1-2, python3-requests-2.18.4-2, python3-six-1.11.0-2, python3-urllib3-1.22-1, ssh-import-id-5.7-0ubuntu1.1, systemd-237-3ubuntu10.3, systemd-sysv-237-3ubuntu10.3, xauth-1:1.0.10-1
Licenses found in Layer: CC0 or Apache-2.0, CC0, Apache-2.0, ISC, BSD-2-clause-verbatim, Expat, BSD-3-clause-Peter-Wemm, BSD-4-clause-Niels-Provos, BSD-2-clause-author, BSD-3-clause, BSD-3-clause-Regents, BSD-5-clause-Peter-Wemm, BSD-2-clause, ISC-Original, public-domain, BSD-2-clause-NetBSD, BSD-4-clause-Christopher-G-Demetriou, BSD-3-clause-John-Birrell, public-domain-Colin-Plumb, Beerware, BSD-3-clause or GPL-2+, GPL-2, GPL-2+, BSD-3-clause or GPL-2, LGPL-2.1+, GPL-3+, GFDL-1.3+, LGPL-3+ or GPL-2+, GAP, custom, Artistic-2, MIT, LGPL-2+, CC0-1.0, Expat-with-advertising-restriction, Powell-BSD-style, Mazieres-BSD-style, OpenSSH, Beer-ware, MPL-2, PSF-2, Unicode, BSD-3-clause and PSF-2, BSD-3-clause and PSF-2 and Unicode, Apache, GPL-3
————————————————

Layer 13:
warning:
Unrecognized Commands:mkdir /var/run/sshd

File licenses found in Layer: None
Packages found in Layer: None
Licenses found in Layer: None
————————————————

Layer 14:
warning:
Unrecognized Commands:sed -ri s/^PermitRootLogins+.*/PermitRootLogin yes/ /etc/ssh/sshd_config

File licenses found in Layer: None
Packages found in Layer: None
Licenses found in Layer: None
————————————————

Layer 15:
warning:
Unrecognized Commands:sed -ri s/UsePAM yes/#UsePAM yes/g /etc/ssh/sshd_config

File licenses found in Layer: None
Packages found in Layer: None
Licenses found in Layer: None
————————————————

Layer 16:
warning:
Unrecognized Commands:#(nop) COPY file:0ff5c60707fe562b5f2d29d8e16cd415e7d8fe85f0346241e2d7e05b777d9727 in /etc/init.sh

File licenses found in Layer: None
Packages found in Layer: None
Licenses found in Layer: None
————————————————

###########################################
# Summary of licenses found in Container: #
###########################################
BSD-like-with-advertising-clause, BSD-3-clause-with-patent-grant, ISC, BSD-2-clause-verbatim, LGPL-2.1+ or BSD-3-clause, Paul-Vixie’s-license, ISC-Original, GZip, BSD-2-Clause-regents, Chromium, REGCOMP, and GPL-1+ or Artistic, public-domain-Colin-Plumb, Beerware, same-as-rest-of-p11kit, Redistribution and use in source and binary forms, with or without, DONT-CHANGE-THE-GPL, FTL, GFDL-1.3+, GPL-3, GPL-2+ or Artistic, BZIP, permissive-fsf, BSD-2-clause-author, TEXT-TABS, BSD-4-clause-POWERDOG, BSD-2-Clause, LGPL-2+, CC0-1.0, Permission is hereby granted, free of charge, to any person obtaining, Apache-2.0, All-permissive, BSD-3-clause-John-Birrell, GPL-2+, S2P, MIT, GPL-1+ or Artistic, and Unicode, Paul-Vixie’s-license and GPL-2+ and ISC, public-domain-s-s-d, MPL-2, BSD-2-clause, Powell-BSD-style, GPL-1+ or Artistic, and BSD-4-clause-POWERDOG, BSD-3-clause and PSF-2 and Unicode, Permission to use, copy, modify, and distribute this software and its, GPL-3+, Artistic-dist, zlib, CC0, RFC-Reference, OpenGroup-BSD-like, OpenSSH, configure, Artistic, FreeSoftware, TinySCHEME, Public domain., Permission to use, copy, modify, and distribute this software for any, GPL-1+ or Artistic or Artistic-dist, LGPL-2.0+, PD-debian, X11, libpng, BSD-4-clause-Christopher-G-Demetriou, By obtaining, using, and/or copying this software and/or its, Permissive, permissive, probably-PD, CC0 or Apache-2.0, public-domain-md5, installsh, BSD-3-Clause, REGCOMP, Expat or GPL-1+ or Artistic, BSD-2-Clause-alike, BSD-4-clause-Niels-Provos, public-domain, g10-permissive, LGPL-3+, GFDL-1.2+, config-h, GPL-3+ or GFDL-1.2+, MIT-Old-Style-with-legal-disclaimer-2, permissive-like-automake-output, BSD-3-clause-Peter-Wemm, GPL-1+ or Artistic, Apache, LGPL-3+ or GPL-2+, BSD-3-clause, GPL-2+ or AFL-2.1, BSD-5-clause-Peter-Wemm, PSF-2, GPL-2+ with Autoconf exception, Catharon-OSL, BSD-3-clause or GPL-2, GAP~FSF, LGPL, This software is provided ‘as-is’, without any express or implied, RRA-KEEP-THIS-NOTICE, This 
software is provided as-is, without express or implied, HSIEH-DERIVATIVE, Unicode, GAP, BSD-3-clause and PSF-2, GPL-2+ or BSD-like-with-advertising-clause, Permission to use, copy, modify, and distribute this software and, Expat-with-advertising-restriction, BSD-3-clause or GPL-2+, Expat, SDBM-PUBLIC-DOMAIN, MPL-2.0, ZLIB, noderivs, LGPL-2.1+, GPL-2+ or AFL-2.1, and Tcl-BSDish, GPL-2, BSD-2-clause-NetBSD, GPL-1+ or Artistic, and BSD-3-clause-GENERIC, AFL-2.1, ad-hoc, BSD-4-clause, Artistic-2, BSD-3-clause-generic, BSD-3-clause-with-patent-grant and GPL-2, libpng OR Apache-2.0 OR BSD-3-clause, Autoconf, GPL-3+-WITH-BISON-EXCEPTION, Mazieres-BSD-style, Bellcore, BSD-3-clause-GENERIC, expat, PD, GPLv2+, HSIEH-BSD, Beer-ware, BSD-2-Clause-netbsd, Artistic or GPL-1+ or Artistic-dist, permissive-nowarranty, GPL-2+ with libtool exception, other, BSD, GPL-2.0+, LGPL-2.1, GPL-2+ or FTL, GPL-2+ with distribution exception, custom, Permission is hereby granted, free of charge, to any person, none, GPL-1+, MIT-1, Tcl-BSDish, GPL-3+ or BSD-3-clause, BSD-3-clause-Regents, CC Attribution-Noncommercial 4.0, BSD-3-clause-with-weird-numbering

 

The report gives useful information about each layer that makes up the image: the commands that were executed and the version of every installed package.

TERN is a very useful tool, especially if you distrust the origin of a Docker image.
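
A report in this layout can be screened automatically, layer by layer. The following Python code is an added example, not part of Tern or of the original post: it parses the plain-text report format shown above and flags layers whose build commands or packages merit a closer look. The rule list, the package watch-list and the function names are assumptions chosen for illustration, and the sample is a constructed excerpt based on Layers 9, 12, 14 and 15 of the report.

```python
import re

# Hypothetical review rules (assumptions, not part of Tern): build commands
# and package-name prefixes that deserve a closer look in an untrusted image.
COMMAND_RULES = [
    (re.compile(r"PermitRootLogin yes"), "sshd root login enabled"),
    (re.compile(r"#UsePAM yes"), "PAM disabled for sshd"),
    (re.compile(r"add-apt-repository\s+ppa:"), "third-party PPA added"),
]
PACKAGE_WATCH = ("openssh-server-",)
LAYER_RE = re.compile(r"^Layer (\d+):\s*$")
CMD_RE = re.compile(r"^(?:Unrecognized|Ignored) Commands:(.*)$")

# Constructed excerpt in the layout of the report above (lists shortened).
SAMPLE_REPORT = """\
Layer 9:
Unrecognized Commands:add-apt-repository ppa:webupd8team/java

File licenses found in Layer: None
Packages found in Layer: None
Licenses found in Layer: None
Layer 12:
Packages found in Layer: openssh-client-1:7.6p1-4,
openssh-server-1:7.6p1-4, systemd-237-3ubuntu10.3
Licenses found in Layer: OpenSSH, ISC
Layer 14:
Unrecognized Commands:sed -ri s/^PermitRootLogins+.*/PermitRootLogin yes/ /etc/ssh/sshd_config
Layer 15:
Unrecognized Commands:sed -ri s/UsePAM yes/#UsePAM yes/g /etc/ssh/sshd_config
"""


def parse_report(text):
    """Return one dict per layer: number, build commands, packages."""
    layers, cur, mode = [], None, None
    for line in text.splitlines():
        layer = LAYER_RE.match(line)
        if layer:
            cur = {"layer": int(layer.group(1)), "commands": [], "packages": []}
            layers.append(cur)
            mode = None
            continue
        if cur is None:
            continue  # report header before the first layer
        cmd = CMD_RE.match(line)
        if cmd:
            mode, line = "cmd", cmd.group(1)
        elif line.startswith("Packages found in Layer:"):
            mode, line = "pkg", line.split(":", 1)[1]
        elif line.startswith(("File licenses found", "Licenses found")):
            mode = None
        if mode == "cmd" and line.strip():
            cur["commands"].append(line.strip())
        elif mode == "pkg":  # long package lists wrap onto following lines
            names = (p.strip() for p in line.split(","))
            cur["packages"] += [p for p in names if p and p != "None"]
    return layers


def audit(layers):
    """Return (layer number, finding) pairs from commands and packages."""
    findings = []
    for layer in layers:
        for cmd in layer["commands"]:
            findings += [(layer["layer"], label)
                         for pattern, label in COMMAND_RULES if pattern.search(cmd)]
        findings += [(layer["layer"], "package present: " + pkg)
                     for pkg in layer["packages"] if pkg.startswith(PACKAGE_WATCH)]
    return findings


if __name__ == "__main__":
    for number, finding in audit(parse_report(SAMPLE_REPORT)):
        print(f"Layer {number}: {finding}")
```

To screen a real report, pass the contents of the file written by `tern report -o` to `parse_report` instead of the constructed sample.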

I hope you find it useful.