What does the "OSS Allow and Block" list capability do? 

 

Aqua provides a way to identify the open-source software (OSS) licenses present in the application packages of container images and in host operating system packages. You can add these OSS licenses to two categories, Allow and Block, and apply them to your assurance policy to meet compliance and regulatory governance requirements.

 

Aqua currently recognises over 100 open-source software licenses found in OS packages, and any of them can be applied to an image assurance policy.

 

A full list of these licences can be found here: 

 

Each OSS license has a unique identifier which Aqua recognises. The next section explains how to use these OSS licenses within a policy and how they are identified within scanned container images.

 

How do I use the OSS Allow and Block list within Aqua? 

 

This functionality is simple to activate and add to your defined host or image assurance policy. 

 

Navigate to the Policies category, select Assurance Policies, and then select the default Image Assurance Policy by clicking on the relevant item (as shown by the blue box).


 


 

Scroll down to the Controls section and choose one of the two OSS Licenses controls.

In the example below both controls are selected; for your use case you can select just one.


Note: In Aqua versions 5.0 and older, the Allow and Block lists were named differently. 


 

 

  1. Each Allow and Block list control provides a drop-down menu listing the most commonly used OSS licences. There are nineteen of these licences by default.

 


To add an OSS license that is not listed in the UI, you will need to:

  • select the Other licence option at the bottom of the drop-down menu.

  • enter the OSS license ID in the text box (next to the text “Click here for a complete list of known licenses and their ID”).

 

  2. For this example, we will add the OpenLDAP license, referenced from https://opensource.org/licenses/OLDAP-2.8, and then test our policy against a known OpenLDAP Docker image to identify it.

 

We can add the ID text OLDAP-2.8 into the text box associated with the license type Other. 

 

 

Once you have added your OSS licence in the text box, click the blue ADD button in the UI to make it permanent.  

 

You will see (as denoted by the blue underlining) that OLDAP-2.8 is now part of the allowed list for OSS licences. 

 

 

After clicking the SAVE button in the top right of the UI, navigate back to the Images UI; the OSS license allow/block control is now applied.

 

Your image assurance policy now permits the inclusion of container packages which include the OpenLDAP OSS licence. The next section explains how to identify the OSS licences within the images.

 

Image Scanning and License resource detection 

 
To take our scenario a step further: each time a container image is scanned within Aqua, the OSS package licenses within that image are identified.

 

If we look at the scanned image results for openshift/openldap-2441-centos7:latest via the Resources section tab, you will see all resources (that is, application and OS packages such as RPM, DEB and APK) and the license types found.

 

 



The column highlighted by the blue box shows the OSS licence type identified in our scan result (this view is abbreviated).
 

The results that you see after a scan depend on the OS type used within the container image and the programming languages detected within the packages (as denoted by the blue highlighted box).

 

Aqua uses different methods to find the license information: sometimes the license is recorded in the package manager metadata, sometimes in a license file shipped with the package.
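To make the allow/block semantics from the policy section and the per-package detection described above concrete, here is an added example (not Aqua's code) that evaluates an allow list or block list over package licence data in the shape of `rpm -qa --qf '%{NAME}\t%{LICENSE}\n'` output. The sample data, the use of licence IDs such as OLDAP-2.8 in place of the free-text strings real RPM metadata carries, and the rule that a package with no detectable licence is flagged rather than silently passed are all assumptions.

```python
"""Added example: evaluate an Allow or Block OSS licence list over the
package licences a scan reports. Not Aqua's code; data and semantics are assumed."""
import re
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed sample in the shape of `rpm -qa --qf '%{NAME}\t%{LICENSE}\n'`.
# Licence strings are written as IDs for clarity; real RPM metadata is free text.
SAMPLE_RPM_OUTPUT = """\
openldap-servers\tOLDAP-2.8
openssl-libs\tOpenSSL
glibc\tLGPL-2.1-or-later and GPL-2.0-or-later
mystery-tool\t
"""

class Finding(NamedTuple):
    package: str
    licence: str
    reason: str

def parse_rpm_licences(text: str) -> Dict[str, List[str]]:
    """Map package name -> list of licence IDs; compound expressions are split."""
    result: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, expr = line.partition("\t")
        # "A and B", "A or B" and "A/B" all name more than one licence
        result[name] = [t for t in re.split(r"\s+(?:and|or)\s+|/", expr.strip()) if t]
    return result

def evaluate(packages: Dict[str, List[str]], allowed: Optional[Set[str]] = None,
             blocked: Optional[Set[str]] = None) -> List[Finding]:
    """Allow list: every detected licence must be on it. Block list: none may be on it.
    A package whose licence could not be determined is reported for review."""
    findings: List[Finding] = []
    for pkg, ids in packages.items():
        if not ids:
            findings.append(Finding(pkg, "", "licence could not be determined"))
            continue
        for lic in ids:
            if blocked and lic in blocked:
                findings.append(Finding(pkg, lic, "licence is on the block list"))
            if allowed is not None and lic not in allowed:
                findings.append(Finding(pkg, lic, "licence is not on the allow list"))
    return findings

if __name__ == "__main__":
    pkgs = parse_rpm_licences(SAMPLE_RPM_OUTPUT)
    for f in evaluate(pkgs, allowed={"OLDAP-2.8", "OpenSSL", "LGPL-2.1-or-later"}):
        print(f"{f.package}: {f.licence or '-'}: {f.reason}")
```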