Dockerfile and Docker Compose Trustlist and Replacement List

Matching Rules

Checking the basic image covers the trust_list.json and replaces_list.json files. The matching rules are as follows:

If the basic image and version are found in the trustlist, no message is displayed.
If the basic image is found in the trustlist but the version is not, the tool searches for the replacement list. If they are found in the replacement list, the tool prompts you to modify the version based on the replacement list.
If the basic image is found in the trustlist but the version is not, the tool searches for the replacement list. If they are not found in the replacement list, the tool prompts you to modify the version based on the trustlist.
If the basic image and version are not found in the trustlist or replacement list, a message is displayed prompting you to modify the image.

For a basic image not included in the trustlist or replacement list, configure the basic image (see the example in Procedure). After the configuration is complete, scan the Dockerfile and Docker Compose files again.

Example Scenario

Assume that the basic images are oraclelinux:6.10 and java:8u40-jre in the Dockerfile and Docker Compose files, respectively.

Source file 1: oraclelinux is found in the trustlist but the version is not.
```
image: oraclelinux:6.10
```
Source file 2: java:8u40-jre in found in the replacement list.
```
image: java:8u40-jre
```

Procedure

Use an SSH tool to remotely log in to the OS CLI.

Configure the trustlist.

Open the trust_list.json file.

          
               vi /opt/DevKit/devkitplugins/porting/config/sysmig/config_parser_resources/trust_list.json

/opt is the DevKit installation directory. Replace it with the actual directory.

Press i to enter the insert mode. The content in bold is the oraclelinux configuration.

{
  "notary": {
    "arm_version": ["signer-0.7.0", "signer", "server-0.7.0", "server", "signer-0.6.1-2", "server-0.6.1-2"],
    "recommended_version": "signer"
  },
  "oraclelinux": {
    "arm_version": ["8.10", "8-slim-fips", "8-slim", "8", "9-slim-fips", "9-slim", "9", "7.9", "7-slim-fips", "7-slim", "7", "8.9", "8.8", "8.7", "8.6", "8.5", "8.4", "8.3", "8.2", "7.8", "7.7", "8.1", "8.0", "7.6"],
    "recommended_version": "9"
  },
  ...
}

oraclelinux: Name of the basic image. Replace it with the actual one.
arm_version: Versions supported by the Arm architecture. Use commas (,) to separate multiple versions.
recommended_version: Recommended version.

Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.

Configure the replacement list.

Open the replaces_list.json file.

          
               vi /opt/DevKit/devkitplugins/porting/config/sysmig/config_parser_resources/replaces_list.json

/opt is the DevKit installation directory. Replace it with the actual directory.

Press i to enter the insert mode. The content in bold is the java:8u40-jre configuration.
```
{
  "java:8u40-jre": "openjdk:8-jre",
  "java:openjdk-8u40-jre": "openjdk:8-jre",
  "java:8u40": "openjdk:8-jdk",
  "java:8u40-jdk": "openjdk:8-jdk",
  ...
}
```
The format is as follows: Basic_image_and_version:Recommended_basic_image_and_version.
Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.

Scan the files.
- Basic image oraclelinux:6.10: If the basic image oraclelinux is found in the trustlist but the version 6.10 is not supported by the Arm architecture and is not found in the replacement list, change the version to a version recommended (for example 9) in the trustlist.
  Figure 1 Source file 1
- Basic image java:8u40-jre: If it is not found in the trustlist but found in the replacement list, change the basic image version to openjdk:8-jre as prompted by the replacement list.
  Figure 2 Source file 2

Parent topic: References