Analyze Container Images and their Associated Licenses

Base Container Image

This product supports the following official container base images as the common base image layer for building images.

  1. Debian official container

  2. Amazon Linux2

  3. Eclipse Temurin

  4. Ubuntu

Note: The rest of this document uses the Debian base image as the example.

See the license information for details on Debian licenses and software package types. See also the Debian notes on the Debian official images.

As with all container images, the Debian container image can contain other software (such as bash, glibc, zlib, and others from the base distribution, along with any direct or indirect dependencies of the primary software included in the built image) that might be subject to other licenses.

The following links provide auto-detected license information for the Debian and Amazon Linux 2 official images:

For example, you can find information about the artifacts of the debian:bookworm-slim official image.

Note: The image user has the responsibility to ensure that any use of the image complies with all relevant licenses for all software contained within.

Additional Software Packages

Building an image often installs additional software packages (fetched from the official distribution software repositories, from other user-added repositories, or from specific locations) on top of the packages already provided by the base image. You can inspect the Dockerfiles to identify these additional packages.

For example, when you read the TIBCO BWCE Dockerfile, you see a list of packages that are installed in the image, as specified in the Dockerfile. Each such specified package can, in turn, install other software packages as dependencies.

Note: There are different ways to extract the list of installed packages and other installed artifacts. Detailed instructions for specialized software license analysis tools are outside the scope of this document. Retrieving information on software artifacts other than the software packages installed with the package manager tools is also outside the scope of this document. The following sections provide basic examples using standard container and package management tools.

Manually Retrieve Installed Packages Information

The document lists Debian and AmazonLinux as examples. You can use similar commands for other base image layers as well.

Debian

You can use the command dpkg-query to retrieve the full list of installed packages in a container image.

Example: To retrieve the list of installed packages in the debian:bookworm-slim image:

$ docker run --rm debian:bookworm-slim dpkg-query -l

Sample Result:

Unable to find image 'debian:bookworm-slim' locally
bookworm-slim: Pulling from library/debian
1f7ce2fa46ab: Pull complete 
Digest: sha256:2bc5c236e9b262645a323e9088dfa3bb1ecb16cc75811daf40a23a824d665be9
Status: Downloaded newer image for debian:bookworm-slim
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                    Version            Architecture Description
+++-=======================-==================-============-========================================================================
ii  adduser                 3.134              all          add and remove users and groups
ii  apt                     2.6.1              amd64        commandline package manager
ii  base-files              12.4+deb12u2       amd64        Debian base system miscellaneous files
ii  base-passwd             3.6.1              amd64        Debian base system master password and group files
ii  bash                    5.2.15-2+b2        amd64        GNU Bourne Again SHell
ii  bsdutils                1:2.38.1-5+b1      amd64        basic utilities from 4.4BSD-Lite
ii  coreutils               9.1-1              amd64        GNU core utilities
ii  dash                    0.5.12-2           amd64        POSIX-compliant shell
ii  debconf                 1.5.82             all          Debian configuration management system
ii  debian-archive-keyring  2023.3+deb12u1     all          GnuPG archive keys of the Debian archive
...

AmazonLinux

You can use the command rpm to retrieve the full list of installed packages in a container image.

Example: To retrieve the list of installed packages in the amazonlinux:2 image:

$ docker run --rm amazonlinux:2 rpm -qa --queryformat "%{NAME},%{VERSION} ,%{LICENSE}\n"

Sample Result:

ncurses-base,6.0 ,MIT
basesystem,10.0 ,Public Domain
glibc,2.26 ,LGPLv2+ and LGPLv2+ with exceptions and GPLv2+
libstdc++,7.3.1 ,GPLv3+ and GPLv3+ with exceptions and GPLv2+ with exceptions and LGPLv2+ and BSD
info,5.1 ,GPLv3+
xz-libs,5.2.2 ,LGPLv2+
popt,1.13 ,MIT
chkconfig,1.7.4 ,GPLv2
libffi,3.0.13 ,MIT and Public Domain
libxml2,2.9.1 ,MIT
libcrypt,2.26 ,LGPLv2+ and LGPLv2+ with exceptions and GPLv2+
libnghttp2,1.41.0 ,MIT
libdb-utils,5.3.21 ,BSD and LGPLv2 and Sleepycat
findutils,4.5.11 ,GPLv3+
libidn2,2.3.0 ,(GPLv2+ or LGPLv3+) and GPLv3+
p11-kit-trust,0.23.22 ,BSD
openssl-libs,1.0.2k ,OpenSSL
libssh2,1.4.3 ,BSD
cyrus-sasl-lib,2.1.26 ,BSD with advertising
shared-mime-info,1.8 ,GPLv2+
nss-sysinit,3.90.0 ,MPLv2.0
curl,8.3.0 ,curl
python-urlgrabber,3.10 ,LGPLv2+
python2-rpm,4.11.3 ,GPLv2+
yum-plugin-priorities,1.1.31 ,GPLv2+
vim-minimal,9.0.2081 ,Vim AND LGPL-2.1-or-later AND MIT AND GPL-1.0-only AND (GPL-2.0-only OR Vim) AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND GPL-2.0-or-later AND GPL-3.0-or-later AND OPUBL-1.0
tzdata,2023c ,Public Domain
filesystem,3.2 ,Public Domain
glibc-minimal-langpack,2.26 ,LGPLv2+ and LGPLv2+ with exceptions and GPLv2+
libsepol,2.5 ,LGPLv2+
zlib,1.2.7 ,zlib and Boost
libdb,5.3.21 ,BSD and LGPLv2 and Sleepycat
libcap,2.54 ,BSD or GPLv2
libgpg-error,1.12 ,LGPLv2+
libacl,2.2.51 ,LGPLv2+
libassuan,2.1.0 ,LGPLv2+ and GPLv3+
file-libs,5.11 ,BSD
expat,2.1.0 ,MIT
gdbm,1.13 ,GPLv3+
gawk,4.0.2 ,GPLv3+ and GPL and LGPLv3+ and LGPL and BSD
libunistring,0.9.3 ,LGPLv3+
libtasn1,4.10 ,GPLv3+ and LGPLv2+
coreutils,8.22 ,GPLv3+
python,2.7.18 ,Python
pyxattr,0.5.1 ,LGPLv2+
glib2,2.56.1 ,LGPLv2+
nss,3.90.0 ,MPLv2.0
rpm-libs,4.11.3 ,GPLv2+ and LGPLv2+ with exceptions
python-pycurl,7.19.0 ,LGPLv2+ or MIT
rpm-build-libs,4.11.3 ,GPLv2+ and LGPLv2+ with exceptions
yum,3.4.3 ,GPLv2+
libmetalink,0.1.3 ,MIT
vim-data,9.0.2081 ,Vim AND LGPL-2.1-or-later AND MIT AND GPL-1.0-only AND (GPL-2.0-only OR Vim) AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND GPL-2.0-or-later AND GPL-3.0-or-later AND OPUBL-1.0
setup,2.8.71 ,Public Domain
glibc-common,2.26 ,LGPLv2+ and LGPLv2+ with exceptions and GPLv2+
bash,4.2.46 ,GPLv3+
libselinux,2.5 ,Public Domain
nss-util,3.90.0 ,MPLv2.0
readline,6.2 ,GPLv3+
elfutils-libelf,0.176 ,GPLv2+ or LGPLv3+
libattr,2.4.46 ,LGPLv2+
p11-kit,0.23.22 ,BSD
grep,2.20 ,GPLv3+
libuuid,2.30.2 ,BSD
libgcrypt,1.5.3 ,LGPLv2+
nss-softokn,3.90.0 ,MPLv2.0
diffutils,3.3 ,GPLv3+
ncurses,6.0 ,MIT
libverto,0.2.5 ,MIT
python-libs,2.7.18 ,Python
pyliblzma,0.5.3 ,LGPLv3+
libmount,2.30.2 ,LGPLv2+
nss-pem,1.0.3 ,MPLv1.1
libcurl,8.3.0 ,curl
openldap,2.4.44 ,OpenLDAP
gnupg2,2.0.22 ,GPLv3+
pygpgme,0.3 ,LGPLv2+
amazon-linux-extras,2.0.3 ,GPLv2
gpg-pubkey,c87f5b1a ,pubkey
system-release,2 ,GPLv2
libgcc,7.3.1 ,GPLv3+ and GPLv3+ with exceptions and GPLv2+ with exceptions and LGPLv2+ and BSD
ncurses-libs,6.0 ,MIT
pcre,8.32 ,BSD
nspr,4.35.0 ,MPLv2.0
bzip2-libs,1.0.6 ,BSD
lua,5.1.4 ,MIT
sqlite,3.7.17 ,Public Domain
libcom_err,1.42.9 ,MIT
sed,4.2.2 ,GPLv3+
keyutils-libs,1.5.8 ,GPLv2+ and LGPLv2+
pinentry,0.8.1 ,GPLv2+
nss-softokn-freebl,3.90.0 ,MPLv2.0
cpio,2.12 ,GPLv3+
gmp,6.0.0 ,LGPLv3+ or GPLv2+
ca-certificates,2023.2.62 ,Public Domain
krb5-libs,1.15.1 ,MIT
python-iniparse,0.4 ,MIT
libblkid,2.30.2 ,LGPLv2+
yum-metadata-parser,1.1.4 ,GPLv2
nss-tools,3.90.0 ,MPLv2.0
rpm,4.11.3 ,GPLv2+
pth,2.0.7 ,LGPLv2+
gpgme,1.3.2 ,LGPLv2+
yum-plugin-ovl,1.1.31 ,GPLv2+
glibc-langpack-en,2.26 ,LGPLv2+ and LGPLv2+ with exceptions and GPLv2+
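
As an added example (not part of the original document or of the product), the following Python script turns the comma-separated rpm output above into a per-license inventory and lists the packages whose license matches a review pattern. The function names and the review pattern are assumptions; the sample lines are copied from the result above.

```python
import re
from collections import defaultdict

# Lines copied from the sample result above. The space before the second
# comma comes from the "%{VERSION} ," part of the query format.
SAMPLE = """\
ncurses-base,6.0 ,MIT
glibc,2.26 ,LGPLv2+ and LGPLv2+ with exceptions and GPLv2+
libidn2,2.3.0 ,(GPLv2+ or LGPLv3+) and GPLv3+
libcap,2.54 ,BSD or GPLv2
cyrus-sasl-lib,2.1.26 ,BSD with advertising
gpg-pubkey,c87f5b1a ,pubkey
"""


def parse_line(line):
    """Split one 'NAME,VERSION ,LICENSE' line; return None if malformed."""
    # maxsplit=2 keeps any comma inside the license text in the last field.
    parts = line.split(",", 2)
    if len(parts) != 3:
        return None
    name, version, expr = (p.strip() for p in parts)
    if not name or not expr:
        return None
    return name, version, expr


def license_terms(expr):
    """Break a license expression into its individual license names.

    Parentheses are dropped and the expression is split on and/or in either
    case, so 'LGPLv2+ with exceptions' stays one term.
    """
    flat = expr.replace("(", " ").replace(")", " ")
    terms = re.split(r"\s+(?:and|or)\s+", flat, flags=re.IGNORECASE)
    return [t.strip() for t in terms if t.strip()]


def build_inventory(text):
    """Map each license name to the sorted list of packages that carry it."""
    inventory = defaultdict(set)
    for line in text.splitlines():
        record = parse_line(line)
        # rpm lists imported GPG keys as 'gpg-pubkey' entries; they are not
        # software packages, so they are left out of the inventory.
        if record is None or record[0] == "gpg-pubkey":
            continue
        name, _version, expr = record
        for term in license_terms(expr):
            inventory[term].add(name)
    return {term: sorted(pkgs) for term, pkgs in inventory.items()}


def packages_matching(inventory, pattern):
    """Return packages with at least one license name matching the pattern."""
    rx = re.compile(pattern)
    hits = set()
    for term, pkgs in inventory.items():
        if rx.search(term):
            hits.update(pkgs)
    return sorted(hits)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE)
    for term in sorted(inv):
        print(f"{term}: {', '.join(inv[term])}")
    # Assumed review policy: list everything carrying a GPL or LGPL term.
    print("review:", packages_matching(inv, r"^L?GPL"))
```

To run it against a real image, pipe the output of the rpm command above into a file and pass its contents to build_inventory in place of SAMPLE.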

Manually Retrieve Installed Packages Licenses

Debian

You can use the command dpkg to retrieve the license for any installed package.

Example: To retrieve the license information for the installed package apt:

$ docker run --rm debian:bookworm-slim sh -c 'cat `dpkg -L apt | grep copyright`'

Sample Result:

Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: apt
Upstream-Contact: APT Development Team <deity@lists.debian.org>
Source: https://salsa.debian.org/apt-team/apt
Comment:
 APT is an old software with lots of contributors over its lifetime. This
 file is a best effort to document the statements of copyright and licenses
 as stated in the file, but is not a complete representation of all copyright
 holders - those have been lost to times.
 .
 Several bits of apt-pkg/contrib have had public domain dedications but
 contributions from authors in countries not recognizing a public domain
 concept. We believe that these contributions have been done in good faith,
 and we treat them as if they had been made under the GPL-2+ as we believe
 some contributors may have missed these facts and the overall license statement
 for the project has always been GPL-2+, so we cannot be sure that contributors
 meant to grant additional permissions.
 .
 Translation files are considered to generally be GPL-2+,
 but they also include strings used by methods/rsh.cc which appears to be GPL-2.
 As the translations are split into separate domains later on,
 these strings are not loaded by library users outside of apt
 (they are in the 'apt' translation domain).
 .
 The apt-pkg/contrib/fileutl.cc file states "RunScripts()" is "GPLv2".
 We believe that this was not meant to exclude later versions of the GPL,
 as that would have changed the overall project license.
Files: *
Copyright: 1997-1999 Jason Gunthorpe and others
           2018, 2019 Canonical Ltd
           2009, 2010, 2015, 2016 Julian Andres Klode <jak@debian.org>
           1998, Ben Gertzfield <che@debian.org>
           2002-2019 Free Software Foundation, Inc.
           2003, 2004, 2005, 2009, 2010, 2012 Software in the Public Interest
           2002-2003 Lars Bahner <bahner@debian.org>
           2003-2004 Axel Bojer <axelb@skolelinux.no>
           2004 Klaus Ade Johnstad <klaus@skolelinux.no>
           2004 Bjorn Steensrud <bjornst@powertech.no>
           2003, 2005-2010 Hans Fredrik Nordhaug <hans@nordhaug.priv.no>
           2016, 2018 Petter Reinholdtsen <pere@hungry.com>
           2009 Rosetta Contributors and Canonical Ltd 2009
           2013 Debian L10n Turkish 2013
           2013-2018 Mert Dirik <mertdirik@gmail.com>
           2004 Krzysztof Fiertek <akfedux@megapolis.pl>
           2000-2004, 2010, 2012  Robert Luberda <robert@debian.org>
           2000-2017 Debian Italian l10n team <debian-l10n-italian@lists.debian.org>
           2003-2017 Debian Japanese List <debian-japanese@lists.debian.org>
           2000-2018 Debian French l10n team <debian-l10n-french@lists.debian.org>
           1997 Manoj Srivastava
           1997 Tom Lees
           2014 Anthony Towns
License: GPL-2+
Files: methods/rsh.cc
Copyright: 2000 Ben Collins <bcollins@debian.org>
License: GPL-2
Comment:
 This file stated:
 Licensed under the GNU General Public License v2 [no exception clauses]
 .
 We believe that this was intended to be not a statement against future
 versions of the GPL, but meant to exclude the Qt license exception in
 place in APT until that time.
 .
 We received permission from Ben in 2021 to relicense under GPL-2+,
 contributions from Adam Heath and Daniel Hartwig may still have to
 be considered GPL-2 for the time being.
 .
 Other contributions are GPL-2+
Files: CMake/FindBerkeley.cmake
Copyright: 2006, Alexander Dymo, <adymo@kdevelop.org>
           2016, Julian Andres Klode <jak@debian.org>
License: BSD-3-clause
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions
 are met:
 .
 1. Redistributions of source code must retain the copyright
    notice, this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.
 3. The name of the author may not be used to endorse or promote products
    derived from this software without specific prior written permission.
 .
 THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Files: CMake/Documentation.cmake
       CMake/FindLFS.cmake
Copyright: 2016 Julian Andres Klode <jak@debian.org>
License: Expat
 Permission is hereby granted, free of charge, to any person
 obtaining a copy of this software and associated documentation files
 (the "Software"), to deal in the Software without restriction,
 including without limitation the rights to use, copy, modify, merge,
 publish, distribute, sublicense, and/or sell copies of the Software,
 and to permit persons to whom the Software is furnished to do so,
 subject to the following conditions:
 .
 The above copyright notice and this permission notice shall be
 included in all copies or substantial portions of the Software.
 .
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
 BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
 ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
License: GPL-2
 This package is free software; you can redistribute it and/or modify
 it under the terms version 2 of the GNU General Public License
 as published by the Free Software Foundation.
 .
 This package is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License
 along with this program. If not, see <https://www.gnu.org/licenses/>
Comment:
 On Debian systems, the complete text of the GNU General
 Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
License: GPL-2+
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
 (at your option) any later version.
 .
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License
 along with this program; if not, write to the Free Software
 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
Comment:
 On Debian systems, the complete text of the GNU General
 Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
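
The copyright file above follows the Debian machine-readable copyright format, in which each Files stanza names its own license, so one package can carry several. As an added example (not part of the original document), the following Python script extracts the license short name for each Files stanza; the function names are assumptions, and the sample is abridged from the output above, including its missing blank lines between stanzas.

```python
import re

# Constructed sample: abridged from the apt copyright file shown above. As in
# that output, the blank lines that normally separate stanzas are missing.
SAMPLE = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: apt
Files: *
Copyright: 1997-1999 Jason Gunthorpe and others
License: GPL-2+
Files: methods/rsh.cc
Copyright: 2000 Ben Collins <bcollins@debian.org>
License: GPL-2
Comment:
 This file stated:
 Licensed under the GNU General Public License v2 [no exception clauses]
Files: CMake/Documentation.cmake
       CMake/FindLFS.cmake
Copyright: 2016 Julian Andres Klode <jak@debian.org>
License: Expat
 Permission is hereby granted, free of charge, to any person
 obtaining a copy of this software and associated documentation files
License: GPL-2
 This package is free software; you can redistribute it and/or modify
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")


def parse_fields(text):
    """Return (name, value) pairs in file order.

    Lines starting with whitespace continue the previous field. A blank line
    (stanza separator) is returned as (None, "").
    """
    fields = []
    for line in text.splitlines():
        if not line.strip():
            fields.append((None, ""))
        elif line[0] in " \t":
            if fields and fields[-1][0] is not None:
                name, value = fields[-1]
                fields[-1] = (name, value + "\n" + line.strip())
        else:
            match = FIELD.match(line)
            if match:
                fields.append((match.group(1), match.group(2)))
    return fields


def licenses_by_files(text):
    """Return a list of (file_patterns, license_short_name) per Files stanza."""
    result = []
    current = None  # patterns of a Files stanza still waiting for its License
    for name, value in parse_fields(text):
        if name is None:
            current = None
        elif name.lower() == "files":
            current = value.split()
        elif name.lower() == "license":
            # The first line of the field is the short name; the rest is text.
            short = value.split("\n", 1)[0].strip()
            if current is not None:
                result.append((current, short))
                current = None
            # Otherwise this is a stand-alone License stanza that only carries
            # the full text (or a header-stanza License), which is skipped.
    return result


def distinct_licenses(text):
    """Return the sorted set of license short names used by Files stanzas."""
    return sorted({short for _patterns, short in licenses_by_files(text)})


if __name__ == "__main__":
    for patterns, short in licenses_by_files(SAMPLE):
        print(f"{short}: {' '.join(patterns)}")
```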

AmazonLinux

You can use the cat command to retrieve the license for any installed package.

Example: To retrieve the license information for the installed package yum:

$ docker run --rm amazonlinux:2 cat /usr/share/doc/yum-3.4.3/COPYING

Sample Result:

GNU GENERAL PUBLIC LICENSE
		       Version 2, June 1991

 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
                          675 Mass Ave, Cambridge, MA 02139, USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

			    Preamble

  The licenses for most software are designed to take away your
freedom to share and change it.  By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users.  This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it.  (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.)  You can apply it to
your programs, too.

  When we speak of free software, we are referring to freedom, not
price.  Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.

  To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.

  For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have.  You must make sure that they, too, receive or can get the
source code.  And you must show them these terms so they know their
rights.

  We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.

  Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software.  If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.

  Finally, any free program is threatened constantly by software
patents.  We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary.  To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.

  The precise terms and conditions for copying, distribution and
modification follow.
		    GNU GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

  0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License.  The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language.  (Hereinafter, translation is included without limitation in
the term "modification".)  Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope.  The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.

  1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.

You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.

  2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:

    a) You must cause the modified files to carry prominent notices
    stating that you changed the files and the date of any change.

    b) You must cause any work that you distribute or publish, that in
    whole or in part contains or is derived from the Program or any
    part thereof, to be licensed as a whole at no charge to all third
    parties under the terms of this License.

    c) If the modified program normally reads commands interactively
    when run, you must cause it, when started running for such
    interactive use in the most ordinary way, to print or display an
    announcement including an appropriate copyright notice and a
    notice that there is no warranty (or else, saying that you provide
    a warranty) and that users may redistribute the program under
    these conditions, and telling the user how to view a copy of this
    License.  (Exception: if the Program itself is interactive but
    does not normally print such an announcement, your work based on
    the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole.  If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works.  But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.

In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.

  3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:

    a) Accompany it with the complete corresponding machine-readable
    source code, which must be distributed under the terms of Sections
    1 and 2 above on a medium customarily used for software interchange; or,

    b) Accompany it with a written offer, valid for at least three
    years, to give any third party, for a charge no more than your
    cost of physically performing source distribution, a complete
    machine-readable copy of the corresponding source code, to be
    distributed under the terms of Sections 1 and 2 above on a medium
    customarily used for software interchange; or,

    c) Accompany it with the information you received as to the offer
    to distribute corresponding source code.  (This alternative is
    allowed only for noncommercial distribution and only if you
    received the program in object code or executable form with such
    an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for
making modifications to it.  For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable.  However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.

If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
  4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License.  Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.

  5. You are not required to accept this License, since you have not
signed it.  However, nothing else grants you permission to modify or
distribute the Program or its derivative works.  These actions are
prohibited by law if you do not accept this License.  Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.

  6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions.  You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.

  7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License.  If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all.  For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.

It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices.  Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.

This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
  8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded.  In such case, this License incorporates
the limitation as if written in the body of this License.

  9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time.  Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.

Each version is given a distinguishing version number.  If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation.  If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.

  10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission.  For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this.  Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.

			    NO WARRANTY

  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.

  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

		     END OF TERMS AND CONDITIONS
	    How to Apply These Terms to Your New Programs

  If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.

  To do so, attach the following notices to the program.  It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.

    <one line to give the program's name and a brief idea of what it does.>
    Copyright (C) 19yy  <name of author>

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:

    Gnomovision version 69, Copyright (C) 19yy name of author
    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
    This is free software, and you are welcome to redistribute it
    under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License.  Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary.  Here is a sample; alter the names:

  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
  `Gnomovision' (which makes passes at compilers) written by James Hacker.

  <signature of Ty Coon>, 1 April 1989
  Ty Coon, President of Vice

This General Public License does not permit incorporating your program into
proprietary programs.  If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library.  If this is what you want to do, use the GNU Library General
Public License instead of this License.

Manually Retrieve Installed Packages Sources

Debian

You can use the command apt-get to retrieve the source for any installed package.

Example: To retrieve the source for the installed package apt:

$ docker run --rm debian:bookworm-slim cat /etc/apt/sources.list.d/debian.sources

Sample Result:

Types: deb
# http://snapshot.debian.org/archive/debian/20231120T000000Z
URIs: http://deb.debian.org/debian
Suites: bookworm bookworm-updates
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Types: deb
# http://snapshot.debian.org/archive/debian-security/20231120T000000Z
URIs: http://deb.debian.org/debian-security
Suites: bookworm-security
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
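
Note that apt-get source only works when a source repository (deb-src) is configured, and the sample result above lists Types: deb only. The following added example (not part of the original documentation) parses a deb822 sources file and reports, per stanza, whether source retrieval is enabled and which keyring signs the repository; the function names and the sample text are assumptions constructed for illustration.

```python
def parse_deb822(text):
    """Split a deb822 .sources file into stanzas (one dict per stanza)."""
    stanzas, current, key = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):              # comment line, e.g. the snapshot URL
            continue
        if not line.strip():                  # blank line closes the stanza
            if current:
                stanzas.append(current)
            current, key = {}, None
        elif line[0] in " \t" and key:        # continuation of the previous field
            current[key] += " " + line.strip()
        else:
            key, _, value = line.partition(":")
            current[key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def source_report(text):
    """Per stanza: (URIs, suites, True if deb-src is enabled, Signed-By keyring)."""
    report = []
    for stanza in parse_deb822(text):
        report.append((stanza.get("URIs"),
                       stanza.get("Suites", "").split(),
                       "deb-src" in stanza.get("Types", "").split(),
                       stanza.get("Signed-By")))
    return report

# Constructed sample, modelled on the debian:bookworm-slim output shown above.
SAMPLE = """\
Types: deb
# http://snapshot.debian.org/archive/debian/20231120T000000Z
URIs: http://deb.debian.org/debian
Suites: bookworm bookworm-updates
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
# http://snapshot.debian.org/archive/debian-security/20231120T000000Z
URIs: http://deb.debian.org/debian-security
Suites: bookworm-security
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
"""

if __name__ == "__main__":
    for row in source_report(SAMPLE):
        print(row)
```

A stanza reported with False needs deb-src added to its Types field before apt-get source can fetch sources from that repository.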

AmazonLinux

You can use the yum repolist command to retrieve the repositories for any installed package.

Example: To retrieve the repositories for the installed package yum:

docker run --rm amazonlinux:2 yum -v repolist all

Sample Result:

Loading "ovl" plugin
Loading "priorities" plugin
Config time: 0.008
rpmdb time: 0.000
ovl: Copying up (0) files from OverlayFS lower layer
Yum version: 3.4.3
Setting up Package Sacks
pkgsack time: 0.003
Repo-id      : amzn2-core/2/aarch64
Repo-name    : Amazon Linux 2 core repository
Repo-status  : enabled
Repo-revision: 1699579172
Repo-updated : Fri Nov 10 01:19:32 2023
Repo-pkgs    : 23912
Repo-size    : 42 G
Repo-mirrors : http://amazonlinux.default.amazonaws.com/2/core/latest/aarch64/mirror.list
Repo-baseurl : https://cdn.amazonlinux.com/2/core/2.0/aarch64/6201a485818f2648562de7dd0e7d6a9177b7fb621c2a29b67b1878c2620de790/
Repo-expire  : 300 second(s) (last: Wed Nov 22 06:14:26 2023)
  Filter     : read-only:present
Repo-filename: /etc/yum.repos.d/amzn2-core.repo
Repo-id      : amzn2-core-debuginfo/2/aarch64
Repo-name    : Amazon Linux 2 core repository - debuginfo packages
Repo-status  : disabled
Repo-mirrors : http://amazonlinux.default.amazonaws.com/2/core/latest/debuginfo/aarch64/mirror.list
Repo-expire  : 300 second(s) (last: Unknown)
  Filter     : read-only:present
Repo-filename: /etc/yum.repos.d/amzn2-core.repo
Repo-id      : amzn2-core-source/2
Repo-name    : Amazon Linux 2 core repository - source packages
Repo-status  : disabled
Repo-mirrors : http://amazonlinux.default.amazonaws.com/2/core/latest/SRPMS/mirror.list
Repo-expire  : 300 second(s) (last: Unknown)
  Filter     : read-only:present
Repo-filename: /etc/yum.repos.d/amzn2-core.repo
repolist: 23912

Manually Retrieve Installed Files

You can use the command docker to extract the contents of a container for further inspection. Here we show 2 common methods to extract the image contents without running the container.

Method 1: Use a temporary container to extract the files

Create a temporary container based on the image you want to inspect, and export its whole filesystem (or parts of it).

Example:

  1. Create a temporary container called temp-container, based on the unknown-image:latest image:

    docker create --name temp-container unknown-image:latest
  2. Extract the whole container image filesystem as a TAR file:

    docker export temp-container > temp-container.tar
  3. Or, if you want to list only the included files:

    docker export temp-container | tar t > temp-container-files.txt

    This method is a direct way to extract the image's final filesystem. It provides a composite view of a container instance's filesystem.

    Note: This is the fastest way to list the included files or extract individual files.

Method 2: Extract the container image as a set of layers

Create a TAR file with all the individual image layers that compose the final container image.

Example:

Use the command docker image save to create a TAR file containing all the container image layers:

docker image save unknown-image:latest > temp-image.tar

The TAR file includes a manifest.json file, which describes the image's layers, and a set of separate directories containing the content of each individual layer.

This method produces an archive that exposes the container image format, not the container instances created from it. It provides a layered view of the container image.

Note: This is useful when you want to evaluate each layer's role in building the image.
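
The following added example (not part of the original documentation) reads a docker image save archive, lists the files of each layer, and derives the composite view by applying whiteout entries (.wh. files) in layer order. The function names and the two-layer sample image are constructed for illustration, and only the first entry of manifest.json is read.

```python
import io
import json
import posixpath
import tarfile

def read_views(image_tar):
    """Return (layered, composite): file lists per layer, and {path: supplying layer index}."""
    layered, composite = [], {}
    with tarfile.open(fileobj=image_tar) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for index, layer_name in enumerate(manifest[0]["Layers"]):
            blob = io.BytesIO(image.extractfile(layer_name).read())
            with tarfile.open(fileobj=blob) as layer:  # also reads gzip-compressed layers
                paths = sorted(posixpath.normpath(m.name) for m in layer if not m.isdir())
            layered.append(paths)
            # Whiteouts first: they hide content of lower layers only.
            for path in paths:
                parent, base = posixpath.split(path)
                if not base.startswith(".wh."):
                    continue
                # ".wh..wh..opq" hides the whole directory, ".wh.NAME" hides NAME
                hidden = parent if base == ".wh..wh..opq" else posixpath.join(parent, base[4:])
                for old in [p for p in composite if p == hidden or p.startswith(hidden + "/")]:
                    del composite[old]
            for path in paths:
                if not posixpath.basename(path).startswith(".wh."):
                    composite[path] = index
    return layered, composite

def _tar(files):
    """Build an in-memory TAR from {name: bytes} (used only for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sample_image():
    """Constructed two-layer image: layer 1 deletes a package directory added by layer 0."""
    layer0 = _tar({"usr/share/doc/zlib1g/copyright": b"zlib",
                   "usr/share/doc/buildtool/copyright": b"GPL-2"})
    layer1 = _tar({"usr/share/doc/.wh.buildtool": b"", "opt/app/NOTICE": b"app"})
    manifest = [{"RepoTags": ["unknown-image:latest"], "Layers": ["l0/layer.tar", "l1/layer.tar"]}]
    return io.BytesIO(_tar({"manifest.json": json.dumps(manifest).encode(),
                            "l0/layer.tar": layer0, "l1/layer.tar": layer1}))

if __name__ == "__main__":
    print(read_views(sample_image()))
```

In the sample, usr/share/doc/buildtool/copyright is absent from the composite view but is still present in layer 0 of the archive, so a review based only on docker export would not see it.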

Layered View vs Composite View

The following diagram illustrates the differences between the layered view and the composite view of a container image.

  • For more information on the docker command arguments, see the Docker CLI documentation.