Hi!
Using the “syft” tool from Anchore I created an SBOM for a server with Kamailio installed
from Debian.
The result is quite interesting. Some notes:
- For each component (Debian package) a list of licenses is made.
- The CPEs - filters for matching with NVD - are based on the Debian package names, which
is incorrect.
I will try with a newer system, like Debian Bullseye.
My question is if we can fix this somehow by modifying meta data in our packages.
Will have to check what syft is using, but this SBOM is not
very useful….
Cheers,
/O
Examples:
  "cpe": "cpe:2.3:a:kamailio-extra-modules:kamailio-extra-modules:5.3.9\\+bpo10:*:*:*:*:*:*:*",
  "licenses": [
    { "license": { "id": "Apache-1.0" } },
    { "license": { "id": "BSD-2-Clause" } },
    { "license": { "id": "BSD-3-Clause" } },
    { "license": { "name": "Expat" } },
    { "license": { "id": "GPL-2.0-only" } },
    { "license": { "id": "GPL-2.0-or-later" } },
    { "license": { "id": "GPL-2.0-or-later" } },
    { "license": { "id": "ISC" } },
    { "license": { "id": "MIT" } },
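As an added illustration of the two problems raised in the post (not code from the post, from syft or from the Kamailio project): a small audit script that walks a CycloneDX-style SBOM, parses each CPE 2.3 string (including the backslash escapes syft emitted for the "+" in the version), flags CPEs whose vendor and product are simply the Debian package name, rebinds them to an upstream vendor/product pair from a hypothetical mapping table, and drops the duplicated license entries. The sample SBOM, the PACKAGE_TO_CPE table (which assumes Kamailio is known to NVD as vendor "kamailio", product "kamailio") and the version-stripping rule are constructed for the example; a real run would derive the mapping from package metadata rather than hard-coding it.

```python
"""Audit CPEs and licenses in a CycloneDX-style SBOM (constructed example)."""
import copy
import re

# Constructed sample modelled on the fragment in the post: a component whose CPE was
# derived from the Debian binary package name, plus a duplicated license entry.
SAMPLE_SBOM = {
    "components": [
        {
            "name": "kamailio-extra-modules",
            "version": "5.3.9+bpo10",
            "cpe": "cpe:2.3:a:kamailio-extra-modules:kamailio-extra-modules:"
                   "5.3.9\\+bpo10:*:*:*:*:*:*:*",
            "licenses": [
                {"license": {"id": "Apache-1.0"}},
                {"license": {"id": "GPL-2.0-or-later"}},
                {"license": {"id": "GPL-2.0-or-later"}},
                {"license": {"name": "Expat"}},
            ],
        }
    ]
}

# Hypothetical mapping: Debian package name -> (CPE vendor, CPE product) as used by NVD.
# Assumption for this example; in practice this would come from package metadata.
PACKAGE_TO_CPE = {
    "kamailio": ("kamailio", "kamailio"),
    "kamailio-extra-modules": ("kamailio", "kamailio"),
}


def split_cpe23(cpe):
    """Split a CPE 2.3 formatted string on unescaped colons, unescaping each field."""
    fields, cur, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):   # escaped char: keep the literal
            cur.append(cpe[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def escape_cpe_field(value):
    """Bind a plain value back into CPE 2.3 formatted-string form.

    Letters, digits, '_', '.', '-' and the wildcards '*'/'?' stay as-is; every other
    character is backslash-escaped, which is what turned '+' into '\\+' in the sample.
    """
    return re.sub(r"([^A-Za-z0-9_.\-*?])", r"\\\1", value)


def join_cpe23(fields):
    return ":".join(escape_cpe_field(f) for f in fields)


def upstream_version(debian_version):
    """Heuristic: strip a Debian revision ('-1~bpo10+1') or backport suffix ('+bpo10').

    Upstream versions may legitimately contain '+', so this is a simplification.
    """
    return re.sub(r"(\+(bpo|deb)\d+.*)?(-[^-]*)?$", "", debian_version)


def is_package_name_cpe(component):
    """True when vendor and product are both just the Debian package name."""
    fields = split_cpe23(component["cpe"])
    if len(fields) != 13:
        return False
    vendor, product = fields[3], fields[4]
    return vendor == product == component["name"]


def dedupe_licenses(licenses):
    """Drop repeated license entries, keyed on SPDX id or free-form name, keeping order."""
    seen, out = set(), []
    for entry in licenses:
        lic = entry.get("license", {})
        key = lic.get("id") or lic.get("name")
        if key not in seen:
            seen.add(key)
            out.append(entry)
    return out


def audit_sbom(sbom):
    """Return a corrected copy of the SBOM and a list of human-readable findings."""
    fixed = copy.deepcopy(sbom)
    findings = []
    for comp in fixed.get("components", []):
        if "cpe" in comp and is_package_name_cpe(comp):
            fields = split_cpe23(comp["cpe"])
            mapping = PACKAGE_TO_CPE.get(comp["name"])
            if mapping is None:
                findings.append(f"{comp['name']}: CPE built from package name, no mapping")
                continue
            fields[3], fields[4] = mapping
            fields[5] = upstream_version(comp.get("version", fields[5]))
            comp["cpe"] = join_cpe23(fields)
            findings.append(f"{comp['name']}: CPE rewritten to {comp['cpe']}")
        if "licenses" in comp:
            before = len(comp["licenses"])
            comp["licenses"] = dedupe_licenses(comp["licenses"])
            if len(comp["licenses"]) != before:
                findings.append(f"{comp['name']}: removed {before - len(comp['licenses'])} duplicate license(s)")
    return fixed, findings


if __name__ == "__main__":
    _, notes = audit_sbom(SAMPLE_SBOM)
    for line in notes:
        print(line)
```

Running the script prints one finding for the rewritten CPE and one for the duplicate GPL-2.0-or-later entry; components whose name is not in the mapping table are reported but left untouched, since guessing a vendor/product pair would only move the matching error elsewhere.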