Hi!
Using the “syft” tool from Anchore I created an SBOM for a server with Kamailio
installed from Debian.
The result is quite interesting. Some notes:
- For each component (Debian package) a list of licenses is made.
- The CPEs - filters for matching with NVD - are based on the Debian package
names, which is incorrect.
I will try with a newer system, like Debian Bullseye.
My question is if we can fix this somehow by modifying metadata in our
packages.
Will have to check what syft is using, but this SBOM is not
very useful…
Cheers,
/O
Examples:
"cpe": "cpe:2.3:a:kamailio-extra-modules:kamailio-extra-modules:5.3.9\\+bpo10:*:*:*:*:*:*:*",
"licenses": [
  { "license": { "id": "Apache-1.0" } },
  { "license": { "id": "BSD-2-Clause" } },
  { "license": { "id": "BSD-3-Clause" } },
  { "license": { "name": "Expat" } },
  { "license": { "id": "GPL-2.0-only" } },
  { "license": { "id": "GPL-2.0-or-later" } },
  { "license": { "id": "GPL-2.0-or-later" } },
  { "license": { "id": "ISC" } },
  { "license": { "id": "MIT" } },
_______________________________________________
Kamailio (SER) - Development Mailing List
To unsubscribe send an email to [email protected]
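The two problems described in the message above (CPEs that just echo the Debian package name, and a license list with duplicates and non-SPDX names such as "Expat") can be checked mechanically on the CycloneDX JSON that syft emits. The script below is an added example for this thread, not code from syft, Anchore or the Kamailio project. It works on a constructed CycloneDX fragment modelled on the posted output; the CPE override table (kamailio-extra-modules to vendor "kamailio", product "kamailio") and the Debian-name-to-SPDX mapping ("Expat" to "MIT") are assumptions for illustration and should be verified against NVD and SPDX before use. The heuristic it applies is simple: a CPE whose vendor and product fields are both identical to the package name was almost certainly synthesised from the package name rather than taken from an NVD dictionary entry, and will not match advisories filed under the upstream vendor:product pair.

```python
"""Audit a syft-produced CycloneDX JSON SBOM: flag CPEs that only echo the
Debian package name, suggest a replacement from an override table, and
normalise/deduplicate each component's license list.

Added example; not syft/Anchore/Kamailio code. SAMPLE_SBOM, CPE_OVERRIDES
and DEBIAN_TO_SPDX are constructed/assumed for illustration.
"""
import json
import re

# Constructed CycloneDX fragment in the shape of the posted output (not a real syft run).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "components": [
        {
            "type": "library",
            "name": "kamailio-extra-modules",
            "version": "5.3.9+bpo10",
            "cpe": "cpe:2.3:a:kamailio-extra-modules:kamailio-extra-modules:5.3.9\\+bpo10:*:*:*:*:*:*:*",
            "licenses": [
                {"license": {"id": "GPL-2.0-or-later"}},
                {"license": {"id": "GPL-2.0-or-later"}},
                {"license": {"name": "Expat"}},
                {"license": {"id": "MIT"}},
            ],
        },
        {
            "type": "library",
            "name": "libssl1.1",
            "version": "1.1.1n-0+deb10u5",
            "cpe": "cpe:2.3:a:openssl:openssl:1.1.1n-0\\+deb10u5:*:*:*:*:*:*:*",
            "licenses": [{"license": {"name": "OpenSSL"}}],
        },
    ],
})

# Assumed override table: Debian package name -> (NVD vendor, NVD product).
CPE_OVERRIDES = {"kamailio-extra-modules": ("kamailio", "kamailio")}

# Assumed mapping of Debian copyright-file license names to SPDX identifiers.
DEBIAN_TO_SPDX = {"Expat": "MIT"}

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string on unescaped colons and unescape each field."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in zip(CPE_FIELDS, parts[2:])}


def escape_cpe_field(value: str) -> str:
    """Formatted-string binding: alnum, '.', '-', '_' and '*' stay; everything else is backslash-escaped."""
    return re.sub(r"[^A-Za-z0-9._*-]", lambda m: "\\" + m.group(0), value)


def build_cpe(vendor: str, product: str, version: str) -> str:
    """Build an application CPE 2.3 string with all remaining fields set to ANY."""
    fields = [escape_cpe_field(vendor), escape_cpe_field(product), escape_cpe_field(version)]
    return "cpe:2.3:a:" + ":".join(fields) + ":*:*:*:*:*:*:*"


def cpe_echoes_package_name(cpe: str, package: str) -> bool:
    """True when vendor and product are both just the package name, i.e. the CPE
    was synthesised from the package name rather than taken from an NVD entry."""
    f = parse_cpe(cpe)
    return f["vendor"] == package and f["product"] == package


def normalise_licenses(licenses: list) -> list:
    """Map id/name entries to SPDX ids where known and drop duplicates, keeping order."""
    seen = []
    for entry in licenses:
        lic = entry.get("license", {})
        ident = lic.get("id") or DEBIAN_TO_SPDX.get(lic.get("name"), lic.get("name"))
        if ident and ident not in seen:
            seen.append(ident)
    return seen


def audit_sbom(sbom_json: str) -> list:
    """Return one report dict per component: suspect flag, suggested CPE, clean license list."""
    report = []
    for comp in json.loads(sbom_json).get("components", []):
        name, cpe = comp["name"], comp.get("cpe")
        entry = {"name": name, "cpe": cpe, "suspect_cpe": False, "suggested_cpe": None,
                 "licenses": normalise_licenses(comp.get("licenses", []))}
        if cpe and cpe_echoes_package_name(cpe, name):
            entry["suspect_cpe"] = True
            if name in CPE_OVERRIDES:
                vendor, product = CPE_OVERRIDES[name]
                entry["suggested_cpe"] = build_cpe(vendor, product, parse_cpe(cpe)["version"])
        report.append(entry)
    return report


if __name__ == "__main__":
    for r in audit_sbom(SAMPLE_SBOM):
        print(json.dumps(r, indent=2))
```

Run it against a real file by replacing SAMPLE_SBOM with the contents of syft's CycloneDX JSON output; every component reported with suspect_cpe set is one that a scanner matching on vendor:product against NVD will silently miss, which is exactly the "not very useful" outcome described above. The Debian version string (with +bpo10 or +debNuM suffixes) is kept verbatim in the suggested CPE, so version-range matching against upstream advisories still needs the distro's own security tracker rather than NVD alone.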