Hi!
On 28/3/23 16:36, Olle E. Johansson wrote:
Hi!
Using the “syft” tool from Anchore I created an SBOM for a server with Kamailio installed from Debian.
The result is quite interesting. Some notes:
- For each component (Debian package) a list of licenses is made.
- The CPEs - filters for matching with NVD - are based on the Debian package names, which is incorrect.
I will try with a newer system, like Debian Bullseye.
My question is if we can fix this somehow by modifying meta data in our packages.
The license information in the packaging is in debian/copyright [0].
[0] https://github.com/kamailio/kamailio/blob/master/pkg/kamailio/deb/debian/cop...
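The two observations above (CPEs synthesised from the Debian package name, and license data living in debian/copyright rather than in the SBOM) can be checked mechanically. The script below is an added example, not code from this thread, from syft or from the Kamailio project. It assumes a CycloneDX-JSON SBOM whose components carry `name`, `cpe` and `licenses` (the shape syft writes with `-o cyclonedx-json`) and a DEP-5 machine-readable debian/copyright file; the SBOM, the copyright text, the package names and versions in it are constructed samples, not real tool output or the real Kamailio copyright file. The `DEP5_TO_SPDX` table is a partial, hand-written mapping.

```python
"""Cross-check a syft-style CycloneDX SBOM against a Debian package's debian/copyright.

Added example (not from the thread, syft or Kamailio). Inputs below are constructed.
"""
import json
import re

# Constructed sample SBOM: both CPEs use the Debian package name as vendor AND
# product, the pattern the thread points out. Versions are simplified.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"type": "library", "name": "kamailio", "version": "5.4.4",
         "cpe": "cpe:2.3:a:kamailio:kamailio:5.4.4:*:*:*:*:*:*:*",
         "licenses": [{"license": {"id": "GPL-2.0-or-later"}}]},
        {"type": "library", "name": "libssl1.1", "version": "1.1.1n",
         "cpe": "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1n:*:*:*:*:*:*:*",
         "licenses": []},
    ],
})

# Constructed sample debian/copyright in DEP-5 format (not the real Kamailio file).
SAMPLE_COPYRIGHT = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: kamailio

Files: *
Copyright: 2001-2023 Kamailio project contributors
License: GPL-2+

Files: src/modules/example/*
Copyright: 2010 Example Corp
License: BSD-3-clause

License: GPL-2+
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License version 2 or later.
"""

# DEP-5 short names are not SPDX ids; partial hand-written mapping (assumption).
DEP5_TO_SPDX = {
    "GPL-2": "GPL-2.0-only", "GPL-2+": "GPL-2.0-or-later",
    "GPL-3": "GPL-3.0-only", "GPL-3+": "GPL-3.0-or-later",
    "BSD-3-clause": "BSD-3-Clause", "BSD-2-clause": "BSD-2-Clause", "Expat": "MIT",
}

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into its eleven fields (escaped ':' kept)."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    fields = re.split(r"(?<!\\):", cpe[len(prefix):])
    if len(fields) != len(CPE_FIELDS):
        raise ValueError(f"expected 11 CPE fields, got {len(fields)}: {cpe}")
    return dict(zip(CPE_FIELDS, fields))


def name_derived_cpes(sbom_json):
    """Names of components whose CPE vendor and product both equal the package name.
    Such CPEs came from packaging metadata and need a human check against the
    vendor:product pair NVD uses (libssl1.1 never matches openssl:openssl;
    kamailio:kamailio happens to be right)."""
    flagged = []
    for comp in json.loads(sbom_json).get("components", []):
        cpe = comp.get("cpe")
        if not cpe:
            continue
        f = parse_cpe(cpe)
        if f["vendor"] == comp["name"] and f["product"] == comp["name"]:
            flagged.append(comp["name"])
    return flagged


def sbom_licenses(sbom_json, package):
    """SPDX ids the SBOM lists for one component (CycloneDX `licenses` shape)."""
    ids = set()
    for comp in json.loads(sbom_json).get("components", []):
        if comp["name"] == package:
            for entry in comp.get("licenses", []):
                lic = entry.get("license", {})
                if "id" in lic:
                    ids.add(lic["id"])
    return ids


def _parse_stanza(block):
    """Parse one DEP-5 paragraph: 'Key: value' lines plus indented continuations."""
    fields, key = {}, None
    for line in block.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += "\n" + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def parse_dep5_copyright(text):
    """Return the Files stanzas as (globs, license short name); first License line only."""
    stanzas = [_parse_stanza(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
    return [(s["Files"].split(), s["License"].splitlines()[0].strip())
            for s in stanzas if "Files" in s]


def license_gap(sbom_json, package, copyright_text):
    """Licenses debian/copyright declares (as SPDX ids) that the SBOM omits for `package`."""
    declared = {DEP5_TO_SPDX.get(lic, lic) for _, lic in parse_dep5_copyright(copyright_text)}
    return declared - sbom_licenses(sbom_json, package)


if __name__ == "__main__":
    print("name-derived CPEs:", name_derived_cpes(SAMPLE_SBOM))
    print("licenses missing from SBOM:", license_gap(SAMPLE_SBOM, "kamailio", SAMPLE_COPYRIGHT))
```

Run against a real `syft ... -o cyclonedx-json` output and the package's debian/copyright, the first function gives the list of CPEs that deserve manual vendor/product review before feeding the SBOM to an NVD matcher, and the second shows which licenses named in the Files stanzas never made it into the SBOM.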