Any recommendations for a tool that can generate an SBOM for a Kamailio instance based on the configured modules?
Thanks, Ivan
Hello,
I think Olle was looking into that some months ago; maybe (when he reads this) he can share some of his research results, if possible. You can also find some of his articles, e.g. on his LinkedIn page.
Cheers,
Henning
-- Henning Westerholt – https://skalatan.de/blog/ Kamailio services – https://gilawa.com/
From: Ivan Ribakov via sr-users <sr-users@lists.kamailio.org> Sent: Wednesday, 27 September 2023 21:11 To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org> Cc: Ivan Ribakov <i.ribakov@zaleos.net> Subject: [SR-Users] Software bill of materials (SBOM)
Still digging through this. There are tools that can list your packages if you install Linux packages, i.e. Debian. But there are no tools that can parse your kamailio config to really see what’s loaded and active.
It all depends on what you want to do with the SBOM - if you want to check for vulnerabilities, list licenses or have a generic inventory.
/O
Kamailio - Users Mailing List - Non Commercial Discussions. To unsubscribe send an email to sr-users-leave@lists.kamailio.org. Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Hi Olle,
Yes, I realised by now that taking enabled Kamailio modules into account when generating an SBOM is too much to ask. I'd be OK with obtaining a full list of Kamailio dependencies (with transitive dependencies if possible) and then manually filtering them based on module usage. Not sure if at any point during the Kamailio build process all sources + dependency sources/binaries are present in the system for scanning/identification?
I'm mainly interested in listing (and validating licenses) and having a general inventory. Any recommendations?
I did try a beta of a tool in the CycloneDX toolset for scanning C files and it crashed. Will try again, but so far I haven't succeeded. I suggest we would need one SBOM based on a Linux distro, like Debian, and one more generic one based on the C code and the versions of libraries we recommend. I have tried to add pointers to the various third-party dependencies in the READMEs over the years in a somewhat unstructured effort, but the information is there. Maybe we can add the dependencies in a way that's parseable in order to build an SBOM.
C code doesn't have package management like Python, Perl, Go and others, so it's tricky to automate the creation of SBOMs.
I think that the SBOM tree for the source code and dependencies would grow quite large.
Anyway - at this time, I failed. :-)
/O
I see, thanks for sharing your experience Olle.
I'm no autoconf expert - does anyone know if it's possible to dump a more or less concise list of all linked libraries used, either during build configuration or the actual build process? I'm thinking that should be pretty close to the source of truth for the direct dependencies involved and could act as a starting point for a manual process of figuring out versions and licenses.
Maybe leveraging ldd in a first phase can help build the chain of dependencies:

    $ ldd src/kamailio
            linux-vdso.so.1 (0x0000ffff91745000)
            libm.so.6 => /lib/aarch64-linux-gnu/libm.so.6 (0x0000ffff90f30000)
            libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff90d80000)
            /lib/ld-linux-aarch64.so.1 (0x0000ffff9170c000)

    $ ldd src/modules/tls/tls.so
            linux-vdso.so.1 (0x0000ffff96e5d000)
            libssl.so.3 => /lib/aarch64-linux-gnu/libssl.so.3 (0x0000ffff96ca0000)
            libcrypto.so.3 => /lib/aarch64-linux-gnu/libcrypto.so.3 (0x0000ffff968b0000)
            libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff96700000)
            /lib/ld-linux-aarch64.so.1 (0x0000ffff96e24000)

    $ ldd /lib/aarch64-linux-gnu/libcrypto.so.3
            linux-vdso.so.1 (0x0000ffff9952c000)
            libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff98f50000)
            /lib/ld-linux-aarch64.so.1 (0x0000ffff994f3000)
Might take some time, a matter of what modules are used, but if really needed, the process should be doable manually.
Cheers, Daniel
Hi,
We are using that "ldd" approach for our Docker containers: we run ldd on the Kamailio binary and on the modules from the config (may vary, depending on the system) and use that result to create a slim Kamailio container "from scratch", without any operating system.
Thanks, Carsten
-- Carsten Bock | Chief Technology Innovation Officer & Founder
ng-voice GmbH
Trostbrücke 1 | 20457 Hamburg | Germany T +49 1511 5942983 | www.ng-voice.com
Registry Office at Local Court Hamburg, HRB 120189 Managing Directors: Dr. David Bachmann, Carsten Bock, Quirin Maderspacher
Here is an example of a function used to pull lib dependencies: https://github.com/kamailio/kamailio-ci/blob/master/alpine/build.sh#L80-L103
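Putting the thread's pieces together (Daniel's ldd chain, Carsten's modules-from-config approach and the build.sh helper Sergey linked), here is an added POSIX shell example, not code from the thread or from the kamailio-ci repository, that reads the loadmodule lines of a kamailio.cfg, runs ldd on the binary and on each loaded module, and prints a de-duplicated list of shared-library paths as raw material for a manual SBOM. It assumes modules are installed as <name>.so under a directory passed as the third argument and that ldd prints the glibc-style lines quoted above; the dpkg lookup at the end is a Debian-only extra.

```shell
#!/bin/sh
# Added example (not code from the thread or from kamailio-ci): build a
# de-duplicated shared-library inventory for a Kamailio instance from the
# loadmodule lines of its config, following the ldd approach in the thread.
# Assumptions: modules are installed as <name>.so under the directory given
# as the third argument, and ldd prints the glibc-style lines quoted above.

# Print the module names named by active loadmodule lines in a kamailio.cfg.
# Handles: loadmodule "tls.so", loadmodule "tls", loadmodule "/path/tls.so";
# commented-out lines (#loadmodule ...) are ignored.
kamailio_modules() {
    sed -n 's/^[[:space:]]*loadmodule[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p' "$1" |
        sed 's#.*/##; s/\.so$//' | sort -u
}

# Read ldd output on stdin and print one absolute library path per line.
# "libssl.so.3 => /lib/.../libssl.so.3 (0x...)" yields the path after "=>";
# "/lib/ld-linux-aarch64.so.1 (0x...)" yields the loader itself;
# "linux-vdso.so.1 (0x...)" has no file on disk and is dropped;
# "libfoo.so => not found" is reported on stderr so a gap cannot go unnoticed.
ldd_libs() {
    awk '
        /=> not found/ { print "unresolved: " $1 > "/dev/stderr"; next }
        /=>/           { print $3; next }
        $1 ~ /^\//     { print $1 }
    '
}

# Run ldd on the kamailio binary and on every module the config loads, and
# merge the results. ldd already lists transitive dependencies (libcrypto
# for tls.so, libc for everything), so no recursion is needed here.
lib_inventory() {
    bin=$1; cfg=$2; moddir=$3
    {
        ldd "$bin" | ldd_libs
        for m in $(kamailio_modules "$cfg"); do
            ldd "$moddir/$m.so" | ldd_libs
        done
    } | sort -u
}

# Optional Debian/Ubuntu step: map each library path (resolved through
# merged-/usr symlinks) to the package that owns it, so versions and
# licences can then be looked up per package.
debian_packages() {
    while read -r lib; do
        dpkg -S "$(readlink -f "$lib")" 2>/dev/null | sed 's/:[^:]*$//'
    done | sort -u
}

# Usage: sh kamailio-libs.sh /usr/sbin/kamailio /etc/kamailio/kamailio.cfg \
#        /usr/lib/x86_64-linux-gnu/kamailio/modules
if [ $# -eq 3 ]; then
    lib_inventory "$1" "$2" "$3"
fi
```

Note that ldd works by invoking the dynamic loader on the inspected file, so use it only on binaries and modules you built or installed yourself; `objdump -p` or `readelf -d` list the same NEEDED entries without executing anything.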
Thanks Sergey, looks like exactly what I was looking for! Now just need to solve the dependency source version problem...
That's a neat trick, Carsten. Thanks for sharing!