Software bill of materials (SBOM) - sr-users - kamailio.org

List overview All Threads
Download

Software bill of materials (SBOM)

error in parsing HTTP messages

periodic could not resolve hostname

Ivan Ribakov

27 Sep 2023 27 Sep '23

10:11 p.m.

Any recommendations for a tool that can generate SBOM for a Kamailio instance based on configured modules? Thanks, Ivan

Attachments:

attachment.html (text/html — 210 bytes)

Reply

Show replies by date

Henning Westerholt

28 Sep 28 Sep

10:41 a.m.

Hello, I think Olle was looking into that some month ago, maybe (when he reads it) can share some of his research results if possible. You can also find some of his articles e.g., on his linkedin page. Cheers, Henning -- Henning Westerholt – https://skalatan.de/blog/ Kamailio services – https://gilawa.com<https://gilawa.com/> From: Ivan Ribakov via sr-users <sr-users(a)lists.kamailio.org> Sent: Mittwoch, 27. September 2023 21:11 To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org> Cc: Ivan Ribakov <i.ribakov(a)zaleos.net> Subject: [SR-Users] Software bill of materials (SBOM) Any recommendations for a tool that can generate SBOM for a Kamailio instance based on configured modules? Thanks, Ivan

Reply

Olle E. Johansson

11:41 a.m.

Still digging through this. There are tools that can list your packages if you install Linux packages, i.e. Debian. But there are no tools that can parse your kamailio config to really see what’s loaded and active. It all depends on what you want to do with the SBOM - if you want to check for vulnerabilities, list licenses or have a generic inventory. /O

On 28 Sep 2023, at 09:41, Henning Westerholt via sr-users <sr-users(a)lists.kamailio.org> wrote: Hello, I think Olle was looking into that some month ago, maybe (when he reads it) can share some of his research results if possible. You can also find some of his articles e.g., on his linkedin page. Cheers, Henning -- Henning Westerholt – https://skalatan.de/blog/ Kamailio services – https://gilawa.com <https://gilawa.com/> From: Ivan Ribakov via sr-users <sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org>> Sent: Mittwoch, 27. September 2023 21:11 To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org>> Cc: Ivan Ribakov <i.ribakov(a)zaleos.net <mailto:i.ribakov@zaleos.net>> Subject: [SR-Users] Software bill of materials (SBOM) Any recommendations for a tool that can generate SBOM for a Kamailio instance based on configured modules? Thanks, Ivan __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org <mailto:sr-users-leave@lists.kamailio.org> Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:

Reply

Ivan Ribakov

1:36 p.m.

Hi Olle, Yes, I realised by now that taking enabled Kamailio modules into account when generating SBOM is too much to ask. I'd be ok with obtaining full list of Kamailio dependencies (with transitive dependencies if possible) and then manually filtering them based on module usage. Not sure if at any point during Kamailio build process all sources + dependency sources/binaries are present in the system for scanning/identification? I'm mainly interested in listing (and validating licenses) and having a general inventory. Any recommendations? -- Ivan Ribakov Software Engineer www.zaleos.net On Thu, 28 Sept 2023 at 10:58, Olle E. Johansson via sr-users < sr-users(a)lists.kamailio.org> wrote:

Still digging through this. There are tools that can list your packages if you install Linux packages, i.e. Debian. But there are no tools that can parse your kamailio config to really see what’s loaded and active. It all depends on what you want to do with the SBOM - if you want to check for vulnerabilities, list licenses or have a generic inventory. /O On 28 Sep 2023, at 09:41, Henning Westerholt via sr-users < sr-users(a)lists.kamailio.org> wrote: Hello, I think Olle was looking into that some month ago, maybe (when he reads it) can share some of his research results if possible. You can also find some of his articles e.g., on his linkedin page. Cheers, Henning -- Henning Westerholt – https://skalatan.de/blog/ Kamailio services – https://gilawa.com *From:* Ivan Ribakov via sr-users <sr-users(a)lists.kamailio.org> *Sent:* Mittwoch, 27. September 2023 21:11 *To:* Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org> *Cc:* Ivan Ribakov <i.ribakov(a)zaleos.net> *Subject:* [SR-Users] Software bill of materials (SBOM) Any recommendations for a tool that can generate SBOM for a Kamailio instance based on configured modules? Thanks, Ivan __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe: __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:

Reply

Olle E. Johansson

2:13 p.m.

On 28 Sep 2023, at 12:36, Ivan Ribakov via sr-users <sr-users(a)lists.kamailio.org> wrote: Hi Olle, Yes, I realised by now that taking enabled Kamailio modules into account when generating SBOM is too much to ask. I'd be ok with obtaining full list of Kamailio dependencies (with transitive dependencies if possible) and then manually filtering them based on module usage. Not sure if at any point during Kamailio build process all sources + dependency sources/binaries are present in the system for scanning/identification? I'm mainly interested in listing (and validating licenses) and having a general inventory. Any recommendations?

I did try a beta of a tool in cyclonedx toolset for scanning C files and it crashed. Will try again, but so far I haven’t succeeded. I suggest we would need one SBOM based on a linux distro, like Debian and one more generic based on C code and the versions of libraries we recommend. I have tried to add pointers to the various third party dependencies in the READMEs over the years in a somewhat unstructured effort, but the information is there. Maybe we can add the dependencies in a way that’s parseable in order to build an SBOM. C code doesn’t have package management like Python, Perl, Go and others so it’s tricky to automate creation of SBOMs. I think that the SBOM tree for the source code and dependencies would grow quite large. Anyway - at this time, I failed. :-) /O

-- Ivan Ribakov Software Engineer www.zaleos.net <http://www.zaleos.net/> On Thu, 28 Sept 2023 at 10:58, Olle E. Johansson via sr-users <sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org>> wrote:

Still digging through this. There are tools that can list your packages if you install Linux packages, i.e. Debian. But there are no tools that can parse your kamailio config to really see what’s loaded and active. It all depends on what you want to do with the SBOM - if you want to check for vulnerabilities, list licenses or have a generic inventory. /O

On 28 Sep 2023, at 09:41, Henning Westerholt via sr-users <sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org>> wrote: Hello, I think Olle was looking into that some month ago, maybe (when he reads it) can share some of his research results if possible. You can also find some of his articles e.g., on his linkedin page. Cheers, Henning -- Henning Westerholt – https://skalatan.de/blog/ Kamailio services – https://gilawa.com <https://gilawa.com/> From: Ivan Ribakov via sr-users <sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org>> Sent: Mittwoch, 27. September 2023 21:11 To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org>> Cc: Ivan Ribakov <i.ribakov(a)zaleos.net <mailto:i.ribakov@zaleos.net>> Subject: [SR-Users] Software bill of materials (SBOM) Any recommendations for a tool that can generate SBOM for a Kamailio instance based on configured modules? Thanks, Ivan __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org <mailto:sr-users-leave@lists.kamailio.org> Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:

__________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org <mailto:sr-users-leave@lists.kamailio.org> Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:

__________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:

Reply

Ivan Ribakov

8:11 p.m.

I see, thanks for sharing your experience Olle. I'm no autoconf expert - does anyone know if it's possible to dump more or less concise list of all linked libraries used either during build configuration or the actual build process? I'm thinking that should be pretty close to the source of truth for direct dependencies involved and could act as a starting point for a manual process of figuring out versions and licenses. On Thu, 28 Sept 2023, 13:13 Olle E. Johansson, <oej(a)edvina.net> wrote:

On 28 Sep 2023, at 12:36, Ivan Ribakov via sr-users < sr-users(a)lists.kamailio.org> wrote: Hi Olle, Yes, I realised by now that taking enabled Kamailio modules into account when generating SBOM is too much to ask. I'd be ok with obtaining full list of Kamailio dependencies (with transitive dependencies if possible) and then manually filtering them based on module usage. Not sure if at any point during Kamailio build process all sources + dependency sources/binaries are present in the system for scanning/identification? I'm mainly interested in listing (and validating licenses) and having a general inventory. Any recommendations? I did try a beta of a tool in cyclonedx toolset for scanning C files and it crashed. Will try again, but so far I haven’t succeeded. I suggest we would need one SBOM based on a linux distro, like Debian and one more generic based on C code and the versions of libraries we recommend. I have tried to add pointers to the various third party dependencies in the READMEs over the years in a somewhat unstructured effort, but the information is there. Maybe we can add the dependencies in a way that’s parseable in order to build an SBOM. C code doesn’t have package management like Python, Perl, Go and others so it’s tricky to automate creation of SBOMs. I think that the SBOM tree for the source code and dependencies would grow quite large. Anyway - at this time, I failed. :-) /O -- Ivan Ribakov Software Engineer www.zaleos.net On Thu, 28 Sept 2023 at 10:58, Olle E. Johansson via sr-users < sr-users(a)lists.kamailio.org> wrote:

Still digging through this. There are tools that can list your packages if you install Linux packages, i.e. Debian. But there are no tools that can parse your kamailio config to really see what’s loaded and active. It all depends on what you want to do with the SBOM - if you want to check for vulnerabilities, list licenses or have a generic inventory. /O On 28 Sep 2023, at 09:41, Henning Westerholt via sr-users < sr-users(a)lists.kamailio.org> wrote: Hello, I think Olle was looking into that some month ago, maybe (when he reads it) can share some of his research results if possible. You can also find some of his articles e.g., on his linkedin page. Cheers, Henning -- Henning Westerholt – https://skalatan.de/blog/ Kamailio services – https://gilawa.com *From:* Ivan Ribakov via sr-users <sr-users(a)lists.kamailio.org> *Sent:* Mittwoch, 27. September 2023 21:11 *To:* Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org> *Cc:* Ivan Ribakov <i.ribakov(a)zaleos.net> *Subject:* [SR-Users] Software bill of materials (SBOM) Any recommendations for a tool that can generate SBOM for a Kamailio instance based on configured modules? Thanks, Ivan __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe: __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:

__________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:

Reply

Daniel-Constantin Mierla

8:17 p.m.

On 28.09.23 13:13, Olle E. Johansson via sr-users wrote:

On 28 Sep 2023, at 12:36, Ivan Ribakov via sr-users <sr-users(a)lists.kamailio.org> wrote: Hi Olle, Yes, I realised by now that taking enabled Kamailio modules into account when generating SBOM is too much to ask. I'd be ok with obtaining full list of Kamailio dependencies (with transitive dependencies if possible) and then manually filtering them based on module usage. Not sure if at any point during Kamailio build process all sources + dependency sources/binaries are present in the system for scanning/identification? I'm mainly interested in listing (and validating licenses) and having a general inventory. Any recommendations?

I did try a beta of a tool in cyclonedx toolset for scanning C files and it crashed. Will try again, but so far I haven’t succeeded. I suggest we would need one SBOM based on a linux distro, like Debian and one more generic based on C code and the versions of libraries we recommend. I have tried to add pointers to the various third party dependencies in the READMEs over the years in a somewhat unstructured effort, but the information is there. Maybe we can add the dependencies in a way that’s parseable in order to build an SBOM. C code doesn’t have package management like Python, Perl, Go and others so it’s tricky to automate creation of SBOMs. I think that the SBOM tree for the source code and dependencies would grow quite large. Anyway - at this time, I failed. :-)

Maybe leveraging ldd in a first phase can help building the chain of dependencies: $ ldd src/kamailio linux-vdso.so.1 (0x0000ffff91745000) libm.so.6 => /lib/aarch64-linux-gnu/libm.so.6 (0x0000ffff90f30000) libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff90d80000) /lib/ld-linux-aarch64.so.1 (0x0000ffff9170c000) $ ldd src/modules/tls/tls.so linux-vdso.so.1 (0x0000ffff96e5d000) libssl.so.3 => /lib/aarch64-linux-gnu/libssl.so.3 (0x0000ffff96ca0000) libcrypto.so.3 => /lib/aarch64-linux-gnu/libcrypto.so.3 (0x0000ffff968b0000) libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff96700000) /lib/ld-linux-aarch64.so.1 (0x0000ffff96e24000) $ ldd /lib/aarch64-linux-gnu/libcrypto.so.3 linux-vdso.so.1 (0x0000ffff9952c000) libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff98f50000) /lib/ld-linux-aarch64.so.1 (0x0000ffff994f3000) Might take some time, a matter of what modules are used, but if really needed, the process should be doable manually. Cheers, Daniel -- Daniel-Constantin Mierla (@ asipto.com) twitter.com/miconda -- linkedin.com/in/miconda Kamailio Consultancy and Development Services Kamailio Advanced Training - Online - Nov 14-16, 2023 -- asipto.com

Reply

Carsten Bock

29 Sep 29 Sep

5:02 p.m.

Hi, We are using that "ldd" approach for our Docker containers: We are running ldd on the Kamailio binary and the modules from config (may vary - depending on system) and use that result to create a slim Kamailio Container "from scratch" - without any operating system. Thanks, Carsten -- Carsten Bock I Chief Technology Innovation Officer & Founder ng-voice GmbH Trostbrücke 1 I 20457 Hamburg I Germany T +49 1511 5942983 I www.ng-voice.com Registry Office at Local Court Hamburg, HRB 120189 Managing Directors: Dr. David Bachmann, Carsten Bock, Quirin Maderspacher Am Do., 28. Sept. 2023 um 19:22 Uhr schrieb Daniel-Constantin Mierla via sr-users <sr-users(a)lists.kamailio.org>rg>:

On 28.09.23 13:13, Olle E. Johansson via sr-users wrote: On 28 Sep 2023, at 12:36, Ivan Ribakov via sr-users <sr-users(a)lists.kamailio.org> <sr-users(a)lists.kamailio.org> wrote: Hi Olle, Yes, I realised by now that taking enabled Kamailio modules into account when generating SBOM is too much to ask. I'd be ok with obtaining full list of Kamailio dependencies (with transitive dependencies if possible) and then manually filtering them based on module usage. Not sure if at any point during Kamailio build process all sources + dependency sources/binaries are present in the system for scanning/identification? I'm mainly interested in listing (and validating licenses) and having a general inventory. Any recommendations? I did try a beta of a tool in cyclonedx toolset for scanning C files and it crashed. Will try again, but so far I haven’t succeeded. I suggest we would need one SBOM based on a linux distro, like Debian and one more generic based on C code and the versions of libraries we recommend. I have tried to add pointers to the various third party dependencies in the READMEs over the years in a somewhat unstructured effort, but the information is there. Maybe we can add the dependencies in a way that’s parseable in order to build an SBOM. C code doesn’t have package management like Python, Perl, Go and others so it’s tricky to automate creation of SBOMs. I think that the SBOM tree for the source code and dependencies would grow quite large. Anyway - at this time, I failed. :-) Maybe leveraging ldd in a first phase can help building the chain of dependencies: $ ldd src/kamailio linux-vdso.so.1 (0x0000ffff91745000) libm.so.6 => /lib/aarch64-linux-gnu/libm.so.6 (0x0000ffff90f30000) libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff90d80000) /lib/ld-linux-aarch64.so.1 (0x0000ffff9170c000) $ ldd src/modules/tls/tls.so linux-vdso.so.1 (0x0000ffff96e5d000) libssl.so.3 => /lib/aarch64-linux-gnu/libssl.so.3 (0x0000ffff96ca0000) libcrypto.so.3 => /lib/aarch64-linux-gnu/libcrypto.so.3 (0x0000ffff968b0000) libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff96700000) /lib/ld-linux-aarch64.so.1 (0x0000ffff96e24000) $ ldd /lib/aarch64-linux-gnu/libcrypto.so.3 linux-vdso.so.1 (0x0000ffff9952c000) libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff98f50000) /lib/ld-linux-aarch64.so.1 (0x0000ffff994f3000) Might take some time, a matter of what modules are used, but if really needed, the process should be doable manually. Cheers, Daniel -- Daniel-Constantin Mierla (@ asipto.com)twitter.com/miconda -- linkedin.com/in/miconda Kamailio Consultancy and Development Services Kamailio Advanced Training - Online - Nov 14-16, 2023 -- asipto.com __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:

Reply

Sergey Safarov

9:40 p.m.

Here a example of function used to pool lib dependency https://github.com/kamailio/kamailio-ci/blob/master/alpine/build.sh#L80-L103 On Fri, Sep 29, 2023 at 5:41 PM Carsten Bock via sr-users < sr-users(a)lists.kamailio.org> wrote:

Hi, We are using that "ldd" approach for our Docker containers: We are running ldd on the Kamailio binary and the modules from config (may vary - depending on system) and use that result to create a slim Kamailio Container "from scratch" - without any operating system. Thanks, Carsten -- Carsten Bock I Chief Technology Innovation Officer & Founder ng-voice GmbH Trostbrücke 1 I 20457 Hamburg I Germany T +49 1511 5942983 I www.ng-voice.com Registry Office at Local Court Hamburg, HRB 120189 Managing Directors: Dr. David Bachmann, Carsten Bock, Quirin Maderspacher Am Do., 28. Sept. 2023 um 19:22 Uhr schrieb Daniel-Constantin Mierla via sr-users <sr-users(a)lists.kamailio.org>rg>:

On 28.09.23 13:13, Olle E. Johansson via sr-users wrote: On 28 Sep 2023, at 12:36, Ivan Ribakov via sr-users <sr-users(a)lists.kamailio.org> <sr-users(a)lists.kamailio.org> wrote: Hi Olle, Yes, I realised by now that taking enabled Kamailio modules into account when generating SBOM is too much to ask. I'd be ok with obtaining full list of Kamailio dependencies (with transitive dependencies if possible) and then manually filtering them based on module usage. Not sure if at any point during Kamailio build process all sources + dependency sources/binaries are present in the system for scanning/identification? I'm mainly interested in listing (and validating licenses) and having a general inventory. Any recommendations? I did try a beta of a tool in cyclonedx toolset for scanning C files and it crashed. Will try again, but so far I haven’t succeeded. I suggest we would need one SBOM based on a linux distro, like Debian and one more generic based on C code and the versions of libraries we recommend. I have tried to add pointers to the various third party dependencies in the READMEs over the years in a somewhat unstructured effort, but the information is there. Maybe we can add the dependencies in a way that’s parseable in order to build an SBOM. C code doesn’t have package management like Python, Perl, Go and others so it’s tricky to automate creation of SBOMs. I think that the SBOM tree for the source code and dependencies would grow quite large. Anyway - at this time, I failed. :-) Maybe leveraging ldd in a first phase can help building the chain of dependencies: $ ldd src/kamailio linux-vdso.so.1 (0x0000ffff91745000) libm.so.6 => /lib/aarch64-linux-gnu/libm.so.6 (0x0000ffff90f30000) libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff90d80000) /lib/ld-linux-aarch64.so.1 (0x0000ffff9170c000) $ ldd src/modules/tls/tls.so linux-vdso.so.1 (0x0000ffff96e5d000) libssl.so.3 => /lib/aarch64-linux-gnu/libssl.so.3 (0x0000ffff96ca0000) libcrypto.so.3 => /lib/aarch64-linux-gnu/libcrypto.so.3 (0x0000ffff968b0000) libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff96700000) /lib/ld-linux-aarch64.so.1 (0x0000ffff96e24000) $ ldd /lib/aarch64-linux-gnu/libcrypto.so.3 linux-vdso.so.1 (0x0000ffff9952c000) libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff98f50000) /lib/ld-linux-aarch64.so.1 (0x0000ffff994f3000) Might take some time, a matter of what modules are used, but if really needed, the process should be doable manually. Cheers, Daniel -- Daniel-Constantin Mierla (@ asipto.com)twitter.com/miconda -- linkedin.com/in/miconda Kamailio Consultancy and Development Services Kamailio Advanced Training - Online - Nov 14-16, 2023 -- asipto.com __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:

__________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:

Reply

Ivan Ribakov

30 Sep 30 Sep

12:12 p.m.

Thanks Sergey, looks like exactly what I was looking for! Now just need to solve the dependency source version problem... -- Ivan Ribakov Software Engineer www.zaleos.net On Fri, 29 Sept 2023 at 20:59, Sergey Safarov via sr-users < sr-users(a)lists.kamailio.org> wrote:

Here a example of function used to pool lib dependency https://github.com/kamailio/kamailio-ci/blob/master/alpine/build.sh#L80-L103 On Fri, Sep 29, 2023 at 5:41 PM Carsten Bock via sr-users < sr-users(a)lists.kamailio.org> wrote:

Hi, We are using that "ldd" approach for our Docker containers: We are running ldd on the Kamailio binary and the modules from config (may vary - depending on system) and use that result to create a slim Kamailio Container "from scratch" - without any operating system. Thanks, Carsten -- Carsten Bock I Chief Technology Innovation Officer & Founder ng-voice GmbH Trostbrücke 1 I 20457 Hamburg I Germany T +49 1511 5942983 I www.ng-voice.com Registry Office at Local Court Hamburg, HRB 120189 Managing Directors: Dr. David Bachmann, Carsten Bock, Quirin Maderspacher Am Do., 28. Sept. 2023 um 19:22 Uhr schrieb Daniel-Constantin Mierla via sr-users <sr-users(a)lists.kamailio.org>rg>:

On 28.09.23 13:13, Olle E. Johansson via sr-users wrote: On 28 Sep 2023, at 12:36, Ivan Ribakov via sr-users <sr-users(a)lists.kamailio.org> <sr-users(a)lists.kamailio.org> wrote: Hi Olle, Yes, I realised by now that taking enabled Kamailio modules into account when generating SBOM is too much to ask. I'd be ok with obtaining full list of Kamailio dependencies (with transitive dependencies if possible) and then manually filtering them based on module usage. Not sure if at any point during Kamailio build process all sources + dependency sources/binaries are present in the system for scanning/identification? I'm mainly interested in listing (and validating licenses) and having a general inventory. Any recommendations? I did try a beta of a tool in cyclonedx toolset for scanning C files and it crashed. Will try again, but so far I haven’t succeeded. I suggest we would need one SBOM based on a linux distro, like Debian and one more generic based on C code and the versions of libraries we recommend. I have tried to add pointers to the various third party dependencies in the READMEs over the years in a somewhat unstructured effort, but the information is there. Maybe we can add the dependencies in a way that’s parseable in order to build an SBOM. C code doesn’t have package management like Python, Perl, Go and others so it’s tricky to automate creation of SBOMs. I think that the SBOM tree for the source code and dependencies would grow quite large. Anyway - at this time, I failed. :-) Maybe leveraging ldd in a first phase can help building the chain of dependencies: $ ldd src/kamailio linux-vdso.so.1 (0x0000ffff91745000) libm.so.6 => /lib/aarch64-linux-gnu/libm.so.6 (0x0000ffff90f30000) libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff90d80000) /lib/ld-linux-aarch64.so.1 (0x0000ffff9170c000) $ ldd src/modules/tls/tls.so linux-vdso.so.1 (0x0000ffff96e5d000) libssl.so.3 => /lib/aarch64-linux-gnu/libssl.so.3 (0x0000ffff96ca0000) libcrypto.so.3 => /lib/aarch64-linux-gnu/libcrypto.so.3 (0x0000ffff968b0000) libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff96700000) /lib/ld-linux-aarch64.so.1 (0x0000ffff96e24000) $ ldd /lib/aarch64-linux-gnu/libcrypto.so.3 linux-vdso.so.1 (0x0000ffff9952c000) libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff98f50000) /lib/ld-linux-aarch64.so.1 (0x0000ffff994f3000) Might take some time, a matter of what modules are used, but if really needed, the process should be doable manually. Cheers, Daniel -- Daniel-Constantin Mierla (@ asipto.com)twitter.com/miconda -- linkedin.com/in/miconda Kamailio Consultancy and Development Services Kamailio Advanced Training - Online - Nov 14-16, 2023 -- asipto.com __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:

__________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:

__________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:

Reply

Ivan Ribakov

12:09 p.m.

That's a neat trick, Carsten. Thanks for sharing! -- Ivan Ribakov Software Engineer www.zaleos.net On Fri, 29 Sept 2023 at 16:29, Carsten Bock via sr-users < sr-users(a)lists.kamailio.org> wrote:

Hi, We are using that "ldd" approach for our Docker containers: We are running ldd on the Kamailio binary and the modules from config (may vary - depending on system) and use that result to create a slim Kamailio Container "from scratch" - without any operating system. Thanks, Carsten -- Carsten Bock I Chief Technology Innovation Officer & Founder ng-voice GmbH Trostbrücke 1 I 20457 Hamburg I Germany T +49 1511 5942983 I www.ng-voice.com Registry Office at Local Court Hamburg, HRB 120189 Managing Directors: Dr. David Bachmann, Carsten Bock, Quirin Maderspacher Am Do., 28. Sept. 2023 um 19:22 Uhr schrieb Daniel-Constantin Mierla via sr-users <sr-users(a)lists.kamailio.org>rg>:

On 28.09.23 13:13, Olle E. Johansson via sr-users wrote: On 28 Sep 2023, at 12:36, Ivan Ribakov via sr-users <sr-users(a)lists.kamailio.org> <sr-users(a)lists.kamailio.org> wrote: Hi Olle, Yes, I realised by now that taking enabled Kamailio modules into account when generating SBOM is too much to ask. I'd be ok with obtaining full list of Kamailio dependencies (with transitive dependencies if possible) and then manually filtering them based on module usage. Not sure if at any point during Kamailio build process all sources + dependency sources/binaries are present in the system for scanning/identification? I'm mainly interested in listing (and validating licenses) and having a general inventory. Any recommendations? I did try a beta of a tool in cyclonedx toolset for scanning C files and it crashed. Will try again, but so far I haven’t succeeded. I suggest we would need one SBOM based on a linux distro, like Debian and one more generic based on C code and the versions of libraries we recommend. I have tried to add pointers to the various third party dependencies in the READMEs over the years in a somewhat unstructured effort, but the information is there. Maybe we can add the dependencies in a way that’s parseable in order to build an SBOM. C code doesn’t have package management like Python, Perl, Go and others so it’s tricky to automate creation of SBOMs. I think that the SBOM tree for the source code and dependencies would grow quite large. Anyway - at this time, I failed. :-) Maybe leveraging ldd in a first phase can help building the chain of dependencies: $ ldd src/kamailio linux-vdso.so.1 (0x0000ffff91745000) libm.so.6 => /lib/aarch64-linux-gnu/libm.so.6 (0x0000ffff90f30000) libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff90d80000) /lib/ld-linux-aarch64.so.1 (0x0000ffff9170c000) $ ldd src/modules/tls/tls.so linux-vdso.so.1 (0x0000ffff96e5d000) libssl.so.3 => /lib/aarch64-linux-gnu/libssl.so.3 (0x0000ffff96ca0000) libcrypto.so.3 => /lib/aarch64-linux-gnu/libcrypto.so.3 (0x0000ffff968b0000) libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff96700000) /lib/ld-linux-aarch64.so.1 (0x0000ffff96e24000) $ ldd /lib/aarch64-linux-gnu/libcrypto.so.3 linux-vdso.so.1 (0x0000ffff9952c000) libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff98f50000) /lib/ld-linux-aarch64.so.1 (0x0000ffff994f3000) Might take some time, a matter of what modules are used, but if really needed, the process should be doable manually. Cheers, Daniel -- Daniel-Constantin Mierla (@ asipto.com)twitter.com/miconda -- linkedin.com/in/miconda Kamailio Consultancy and Development Services Kamailio Advanced Training - Online - Nov 14-16, 2023 -- asipto.com __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:

__________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:

Reply

421

days inactive

424

days old

sr-users@lists.kamailio.org

Manage subscription

10 comments

6 participants

tags (0)

participants (6)

Carsten Bock
Daniel-Constantin Mierla
Henning Westerholt
Ivan Ribakov
Olle E. Johansson
Sergey Safarov