Hi, We are using that "ldd" approach for our Docker containers: We are running ldd on the Kamailio binary and the modules from config (may vary - depending on system) and use that result to create a slim Kamailio Container "from scratch" - without any operating system.
Thanks, Carsten -- Carsten Bock I Chief Technology Innovation Officer & Founder ng-voice GmbH Trostbrücke 1 I 20457 Hamburg I Germany T +49 1511 5942983 I www.ng-voice.com Registry Office at Local Court Hamburg, HRB 120189 Managing Directors: Dr. David Bachmann, Carsten Bock, Quirin Maderspacher Am Do., 28. Sept. 2023 um 19:22 Uhr schrieb Daniel-Constantin Mierla via sr-users <[email protected]>: > > On 28.09.23 13:13, Olle E. Johansson via sr-users wrote: > > > > On 28 Sep 2023, at 12:36, Ivan Ribakov via sr-users > <[email protected]> <[email protected]> wrote: > > Hi Olle, > > Yes, I realised by now that taking enabled Kamailio modules into account > when generating SBOM is too much to ask. I'd be ok with obtaining full list > of Kamailio dependencies (with transitive dependencies if possible) and > then manually filtering them based on module usage. Not sure if at any > point during Kamailio build process all sources + dependency > sources/binaries are present in the system for scanning/identification? > > I'm mainly interested in listing (and validating licenses) and having a > general inventory. Any recommendations? > > I did try a beta of a tool in cyclonedx toolset for scanning C files and > it crashed. Will try again, but so far I haven’t succeeded. > I suggest we would need one SBOM based on a linux distro, like Debian and > one > more generic based on C code and the versions of libraries we recommend. I > have tried to add pointers to the various > third party dependencies in the READMEs over the years in a somewhat > unstructured effort, but the information is there. > Maybe we can add the dependencies in a way that’s parseable in order to > build an SBOM. > > C code doesn’t have package management like Python, Perl, Go and others so > it’s tricky to automate creation of SBOMs. > > I think that the SBOM tree for the source code and dependencies would grow > quite large. > > Anyway - at this time, I failed. :-) > > Maybe leveraging ldd in a first phase can help building the chain of > dependencies: > > $ ldd src/kamailio > linux-vdso.so.1 (0x0000ffff91745000) > libm.so.6 => /lib/aarch64-linux-gnu/libm.so.6 (0x0000ffff90f30000) > libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff90d80000) > /lib/ld-linux-aarch64.so.1 (0x0000ffff9170c000) > > $ ldd src/modules/tls/tls.so > linux-vdso.so.1 (0x0000ffff96e5d000) > libssl.so.3 => /lib/aarch64-linux-gnu/libssl.so.3 (0x0000ffff96ca0000) > libcrypto.so.3 => /lib/aarch64-linux-gnu/libcrypto.so.3 > (0x0000ffff968b0000) > libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff96700000) > /lib/ld-linux-aarch64.so.1 (0x0000ffff96e24000) > > $ ldd /lib/aarch64-linux-gnu/libcrypto.so.3 > linux-vdso.so.1 (0x0000ffff9952c000) > libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff98f50000) > /lib/ld-linux-aarch64.so.1 (0x0000ffff994f3000) > > Might take some time, a matter of what modules are used, but if really > needed, the process should be doable manually. > > Cheers, > Daniel > > -- > Daniel-Constantin Mierla (@ asipto.com)twitter.com/miconda -- > linkedin.com/in/miconda > Kamailio Consultancy and Development Services > Kamailio Advanced Training - Online - Nov 14-16, 2023 -- asipto.com > > __________________________________________________________ > Kamailio - Users Mailing List - Non Commercial Discussions > To unsubscribe send an email to [email protected] > Important: keep the mailing list in the recipients, do not reply only to > the sender! > Edit mailing list options or unsubscribe: >
__________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to [email protected] Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
