SBOM
The project comes with a reference suite, providing a simple static webserver.
Desired SBOM
Just add two lines
alpine-base
lighttpd #S
The two packages have several dependencies that originates how Alpine compile the source code
./configure --with-ldap --with-openssl --with-zstd --with-brotli --with-lua
To get all transitive dependencies according to CISA. iteration start until the resolver reports true.
Each iteration reports packages to be added to the desired SBOM. In this example four passes are required.
#
# This is the reference image
#
alpine-base
lighttpd #S
# Pass 1
openssl
brotli
openldap
lua5.4
zstd
# Pass 2
ncurses
libtool
cyrus-sasl
util-linux
# Pass 3
heimdal
# Pass 4
e2fsprogs
The APKBUILD for lighttpd could be modified to exclude dependencies For deployment in Kubernetes TLS is handled in api gateways/sidecar.
For deployment as standalone ldap and openssl may be needed. ECO systems with pre-compiled packages suites many use cases, but is not optimized for one specific.
Bom Resolver enables to start prototyping with existing packages and then customize to meet the requirements.
./configure
Software composition
Aggregations split large projects into smaller packages
- commands
- services
- libraries
- headers for development
- documentation
Format reports which library orginates from which package. This is useful for triage handling of vulnerabilities and also hardening.
"depends": {
"develop": {
"libbrotlienc.so.1": {
"parent": "brotli",
"child": "brotli-libs"
},
"libc.musl-x86_64.so.1": {
"parent": "musl"
},
"libcrypto.so.1.1": {
"parent": "openssl",
"child": "libcrypto1.1"
},
"libdbi.so.1": {
"parent": "libdbi"
},
"liblber.so.2": {
"parent": "openldap",
"child": "libldap"
},
"libldap.so.2": {
"parent": "openldap",
"child": "libldap"
},
"liblua-5.4.so.0": {
"parent": "lua5.4",
"child": "lua5.4-libs"
},
"libpcre2-8.so.0": {
"parent": "pcre2"
},
"libssl.so.1.1": {
"parent": "openssl",
"child": "libssl1.1"
},
"libz.so.1": {
"parent": "zlib"
},
"libzstd.so.1": {
"parent": "zstd",
"child": "zstd-libs"
}
},
Source code
The metadata is used for rebuild in isolation, therefore two locations are required.
- Location on Internet
- Where to store software for rebuild
The aggregation model supports vendor specific patches and local files not contributed to the upstream project.
"source": {
"external": {
"patch": [],
"code": [
{
"remote": {
"type": "generic",
"url": "https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.64.tar.xz"
},
"local": {
"type": "file",
"path": "main/lighttpd/lighttpd-1.4.64.tar.xz"
}
}
]
},
"internal": {
"code": [
{
"remote": {
"type": "git",
"commit": {
"hash": "1016b47723",
"tag": "v3.16.3"
},
"url": "git://git.alpinelinux.org/aports",
"path": "main/lighttpd/lighttpd.pre-install"
},
"local": {
"type": "file",
"path": "main/lighttpd/lighttpd.pre-install"
}
},
{
"remote": {
"type": "git",
"commit": {
"hash": "1016b47723",
"tag": "v3.16.3"
},
"url": "git://git.alpinelinux.org/aports",
"path": "main/lighttpd/lighttpd.pre-upgrade"
},
"local": {
"type": "file",
"path": "main/lighttpd/lighttpd.pre-upgrade"
}
},
{
"remote": {
"type": "git",
"commit": {
"hash": "1016b47723",
"tag": "v3.16.3"
},
"url": "git://git.alpinelinux.org/aports",
"path": "main/lighttpd/lighttpd.initd"
},
"local": {
"type": "file",
"path": "main/lighttpd/lighttpd.initd"
}
},
Source code
Bom resolver downloads all source code required to re-build, enabling complete scanning of code, contributions and patches.
├── lighttpd
│ ├── APKBUILD
│ ├── lighttpd-1.4.64.tar.xz
│ ├── lighttpd.conf
│ ├── lighttpd.confd
│ ├── lighttpd.initd
│ ├── lighttpd.logrotate
│ ├── lighttpd.pre-install
│ ├── lighttpd.pre-upgrade
│ ├── mime-types.conf
│ ├── mod_cgi.conf
│ ├── mod_fastcgi.conf
│ └── mod_fastcgi_fpm.conf
Vulnerabilities
For each release, all security fixes are listed in the APKBUILD
# secfixes:
# 1.4.64-r0:
# - CVE-2022-22707
This information is extracted and added to the complete SBOM.
"secfixes": {
"secfixes": {
"1.4.64-r0": [
"CVE-2022-22707"
]
}
}
Licenses
Combined with the software composition information, the legal impact could be analyzed in the right context.
- Is there any business critical internal code linked against a restrictive license ?
- Is this the software used as a command only ?
- Any patches applied during the build process ?
{
"license": "BSD-3-Clause"
}
Providence
The output could be further checked against OSSKB
Below lighttpd version 1.4..67 contains the core file ( server.c ) with hash 03a1d48410609b2bbd1ef7f01518e8f3
that is used by other linux vendors such as
- fedora
- opensuse
- redhat
- debian
This information is not needed for rebuild, but for legal and security analyze it contain usefule information
There are also other services that gather commit history. Commit id connected to users could also be checked against social media to find more about the contributer
# unpack the source package and then create fingerprint for everything inside lighttpd-1.4.64.tar.xz
src/server.c": [
{
"component": "lighttpd1.4",
"file": "server.c",
"file_hash": "03a1d48410609b2bbd1ef7f01518e8f3",
"file_url": "https://osskb.org/api/file_contents/03a1d48410609b2bbd1ef7f01518e8f3",
"id": "file",
"latest": "1.4.67",
"licenses": [
{
"checklist_url": "https://www.osadl.org/fileadmin/checklists/unreflicenses/BSD-3-Clause.txt",
"copyleft": "no",
"name": "BSD-3-Clause",
"osadl_updated": "2023-01-09T15:58:00+00:00",
"patent_hints": "no",
"source": "component_declared",
"url": "https://spdx.org/licenses/BSD-3-Clause.html"
},
{
"checklist_url": "https://www.osadl.org/fileadmin/checklists/unreflicenses/MIT.txt",
"copyleft": "no",
"name": "MIT",
"osadl_updated": "2023-01-09T15:58:00+00:00",
"patent_hints": "no",
"source": "license_file",
"url": "https://spdx.org/licenses/MIT.html"
},
{
"checklist_url": "https://www.osadl.org/fileadmin/checklists/unreflicenses/BSD-3-Clause.txt",
"copyleft": "no",
"name": "BSD-3-Clause",
"osadl_updated": "2023-01-09T15:58:00+00:00",
"patent_hints": "no",
"source": "license_file",
"url": "https://spdx.org/licenses/BSD-3-Clause.html"
},
{
"checklist_url": "https://www.osadl.org/fileadmin/checklists/unreflicenses/BSD-3-Clause.txt",
"copyleft": "no",
"name": "BSD-3-Clause",
"osadl_updated": "2023-01-09T15:58:00+00:00",
"patent_hints": "no",
"source": "scancode",
"url": "https://spdx.org/licenses/BSD-3-Clause.html"
}
],
"lines": "all",
"matched": "100%",
"oss_lines": "all",
"purl": [
"pkg:github/lighttpd/lighttpd1.4",
"pkg:rpm/fedora/lighttpd",
"pkg:rpm/opensuse/lighttpd",
"pkg:deb/debian/lighttpd",
"pkg:deb/ubuntu/lighttpd",
"pkg:github/lighttpd/lighttpd2"
],
"release_date": "2022-08-07",
"server": {
"kb_version": {
"daily": "23.02.08",
"monthly": "23.01"
},
"version": "5.2.3"
},
"source_hash": "03a1d48410609b2bbd1ef7f01518e8f3",
"status": "pending",
"url": "https://github.com/lighttpd/lighttpd1.4",
"url_hash": "691da43b083dfe143df300a09b88f2fc",
"vendor": "lighttpd",
"version": "lighttpd-1.4.66"
}
],
The source code is hosted on Github.