Skip to content
This repository has been archived by the owner on Nov 29, 2024. It is now read-only.

Files

Latest commit

35b5446 · Jan 23, 2023

History

History
45 lines (37 loc) · 2.82 KB

SBOM.md

File metadata and controls

45 lines (37 loc) · 2.82 KB

Introduction

This page lists ALL software, including dependencies, of the production releases of eduVPN / Let's Connect! It does not include installation or maintenance scripts, not components that we consider part of the operating system, e.g.: OpenVPN, WireGuard, Apache, PHP, Go, which we use without modification.

It is an initial attempt to create an SBOM.

Component Description Tag/Branch Language LoC*
vpn-user-portal User Portal / API 3.3.0 PHP 12281
vpn-server-node Node 3.0.2 PHP 1028
php-secookie Cookie/session library 6.1.0 PHP 835
php-oauth2-server OAuth 2.0 server 7.4.0 PHP 2169
vpn-daemon Manages VPN connections on Node main Go 380
vpn-ca X.509 Server/Client Cert CA main Go 263
wgctrl-go WireGuard Go Library master Go ?

We do not list the dependencies of wgctrl-go, there are many (indirect) ones. It is not exactly clear to me which ones are actually used. We vendor wgctrl-go (and its dependencies) in the vpn-daemon releases, see the make_release.sh script in the vpn-daemon project.

We create Fedora / Enterprise Linux and Debian / Ubuntu packages. The packages are created using builder.rpm and nbuilder.deb. The package descriptions can be found by appending .rpm or .deb behind the repository name of the "Component" listed above.

What is also missing is the PHP autoloader that is used when packaging the software for Fedora and Enterprise Linux, and phpab which is used both there and by the Debian/Ubuntu packages. We also omit the development dependencies, like PHPUnit for running unit tests.

* For PHP we use phploc and look in the output for NCLOC. For Go code we use cloc. All projects (except wgctrl-go) include a Makefile target sloc that can be used to reproduce these values.

Last Updated: 2023-01-23