September 13-16, 2022
Dublin, Ireland + Virtual

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Open Source Summit Europe 2022 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Irish Standard Time (UTC +1).

Thursday, September 15 • 11:00 - 11:40
Zero-Configuration Runtime Software Component Detection - Inhyeok Jang, The Affiliated Institute of ETRI

SBOM has received significant attention due to recent incidents, and many tools and resources now exist for generating one. However, detecting which software is actually running in an operating environment remains an unresolved problem. Although Apache patched the Log4Shell vulnerability last year, many applications and systems are still vulnerable. Detection and remediation become more challenging when an application embeds a vulnerable software component buried in long dependency chains. In this talk, Inhyeok Jang shows how to determine whether vulnerable software is running on your systems and applications. In particular, he uses eBPF to detect which version of a software component of interest, such as Log4j or Spring Core, is in use on a running system, without any initial configuration for each application. To this end, he will show what information needs to be obtained from the kernel when a Java application is executed. He also explains how to process the data collected from the Linux kernel in userspace to extract Java Archive information such as title and version. Using the implemented runtime Java component detector, he checks whether vulnerable versions of the component are used in container images in a public repository and discusses the results.

Speakers
Inhyeok Jang

Senior Researcher, The Affiliated Institute of ETRI
Inhyeok Jang is a senior security researcher at the Affiliated Institute of Electronics and Telecommunications Research Institute. He has a particular interest in container runtime security, currently focusing on kernel instrumentation using eBPF.



Thursday September 15, 2022 11:00 - 11:40 IST
Liffey Meeting Room 3 (Level 1)