Add nextcloud server cataloger #3458

@westonsteimel

Description

What would you like to be added:

It would be useful if syft could support cataloging installations of nextcloud server

Why is this needed:

There are quite a few vulnerabilities coming through in my enrichment data, some for nextcloud server itself, and others for specific nextcloud apps. It would be great to properly surface these in the sbom and then be able to properly match against available vulnerability data

Additional context:
#3459 is for tracking apps that are installed to the nextcloud server

Detecting the actual server install and version is going to be somewhat tricky.

Looking at https://download.nextcloud.com/server/releases/nextcloud-30.0.2.zip

At the root of the server install directory is a version.php file which we can probably extract the version from:

cat nextcloud/version.php
<?php
$OC_Version = array(30,0,2,2);
$OC_VersionString = '30.0.2';
$OC_Edition = '';
$OC_Channel = 'stable';
$OC_VersionCanBeUpgradedFrom = array (
  'nextcloud' =>
  array (
    '29.0' => true,
    '30.0' => true,
  ),
  'owncloud' =>
  array (
    '10.13' => true,
  ),
);
$OC_Build = '2024-11-07T08:40:34+00:00 c23cdf609c38966f00fd44866086767eb7d5f1b2';
$vendor = 'nextcloud';

This also seems to be true for at least some older versions of nextcloud server (I peeked at 21.0.0, but have not gone further back than that)

I'm less sure how to detect that this is nextcloud server, though; maybe based on having some expected folder structure or another of the php files?

In the most recent versions there seems to be a package.json file which could be used to identify that this is nextcloud server, but note the version is always set to 1.0.0, so we should ignore that part and parse the version from the version.php file.

There is also an "enterprise" variant which I have not found any installable artifacts for, but as far as I've been able to tell so far it just contains security backports for older versions, so for instance they released version 26.0.13.3 as a security fix whereas the last non-enterprise version available was 26.0.13.
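The detection and parsing approach sketched in the issue, as an added example in Go (syft's language). This is not syft code and not part of the issue: the record type, the in-memory path-to-contents map standing in for syft's file resolver, and the sample tree are all this example's own. It takes the version from $OC_VersionString only, rejects a version.php whose $vendor is not nextcloud (the assumption being that an ownCloud install ships a similar file with a different $vendor), never reads the version from a sibling package.json, and handles the four-component enterprise-style version string such as 26.0.13.3 because the version is kept as the literal string.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"sort"
	"strings"
)

// NextcloudServer is the record this example emits per detected install.
// The field set is this example's own, not syft's package metadata type.
type NextcloudServer struct {
	Location string // path of the version.php the record came from
	Version  string // $OC_VersionString, e.g. "30.0.2" or the enterprise-style "26.0.13.3"
	Channel  string // $OC_Channel, e.g. "stable"
	Build    string // $OC_Build: build date plus commit hash
	Vendor   string // $vendor, expected to be "nextcloud"
}

// phpString builds a regexp for one PHP assignment of the form $NAME = '...';
func phpString(name string) *regexp.Regexp {
	return regexp.MustCompile(`(?m)^\$` + name + `\s*=\s*'([^']*)'\s*;`)
}

var (
	reVersionString = phpString("OC_VersionString")
	reChannel       = phpString("OC_Channel")
	reBuild         = phpString("OC_Build")
	reVendor        = phpString("vendor")
)

func firstGroup(re *regexp.Regexp, s string) string {
	if m := re.FindStringSubmatch(s); m != nil {
		return m[1]
	}
	return ""
}

// ParseVersionPHP extracts the fields a cataloger needs from version.php.
// The $OC_Version 4-tuple (e.g. array(30,0,2,2)) is deliberately not used:
// it is not the version Nextcloud publishes releases under, so matching
// against vulnerability data on it would be wrong.
func ParseVersionPHP(location, contents string) (NextcloudServer, error) {
	s := NextcloudServer{
		Location: location,
		Version:  firstGroup(reVersionString, contents),
		Channel:  firstGroup(reChannel, contents),
		Build:    firstGroup(reBuild, contents),
		Vendor:   firstGroup(reVendor, contents),
	}
	if s.Vendor != "nextcloud" { // assumption: ownCloud's version.php carries a different $vendor
		return s, fmt.Errorf("%s: vendor %q is not nextcloud", location, s.Vendor)
	}
	if s.Version == "" {
		return s, fmt.Errorf("%s: no $OC_VersionString found", location)
	}
	return s, nil
}

// Detect walks a path->contents map (a stand-in for the file resolver a syft
// cataloger is given) and returns one record per version.php that parses as a
// Nextcloud server. A sibling package.json is ignored entirely: its "version"
// is always 1.0.0 and must not be mistaken for the server version.
func Detect(files map[string]string) []NextcloudServer {
	var out []NextcloudServer
	for p, contents := range files {
		if path.Base(p) != "version.php" {
			continue
		}
		if s, err := ParseVersionPHP(p, contents); err == nil {
			out = append(out, s)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Location < out[j].Location })
	return out
}

// SampleVersionPHP is the version.php from nextcloud-30.0.2.zip as quoted in the issue.
const SampleVersionPHP = `<?php
$OC_Version = array(30,0,2,2);
$OC_VersionString = '30.0.2';
$OC_Edition = '';
$OC_Channel = 'stable';
$OC_VersionCanBeUpgradedFrom = array (
  'nextcloud' =>
  array (
    '29.0' => true,
    '30.0' => true,
  ),
  'owncloud' =>
  array (
    '10.13' => true,
  ),
);
$OC_Build = '2024-11-07T08:40:34+00:00 c23cdf609c38966f00fd44866086767eb7d5f1b2';
$vendor = 'nextcloud';
`

// SampleFiles is a constructed in-memory tree: the 30.0.2 install with a
// minimal package.json (version 1.0.0, to be ignored), an enterprise-style
// 26.0.13.3 install derived from the same file, and an assumed ownCloud-style
// version.php that must be skipped. Paths are made up for the example.
func SampleFiles() map[string]string {
	enterprise := strings.NewReplacer(
		"array(30,0,2,2)", "array(26,0,13,3)",
		"'30.0.2'", "'26.0.13.3'",
	).Replace(SampleVersionPHP)
	owncloud := strings.NewReplacer("$vendor = 'nextcloud';", "$vendor = 'owncloud';").Replace(SampleVersionPHP)
	return map[string]string{
		"/var/www/nextcloud/version.php":        SampleVersionPHP,
		"/var/www/nextcloud/package.json":       `{"version": "1.0.0"}`,
		"/opt/enterprise/nextcloud/version.php": enterprise,
		"/opt/owncloud/version.php":             owncloud,
	}
}

func main() {
	for _, s := range Detect(SampleFiles()) {
		fmt.Printf("%s: nextcloud-server %s (%s channel, build %s)\n", s.Location, s.Version, s.Channel, s.Build)
	}
}
```

Run as-is it reports the two Nextcloud installs and skips the ownCloud-style file. Anchoring the regexps to line starts with (?m) keeps them from matching the version strings inside $OC_VersionCanBeUpgradedFrom, and keeping the version as the literal string means an enterprise four-part version survives unchanged for later matching.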
