List of the libs and component versions used in applications
Hi all, we're currently looking for a list of the libs and component versions used in our applications. The background is that we would like to know if the application uses potentially insecure or deprecated libs. We also can't find any indication under "environment" and app settings where the security status is checked. Is there any option to generate a libs list (i.e. an SBOM, software bill of materials) or at least see an appropriate indicator somewhere? (logs etc.)

SOLUTION IS: If you want to generate an SBOM of all the libraries used in an app, it can be done with a well-supported OSS tool called syft (https://github.com/anchore/syft). For example, for an .mda file you can do:

    unzip app.mda -d deployment
    syft dir:deployment -o cyclonedx-json > sbom.cyclonedx.json

If you want to get a vulnerability list, run grype (by the same creators as syft, https://github.com/anchore/grype):

    grype sbom.cyclonedx.json -o cyclonedx-json > vuln.cyclonedx.json

OR

    grype dir:deployment

It takes seconds and works just fine. We've found some criticals and updated affected libs accordingly. Hope that information is helpful for the community.
You can use the Mendix SDK to identify components of your application, if you wish. An easier way to identify potential vulnerable components is to scan parts of a built Mendix package. So for instance, you could build the application using the Mendix Docker Buildpack and scan the image using tools such as Snyk or Trivy.
Couple of things to keep in mind:
userlib dependencies are installed with marketplace components, which means you and your team have control over them in terms of updating and/or removing old dependencies;
runtime folder vulnerabilities are not in your control as a third party, but you ARE informed by scanning them, meaning you can either make your own assessment or ask Mendix Support;
the Mendix Docker Buildpack might generate files which are otherwise not present in deployed Mendix apps in the Mendix cloud, so be aware of potential false positives.
Sebastiaan den Boer
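The following script is an added example and is not code from this thread, from Mendix or from the syft/grype project. It serves both the grype procedure in the question's solution and the userlib/runtime distinction in the answer above: it reads the vuln.cyclonedx.json that `grype sbom.cyclonedx.json -o cyclonedx-json` writes, joins each vulnerability to the component it affects, keeps only findings at or above a severity threshold, and splits them into ones found under userlib/ (your team's marketplace dependencies) and ones under runtime/ (Mendix-controlled), so a CI job can fail on the findings you actually own. It assumes the CycloneDX 1.4+ layout grype emits (components[].bom-ref, vulnerabilities[].ratings[].severity, vulnerabilities[].affects[].ref) and that syft records the file it found each component in under the component property syft:location:0:path; that property name, the script filename triage_grype.py and the embedded sample report (placeholder library names and advisory IDs, constructed for the example) are assumptions, not taken from the page.

```python
"""Triage a grype CycloneDX-JSON report for a Mendix deployment (added example).

Usage: python triage_grype.py vuln.cyclonedx.json
With no argument it runs against the constructed SAMPLE_REPORT below.
"""
import json
import sys

# Severity ladder used to rank and threshold findings (CycloneDX rating values are lowercase).
SEVERITY_ORDER = {"unknown": 0, "none": 0, "info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumption: syft records where it found a component in a property with this name.
# Check the "properties" of a component in your own sbom.cyclonedx.json and adjust if needed.
LOCATION_PROPERTY = "syft:location:0:path"

# Constructed sample in the shape grype's cyclonedx-json output uses. Library names and
# advisory IDs are placeholders, not real libraries or real vulnerabilities.
SAMPLE_REPORT = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:maven/example/json-tool@1.0.0", "name": "json-tool", "version": "1.0.0",
         "properties": [{"name": LOCATION_PROPERTY, "value": "userlib/json-tool-1.0.0.jar"}]},
        {"bom-ref": "pkg:maven/example/runtime-core@2.3.4", "name": "runtime-core", "version": "2.3.4",
         "properties": [{"name": LOCATION_PROPERTY, "value": "runtime/bundles/runtime-core-2.3.4.jar"}]},
        {"bom-ref": "pkg:maven/example/clean-lib@5.0.0", "name": "clean-lib", "version": "5.0.0",
         "properties": [{"name": LOCATION_PROPERTY, "value": "userlib/clean-lib-5.0.0.jar"}]},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001",
         "ratings": [{"severity": "critical", "method": "CVSSv31"}, {"severity": "high", "method": "other"}],
         "affects": [{"ref": "pkg:maven/example/json-tool@1.0.0"}]},
        {"id": "EXAMPLE-0002", "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "pkg:maven/example/runtime-core@2.3.4"}]},
        {"id": "EXAMPLE-0003", "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:maven/example/runtime-core@2.3.4"}]},
        {"id": "EXAMPLE-0004", "ratings": [{"severity": "low"}],
         "affects": [{"ref": "pkg:maven/example/clean-lib@5.0.0"}]},
    ],
}


def worst_severity(vuln):
    """Highest severity among a vulnerability's ratings (grype may list several sources)."""
    sevs = [r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])]
    return max(sevs, key=lambda s: SEVERITY_ORDER.get(s, 0), default="unknown")


def component_path(comp, prop=LOCATION_PROPERTY):
    """Path the scanner recorded for the component, or '' if the property is absent."""
    for p in comp.get("properties", []):
        if p.get("name") == prop:
            return p.get("value", "")
    return ""


def owner_of(path):
    """Who can fix a finding at this path: your team (userlib), Mendix (runtime), or unclear."""
    if path.startswith("userlib/"):
        return "userlib"
    if path.startswith("runtime/"):
        return "runtime"
    return "other"


def triage(report, min_severity="high"):
    """Join vulnerabilities to affected components and keep those at or above min_severity."""
    comps = {c["bom-ref"]: c for c in report.get("components", []) if "bom-ref" in c}
    threshold = SEVERITY_ORDER[min_severity]
    findings = []
    for v in report.get("vulnerabilities", []):
        sev = worst_severity(v)
        if SEVERITY_ORDER.get(sev, 0) < threshold:
            continue
        for a in v.get("affects", []):
            c = comps.get(a.get("ref"))
            if c is None:  # dangling ref: nothing to attribute it to
                continue
            path = component_path(c)
            findings.append({"id": v.get("id"), "severity": sev, "path": path, "owner": owner_of(path),
                             "component": f"{c.get('name')}@{c.get('version')}"})
    return sorted(findings, key=lambda f: (-SEVERITY_ORDER[f["severity"]], f["component"]))


def by_owner(findings):
    """Group findings so userlib (yours to fix) and runtime (ask Mendix) are read separately."""
    groups = {}
    for f in findings:
        groups.setdefault(f["owner"], []).append(f)
    return groups


def should_fail_build(findings, fail_on="critical", owners=("userlib",)):
    """True when a finding at or above fail_on sits in a directory your team is responsible for."""
    bar = SEVERITY_ORDER[fail_on]
    return any(SEVERITY_ORDER[f["severity"]] >= bar and f["owner"] in owners for f in findings)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    found = triage(report, "high")
    for owner, items in by_owner(found).items():
        print(f"[{owner}]")
        for f in items:
            print(f"  {f['severity']:<8} {f['id']:<16} {f['component']}  ({f['path']})")
    sys.exit(1 if should_fail_build(found) else 0)
```

Run against a real report, the exit status makes the script usable as a CI gate: a critical finding under userlib/ fails the build, while runtime/ findings are printed for a ticket to Mendix Support but do not block, matching the split the answer above describes.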
I think you should only worry about the ones in your project userlib directory because they are out of Mendix control. And those you can easily check yourself.