

# Amazon Inspector SBOM Generator comprehensive ecosystem collection
<a name="sbom-generator-ecosystem-collection"></a>

 The Amazon Inspector SBOM Generator is a tool for creating a software bill of materials (SBOM) and performing vulnerability scanning for supported packages from operating systems and programming languages. It supports the scanning of various ecosystems beyond core operating systems, ensuring a robust and detailed analysis of infrastructure components. By generating an SBOM, you can understand the composition of modern technology stacks, identify vulnerabilities in ecosystem components, and gain visibility into third-party software. 

## Supported ecosystems
<a name="w2aac37c25b5"></a>

 The ecosystem collection extends SBOM generation beyond packages installed through OS package managers. This is done through the collection of applications deployed in alternative methods, such as manual installation. The Amazon Inspector SBOM Generator supports scanning for the following ecosystems: 


| Ecosystems | Applications | 
| --- | --- | 
|   7-Zip   |   7-Zip archiver (version 21.07 and higher)   | 
|  Apache  |  Apache httpd, Apache tomcat  | 
|  Atlassian  |  Jira Core, Confluence, Jira Software, Jira Service Management  | 
| Curl |  Curl, Libcurl  | 
| Elasticsearch | Elasticsearch | 
|  Google  |  Chrome  | 
|  HuggingFace  |  HuggingFace CLI Models Cache  | 
|  Java  |  JDK, JRE, Amazon Corretto  | 
|   Jenkins   |   Jenkins (version 2.400.\$1 and higher)   | 
|  MariaDB and MySQL  |  MariaDB Server (10.6\$1, 11.x, 12.x), Oracle MySQL Server (8.0, 8.4, 9.4\$1)  | 
|  Microsoft applications  |  PowerShell, NuGet CLI, Visual Studio Code, Microsoft Edge, SharePoint Server, Microsoft Defender, Exchange Server, Visual Studio, .NET Core Runtime, .NET Framework, ASP.NET Core Runtime, Microsoft Teams, Outlook for Windows, Microsoft Office, Microsoft 365  | 
|  Microsoft SQL Server  |  Microsoft SQL Server  | 
|  MongoDB  |  MongoDB Server (7.0\$1, 8.0\$1)  | 
|  Nginx  |  Nginx  | 
|  Node  |  Node  | 
|  Node.JS  |  node  | 
|  OpenSSH  |  OpenSSH (versions 9 and 10)  | 
|  OpenSSL  |  OpenSSL  | 
|  Oracle  |  Oracle Database Server  | 
|   PHP   |   PHP (version 8.1 and higher)   | 
|   Redis   |   Redis (version 7.2 and higher)   | 
|  WordPress  |  core, plugin, theme  | 

## 7-Zip ecosystem collection
<a name="w2aac37c25b7"></a>

**Supported applications**
+  7-Zip archiver (version 21.07 or higher) 

**Key features**
+  Examines 7-Zip binaries to extract the embedded version information. 

**Note**  
 Specifically, it searches for the product version value from the binary. 

**Supported platforms – Windows**
+  `C:/Program Files/7-Zip/7z.exe` 
+  `C:/Program Files/7-Zip/7za.exe` 
+  `C:/Program Files/7-Zip/7zz.exe` 
+  `C:/Program Files/7-Zip/7zr.exe` 
+  `C:/Program Files (x86)/7-Zip/7z.exe` 
+  `C:/Program Files (x86)/7-Zip/7za.exe` 
+  `C:/Program Files (x86)/7-Zip/7zz.exe` 
+  `C:/Program Files (x86)/7-Zip/7zr.exe` 

**Example PURL**  
 The following is an example package URL for 7-Zip. 

```
pkg:generic/7zip/7zip@25.01
```

## Apache ecosystem collection
<a name="w2aac37c25b9"></a>

 This section provides details about Apache httpd and Apache tomcat applications. 

### Apache httpd
<a name="w2aac37c25b9b5"></a>

**Supported applications**
+  Apache httpd 

**Note**  
 Vulnerability evaluation only applies to Apache httpd version 2.0 and higher. 

**Key features**
+  Parses the `/include/ap_release.h` file to extract installation macros, which contain major identifier strings, minor identifier strings, and patch identifier strings. 

**Supported platforms**  
 The Amazon Inspector SBOM Generator scans for installations in common installation paths across platforms: 

**Unix**
+  `/usr/local/apache2/include/` 

**Windows**
+  `/Apache24/include/` 
+  `/Program Files/Apache24/include/` 
+  `/Program Files (x86)/Apache24/include/` 

**Example `ap_release.h` file**  
 The following is an example of content inside an `ap_release.h` file. 

```
//truncated

#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
#define AP_SERVER_BASEPROJECT "Apache HTTP Server"
#define AP_SERVER_BASEPRODUCT "Apache"

#define AP_SERVER_MAJORVERSION_NUMBER 2
#define AP_SERVER_MINORVERSION_NUMBER 4
#define AP_SERVER_PATCHLEVEL_NUMBER   1
#define AP_SERVER_DEVBUILD_BOOLEAN    0

//truncated
```

**Example PURL**  
 The following is an example package URL for an `Apache httpd` application. 

```
Sample PURL: pkg:generic/apache/httpd@2.4.1
```

### Apache tomcat
<a name="w2aac37c25b9b7"></a>

**Supported applications**
+  Apache tomcat 

**Note**  
 Vulnerability evaluation only applies to Apache tomcat version 9.0 and higher. 

**Key features**
+  Unpacks the `catalina.jar` file to extract installation macros inside the `META-INF/MANIFEST.MF` file, which contains the version string. 

**Supported platforms**  
 The Amazon Inspector SBOM Generator scans for installations in common installation paths across platforms: 

**Linux**
+  `/opt/tomcat/lib/` 
+  `/usr/share/tomcat/lib` 
+  `/var/lib/tomcat/lib/` 

**macOS**
+  `/Library/Tomcat/lib/` 
+  `/usr/local/tomcat/lib` 

**Windows**
+  `/Program Files/Apache Software Foundation` 
+  `/Program Files (x86)/Apache Software Foundation/` 

**Example `catalina.jar/META-INF/MANIFEST.MF` file**  
 The following is an example of content inside a `catalina.jar/META-INF/MANIFEST.MF` file. 

```
//truncated

Implementation-Title: Apache Tomcat
Implementation-Vendor: Apache Software Foundation
Implementation-Version: 10.1.31

//truncated
```

**Example PURL**  
 The following is an example package URL for an `Apache tomcat` application. 

```
Sample PURL: pkg:generic/apache/tomcat@10.1.31
```

## Atlassian ecosystem collection
<a name="w2aac37c25c11"></a>

 This section provides details about Atlassian server products and applications. 

### Atlassian Server Products
<a name="w2aac37c25c11b5"></a>

**Supported applications**
+ Jira Core
+ Confluence

**Key features**
+  Jira Core – Parses Maven POM properties from `atlassian-jira-webapp` to extract version information. 
+  Confluence – Parses Maven POM properties from `confluence-webapp` to extract version information. 

**Supported platforms**  
 The Amazon Inspector SBOM Generator scans for installations in common installation paths: 

**Linux**
+  `/opt/atlassian/jira/atlassian-jira/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties` 
+  `/opt/atlassian/confluence/confluence/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties` 

**Example PURL**  
 The following are example package URLs for Atlassian server products. 

```
// Jira Core
pkg:generic/atlassian/jira-core@10.0.1?distro=linux

// Confluence
pkg:generic/atlassian/confluence@9.2.7?distro=linux
```

### Atlassian Applications
<a name="w2aac37c25c11b7"></a>

**Supported applications**
+ Jira Software
+ Jira Service Management

**Key features**
+  Jira Software – Detects via `jira-software-application` JAR and extracts version from Maven POM properties. 
+  Jira Service Management – Detects via `jira-servicedesk-application` JAR and extracts version from Maven POM properties. 

**Supported platforms**  
 The Amazon Inspector SBOM Generator scans for installations in common installation paths: 

**Linux**
+  `/opt/atlassian/jira/atlassian-jira/WEB-INF/application-installation/jira-software-application/jira-software-application-*.jar` 
+  `/opt/atlassian/jira/atlassian-jira/WEB-INF/application-installation/jira-servicedesk-application/jira-servicedesk-application-*.jar` 

**Example PURL**  
 The following are example package URLs for Atlassian applications. 

```
// Jira Software
pkg:generic/atlassian/jira-software@10.3.9?distro=linux

// Jira Service Management
pkg:generic/atlassian/jira-service-management@10.3.9?distro=linux
```

## Curl ecosystem collection
<a name="w2aac37c25c13"></a>

 This section provides details about Curl and Libcurl applications. 

### Curl
<a name="w2aac37c25c13b5"></a>

**Supported applications**
+  Curl 

**Supported platforms**
+  Unix – Linux and macOS 
  +  `/usr/local/bin/curl` 

**Key features – Curl**
+  Examines curl binaries to extract the embedded version information. 

**Note**  
 Specifically, it searches for version strings in the binary executable `.rodata` section (for ELF binaries on Linux), `.rdata` section (for PE binaries on Windows), or `__cstring` section (for Mach-O binaries on macOS). 

**Curl version string**  
 The following is an example of a version string embedded in a Curl binary: 

```
curl/8.14.1
```

 Version `8.14.1` is extracted from the string to identify the `Curl` version. 

**Example PURL (Curl)**  
 The following is an example package URL for a `Curl` version file. 

```
Sample PURL: pkg:generic/curl/curl@8.14.1
```

### Libcurl
<a name="w2aac37c25c13b7"></a>

**Supported applications**
+  Libcurl 

**Supported platforms**
+  Unix – Linux and macOS 
  +  `/usr/local/bin/curl/curlver.h` 

**Key features – Libcurl**
+  Examines `curlver.h` to extract embedded version information for Libcurl. 

**Note**  
 Specifically, it extracts the version from the defined `LIBCURL_VERSION_MAJOR`, `LIBCURL_VERSION_MINOR`, and `LIBCURL_VERSION_PATCH` variables. 

**Libcurl version string**  
 The following is an example of the version variables in a `curlver.h` file: 

```
#define LIBCURL_VERSION_MAJOR 8
#define LIBCURL_VERSION_MINOR 14
#define LIBCURL_VERSION_PATCH 1
```

 Version `8.14.1` is extracted from these lines to identify the `Libcurl` version. 

**Example PURL (Libcurl)**  
 The following is an example package URL for a `Libcurl` version file. 

```
Sample PURL: pkg:generic/curl/libcurl@8.14.1
```
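The `ap_release.h` and `curlver.h` collections described above both read three integer `#define` macros. The following added example (not code from the Amazon Inspector SBOM Generator) shows one way to reproduce that extraction when cross-checking an SBOM entry; the function names, the `PROFILES` table, and the sample headers are constructed for illustration.

```python
import re

# "#define NAME 123" with an integer value, on a single line.
DEFINE_RE = re.compile(
    r"^[ \t]*#[ \t]*define[ \t]+(\w+)[ \t]+(\d+)[ \t]*$", re.MULTILINE
)
# C block comments and // line comments.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)

# (major, minor, patch) macro names and PURL prefixes as shown on this page.
PROFILES = {
    "httpd": (
        ("AP_SERVER_MAJORVERSION_NUMBER",
         "AP_SERVER_MINORVERSION_NUMBER",
         "AP_SERVER_PATCHLEVEL_NUMBER"),
        "pkg:generic/apache/httpd",
    ),
    "libcurl": (
        ("LIBCURL_VERSION_MAJOR", "LIBCURL_VERSION_MINOR", "LIBCURL_VERSION_PATCH"),
        "pkg:generic/curl/libcurl",
    ),
}


def header_version(text, profile):
    """Return 'major.minor.patch', or None if any of the three macros is absent."""
    macros = PROFILES[profile][0]
    # Drop comments first so a commented-out #define is not counted.
    active = COMMENT_RE.sub("", text)
    defined = dict(DEFINE_RE.findall(active))
    if any(name not in defined for name in macros):
        return None
    return ".".join(str(int(defined[name])) for name in macros)


def header_purl(text, profile):
    """Build the package URL in the form used by the examples on this page."""
    version = header_version(text, profile)
    return None if version is None else f"{PROFILES[profile][1]}@{version}"


# Constructed sample inputs, modelled on the excerpts shown on this page.
HTTPD_SAMPLE = """\
//truncated
#define AP_SERVER_BASEPRODUCT "Apache"

#define AP_SERVER_MAJORVERSION_NUMBER 2
#define AP_SERVER_MINORVERSION_NUMBER 4
#define AP_SERVER_PATCHLEVEL_NUMBER   1
#define AP_SERVER_DEVBUILD_BOOLEAN    0
//truncated
"""

LIBCURL_SAMPLE = """\
#define LIBCURL_VERSION_MAJOR 8
    #define LIBCURL_VERSION_MINOR 14
    #define LIBCURL_VERSION_PATCH 1
"""

# The patch macro exists only inside a comment, so no version is reported.
COMMENTED_OUT_SAMPLE = """\
#define LIBCURL_VERSION_MAJOR 8
#define LIBCURL_VERSION_MINOR 14
/* #define LIBCURL_VERSION_PATCH 1 */
"""

if __name__ == "__main__":
    print(header_purl(HTTPD_SAMPLE, "httpd"))
    print(header_purl(LIBCURL_SAMPLE, "libcurl"))
    print(header_version(COMMENTED_OUT_SAMPLE, "libcurl"))
```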

## Elasticsearch ecosystem collection
<a name="w2aac37c25c15"></a>

**Supported applications**
+  Elasticsearch 

**Note**  
 Vulnerability evaluation only applies to Elasticsearch version 7.17.0. 

**Key features**
+  **Version** – Unpacks the `elasticsearch-<specific.version>.jar` file to extract installation macros inside of `META-INF/MANIFEST.MF` files, which contain the Elasticsearch version string. 

**Supported platforms**
+  **Linux** – `/etc/elasticsearch/lib`, `/opt/elasticsearch/lib/`, and `/usr/share/elasticsearch/lib/` 
+  **macOS** – `/usr/local/var/lib/elasticsearch/lib/` 
+  **Windows** – `/elasticsearch/`, `/Program Files (x86)/Elastic/elasticsearch/lib/`, and `/Program Files/Elastic/elasticsearch/lib/` 

**Example `elasticsearch-<specific.version>.jar/META-INF/MANIFEST.MF` file**  
 The following is an example of an `elasticsearch-<specific.version>.jar/META-INF/MANIFEST.MF` file. 

```
//truncated

Manifest-Version: 1.0
Module-Origin: git@github.com:elastic/elasticsearch.git
X-Compile-Elasticsearch-Version: 8.19.0-SNAPSHOT
X-Compile-Lucene-Version: 9.12.1
X-Compile-Elasticsearch-Snapshot: true

//truncated
```

**Example PURL**  
 The following is an example package URL for an `elasticsearch-<specific.version>.jar/META-INF/MANIFEST.MF` file. 

```
pkg:generic/elastic/elasticsearch@8.19.0-SNAPSHOT
```

## Google ecosystem collection
<a name="w2aac37c25c17"></a>

**Supported applications**
+  Google Chrome 
+  Puppeteer (supports the puppeteer library; puppeteer-core is not included) 

**Note**  
 Puppeteer supports the puppeteer library. Puppeteer core is not included. 

**Supported artifacts**  
 Amazon Inspector collects Google Chrome information from the following: 
+  The `chrome/VERSION` file (build source) 
+  The `chrome.exe` file (Windows Chrome installation) 
+  The `puppeteer` file (installation) 

 For each of the supported artifacts, Sbomgen parses and collects either the chrome file or the puppeteer file. For puppeteer installations, the corresponding Chromium version is collected based on the puppeteer version. For more information, see [Supported browsers](https://pptr.dev/supported-browsers) on the Puppeteer website. 

 When the `PUPPETEER_SKIP_CHROMIUM_DOWNLOAD` environment variable is set to `true`, evaluation is skipped, and the `skip_chromium_download=true` qualifier is added to the Puppeteer package URL. 

**Example `chrome/VERSION` version file**  
 The following is an example of the `chrome/VERSION` version file. 

```
MAJOR=130
MINOR=0
BUILD=6723
PATCH=58
```

**Example PURL**  
 The following is an example package URL for a `chrome/VERSION` version file. 

```
Sample PURL: pkg:generic/google/chrome@131.0.6778.87
```

**Example `puppeteer` version file**  
 The following is an example of the `puppeteer` version file. 

```
{
"name": "puppeteer",
"version": "23.9.0",
"description": "A high-level API to control headless Chrome over the DevTools Protocol",
"keywords": [
  "puppeteer",
  "chrome",
  "headless",
  "automation"
]
}
```

**Example PURL**  
 The following is an example package URL for a `puppeteer` version file. 

```
Sample PURL: pkg:generic/google/puppeteer@23.9.0
```

**Example PURL**  
 The following is an example package URL with skip qualifier for a `puppeteer` version file. 

```
pkg:generic/google/puppeteer@22.15.0?distro=linux&skip_chromium_download=true
```

## HuggingFace ecosystem collection
<a name="w2aac37c25c19"></a>

**Supported applications**
+  HuggingFace `hf` CLI 

**Key features**
+  Extracts locally cached AI/ML models installed by HuggingFace 
+  Generates HuggingFace Package URLs 
+  Models downloaded using `hf download --local-dir` are not currently supported 

**Example path**  
 The following is an example of a cached HuggingFace model path. 

```
/home/ec2-user/.cache/huggingface/hub/models--MiniMaxAI--MiniMax-M2.5/snapshots/<hash>
```

**Example PURL**  
 The following is an example package URL for a HuggingFace model. The component type is `machine-learning-model`. 

```
pkg:huggingface/MiniMaxAI/MiniMax-M2.5@<hash>
```

## Java ecosystem collection
<a name="w2aac37c25c21"></a>

**Supported applications**
+  Oracle JDK 
+  Oracle JRE 
+  Amazon Corretto 

**Key features**
+  Extracts the string of the Java installation. 
+  Identifies the directory path that contains the Java runtime. 
+  Identifies the vendor as Oracle JDK, Oracle JRE, or Amazon Corretto. 

 The Amazon Inspector SBOM Generator scans for Java installations across the following installation paths and platforms: 
+  macOS: `/Library/Java/JavaVirtualMachines` 
+  Linux 32-bit: `/usr/lib/jvm` 
+  Linux 64-bit: `/usr/lib64/jvm` 
+  Linux (generic): `/usr/java` and `/opt/java` 

**Example Java version information**  
 The following is an example of an Oracle Java release. 

```
// Amazon Corretto
IMPLEMENTOR="Amazon.com Inc."
IMPLEMENTOR_VERSION="Corretto-17.0.11.9.1"
JAVA_RUNTIME_VERSION="17.0.11+9-LTS"
JAVA_VERSION="17.0.11"
JAVA_VERSION_DATE="2024-04-16"
LIBC="default"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.jvmstat jdk.attach jdk.charsets jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.hotspot.agent jdk.httpserver jdk.incubator.foreign jdk.incubator.vector jdk.internal.le jdk.internal.opt jdk.internal.vm.ci jdk.internal.vm.compiler jdk.internal.vm.compiler.management jdk.jartool jdk.javadoc jdk.jcmd jdk.management jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.random jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported jdk.unsupported.desktop jdk.xml.dom jdk.zipfs"
OS_ARCH="x86_64"
OS_NAME="Darwin"
SOURCE=".:git:7917f11551e8+"

// JDK
IMPLEMENTOR="Oracle Corporation"
JAVA_VERSION="19"
JAVA_VERSION_DATE="2022-09-20"
LIBC="default"
MODULES="java.base java.compiler java.datatransfer java.xml java.prefs java.desktop java.instrument java.logging java.management java.security.sasl java.naming java.rmi java.management.rmi java.net.http java.scripting java.security.jgss java.transaction.xa java.sql java.sql.rowset java.xml.crypto java.se java.smartcardio jdk.accessibility jdk.internal.jvmstat jdk.attach jdk.charsets jdk.zipfs jdk.compiler jdk.crypto.ec jdk.crypto.cryptoki jdk.dynalink jdk.internal.ed jdk.editpad jdk.hotspot.agent jdk.httpserver jdk.incubator.concurrent jdk.incubator.vector jdk.internal.le jdk.internal.opt jdk.internal.vm.ci jdk.internal.vm.compiler jdk.internal.vm.compiler.management jdk.jartool jdk.javadoc jdk.jcmd jdk.management jdk.management.agent jdk.jconsole jdk.jdeps jdk.jdwp.agent jdk.jdi jdk.jfr jdk.jlink jdk.jpackage jdk.jshell jdk.jsobject jdk.jstatd jdk.localedata jdk.management.jfr jdk.naming.dns jdk.naming.rmi jdk.net jdk.nio.mapmode jdk.random jdk.sctp jdk.security.auth jdk.security.jgss jdk.unsupported jdk.unsupported.desktop jdk.xml.dom"
OS_ARCH="x86_64"
OS_NAME="Darwin"
SOURCE=".:git:53b4a11304b0 open:git:967a28c3d85f"
```

**Example PURL**  
 The following is an example package URL for an Oracle Java release. 

```
Sample PURL:
# Amazon Corretto
pkg:generic/amazon/amazon-corretto@21.0.3 
# Oracle JDK
pkg:generic/oracle/jdk@11.0.16
# Oracle JRE
pkg:generic/oracle/jre@20
```

## Jenkins ecosystem collection
<a name="w2aac37c25c23"></a>

**Supported applications**
+  Jenkins Core 

**Note**  
 Vulnerability evaluation applies to Jenkins version 2.400.\$1 and higher. 

**Key features**
+  Extracts version information from the `jenkins.war` file by reading the `META-INF/MANIFEST.MF` file, which contains the Jenkins version string. 

 The Amazon Inspector SBOM Generator looks for Jenkins installations in common installation paths across platforms: 

**Linux**
+  `/usr/share/jenkins/jenkins.war` 
+  `/usr/share/java/jenkins.war` 

**macOS**
+  `/opt/homebrew/opt/jenkins-lts/libexec/jenkins.war` 

**Windows**
+  `/Program Files/Jenkins/Jenkins.war` 
+  `/Program Files (x86)/Jenkins/Jenkins.war` 

**Example files**  
 The following are examples of `jenkins.war/META-INF/MANIFEST.MF` files for different releases. 

```
Manifest-Version: 1.0
Created-By: Maven WAR Plugin 3.4.0
Build-Jdk-Spec: 21
Implementation-Title: Jenkins war
Main-Class: executable.Main
Implementation-Version: 2.516.2
Jenkins-Version: 2.516.2
```

```
Manifest-Version: 1.0
Jenkins-Version: 2.414.1
Implementation-Title: Jenkins
Implementation-Version: 2.414.1
Built-By: kohsuke
Created-By: Apache Maven 3.8.6
```

**Sample PURLs**  
 The following are package URLs for version 2.516.2 of the Jenkins LTS release and version 2.414 of the Jenkins automation server release. 

```
LTS: pkg:generic/jenkins/jenkins-core-lts@2.516.2.1
Regular: pkg:generic/jenkins/jenkins-core@2.414
```
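The Tomcat, Elasticsearch, and Jenkins collections described above all read a version attribute from `META-INF/MANIFEST.MF` inside a JAR or WAR archive. The following added example (not code from the Amazon Inspector SBOM Generator) shows that lookup, including wrapped manifest lines and per-entry sections. The attribute names are taken from the example manifests on this page; the helper names, the 1 MiB size limit, and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

MANIFEST_PATH = "META-INF/MANIFEST.MF"
MAX_MANIFEST_BYTES = 1 << 20  # assumption: refuse manifests declared over 1 MiB


def parse_main_attributes(raw):
    """Parse the main section of a JAR manifest (bytes) into a dict."""
    attrs, key = {}, None
    for line in raw.decode("utf-8", "replace").splitlines():
        if not line:
            if attrs:
                break  # the first blank line ends the main section
            continue
        if line.startswith(" "):
            if key is not None:
                attrs[key] += line[1:]  # continuation of a wrapped value
            continue
        name, sep, value = line.partition(": ")
        key = name if sep else None
        if sep:
            attrs[name] = value
    return attrs


def archive_version(archive, attribute):
    """Return a main-section manifest attribute from a JAR/WAR, or None."""
    with zipfile.ZipFile(archive) as zf:
        try:
            info = zf.getinfo(MANIFEST_PATH)
        except KeyError:
            return None  # archive has no manifest
        # Archives are untrusted input: check the declared size before reading.
        if info.file_size > MAX_MANIFEST_BYTES:
            raise ValueError("manifest is larger than MAX_MANIFEST_BYTES")
        raw = zf.read(info)
    return parse_main_attributes(raw).get(attribute)


def build_archive(manifest_text):
    """Construct an in-memory archive for the samples below (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.class", b"")
        if manifest_text is not None:
            zf.writestr(MANIFEST_PATH, manifest_text)
    buf.seek(0)
    return buf


# Constructed samples. The Tomcat one wraps the version across two lines and
# adds a per-entry section whose attribute must not override the main section.
TOMCAT_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Implementation-Title: Apache Tomcat\r\n"
    "Implementation-Vendor: Apache Software Foundation\r\n"
    "Implementation-Version: 10.1.\r\n"
    " 31\r\n"
    "\r\n"
    "Name: org/apache/catalina/\r\n"
    "Implementation-Version: 0.0.0\r\n"
)
JENKINS_MANIFEST = (
    "Manifest-Version: 1.0\n"
    "Implementation-Title: Jenkins war\n"
    "Implementation-Version: 2.516.2\n"
    "Jenkins-Version: 2.516.2\n"
)
ELASTIC_MANIFEST = (
    "Manifest-Version: 1.0\n"
    "X-Compile-Elasticsearch-Version: 8.19.0-SNAPSHOT\n"
    "X-Compile-Lucene-Version: 9.12.1\n"
)

if __name__ == "__main__":
    print(archive_version(build_archive(TOMCAT_MANIFEST), "Implementation-Version"))
    print(archive_version(build_archive(JENKINS_MANIFEST), "Jenkins-Version"))
    print(archive_version(build_archive(ELASTIC_MANIFEST),
                          "X-Compile-Elasticsearch-Version"))
```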

## MariaDB and MySQL ecosystem collection
<a name="w2aac37c25c25"></a>

### MariaDB
<a name="w2aac37c25c25b3"></a>

**Supported applications**
+  MariaDB Server (10.6\$1, 11.x, 12.x) 

**Key features**
+  Extracts version information from database server binaries and header files using database-specific patterns. 
+  Identifies the directory path containing the database server installation. 
+  Automatically distinguishes between MariaDB and MySQL installations using data-driven file type detection. 

 The SBOM Generator looks for the MariaDB installation in common installation paths across platforms: 

**Linux**
+  `/usr/bin/mariadbd` 
+  `/usr/sbin/mariadbd` 
+  `/usr/local/bin/mariadbd` 

**macOS**
+  `C:/Program Files (x86)/MariaDB/include/mysql/mariadb_version.h (MariaDB)` 
+  `C:/Program Files/MariaDB/include/mysql/mariadb_version.h (MariaDB)` 

**Windows**
+  `C:/Program Files (x86)/MariaDB/include/mysql/mariadb_version.h (MariaDB)` 
+  `C:/Program Files/MariaDB/include/mysql/mariadb_version.h (MariaDB)` 

**Example PURL**  
The following is an example package URL for a MariaDB server.

```
# MariaDB Server

pkg:generic/mysql/mariadb-server@10.11.8
```

### MySQL ecosystem collection
<a name="w2aac37c25c25b5"></a>

**Supported applications**
+  Oracle MySQL Server (8.0, 8.4, 9.4\$1) 

**Key features**
+  Extracts version information from database server binaries and header files using database-specific patterns. 
+  Identifies the directory path containing the database server installation. 
+  Automatically distinguishes between MySQL and MariaDB installations using data-driven file type detection. 

 The SBOM Generator looks for the MySQL installation in common installation paths across platforms: 

**Linux**
+  `/usr/local/bin/mysqld` 
+  `/usr/bin/mysqld` 
+  `/usr/sbin/mysqld` 

**macOS**
+  `/usr/local/mysql/include/mysql_version.h (MySQL)` 

**Windows**
+  `C:/Program Files/MySQL/MySQL Server/include/mysql_version.h (MySQL)` 
+  `C:/Program Files (x86)/MySQL/MySQL Server/include/mysql_version.h (MySQL)` 

**Example PURL**  
The following is an example package URL for a MySQL server.

```
# Oracle MySQL Server

pkg:generic/mysql/mysql-server@8.0.43
```

## Microsoft applications ecosystem collection
<a name="microsoft-app-ecosystem-collection"></a>

 The following Microsoft applications are inventoried by the Amazon Inspector SBOM Generator. Due to limitations in the Microsoft CVRF API, detections in the InspectorScan API are only supported for versions of these applications released in 2021 (or later). Findings will be mapped to Microsoft KBs or CVEs (where applicable). 

**Supported Microsoft applications (2021+)**
+ PowerShell
+ NuGet CLI
+ Visual Studio Code
+ Microsoft Edge
+ SharePoint Server
+ Microsoft Defender
+ Exchange Server
+ Visual Studio
+ .NET Core Runtime
+ .NET Framework
+ ASP.NET Core Runtime
+ Microsoft Teams
+ Outlook for Windows
+ Microsoft Office
+ Microsoft 365

**Key features**
+  PowerShell – Examines the `pwsh.exe` file to extract the embedded version information. 
+  NuGet CLI – Examines the `nuget.exe` file to extract the embedded version information. 
+  Visual Studio Code – Examines the `Code.exe` file to extract the embedded version information. 
+  Microsoft Edge – Examines the `msedge.exe` file to extract the embedded version information. 
+  SharePoint Server – Examines the `Microsoft.SharePoint.dll` file to extract the embedded version information. 
+  Microsoft Defender – Examines the `MsMpEng.exe` file to extract the embedded version information. 
+  Exchange Server – Examines the `Exsetup.exe` file to extract the embedded version information. 
+  Visual Studio – Parses the `state.json` file to retrieve the version string from the `catalogInfo.productDisplayVersion` field. 
+ .NET Core Runtime – Searches for `Microsoft.NETCore.App.deps.json` file in installation paths and extracts the version string from the following file path pattern. 

  ```
  Microsoft.NETCore.App/<VERSION>/Microsoft.NETCore.App.deps.json
  ```
+ .NET Framework – Parses Windows Registry and reads file metadata to detect installed .NET Framework versions. The scanner checks the following registry key and value, and files. 
  + **Registry Key** (`<VERSION_SUB_KEY>` represents the .NET Framework version, such as `v2.0.50727`, `v3.5`, or `v4\Full`)

    ```
    HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\<VERSION_SUB_KEY>
    ```

    ```
    HKLM\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\<VERSION_SUB_KEY>
    ```
  + **Registry Value**
    + Install – Indicates whether the .NET Framework version is installed.
    + Version – Installed .NET Framework version (version 4.0 or lower)
    + Release – A `REG_DWORD` value that maps to the installed .NET Framework version (version 4.5 or later)
  + **DLL Files**

    The scanner extracts the file version from `mscorlib.dll` and `System.dll`. If these files exist, they are added to the SBOM as nested file components. For .NET Framework version 4.5 or later, the largest file version among files is reported as the version.
+ ASP.NET Core Runtime – Searches for `Microsoft.AspNetCore.App.deps.json` file in installation paths and extracts the version string from the following file path pattern. 

  ```
  Microsoft.AspNetCore.App/<VERSION>/Microsoft.AspNetCore.App.deps.json
  ```
+ Outlook for Windows – Parses the Windows Registry and extracts the version from the following registry key. 

  ```
  HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.OutlookForWindows_<VERSION>_<ARCH>__8wekyb3d8bbwe
  ```
+ Microsoft Teams – Parses the Windows Registry and extracts the version from the following registry key. 

  ```
  HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\MSTeams_<VERSION>_<ARCH>__8wekyb3d8bbwe
  ```
+ Microsoft Office 365 / Microsoft 365 – Parses the Windows Registry and extracts the version from the following registry key and values. 
  + Registry Key

    ```
    HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
    ```
  + Registry Value
    + VersionToReport – Microsoft Office Version
    + ProductReleaseIds – List of product IDs. This is used to identify installed Office products. For more information about product IDs, see [https://learn.microsoft.com/en-us/troubleshoot/microsoft-365-apps/office-suite-issues/product-ids-supported-office-deployment-click-to-run](https://learn.microsoft.com/en-us/troubleshoot/microsoft-365-apps/office-suite-issues/product-ids-supported-office-deployment-click-to-run) on the Microsoft website.
+ Microsoft Office Suite – Collects each installed Office application by examining the following executable files: 
  + `EXCEL.EXE` – Microsoft Excel
  + `WINWORD.EXE` – Microsoft Word
  + `POWERPNT.EXE` – Microsoft PowerPoint
  + `OUTLOOK.EXE` – Microsoft Outlook

   The version number in the Windows Registry is used as the authoritative version number for each installed Office application. 

**Example `state.json` file**  
 The following is an example of a `state.json` file used to collect the installed Visual Studio version. 

```
{
    "icon": {
        "mimeType": "image/svg+xml",
        "fileName": "product.svg"
    },
    "updateDate": "2025-11-06T05:05:35.6517471Z",
    "installDate": "2025-11-06T05:05:35.6527436Z",
    "enginePath": "C:\\Program Files (x86)\\Microsoft Visual Studio\\Installer\\resources\\app\\ServiceHub\\Services\\Microsoft.VisualStudio.Setup.Service",
    "installationName": "VisualStudio/17.14.19+36623.8",
    "catalogInfo": {
        "id": "VisualStudio/17.14.19+36623.8",
        "buildBranch": "d17.14",
        "buildVersion": "17.14.36623.8",
        "localBuild": "build-lab",
        "manifestName": "VisualStudio",
        "manifestType": "installer",
        "productDisplayVersion": "17.14.19",
// truncated
```

**Example PURL**  
 The following are example package URLs for each Microsoft application. 

```
// PowerShell
Sample PURL: pkg:generic/microsoft/powershell@7.5.3

// NuGet CLI
Sample PURL: pkg:generic/microsoft/nuget@6.14.0

// Visual Studio Code
Sample PURL: pkg:generic/microsoft/visualstudiocode@1.104.2

// Microsoft Edge
Sample PURL: pkg:generic/microsoft/edge@140.0.3485.94

// SharePoint Server
Sample PURL: pkg:generic/microsoft/sharepoint@23.38.219.1

// Microsoft Defender
Sample PURL: pkg:generic/microsoft/defender@4.18.23110.3

// Exchange Server
Sample PURL: pkg:generic/microsoft/exchangeserver@15.2.2562.17

// Visual Studio
Sample PURL: pkg:generic/microsoft/visualstudio@17.14.19

// .NET Core Runtime
Sample PURL: pkg:generic/microsoft/dotnet@8.0.18

// .NET Framework
Sample PURL: pkg:generic/microsoft/dotnet-framework-v4.8.1@4.8.9320.0

// ASP.NET Core Runtime
Sample PURL: pkg:generic/microsoft/aspdotnet@8.0.18

// Microsoft Teams
Sample PURL: pkg:generic/microsoft/teams@25241.203.3947.4411

// Outlook for Windows
Sample PURL: pkg:generic/microsoft/outlookforwindows@1.2025.916.400

// Microsoft 365 / Office 365
Sample PURL: pkg:generic/microsoft/office@16.0.19127.20264?product_ids=O365HomePremRetail

// Microsoft Word
Sample PURL: pkg:generic/microsoft/word@16.0.19127.20264

// Microsoft Excel
Sample PURL: pkg:generic/microsoft/excel@16.0.19127.20264

// Microsoft PowerPoint
Sample PURL: pkg:generic/microsoft/powerpoint@16.0.19127.20264

// Microsoft Outlook
Sample PURL: pkg:generic/microsoft/outlook@16.0.19127.20264
```

## Microsoft SQL Server ecosystem collection
<a name="w2aac37c25c29"></a>

**Supported applications**
+  Microsoft SQL Server 

**Key features**
+  Reads from the Windows registry to discover installed Microsoft SQL Server instances and extract version information. 
+  Discovers instances through a two-step process: reads the `InstalledInstances` value, resolves each instance path from the `Instance Names\SQL` subkey, then reads setup information from each instance's `Setup` subkey. 
+  Collects instance name, base version, patch level, edition, service pack (if present), and the registry key path. 
+  The component version and PURL use the patch level (full build number). 

**Supported platforms – Windows**  
 The Amazon Inspector SBOM Generator reads from the following Windows registry key to discover installed instances: 

```
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server
```

 The scanner reads the `InstalledInstances` value to enumerate instances, resolves each instance path from the `Instance Names\SQL` subkey, then reads setup information from each instance's `Setup` subkey. 

**Example PURL**  
 The following is an example package URL for a Microsoft SQL Server instance. 

```
pkg:generic/microsoft/sqlserver@16.0.1000.6
```

## MongoDB ecosystem collection
<a name="w2aac37c25c31"></a>

**Supported applications**
+  MongoDB Server (7.0\$1, 8.0\$1) 

**Key features**
+  Examines mongod binaries to extract embedded version information. 

**Note**  
 The mongod binary can exceed 200 MB in size. To scan for MongoDB, the Amazon Inspector SBOM Generator file size limit must be configured to allow files over 200 MB. 

 The Amazon Inspector SBOM Generator looks for MongoDB installations in common installation paths across platforms: 

**Linux**
+  `/usr/bin/mongod` 
+  `/usr/local/bin/mongod` 

**macOS**
+  `/usr/local/bin/mongod` 
+  `/opt/homebrew/bin/mongod` 

**Windows**
+  `C:\Program Files\MongoDB\Server\bin\mongod.exe` 

**Example PURL**  
 The following is an example package URL for MongoDB Server. 

```
pkg:generic/mongodb/mongodb-server@8.2.4?platform=linux
```

## Nginx ecosystem collection
<a name="w2aac37c25c33"></a>

**Supported applications**
+  Nginx 

**Supported platforms**  
 The following are supported platforms. 

**Linux**
+  `/usr/sbin/nginx` 
+  `/usr/local/nginx` 
+  `/usr/local/etc/nginx` 
+  `/usr/local/nginx/nginx` 
+  `/usr/local/nginx/sbin/nginx` 
+  `/etc/nginx/nginx` 

**Windows**
+  `C:\nginx\nginx.exe` 
+  `C:\nginx-x.y.z\nginx.exe` (x.y.z is an arbitrary version) 

**macOS**
+  `/usr/local/etc/nginx/nginx` 

**Key features**  
 This collection examines binaries to extract embedded version information. It searches for version strings in the binary executable `.rodata` section (for ELF binaries on Linux), `.rdata` section (for PE binaries on Windows), or `__cstring` section (for Mach-O binaries). 

**Example version string**  
 The following is an example of a version string embedded in an Nginx binary. 

```
nginx version: nginx/1.27.5
```

 Version `1.27.5` is extracted to identify the Nginx version. 

**Example PURL**  
 The following is an example package URL for Nginx. 

```
Sample PURL: pkg:generic/nginx/nginx@1.27.5
```

## Node.JS runtime collection
<a name="w2aac37c25c35"></a>

**Supported applications**
+  node runtime binary for Node.JS 

**Supported platforms**  
 The following are supported platforms. (`*` is an arbitrary version) 

**Linux**
+  `/usr/local/bin/node` 
+  `/usr/bin/node` 
+  `/nodejs/bin/node` 
+  `*/.nvm/versions/node/*/bin/node` 
+  `*/.local/share/fnm/node-versions/*/installation/bin/node` 
+  `*/.asdf/installs/nodejs/*/bin/node` 
+  `*/.local/share/mise/installs/node/*/bin/node` 
+  `*/.volta/tools/image/node/*/bin/node` 

**Windows**
+  `C:\Program Files\nodejs\node.exe` 
+  `C:\Program Files (x86)\nodejs\node.exe` 
+  `*\AppData\Roaming\fnm\node-versions\*\installation\node.exe` 

**macOS**
+  `/opt/homebrew/Cellar/node/*/bin/node` 

**Key features**  
 This collection examines binaries to extract embedded version information. It searches for version strings in the binary executable `.rodata` section (for ELF binaries on Linux), `.rdata` section (for PE binaries on Windows), or `__cstring` section (for Mach-O binaries on macOS). 

**Example version string**  
 The following is an example of a version string embedded in a Node.JS runtime binary. 

```
node.js/v24.11.1
```

 Version `24.11.1` is extracted to identify the Node.JS runtime version. 

**Example PURL**  
 The following is an example package URL for Node.JS. 

```
Sample PURL: pkg:generic/nodejs/node@24.11.1
```

## OpenSSH ecosystem collection
<a name="w2aac37c25c37"></a>

**Supported applications**
+  OpenSSH (Version 9) 
+  OpenSSH (Version 10) 

**Supported platforms Linux/macOS**
+  `/usr/sbin/sshd` 
+  `/usr/local/sbin/sshd` 

**Supported platforms Windows**
+  `C:/Windows/System32/OpenSSH/sshd.exe` 
+  `C:/Program Files/OpenSSH/sshd.exe` 
+  `C:/Program Files (x86)/OpenSSH/sshd.exe` 
+  `C:/OpenSSH/sshd.exe` 

**Key features**
+  Examines `sshd` binaries to extract embedded version information. 
+  Looks for version strings in the binary executable `.rodata` section (for ELF binaries on Linux), `__cstring` section (for Mach-O binaries on macOS), or `.rdata` section (for PE binaries on Windows). 

**Example version string**  
 The following is an example of a version string embedded in an OpenSSH binary. 

```
OpenSSH_9.9p2
```

 Version `9.9p2` is extracted to identify the OpenSSH version. 

**Example PURL**  
 The following is an example package URL for OpenSSH. 

```
Sample PURL: pkg:generic/openssh/openssh@9.9p2
```

## OpenSSL ecosystem collection
<a name="w2aac37c25c39"></a>

**Supported applications**  
 Support for OpenSSL libraries and development packages is limited to software built with official OpenSSL for 3.0.0 releases and above. The software also must follow semantic versioning. Custom or forked OpenSSL variants and versions lower than 3.0.0 are not supported. 

 The Amazon Inspector SBOM Generator extracts key package information for each installed OpenSSL instance. 

**Key features**
+  Extracts the base SEMVER version string from the OpenSSL header file 
+  Identifies the directory path containing the OpenSSL installation 

 The Amazon Inspector SBOM Generator looks for OpenSSL installations by scanning for the `opensslv.h` file in common installation paths across platforms. 

**Example installation paths for Linux/Unix**  
 The following are example installation paths for Linux/Unix. 

```
/usr/local/include/openssl/opensslv.h
/usr/local/ssl/include/openssl/opensslv.h
/usr/local/openssl/include/openssl/opensslv.h
/usr/local/opt/openssl/include/openssl/opensslv.h
/usr/include/openssl/opensslv.h
```

 The Amazon Inspector SBOM Generator extracts version information by parsing the `opensslv.h` file and looking for the version definitions. 

```
# define OPENSSL_VERSION_MAJOR  3
# define OPENSSL_VERSION_MINOR  4
# define OPENSSL_VERSION_PATCH  0
```

**Example PURL**  
 The following is an example package URL for the OpenSSL version. 

```
Sample PURL: pkg:generic/openssl/openssl@3.4.0
```
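The header-based detection described above can be reproduced to cross-check an SBOM entry. The following is an added example, not the Amazon Inspector SBOM Generator's code: the function names, the LibreSSL marker check, and reporting the header's directory as the installation path are assumptions, and both sample headers are constructed.

```python
import re
from pathlib import Path

# Candidate header locations, relative to a filesystem root, from the list above.
CANDIDATES = [
    "usr/local/include/openssl/opensslv.h",
    "usr/local/ssl/include/openssl/opensslv.h",
    "usr/local/openssl/include/openssl/opensslv.h",
    "usr/local/opt/openssl/include/openssl/opensslv.h",
    "usr/include/openssl/opensslv.h",
]
DEFINE = re.compile(
    r"^\s*#\s*define\s+OPENSSL_VERSION_(MAJOR|MINOR|PATCH)\s+(\d+)\s*$", re.M)

# Constructed samples: a 3.x style header and a pre-3.0 style header.
HEADER_3_4 = ("# define OPENSSL_VERSION_MAJOR  3\n"
              "# define OPENSSL_VERSION_MINOR  4\n"
              "# define OPENSSL_VERSION_PATCH  0\n")
HEADER_1_1_1 = "# define OPENSSL_VERSION_NUMBER  0x1010117fL\n"

def openssl_purl(header_text):
    """Return a PURL for an official OpenSSL >= 3.0.0 header, else None."""
    if "LIBRESSL_VERSION_NUMBER" in header_text:   # fork marker (assumption)
        return None
    parts = {name: int(value) for name, value in DEFINE.findall(header_text)}
    # Pre-3.0 headers only carry OPENSSL_VERSION_NUMBER, so no triple is found.
    if set(parts) != {"MAJOR", "MINOR", "PATCH"} or parts["MAJOR"] < 3:
        return None
    return "pkg:generic/openssl/openssl@{MAJOR}.{MINOR}.{PATCH}".format(**parts)

def scan(root="/"):
    """Return (header directory, PURL) for each supported header under root."""
    hits = []
    for rel in CANDIDATES:
        path = Path(root) / rel
        if path.is_file():
            purl = openssl_purl(path.read_text(errors="replace"))
            if purl:
                hits.append((str(path.parent), purl))
    return hits

if __name__ == "__main__":
    print(openssl_purl(HEADER_3_4), openssl_purl(HEADER_1_1_1))
    print(scan("/"))
```
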

## Oracle Database Server collection
<a name="w2aac37c25c41"></a>

**Supported applications**
+  Oracle Database 

**Supported platforms Linux**
+  `/opt/oracle` 
+  `/u01/app/oracle` 

**Note**  
 Vulnerability evaluation applies only to Oracle Database Server version 19 and higher. 

**Key features**
+  Examines Oracle binaries to extract embedded version information. 
+  Looks for version strings in the binary executable `.rodata` section (for ELF binaries on Linux). 
+  Version information follows a specific format that includes the RDBMS version string. 

**Example version string**  
 The following is an example of a version string embedded in an Oracle Database binary: 

```
RDBMS_23.7.0.25.01DBRU_LINUX.X64_240304
```

 Version `23.7.0.25.01` is extracted to identify the Oracle Database version. 

**Example PURL**  
 The following is an example package URL for Oracle Database. 

```
Sample PURL: pkg:generic/oracle/database@23.7.0.25.01
```

## PHP ecosystem collection
<a name="w2aac37c25c43"></a>

**Supported applications**
+  PHP (version 8.1 and higher) 

**Key features**
+  Extracts version information from PHP binary executables using embedded version strings. 
+  Identifies the directory path containing the PHP binary. 
+  Automatically detects both standard PHP binaries and versioned installations, such as `php8.1`, `php8.2`, and `php8.3`. 

 The Amazon Inspector SBOM Generator looks for PHP installations in common installation paths across platforms: 

**Linux**
+  `/usr/bin/php8.1 through /usr/bin/php8.9` 
+  `/usr/sbin/php8.1 through /usr/sbin/php8.9` 
+  `/usr/local/bin/php, /usr/bin/php, /usr/sbin/php` 
+  `/usr/local/bin/php8.1 through /usr/local/bin/php8.9` (versioned binaries) 

**macOS**
+  `/opt/homebrew/bin/php` 
+  `/usr/bin/php` 
+  `/usr/local/bin/php` 

**Windows**
+  `C:/php/php.exe` 
+  `C:/php8.1/php.exe through C:/php8.9/php.exe` (versioned directories) 

**Example PHP version extraction**  
 The Amazon Inspector SBOM Generator extracts version information from PHP binaries by searching for embedded version strings using the following pattern. 

```
X-Powered-By: PHP/8.4.12
```

 `8.4.12` is extracted from this pattern to identify the PHP version. 

**Example PURL**  
 The following is an example package URL for PHP. 

```
pkg:generic/php/php@8.4.12
```

## Redis ecosystem collection
<a name="w2aac37c25c45"></a>

**Supported applications**
+  Redis (version 7.2 and higher) 

**Key features**
+  Extracts version information from Redis `redis-server` binary executables using embedded version strings. 
+  Searches for version strings in the binary executable `.rodata` section (for ELF binaries on Linux) or `__cstring` section (for Mach-O binaries on macOS). 

 The Amazon Inspector SBOM Generator looks for Redis installations in common installation paths across platforms: 

**Linux**
+  `/usr/bin/redis-server` 
+  `/usr/local/bin/redis-server` 

**macOS**
+  `/opt/homebrew/bin/redis-server` 
+  `/usr/local/bin/redis-server` 

**Example version string**  
 The following is an example of a version string embedded in a Redis binary. 

```
redis-7.2.6
```

 Version `7.2.6` is extracted to identify the Redis version. 

**Example PURL**  
 The following is an example package URL for Redis. 

```
pkg:generic/redis/redis@7.2.6
```
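The Nginx, Node.JS, OpenSSH, Oracle Database, PHP, and Redis collections above all identify a version from a string embedded in the binary. The following added example (not the Amazon Inspector SBOM Generator's code) shows one way to reproduce that check when validating an SBOM entry against a binary on disk. The regular expressions are assumptions modelled on the example version strings on this page, the scan covers all printable runs in the file rather than one section, and the sample bytes are constructed.

```python
import re

# (namespace, name) -> pattern; illustrative assumptions, not Inspector's rules.
PATTERNS = {
    ("nginx", "nginx"): re.compile(rb"nginx version: nginx/(\d+\.\d+\.\d+)"),
    ("nodejs", "node"): re.compile(rb"node\.js/v(\d+\.\d+\.\d+)"),
    ("openssh", "openssh"): re.compile(rb"OpenSSH_(\d+\.\d+(?:p\d+)?)"),
    ("oracle", "database"): re.compile(rb"RDBMS_(\d+(?:\.\d+){4})[A-Z]+_\S+"),
    ("php", "php"): re.compile(rb"X-Powered-By: PHP/(\d+\.\d+\.\d+)"),
    ("redis", "redis"): re.compile(rb"redis-(\d+\.\d+\.\d+)"),
}
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# Constructed sample: ELF magic, one version string, a decoy pattern list.
SAMPLE = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 +
          b"OpenSSH_9.9p2\x00OpenSSH_7.4*,OpenSSH_8.0*\x00"
          b"usage: sshd [-46DdeiqTtV]\x00")

def detect(blob):
    """Return sorted PURLs for version strings found in a binary image.

    Each printable run must match a pattern in full, so a string that merely
    contains something version-like (the decoy above) is not reported.
    """
    found = set()
    for run in PRINTABLE_RUN.findall(blob):
        for (namespace, name), pattern in PATTERNS.items():
            match = pattern.fullmatch(run)
            if match:
                version = match.group(1).decode("ascii")
                found.add(f"pkg:generic/{namespace}/{name}@{version}")
    return sorted(found)

def detect_file(path):
    """Run detect() over a file on disk, for example /usr/sbin/sshd."""
    with open(path, "rb") as handle:
        return detect(handle.read())

if __name__ == "__main__":
    print(detect(SAMPLE))
```

More than one PURL returned for a single binary means the patterns are ambiguous for that build and the result needs manual review.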

## WordPress ecosystem collection
<a name="w2aac37c25c47"></a>

**Supported components**
+  WordPress core 
+  WordPress plugins 
+  WordPress themes 

**Key features**
+  WordPress core – parses the `/wp-includes/version.php` file to extract the version value from the `$wp_version` variable. 
+  WordPress plugins – parses the `/wp-content/plugins/<WordPress Plugin>/readme.txt` file or `/wp-content/plugins/<WordPress Plugin>/readme.md` file to extract the `Stable tag` value as the version string. 
+  WordPress themes – parses the `/wp-content/themes/<WordPress Theme>/style.css` file to extract the version from the version metadata. 

**Example `version.php` file**  
 The following is an example of a WordPress core `version.php` file. 

```
// truncated

/**
* The WordPress version string.
*
* Holds the current version number for WordPress core. Used to bust caches
* and to enable development mode for scripts when running from the /src directory.
*
* @global string $wp_version
*/
$wp_version = '6.5.5';

// truncated
```

**Example PURL**  
 The following is an example package URL for WordPress core. 

```
Sample PURL: pkg:generic/wordpress/core/wordpress@6.5.5
```

**Example `readme.txt` file**  
 The following is an example of a WordPress plugin `readme.txt` file. 

```
=== Plugin Name ===
Contributors: (this should be a list of wordpress.org userid's)
Donate link: https://example.com/
Tags: tag1, tag2
Requires at least: 4.7
Tested up to: 5.4
Stable tag: 4.3
Requires PHP: 7.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

// truncated
```

**Example PURL**  
 The following is an example package URL for a WordPress plugin. 

```
Sample PURL: pkg:generic/wordpress/plugin/exclusive-addons-for-elementor@1.0.0
```

**Example `style.css` file**  
 The following is an example of a WordPress theme `style.css` file. 

```
/*
Author: the WordPress team
Author URI: https://wordpress.org
Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collection of templates and patterns tailor to different needs, such as presenting a business, blogging and writing or showcasing work. A multitude of possibilities open up with just a few adjustments to color and typography. Twenty Twenty-Four comes with style variations and full page designs to help speed up the site building process, is fully compatible with the site editor, and takes advantage of new design tools introduced in WordPress 6.4.
Requires at least: 6.4
Tested up to: 6.5
Requires PHP: 7.0
Version: 1.2
License: GNU General Public License v2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
Text Domain: twentytwentyfour
Tags: one-column, custom-colors, custom-menu, custom-logo, editor-style, featured-images, full-site-editing, block-patterns, rtl-language-support, sticky-post, threaded-comments, translation-ready, wide-blocks, block-styles, style-variations, accessibility-ready, blog, portfolio, news
*/
```

**Example PURL**  
 The following is an example package URL for a WordPress theme. 

```
Sample PURL: pkg:generic/wordpress/theme/avada@1.0.0
```
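The three WordPress parsing rules above can be combined into one inventory pass over a site root. The following is an added example, not the Amazon Inspector SBOM Generator's code: taking the plugin or theme name from its directory name and skipping a `Stable tag` of `trunk` (which carries no version) are assumptions, and `build_sample` writes a constructed tree for demonstration.

```python
import re
from pathlib import Path

CORE = re.compile(r"^\s*\$wp_version\s*=\s*'([^']+)'\s*;", re.M)
STABLE = re.compile(r"^Stable tag:\s*(\S+)", re.M | re.I)
THEME = re.compile(r"^\s*Version:\s*(\S+)", re.M | re.I)

def _version(path, pattern):
    """Return the first captured version in a metadata file, or None."""
    if not path.is_file():
        return None
    match = pattern.search(path.read_text(encoding="utf-8", errors="replace"))
    return match.group(1) if match else None

def wordpress_purls(root):
    """Return PURLs for WordPress core, plugins and themes under root."""
    root, purls = Path(root), []
    core = _version(root / "wp-includes/version.php", CORE)
    if core:
        purls.append(f"pkg:generic/wordpress/core/wordpress@{core}")
    for kind, sub, names, pattern in (
        ("plugin", "wp-content/plugins", ("readme.txt", "readme.md"), STABLE),
        ("theme", "wp-content/themes", ("style.css",), THEME),
    ):
        for item in sorted(p for p in (root / sub).glob("*") if p.is_dir()):
            found = (_version(item / name, pattern) for name in names)
            version = next((v for v in found if v), None)
            if version and version.lower() != "trunk":
                purls.append(f"pkg:generic/wordpress/{kind}/{item.name}@{version}")
    return purls

def build_sample(root):
    """Write a constructed WordPress tree (sample data, not from a real site)."""
    files = {
        "wp-includes/version.php": "<?php\n$wp_version = '6.5.5';\n",
        "wp-content/plugins/example-plugin/readme.txt":
            "=== Plugin Name ===\nTested up to: 5.4\nStable tag: 4.3\n",
        "wp-content/plugins/dev-plugin/readme.txt":
            "=== Dev Plugin ===\nStable tag: trunk\n",
        "wp-content/themes/twentytwentyfour/style.css":
            "/*\nRequires at least: 6.4\nVersion: 1.2\n*/\n",
    }
    for rel, text in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")
```
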