DevSecOps: principles of operation and comparison of SCA tools. Part one

The importance of analyzing third-party software components (Software Composition Analysis, SCA) in the development process is growing with each release of the annual reports on vulnerabilities in open-source libraries published by Synopsys, Sonatype, Snyk and WhiteSource. According to the State of Open Source Security Vulnerabilities 2020 report, the number of open-source vulnerabilities identified in 2019 grew almost 1.5 times compared to the previous year, while open-source components make up 60% to 80% of projects. Independently of this, the SCA process appears in OWASP SAMM and BSIMM as a maturity indicator, and in the first half of 2020 OWASP released the new OWASP Software Component Verification Standard (SCVS), which provides best practices for verifying third-party components in the software supply chain.

One of the best-known examples happened to Equifax in May 2017. Unknown attackers obtained data on 143 million Americans, including full names, addresses, social security numbers and driver's licence numbers. In 209,000 cases the records also contained the victims' bank card details. The breach was the result of exploiting a critical vulnerability in Apache Struts (CVE-2017-5638), for which a patch had been released in March 2017. The company had two months to install the update, but nobody bothered.

This article discusses the choice of a tool for performing SCA from the standpoint of the quality of the analysis results. A functional comparison of the tools is also given. Integration into CI/CD and the available integration options are left for later publications. OWASP lists many tools on its website, but in this review we will touch on the most popular open-source tool, Dependency Check, the slightly less known open-source platform Dependency Track, and the enterprise solution Sonatype Nexus IQ. We will also work out how these solutions operate and compare the results they produce in terms of false positives.

How it works

Dependency Check is a utility (CLI, Maven plugin, Jenkins module, Ant task) that analyzes project files, collects pieces of information about each dependency (package name, groupId, manifest title, version...), builds a CPE (Common Platform Enumeration) string and a Package URL (PURL), and looks up vulnerabilities for that CPE/PURL in databases (NVD, Sonatype OSS Index, NPM Audit API...), after which it builds a one-time report in HTML, JSON, XML and other formats.

Let's see what a CPE looks like:

cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other

  • part: Indicates whether the component is an application (a), an operating system (o) or hardware (h) (Required)
  • vendor: Name of the product manufacturer (Required)
  • product: Product name (Required)
  • version: Component version (Required)
  • update: Package update
  • edition: Legacy edition (Deprecated)
  • language: Language as defined in RFC 5646
  • sw_edition: Software edition
  • target_sw: Software environment in which the product operates
  • target_hw: Hardware environment in which the product operates
  • other: Vendor- or product-specific information

An example CPE looks like this:

cpe:2.3:a:pivotal_software:spring_framework:3.0.0:*:*:*:*:*:*:*

The string means that, in CPE version 2.3 terms, it describes an application component from the vendor pivotal_software with the product name spring_framework, version 3.0.0. If we open vulnerability CVE-2014-0225 in NVD, we can see a reference to this CPE. The first problem to notice right away is that the CVE in NVD, judging by the CPE, reports a problem in the framework as a whole, not in a specific component. That is, if the developers are tightly bound to the framework, and the identified vulnerability does not apply to the modules the developers actually use, a security specialist will still have to pick this CVE apart one way or another and think about an update.

Package URL is also used by SCA tools. The Package URL format is as follows:

scheme:type/namespace/name@version?qualifiers#subpath

  • scheme: Always 'pkg', indicating that this is a package URL (Required)
  • type: The package "type" or package "protocol", such as maven, npm, nuget, gem, pypi, etc. (Required)
  • namespace: Some name prefix, such as a Maven groupId, a Docker image owner, a GitHub user or organization. Optional and type-specific.
  • name: Package name (Required)
  • version: Package version
  • qualifiers: Extra qualifying data for a package, such as OS, architecture, distribution, etc. Optional and type-specific.
  • subpath: Extra subpath within a package, relative to the package root

For example:

pkg:golang/google.golang.org/genproto#googleapis/api/annotations
pkg:maven/org.apache.commons/[email protected]
pkg:pypi/[email protected]

Dependency Track is a web platform that accepts a ready-made Bill of Materials (BOM) generated by CycloneDX or SPDX, that is, a ready specification of the dependencies present. This is an XML file describing the dependencies: name, hashes, package URL, publisher, license. Dependency Track then parses the BOM, looks up the CVEs available for the identified dependencies in vulnerability databases (NVD, Sonatype OSS Index...), after which it builds graphs, calculates metrics and regularly refreshes the data on the vulnerability status of the components.

An example of what a BOM can look like in XML format:

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
  <components>
    <component type="library">
      <publisher>Apache</publisher>
      <group>org.apache.tomcat</group>
      <name>tomcat-catalina</name>
      <version>9.0.14</version>
      <hashes>
        <hash alg="MD5">3942447fac867ae5cdb3229b658f4d48</hash>
        <hash alg="SHA-1">e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a</hash>
        <hash alg="SHA-256">f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b</hash>
        <hash alg="SHA-512">e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282</hash>
      </hashes>
      <licenses>
        <license>
          <id>Apache-2.0</id>
        </license>
      </licenses>
      <purl>pkg:maven/org.apache.tomcat/[email protected]</purl>
    </component>
    <!-- More components here -->
  </components>
</bom>
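As an added example (not code from Dependency Check, Dependency Track or CycloneDX), the following Python reads a CycloneDX 1.2 BOM like the one above, decodes each component's Package URL into the fields listed earlier, derives a CPE 2.3 name from it and matches that name against an NVD-style CPE. The BOM, the vendor/product dictionary and the NVD CPE are constructed; the dictionary deliberately folds every org.springframework artifact into the framework-level spring_framework CPE, which reproduces the framework-versus-component problem described above.

```python
"""Read a CycloneDX BOM, decode each Package URL and match a derived CPE against NVD-style data."""
import xml.etree.ElementTree as ET
from typing import NamedTuple, Optional
from urllib.parse import unquote

NS = {"bom": "http://cyclonedx.org/schema/bom/1.2"}

# Constructed sample BOM in the CycloneDX 1.2 layout shown above (not a real project's BOM).
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1">
  <components>
    <component type="library">
      <group>org.apache.tomcat</group><name>tomcat-catalina</name><version>9.0.14</version>
      <purl>pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14</purl>
    </component>
    <component type="library">
      <group>org.springframework</group><name>spring-web</name><version>3.0.5</version>
      <purl>pkg:maven/org.springframework/spring-web@3.0.5?type=jar</purl>
    </component>
    <component type="library">
      <group>org.springframework</group><name>spring-tx</name><version>3.0.5</version>
      <purl>pkg:maven/org.springframework/spring-tx@3.0.5</purl>
    </component>
  </components>
</bom>"""


class Purl(NamedTuple):
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: dict
    subpath: Optional[str]


def parse_purl(purl: str) -> Purl:
    """Split scheme:type/namespace/name@version?qualifiers#subpath, peeling #, then ?, then @."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a package URL: " + purl)
    rest, subpath = purl[4:].strip("/"), None
    if "#" in rest:
        rest, subpath = rest.rsplit("#", 1)
    qualifiers = {}
    if "?" in rest:
        rest, query = rest.rsplit("?", 1)
        for pair in filter(None, query.split("&")):
            key, _, value = pair.partition("=")
            qualifiers[key.lower()] = unquote(value)
    version = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)
    segments = rest.split("/")  # type, optional namespace segments, name
    namespace = "/".join(unquote(s) for s in segments[1:-1]) or None
    return Purl(segments[0].lower(), namespace, unquote(segments[-1]), version, qualifiers, subpath)


def components_from_bom(xml_text: str) -> list:
    """Return (name, version, purl) for every <component> in the BOM."""
    root = ET.fromstring(xml_text)
    return [(c.findtext("bom:name", namespaces=NS), c.findtext("bom:version", namespaces=NS),
             c.findtext("bom:purl", namespaces=NS))
            for c in root.findall("bom:components/bom:component", NS)]


# Constructed vendor/product dictionary. Folding every org.springframework artifact into the
# framework-level CPE is what lets a framework CVE land on spring-tx when the flaw is in spring-web.
PRODUCT_MAP = {
    "org.springframework": ("pivotal_software", "spring_framework"),
    "org.apache.tomcat": ("apache", "tomcat"),
}


def cpe_escape(value: str) -> str:
    """CPE 2.3 formatted strings backslash-escape every character other than [A-Za-z0-9_]."""
    return "".join(ch if ch.isalnum() or ch == "_" else "\\" + ch for ch in value)


def purl_to_cpe23(purl: Purl) -> str:
    """Derive a CPE 2.3 name from a PURL; unknown namespaces fall back to vendor ANY and the artifact name."""
    vendor, product = PRODUCT_MAP.get(purl.namespace or "", ("*", cpe_escape(purl.name)))
    version = cpe_escape(purl.version) if purl.version else "*"
    return f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"


def cpe_matches(candidate: str, pattern: str) -> bool:
    """Field-wise CPE 2.3 comparison; '*' (ANY) in the pattern matches any value.
    Escaped colons inside values are not handled; none occur in the data here."""
    cand, patt = candidate.split(":"), pattern.split(":")
    if len(cand) != 13 or len(patt) != 13:
        raise ValueError("malformed CPE 2.3 formatted string")
    return all(p in ("*", c) for c, p in zip(cand, patt))


def match_bom_against_nvd(xml_text: str, nvd_cpe: str) -> list:
    """Names of BOM components whose derived CPE matches the NVD CPE pattern."""
    return [name for name, _version, purl in components_from_bom(xml_text)
            if cpe_matches(purl_to_cpe23(parse_purl(purl)), nvd_cpe)]


# Constructed NVD-style entry using the framework-level name from the CPE example above.
NVD_SPRING_3_0_5 = r"cpe:2.3:a:pivotal_software:spring_framework:3\.0\.5:*:*:*:*:*:*:*"

if __name__ == "__main__":
    # Both spring-web and spring-tx match, although a CVE in the web module says nothing about spring-tx.
    print(match_bom_against_nvd(SAMPLE_BOM, NVD_SPRING_3_0_5))  # ['spring-web', 'spring-tx']
```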

A BOM can be used not only as input for Dependency Track, but also to inventory software components in the supply chain, for example when delivering software to a customer. In 2014 a bill was even introduced in the USA, the "Cyber Supply Chain Management and Transparency Act of 2014", which stated that when purchasing software every state institution must request a BOM in order to prevent the use of vulnerable components, but the act has still not come into force.

Returning to SCA, Dependency Track has ready-made integrations with notification platforms such as Slack and with vulnerability management systems such as Kenna Security. It is also worth mentioning that Dependency Track, among other things, detects outdated package versions and provides license information (thanks to SPDX support).

If we talk specifically about the quality of SCA, there is a fundamental difference.

Dependency Track does not accept a project as input, but a BOM. This means that if we want to check a project, we first need to generate bom.xml, for example with CycloneDX. Dependency Track therefore depends directly on CycloneDX. At the same time, this allows customization: the OZON team, for instance, wrote a CycloneDX module that assembles BOM files for Golang projects for subsequent checking in Dependency Track.

Nexus IQ is a commercial SCA solution from Sonatype and part of the Sonatype ecosystem, which also includes Nexus Repository Manager. Nexus IQ can accept as input a war archive (for Java projects) via the web interface or the API, as well as a BOM, if your organization has not yet moved from CycloneDX to a different solution. Unlike the open-source solutions, IQ does not only map the CPE/PURL of an identified component to the matching vulnerability in the database; it also takes its own research into account, for example the name of the vulnerable function or class. IQ's mechanisms are discussed later, in the analysis of the results.

Let's summarise some functional features, and also look at the languages supported for analysis:

Language | Nexus IQ | Dependency Check | Dependency Track
--- | --- | --- | ---
Java | + | + | +
C / C++ | + | + | -
C# | + | + | -
.Net | + | + | +
Erlang | - | - | +
JavaScript (NodeJS) | + | + | +
PHP | + | + | +
Python | + | + | +
Ruby | + | + | +
Perl | - | - | -
Scala | + | + | +
Objective C | + | + | -
Swift | + | + | -
R | + | - | -
Go | + | + | +

Functionality

Function | Nexus IQ | Dependency Check | Dependency Track
--- | --- | --- | ---
Ability to verify that the components used in the source code are checked for license cleanliness | + | - | +
Ability to scan and analyse Docker images for vulnerabilities and license cleanliness | + (integration with Clair) | - | -
Ability to configure a security policy for the use of open-source libraries | + | - | -
Ability to scan open-source repositories for vulnerable components | + (RubyGems, Maven, NPM, Nuget, Pypi, Conan, Bower, Conda, Go, p2, R, Yum, Helm, Docker, CocoaPods, Git LFS) | - | + (Hex, RubyGems, Maven, NPM, Nuget, Pypi)
Dedicated research team | + | - | -
Operation in a closed (offline) network | + | + | +
Use of third-party databases | + (Sonatype proprietary database) | + (Sonatype OSS, NPM Public Advisories) | + (Sonatype OSS, NPM Public Advisories, RetireJS, VulnDB, support for a custom vulnerability database)
Ability to filter open-source components on entry into the development loop according to configured policies | + | - | -
Remediation recommendations and links to fixes | + | +- (depends on the description in the public databases) | +- (depends on the description in the public databases)
Ranking of identified vulnerabilities by severity | + | + | +
Role-based access model | + | - | +
CLI support | + | + | +- (only for CycloneDX)
Selection / sorting of vulnerabilities by defined criteria | + | - | +
Dashboard by application status | + | - | +
Report generation in PDF format | + | - | -
Report generation in JSON/CSV format | + | + | -
Russian language support | - | - | -

Integrations

Integration | Nexus IQ | Dependency Check | Dependency Track
--- | --- | --- | ---
LDAP/Active Directory integration | + | - | +
Integration with the Bamboo continuous integration system | + | - | -
Integration with the TeamCity continuous integration system | + | - | -
Integration with the GitLab continuous integration system | + | +- (as a plugin for GitLab) | +
Integration with the Jenkins continuous integration system | + | + | +
IDE plugins | + (IntelliJ, Eclipse, Visual Studio) | - | -
Support for custom integration via the tool's web service (API) | + | - | +

Dependency Check

Getting started

Let's run Dependency Check on the deliberately vulnerable application DVJA.

For this we will use the Dependency Check Maven Plugin:

mvn org.owasp:dependency-check-maven:check

As a result, dependency-check-report.html appears in the target directory.

Let's open the file. After a brief summary of the total number of vulnerabilities, we see the vulnerabilities with a high level of Severity and Confidence, with the package, the CPE and the number of CVEs.

Next come more details, in particular the basis on which the decision was made (evidence), that is, a kind of BOM.

Then comes the CPE, PURL and CVE information. Incidentally, fix recommendations are not included because they are absent from the NVD database.

To review scan results in an organised way, you can set up Nginx with a minimal configuration, or send the defects to a defect management system that has a connector for Dependency Check, for example Defect Dojo.

Dependency Track

Setup

Dependency Track, in turn, is a web platform with graphical dashboards, so the question of storing defects in a third-party solution does not arise here.
The supported installation options are: Docker, WAR, Executable WAR.

Getting started

Go to the URL of the running service. Log in with admin/admin, change the login and password, then go to the Dashboard. The next step is to create a project for the test Java application in Home/Projects → Create Project. Let's take DVJA as the example.

Since Dependency Track can only accept a BOM as input, this BOM has to be produced. Let's use the CycloneDX Maven Plugin:

mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom

We get bom.xml and upload the file into the created project: DVJA → Dependencies → Upload BOM.

Go to Administration → Analyzers. We see that only the Internal Analyzer, which includes NVD, is enabled. Let's also enable Sonatype OSS Index.

As a result we get the following picture for our project: [screenshot of the DVJA project in Dependency Track]

Also in the list you can find one vulnerability that was matched via Sonatype OSS: [screenshot of the vulnerability list]

The big disappointment is that Dependency Track does not accept Dependency Check XML reports. The latest Dependency Check versions supported by the integration were 1.0.0 - 4.0.2, while I tested 5.3.2.

Here is a video (and another one) from the time when this was still possible.

Nexus IQ

Getting started

Nexus IQ is installed from the archive in the documentation, but we built a Docker image for this purpose.

After logging into the console, you need to create an Organization and an Application.

As you can see, setup in the case of IQ is somewhat more involved, because we also need to create policies that apply to the different "stages" (dev, build, stage, release). This is needed to block vulnerable components as they move through the pipeline closer to production, or to block them as soon as they enter Nexus Repo when developers download them.

To feel the difference between open source and enterprise, let's run the same scan through Nexus IQ using a similar Maven plugin, having created a test application named dvja-test-and-compare in the Nexus IQ context:

mvn com.sonatype.clm:clm-maven-plugin:evaluate -Dclm.applicationId=dvja-test-and-compare -Dclm.serverUrl=<NEXUSIQIP> -Dclm.username=<USERNAME> -Dclm.password=<PASSWORD>

Follow the URL to the generated report in the IQ web interface:

Here you can see all policy violations with their different levels of significance (from Info to Security Critical). The letter D next to a component means that the component is a Direct Dependency, and the letter T means that it is a Transitive Dependency.

By the way, the State of Open Source Security Report 2020 from Snyk reports that more than 70% of the open-source vulnerabilities found in Node.js, Java and Ruby are in transitive dependencies.

If we open one of the Nexus IQ policy violations, we see a description of the component, as well as the Version Graph, which shows where the current version sits on the timeline and at what point the vulnerability stops being exploitable. The height of the candles on the graph shows how widely a given version of the component is used.

If you go to the vulnerabilities section and expand the CVE, you can read the description of this vulnerability, remediation recommendations, and the reason this component was flagged, namely the presence of the class DiskFileitem.class.

Let's summarise only the findings related to third-party Java components, excluding the js components. In parentheses we give the number of vulnerabilities found outside NVD.

Nexus IQ totals:

  • Dependencies: 62
  • Vulnerable dependencies: 16
  • Vulnerabilities found: 42 (8 sonatype db)

Dependency Check totals:

  • Dependencies: 47
  • Vulnerable dependencies: 13
  • Vulnerabilities found: 91 (14 sonatype oss)

Dependency Track totals:

  • Dependencies: 59
  • Vulnerable dependencies: 10
  • Vulnerabilities found: 51 (1 sonatype oss)

In the next steps we will analyse the results obtained and find out which of these vulnerabilities are real defects and which are noise.

Disclaimer

This review does not claim to be the final word. The author does not aim to promote any particular tool at the expense of the others. The purpose of the review is to show the working mechanisms of SCA tools and ways of checking their results.

Comparison of results

Conditions:

A false positive for a third-party component vulnerability is:

  • A mismatch between the CVE and the identified component
    ◦ For example, a vulnerability is found in the struts2 framework, and the tool flags the framework component struts-tiles, to which this vulnerability does not apply: that is a false positive.
  • A mismatch between the CVE and the identified version of the component
    ◦ For example, the vulnerability concerns Python versions > 3.5 and the tool flags version 2.7 as vulnerable: that is a false positive, since the vulnerability actually applies only to the 3.x branch of the product.
  • Duplicate CVEs
    ◦ For example, the SCA reports a CVE that allows RCE, and then also reports a CVE for the same component that concerns Cisco products affected by that RCE. In this case it is a false positive.
    ◦ For example, a CVE is found in the spring-web component, after which the SCA reports the same CVE in the other Spring Framework components, although the CVE has nothing to do with those components. In this case it is a false positive.
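As an added example (not the authors' tooling), the following Python applies those three criteria mechanically: each SCA finding is checked against a small advisory knowledge base recording which artifact a CVE really belongs to, its affected version range and whether it merely duplicates another CVE, and a per-tool false-positive share is computed the way the summary tables below report it. The knowledge base and the findings are constructed, modelled on cases from this review (CVE-2016-4003 fixed in struts2-core 2.3.28, CVE-2019-10086 affecting commons-beanutils 1.9.2+, spring-web CVEs attributed to spring-core), and CVE-2099-0001 is a placeholder for an identifier the knowledge base does not know.

```python
"""Triage SCA findings as TRUE / FALSE / REVIEW using an advisory knowledge base."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class Advisory(NamedTuple):
    components: frozenset        # artifacts the flaw really lives in
    introduced: Optional[tuple]  # first affected version (inclusive); None = all earlier versions
    fixed: Optional[tuple]       # first fixed version (exclusive); None = no fix known
    same_as: Optional[str]       # CVE that this one duplicates or was split from


class Finding(NamedTuple):
    tool: str
    component: str
    version: str
    cve: str


def vkey(version: str) -> tuple:
    """Numeric-aware version key: '2.3.28' -> (2, 3, 28); labels such as RELEASE are ignored."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


# Constructed advisory knowledge base, modelled on cases discussed on this page (not an authoritative DB).
ADVISORIES: Dict[str, Advisory] = {
    "CVE-2016-4003": Advisory(frozenset({"struts2-core"}), None, vkey("2.3.28"), None),
    "CVE-2019-10086": Advisory(frozenset({"commons-beanutils"}), vkey("1.9.2"), None, None),
    "CVE-2014-0114": Advisory(frozenset({"commons-beanutils"}), None, None, None),
    "CVE-2013-4152": Advisory(frozenset({"spring-web"}), None, None, None),
    "CVE-2013-7315": Advisory(frozenset({"spring-web"}), None, None, "CVE-2013-4152"),
    "CVE-2011-2894": Advisory(frozenset({"spring-core", "spring-context"}), None, None, None),
}

# Constructed findings (tool, component, version, CVE), modelled on the appendix tables.
FINDINGS: List[Finding] = [
    Finding("Nexus IQ", "struts2-core", "2.3.30", "CVE-2016-4003"),
    Finding("Nexus IQ", "commons-beanutils", "1.7.0", "CVE-2014-0114"),
    Finding("Nexus IQ", "spring-context", "3.0.5", "CVE-2011-2894"),
    Finding("Dependency Check", "commons-beanutils", "1.7.0", "CVE-2014-0114"),
    Finding("Dependency Check", "commons-beanutils", "1.7.0", "CVE-2019-10086"),
    Finding("Dependency Check", "spring-core", "3.0.5", "CVE-2013-4152"),
    Finding("Dependency Check", "spring-tx", "3.0.5", "CVE-2011-2894"),
    Finding("Dependency Track", "spring-web", "3.0.5", "CVE-2013-4152"),
    Finding("Dependency Track", "spring-web", "3.0.5", "CVE-2013-7315"),
    Finding("Dependency Track", "spring-core", "3.0.5", "CVE-2099-0001"),  # placeholder: unknown CVE
]


def classify(f: Finding, reported: set) -> Tuple[str, str]:
    """Return ('TRUE' | 'FALSE' | 'REVIEW', reason), applying the three false-positive
    criteria in order: component mismatch, version mismatch, duplicate CVE."""
    adv = ADVISORIES.get(f.cve)
    if adv is None:
        return "REVIEW", "CVE not in knowledge base"
    if f.component not in adv.components:
        return "FALSE", "CVE belongs to " + "/".join(sorted(adv.components))
    ver = vkey(f.version)
    if adv.introduced is not None and ver < adv.introduced:
        return "FALSE", "version predates the vulnerable range"
    if adv.fixed is not None and ver >= adv.fixed:
        return "FALSE", "version already contains the fix"
    # Duplicate only if the same tool also reported the primary CVE for the same component.
    if adv.same_as and (f.tool, f.component, adv.same_as) in reported:
        return "FALSE", "duplicate of " + adv.same_as
    return "TRUE", "confirmed"


def triage(findings: List[Finding]) -> Dict[Finding, Tuple[str, str]]:
    reported = {(f.tool, f.component, f.cve) for f in findings}
    return {f: classify(f, reported) for f in findings}


def false_positive_rate(findings: List[Finding]) -> Dict[str, Tuple[int, int, float]]:
    """Per tool: (findings, false positives, false-positive share in %), as in the summary table."""
    total, false = defaultdict(int), defaultdict(int)
    for f, (status, _reason) in triage(findings).items():
        total[f.tool] += 1
        if status == "FALSE":
            false[f.tool] += 1
    return {tool: (total[tool], false[tool], round(100.0 * false[tool] / total[tool], 2))
            for tool in total}


if __name__ == "__main__":
    for f, (status, reason) in triage(FINDINGS).items():
        print(f"{f.tool:17} {f.component}:{f.version:8} {f.cve:15} {status:6} {reason}")
    print(false_positive_rate(FINDINGS))
```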

The object of study is the open-source project DVJA. The study covers only the Java components (without js).

Summary results

Let's go straight to the results of the manual review of the identified vulnerabilities. The full report for each CVE can be found in the Appendix.

Summary results for all vulnerabilities:

Metric | Nexus IQ | Dependency Check | Dependency Track
--- | --- | --- | ---
Total vulnerabilities identified | 42 | 91 | 51
Vulnerabilities identified incorrectly (false positives) | 2 (4.76%) | 62 (68.13%) | 29 (56.86%)
Relevant vulnerabilities not found (false negatives) | 10 | 20 | 27

Summary results by component:

Metric | Nexus IQ | Dependency Check | Dependency Track
--- | --- | --- | ---
Total components identified | 62 | 47 | 59
Total vulnerable components | 16 | 13 | 10
Components identified as vulnerable incorrectly (false positives) | 1 | 5 | 0
Vulnerable components not found (false negatives) | 0 | 6 | 6

Let's build visual charts to estimate the share of false positives and false negatives in the total number of vulnerabilities. Components are plotted horizontally, and the vulnerabilities found in them vertically.

[Charts: false positives and false negatives per component for Nexus IQ, Dependency Check and Dependency Track]

For comparison, the Sonatype team carried out a similar study, testing a project of 1531 components with OWASP Dependency Check. As we can see, the ratio of noise to correct responses is similar to our results.

[Chart from the Sonatype study]
Source: www.sonatype.com/why-precision-matters-ebook

Let's look at some CVEs from our scan results to understand the reasons for these results.


No. 1

Let's start with a few interesting things about Sonatype Nexus IQ.

Nexus IQ reports a deserialization issue with the possibility of RCE in the Spring Framework several times: first CVE-2016-1000027 in spring-web:3.0.5, and then CVE-2011-2894 in spring-context:3.0.5 and spring-core:3.0.5. At first it looks as if one vulnerability is duplicated across several CVEs, because if you look at CVE-2016-1000027 and CVE-2011-2894 in the NVD database, everything seems obvious.

Component | Vulnerability
--- | ---
spring-web:3.0.5 | CVE-2016-1000027
spring-context:3.0.5 | CVE-2011-2894
spring-core:3.0.5 | CVE-2011-2894

[Screenshot: description of CVE-2011-2894 from NVD]

[Screenshot: description of CVE-2016-1000027 from NVD]

CVE-2011-2894 itself is well known. In the WhiteSource 2011 report this CVE was recognised as one of the most common. The description of CVE-2016-1000027 in NVD is, frankly, scant, and it appears to apply only to Spring Framework 4.1.4. Let's look at the reference, and here everything becomes more or less clear. From the Tenable write-up we learn that, in addition to the vulnerability in RemoteInvocationSerializingExporter from CVE-2011-2894, a vulnerability is present in HttpInvokerServiceExporter. This is what Nexus IQ tells us:

[Screenshot: Nexus IQ description of CVE-2016-1000027]

However, there is nothing of the kind in NVD, which is why Dependency Check and Dependency Track each receive a false negative.

Also from the description of CVE-2011-2894 it can be understood that the vulnerability is indeed present in both spring-context:3.0.5 and spring-core:3.0.5. Confirmation of this can be found in the article by the person who discovered this vulnerability.

No. 2

Component | Vulnerability | Result
--- | --- | ---
struts2-core:2.3.30 | CVE-2016-4003 | FALSE

If we study CVE-2016-4003, we find that it was fixed in version 2.3.28; nevertheless, Nexus IQ reports it. There is a note in the vulnerability description:

[Screenshot: note in the Nexus IQ description of CVE-2016-4003]

That is, the vulnerability exists only with an old version of the JRE, about which they decided to warn us. Nevertheless, we count this as a false positive, though not the worst kind.

No. 3

Component | Vulnerability | Result
--- | --- | ---
xwork-core:2.3.30 | CVE-2017-9804 | TRUE
xwork-core:2.3.30 | CVE-2017-7672 | FALSE

If we look at the descriptions of CVE-2017-9804 and CVE-2017-7672, we see that the problem is in the URLValidator class, with CVE-2017-9804 stemming from CVE-2017-7672. The presence of the second vulnerability carries no useful payload other than the fact that its severity was raised to High, so we can consider it useless noise.

Overall, no other false positives were found for Nexus IQ.

No. 4

There are many things that make IQ stand out from the other solutions.

Component | Vulnerability | Result
--- | --- | ---
spring-web:3.0.5 | CVE-2020-5398 | TRUE

The CVE in NVD states that it affects only versions 5.2.x before 5.2.3, 5.1.x before 5.1.13, and 5.0.x before 5.0.16; however, if we look at the CVE description in Nexus IQ, we see the following:
Advisory Deviation Notice: The Sonatype security research team discovered that this vulnerability was introduced in version 3.0.2.RELEASE and not 5.0.x as stated in the advisory.

This is followed by a PoC for this vulnerability, which states that it is present in version 3.0.5.

A false negative goes to Dependency Check and Dependency Track.

No. 5

Let's look at the false positives of Dependency Check and Dependency Track.

Dependency Check stands out because it maps CVEs that NVD assigns to the whole framework onto components to which these CVEs do not apply. This concerns CVE-2012-0394, CVE-2013-2115, CVE-2014-0114, CVE-2015-0899, CVE-2015-2992, CVE-2016-1181 and CVE-2016-1182, which were "attached" to struts-taglib:1.3.8 and struts-tiles-1.3.8. These components have nothing to do with what is described in the CVEs (request handling, page validation, and so on). The only thing these CVEs and these components have in common is the framework, and that is why Dependency Check treats them as vulnerable.

The situation is the same with spring-tx:3.0.5, and similar with struts-core:1.3.8. For struts-core, Dependency Check and Dependency Track found many vulnerabilities that actually apply to struts2-core, which is essentially a different framework. In this case Nexus IQ understood the picture correctly and, in the CVEs it reported, indicated that struts-core has reached end of life and that it is necessary to move to struts2-core.

No. 6

In some cases it is unfair to interpret a Dependency Check or Dependency Track finding as a false positive. Specifically, CVE-2013-4152, CVE-2013-6429, CVE-2013-6430, CVE-2013-7315, CVE-2014-0054, CVE-2014-0225 and CVE-2014-0225, which Dependency Check and Dependency Track attributed to spring-core:3.0.5, actually belong to spring-web:3.0.5. At the same time, some of these CVEs were also found by Nexus IQ, but IQ attributed them correctly to the other component. Since these vulnerabilities were not found in spring-core, one cannot argue that they are absent from the framework altogether, and the open-source tools did point to these vulnerabilities correctly (they just missed the mark slightly).

Conclusions

As we can see, establishing the validity of the identified vulnerabilities by manual review does not give unambiguous results, which is why controversial cases arise. The upshot is that the Nexus IQ solution has the lowest false-positive rate and the highest accuracy.

First of all, this is because the Sonatype team has extended the description of each CVE from NVD in its own database, pinning the vulnerability down to a specific version range of the components and down to the class or function, and conducting additional research (for example, checking the vulnerability against older software versions).

The results are also significantly influenced by those vulnerabilities that are not included in NVD but are nevertheless present in the Sonatype database with the SONATYPE label. According to the State of Open Source Security Vulnerabilities 2020 report, 45% of identified open-source vulnerabilities are not reported to NVD. According to WhiteSource data, only 29% of all open-source vulnerabilities reported outside NVD end up there, which is why it is important to look for vulnerabilities in other sources as well.

As a result, Dependency Check produces a lot of noise while missing some vulnerable components. Dependency Track produces less noise and identifies a large number of components, which is not painful to look at in the web interface.

However, practice shows that open source should be the first step towards mature DevSecOps. The first thing to think about when integrating SCA into development is the processes, that is, working out together with management and the related departments what an ideal process should look like for your organization. It may turn out that at first Dependency Check or Dependency Track will cover all of your organization's business needs, and an enterprise solution will be the logical continuation as the complexity of the applications being developed grows.

Appendix A: Results by component
Legend:

  • High - high and critical severity vulnerabilities in the component
  • Medium - medium severity vulnerabilities in the component
  • TRUE - true positive issue
  • FALSE - false positive issue

Component | Nexus IQ | Dependency Check | Dependency Track | Result
--- | --- | --- | --- | ---
dom4j:1.6.1 | High | High | High | TRUE
log4j-core:2.3 | High | High | High | TRUE
log4j:1.2.14 | High | High | - | TRUE
commons-collections:3.1 | High | High | High | TRUE
commons-fileupload:1.3.2 | High | High | High | TRUE
commons-beanutils:1.7.0 | High | High | High | TRUE
commons-codec:1.10 | Medium | - | - | TRUE
mysql-connector-java:5.1.42 | High | High | High | TRUE
spring-expression:3.0.5 | High | Component not found | - | TRUE
spring-web:3.0.5 | High | Component not found | High | TRUE
spring-context:3.0.5 | Medium | Component not found | - | TRUE
spring-core:3.0.5 | Medium | High | High | TRUE
struts2-config-browser-plugin:2.3.30 | Medium | - | - | TRUE
spring-tx:3.0.5 | - | High | - | FALSE
struts-core:1.3.8 | High | High | High | TRUE
xwork-core:2.3.30 | High | - | - | TRUE
struts2-core:2.3.30 | High | High | High | TRUE
struts-taglib:1.3.8 | - | High | - | FALSE
struts-tiles-1.3.8 | - | High | - | FALSE

Appendix B: Results by vulnerability
Legend:

  • High - high and critical severity vulnerabilities in the component
  • Medium - medium severity vulnerabilities in the component
  • TRUE - true positive issue
  • FALSE - false positive issue

Component | Nexus IQ | Dependency Check | Dependency Track | Severity | Result | Comment
--- | --- | --- | --- | --- | --- | ---
dom4j:1.6.1 | CVE-2018-1000632 | CVE-2018-1000632 | CVE-2018-1000632 | High | TRUE |
 | CVE-2020-10683 | CVE-2020-10683 | CVE-2020-10683 | High | TRUE |
log4j-core:2.3 | CVE-2017-5645 | CVE-2017-5645 | CVE-2017-5645 | High | TRUE |
 | CVE-2020-9488 | CVE-2020-9488 | CVE-2020-9488 | Low | TRUE |
log4j:1.2.14 | CVE-2019-17571 | CVE-2019-17571 | - | High | TRUE |
 | - | CVE-2020-9488 | - | Low | TRUE |
 | SONATYPE-2010-0053 | - | - | High | TRUE |
commons-collections:3.1 | - | CVE-2015-6420 | CVE-2015-6420 | High | FALSE | Duplicate of RCE (OSSINDEX)
 | - | CVE-2017-15708 | CVE-2017-15708 | High | FALSE | Duplicate of RCE (OSSINDEX)
 | SONATYPE-2015-0002 | RCE (OSSINDEX) | RCE (OSSINDEX) | High | TRUE |
commons-fileupload:1.3.2 | CVE-2016-1000031 | CVE-2016-1000031 | CVE-2016-1000031 | High | TRUE |
 | SONATYPE-2014-0173 | - | - | Medium | TRUE |
commons-beanutils:1.7.0 | CVE-2014-0114 | CVE-2014-0114 | CVE-2014-0114 | High | TRUE |
 | - | CVE-2019-10086 | CVE-2019-10086 | High | FALSE | Vulnerability affects only versions 1.9.2+
commons-codec:1.10 | SONATYPE-2012-0050 | - | - | Medium | TRUE |
mysql-connector-java:5.1.42 | CVE-2018-3258 | CVE-2018-3258 | CVE-2018-3258 | High | TRUE |
 | CVE-2019-2692 | CVE-2019-2692 | - | Medium | TRUE |
 | - | CVE-2020-2875 | - | Medium | FALSE | Same vulnerability as CVE-2019-2692, but with the note "attacks may affect additional products"
 | - | CVE-2017-15945 | - | High | FALSE | Not relevant to mysql-connector-java
 | - | CVE-2020-2933 | - | Low | FALSE | Duplicate of CVE-2020-2934
 | CVE-2020-2934 | CVE-2020-2934 | - | Medium | TRUE |
spring-expression:3.0.5 | CVE-2018-1270 | Component not found | - | High | TRUE |
 | CVE-2018-1257 | - | - | Medium | TRUE |
spring-web:3.0.5 | CVE-2016-1000027 | Component not found | - | High | TRUE |
 | CVE-2014-0225 | - | CVE-2014-0225 | High | TRUE |
 | CVE-2011-2730 | - | - | High | TRUE |
 | - | - | CVE-2013-4152 | Medium | TRUE |
 | CVE-2018-1272 | - | - | High | TRUE |
 | CVE-2020-5398 | - | - | High | TRUE | A prime example in IQ's favour: "The Sonatype security research team discovered that this vulnerability was introduced in version 3.0.2.RELEASE and not 5.0.x as stated in the advisory."
 | CVE-2013-6429 | - | - | Medium | TRUE |
 | CVE-2014-0054 | - | CVE-2014-0054 | Medium | TRUE |
 | CVE-2013-6430 | - | - | Medium | TRUE |
spring-context:3.0.5 | CVE-2011-2894 | Component not found | - | Medium | TRUE |
spring-core:3.0.5 | - | CVE-2011-2730 | CVE-2011-2730 | High | TRUE |
 | CVE-2011-2894 | CVE-2011-2894 | CVE-2011-2894 | Medium | TRUE |
 | - | - | CVE-2013-4152 | Medium | FALSE | Duplicate of the same vulnerability in spring-web
 | - | CVE-2013-4152 | - | Medium | FALSE | Vulnerability belongs to the spring-web component
 | - | CVE-2013-6429 | CVE-2013-6429 | Medium | FALSE | Vulnerability belongs to the spring-web component
 | - | CVE-2013-6430 | - | Medium | FALSE | Vulnerability belongs to the spring-web component
 | - | CVE-2013-7315 | CVE-2013-7315 | Medium | FALSE | SPLIT from CVE-2013-4152, and the vulnerability belongs to the spring-web component
 | - | CVE-2014-0054 | CVE-2014-0054 | Medium | FALSE | Vulnerability belongs to the spring-web component
 | - | CVE-2014-0225 | - | High | FALSE | Vulnerability belongs to the spring-web component
 | - | - | CVE-2014-0225 | High | FALSE | Duplicate of the same vulnerability in spring-web
 | - | CVE-2014-1904 | CVE-2014-1904 | Medium | FALSE | Vulnerability affects the spring-web-mvc component
 | - | CVE-2014-3625 | CVE-2014-3625 | Medium | FALSE | Vulnerability affects the spring-web-mvc component
 | - | CVE-2016-9878 | CVE-2016-9878 | High | FALSE | Vulnerability affects the spring-web-mvc component
 | - | CVE-2018-1270 | CVE-2018-1270 | High | FALSE | Relates to spring-expression / spring-messaging
 | - | CVE-2018-1271 | CVE-2018-1271 | Medium | FALSE | Vulnerability affects the spring-web-mvc component
 | - | CVE-2018-1272 | CVE-2018-1272 | High | TRUE |
 | CVE-2014-3578 | CVE-2014-3578 (OSSINDEX) | CVE-2014-3578 | Medium | TRUE |
 | SONATYPE-2015-0327 | - | - | Low | TRUE |
struts2-config-browser-plugin:2.3.30 | SONATYPE-2016-0104 | - | - | Medium | TRUE |
spring-tx:3.0.5 | - | CVE-2011-2730 | - | High | FALSE | Vulnerability is not specific to spring-tx
 | - | CVE-2011-2894 | - | High | FALSE | Vulnerability is not specific to spring-tx
 | - | CVE-2013-4152 | - | Medium | FALSE | Vulnerability is not specific to spring-tx
 | - | CVE-2013-6429 | - | Medium | FALSE | Vulnerability is not specific to spring-tx
 | - | CVE-2013-6430 | - | Medium | FALSE | Vulnerability is not specific to spring-tx
 | - | CVE-2013-7315 | - | Medium | FALSE | Vulnerability is not specific to spring-tx
 | - | CVE-2014-0054 | - | Medium | FALSE | Vulnerability is not specific to spring-tx
 | - | CVE-2014-0225 | - | High | FALSE | Vulnerability is not specific to spring-tx
 | - | CVE-2014-1904 | - | Medium | FALSE | Vulnerability is not specific to spring-tx
 | - | CVE-2014-3625 | - | Medium | FALSE | Vulnerability is not specific to spring-tx
 | - | CVE-2016-9878 | - | High | FALSE | Vulnerability is not specific to spring-tx
 | - | CVE-2018-1270 | - | High | FALSE | Vulnerability is not specific to spring-tx
 | - | CVE-2018-1271 | - | Medium | FALSE | Vulnerability is not specific to spring-tx
 | - | CVE-2018-1272 | - | Medium | FALSE | Vulnerability is not specific to spring-tx
struts-core:1.3.8 | - | CVE-2011-5057 (OSSINDEX) | - | Medium | FALSE | Vulnerability is in Struts 2
 | - | CVE-2012-0391 (OSSINDEX) | CVE-2012-0391 | High | FALSE | Vulnerability is in Struts 2
 | - | CVE-2014-0094 (OSSINDEX) | CVE-2014-0094 | Medium | FALSE | Vulnerability is in Struts 2
 | - | CVE-2014-0113 (OSSINDEX) | CVE-2014-0113 | High | FALSE | Vulnerability is in Struts 2
 | CVE-2016-1182 | CVE-2016-1182 | - | High | TRUE |
 | - | - | CVE-2011-5057 | Medium | FALSE | Vulnerability is in Struts 2
 | - | CVE-2012-0392 (OSSINDEX) | CVE-2012-0392 | High | FALSE | Vulnerability is in Struts 2
 | - | CVE-2012-0393 (OSSINDEX) | CVE-2012-0393 | Medium | FALSE | Vulnerability is in Struts 2
 | CVE-2015-0899 | CVE-2015-0899 | - | High | TRUE |
 | - | CVE-2012-0394 | CVE-2012-0394 | Medium | FALSE | Vulnerability is in Struts 2

-
CVE-2012-0838 (OSSINDEX)
CVE-2012-0838
high
KARYA
Rashin lahani ga Struts 2

-
CVE-2013-1965 (OSSINDEX)
CVE-2013-1965
high
KARYA
Rashin lahani ga Struts 2

-
CVE-2013-1966 (OSSINDEX)
CVE-2013-1966
high
FASLE
Rashin lahani ga Struts 2

-
CVE-2013-2115
CVE-2013-2115
high
FASLE
Rashin lahani ga Struts 2

-
CVE-2013-2134 (OSSINDEX)
CVE-2013-2134
high
FASLE
Rashin lahani ga Struts 2

-
CVE-2013-2135 (OSSINDEX)
CVE-2013-2135
high
FASLE
Rashin lahani ga Struts 2

CVE-2014-0114
CVE-2014-0114
-
high
GASKIYA

-
CVE-2015-2992
CVE-2015-2992
Medium
KARYA
Rashin lahani ga Struts 2

-
CVE-2016-0785 (OSSINDEX)
CVE-2016-0785
high
KARYA
Rashin lahani ga Struts 2

CVE-2016-1181
CVE-2016-1181
-
high
GASKIYA

-
CVE-2016-4003 (OSSINDEX)
CVE-2016-4003
high
KARYA
Rashin lahani ga Struts 2

xwork-core: 2.3.30
CVE-2017-9804
-
-
high
GASKIYA

SONATYPE-2017-0173
-
-
high
GASKIYA

CVE-2017-7672
-
-
high
KARYA
Kwafi na CVE-2017-9804

SONATYPE-2016-0127
-
-
high
GASKIYA

struts2-core: 2.3.30
-
CVE-2016-6795
CVE-2016-6795
high
GASKIYA

-
CVE-2017-9787
CVE-2017-9787
high
GASKIYA

-
CVE-2017-9791
CVE-2017-9791
high
GASKIYA

-
CVE-2017-9793
-
high
KARYA
Kwafi na CVE-2018-1327

-
CVE-2017-9804
-
high
GASKIYA

-
CVE-2017-9805
CVE-2017-9805
high
GASKIYA

CVE-2016-4003
-
-
Medium
KARYA
Ana amfani da Apache Struts 2.x har zuwa 2.3.28, wanda shine sigar 2.3.30. Koyaya, dangane da bayanin, CVE yana aiki ga kowane sigar Struts 2 idan aka yi amfani da JRE 1.7 ko ƙasa da haka. Da alama sun yanke shawarar sake dawo da mu anan, amma yana kama da KARYA

-
CVE-2018-1327
CVE-2018-1327
high
GASKIYA

CVE-2017-5638
CVE-2017-5638
CVE-2017-5638
high
GASKIYA
Irin raunin da Equifax hackers suka yi amfani da shi a cikin 2017

CVE-2017-12611
CVE-2017-12611
-
high
GASKIYA

CVE-2018-11776
CVE-2018-11776
CVE-2018-11776
high
GASKIYA

struts-taglib: 1.3.8
-
CVE-2012-0394
-
Medium
KARYA
Don struts2-core

-
CVE-2013-2115
-
high
KARYA
Don struts2-core

-
CVE-2014-0114
-
high
KARYA
Don gama-gari-benutils

-
CVE-2015-0899
-
high
KARYA
Ba ya shafi taglib

-
CVE-2015-2992
-
Medium
KARYA
Yana nufin struts2-core

-
CVE-2016-1181
-
high
KARYA
Ba ya shafi taglib

-
CVE-2016-1182
-
high
KARYA
Ba ya shafi taglib

struts-tiles-1.3.8
-
CVE-2012-0394
-
Medium
KARYA
Don struts2-core

-
CVE-2013-2115
-
high
KARYA
Don struts2-core

-
CVE-2014-0114
-
high
KARYA
Karkashin gama-gari-benutils

-
CVE-2015-0899
-
high
KARYA
Ba ya shafi tayal

-
CVE-2015-2992
-
Medium
KARYA
Don struts2-core

-
CVE-2016-1181
-
high
KARYA
Ba ya shafi taglib

-
CVE-2016-1182
-
high
KARYA
Ba ya shafi taglib
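The verdict column above judges each finding once, but a practitioner comparing the three scanners wants the tally per tool: how many of the findings each one reported were TRUE and how many FALSE. The script below is an added example, not code from the article or from any of the tools; it parses rows in the table's column layout (a blank Component cell continuing the previous component, as in the table) and computes per-tool counts and precision over a constructed subset of the rows.

```python
"""Per-tool true/false-positive tally for an SCA comparison table.

Added example, not code from the original article: it parses rows in the
column layout of the table above (Component | Nexus IQ | Dependency Check |
Dependency Track | Severity | True/False | Comment) and counts, for each
tool, how many of the findings it reported were judged TRUE or FALSE.
"""
TOOLS = ("Nexus IQ", "Dependency Check", "Dependency Track")

# Constructed sample: a handful of rows copied from the table above.
SAMPLE_TABLE = """\
| Component | Nexus IQ | Dependency Check | Dependency Track | Severity | True/False | Comment |
|---|---|---|---|---|---|---|
| spring-core: 3.0.5 | - | CVE-2011-2730 | CVE-2011-2730 | High | TRUE | |
| | CVE-2011-2894 | CVE-2011-2894 | CVE-2011-2894 | Medium | TRUE | |
| | - | CVE-2013-4152 | - | Medium | FALSE | Vulnerability relates to the spring-web component |
| | - | CVE-2014-0225 | - | High | FALSE | Vulnerability relates to the spring-web component |
| struts2-core: 2.3.30 | CVE-2017-5638 | CVE-2017-5638 | CVE-2017-5638 | High | TRUE | Equifax 2017 |
| | CVE-2016-4003 | - | - | Medium | FALSE | Looks more like FALSE |
"""

def parse_rows(table):
    """Return (component, iq, dc, dt, severity, verdict) tuples; a blank
    Component cell continues the previous component, as in the table."""
    rows, component = [], None
    for line in table.splitlines()[2:]:  # skip header and separator rows
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 6:
            continue
        component = cells[0] or component
        rows.append((component, cells[1], cells[2], cells[3], cells[4], cells[5].upper()))
    return rows

def reported(cell):
    """A cell is a finding unless it is '-' or a 'Component not found' note."""
    return cell not in ("", "-") and not cell.lower().startswith("component not found")

def tally(rows):
    """{tool: {'TRUE': n, 'FALSE': n}}, counting only cells where the tool reported."""
    counts = {t: {"TRUE": 0, "FALSE": 0} for t in TOOLS}
    for _component, *cells, _severity, verdict in rows:
        for tool, cell in zip(TOOLS, cells):
            if reported(cell):
                counts[tool][verdict] += 1
    return counts

def precision(counts, tool):
    """Share of the tool's reported findings judged TRUE; None if it reported nothing."""
    tp, fp = counts[tool]["TRUE"], counts[tool]["FALSE"]
    return tp / (tp + fp) if tp + fp else None
```

Run `tally(parse_rows(SAMPLE_TABLE))` to see the per-tool counts; on the full table the same functions give the tool-level comparison that the verdict column alone does not show.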

source: www.habr.com
