An important part of vulnerability management is a thorough understanding of, and control over, the software supply chain that modern systems are built from. Agile and DevOps teams rely heavily on open-source libraries and frameworks to cut development time and cost. But that popularity has a downside: the chance of inheriting other people's bugs and vulnerabilities.
Clearly, a team must know which open-source components are included in its application, make sure that known-good versions are obtained from trusted sources, and pull in updated components once vulnerabilities are disclosed.
In this post we look at using OWASP Dependency Check to break the build when it finds serious problems in your code.
The book "Development Security in Agile Projects" describes it as follows. OWASP Dependency Check is a free scanner that catalogs all the open-source components used in an application and shows the vulnerabilities associated with them. There are versions for Java, .NET, Ruby (gemspec), PHP (composer), Node.js and Python, as well as for some C/C++ projects. Dependency Check integrates with common build tools, including Ant, Maven and Gradle, and with continuous integration servers such as Jenkins.
Dependency Check reports every component with known vulnerabilities from NIST's National Vulnerability Database (NVD) and is kept up to date with data from the NVD feeds.
Fortunately, all of this can be automated with tools such as the OWASP Dependency Check project or commercial products such as
These tools can be integrated into the build pipeline to automatically inventory open-source dependencies, flag outdated library versions and libraries with known vulnerabilities, and abort the build if serious problems are found.
OWASP Dependency Check
To try out and demonstrate how Dependency Check works, we use this repository.
To view the HTML report you need to set up an nginx web server on your gitlab-runner.
A minimal example nginx config:
    # Serve the runner's build directories so the HTML report can be opened in a browser
    server {
        listen 9999;
        listen [::]:9999;
        server_name _;
        root /home/gitlab-runner/builds;
        location / {
            autoindex on;
        }
        error_page 404 /404.html;
        location = /404.html {
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
At the end of the build you will see this screenshot:
Follow the link and look at the Dependency Check report.
The first screenshot is the top of the report, with the summary.
The second screenshot is the details of CVE-2017-5638. Here we see the CVE's score and links to exploit references.
The third screenshot is the details for log4j-api-2.7.jar. We see that the CVSS scores are 7.5 and 9.8.
The fourth screenshot is the details for commons-fileupload-1.3.2.jar. We see that the CVSS scores are 7.5 and 9.8.
If you want to use GitLab Pages, it will not work: a failed job does not produce artifacts.
An example is here.
Build output: no artifacts, I don't see the HTML report. You should try Artifact: always.
Tuning the CVE vulnerability level
The most important line in the .gitlab-ci.yml file:
    mvn $MAVEN_CLI_OPTS test org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7
The failBuildOnCVSS parameter sets the CVSS score at or above which a finding fails the build, i.e. the vulnerability level you need to react to.
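To see what that threshold does to a scan result, here is an added example (mine, not code from the post or from OWASP Dependency Check) that applies the same rule to the JSON report dependency-check writes next to dependency-check-report.html. The field names (dependencies[].vulnerabilities[].cvssv3.baseScore and .cvssv2.score) follow the Dependency Check JSON report as I know it and are an assumption here; the report content itself is constructed, with the jar names from the screenshots and placeholder CVE ids. Unlike the plugin's bare pass/fail, it also lists the offending dependencies worst-first, which is what you want to see in a CI log:

```python
"""Fail-the-build gate over a Dependency Check JSON report (added example).

Mirrors the rule behind -DfailBuildOnCVSS=N: any finding whose CVSS score is
at or above N fails the build. Field names (dependencies[].vulnerabilities[]
.cvssv3.baseScore / .cvssv2.score) are assumed to match the plugin's JSON
report; the sample report below is constructed, not taken from the post.
"""
import json
import sys

FAIL_BUILD_ON_CVSS = 7.0  # same threshold as -DfailBuildOnCVSS=7 in the pipeline

# Constructed sample report: jar names as in the post, CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "log4j-api-2.7.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0001", "cvssv2": {"score": 7.5}},
             {"name": "CVE-EXAMPLE-0002", "cvssv3": {"baseScore": 9.8}},
         ]},
        {"fileName": "commons-fileupload-1.3.2.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0003", "cvssv2": {"score": 7.5}},
             {"name": "CVE-EXAMPLE-0004", "cvssv3": {"baseScore": 9.8}},
         ]},
        {"fileName": "low-risk-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0005", "cvssv2": {"score": 4.3}},
         ]},
        {"fileName": "clean-2.0.jar"},  # no "vulnerabilities" key at all
    ]
})


def vuln_score(vuln):
    """Highest CVSS score attached to one finding: v3 base score when present,
    otherwise the v2 score; 0.0 when the feed carried neither."""
    scores = []
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    if "baseScore" in v3:
        scores.append(float(v3["baseScore"]))
    if "score" in v2:
        scores.append(float(v2["score"]))
    return max(scores, default=0.0)


def findings_at_or_above(report_json, threshold):
    """Return (fileName, cve, score) for every finding scoring >= threshold,
    worst first, so the CI log shows what actually broke the build."""
    report = json.loads(report_json)
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = vuln_score(vuln)
            if score >= threshold:
                hits.append((dep["fileName"], vuln["name"], score))
    return sorted(hits, key=lambda hit: hit[2], reverse=True)


def build_should_fail(report_json, threshold=FAIL_BUILD_ON_CVSS):
    """The plugin's verdict: fail if anything reaches the threshold."""
    return bool(findings_at_or_above(report_json, threshold))


def main():
    hits = findings_at_or_above(SAMPLE_REPORT, FAIL_BUILD_ON_CVSS)
    for file_name, cve, score in hits:
        print(f"{score:4.1f}  {cve:<18} {file_name}")
    sys.exit(1 if hits else 0)  # a non-zero exit is what breaks the CI job


if __name__ == "__main__":
    main()
```

Run against a real report by reading target/dependency-check-report.json (enable the JSON format in the plugin configuration) and passing its contents to findings_at_or_above; with the sample data, a threshold of 7 lists four findings, while raising it to 10 lets the build pass.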
Downloading the NIST Vulnerability Database (NVD) data from the Internet
Did you notice that the NIST Vulnerability Database (NVD) data is downloaded from the Internet on every run:
To download it locally, you can use the nist-data-mirror utility.
Let's install and start it.
    yum -y install yum-plugin-copr
    yum copr enable antonpatsev/nist_data_mirror_golang
    yum -y install nist-data-mirror
    systemctl start nist-data-mirror
On startup, nist-data-mirror downloads the NIST CVE JSON feeds to /var/www/repos/nist-data-mirror/ and refreshes them every 24 hours.
To serve the NIST CVE JSON to the build, you need to set up an nginx web server (for example, on your gitlab-runner).
A minimal example nginx config:
    # Serve the mirrored NVD feeds so the Maven plugin can fetch them from localhost
    server {
        listen 12345;
        listen [::]:12345;
        server_name _;
        root /var/www/repos/nist-data-mirror/;
        location / {
            autoindex on;
        }
        error_page 404 /404.html;
        location = /404.html {
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
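Before pointing the pipeline at the mirror, it is worth checking that it actually holds every file the Maven plugin will ask for. The following is an added example (mine, not part of the post or of nist-data-mirror): it expands the cveUrlBase pattern nvdcve-1.1-%d.json.gz into one file name per year from 2002 (the oldest NVD yearly feed) plus the cveUrlModified file, then reports which feeds are missing from the mirror directory or older than the 24-hour refresh interval. That the feeds sit as flat files in the mirror root is an assumption; the demo runs against a constructed temporary directory rather than /var/www/repos/nist-data-mirror/:

```python
"""Pre-flight check of a local NVD mirror for Dependency Check (added example).

Expands the -DcveUrlBase pattern into the yearly feed names the plugin will
request (2002 up to the current year) plus the -DcveUrlModified file, then
reports feeds that are missing from the mirror or older than the 24-hour
refresh interval. Flat files in the mirror root are assumed; the demo uses a
constructed temporary directory instead of /var/www/repos/nist-data-mirror/.
"""
import datetime as dt
import os
import tempfile
import time

MIRROR_DIR = "/var/www/repos/nist-data-mirror/"        # nist-data-mirror's download dir
CVE_URL_BASE_FILE = "nvdcve-1.1-%d.json.gz"             # file part of -DcveUrlBase
CVE_URL_MODIFIED_FILE = "nvdcve-1.1-modified.json.gz"   # file part of -DcveUrlModified
FIRST_FEED_YEAR = 2002                                  # oldest NVD yearly feed
MAX_AGE = dt.timedelta(hours=24)                        # mirror refresh interval


def expected_feed_names(first_year=FIRST_FEED_YEAR, last_year=None):
    """File names the plugin fetches: one per year plus the 'modified' feed."""
    if last_year is None:
        last_year = dt.date.today().year
    names = [CVE_URL_BASE_FILE % year for year in range(first_year, last_year + 1)]
    names.append(CVE_URL_MODIFIED_FILE)
    return names


def check_mirror(mirror_dir=MIRROR_DIR, names=None, max_age=MAX_AGE, now=None):
    """Return (missing, stale): feeds absent from mirror_dir, and feeds whose
    mtime is older than max_age, meaning the mirror has stopped refreshing."""
    names = expected_feed_names() if names is None else names
    now = time.time() if now is None else now
    missing, stale = [], []
    for name in names:
        path = os.path.join(mirror_dir, name)
        if not os.path.isfile(path):
            missing.append(name)
        elif now - os.path.getmtime(path) > max_age.total_seconds():
            stale.append(name)
    return missing, stale


def demo():
    """Constructed mirror: 2002 fresh, 2003 thirty hours old, 2004 and
    'modified' never downloaded. Returns check_mirror's verdict."""
    names = expected_feed_names(2002, 2004)
    now = time.time()
    with tempfile.TemporaryDirectory() as mirror:
        for name, age_hours in (("nvdcve-1.1-2002.json.gz", 1),
                                ("nvdcve-1.1-2003.json.gz", 30)):
            path = os.path.join(mirror, name)
            open(path, "wb").close()               # empty stand-in for the feed file
            mtime = now - age_hours * 3600
            os.utime(path, (mtime, mtime))
        return check_mirror(mirror, names, now=now)


if __name__ == "__main__":
    missing, stale = demo()
    print("missing:", missing)
    print("stale:  ", stale)
```

On the runner itself, calling check_mirror() with no arguments inspects the real mirror directory with the full 2002-to-today list; any name in the missing list is a feed the Maven plugin will request from localhost:12345 and get a 404 for, and a stale list is the first sign that the nist-data-mirror service is no longer refreshing.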
To keep the line that launches mvn from getting too long, we move the parameters into a separate DEPENDENCY_OPTS variable.
The final minimal .gitlab-ci.yml looks like this:
    variables:
      MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true"
      MAVEN_CLI_OPTS: "--batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true"
      # Fail at CVSS >= 7 and fetch the NVD feeds from the local nist-data-mirror instead of the Internet
      DEPENDENCY_OPTS: "-DfailBuildOnCVSS=7 -DcveUrlModified=http://localhost:12345/nvdcve-1.1-modified.json.gz -DcveUrlBase=http://localhost:12345/nvdcve-1.1-%d.json.gz"

    cache:
      paths:
        - .m2/repository

    verify:
      stage: test
      script:
        # Let the scan fail without aborting the job, so the report URL is still printed
        - set +e
        - EXIT_CODE=0
        - mvn $MAVEN_CLI_OPTS install org.owasp:dependency-check-maven:check $DEPENDENCY_OPTS || EXIT_CODE=$?
        # Strip the runner's build root so the path maps onto the nginx root on port 9999
        # ('#' is used as the sed delimiter because the pattern itself contains slashes)
        - export PATH_WITHOUT_HOME=$(pwd | sed -e "s#/home/gitlab-runner/builds##g")
        - echo "************************* URL Dependency-check-report.html *************************"
        - echo "http://$HOSTNAME:9999$PATH_WITHOUT_HOME/target/dependency-check-report.html"
        - set -e
        # Make the scan result the job result
        - exit ${EXIT_CODE}
      tags:
        - shell
source: www.habr.com