The importance of Software Composition Analysis (SCA), the analysis of third-party software components, keeps growing with every annual report on open-source library vulnerabilities published by Synopsys, Sonatype, Snyk and WhiteSource. According to the report
One of the most illustrative cases
This article discusses the problem of choosing an SCA tool from the point of view of the quality of the analysis results. A functional comparison of the tools is also given. The CI/CD integration process and the integration options are left for later posts. A wide range of tools is presented by OWASP
How it works
Let's look at the structure of a CPE (Common Platform Enumeration) identifier:
cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
- Part: whether the component is an application (a), an operating system (o) or hardware (h) (required)
- Vendor: name of the product manufacturer (required)
- Product: product name (required)
- Version: component version (deprecated)
- Update: package update
- Edition: legacy edition (deprecated)
- Language: language as defined in RFC 5646
- SW Edition: software edition
- Target SW: the software environment in which the product operates
- Target HW: the hardware environment in which the product operates
- Other: vendor- or product-specific information
An example CPE looks like this:
cpe:2.3:a:pivotal_software:spring_framework:3.0.0:*:*:*:*:*:*:*
This line is a CPE version 2.3 string describing an application from the vendor pivotal_software named spring_framework, version 3.0.0. If we open a vulnerability
SCA tools also use the package URL (purl). The package URL format is as follows:
scheme:type/namespace/name@version?qualifiers#subpath
- scheme: always 'pkg', indicating that this is a package URL (required)
- type: the package "type" or "protocol", such as maven, npm, nuget, gem, pypi, etc. (required)
- namespace: a name prefix, such as a Maven group ID, a Docker image owner, a GitHub user or organization. Optional and type-specific.
- name: the package name (required)
- version: the package version (optional)
- qualifiers: extra qualifying data for the package, such as OS, architecture, distribution, etc. (optional)
- subpath: an extra subpath within the package, relative to the package root (optional)
Here are some examples:
pkg:golang/google.golang.org/genproto#googleapis/api/annotations
pkg:maven/org.apache.commons/io@1.3.4
pkg:pypi/django@1.11.1
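Since every match an SCA tool makes starts from one of these two identifiers, it helps to see them split into their named fields. The parser below is an added example for this article, not code from Dependency Check, Dependency Track or Nexus IQ; the Maven purl in the test is constructed.

```python
"""Split the two identifiers SCA tools match on, CPE 2.3 formatted strings and
package URLs, into their named fields. Added example for this article, not code
from Dependency Check, Dependency Track or Nexus IQ."""
from urllib.parse import parse_qsl, unquote

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe):
    """Return the 11 CPE 2.3 fields as a dict.

    A backslash escapes the next character, so an escaped ':' inside a field
    does not split it. '*' (ANY) and '-' (NA) are returned unchanged."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string")
    fields, cur, i = [], "", len(prefix)
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):   # keep escape and escaped char together
            cur += cpe[i:i + 2]
            i += 2
            continue
        if ch == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    fields.append(cur)
    if len(fields) != len(CPE_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(CPE_FIELDS), len(fields)))
    return dict(zip(CPE_FIELDS, fields))


def parse_purl(purl):
    """Return scheme/type/namespace/name/version/qualifiers/subpath of a purl.

    Order of cuts matters: '#subpath' first, then '?qualifiers', then the
    version after the last '@' (the spec percent-encodes any '@' inside a
    name or namespace), then the type and the '/'-separated namespace and name."""
    if not purl.startswith("pkg:"):
        raise ValueError("purl must start with 'pkg:'")
    rest = purl[len("pkg:"):]
    rest, _, subpath = rest.partition("#")
    rest, _, qualifiers = rest.partition("?")
    rest, version = (rest.rsplit("@", 1) if "@" in rest else (rest, ""))
    ptype, _, path = rest.strip("/").partition("/")
    parts = [unquote(p) for p in path.split("/") if p]
    return {
        "scheme": "pkg",
        "type": ptype.lower(),
        "namespace": "/".join(parts[:-1]),
        "name": parts[-1] if parts else "",
        "version": unquote(version),
        "qualifiers": dict(parse_qsl(qualifiers)),
        "subpath": subpath.strip("/"),
    }
```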
An example of a BOM (bill of materials) in XML format:
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
<components>
<component type="library">
<publisher>Apache</publisher>
<group>org.apache.tomcat</group>
<name>tomcat-catalina</name>
<version>9.0.14</version>
<hashes>
<hash alg="MD5">3942447fac867ae5cdb3229b658f4d48</hash>
<hash alg="SHA-1">e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a</hash>
<hash alg="SHA-256">f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b</hash>
<hash alg="SHA-512">e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282</hash>
</hashes>
<licenses>
<license>
<id>Apache-2.0</id>
</license>
</licenses>
<purl>pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14</purl>
</component>
<!-- More components here -->
</components>
</bom>
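A BOM like the one above is only useful for supply-chain verification if someone actually reads the hashes back and compares them with the artifacts that ship. The reader below is an added example for this article (not CycloneDX or Dependency Track code); the embedded BOM mirrors the tomcat-catalina entry, with a constructed byte string standing in for the jar and a second constructed component that records only an MD5.

```python
"""Read a CycloneDX 1.2 XML BOM, list each component's purl, licences and
hashes, and verify an artifact against the SHA-256 the BOM records.
Added example for this article, not code from CycloneDX or Dependency Track.
The BOM and the 'jar' bytes below are constructed."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"b": "http://cyclonedx.org/schema/bom/1.2"}

# Constructed stand-in for a downloaded artifact; its digest is embedded in the BOM.
FAKE_JAR = b"constructed bytes standing in for tomcat-catalina-9.0.14.jar"

SAMPLE_BOM = ("""<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1">
  <components>
    <component type="library">
      <publisher>Apache</publisher>
      <group>org.apache.tomcat</group>
      <name>tomcat-catalina</name>
      <version>9.0.14</version>
      <hashes>
        <hash alg="MD5">00000000000000000000000000000000</hash>
        <hash alg="SHA-256">%s</hash>
      </hashes>
      <licenses><license><id>Apache-2.0</id></license></licenses>
      <purl>pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14</purl>
    </component>
    <component type="library">
      <name>weak-only-lib</name>
      <version>1.0</version>
      <hashes><hash alg="MD5">00000000000000000000000000000000</hash></hashes>
      <purl>pkg:maven/example/weak-only-lib@1.0</purl>
    </component>
  </components>
</bom>""" % hashlib.sha256(FAKE_JAR).hexdigest()).encode()


def _text(elem, tag):
    child = elem.find("b:%s" % tag, NS)
    return child.text.strip() if child is not None and child.text else ""


def load_components(bom_xml):
    """Return one dict per <component>: purl, coordinates, licence ids, hashes."""
    root = ET.fromstring(bom_xml)
    comps = []
    for c in root.findall("b:components/b:component", NS):
        comps.append({
            "type": c.get("type"),
            "group": _text(c, "group"),
            "name": _text(c, "name"),
            "version": _text(c, "version"),
            "purl": _text(c, "purl"),
            "licenses": [i.text.strip() for i in c.findall("b:licenses/b:license/b:id", NS) if i.text],
            "hashes": {h.get("alg"): h.text.strip() for h in c.findall("b:hashes/b:hash", NS) if h.text},
        })
    return comps


def verify_artifact(component, data):
    """True if data hashes to the SHA-256 in the BOM. MD5/SHA-1 entries are
    ignored: both are collision-prone and cannot anchor a supply-chain check."""
    expected = component["hashes"].get("SHA-256")
    if expected is None:
        raise ValueError("no SHA-256 recorded for %s" % component["purl"])
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected.lower())


def weak_hash_only(components):
    """purls of components whose BOM entry carries no SHA-256 or SHA-512."""
    strong = {"SHA-256", "SHA-512"}
    return [c["purl"] for c in components if not strong & set(c["hashes"])]
```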
A BOM can be used not only as input for Dependency Track, but also to inventory software components across the supply chain, for example when delivering software to a customer. In 2014, a bill was proposed in the United States
Returning to SCA, Dependency Track has ready-made integrations with notification platforms such as Slack and with vulnerability management systems such as Kenna Security. It is also worth mentioning that Dependency Track, among other things, detects outdated package versions and provides license information (thanks to SPDX support).
If we talk specifically about SCA quality, there is one difference.
Dependency Track does not accept a project as input, but a BOM. That is, if we want to test a project, we first have to generate bom.xml, for example with CycloneDX. Dependency Track therefore depends directly on CycloneDX. At the same time, this lends itself to automation. Here is what the OZON team wrote
Let's summarize some of the functional features, and also look at the languages supported for analysis:
| Language | Nexus IQ | Dependency Check | Dependency Track |
|---|---|---|---|
| Java | + | + | + |
| C/C++ | + | + | - |
| C# | + | + | - |
| .Net | + | + | + |
| Erlang | - | - | + |
| JavaScript (NodeJS) | + | + | + |
| PHP | + | + | + |
| Python | + | + | + |
| Ruby | + | + | + |
| Perl | - | - | - |
| Scala | + | + | + |
| Objective-C | + | + | - |
| Swift | + | + | - |
| R | + | - | - |
| Go | + | + | + |
Functionality
| Functionality | Nexus IQ | Dependency Check | Dependency Track |
|---|---|---|---|
| Checking the components used in the source code for license cleanliness | + | - | + |
| Scanning Docker images for vulnerabilities and license cleanliness | + (integration with Clair) | - | - |
| Configuring a security policy for the use of open-source libraries | + | - | - |
| Scanning open-source repositories for vulnerable components | + (RubyGems, Maven, NPM, Nuget, Pypi, Conan, Bower, Conda, Go, p2, R, Yum, Helm, Docker, CocoaPods, Git LFS) | - | + (Hex, RubyGems, Maven, NPM, Nuget, Pypi) |
| Dedicated research team | + | - | - |
| Operation in an isolated (closed-loop) environment | + | + | + |
| Third-party vulnerability databases used | + (Sonatype's proprietary database) | + (Sonatype OSS, NPM Public Advisories) | + (Sonatype OSS, NPM Public Advisories, RetireJS, VulnDB, support for its own private database) |
| Filtering open-source components against configured policies when they are pulled into the development loop | + | - | - |
| Remediation recommendations and links to fixes | + | +- (depends on the description in public databases) | +- (depends on the description in public databases) |
| Ranking of detected vulnerabilities by severity | + | + | + |
| Role-based access model | + | - | + |
| CLI support | + | + | +- (for CycloneDX only) |
| Filtering/sorting of vulnerabilities by defined criteria | + | - | + |
| Dashboard of application status | + | - | + |
| PDF report generation | + | - | - |
| JSON/CSV report generation | + | + | - |
| Russian language support | - | - | - |
Integration options
| Integrations | Nexus IQ | Dependency Check | Dependency Track |
|---|---|---|---|
| LDAP/Active Directory integration | + | - | + |
| Integration with the Bamboo CI system | + | - | - |
| Integration with the TeamCity CI system | + | - | - |
| Integration with the GitLab CI system | + | +- (as a GitLab plugin) | + |
| Integration with the Jenkins CI system | + | + | + |
| IDE plugins | + (IntelliJ, Eclipse, Visual Studio) | - | - |
| Support for custom integration through the tool's web services (API) | + | - | + |
Dependency Check
Getting started
Let's run Dependency Check on a test application.
For this we use
mvn org.owasp:dependency-check-maven:check
As a result, dependency-check-report.html appears in the project directory.
Let's open the file. After the summary information about the number of vulnerabilities, we can see the vulnerabilities with a high Severity and Confidence level, indicating the package, the CPE and the number of CVEs.
Next comes more detailed information, in particular the evidence on which the decision was based, that is, a kind of BOM.
Then come the CPE, PURL and CVE descriptions. By the way, remediation recommendations are not included, because they are absent from the NVD database.
For convenient viewing of scan results, you can set up Nginx with minimal settings, or send the findings to a defect management system that supports Dependency Check connectors, for example DefectDojo.
Dependency Track
Installation options
Dependency Track is essentially a web platform with dashboards, so the acute problem of storing findings in a third-party solution does not arise here.
Supported installation formats: Docker, WAR, Executable WAR.
Getting started
Go to the URL of the running service. Log in with admin/admin, change the username and password, then go to the Dashboard. The next thing to do is create a project for a Java test application under Home/Projects → Create Project. Let's take DVJA as the example.
Since Dependency Track accepts a BOM as input, this BOM has to be produced first. Let's use
mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
We get bom.xml and upload the file to the created project: DVJA → Dependencies → Upload BOM.
Go to Administration → Analyzers. Note that only the Internal Analyzer, which includes NVD, is enabled. Let's also enable the Sonatype OSS Index.
As a result, we get the following picture for our project:
In the list you can also find a vulnerability that came from Sonatype OSS:
The main disappointment is that Dependency Track does not accept Dependency Check XML reports. The latest supported versions of the Dependency Check integration are 1.0.0 - 4.0.2, while I tested 5.3.2.
Nexus IQ
Getting started
Nexus IQ is installed from the repository at
After logging into the console, you need to create an Organization and an Application.
As you can see, setup is more involved in the case of IQ, because we also have to create policies for the various "stages" (dev, build, stage, release). This is needed to block vulnerable components as they move along the pipeline towards production, or to block them as they enter Nexus Repo when developers download them.
To see the difference between open source and enterprise, let's do the same via Nexus IQ on the same path dvja-test-and-compare:
mvn com.sonatype.clm:clm-maven-plugin:evaluate -Dclm.applicationId=dvja-test-and-compare -Dclm.serverUrl=<NEXUSIQIP> -Dclm.username=<USERNAME> -Dclm.password=<PASSWORD>
Follow the URL to the generated report in the IQ web interface:
Here you can see all policy violations with their levels of significance (from Info to Security Critical). The letter D next to a component means Direct Dependency, and the letter T means Transitive Dependency.
By the way, the report
If we open one of the Nexus IQ findings, we see a description of the component as well as a Version Graph, which shows where the current version sits on the timeline and at which version the vulnerability ceases to apply. The height of the candles on the graph reflects how widely this component is used.
If you go to the vulnerabilities section and expand the CVE, you can read the description of the vulnerability, the remediation recommendations, and the reason this component was flagged, namely the presence of the class DiskFileitem.class.
Let's collect only what relates to third-party Java components, leaving out the js components. In brackets we show the number of vulnerabilities found outside NVD.
Nexus IQ totals:
- Dependencies scanned: 62
- Vulnerable dependencies: 16
- Vulnerabilities found: 42 (8 from the Sonatype DB)
Dependency Check totals:
- Dependencies scanned: 47
- Vulnerable dependencies: 13
- Vulnerabilities found: 91 (14 from Sonatype OSS)
Dependency Track totals:
- Dependencies scanned: 59
- Vulnerable dependencies: 10
- Vulnerabilities found: 51 (1 from Sonatype OSS)
In the next steps we will analyze the results obtained and determine which of these vulnerabilities are real defects and which are false positives.
Disclaimer
This analysis is not an indisputable truth. The author has no intention of singling out one solution at the expense of the others. The purpose of the analysis is to show how SCA tools work and how their results can be verified.
Comparison of results
Criteria:
False positives for third-party component vulnerabilities:
- The CVE does not match the identified component
- For example, if a vulnerability is found in the struts2 framework and the tool points at a component of the struts-tiles framework, to which this vulnerability does not apply, then this is a false positive.
- The CVE does not match the identified version of the component
- For example, the vulnerability applies to python version > 3.5 and the tool flags version 2.7 as vulnerable; this is a false positive, because the vulnerability applies only to the 3.x branch of the product.
- Duplicate CVEs
- For example, if the SCA reports a CVE that allows RCE, and then the SCA reports another CVE for the same component that concerns Cisco products affected by that RCE. In this case it is a false positive.
- For example, a CVE was found in the spring-web component, and then the SCA reports the same CVE on other Spring Framework components, although the CVE has nothing to do with the other components. In this case it is a false positive.
The subject of the study is the open source project DVJA. Only Java components were studied (without js).
Summary results
Let's go straight to the results of the manual analysis of the detected vulnerabilities. The full breakdown for each CVE can be found in the Appendix.
Summary results for all issues:
| Metric | Nexus IQ | Dependency Check | Dependency Track |
|---|---|---|---|
| Vulnerabilities found | 42 | 91 | 51 |
| Incorrectly identified vulnerabilities (false positives) | 2 (4.76%) | 62 (68.13%) | 29 (56.86%) |
| Relevant vulnerabilities not found (false negatives) | 10 | 20 | 27 |
Summary results by component:
| Metric | Nexus IQ | Dependency Check | Dependency Track |
|---|---|---|---|
| Components identified | 62 | 47 | 59 |
| Vulnerable components | 16 | 13 | 10 |
| Components incorrectly identified as vulnerable (false positives) | 1 | 5 | 0 |
| Vulnerable components not identified (false negatives) | 0 | 6 | 6 |
Let's build graphs to assess the share of false positives and false negatives in the number of detected vulnerabilities. Components are laid out horizontally, and the vulnerabilities found in them vertically.
For comparison, the Sonatype team conducted a similar study, testing a project of 1531 components with OWASP Dependency Check. As we can see, the ratio of noise to correct answers is comparable to our results.
Source:
Let's look at some CVEs from our scan results to understand the reasons behind these results.
Details
Case 1
First, let's look at some interesting points concerning Sonatype Nexus IQ.
Nexus IQ reported a deserialization problem with the possibility of RCE in the Spring Framework several times: CVE-2016-1000027 in spring-web:3.0.5 first, and CVE-2011-2894 in spring-context:3.0.5 and spring-core:3.0.5. At first glance it looks as if one vulnerability is duplicated across several CVEs, because if you look up CVE-2016-1000027 and CVE-2011-2894 in the NVD database, everything seems obvious.
| Component | Vulnerability |
|---|---|
| spring-web:3.0.5 | CVE-2016-1000027 |
| spring-context:3.0.5 | CVE-2011-2894 |
| spring-core:3.0.5 | CVE-2011-2894 |
CVE-2011-2894 itself is quite well known. The report points to RemoteInvocationSerializingExporter, whereas in CVE-2011-2894 the vulnerability is noted in HttpInvokerServiceExporter. This is what Nexus IQ tells us:
However, there is nothing of the kind in NVD, which is why Dependency Check and Dependency Track each get a false negative here.
From the description of CVE-2011-2894 it can be understood that the vulnerability is indeed present in spring-context:3.0.5 and spring-core:3.0.5. Confirmation of this can be found in an article by the person who discovered this vulnerability.
Case 2
| Component | Vulnerability | Result |
|---|---|---|
| struts2-core:2.3.30 | CVE-2016-4003 | FALSE |
If we study CVE-2016-4003, we find that it was fixed in version 2.3.28, yet Nexus IQ still reports it to us. There is a note in the vulnerability description:
That is, the vulnerability exists only in combination with an old version of the JRE, which they decided to warn us about. Nevertheless, we count this as a False Positive, although not the worst one.
Case 3
| Component | Vulnerability | Result |
|---|---|---|
| xwork-core:2.3.30 | CVE-2017-9804 | TRUE |
| xwork-core:2.3.30 | CVE-2017-7672 | FALSE |
If we look at the descriptions of CVE-2017-9804 and CVE-2017-7672, we see that the problem is in the URLValidator class, with CVE-2017-9804 stemming from CVE-2017-7672. The presence of the second vulnerability carries no useful payload other than the fact that its severity was raised to High, so we can consider it unnecessary noise.
Overall, no other false positives were found for Nexus IQ.
Case 4
There are several things that set IQ apart from the other solutions.
| Component | Vulnerability | Result |
|---|---|---|
| spring-web:3.0.5 | CVE-2020-5398 | TRUE |
The CVE in NVD states that it applies only to versions 5.2.x before 5.2.3, 5.1.x before 5.1.13 and 5.0.x before 5.0.16; however, if we look at the CVE description in Nexus IQ, we see this:
Advisory Deviation Notice: The Sonatype security research team discovered that this vulnerability was introduced in version 3.0.2.RELEASE and not 5.0.x as stated in the advisory.
This is followed by a PoC for the vulnerability, stating that it is present in version 3.0.5.
Dependency Check and Dependency Track get a false negative.
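The three false-positive criteria from the comparison section, and the version-range deviation in this case, can be applied mechanically once findings and advisories are in a structured form. The triage below is an added example for this article, not code from any of the tools discussed; its advisories and findings are constructed to mirror the cases above (a Struts 2 CVE on struts-tiles, CVE-2016-4003 on struts2-core 2.3.30, the CVE-2017-9804 / CVE-2017-7672 pair on xwork-core, and CVE-2020-5398 on spring-web 3.0.5 under the NVD ranges versus the "introduced in 3.0.2.RELEASE" deviation), and the affected ranges beyond the versions the article quotes are placeholders.

```python
"""Classify SCA findings with the three false-positive criteria used in this
article (CVE does not match the component, CVE does not match the version,
CVE duplicates one already reported) and compute the false-positive share.
Added example, not code from any tool discussed. Advisories, ranges and
findings below are constructed; only the fix/affected versions the article
itself quotes (2.3.28, the NVD 5.x bounds, 3.0.2.RELEASE) are taken from it."""


def vtuple(version):
    """'3.0.5' -> (3, 0, 5); a non-numeric tail such as '.RELEASE' is dropped."""
    out = []
    for part in version.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        if not digits:
            break
        out.append(int(digits))
    return tuple(out)


def in_ranges(version, ranges):
    """ranges: list of (low_inclusive, high_exclusive); None means unbounded."""
    v = vtuple(version)
    return any((lo is None or vtuple(lo) <= v) and (hi is None or v < vtuple(hi))
               for lo, hi in ranges)


# Advisory view: CVE -> affected component -> affected version ranges.
NVD_VIEW = {
    "CVE-2016-4003": {"components": {"struts2-core": [(None, "2.3.28")]}},
    "CVE-2017-9804": {"components": {"xwork-core": [(None, None)]}},   # placeholder range
    "CVE-2017-7672": {"components": {"xwork-core": [(None, None)]},    # placeholder range
                      "duplicate_of": "CVE-2017-9804"},
    "CVE-2020-5398": {"components": {"spring-web": [("5.0.0", "5.0.16"),
                                                    ("5.1.0", "5.1.13"),
                                                    ("5.2.0", "5.2.3")]}},
}
# Same feed with the Sonatype deviation applied: introduced in 3.0.2.RELEASE.
SONATYPE_VIEW = dict(NVD_VIEW)
SONATYPE_VIEW["CVE-2020-5398"] = {"components": {"spring-web": [
    ("3.0.2.RELEASE", "5.0.16"), ("5.1.0", "5.1.13"), ("5.2.0", "5.2.3")]}}

FINDINGS = [  # constructed tool output: (component, version, CVE)
    ("struts-tiles", "1.3.8", "CVE-2016-4003"),
    ("struts2-core", "2.3.30", "CVE-2016-4003"),
    ("xwork-core", "2.3.30", "CVE-2017-9804"),
    ("xwork-core", "2.3.30", "CVE-2017-7672"),
    ("spring-web", "3.0.5", "CVE-2020-5398"),
]


def triage(findings, advisories):
    """Return [(component, cve, verdict)] with verdict 'TP' or 'FP:<criterion>'."""
    reported = {(comp, cve) for comp, _, cve in findings}
    verdicts = []
    for comp, version, cve in findings:
        adv = advisories[cve]
        ranges = adv["components"].get(comp)
        if ranges is None:
            verdict = "FP:component"       # CVE belongs to a different artifact
        elif not in_ranges(version, ranges):
            verdict = "FP:version"         # our version is outside the affected range
        elif (comp, adv.get("duplicate_of")) in reported:
            verdict = "FP:duplicate"       # the primary CVE is already reported
        else:
            verdict = "TP"
        verdicts.append((comp, cve, verdict))
    return verdicts


def fp_share(verdicts):
    """(false positives, percent of all findings), as in the summary table."""
    fps = sum(1 for _, _, v in verdicts if v.startswith("FP"))
    return fps, round(100.0 * fps / len(verdicts), 2)
```

Swapping the advisory view changes the verdict for spring-web 3.0.5 from a version mismatch to a true positive, which is exactly where the open-source tools pick up their false negative.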
Case 5
Let's look at the false positives of Dependency Check and Dependency Track.
Dependency Check manages to attach CVEs that NVD records for the framework as a whole to components these CVEs do not apply to. This concerns CVE-2012-0394, CVE-2013-2115, CVE-2014-0114, CVE-2015-0899, CVE-2015-2992, CVE-2016-1181 and CVE-2016-1182, which Dependency Check "hung" on struts-taglib:1.3.8 and struts-tiles-1.3.8. These components have nothing to do with what the CVEs describe: request handling, page validation and so on. This happens because the only thing these CVEs and these components have in common is the framework, which is why Dependency Check considered them vulnerable.
The situation is the same with spring-tx:3.0.5, and similar with struts-core:1.3.8. For struts-core, Dependency Check and Dependency Track found many vulnerabilities that actually apply to struts2-core, which is essentially a separate framework. In this case Nexus IQ understood the picture correctly, and in the CVEs it issued it indicated that struts-core has reached end of life and a migration to struts2-core is needed.
Case 6
In some cases, counting an error against Dependency Check and Dependency Track is unfair. In particular, CVE-2013-4152, CVE-2013-6429, CVE-2013-6430, CVE-2013-7315, CVE-2014-0054 and CVE-2014-0225, which Dependency Check and Dependency Track attributed to spring-core:3.0.5, actually belong to spring-web:3.0.5. Some of these CVEs were also found by Nexus IQ, but IQ correctly attributed them to the other component. Since these vulnerabilities were not found in spring-core, one cannot argue that they are absent from the framework altogether, and the open source tools did point to real vulnerabilities (they just missed the component).
Conclusions
As we can see, judging the reliability of detected vulnerabilities by manual analysis does not give unambiguous results, which is why contentious cases arise. Based on the results, the Nexus IQ solution has the lowest false-positive rate and the highest accuracy.
First of all, this is because the Sonatype team has extended the NVD description of each CVE in its own databases, detailing the vulnerability down to the class or function for a particular component version and conducting additional research (for example, checking whether vulnerabilities also affect older software versions).
A significant influence on the results also comes from vulnerabilities that are not in NVD but are nevertheless present in the Sonatype database with the SONATYPE mark. According to the report
As a result, Dependency Check produces a lot of noise while missing some vulnerable components. Dependency Track produces somewhat less noise and detects a large number of components, which does not hurt the eyes in the web interface.
However, practice shows that open source should be the first step towards DevSecOps maturity. The first thing to think about when integrating SCA into development is process: working out together with management and the relevant departments what the ideal processes should look like in your organization. It may turn out that, at first, Dependency Check or Dependency Track covers all your business needs, and enterprise solutions become the logical continuation as the complexity of the applications being developed grows.
Appendix A: Results by component
Legend:
- High: high- and critical-severity vulnerabilities in the component
- Medium: medium-severity vulnerabilities in the component
- TRUE: real vulnerability
- FALSE: false positive
| Component | Nexus IQ | Dependency Check | Dependency Track | Result |
|---|---|---|---|---|
| dom4j:1.6.1 | High | High | High | TRUE |
| log4j-core:2.3 | High | High | High | TRUE |
| log4j:1.2.14 | High | High | - | TRUE |
| commons-collections:3.1 | High | High | High | TRUE |
| commons-fileupload:1.3.2 | High | High | High | TRUE |
| commons-beanutils:1.7.0 | High | High | High | TRUE |
| commons-codec:1.10 | Medium | - | - | TRUE |
| mysql-connector-java:5.1.42 | High | High | High | TRUE |
| spring-expression:3.0.5 | High | component not found | | TRUE |
| spring-web:3.0.5 | High | component not found | High | TRUE |
| spring-context:3.0.5 | Medium | component not found | - | TRUE |
| spring-core:3.0.5 | Medium | High | High | TRUE |
| struts2-config-browser-plugin:2.3.30 | Medium | - | - | TRUE |
| spring-tx:3.0.5 | - | High | - | FALSE |
| struts-core:1.3.8 | High | High | High | TRUE |
| xwork-core:2.3.30 | High | - | - | TRUE |
| struts2-core:2.3.30 | High | High | High | TRUE |
| struts-taglib:1.3.8 | - | High | - | FALSE |
| struts-tiles-1.3.8 | - | High | - | FALSE |
Appendix B: Results by vulnerability
Legend:
- High: high- and critical-severity vulnerabilities in the component
- Medium: medium-severity vulnerabilities in the component
- TRUE: real vulnerability
- FALSE: false positive
| Component | Nexus IQ | Dependency Check | Dependency Track | Severity | Result | Comment |
|---|---|---|---|---|---|---|
| dom4j:1.6.1 | CVE-2018-1000632 | CVE-2018-1000632 | CVE-2018-1000632 | High | TRUE | |
| dom4j:1.6.1 | CVE-2020-10683 | CVE-2020-10683 | CVE-2020-10683 | High | TRUE | |
| log4j-core:2.3 | CVE-2017-5645 | CVE-2017-5645 | CVE-2017-5645 | High | TRUE | |
| log4j-core:2.3 | CVE-2020-9488 | CVE-2020-9488 | CVE-2020-9488 | Low | TRUE | |
| log4j:1.2.14 | CVE-2019-17571 | CVE-2019-17571 | - | High | TRUE | |
| log4j:1.2.14 | - | CVE-2020-9488 | - | Low | TRUE | |
| log4j:1.2.14 | SONATYPE-2010-0053 | - | - | High | TRUE | |
| commons-collections:3.1 | - | CVE-2015-6420 | CVE-2015-6420 | High | FALSE | Duplicate of RCE (OSSINDEX) |
| commons-collections:3.1 | - | CVE-2017-15708 | CVE-2017-15708 | High | FALSE | Duplicate of RCE (OSSINDEX) |
| commons-collections:3.1 | SONATYPE-2015-0002 | RCE (OSSINDEX) | RCE (OSSINDEX) | High | TRUE | |
| commons-fileupload:1.3.2 | CVE-2016-1000031 | CVE-2016-1000031 | CVE-2016-1000031 | High | TRUE | |
| commons-fileupload:1.3.2 | SONATYPE-2014-0173 | - | - | Medium | TRUE | |
| commons-beanutils:1.7.0 | CVE-2014-0114 | CVE-2014-0114 | CVE-2014-0114 | High | TRUE | |
| commons-beanutils:1.7.0 | - | CVE-2019-10086 | CVE-2019-10086 | High | FALSE | The vulnerability only affects versions 1.9.2+ |
| commons-codec:1.10 | SONATYPE-2012-0050 | - | - | Medium | TRUE | |
| mysql-connector-java:5.1.42 | CVE-2018-3258 | CVE-2018-3258 | CVE-2018-3258 | High | TRUE | |
| mysql-connector-java:5.1.42 | CVE-2019-2692 | CVE-2019-2692 | - | Medium | TRUE | |
| mysql-connector-java:5.1.42 | - | CVE-2020-2875 | - | Medium | FALSE | The same vulnerability as CVE-2019-2692, but with the note "attacks can affect additional products" |
| mysql-connector-java:5.1.42 | - | CVE-2017-15945 | - | High | FALSE | Not related to mysql-connector-java |
| mysql-connector-java:5.1.42 | - | CVE-2020-2933 | - | Low | FALSE | Duplicate of CVE-2020-2934 |
| mysql-connector-java:5.1.42 | CVE-2020-2934 | CVE-2020-2934 | - | Medium | TRUE | |
| spring-expression:3.0.5 | CVE-2018-1270 | component not found | - | High | TRUE | |
| spring-expression:3.0.5 | CVE-2018-1257 | - | - | Medium | TRUE | |
| spring-web:3.0.5 | CVE-2016-1000027 | component not found | - | High | TRUE | |
| spring-web:3.0.5 | CVE-2014-0225 | - | CVE-2014-0225 | High | TRUE | |
| spring-web:3.0.5 | CVE-2011-2730 | - | - | High | TRUE | |
| spring-web:3.0.5 | - | - | CVE-2013-4152 | Medium | TRUE | |
| spring-web:3.0.5 | CVE-2018-1272 | - | - | High | TRUE | |
| spring-web:3.0.5 | CVE-2020-5398 | - | - | High | TRUE | An illustrative example in favour of IQ: "The Sonatype security research team discovered that this vulnerability was introduced in version 3.0.2.RELEASE and not 5.0.x as stated in the advisory." |
| spring-web:3.0.5 | CVE-2013-6429 | - | - | Medium | TRUE | |
| spring-web:3.0.5 | CVE-2014-0054 | - | CVE-2014-0054 | Medium | TRUE | |
| spring-web:3.0.5 | CVE-2013-6430 | - | - | Medium | TRUE | |
| spring-context:3.0.5 | CVE-2011-2894 | component not found | - | Medium | TRUE | |
| spring-core:3.0.5 | - | CVE-2011-2730 | CVE-2011-2730 | High | TRUE | |
| spring-core:3.0.5 | CVE-2011-2894 | CVE-2011-2894 | CVE-2011-2894 | Medium | TRUE | |
| spring-core:3.0.5 | - | - | CVE-2013-4152 | Medium | FALSE | Duplicate of the same vulnerability in spring-web |
| spring-core:3.0.5 | - | CVE-2013-4152 | - | Medium | FALSE | The vulnerability relates to the spring-web component |
| spring-core:3.0.5 | - | CVE-2013-6429 | CVE-2013-6429 | Medium | FALSE | The vulnerability relates to the spring-web component |
| spring-core:3.0.5 | - | CVE-2013-6430 | - | Medium | FALSE | The vulnerability relates to the spring-web component |
| spring-core:3.0.5 | - | CVE-2013-7315 | CVE-2013-7315 | Medium | FALSE | SPLIT from CVE-2013-4152; in addition, the vulnerability relates to the spring-web component |
| spring-core:3.0.5 | - | CVE-2014-0054 | CVE-2014-0054 | Medium | FALSE | The vulnerability relates to the spring-web component |
| spring-core:3.0.5 | - | CVE-2014-0225 | - | High | FALSE | The vulnerability relates to the spring-web component |
| spring-core:3.0.5 | - | - | CVE-2014-0225 | High | FALSE | Duplicate of the same vulnerability in spring-web |
| spring-core:3.0.5 | - | CVE-2014-1904 | CVE-2014-1904 | Medium | FALSE | The vulnerability relates to the spring-web-mvc component |
| spring-core:3.0.5 | - | CVE-2014-3625 | CVE-2014-3625 | Medium | FALSE | The vulnerability relates to the spring-web-mvc component |
| spring-core:3.0.5 | - | CVE-2016-9878 | CVE-2016-9878 | High | FALSE | The vulnerability relates to the spring-web-mvc component |
| spring-core:3.0.5 | - | CVE-2018-1270 | CVE-2018-1270 | High | FALSE | Belongs to spring-expression / spring-messaging |
| spring-core:3.0.5 | - | CVE-2018-1271 | CVE-2018-1271 | Medium | FALSE | The vulnerability relates to the spring-web-mvc component |
| spring-core:3.0.5 | - | CVE-2018-1272 | CVE-2018-1272 | High | TRUE | |
| spring-core:3.0.5 | CVE-2014-3578 | CVE-2014-3578 (OSSINDEX) | CVE-2014-3578 | Medium | TRUE | |
| spring-core:3.0.5 | SONATYPE-2015-0327 | - | - | Low | TRUE | |
| struts2-config-browser-plugin:2.3.30 | SONATYPE-2016-0104 | - | - | Medium | TRUE | |
| spring-tx:3.0.5 | - | CVE-2011-2730 | - | High | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2011-2894 | - | High | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2013-4152 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2013-6429 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2013-6430 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2013-7315 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2014-0054 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2014-0225 | - | High | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2014-1904 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2014-3625 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2016-9878 | - | High | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2018-1270 | - | High | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2018-1271 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| spring-tx:3.0.5 | - | CVE-2018-1272 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| struts-core:1.3.8 | - | CVE-2011-5057 (OSSINDEX) | | Medium | FALSE | Relates to Struts 2 |
| struts-core:1.3.8 | - | CVE-2012-0391 (OSSINDEX) | CVE-2012-0391 | High | FALSE | Relates to Struts 2 |
| struts-core:1.3.8 | - | CVE-2014-0094 (OSSINDEX) | CVE-2014-0094 | Medium | FALSE | Relates to Struts 2 |
| struts-core:1.3.8 | - | CVE-2014-0113 (OSSINDEX) | CVE-2014-0113 | High | FALSE | Relates to Struts 2 |
| struts-core:1.3.8 | CVE-2016-1182 | CVE-2016-1182 | - | High | TRUE | |
| struts-core:1.3.8 | - | - | CVE-2011-5057 | Medium | FALSE | Relates to Struts 2 |
| struts-core:1.3.8 | - | CVE-2012-0392 (OSSINDEX) | CVE-2012-0392 | High | FALSE | Relates to Struts 2 |
| struts-core:1.3.8 | - | CVE-2012-0393 (OSSINDEX) | CVE-2012-0393 | Medium | FALSE | Relates to Struts 2 |
| struts-core:1.3.8 | CVE-2015-0899 | CVE-2015-0899 | - | High | TRUE | |
| struts-core:1.3.8 | - | CVE-2012-0394 | CVE-2012-0394 | Medium | FALSE | Relates to Struts 2 |
| struts-core:1.3.8 | - | CVE-2012-0838 (OSSINDEX) | CVE-2012-0838 | High | FALSE | Relates to Struts 2 |
| struts-core:1.3.8 | - | CVE-2013-1965 (OSSINDEX) | CVE-2013-1965 | High | FALSE | Relates to Struts 2 |
| struts-core:1.3.8 | - | CVE-2013-1966 (OSSINDEX) | CVE-2013-1966 | High | FALSE | Relates to Struts 2 |
| struts-core:1.3.8 | - | CVE-2013-2115 | CVE-2013-2115 | High | FALSE | Relates to Struts 2 |
| struts-core:1.3.8 | - | CVE-2013-2134 (OSSINDEX) | CVE-2013-2134 | High | FALSE | Relates to Struts 2 |
| struts-core:1.3.8 | - | CVE-2013-2135 (OSSINDEX) | CVE-2013-2135 | High | FALSE | Relates to Struts 2 |
| struts-core:1.3.8 | CVE-2014-0114 | CVE-2014-0114 | - | High | TRUE | |
| struts-core:1.3.8 | - | CVE-2015-2992 | CVE-2015-2992 | Medium | FALSE | Relates to Struts 2 |
| struts-core:1.3.8 | - | CVE-2016-0785 (OSSINDEX) | CVE-2016-0785 | High | FALSE | Relates to Struts 2 |
| struts-core:1.3.8 | CVE-2016-1181 | CVE-2016-1181 | - | High | TRUE | |
| struts-core:1.3.8 | - | CVE-2016-4003 (OSSINDEX) | CVE-2016-4003 | High | FALSE | Relates to Struts 2 |
| xwork-core:2.3.30 | CVE-2017-9804 | - | - | High | TRUE | |
| xwork-core:2.3.30 | SONATYPE-2017-0173 | - | - | High | TRUE | |
| xwork-core:2.3.30 | CVE-2017-7672 | - | - | High | FALSE | Duplicate of CVE-2017-9804 |
| xwork-core:2.3.30 | SONATYPE-2016-0127 | - | - | High | TRUE | |
| struts2-core:2.3.30 | - | CVE-2016-6795 | CVE-2016-6795 | High | TRUE | |
| struts2-core:2.3.30 | - | CVE-2017-9787 | CVE-2017-9787 | High | TRUE | |
| struts2-core:2.3.30 | - | CVE-2017-9791 | CVE-2017-9791 | High | TRUE | |
| struts2-core:2.3.30 | - | CVE-2017-9793 | - | High | FALSE | Duplicate of CVE-2018-1327 |
| struts2-core:2.3.30 | - | CVE-2017-9804 | - | High | TRUE | |
| struts2-core:2.3.30 | - | CVE-2017-9805 | CVE-2017-9805 | High | TRUE | |
| struts2-core:2.3.30 | CVE-2016-4003 | - | - | Medium | FALSE | Applies to Apache Struts 2.x up to 2.3.28, and we have 2.3.30. However, according to the description, the CVE applies to any Struts 2 version if JRE 1.7 or earlier is used. Apparently they decided to warn us once more here, but it looks more like FALSE |
| struts2-core:2.3.30 | - | CVE-2018-1327 | CVE-2018-1327 | High | TRUE | |
| struts2-core:2.3.30 | CVE-2017-5638 | CVE-2017-5638 | CVE-2017-5638 | High | TRUE | The same vulnerability that was exploited in the 2017 Equifax breach |
| struts2-core:2.3.30 | CVE-2017-12611 | CVE-2017-12611 | - | High | TRUE | |
| struts2-core:2.3.30 | CVE-2018-11776 | CVE-2018-11776 | CVE-2018-11776 | High | TRUE | |
| struts-taglib:1.3.8 | - | CVE-2012-0394 | - | Medium | FALSE | Belongs to struts2-core |
| struts-taglib:1.3.8 | - | CVE-2013-2115 | - | High | FALSE | Belongs to struts2-core |
| struts-taglib:1.3.8 | - | CVE-2014-0114 | - | High | FALSE | Belongs to commons-beanutils |
| struts-taglib:1.3.8 | - | CVE-2015-0899 | - | High | FALSE | Not related to taglib |
| struts-taglib:1.3.8 | - | CVE-2015-2992 | - | Medium | FALSE | Relates to struts2-core |
| struts-taglib:1.3.8 | - | CVE-2016-1181 | - | High | FALSE | Not related to taglib |
| struts-taglib:1.3.8 | - | CVE-2016-1182 | - | High | FALSE | Not related to taglib |
| struts-tiles-1.3.8 | - | CVE-2012-0394 | - | Medium | FALSE | Belongs to struts2-core |
| struts-tiles-1.3.8 | - | CVE-2013-2115 | - | High | FALSE | Belongs to struts2-core |
| struts-tiles-1.3.8 | - | CVE-2014-0114 | - | High | FALSE | Belongs to commons-beanutils |
| struts-tiles-1.3.8 | - | CVE-2015-0899 | - | High | FALSE | Not related to tiles |
| struts-tiles-1.3.8 | - | CVE-2015-2992 | - | Medium | FALSE | Belongs to struts2-core |
| struts-tiles-1.3.8 | - | CVE-2016-1181 | - | High | FALSE | Not related to taglib |
| struts-tiles-1.3.8 | - | CVE-2016-1182 | - | High | FALSE | Not related to taglib |
Source: www.habr.com