Using the Dependency-Check vulnerability scanner for third-party libraries in GitLab CI

An important part of vulnerability management is understanding and securing the supply chain of software components that make up modern systems. Agile and DevOps teams lean heavily on open-source libraries and frameworks to cut development time and cost. This coin has a flip side: you also inherit other people's bugs and vulnerabilities.

Obviously, the team has to know which open-source components are included in its applications, make sure that known, trusted versions are pulled from known, trusted sources, and move to newer versions of those components once fresh vulnerabilities in them are fixed.

In this post we look at using OWASP Dependency Check to fail a build when it finds serious problems in your project's dependencies.

The book "Development Security in Agile Projects" describes it like this. OWASP Dependency Check is a free scanner that catalogs all the open-source components used in an application and reports their vulnerabilities. There are versions for Java, .NET, Ruby (gemspec), PHP (composer), Node.js and Python, as well as some C/C++ projects. Dependency Check integrates with common build tools, including Ant, Maven and Gradle, and with continuous integration servers such as Jenkins.

Dependency Check reports every component that has known vulnerabilities in NIST's National Vulnerability Database (NVD), and it keeps its local copy of that data up to date from the NVD data feeds.

Fortunately, all of this is easy to automate with tools such as the OWASP Dependency Check project or commercial products like Black Duck, JFrog Xray, Snyk, Sonatype Nexus Lifecycle or SourceClear.

These tools can be wired into build pipelines to inventory open-source dependencies, detect outdated library versions and libraries with known vulnerabilities, and fail the build when serious problems are found.

OWASP Dependency Check

To try Dependency Check out and show how it works, we use this repository: dependency-check-example.

To view the HTML report, you need to set up an nginx web server on your gitlab-runner. Keep in mind that the config below publishes a directory listing of everything under the runner's builds directory, i.e. the checked-out sources of every project that runner builds, so restrict who can reach port 9999 (a firewall rule or an nginx allow/deny block) rather than exposing it to the whole network.

An example of a minimal nginx config:

server {
    listen       9999;
    listen       [::]:9999;
    server_name  _;
    # the gitlab-runner checkout root; each project's target/ directory lives under it
    root         /home/gitlab-runner/builds;

    location / {
        autoindex on;
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

At the end of the job log you will see the report link (shown as a screenshot in the original post).

Follow the link to open the Dependency Check report.

The first screenshot (in the original post) shows the top of the report with the summary.

The second screenshot shows the details of CVE-2017-5638 (the Apache Struts 2 remote code execution flaw). Here we can see the CVSS score of the CVE and links, including to published exploits.

The third screenshot shows the details for log4j-api-2.7.jar. We see CVSS scores of 7.5 and 9.8 (the report lists the CVSSv2 and CVSSv3 score of each CVE side by side).

The fourth screenshot shows the details for commons-fileupload-1.3.2.jar. Again we see CVSS scores of 7.5 and 9.8.

If you would rather publish the report with GitLab Pages, this will not work as-is: a failed job does not produce an artifact (by default artifacts are only uploaded when the job succeeds).

Example here: https://gitlab.com/anton_patsev/dependency-check-example-gitlab-pages.

Build result: there is no artifact, and I do not see the HTML report. Need to try Artifact: always:

https://gitlab.com/anton_patsev/dependency-check-example-gitlab-pages/-/jobs/400004246

(The job output is shown as a screenshot in the original post.)

Tuning the CVE severity threshold

The key line in the .gitlab-ci.yml file:

mvn $MAVEN_CLI_OPTS test org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7

With the failBuildOnCVSS parameter you set the severity level at which you want to react: the build fails as soon as any dependency carries a CVE whose CVSS score is at or above the threshold (7 here), and a lower-scored finding only shows up in the report. The plugin's default threshold of 11 is above the CVSS maximum of 10, so without this parameter the build never fails.
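The same threshold decision, applied outside Maven. This is an added example and not code from the post or from the Dependency-Check project: it reads the JSON report the plugin writes with -Dformat=JSON (the dependencies[].vulnerabilities[] layout with cvssv3.baseScore and cvssv2.score is assumed from the 5.x report format), lists the findings that block the build, and exits non-zero on the same "at or above the threshold" rule. SAMPLE_REPORT is constructed for the example: the jar names and the 7.5 / 9.8 scores are the ones from the post's screenshots, CVE-2017-5645 and CVE-2016-1000031 are real CVEs affecting those versions, and CVE-EXAMPLE-V2ONLY is a placeholder for an older entry that has only a CVSSv2 score.

```python
"""Policy gate over a Dependency-Check JSON report (added example, not project code)."""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    dependency: str
    cve: str
    score: float


def score_of(vuln: dict) -> float:
    """CVSSv3 base score if present, else the CVSSv2 score, else 0.0 (unscored entry)."""
    v3 = vuln.get("cvssv3") or {}
    if v3.get("baseScore") is not None:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if v2.get("score") is not None:
        return float(v2["score"])
    return 0.0


def findings(report: dict) -> list[Finding]:
    """Flatten the report into one Finding per (dependency, CVE), highest score first."""
    found = [
        Finding(dep.get("fileName", "?"), vuln.get("name", "?"), score_of(vuln))
        for dep in report.get("dependencies", [])
        for vuln in (dep.get("vulnerabilities") or [])
    ]
    return sorted(found, key=lambda f: f.score, reverse=True)


def gate(report: dict, fail_on_cvss: float = 7.0) -> tuple[int, list[Finding]]:
    """(exit code, blocking findings): exit 1 if any score is at or above the threshold,
    the same rule -DfailBuildOnCVSS=<threshold> applies inside the Maven plugin."""
    blocking = [f for f in findings(report) if f.score >= fail_on_cvss]
    return (1 if blocking else 0), blocking


SAMPLE_REPORT = {  # constructed for this example; layout assumed from the 5.x JSON report
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "log4j-api-2.7.jar", "vulnerabilities": [
            {"name": "CVE-2017-5645", "severity": "CRITICAL",
             "cvssv2": {"score": 7.5}, "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "commons-fileupload-1.3.2.jar", "vulnerabilities": [
            {"name": "CVE-2016-1000031", "severity": "CRITICAL",
             "cvssv2": {"score": 7.5}, "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "old-lib.jar", "vulnerabilities": [  # placeholder entry with a CVSSv2 score only
            {"name": "CVE-EXAMPLE-V2ONLY", "severity": "MEDIUM", "cvssv2": {"score": 5.0}}]},
        {"fileName": "clean-lib.jar", "vulnerabilities": []},
    ],
}


def main(argv: list[str]) -> int:
    """Usage: gate.py [target/dependency-check-report.json] [threshold]; no file -> sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    threshold = float(argv[2]) if len(argv) > 2 else 7.0
    code, blocking = gate(report, threshold)
    for f in blocking:
        print(f"BLOCK  {f.score:>4}  {f.cve:<18} {f.dependency}")
    print(f"{len(blocking)} finding(s) at or above CVSS {threshold}; exit {code}")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a separate pipeline step after the plugin has written target/dependency-check-report.json; because the plugin can be told not to fail (leave failBuildOnCVSS at its default) this lets one job produce the report and a second, cheaper job decide, with the blocking findings printed in the log where a reviewer looks first.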

Downloading the NIST Vulnerability Database (NVD) from the Internet

You have probably noticed that the NIST vulnerability database (NVD) data is downloaded from the Internet on every run (the download log is shown as a screenshot in the original post).

To keep a local copy instead, you can use the nist_data_mirror_golang utility.

Install and start it (CentOS/RHEL with the yum copr plugin):

yum -y install yum-plugin-copr
yum -y copr enable antonpatsev/nist_data_mirror_golang
yum -y install nist-data-mirror
systemctl start nist-data-mirror

nist-data-mirror downloads the NIST CVE JSON feeds into /var/www/repos/nist-data-mirror/ at start-up and refreshes the data every 24 hours.

To serve the NIST CVE JSON feeds to Dependency Check, you need to set up an nginx web server (for example, on your gitlab-runner).

An example of a minimal nginx config:

server {
    listen       12345;
    listen       [::]:12345;
    server_name  _;
    # directory that nist-data-mirror keeps up to date
    root         /var/www/repos/nist-data-mirror/;

    location / {
        autoindex on;
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
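Once the pipeline reads its CVE data from localhost instead of nvd.nist.gov, the mirror becomes part of the trust chain, so it is worth checking before every scan that the feeds are complete, intact and fresh. The script below is an added example, not code from the post or from nist_data_mirror_golang. It assumes the NVD 1.1 feed layout that the DEPENDENCY_OPTS in this post reference: for every nvdcve-1.1-<name>.json.gz there is a sibling nvdcve-1.1-<name>.meta of "key:value" lines, whose sha256 is computed over the uncompressed JSON and whose lastModifiedDate is an ISO-8601 timestamp with UTC offset. The files written by build_sample_mirror() are constructed for the demo and contain no real CVE data.

```python
"""Verify a local NVD 1.1 feed mirror before Dependency-Check uses it (added example)."""
from __future__ import annotations

import gzip
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

FEED = "nvdcve-1.1-%s"  # file name stem used by the NVD 1.1 feeds (assumed layout)


def parse_meta(text: str) -> dict[str, str]:
    """Parse 'key:value' lines; split on the first colon only, timestamps contain colons."""
    meta = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            meta[key.strip()] = value.strip()
    return meta


def verify_feed(mirror_dir: str, name: str, max_age: timedelta | None = None,
                now: datetime | None = None) -> list[str]:
    """Problems found for one feed ('modified' or a year); an empty list means it is usable."""
    gz_path = os.path.join(mirror_dir, FEED % name + ".json.gz")
    meta_path = os.path.join(mirror_dir, FEED % name + ".meta")
    for path in (gz_path, meta_path):
        if not os.path.exists(path):
            return [f"{name}: missing {os.path.basename(path)}"]
    with open(meta_path, encoding="utf-8") as fh:
        meta = parse_meta(fh.read())
    problems = []
    with gzip.open(gz_path, "rb") as fh:  # integrity: hash the uncompressed JSON
        digest = hashlib.sha256(fh.read()).hexdigest()
    if digest != meta.get("sha256", "").lower():
        problems.append(f"{name}: sha256 mismatch (feed {digest[:12]}..., meta {meta.get('sha256', '?')[:12]}...)")
    if max_age is not None:  # freshness: only enforced for the 'modified' feed
        stamp = datetime.fromisoformat(meta["lastModifiedDate"])
        if stamp.tzinfo is None:
            stamp = stamp.replace(tzinfo=timezone.utc)
        age = (now or datetime.now(timezone.utc)) - stamp
        if age > max_age:
            problems.append(f"{name}: stale, last modified {age} ago (limit {max_age})")
    return problems


def verify_mirror(mirror_dir: str, first_year: int = 2002, last_year: int | None = None,
                  max_age: timedelta = timedelta(hours=24), now: datetime | None = None) -> list[str]:
    """Check 'modified' for freshness and every yearly feed for presence and integrity."""
    last_year = last_year or datetime.now(timezone.utc).year
    problems = verify_feed(mirror_dir, "modified", max_age, now)
    for year in range(first_year, last_year + 1):
        problems += verify_feed(mirror_dir, str(year))
    return problems


def build_sample_mirror(root: str, tamper: bool = False) -> None:
    """Write a constructed two-feed mirror (modified + 2019); tamper=True corrupts 2019's data."""
    for name in ("modified", "2019"):
        payload = json.dumps({"CVE_data_type": "CVE", "CVE_data_version": "4.0", "CVE_Items": []}).encode()
        published = hashlib.sha256(payload).hexdigest()  # the digest the .meta advertises
        if tamper and name == "2019":
            payload += b" "  # content no longer matches the advertised digest
        with open(os.path.join(root, FEED % name + ".json.gz"), "wb") as fh:
            fh.write(gzip.compress(payload))
        with open(os.path.join(root, FEED % name + ".meta"), "w", encoding="utf-8") as fh:
            fh.write(f"lastModifiedDate:2019-11-10T03:00:00+00:00\nsize:{len(payload)}\nsha256:{published.upper()}\n")


def demo() -> dict[str, list[str]]:
    """Run the checks against constructed mirrors and return the problems per scenario."""
    now = datetime(2019, 11, 10, 12, 0, tzinfo=timezone.utc)
    results = {}
    with tempfile.TemporaryDirectory() as good:
        build_sample_mirror(good)
        results["fresh"] = verify_mirror(good, 2019, 2019, now=now)
        results["stale"] = verify_mirror(good, 2019, 2019, now=now + timedelta(days=2))
        results["missing_year"] = verify_mirror(good, 2018, 2019, now=now)
    with tempfile.TemporaryDirectory() as bad:
        build_sample_mirror(bad, tamper=True)
        results["tampered"] = verify_mirror(bad, 2019, 2019, now=now)
    return results


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(f"{scenario:<13} {'OK' if not problems else '; '.join(problems)}")
```

In a real pipeline you would call verify_mirror("/var/www/repos/nist-data-mirror") on the runner (or fetch the same files over http://localhost:12345) in a job that runs before the scan and make it fail on any problem; a stale "modified" feed means the scan is silently missing the latest CVEs, and a digest mismatch means the mirror is serving something other than what NIST published.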

So as not to end up with one very long line where mvn is invoked, we move the parameters into a separate variable, DEPENDENCY_OPTS. Note that cveUrlModified and cveUrlBase address the NVD 1.1 JSON feeds, which NIST retired at the end of 2023; Dependency-Check 9 and later fetch CVE data through the NVD API (nvdApiKey, nvdDatafeedUrl) instead, so with a current version the mirror settings have to be adapted accordingly.

The final minimal .gitlab-ci.yml config looks like this:

variables:
  MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true"
  MAVEN_CLI_OPTS: "--batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true"
  # fail on CVSS >= 7; read the NVD 1.1 feeds from the local mirror served by nginx on port 12345
  DEPENDENCY_OPTS: "-DfailBuildOnCVSS=7 -DcveUrlModified=http://localhost:12345/nvdcve-1.1-modified.json.gz -DcveUrlBase=http://localhost:12345/nvdcve-1.1-%d.json.gz"

cache:
  paths:
    - .m2/repository

verify:
  stage: test
  script:
    # keep the job alive after a failing check so the report URL is still printed
    - set +e
    - mvn $MAVEN_CLI_OPTS install org.owasp:dependency-check-maven:check $DEPENDENCY_OPTS || EXIT_CODE=$?
    # strip the runner's builds root so the remaining path maps onto the nginx root on port 9999
    - export PATH_WITHOUT_HOME=$(pwd | sed -e "s#/home/gitlab-runner/builds##g")
    - echo "************************* URL Dependency-check-report.html *************************"
    - echo "http://$HOSTNAME:9999$PATH_WITHOUT_HOME/target/dependency-check-report.html"
    - set -e
    # propagate the scan result; EXIT_CODE is never set when the check passed
    - exit ${EXIT_CODE:-0}
  tags:
    - shell

Telegram chat about DevOps and security
Telegram channel DevSecOps / SSDLC - Secure development

Source: www.habr.com
