The importance of analysing third-party components (Software Composition Analysis, SCA) in the development process keeps growing, as shown by the annual reports on vulnerabilities in open-source libraries published by Synopsys, Sonatype, Snyk and WhiteSource. According to the report
One of the most vivid examples
This article discusses the problem of choosing a tool for SCA from the standpoint of the quality of the analysis results. A functional comparison of the tools is also given. The process of integrating into CI/CD and the integration capabilities are left for the following articles. A wide range of tools is presented by OWASP
How it works
Let's look at what a CPE looks like:
cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
- Part: indicates whether the component is an application (a), an operating system (o) or hardware (h) (required)
- Vendor: vendor name (required)
- Product: product name (required)
- Version: component version (deprecated)
- Update: package update
- Edition: legacy edition (deprecated)
- Language: language as defined in RFC 5646
- SW Edition: software edition
- Target SW: the software environment in which the product operates
- Target HW: the hardware environment in which the product operates
- Other: vendor or product information
An example CPE looks like this:
cpe:2.3:a:pivotal_software:spring_framework:3.0.0:*:*:*:*:*:*:*
This string says that CPE version 2.3 describes an application component from the vendor pivotal_software, named spring_framework, version 3.0.0. If we open the vulnerability
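As an added illustration (this code is the editor's, not the article's and not from any of the tools it discusses), the following Python splits a CPE 2.3 string into the attributes listed above and then checks a component's CPE against NVD-style affected-version ranges. The ranges use the CVE-2020-5398 windows quoted later in the article (5.2.x before 5.2.3, 5.1.x before 5.1.13, 5.0.x before 5.0.16). The extra range starting at 3.0.2.RELEASE is an assumption built from the Advisory Deviation Notice the article quotes, not an official feed entry; it shows why the same CPE can be "not affected" against NVD data and "affected" against a vendor-enriched database.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The 11 attributes of a CPE 2.3 formatted string, in order, after the "cpe:2.3:" prefix.
CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe(cpe: str) -> Dict[str, str]:
    """Split a CPE 2.3 formatted string into its named attributes.

    A colon inside a value is escaped as "\\:" in the formatted-string binding,
    so only colons that are not preceded by a backslash separate attributes.
    """
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    values = [p.replace("\\:", ":") for p in parts[2:]]
    return dict(zip(CPE_FIELDS, values))


def version_key(version: str) -> Tuple:
    """Sortable key for dotted versions: numeric parts compare as integers,
    textual parts (e.g. RELEASE) sort after any number at the same position."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", version))


def cpe_matches(pattern: str, target: str) -> bool:
    """Attribute-by-attribute match: '*' (ANY) in the pattern matches everything,
    any other value must match case-insensitively (this includes '-' for NA)."""
    p, t = parse_cpe(pattern), parse_cpe(target)
    return all(p[f] == "*" or p[f].lower() == t[f].lower() for f in CPE_FIELDS)


@dataclass
class AffectedRange:
    """One NVD-style configuration entry: a CPE match pattern plus a version window."""
    cpe_pattern: str
    start_including: Optional[str] = None
    end_excluding: Optional[str] = None


def is_affected(target_cpe: str, ranges: List[AffectedRange]) -> bool:
    """True if the target CPE falls inside any of the affected ranges."""
    version = version_key(parse_cpe(target_cpe)["version"])
    for r in ranges:
        if not cpe_matches(r.cpe_pattern, target_cpe):
            continue
        if r.start_including and version < version_key(r.start_including):
            continue
        if r.end_excluding and version >= version_key(r.end_excluding):
            continue
        return True
    return False


SPRING = "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*"

# Affected windows for CVE-2020-5398 as the article describes the NVD entry:
# 5.2.x before 5.2.3, 5.1.x before 5.1.13, 5.0.x before 5.0.16.
CVE_2020_5398_NVD = [
    AffectedRange(SPRING, "5.2.0", "5.2.3"),
    AffectedRange(SPRING, "5.1.0", "5.1.13"),
    AffectedRange(SPRING, "5.0.0", "5.0.16"),
]

# Assumption for illustration only (not an official feed): one window that starts at
# 3.0.2.RELEASE, where the Advisory Deviation Notice says the bug was introduced.
CVE_2020_5398_DEVIATION = [AffectedRange(SPRING, "3.0.2.RELEASE", "5.0.16")]


if __name__ == "__main__":
    for v in ("3.0.5", "5.2.2", "5.2.3"):
        cpe = f"cpe:2.3:a:pivotal_software:spring_framework:{v}:*:*:*:*:*:*:*"
        print(v, "NVD ranges:", is_affected(cpe, CVE_2020_5398_NVD),
              "| deviation range:", is_affected(cpe, CVE_2020_5398_DEVIATION))
```

Run stand-alone, the script reports 3.0.5 as not affected under the NVD ranges but affected under the deviation range, which is exactly the false negative the article attributes to the NVD-only tools for this CVE.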
Package URL (purl) is also used by SCA tools. The package URL format is as follows:
scheme:type/namespace/name@version?qualifiers#subpath
- scheme: always 'pkg', indicating that this is a package URL (required)
- type: the package "type" or package "protocol", such as maven, npm, nuget, gem, pypi, etc. (required)
- namespace: a name prefix, such as a Maven group id, a Docker image owner, a GitHub user or organization. Optional and type-specific.
- name: package name (required)
- version: package version
- qualifiers: extra qualifying data for the package, such as OS, architecture, distribution, etc. Optional and type-specific.
- subpath: an extra subpath within the package, relative to the package root
For example:
pkg:golang/google.golang.org/genproto#googleapis/api/annotations
pkg:maven/org.apache.commons/[email protected]
pkg:pypi/[email protected]
An example of what a BOM looks like in XML format:
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
  <components>
    <component type="library">
      <publisher>Apache</publisher>
      <group>org.apache.tomcat</group>
      <name>tomcat-catalina</name>
      <version>9.0.14</version>
      <hashes>
        <hash alg="MD5">3942447fac867ae5cdb3229b658f4d48</hash>
        <hash alg="SHA-1">e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a</hash>
        <hash alg="SHA-256">f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b</hash>
        <hash alg="SHA-512">e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282</hash>
      </hashes>
      <licenses>
        <license>
          <id>Apache-2.0</id>
        </license>
      </licenses>
      <purl>pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14</purl>
    </component>
    <!-- More components here -->
  </components>
</bom>
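The following Python is an added example (the editor's code, not the article's, and not code from CycloneDX or Dependency Track). It parses package URLs as described above and then uses that parser to sanity-check a CycloneDX 1.2 BOM like the one shown: each component's purl is compared with the component's own group, name and version, and each hash value is checked for the digit count of its algorithm. The embedded BOM is constructed for the example; its second component is deliberately inconsistent so that the checks have something to report.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote


def parse_purl(purl: str) -> Dict[str, object]:
    """Decompose pkg:type/namespace/name@version?qualifiers#subpath into its parts."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest, _, subpath = rest.partition("#")       # subpath follows '#'
    rest, _, qualifiers = rest.partition("?")    # qualifiers follow '?'
    ptype, _, rest = rest.partition("/")         # type is the first path segment
    version: Optional[str] = None
    if "@" in rest:                              # version follows the last '@'
        rest, _, version = rest.rpartition("@")
        version = unquote(version)
    segments = [unquote(s) for s in rest.strip("/").split("/") if s]
    if not segments:
        raise ValueError(f"package URL has no name: {purl!r}")
    name, namespace = segments[-1], "/".join(segments[:-1]) or None
    ptype = ptype.lower()
    if ptype in ("github", "bitbucket"):         # case-insensitive types per the purl spec
        name = name.lower()
        namespace = namespace.lower() if namespace else None
    if ptype == "pypi":                          # pypi: case-insensitive, '_' equals '-'
        name = name.lower().replace("_", "-")
    quals: Dict[str, str] = {}
    for pair in filter(None, qualifiers.split("&")):
        key, _, value = pair.partition("=")
        quals[key.lower()] = unquote(value)
    subpath = "/".join(s for s in subpath.split("/") if s not in ("", ".", ".."))
    return {"type": ptype, "namespace": namespace, "name": name, "version": version,
            "qualifiers": quals, "subpath": subpath or None}


# Constructed CycloneDX 1.2 BOM modelled on the article's example. The second component is
# deliberately inconsistent: its purl version disagrees with <version> and its SHA-256 is truncated.
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" serialNumber="urn:uuid:00000000-0000-4000-8000-000000000001" version="1">
  <components>
    <component type="library">
      <group>org.apache.tomcat</group><name>tomcat-catalina</name><version>9.0.14</version>
      <hashes><hash alg="SHA-256">f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b</hash></hashes>
      <purl>pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14</purl>
    </component>
    <component type="library">
      <group>com.example</group><name>demo-lib</name><version>1.2.0</version>
      <hashes><hash alg="SHA-256">abcdef</hash></hashes>
      <purl>pkg:maven/com.example/demo-lib@1.1.0</purl>
    </component>
  </components>
</bom>"""

NS = {"b": "http://cyclonedx.org/schema/bom/1.2"}
HASH_HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-512": 128}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def check_bom(xml_text: str) -> Tuple[List[str], List[str]]:
    """Return (purls, problems): every component purl, plus one message for each purl that
    disagrees with the component's own coordinates and each hash that does not fit its algorithm."""
    root = ET.fromstring(xml_text)   # for BOMs from untrusted sources, parse with defusedxml instead
    purls, problems = [], []
    for comp in root.findall("b:components/b:component", NS):
        def text(tag: str) -> str:
            return (comp.findtext(f"b:{tag}", default="", namespaces=NS) or "").strip()
        label = f"{text('group')}/{text('name')}@{text('version')}"
        purl = text("purl")
        if not purl:
            problems.append(f"{label}: component has no purl")
        else:
            purls.append(purl)
            try:
                p = parse_purl(purl)
            except ValueError as exc:
                problems.append(f"{label}: {exc}")
                continue
            if p["name"] != text("name"):
                problems.append(f"{label}: purl name {p['name']!r} != <name>")
            if p["version"] != text("version"):
                problems.append(f"{label}: purl version {p['version']!r} != <version> {text('version')!r}")
            if text("group") and p["namespace"] != text("group"):
                problems.append(f"{label}: purl namespace {p['namespace']!r} != <group>")
        for h in comp.findall("b:hashes/b:hash", NS):
            alg, value = h.get("alg", ""), (h.text or "").strip()
            expected = HASH_HEX_LEN.get(alg)
            if expected is None:
                problems.append(f"{label}: unknown hash algorithm {alg!r}")
            elif len(value) != expected or not set(value) <= HEX_DIGITS:
                problems.append(f"{label}: {alg} value is not a {expected}-hex-digit digest")
    return purls, problems


if __name__ == "__main__":
    found_purls, found_problems = check_bom(SAMPLE_BOM)
    print("\n".join(found_purls))
    print("\n".join(found_problems))
```

Because Dependency Track analyses whatever the BOM says rather than the project itself, a purl that points at the wrong version silently changes which vulnerabilities are reported; running a check like this on the generated bom.xml before uploading it catches that class of mistake.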
A BOM can be used not only as input data for Dependency Track, but also to document the components shipped in a product, for example when delivering software to customers. In 2014, a bill was even proposed in the USA
Returning to SCA: Dependency Track has ready-made integrations with notification platforms such as Slack and vulnerability management systems such as Kenna Security. It is also worth noting that Dependency Track, among other things, detects outdated package versions and provides licence information (thanks to SPDX support).
If we talk specifically about the quality of SCA, there is a fundamental difference.
Dependency Track does not accept the project itself as input, but a ready-made BOM. This means that if we want to test a project, we first have to generate bom.xml, for example using CycloneDX. Thus, Dependency Track depends directly on CycloneDX. At the same time, it allows customization. Here is what the OZON team writes
Let's summarize some of the functionality, and also consider the languages supported for analysis:

| Language | Nexus IQ | Dependency Check | Dependency Track |
|---|---|---|---|
| Java | + | + | + |
| C/C++ | + | + | - |
| C# | + | + | - |
| .Net | + | + | + |
| Erlang | - | - | + |
| JavaScript (NodeJS) | + | + | + |
| PHP | + | + | + |
| Python | + | + | + |
| Ruby | + | + | + |
| Perl | - | - | - |
| Scala | + | + | + |
| Objective C | + | + | - |
| Swift | + | + | - |
| R | + | - | - |
| Go | + | + | + |
Functionality

| Functionality | Nexus IQ | Dependency Check | Dependency Track |
|---|---|---|---|
| Ability to check the components in the code for licence cleanliness | + | - | + |
| Ability to scan and analyse Docker images for vulnerabilities and licence cleanliness | + Integration with Clair | - | - |
| Ability to configure a security policy for the use of open-source libraries | + | - | - |
| Ability to scan open-source repositories for vulnerable components | + RubyGems, Maven, NPM, Nuget, Pypi, Conan, Bower, Conda, Go, p2, R, Yum, Helm, Docker, CocoaPods, Git LFS | - | + Hex, RubyGems, Maven, NPM, Nuget, Pypi |
| Has a dedicated research team | + | - | - |
| Operation in a closed (isolated) network | + | + | + |
| Use of third-party databases | + Closed Sonatype database | + Sonatype OSS, NPM Public Advisors | + Sonatype OSS, NPM Public Advisors, RetireJS, VulnDB, support for its own vulnerability database |
| Ability to filter open-source components according to configured policies when they are pulled into the development loop | + | - | - |
| Remediation recommendations for vulnerabilities, with links to fixes | + | +- (depends on the description in the public databases) | +- (depends on the description in the public databases) |
| Ranking of vulnerabilities by severity | + | + | + |
| Role-based access model | + | - | + |
| CLI support | + | + | +- (only for CycloneDX) |
| Selection/sorting of vulnerabilities by specified criteria | + | - | + |
| Dashboard by application status | + | - | + |
| Report generation in PDF format | + | - | - |
| Report generation in JSON\CSV format | + | + | - |
| Russian language support | - | - | - |
Integration capabilities

| Integration | Nexus IQ | Dependency Check | Dependency Track |
|---|---|---|---|
| LDAP/Active Directory integration | + | - | + |
| Integration with the Bamboo continuous integration system | + | - | - |
| Integration with the TeamCity continuous integration system | + | - | - |
| Integration with the GitLab continuous integration system | + | +- (as a plugin for GitLab) | + |
| Integration with the Jenkins continuous integration system | + | + | + |
| Availability of IDE plugins | + IntelliJ, Eclipse, Visual Studio | - | - |
| Support for custom integration through the tool's web services (API) | + | - | + |
Dependency Check
First launch
Let's run Dependency Check on a deliberately vulnerable application. For this we will use:
mvn org.owasp:dependency-check-maven:check
As a result, dependency-check-report.html will appear in the target directory.
Let's open the file. After the summary information on the total number of vulnerabilities, we can see information about the vulnerabilities with a high Severity and Confidence level, indicating the package, the CPE and the number of CVEs.
Next come the details, specifically the basis on which the decision was made (evidence), that is, a kind of BOM.
Then come the CPE, PURL and CVE descriptions. By the way, remediation recommendations are not included, because they are not in the NVD database.
To review scan results systematically, you can set up Nginx with minimal settings, or send the resulting defects to a defect management system that supports connectors for Dependency Check, for example Defect Dojo.
Dependency Track
Installation
Dependency Track, in turn, is a web-based platform with graphs, so the pressing issue of storing defects in a third-party solution does not arise here.
Supported installation scripts: Docker, WAR, Executable WAR.
First launch
We go to the URL of the running service. We log in as admin/admin, change the login and password, and then get to the Dashboard. The next thing we do is create a project for the test Java application in Home/Projects → Create Project. Let's take DVJA as the example.
Since Dependency Track can only accept a BOM as input, this BOM has to be generated. Let's do it:
mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
We get bom.xml and upload the file to the created project: DVJA → Dependencies → Upload BOM.
Let's go to Administration → Analyzers. We see that only the Internal Analyzer is enabled, which includes NVD. Let's also connect the Sonatype OSS Index.
Thus, we get the following picture for our project:
Also in the list you can find one vulnerability applicable to Sonatype OSS:
The main disappointment is that Dependency Track no longer accepts Dependency Check XML reports. The latest supported versions of Dependency Check are 1.0.0 - 4.0.2, while I tested 5.3.2.
Nexus IQ
First launch
Nexus IQ is installed according to the documentation at
After logging into the console, you need to create an Organization and an Application.
As you can see, the setup in the case of IQ is a little more complicated, because we also need to create policies applicable to the various "stages" (dev, build, stage, release). This is necessary in order to block vulnerable components as they move along the pipeline closer to production, or to block them as soon as they enter Nexus Repo when developers download them.
To feel the difference between open source and enterprise, let's perform the same scan via Nexus IQ in the same way, via the maven plugin, into dvja-test-and-compare:
mvn com.sonatype.clm:clm-maven-plugin:evaluate -Dclm.applicationId=dvja-test-and-compare -Dclm.serverUrl=<NEXUSIQIP> -Dclm.username=<USERNAME> -Dclm.password=<PASSWORD>
Follow the URL to the report generated in the IQ web interface:
Here you can see all the policy violations with their different criticality levels (from Info to Security Critical). The letter D next to a component means that the component is a Direct Dependency, and the letter T means that the component is a Transitive Dependency, that is, it is pulled in transitively.
By the way, the report
If we open one of the Nexus IQ policy violations, we can see a description of the component, as well as a Version Graph, which shows the position of the current version on the timeline and the point from which the vulnerability ceases to be exploitable. The height of the candles on the graph indicates how popular the use of this component is.
If you go to the vulnerabilities section and expand the CVE, you can read the description of this vulnerability, the remediation recommendations, and the reason why this component was flagged as a violation, namely the presence of the class DiskFileitem.class.
Let's leave only what relates to third-party Java components, removing the js components. In brackets we indicate the number of vulnerabilities that were found outside the NVD.
Total Nexus IQ:
- Dependencies Scanned: 62
- Vulnerable Components: 16
- Vulnerabilities Found: 42 (8 sonatype db)
Total Dependency Check:
- Dependencies Scanned: 47
- Vulnerable Components: 13
- Vulnerabilities Found: 91 (14 sonatype oss)
Total Dependency Track:
- Dependencies Scanned: 59
- Vulnerable Components: 10
- Vulnerabilities Found: 51 (1 sonatype oss)
In the next steps, we will analyse the results obtained and find out which of these vulnerabilities are real and which are false positives.
Disclaimer
This review is not an indisputable truth. The author has no aim to single out one tool against the others. The aim of the review is to show how SCA tools work and ways to verify their results.
Comparison of results
Conditions:
A false positive for a third-party vulnerability is:
- A CVE mismatch to the identified component
  - For example, if a vulnerability was found in the struts2 framework, and the tool points to the struts-tiles part of the framework, to which this vulnerability does not apply, then this is a false positive.
- A CVE mismatch to the identified version of the component
  - For example, the vulnerability is tied to python version > 3.5 and the tool marks version 2.7 as vulnerable; this is a false positive, because in fact the vulnerability applies only to the 3.x product line.
- A duplicate CVE
  - For example, the SCA reports a CVE that allows RCE, and then the SCA reports a CVE for the same component that applies to Cisco products affected by that RCE. In this case it will be a false positive.
  - For example, a CVE was found in the spring-web component, after which the SCA points to the same CVE in other components of the Spring Framework, while the CVE has nothing to do with the other components. In this case it will be a false positive.
The target of the study is the Open Source project DVJA. The study includes only java components (without js).
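As an added example (the editor's code, not the author's), the following Python shows how the false-positive and false-negative figures in the next section are computed: each tool's (component, CVE) findings are compared with the set of pairs a reviewer has confirmed as real, and a rejected finding is classified as "wrong component" when the same CVE is confirmed against a different component of the project (the first criterion above). The findings and verdicts are a constructed subset modelled on a few rows of the appendix; pct() reproduces the percentage formula used in the summary table.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Finding = Tuple[str, str, str]        # (tool, component, CVE)
Verified = Set[Tuple[str, str]]       # (component, CVE) pairs confirmed true by manual review

# Constructed sample modelled on a few Appendix B rows: what each tool reported.
FINDINGS: List[Finding] = [
    ("Nexus IQ", "spring-web:3.0.5", "CVE-2020-5398"),
    ("Nexus IQ", "spring-web:3.0.5", "CVE-2016-1000027"),
    ("Nexus IQ", "xwork-core:2.3.30", "CVE-2017-9804"),
    ("Nexus IQ", "xwork-core:2.3.30", "CVE-2017-7672"),           # judged a duplicate of CVE-2017-9804
    ("Dependency Check", "spring-core:3.0.5", "CVE-2011-2894"),
    ("Dependency Check", "spring-tx:3.0.5", "CVE-2011-2894"),     # not specific to spring-tx
    ("Dependency Check", "struts-taglib:1.3.8", "CVE-2013-2115"), # belongs to struts2-core
    ("Dependency Track", "spring-core:3.0.5", "CVE-2011-2894"),
    ("Dependency Track", "spring-web:3.0.5", "CVE-2014-0225"),
]

# The reviewer's verdicts: (component, CVE) pairs that are real for this project (constructed).
VERIFIED: Verified = {
    ("spring-web:3.0.5", "CVE-2020-5398"),
    ("spring-web:3.0.5", "CVE-2016-1000027"),
    ("xwork-core:2.3.30", "CVE-2017-9804"),
    ("spring-core:3.0.5", "CVE-2011-2894"),
    ("spring-web:3.0.5", "CVE-2014-0225"),
}


def pct(part: int, whole: int) -> float:
    """Share of `part` in `whole` as a percentage with two decimals (0.0 for an empty total)."""
    return round(100.0 * part / whole, 2) if whole else 0.0


def score(findings: Iterable[Finding], verified: Verified) -> Dict[str, Dict[str, float]]:
    """Per-tool totals, false positives (count and rate) and false negatives against the verified set."""
    by_tool: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for tool, component, cve in findings:
        by_tool[tool].add((component, cve))   # a set: the same pair reported twice counts once
    result: Dict[str, Dict[str, float]] = {}
    for tool, found in by_tool.items():
        fp, fn = found - verified, verified - found
        result[tool] = {
            "total": len(found),
            "true_positive": len(found & verified),
            "false_positive": len(fp),
            "false_positive_pct": pct(len(fp), len(found)),
            "false_negative": len(fn),
        }
    return result


def explain_false_positive(component: str, cve: str, verified: Verified) -> str:
    """Classify a rejected finding: the CVE is confirmed elsewhere in the project (wrong
    component), or it matches nothing the reviewer confirmed (not applicable or a duplicate)."""
    if (component, cve) in verified:
        return "not a false positive"
    owners = sorted(c for c, v in verified if v == cve)
    if owners:
        return f"{cve} is confirmed for {', '.join(owners)}, not for {component} (wrong component)"
    return f"{cve} matches no confirmed finding (not applicable or duplicate)"


if __name__ == "__main__":
    for tool, row in score(FINDINGS, VERIFIED).items():
        print(f"{tool:17} {row}")
    print(explain_false_positive("spring-tx:3.0.5", "CVE-2011-2894", VERIFIED))
    # The rates in the summary table follow from the same formula:
    print(pct(2, 42), pct(62, 91), pct(29, 51))
```

The verified set is the expensive part: it is the product of the manual review the article describes, and the metrics are only as good as those verdicts.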
Summary results
Let's go straight to the results of the manual review of the vulnerabilities. The full report for each CVE can be found in the Appendix.
Summary results for all vulnerabilities:

| Parameter | Nexus IQ | Dependency Check | Dependency Track |
|---|---|---|---|
| Total vulnerabilities identified | 42 | 91 | 51 |
| Incorrectly identified (false positive) | 2 (4.76%) | 62 (68.13%) | 29 (56.86%) |
| Relevant vulnerabilities not found (false negative) | 10 | 20 | 27 |

Summary results by component:

| Parameter | Nexus IQ | Dependency Check | Dependency Track |
|---|---|---|---|
| Total components identified | 62 | 47 | 59 |
| Total vulnerable components | 16 | 13 | 10 |
| Incorrectly identified vulnerable components (false positive) | 1 | 5 | 0 |
| Vulnerable components not found (false negative) | 0 | 6 | 6 |

Let's build a chart to assess the ratio of false positives and false negatives across all vulnerabilities. Components are plotted horizontally, and the vulnerabilities found in them vertically.
For comparison, a similar study was carried out by the Sonatype team, testing a project of 1531 components with OWASP Dependency Check. As we can see, the ratio of noise to correct results is comparable to our results.
Source:
Let's look at some CVEs from our scan results to understand the reasons for these results.
No.1
Let's first look at some interesting points regarding Sonatype Nexus IQ.
Nexus IQ found a deserialization problem with the possibility of RCE in the Spring Framework several times: CVE-2016-1000027 in spring-web:3.0.5 for the first time, and CVE-2011-2894 in spring-context:3.0.5 and spring-core:3.0.5. At first it seems that the vulnerability is duplicated across several CVEs, because if you look at CVE-2016-1000027 and CVE-2011-2894 in the NVD database, everything seems obvious.

| Component | Vulnerability |
|---|---|
| spring-web:3.0.5 | CVE-2016-1000027 |
| spring-context:3.0.5 | CVE-2011-2894 |
| spring-core:3.0.5 | CVE-2011-2894 |

CVE-2011-2894 itself is quite well known. In the report, the vulnerable class is RemoteInvocationSerializingExporter, while in CVE-2011-2894 the vulnerability is found in HttpInvokerServiceExporter. Here is what Nexus IQ tells us:
However, there is nothing like this in the NVD, which is why Dependency Check and Dependency Track each received a false negative.
Also, from the description of CVE-2011-2894 it can be understood that the vulnerability is indeed present in both spring-context:3.0.5 and spring-core:3.0.5. Confirmation of this can be found in an article by the person who found this vulnerability.
No.2

| Component | Vulnerability | Result |
|---|---|---|
| struts2-core:2.3.30 | CVE-2016-4003 | FALSE |

If we study CVE-2016-4003, we find that it was fixed in version 2.3.28, yet Nexus IQ reports it to us. There is a note in the vulnerability description:
That is, the vulnerability exists only in combination with old versions of the JRE, which they decided to warn us about. Nevertheless, we count this as a False Positive, even if not the worst one.
No.3

| Component | Vulnerability | Result |
|---|---|---|
| xwork-core:2.3.30 | CVE-2017-9804 | TRUE |
| xwork-core:2.3.30 | CVE-2017-7672 | FALSE |

If we look at the descriptions of CVE-2017-9804 and CVE-2017-7672, we find that the problem is in the URLValidator class, with CVE-2017-9804 stemming from CVE-2017-7672. The presence of the second vulnerability carries no useful information beyond the fact that its severity was raised to High, so we can consider it unnecessary noise.
In total, no other false positives were found for Nexus IQ.
No.4
There are a few things that make IQ stand out from the other solutions.

| Component | Vulnerability | Result |
|---|---|---|
| spring-web:3.0.5 | CVE-2020-5398 | TRUE |

The CVE in the NVD says that it applies only to versions 5.2.x before 5.2.3, 5.1.x before 5.1.13, and 5.0.x before 5.0.16; however, if we look at the CVE description in Nexus IQ, we see the following:
Advisory Deviation Notice: The Sonatype security research team discovered that this vulnerability was introduced in version 3.0.2.RELEASE and not 5.0.x as stated in the advisory.
This is followed by a PoC for this vulnerability, which states that it is present in version 3.0.5.
The false negative goes to Dependency Check and Dependency Track.
No.5
Let's look at the false positives of Dependency Check and Dependency Track.
Dependency Check stands out in that it reports CVEs which, in the NVD, apply to the whole framework against components to which those CVEs do not apply. This concerns CVE-2012-0394, CVE-2013-2115, CVE-2014-0114, CVE-2015-0899, CVE-2015-2992, CVE-2016-1181 and CVE-2016-1182, which were "attached" to struts-taglib:1.3.8 and struts-tiles-1.3.8. These components have nothing to do with what is described in the CVEs: request processing, page validation, and so on. This happens because the CVEs and the components belong to the same framework, which is why Dependency Check counts this as a vulnerability.
The same situation occurs with spring-tx:3.0.5, and a similar one with struts-core:1.3.8. For struts-core, Dependency Check and Dependency Track found many vulnerabilities that are relevant to struts2-core, which is the core of a separate framework. In this case, Nexus IQ understood the picture correctly, and in the CVEs it reported it indicated that struts-core has reached end of life and that it is necessary to migrate to struts2-core.
No.6
In some situations, it is unfair to interpret the false positives of Dependency Check and Dependency Track as errors. In particular, CVE-2013-4152, CVE-2013-6429, CVE-2013-6430, CVE-2013-7315, CVE-2014-0054 and CVE-2014-0225, which were attributed to spring-core:3.0.5, actually belong to spring-web:3.0.5. At the same time, some of these CVEs were also found by Nexus IQ, but IQ attributed them correctly to the other component. Since these vulnerabilities were not detected in spring-web, it cannot be argued that they are simply absent from the core, and the open-source tools did point to these vulnerabilities (they just missed slightly).
Findings
As we can see, determining whether a vulnerability is genuine by manual review does not give unambiguous results, which is why controversial cases arise. The outcome is that the Nexus IQ tool has the lowest false-positive rate and the highest accuracy.
First of all, this is because the Sonatype team has expanded the description of every CVE from the NVD in its own database, detailing the vulnerability for a specific version of a component down to the class or function, and doing additional research (for example, checking the vulnerability in older versions of the software).
An important role in the results is also played by the vulnerabilities that are not in the NVD but are present in the Sonatype database with the SONATYPE label. According to the report
As a result, Dependency Check produces a lot of noise while missing some vulnerabilities. Dependency Track produces less noise and detects many components, which does not hurt the eyes too much in the web interface.
Nevertheless, practice shows that open source should become the first step on the path to DevSecOps maturity. The first thing to think about when integrating SCA into development is the processes, that is, to think together with management and the related departments about what the process should look like in your organization. It may turn out that for your organization, initially, Dependency Check or Dependency Track will cover all business needs, and Enterprise solutions will be a logical continuation as the complexity of the applications being developed grows.
Appendix A: Results by component
Legend:
- High - high- and critical-severity vulnerabilities in the component
- Medium - medium-severity vulnerabilities in the component
- TRUE - a genuine finding (true positive)
- FALSE - a false positive

| Component | Nexus IQ | Dependency Check | Dependency Track | Result |
|---|---|---|---|---|
| dom4j:1.6.1 | High | High | High | TRUE |
| log4j-core:2.3 | High | High | High | TRUE |
| log4j:1.2.14 | High | High | - | TRUE |
| commons-collections:3.1 | High | High | High | TRUE |
| commons-fileupload:1.3.2 | High | High | High | TRUE |
| commons-beanutils:1.7.0 | High | High | High | TRUE |
| commons-codec:1.10 | Medium | - | - | TRUE |
| mysql-connector-java:5.1.42 | High | High | High | TRUE |
| spring-expression:3.0.5 | High | not found | - | TRUE |
| spring-web:3.0.5 | High | not found | High | TRUE |
| spring-context:3.0.5 | Medium | not found | - | TRUE |
| spring-core:3.0.5 | Medium | High | High | TRUE |
| struts2-config-browser-plugin:2.3.30 | Medium | - | - | TRUE |
| spring-tx:3.0.5 | - | High | - | FALSE |
| struts-core:1.3.8 | High | High | High | TRUE |
| xwork-core:2.3.30 | High | - | - | TRUE |
| struts2-core:2.3.30 | High | High | High | TRUE |
| struts-taglib:1.3.8 | - | High | - | FALSE |
| struts-tiles:1.3.8 | - | High | - | FALSE |
Appendix B: Results by vulnerability
Legend:
- High - high- and critical-severity vulnerabilities in the component
- Medium - medium-severity vulnerabilities in the component
- TRUE - a genuine finding (true positive)
- FALSE - a false positive

| Component | Nexus IQ | Dependency Check | Dependency Track | Severity | Result | Note |
|---|---|---|---|---|---|---|
| dom4j:1.6.1 | CVE-2018-1000632 | CVE-2018-1000632 | CVE-2018-1000632 | High | TRUE | |
| | CVE-2020-10683 | CVE-2020-10683 | CVE-2020-10683 | High | TRUE | |
| log4j-core:2.3 | CVE-2017-5645 | CVE-2017-5645 | CVE-2017-5645 | High | TRUE | |
| | CVE-2020-9488 | CVE-2020-9488 | CVE-2020-9488 | Low | TRUE | |
| log4j:1.2.14 | CVE-2019-17571 | CVE-2019-17571 | - | High | TRUE | |
| | - | CVE-2020-9488 | - | Low | TRUE | |
| | SONATYPE-2010-0053 | - | - | High | TRUE | |
| commons-collections:3.1 | - | CVE-2015-6420 | CVE-2015-6420 | High | FALSE | Duplicates RCE (OSSINDEX) |
| | - | CVE-2017-15708 | CVE-2017-15708 | High | FALSE | Duplicates RCE (OSSINDEX) |
| | SONATYPE-2015-0002 | RCE (OSSINDEX) | RCE (OSSINDEX) | High | TRUE | |
| commons-fileupload:1.3.2 | CVE-2016-1000031 | CVE-2016-1000031 | CVE-2016-1000031 | High | TRUE | |
| | SONATYPE-2014-0173 | - | - | Medium | TRUE | |
| commons-beanutils:1.7.0 | CVE-2014-0114 | CVE-2014-0114 | CVE-2014-0114 | High | TRUE | |
| | - | CVE-2019-10086 | CVE-2019-10086 | High | FALSE | The vulnerability applies only to version 1.9.2+ |
| commons-codec:1.10 | SONATYPE-2012-0050 | - | - | Medium | TRUE | |
| mysql-connector-java:5.1.42 | CVE-2018-3258 | CVE-2018-3258 | CVE-2018-3258 | High | TRUE | |
| | CVE-2019-2692 | CVE-2019-2692 | - | Medium | TRUE | |
| | - | CVE-2020-2875 | - | Medium | FALSE | The same vulnerability as CVE-2019-2692, but with the note "attacks may significantly impact additional products" |
| | - | CVE-2017-15945 | - | High | FALSE | Not related to mysql-connector-java |
| | - | CVE-2020-2933 | - | Low | FALSE | Duplicate of CVE-2020-2934 |
| | CVE-2020-2934 | CVE-2020-2934 | - | Medium | TRUE | |
| spring-expression:3.0.5 | CVE-2018-1270 | not found | - | High | TRUE | |
| | CVE-2018-1257 | - | - | Medium | TRUE | |
| spring-web:3.0.5 | CVE-2016-1000027 | not found | - | High | TRUE | |
| | CVE-2014-0225 | - | CVE-2014-0225 | High | TRUE | |
| | CVE-2011-2730 | - | - | High | TRUE | |
| | - | - | CVE-2013-4152 | Medium | TRUE | |
| | CVE-2018-1272 | - | - | High | TRUE | |
| | CVE-2020-5398 | - | - | High | TRUE | An example of an Advisory Deviation Notice in IQ: "The Sonatype security research team discovered that this vulnerability was introduced in version 3.0.2.RELEASE and not 5.0.x as stated in the advisory." |
| | CVE-2013-6429 | - | - | Medium | TRUE | |
| | CVE-2014-0054 | - | CVE-2014-0054 | Medium | TRUE | |
| | CVE-2013-6430 | - | - | Medium | TRUE | |
| spring-context:3.0.5 | CVE-2011-2894 | not found | - | Medium | TRUE | |
| spring-core:3.0.5 | - | CVE-2011-2730 | CVE-2011-2730 | High | TRUE | |
| | CVE-2011-2894 | CVE-2011-2894 | CVE-2011-2894 | Medium | TRUE | |
| | - | - | CVE-2013-4152 | Medium | FALSE | Duplicate of the same vulnerability in spring-web |
| | - | CVE-2013-4152 | - | Medium | FALSE | The vulnerability relates to the spring-web component |
| | - | CVE-2013-6429 | CVE-2013-6429 | Medium | FALSE | The vulnerability relates to the spring-web component |
| | - | CVE-2013-6430 | - | Medium | FALSE | The vulnerability relates to the spring-web component |
| | - | CVE-2013-7315 | CVE-2013-7315 | Medium | FALSE | SPLIT from CVE-2013-4152, and the vulnerability relates to the spring-web component |
| | - | CVE-2014-0054 | CVE-2014-0054 | Medium | FALSE | The vulnerability relates to the spring-web component |
| | - | CVE-2014-0225 | - | High | FALSE | The vulnerability relates to the spring-web component |
| | - | - | CVE-2014-0225 | High | FALSE | Duplicate of the same vulnerability in spring-web |
| | - | CVE-2014-1904 | CVE-2014-1904 | Medium | FALSE | The vulnerability relates to the spring-webmvc component |
| | - | CVE-2014-3625 | CVE-2014-3625 | Medium | FALSE | The vulnerability relates to the spring-webmvc component |
| | - | CVE-2016-9878 | CVE-2016-9878 | High | FALSE | The vulnerability relates to the spring-webmvc component |
| | - | CVE-2018-1270 | CVE-2018-1270 | High | FALSE | For spring-expression/spring-messaging |
| | - | CVE-2018-1271 | CVE-2018-1271 | Medium | FALSE | The vulnerability relates to the spring-webmvc component |
| | - | CVE-2018-1272 | CVE-2018-1272 | High | TRUE | |
| | CVE-2014-3578 | CVE-2014-3578 (OSSINDEX) | CVE-2014-3578 | Medium | TRUE | |
| | SONATYPE-2015-0327 | - | - | Low | TRUE | |
| struts2-config-browser-plugin:2.3.30 | SONATYPE-2016-0104 | - | - | Medium | TRUE | |
| spring-tx:3.0.5 | - | CVE-2011-2730 | - | High | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2011-2894 | - | High | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2013-4152 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2013-6429 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2013-6430 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2013-7315 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2014-0054 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2014-0225 | - | High | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2014-1904 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2014-3625 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2016-9878 | - | High | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2018-1270 | - | High | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2018-1271 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2018-1272 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| struts-core:1.3.8 | - | CVE-2011-5057 (OSSINDEX) | - | Medium | FALSE | Vulnerability for Struts 2 |
| | - | CVE-2012-0391 (OSSINDEX) | CVE-2012-0391 | High | FALSE | Vulnerability for Struts 2 |
| | - | CVE-2014-0094 (OSSINDEX) | CVE-2014-0094 | Medium | FALSE | Vulnerability for Struts 2 |
| | - | CVE-2014-0113 (OSSINDEX) | CVE-2014-0113 | High | FALSE | Vulnerability for Struts 2 |
| | CVE-2016-1182 | CVE-2016-1182 | - | High | TRUE | |
| | - | - | CVE-2011-5057 | Medium | FALSE | Vulnerability for Struts 2 |
| | - | CVE-2012-0392 (OSSINDEX) | CVE-2012-0392 | High | FALSE | Vulnerability for Struts 2 |
| | - | CVE-2012-0393 (OSSINDEX) | CVE-2012-0393 | Medium | FALSE | Vulnerability for Struts 2 |
| | CVE-2015-0899 | CVE-2015-0899 | - | High | TRUE | |
| | - | CVE-2012-0394 | CVE-2012-0394 | Medium | FALSE | Vulnerability for Struts 2 |
| | - | CVE-2012-0838 (OSSINDEX) | CVE-2012-0838 | High | FALSE | Vulnerability for Struts 2 |
| | - | CVE-2013-1965 (OSSINDEX) | CVE-2013-1965 | High | FALSE | Vulnerability for Struts 2 |
| | - | CVE-2013-1966 (OSSINDEX) | CVE-2013-1966 | High | FALSE | Vulnerability for Struts 2 |
| | - | CVE-2013-2115 | CVE-2013-2115 | High | FALSE | Vulnerability for Struts 2 |
| | - | CVE-2013-2134 (OSSINDEX) | CVE-2013-2134 | High | FALSE | Vulnerability for Struts 2 |
| | - | CVE-2013-2135 (OSSINDEX) | CVE-2013-2135 | High | FALSE | Vulnerability for Struts 2 |
| | CVE-2014-0114 | CVE-2014-0114 | - | High | TRUE | |
| | - | CVE-2015-2992 | CVE-2015-2992 | Medium | FALSE | Vulnerability for Struts 2 |
| | - | CVE-2016-0785 (OSSINDEX) | CVE-2016-0785 | High | FALSE | Vulnerability for Struts 2 |
| | CVE-2016-1181 | CVE-2016-1181 | - | High | TRUE | |
| | - | CVE-2016-4003 (OSSINDEX) | CVE-2016-4003 | High | FALSE | Vulnerability for Struts 2 |
| xwork-core:2.3.30 | CVE-2017-9804 | - | - | High | TRUE | |
| | SONATYPE-2017-0173 | - | - | High | TRUE | |
| | CVE-2017-7672 | - | - | High | FALSE | Duplicate of CVE-2017-9804 |
| | SONATYPE-2016-0127 | - | - | High | TRUE | |
| struts2-core:2.3.30 | - | CVE-2016-6795 | CVE-2016-6795 | High | TRUE | |
| | - | CVE-2017-9787 | CVE-2017-9787 | High | TRUE | |
| | - | CVE-2017-9791 | CVE-2017-9791 | High | TRUE | |
| | - | CVE-2017-9793 | - | High | FALSE | Duplicate of CVE-2018-1327 |
| | - | CVE-2017-9804 | - | High | TRUE | |
| | - | CVE-2017-9805 | CVE-2017-9805 | High | TRUE | |
| | CVE-2016-4003 | - | - | Medium | FALSE | Applies to Apache Struts 2.x up to 2.3.28, whereas we have version 2.3.30. However, according to the description, the CVE applies to any version of Struts 2 if JRE 1.7 or lower is used. Apparently they decided to play safe here, but it looks more like FALSE |
| | - | CVE-2018-1327 | CVE-2018-1327 | High | TRUE | |
| | CVE-2017-5638 | CVE-2017-5638 | CVE-2017-5638 | High | TRUE | The same vulnerability that the Equifax hackers exploited in 2017 |
| | CVE-2017-12611 | CVE-2017-12611 | - | High | TRUE | |
| | CVE-2018-11776 | CVE-2018-11776 | CVE-2018-11776 | High | TRUE | |
| struts-taglib:1.3.8 | - | CVE-2012-0394 | - | Medium | FALSE | For struts2-core |
| | - | CVE-2013-2115 | - | High | FALSE | For struts2-core |
| | - | CVE-2014-0114 | - | High | FALSE | For commons-beanutils |
| | - | CVE-2015-0899 | - | High | FALSE | Not applicable to taglib |
| | - | CVE-2015-2992 | - | Medium | FALSE | Refers to struts2-core |
| | - | CVE-2016-1181 | - | High | FALSE | Not applicable to taglib |
| | - | CVE-2016-1182 | - | High | FALSE | Not applicable to taglib |
| struts-tiles:1.3.8 | - | CVE-2012-0394 | - | Medium | FALSE | For struts2-core |
| | - | CVE-2013-2115 | - | High | FALSE | For struts2-core |
| | - | CVE-2014-0114 | - | High | FALSE | In commons-beanutils |
| | - | CVE-2015-0899 | - | High | FALSE | Not applicable to tiles |
| | - | CVE-2015-2992 | - | Medium | FALSE | For struts2-core |
| | - | CVE-2016-1181 | - | High | FALSE | Not applicable to taglib |
| | - | CVE-2016-1182 | - | High | FALSE | Not applicable to taglib |
Source: www.hab.com