Using a vulnerability scanner for libraries with Dependency-Check in GitLab CI

An important part of vulnerability management is understanding and securing the supply chain of software components that make up modern systems. Agile and DevOps teams make extensive use of open-source libraries and frameworks to cut development time and cost. The downside of that bargain is the chance of inheriting other people's mistakes and vulnerabilities.

Obviously, a team needs to know exactly which open-source components are included in its applications, make sure that known-good versions are downloaded from trusted sources, and pull in updated versions of those components once the vulnerabilities found in them have been patched.

In this post we will look at using OWASP Dependency Check to fail the build when it finds serious problems in your project's dependencies.

The book "Security in DevOps" describes it as follows. OWASP Dependency Check is a free scanner that catalogs all the open-source components used in an application and reports the known vulnerabilities they contain. There are versions for Java, .NET, Ruby (gemspec), PHP (composer), Node.js and Python, as well as some C/C++ projects. Dependency Check integrates with many build tools, including Ant, Maven and Gradle, and with continuous integration servers such as Jenkins.

Dependency Check reports every component with a known vulnerability recorded in NIST's National Vulnerability Database (NVD) and is kept current with data from the NVD feeds.

Fortunately, all of this can be done with tools such as the OWASP Dependency Check project or commercial products like Black Duck, JFrog Xray, Snyk, Sonatype Nexus Lifecycle or SourceClear.

These tools can be built into the build pipeline to automatically inventory open-source dependencies, flag outdated library versions and libraries with known vulnerabilities, and fail the build when serious problems are found.

OWASP Dependency Check

To try Dependency Check out and show how it works, we use the dependency-check-example repository.

To view the HTML report, you need to set up an nginx web server on your gitlab-runner host that serves the runner's build directory. Note that with autoindex enabled this exposes every project checked out on the runner, so restrict who can reach that port (firewall, allow-list or basic auth).

Example of a minimal nginx config:

server {
    listen       9999;
    listen       [::]:9999;
    server_name  _;
    # the runner checks projects out under this directory, so a report's
    # path relative to it becomes its URL path
    root         /home/gitlab-runner/builds;

    location / {
        autoindex on;
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

At the end of the job output, the report URL is printed (screenshot in the original post). Follow the link and open the vulnerability report.

The first screenshot is the top of the report with the summary.

The second screenshot shows the details of CVE-2017-5638: the CVE score and links to exploits.

The third screenshot shows the details of log4j-api-2.7.jar; the CVE scores there are 7.5 and 9.8.

The fourth screenshot shows the details of commons-fileupload-1.3.2.jar; again the CVE scores are 7.5 and 9.8.

If you want to publish the report with GitLab Pages, it will not work out of the box: with the default artifacts setting (when: on_success) a failed job does not upload its artifacts.

Example: https://gitlab.com/anton_patsev/dependency-check-example-gitlab-pages.

Build output: no artifacts, I don't see the HTML report. You need to try Artifact: always

https://gitlab.com/anton_patsev/dependency-check-example-gitlab-pages/-/jobs/400004246


Managing the CVE severity threshold

The most important line in the .gitlab-ci.yml file:

mvn $MAVEN_CLI_OPTS test org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7

The failBuildOnCVSS parameter sets the CVSS score at or above which the build fails, so you can tune which level of CVE severity you want to react to. With 7 the build fails on High (7.0 to 8.9) and Critical (9.0 to 10.0) findings and only reports lower ones.
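The same gating rule, applied outside Maven to the plugin's JSON report, is useful when the job captures the exit code the way the pipeline below does and you want to decide for yourself what fails the job. The script is an added example, not code from the page or from the Dependency-Check project; it assumes the layout of dependency-check-report.json (dependencies with fileName and vulnerabilities carrying name, severity, cvssv2.score and cvssv3.baseScore), the sample report is constructed for the example, and the struts2-core file name is assumed. The accepted list is this script's own risk-acceptance mechanism, not the plugin's suppression file.

```python
"""Fail a build on Dependency-Check findings at or above a CVSS threshold.

Added example, not code from the page or from the Dependency-Check project.
It assumes the layout of the plugin's JSON report (target/dependency-check-report.json,
produced with -Dformat=JSON or -Dformat=ALL): "dependencies" -> "fileName" and
"vulnerabilities" -> "name", "severity", "cvssv2"."score", "cvssv3"."baseScore".
SAMPLE_REPORT is constructed for this example; the struts2-core file name is assumed.
"""
import json
import sys
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the shape of dependency-check-report.json. The scores
# match the report on the page (7.5 / 9.8 for the two jars, 10.0 for CVE-2017-5638).
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "struts2-core-2.3.20.jar",
         "vulnerabilities": [
             {"name": "CVE-2017-5638", "severity": "CRITICAL",
              "cvssv2": {"score": 10.0}, "cvssv3": {"baseScore": 10.0}}]},
        {"fileName": "log4j-api-2.7.jar",
         "vulnerabilities": [
             {"name": "CVE-2017-5645", "severity": "CRITICAL",
              "cvssv2": {"score": 7.5}, "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "commons-fileupload-1.3.2.jar",
         "vulnerabilities": [
             {"name": "CVE-2016-1000031", "severity": "CRITICAL",
              "cvssv2": {"score": 7.5}, "cvssv3": {"baseScore": 9.8}}]},
        # constructed clean dependency: no findings at all
        {"fileName": "internal-utils-1.0.jar", "vulnerabilities": []},
    ]
})

Finding = Tuple[str, str, float]   # (file name, CVE id, score used for the gate)


def vuln_score(vuln: Dict) -> float:
    """Highest available CVSS score: v3 base score when present, v2 otherwise.
    Older CVEs carry no v3 score, so both fields must be consulted."""
    scores = []
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    if "baseScore" in v3:
        scores.append(float(v3["baseScore"]))
    if "score" in v2:
        scores.append(float(v2["score"]))
    return max(scores) if scores else 0.0


def findings_at_or_above(report_json: str, threshold: float,
                         accepted: Iterable[str] = ()) -> List[Finding]:
    """Return findings whose score is >= threshold (the failBuildOnCVSS rule),
    skipping CVE ids that were explicitly accepted (risk accepted / false positive)."""
    accepted = set(accepted)
    report = json.loads(report_json)
    hits: List[Finding] = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            if vuln["name"] in accepted:
                continue
            score = vuln_score(vuln)
            if score >= threshold:
                hits.append((dep["fileName"], vuln["name"], score))
    # Worst first, then by file name, so the job log is stable between runs.
    return sorted(hits, key=lambda h: (-h[2], h[0]))


def gate(report_json: str, threshold: float, accepted: Iterable[str] = ()) -> int:
    """Print the findings and return the exit code for the CI job: 1 to fail, 0 to pass."""
    hits = findings_at_or_above(report_json, threshold, accepted)
    for file_name, cve, score in hits:
        print(f"FAIL {score:>4.1f}  {cve:<16}  {file_name}")
    print(f"{len(hits)} finding(s) at CVSS >= {threshold}")
    return 1 if hits else 0


if __name__ == "__main__":
    # usage: cvss_gate.py [report.json] [threshold] [accepted CVE ids...]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    data = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    sys.exit(gate(data, threshold, sys.argv[3:]))
```

Run without arguments it gates the constructed sample at 7.0 and exits 1; point it at target/dependency-check-report.json from a real run to use it as the last step of the job. Accepted CVE ids are matched by name only, so record the reason for each acceptance next to the list in version control, the same way you would annotate a suppression file.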

Downloading the NIST Vulnerability Database (NVD) from the Internet

Have you noticed that Dependency Check downloads the NIST vulnerability database (NVD) from the Internet on every run (see the job log in the original post)?

To download it once and serve it locally, you can use the nist_data_mirror_golang utility.

Let's install and start it.

yum -y install yum-plugin-copr
yum copr enable antonpatsev/nist_data_mirror_golang
yum -y install nist-data-mirror
systemctl start nist-data-mirror

nist-data-mirror downloads the NIST CVE JSON feeds into /var/www/repos/nist-data-mirror/ at startup and refreshes them every 24 hours.
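Once the feed is served from your own host, every scan trusts that copy, so it is worth checking that the mirror is intact and fresh before pointing builds at it. The script below is an added example, not part of the page or of nist_data_mirror. It assumes the NVD 1.1 feed layout: nvdcve-1.1-<year>.json.gz published next to nvdcve-1.1-<year>.meta, the .meta being "key:value" lines with lastModifiedDate, size, zipSize, gzSize and sha256, where size and sha256 refer to the uncompressed JSON. The feed and .meta used in it are constructed, and the 48-hour freshness limit is a choice for this example.

```python
"""Check a mirrored NVD 1.1 feed against its .meta file before serving it.

Added example, not part of the page or of nist_data_mirror. It assumes the
NVD 1.1 feed layout: nvdcve-1.1-<year>.json.gz next to nvdcve-1.1-<year>.meta,
a text file of "key:value" lines with lastModifiedDate, size, zipSize, gzSize
and sha256, where size and sha256 refer to the uncompressed JSON.
The feed and .meta below are constructed for the example.
"""
import gzip
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Fixed "now" so the constructed sample verifies the same way on every run.
REFERENCE_NOW = datetime(2019, 11, 21, 12, 0, tzinfo=timezone.utc)


def parse_meta(text: str) -> Dict[str, str]:
    """Parse 'key:value' lines; the date value itself contains ':' so split once."""
    meta = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            meta[key.strip()] = value.strip()
    return meta


def verify_feed(gz_bytes: bytes, meta_text: str,
                max_age: timedelta = timedelta(hours=48),
                now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems (empty means the feed is good): gzip size and
    JSON size as declared, sha256 of the JSON as declared, and lastModifiedDate
    no older than max_age (the mirror is supposed to refresh every 24 hours)."""
    problems: List[str] = []
    meta = parse_meta(meta_text)
    missing = [k for k in ("size", "gzSize", "sha256", "lastModifiedDate") if k not in meta]
    if missing:
        return [f"meta missing {k}" for k in missing]
    if len(gz_bytes) != int(meta["gzSize"]):
        problems.append(f"gzSize {len(gz_bytes)} != {meta['gzSize']}")
    try:
        data = gzip.decompress(gz_bytes)
    except (OSError, EOFError) as exc:          # not gzip, or truncated
        return problems + [f"gzip decode failed: {exc}"]
    if len(data) != int(meta["size"]):
        problems.append(f"size {len(data)} != {meta['size']}")
    if hashlib.sha256(data).hexdigest().lower() != meta["sha256"].lower():
        problems.append("sha256 mismatch: feed content does not match .meta")
    try:
        modified = datetime.fromisoformat(meta["lastModifiedDate"])
    except ValueError:
        return problems + [f"unparseable lastModifiedDate {meta['lastModifiedDate']}"]
    if modified.tzinfo is None:
        modified = modified.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if now - modified > max_age:
        problems.append(f"feed stale: lastModifiedDate {meta['lastModifiedDate']}")
    return problems


def make_sample(modified: str = "2019-11-20T03:06:05-05:00",
                tamper: bool = False) -> Tuple[bytes, str]:
    """Build a constructed feed plus a .meta that matches it, or (tamper=True)
    a feed whose content was changed after the .meta was written."""
    feed = (b'{"CVE_data_type":"CVE","CVE_data_format":"MITRE",'
            b'"CVE_data_version":"4.0","CVE_data_numberOfCVEs":"0","CVE_Items":[]}')
    gz = gzip.compress(feed, compresslevel=9)
    meta = "\n".join([
        f"lastModifiedDate:{modified}",
        f"size:{len(feed)}",
        f"zipSize:{len(gz)}",
        f"gzSize:{len(gz)}",
        f"sha256:{hashlib.sha256(feed).hexdigest().upper()}",
    ])
    if tamper:
        # Content changed behind the .meta; the hash check must catch it
        # even when the sizes happen to stay the same.
        gz = gzip.compress(feed.replace(b'"0"', b'"9"'), compresslevel=9)
    return gz, meta


if __name__ == "__main__":
    for label, sample in (("good", make_sample()), ("tampered", make_sample(tamper=True))):
        print(label, verify_feed(*sample, now=REFERENCE_NOW) or "OK")
```

On the mirror host you would read nvdcve-1.1-<year>.json.gz and the matching .meta from /var/www/repos/nist-data-mirror/ and call verify_feed on each pair; a non-empty result is a reason not to let builds use that copy. The .meta check only proves the feed matches what NIST published alongside it, so fetch the .meta over TLS from the source rather than from the mirror you are checking.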

To serve the NVD CVE JSON to Dependency Check, you need an nginx web server (for example on your gitlab-runner host). The pipeline below fetches the feeds from localhost, so this server can be bound to 127.0.0.1 only; nothing else needs to reach it.

Example of a minimal nginx config:

server {
    listen       12345;       # use 127.0.0.1:12345 if only local builds read the mirror
    listen       [::]:12345;
    server_name  _;
    root         /var/www/repos/nist-data-mirror/;

    location / {
        autoindex on;
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

To keep the mvn command line short, we move the parameters into a separate variable, DEPENDENCY_OPTS.

The final minimal .gitlab-ci.yml looks like this. Note that cveUrlModified and cveUrlBase belong to the Dependency Check releases that consumed the NVD 1.1 JSON feeds; NIST retired those feeds at the end of 2023, and Dependency Check 9 and later reads the NVD API instead, with nvdDatafeedUrl as the property for pointing it at a local mirror.

variables:
  MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true"
  MAVEN_CLI_OPTS: "--batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true"
  DEPENDENCY_OPTS: "-DfailBuildOnCVSS=7 -DcveUrlModified=http://localhost:12345/nvdcve-1.1-modified.json.gz -DcveUrlBase=http://localhost:12345/nvdcve-1.1-%d.json.gz"

cache:
  paths:
    - .m2/repository

verify:
  stage: test
  script:
    - set +e
    - mvn $MAVEN_CLI_OPTS install org.owasp:dependency-check-maven:check $DEPENDENCY_OPTS || EXIT_CODE=$?
    # strip the runner's build root from the path; '#' is used as the sed delimiter because the pattern contains slashes
    - export PATH_WITHOUT_HOME=$(pwd | sed -e "s#/home/gitlab-runner/builds##g")
    - echo "************************* URL Dependency-check-report.html *************************"
    - echo "http://$HOSTNAME:9999$PATH_WITHOUT_HOME/target/dependency-check-report.html"
    - set -e
    # EXIT_CODE is only set when mvn failed, so default to 0 for a clean run
    - exit ${EXIT_CODE:-0}
  tags:
    - shell

Telegram chat on DevOps and security
Telegram channel DevSecOps / SSDLC - Secure development

Source: www.hab.com
