Using the Dependency-Check vulnerability scanner for the libraries you use, in GitlabCI

An important part of vulnerability management is understanding and securing the supply chain of the software components that make up modern systems. Agile and DevOps teams make heavy use of open-source libraries and frameworks to cut development time and cost. But this medal has a flip side: the opportunity to inherit other people's mistakes and vulnerabilities.

The team clearly needs to know exactly which open-source components are included in its applications, to make sure that known trusted versions are downloaded from known trusted sources, and to pull updated versions of components once recently discovered vulnerabilities have been fixed.

In this post we look at using OWASP Dependency Check to abort a build when it identifies serious problems in your code.

In the book "Development Security in Agile Projects" it is described as follows. OWASP Dependency Check is a free scanner that catalogs all open-source components used in an application and shows the vulnerabilities they contain. There are versions for Java, .NET, Ruby (gemspec), PHP (composer), Node.js and Python, as well as for some C/C++ projects. Dependency Check integrates with common build tools, including Ant, Maven and Gradle, and with continuous integration servers such as Jenkins.

Dependency Check reports every component with known vulnerabilities from NIST's National Vulnerability Database (NVD) and keeps itself current with new NVD data feeds.

Fortunately, all of this can be done automatically with tools such as the OWASP Dependency Check project or commercial products such as Black Duck, JFrog Xray, Snyk, Sonatype Nexus Lifecycle or SourceClear.

These tools can be included in build pipelines to automatically inventory open-source dependencies, identify outdated library versions and libraries that contain known vulnerabilities, and abort the build if serious problems are found.

OWASP Dependency Check

To test and demonstrate how Dependency Check works, we use this repository: the dependency-check example.

To view the HTML report, you need to set up the nginx web server on your gitlab-runner.

Example of a minimal nginx configuration. Note that with autoindex on, everything under the builds directory (sources and reports of every project the runner builds) is browsable by anyone who can reach that port, so bind it to an internal interface or restrict access to it:

server {
    listen       9999;
    listen       [::]:9999;
    server_name  _;
    # gitlab-runner's builds directory; the report URL printed by the job is relative to it
    root         /home/gitlab-runner/builds;

    location / {
        autoindex on;
    }

    # the location must match the page named in error_page
    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

At the end of the build you will see this picture:


Follow the link and open the Dependency Check report.

The first screenshot is the top of the report, with the summary.


The second screenshot shows the details of CVE-2017-5638. Here we see the CVE severity level and links to exploits.


The third screenshot shows the details of log4j-api-2.7.jar. We see that the CVSS scores of its CVEs are 7.5 and 9.8.


The fourth screenshot shows the details of commons-fileupload-1.3.2.jar. We see that the CVSS scores of its CVEs are 7.5 and 9.8.


ืื ืืชื” ืจื•ืฆื” ืœื”ืฉืชืžืฉ ื‘ื“ืคื™ gitlab, ืื– ื–ื” ืœื ื™ืขื‘ื•ื“ - ืžืฉื™ืžื” ืฉื ืคืœื” ืœื ืชื™ืฆื•ืจ ื—ืคืฅ.

ื“ื•ื’ืžื” ื›ืืŸ https://gitlab.com/anton_patsev/dependency-check-example-gitlab-pages.

ื‘ื ื™ื™ืช ืคืœื˜: ืื™ืŸ ื—ืคืฆื™ื, ืื ื™ ืœื ืจื•ืื” ืืช ื“ื•ื— ื”-html. ื›ื“ืื™ ืœื ืกื•ืช ืืช Artifact: ืชืžื™ื“

https://gitlab.com/anton_patsev/dependency-check-example-gitlab-pages/-/jobs/400004246


Setting the CVE vulnerability level

The most important line in the gitlab-ci.yaml file:

mvn $MAVEN_CLI_OPTS test org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7

The failBuildOnCVSS parameter sets the CVE severity level (CVSS score) at which you need to react and the build fails.
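As an added example (not code from this post and not Dependency-Check's own code), the script below applies the same rule as failBuildOnCVSS to Dependency-Check's JSON report (produced with the plugin's format parameter, e.g. -Dformat=JSON), so that the offending libraries and their scores can be listed in the job log before the job exits non-zero. The field names it reads (dependencies[].fileName, vulnerabilities[].name, cvssv2.score, cvssv3.baseScore) follow the JSON report layout as I understand it and should be treated as an assumption; the sample report embedded at the bottom is constructed, with placeholder CVE ids, and only mirrors the file names and scores shown in the screenshots above.

```python
"""cvss_gate.py: fail a build when a Dependency-Check JSON report contains a
finding at or above a CVSS threshold (the same rule as -DfailBuildOnCVSS).
Added example, not part of the original post. Field names are assumptions
about the Dependency-Check JSON report format."""
import json
import sys


def vuln_score(vuln):
    """Highest available CVSS base score for one vulnerability entry.
    Dependency-Check may carry a v2 score, a v3 score or both."""
    scores = []
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    if "baseScore" in v3:
        scores.append(float(v3["baseScore"]))
    if "score" in v2:
        scores.append(float(v2["score"]))
    return max(scores, default=0.0)


def findings_at_or_above(report, threshold):
    """Return [(fileName, cve, score)] for every finding with score >= threshold,
    highest score first so the job log leads with the worst library."""
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = vuln_score(vuln)
            if score >= threshold:
                hits.append((dep.get("fileName", "?"), vuln.get("name", "?"), score))
    return sorted(hits, key=lambda hit: (-hit[2], hit[0], hit[1]))


def should_fail(report, threshold):
    """True when at least one finding reaches the threshold."""
    return bool(findings_at_or_above(report, threshold))


# Constructed sample report (not output of a real scan); CVE ids are placeholders.
SAMPLE_REPORT = {
    "dependencies": [
        {"fileName": "log4j-api-2.7.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0001", "cvssv2": {"score": 7.5}},
             {"name": "CVE-EXAMPLE-0002", "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "commons-fileupload-1.3.2.jar",
         "vulnerabilities": [{"name": "CVE-EXAMPLE-0003", "cvssv2": {"score": 5.0}}]},
        {"fileName": "clean-lib-1.0.jar", "vulnerabilities": []},
    ]
}


def main(argv):
    if len(argv) != 3:
        print("usage: cvss_gate.py <dependency-check-report.json> <threshold>", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        report = json.load(fh)
    threshold = float(argv[2])
    hits = findings_at_or_above(report, threshold)
    for file_name, cve, score in hits:
        print("%-40s %-20s CVSS %.1f" % (file_name, cve, score))
    if hits:
        print("FAIL: %d finding(s) at or above CVSS %.1f" % (len(hits), threshold))
        return 1
    print("OK: no findings at or above CVSS %.1f" % threshold)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a step after the scan, e.g. python3 cvss_gate.py target/dependency-check-report.json 7; with the sample report and a threshold of 7 it lists the two log4j-api findings and exits 1, while a threshold of 10 passes.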

Downloading the NIST vulnerability database (NVD) from the Internet

Did you notice that the NIST vulnerability database (NVD) is downloaded from the Internet on every run:


To download it locally, you can use the nist_data_mirror_golang utility.

Let's install and start it.

yum -y install yum-plugin-copr
yum copr enable antonpatsev/nist_data_mirror_golang
yum -y install nist-data-mirror
systemctl start nist-data-mirror

Nist-data-mirror downloads the NIST CVE JSON feeds into /var/www/repos/nist-data-mirror/ at startup and refreshes the data every 24 hours.

To let Dependency Check fetch the NIST CVE JSON from the mirror, you need to set up the nginx web server (for example, on your gitlab-runner).

Example of a minimal nginx configuration:

server {
    listen       12345;
    listen       [::]:12345;
    server_name  _;
    # directory that nist-data-mirror keeps the NVD JSON feeds in
    root         /var/www/repos/nist-data-mirror/;

    location / {
        autoindex on;
    }

    # the location must match the page named in error_page
    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

To avoid an overly long line where mvn is invoked, we move the parameters into a separate variable, DEPENDENCY_OPTS.

The final minimal .gitlab-ci.yml configuration looks like this:

variables:
  MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true"
  MAVEN_CLI_OPTS: "--batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true"
  DEPENDENCY_OPTS: "-DfailBuildOnCVSS=7 -DcveUrlModified=http://localhost:12345/nvdcve-1.1-modified.json.gz -DcveUrlBase=http://localhost:12345/nvdcve-1.1-%d.json.gz"

cache:
  paths:
    - .m2/repository

verify:
  stage: test
  script:
    - set +e
    - mvn $MAVEN_CLI_OPTS install org.owasp:dependency-check-maven:check $DEPENDENCY_OPTS || EXIT_CODE=$?
    # strip the runner's builds root from the working directory; '#' is used as the
    # sed delimiter because the path itself contains slashes
    - export PATH_WITHOUT_HOME=$(pwd | sed -e "s#/home/gitlab-runner/builds##g")
    - echo "************************* URL Dependency-check-report.html *************************"
    - echo "http://$HOSTNAME:9999$PATH_WITHOUT_HOME/target/dependency-check-report.html"
    - set -e
    # exit with the scan's status (0 when mvn succeeded and EXIT_CODE was never set)
    - exit ${EXIT_CODE:-0}
  tags:
    - shell
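The script section above has to juggle set +e / set -e so that the report URL is printed even when the scan fails, while the job still exits with the scan's status. As an added example (not the post's code, and not part of Dependency-Check or GitLab), the helper below does the same from one Python entry point: it runs the scan command, prints the report URL, and returns the scan's exit code. It assumes the layout of the post, i.e. the runner's builds root /home/gitlab-runner/builds served by nginx on port 9999, and strips that root from the working directory with a prefix check instead of sed. The names BUILDS_ROOT, REPORT_PORT, path_without_root, report_url and run_scan are mine.

```python
"""ci_scan.py: run the Dependency-Check scan, print the report URL, exit with
the scan's own status. Added example for the .gitlab-ci.yml above; not the
post's code. Assumes the builds root and nginx port used in the post."""
import os
import subprocess
import sys

BUILDS_ROOT = "/home/gitlab-runner/builds"     # nginx root from the post
REPORT_PORT = 9999                             # nginx listen port from the post
REPORT_FILE = "target/dependency-check-report.html"


def path_without_root(path, root=BUILDS_ROOT):
    """Return path relative to root, keeping the leading slash:
    /home/gitlab-runner/builds/grp/proj -> /grp/proj.
    A path outside root is returned unchanged rather than mangled."""
    root = root.rstrip("/")
    if path == root:
        return ""
    if path.startswith(root + "/"):
        return path[len(root):]
    return path


def report_url(hostname, build_dir, port=REPORT_PORT):
    """URL under which nginx serves this build's HTML report."""
    return "http://%s:%d%s/%s" % (hostname, port, path_without_root(build_dir), REPORT_FILE)


def run_scan(cmd):
    """Run the scan command and return its exit status; never raises on a
    non-zero status, so the URL below is printed even when the build fails."""
    return subprocess.call(cmd)


def main(argv):
    # default command mirrors the post's job; any argv overrides it
    cmd = argv[1:] or ["mvn", "--batch-mode", "install",
                       "org.owasp:dependency-check-maven:check", "-DfailBuildOnCVSS=7"]
    status = run_scan(cmd)
    host = os.environ.get("HOSTNAME") or os.uname().nodename
    print("*" * 25, "URL Dependency-check-report.html", "*" * 25)
    print(report_url(host, os.getcwd()))
    return status  # the job fails exactly when the scan failed


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the job this replaces the whole script block with a single line, python3 ci_scan.py, or python3 ci_scan.py mvn $MAVEN_CLI_OPTS install org.owasp:dependency-check-maven:check $DEPENDENCY_OPTS to keep the variables from the post.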

ืฆ'ืื˜ ื‘ื˜ืœื’ืจื ืขืœ DevOps ื•ืื‘ื˜ื—ื”
ืขืจื•ืฅ ื˜ืœื’ืจื DevSecOps / SSDLC - ืคื™ืชื•ื— ืžืื•ื‘ื˜ื—

ืžืงื•ืจ: www.habr.com
