A significant share of vulnerabilities comes down to the supply chain of software components, and that chain threatens modern systems. Agile and DevOps teams make wide use of open-source libraries and frameworks to cut development time and cost. That has its benefits, but it also has a price: you inherit the weaknesses and vulnerabilities of everything you pull in.
Clearly, the team has to be able to know which open-source components are included in its applications, to make sure the versions in use are known and come from known sources, and to move to updated versions of components once recently discovered vulnerabilities have been fixed.
In this post we look at using OWASP Dependency Check to find out whether your code has known problems.
The book "Agile Application Security" describes it like this. OWASP Dependency Check is a free scanner that catalogues all the open-source components used in an application and shows their known vulnerabilities. There are versions for Java, .NET, Ruby (gemspec), PHP (composer), Node.js and Python, as well as some C/C++ projects. Dependency Check integrates with common build tools, including Ant, Maven and Gradle, and with continuous-integration servers such as Jenkins.
Dependency Check reports on every component with known vulnerabilities from NIST's National Vulnerability Database (NVD) and updates itself with data from the NVD news feeds.
In other words, this can be done automatically with the OWASP Dependency Check project, which, built into the build pipelines,
analyses the libraries, catalogues the open-source dependencies, detects outdated library versions and libraries containing known vulnerabilities, and so flags known problems at an early stage.
OWASP Dependency Check
To test and show how Dependency Check works, we use this repository.
To view the HTML report you need to set up the nginx web server on your gitlab-runner.
An example nginx configuration looks like this:
server {
    listen 9999;
    listen [::]:9999;
    server_name _;
    # every checked-out build tree of the runner is listed here, so limit who can reach this port
    root /home/gitlab-runner/builds;
    location / {
        autoindex on;
    }
    # the location must name the same file as error_page (the original had /40x.html here)
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
When the job finishes you will see this picture (screenshot of the job log):
Follow the link and look at the Dependency Check report.
The first screenshot is the top part of the report with the summary.
The second screenshot is the detail for CVE-2017-5638. Here we see the CVE score and the reference links to the exploit.
The third screenshot is the detail for log4j-api-2.7.jar. We see CVE scores of 7.5 and 9.8.
The fourth screenshot is the detail for commons-fileupload-1.3.2.jar. We see CVE scores of 7.5 and 9.8.
If you want to use GitLab Pages, this will not work: a failed job does not produce an artifact.
Example here.
No artifacts, so we do not see the HTML report. You could try Artifact: always.
Setting the CVE severity level
The most important line in the gitlab-ci.yaml file:
mvn $MAVEN_CLI_OPTS test org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7
The failBuildOnCVSS parameter lets you set the CVE severity level at which you need to react: the build fails as soon as a finding reaches that CVSS score.
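As an added illustration of how that gate decides (this is not code from the article or from Dependency-Check itself), the following script applies a failBuildOnCVSS-style threshold to a constructed report. It assumes the JSON report layout dependencies[].vulnerabilities[].cvssv2.score / cvssv3.baseScore; the file names and scores follow the screenshots above, and the CVE ids are placeholders.

```python
import json

# Constructed sample (not real scan output) in the assumed layout of a
# dependency-check JSON report; CVE ids are placeholders, scores and file
# names follow the article's screenshots.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "log4j-api-2.7.jar", "vulnerabilities": [
        {"name": "CVE-PLACEHOLDER-1", "cvssv2": {"score": 7.5}},
        {"name": "CVE-PLACEHOLDER-2", "cvssv3": {"baseScore": 9.8}}]},
    {"fileName": "commons-fileupload-1.3.2.jar", "vulnerabilities": [
        {"name": "CVE-PLACEHOLDER-3", "cvssv2": {"score": 7.5}}]},
    {"fileName": "quiet-lib-1.0.jar", "vulnerabilities": []},
    {"fileName": "minor-lib-2.1.jar", "vulnerabilities": [
        {"name": "CVE-PLACEHOLDER-4", "cvssv3": {"baseScore": 4.3}}]},
]})


def finding_score(vuln):
    """Highest CVSS score carried by one finding (v3 base score or v2 score)."""
    scores = []
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    if v3.get("baseScore") is not None:
        scores.append(float(v3["baseScore"]))
    if v2.get("score") is not None:
        scores.append(float(v2["score"]))
    return max(scores, default=0.0)


def failing_dependencies(report_json, fail_on_cvss):
    """Map fileName -> worst score for every dependency that trips the gate.

    Same rule as -DfailBuildOnCVSS=<n>: a finding whose CVSS is equal to or
    above n fails the build; a dependency with no findings never fails.
    """
    failing = {}
    for dep in json.loads(report_json).get("dependencies", []):
        scores = [finding_score(v) for v in dep.get("vulnerabilities", [])]
        if scores and max(scores) >= fail_on_cvss:
            failing[dep["fileName"]] = max(scores)
    return failing


def build_exit_code(report_json, fail_on_cvss=7.0):
    """0 when the gate passes, 1 when the CI job should fail."""
    offenders = failing_dependencies(report_json, fail_on_cvss)
    for name, score in sorted(offenders.items()):
        print(f"FAIL {name}: CVSS {score} >= {fail_on_cvss}")
    return 1 if offenders else 0


if __name__ == "__main__":
    raise SystemExit(build_exit_code(SAMPLE_REPORT))
```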
A local mirror of the NIST vulnerability database (NVD)
So that NIST does not ban you, you can mirror the NIST Vulnerability Database (NVD) yourself:
To download it you can use the nist-data-mirror utility.
Let's install and run it.
yum -y install yum-plugin-copr
yum copr enable antonpatsev/nist_data_mirror_golang
yum -y install nist-data-mirror
systemctl start nist-data-mirror
nist-data-mirror downloads the NIST CVE JSON feeds into /var/www/repos/nist-data-mirror/ when it starts and refreshes the data every 24 hours.
To hand out the NIST CVE JSON files you need to configure the nginx web server (for example, on your gitlab-runner).
An example nginx configuration looks like this:
server {
    listen 12345;
    listen [::]:12345;
    server_name _;
    root /var/www/repos/nist-data-mirror/;
    location / {
        autoindex on;
    }
    # the location must name the same file as error_page (the original had /40x.html here)
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
So as not to make the mvn invocation line too long, we move the parameters into a separate variable, DEPENDENCY_OPTS.
The complete configuration in the resulting .gitlab-ci.yml looks like this:
variables:
  MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true"
  MAVEN_CLI_OPTS: "--batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true"
  # fail at CVSS 7 and fetch the NVD feeds from the local mirror instead of nvd.nist.gov
  DEPENDENCY_OPTS: "-DfailBuildOnCVSS=7 -DcveUrlModified=http://localhost:12345/nvdcve-1.1-modified.json.gz -DcveUrlBase=http://localhost:12345/nvdcve-1.1-%d.json.gz"

cache:
  paths:
    - .m2/repository

verify:
  stage: test
  script:
    # keep running after a failed check so the report URL is still printed
    - set +e
    - mvn $MAVEN_CLI_OPTS install org.owasp:dependency-check-maven:check $DEPENDENCY_OPTS || EXIT_CODE=$?
    # strip the runner's build root from the working directory to build the nginx URL
    # (the sed expression uses '#' as delimiter because the pattern itself contains slashes)
    - export PATH_WITHOUT_HOME=$(pwd | sed -e "s#/home/gitlab-runner/builds##g")
    - echo "************************* URL Dependency-check-report.html *************************"
    - echo "http://$HOSTNAME:9999$PATH_WITHOUT_HOME/target/dependency-check-report.html"
    - set -e
    # propagate the check's exit status; 0 when mvn succeeded and EXIT_CODE was never set
    - exit ${EXIT_CODE:-0}
  tags:
    - shell
Source: www.habr.com