The importance of Software Composition Analysis (SCA) of third-party components in the development process is growing, along with the release of annual reports on vulnerabilities in open-source libraries published by Synopsys, Sonatype, Snyk and White Source. According to the report
One of the most revealing points
This article discusses the choice of an SCA tool based on the results of its analysis. A functional comparison of the tools is also given. The approach to CI/CD integration and the integration capabilities are left for subsequent publications. A set of tools was presented by OWASP
How it works
Let's look at what a CPE looks like:
cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
- Part: indicates whether the component is an application (a), an operating system (o) or hardware (h) (required)
- Vendor: the name of the manufacturer (required)
- Product: the name of the product (required)
- Version: the version of the component
- Update: the update of the package
- Edition: the edition of the component (deprecated)
- Language: the language as described in RFC-5646
- SW Edition: the software edition
- Target SW: the software environment in which the product operates
- Target HW: the hardware environment in which the product operates
- Other: vendor or product information
An example CPE looks like this:
cpe:2.3:a:pivotal_software:spring_framework:3.0.0:*:*:*:*:*:*:*
This string says that CPE version 2.3 describes an application component from the vendor pivotal_software, with the product spring_framework, version 3.0.0. If we open a vulnerability
Package URL (PURL) is another identifier used by SCA tools. The Package URL format is as follows:
scheme:type/namespace/name@version?qualifiers#subpath
- Scheme: always 'pkg', indicating that this is a Package URL (required)
- Type: the package "type" or "protocol", such as maven, npm, nuget, gem, pypi, etc. (required)
- Namespace: a name prefix, such as a Maven group ID, a Docker image owner, a GitHub user or organization. Optional and type-specific.
- Name: the package name (required)
- Version: the package version
- Qualifiers: additional qualifying data for the package, such as OS, architecture, distribution, etc. Optional and type-specific.
- Subpath: an additional path within the package, relative to the package root
For example:
pkg:golang/google.golang.org/genproto#googleapis/api/annotations
pkg:maven/org.apache.commons/[email protected]
pkg:pypi/[email protected]
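As an added example (not code from the article or from any of the tools it compares), here is a parser for both identifier formats described above. The spring_framework CPE and the genproto purl are the article's own samples; the other inputs in the comments and checks are constructed. The CPE splitter honours backslash-escaped colons, which a naive split on ':' gets wrong.

```python
"""Parsers for the two component identifiers SCA tools match on: CPE 2.3 and Package URL."""
# Added example, not code from the article or from Nexus IQ / Dependency Check / Dependency Track.
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote

CPE_ATTRS = ("part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other")


def split_cpe(cpe: str) -> list:
    """Split a CPE 2.3 formatted string on ':' while honouring backslash escapes.

    An attribute may contain an escaped colon ('\\:'), so a plain str.split
    would yield the wrong number of fields for such identifiers.
    """
    fields, cur, i = [], "", 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            cur += cpe[i:i + 2]  # keep the escape pair verbatim
            i += 2
            continue
        if ch == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    fields.append(cur)
    return fields


def parse_cpe(cpe: str) -> dict:
    """Return the eleven CPE 2.3 attributes by name; '*' (ANY) and '-' (NA) are kept as-is."""
    fields = split_cpe(cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    attrs = dict(zip(CPE_ATTRS, fields[2:]))
    if attrs["part"] not in ("a", "o", "h", "*", "-"):
        raise ValueError(f"invalid CPE part {attrs['part']!r}")
    return attrs


@dataclass
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: dict = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(purl: str) -> Purl:
    """Decompose a Package URL in the order the purl spec prescribes:
    strip '#subpath', then '?qualifiers', then the 'pkg:' scheme, then type, then '@version'."""
    rest, _, subpath = purl.partition("#")
    rest, _, qualifiers = rest.partition("?")
    scheme, sep, rest = rest.partition(":")
    if not sep or scheme.lower() != "pkg":
        raise ValueError(f"purl must start with 'pkg:': {purl!r}")
    ptype, sep, rest = rest.lstrip("/").partition("/")
    if not sep or not ptype:
        raise ValueError(f"purl has no type or name: {purl!r}")
    version = ""
    if "@" in rest:  # the version follows the last '@'; namespaces may not contain one
        rest, _, version = rest.rpartition("@")
    segments = [unquote(s) for s in rest.split("/") if s]
    if not segments:
        raise ValueError(f"purl has no name: {purl!r}")
    quals = {}
    for kv in filter(None, qualifiers.split("&")):
        key, _, value = kv.partition("=")
        quals[key.lower()] = unquote(value)
    return Purl(ptype.lower(), "/".join(segments[:-1]) or None, segments[-1],
                unquote(version) or None, quals, subpath.strip("/") or None)
```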
An example of what a BOM might look like in XML format:
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
  <components>
    <component type="library">
      <publisher>Apache</publisher>
      <group>org.apache.tomcat</group>
      <name>tomcat-catalina</name>
      <version>9.0.14</version>
      <hashes>
        <hash alg="MD5">3942447fac867ae5cdb3229b658f4d48</hash>
        <hash alg="SHA-1">e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a</hash>
        <hash alg="SHA-256">f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b</hash>
        <hash alg="SHA-512">e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282</hash>
      </hashes>
      <licenses>
        <license>
          <id>Apache-2.0</id>
        </license>
      </licenses>
      <purl>pkg:maven/org.apache.tomcat/[email protected]</purl>
    </component>
    <!-- More components here -->
  </components>
</bom>
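Because Dependency Track analyzes nothing but this BOM, a purl that contradicts the declared coordinates sends the analyzer to the wrong package. The following added example (not code from the article, from CycloneDX or from Dependency Track) reads a CycloneDX 1.2 XML BOM and flags such mismatches, as well as components pinned only by MD5/SHA-1. The BOM is constructed here from the article's tomcat-catalina sample plus a second, deliberately inconsistent component.

```python
"""Read a CycloneDX 1.2 XML BOM (the input Dependency Track consumes) and sanity-check it."""
# Added example; not code from the article, from CycloneDX or from Dependency Track.
import xml.etree.ElementTree as ET

CDX_NS = "http://cyclonedx.org/schema/bom/1.2"
# CycloneDX hash algorithms that are still collision-resistant; MD5 and SHA-1 are not.
STRONG_HASHES = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256", "SHA3-384", "SHA3-512"}

# Constructed sample: the article's tomcat-catalina entry plus a second component whose
# purl disagrees with its declared version and that carries only an MD5 hash.
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" serialNumber="urn:uuid:00000000-0000-4000-8000-000000000001" version="1">
  <components>
    <component type="library">
      <publisher>Apache</publisher>
      <group>org.apache.tomcat</group>
      <name>tomcat-catalina</name>
      <version>9.0.14</version>
      <hashes>
        <hash alg="SHA-256">f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b</hash>
      </hashes>
      <licenses><license><id>Apache-2.0</id></license></licenses>
      <purl>pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14</purl>
    </component>
    <component type="library">
      <group>org.example</group>
      <name>widget</name>
      <version>2.0.0</version>
      <hashes><hash alg="MD5">d41d8cd98f00b204e9800998ecf8427e</hash></hashes>
      <purl>pkg:maven/org.example/widget@1.9.0</purl>
    </component>
  </components>
</bom>
"""


def _tag(name: str) -> str:
    return f"{{{CDX_NS}}}{name}"


def _text(el, name):
    child = el.find(_tag(name))
    return child.text.strip() if child is not None and child.text else None


def parse_bom(xml_text: str) -> list:
    """Return one dict per <component>: coordinates, purl, hashes by algorithm, license ids."""
    root = ET.fromstring(xml_text)
    if root.tag != _tag("bom"):
        raise ValueError(f"expected a CycloneDX 1.2 <bom>, got {root.tag!r}")
    components = []
    for comp in root.iter(_tag("component")):
        components.append({
            "type": comp.get("type"),
            "group": _text(comp, "group"),
            "name": _text(comp, "name"),
            "version": _text(comp, "version"),
            "purl": _text(comp, "purl"),
            "hashes": {h.get("alg"): (h.text or "").strip() for h in comp.iter(_tag("hash"))},
            "licenses": [_text(lic, "id") for lic in comp.iter(_tag("license"))],
        })
    return components


def expected_maven_purl(comp: dict) -> str:
    """The purl CycloneDX derives from Maven coordinates: pkg:maven/<group>/<name>@<version>."""
    namespace = f"{comp['group']}/" if comp["group"] else ""
    return f"pkg:maven/{namespace}{comp['name']}@{comp['version']}"


def check_components(components: list) -> list:
    """Return (purl, problem) pairs: a purl that contradicts the coordinates makes the
    analyzer look up the wrong package; a weak-hash-only entry cannot pin the artifact."""
    problems = []
    for comp in components:
        purl = comp["purl"] or "<no purl>"
        if purl.startswith("pkg:maven/") and purl != expected_maven_purl(comp):
            problems.append((purl, f"purl does not match coordinates {expected_maven_purl(comp)}"))
        if not STRONG_HASHES & set(comp["hashes"]):
            algs = ", ".join(comp["hashes"]) or "none"
            problems.append((purl, f"no SHA-2/SHA-3 hash (algorithms present: {algs})"))
    return problems
```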
A BOM can be used not only as input for Dependency Track, but also to inventory software components on the supplier's side, for example when delivering software to a customer. In 2014 a law to that effect was even proposed in the United States
Returning to SCA, Dependency Track has ready-made integrations with notification platforms such as Slack and with vulnerability management systems such as Kenna Security. It is also worth mentioning that Dependency Track, among other things, identifies outdated packages and provides license information (thanks to SPDX support).
If we talk specifically about the quality of the SCA itself, there is a significant difference.
Dependency Track does not accept the project itself as input, but a BOM. This means that if we want to test a project, we first need to generate bom.xml, for example using CycloneDX. Thus, Dependency Track depends directly on CycloneDX. At the same time, it allows customization. This is what the OZON team wrote
Let's briefly describe some of the functionality, also considering the languages supported for analysis:
| Language | Nexus IQ | Dependency Check | Dependency Track |
|---|---|---|---|
| Java | + | + | + |
| C / C++ | + | + | - |
| C# | + | + | - |
| .Net | + | + | + |
| Erlang | - | - | + |
| JavaScript (NodeJS) | + | + | + |
| PHP | + | + | + |
| Python | + | + | + |
| Ruby | + | + | + |
| Perl | - | - | - |
| Scala | + | + | + |
| Objective C | + | + | - |
| Swift | + | + | - |
| R | + | - | - |
| Go | + | + | + |
Functionality
| Functionality | Nexus IQ | Dependency Check | Dependency Track |
|---|---|---|---|
| Ability to check the components used in the source code for license compliance | + | - | + |
| Ability to scan and analyze Docker images for vulnerabilities and hygiene | + integration with Clair | - | - |
| Ability to configure security policies for the use of open-source libraries | + | - | - |
| Ability to scan open-source repositories for vulnerable components | + RubyGems, Maven, NPM, Nuget, Pypi, Conan, Bower, Conda, Go, p2, R, Yum, Helm, Docker, CocoaPods, Git LFS | - | + Hex, RubyGems, Maven, NPM, Nuget, Pypi |
| Availability of a team of expert researchers | + | - | - |
| Operation in a closed (isolated) network | + | + | + |
| Use of third-party databases | + closed Sonatype database | + Sonatype OSS, NPM Public Advisors | + Sonatype OSS, NPM Public Advisors, RetireJS, VulnDB, support for its own vulnerability database |
| Ability to filter open-source components when they are downloaded into the development pipeline according to the configured policies | + | - | - |
| Remediation recommendations, availability of links to fixes | + | +- (depending on the description in public repositories) | +- (depending on the description in public repositories) |
| Ranking of identified vulnerabilities by severity | + | + | + |
| Role-based access model | + | - | + |
| CLI support | + | + | +- (for CycloneDX only) |
| Filtering / sorting vulnerabilities by defined criteria | + | - | + |
| Dashboard by application profile | + | - | + |
| Report generation in PDF format | + | - | - |
| Report generation in JSON/CSV format | + | + | - |
| Russian language support | - | - | - |
Integration capabilities
| Integration | Nexus IQ | Dependency Check | Dependency Track |
|---|---|---|---|
| LDAP/Active Directory integration | + | - | + |
| Integration with the Bamboo continuous integration system | + | - | - |
| Integration with the TeamCity continuous integration system | + | - | - |
| Integration with the GitLab continuous integration system | + | +- (as a GitLab plugin) | + |
| Integration with the Jenkins continuous integration system | + | + | + |
| Availability of IDE plugins | + IntelliJ, Eclipse, Visual Studio | - | - |
| Support for custom integration via the tool's API | + | - | + |
Dependency Check
Getting started
Let's run Dependency Check on a deliberately vulnerable application
For this we will use
mvn org.owasp:dependency-check-maven:check
As a result, dependency-check-report.html will appear in the target directory.
Let's open the file. After brief summary information on the number of vulnerabilities, we see a list of vulnerabilities with a high level of Severity and Confidence, indicating the package, the CPE and the number of CVEs.
Next comes detailed information, in particular the basis on which the decision was made (evidence), that is, a specific BOM.
Then come the descriptions of the CPE, the PURL and the CVEs. By the way, fix recommendations are not included because they are absent from the NVD database.
To view the scan results conveniently, you can set up Nginx with a minimal configuration, or send the defects to a defect management system that supports connectors to Dependency Check, for example Defect Dojo.
Dependency Track
Introduction
Dependency Track, in turn, is a web-based platform with visual graphs, so the pressing question of where to store defects in a third-party system does not arise here.
Supported installation options: Docker, WAR, Executable WAR.
Getting started
Go to the URL of the running service. Log in with admin / admin, change the login and password, then go to the Dashboard. The next thing we do is create a test project for Java in Home/Projects → Create Project. Let's take DVJA as an example.
Since Dependency Track accepts only a BOM as input, this BOM has to be obtained. Let's take advantage of
mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
We get bom.xml and upload the file into the created project: DVJA → Dependencies → Upload BOM.
Go to Administration → Analyzers. We see that only the Internal Analyzer is enabled, which includes the NVD. Let's also connect the Sonatype OSS Index.
As a result, we get the following picture for our project:
Also in the list you can find one applicable vulnerability from Sonatype OSS:
The main disappointment was that Dependency Track no longer accepts Dependency Check XML reports. The last supported versions of the Dependency Check integration were 1.0.0 - 4.0.2, while I tested 5.3.2.
Nexus IQ
Getting started
Nexus IQ is installed from the archive
After logging into the console, you need to create an Organization and an Application.
As you can see, setup in the case of IQ is much more complex, since we also need to create policies that apply at the different "stages" (dev, build, stage, release). This is necessary in order to block vulnerable components as they move along the pipeline closer to production, or to block them as soon as they enter the Nexus Repo when developers download them.
To feel the difference between open source and enterprise, let's scan the same project, dvja-test-and-compare, with Nexus IQ:
mvn com.sonatype.clm:clm-maven-plugin:evaluate -Dclm.applicationId=dvja-test-and-compare -Dclm.serverUrl=<NEXUSIQIP> -Dclm.username=<USERNAME> -Dclm.password=<PASSWORD>
Follow the link to the generated report in the IQ web interface:
Here you can see all the policy violations with their different importance (from Info to Security Critical). The letter D next to a component means it is a Direct Dependency, and the letter T means it is a Transitive Dependency.
By the way, the report
If we open one of the Nexus IQ policy violations, we can see the component description as well as the Version Graph, which shows the position of the current version on the timeline and the point at which the vulnerability ceases to be exploitable. The height of the candles on the graph indicates how widely this component is used.
If you go to the vulnerabilities section and expand a CVE, you can read the description of this vulnerability, the fix recommendations, and the reason the component was flagged, that is, the presence of the class DiskFileitem.class.
Let's summarize only what relates to third-party Java components, excluding js components. In parentheses we indicate the number of vulnerabilities found outside the NVD.
Nexus IQ total:
- Components identified: 62
- Vulnerable components: 16
- Vulnerabilities found: 42 (8 sonatype db)
Dependency Check total:
- Components identified: 47
- Vulnerable components: 13
- Vulnerabilities found: 91 (14 sonatype oss)
Dependency Track total:
- Components identified: 59
- Vulnerable components: 10
- Vulnerabilities found: 51 (1 sonatype oss)
In the next steps, we will analyze the results obtained and find out which of these vulnerabilities are real defects and which are false positives.
Disclaimer
This review is not the absolute truth. The author did not aim to single out one tool against the background of the others. The point of the review was to show the mechanisms by which SCA tools work and the ways of verifying their results.
Comparison of results
Criteria:
A false positive for a third-party vulnerability is:
- A CVE that does not correspond to the identified component
  - For example, if the vulnerability is identified in the struts2 framework, and the tool points to the struts-tiles component of the framework, to which this vulnerability does not apply, then this is a false positive.
- A CVE that does not correspond to the identified version of the component
  - For example, the vulnerability is tied to python versions > 3.5 and the tool marks version 2.7 as vulnerable; this is a false positive, since the vulnerability applies only to the 3.x branch.
- Duplication of a CVE
  - For example, if the SCA reports a CVE that enables RCE, and then reports a CVE for the same component that applies to Cisco products affected by that RCE. In this case it is a false positive.
  - For example, a CVE was found in a Spring component, after which the SCA points to the same CVE in other Spring Framework components, while the CVE has nothing to do with those other components. In this case it is a false positive.
The object of the study was the Open Source project DVJA. The study covered only java components (without js).
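The first two criteria above (wrong component, wrong version) can be checked mechanically against a CVE's affected-configuration data, which is the check the open-source tools get wrong in the struts-tiles and spring-tx cases. The following added example (not code from the article or from any of the tools it compares) does that with entries shaped like NVD's cpe_match records (cpe23Uri plus versionStartIncluding / versionEndExcluding bounds); the entries and the components are constructed here to mirror the struts and python cases from the text, and the verdicts use the article's TRUE/FALSE legend.

```python
"""Check a scanner finding against a CVE's affected configurations for the two
mechanical false-positive classes: wrong component and wrong version."""
# Added example; not code from the article or from Nexus IQ / Dependency Check /
# Dependency Track. The match entries mirror the shape of NVD's cpe_match records
# (cpe23Uri plus versionStart*/versionEnd* bounds) but their contents are constructed.
import re


def version_key(version: str) -> tuple:
    """Make '2.3.28' or '3.0.5.RELEASE' comparable: numeric parts compare as integers."""
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower())
                 for p in re.split(r"[.\-]", version))


def in_range(version: str, match: dict) -> bool:
    """Apply the optional NVD range bounds of one cpe_match entry."""
    v = version_key(version)
    lo_inc, lo_exc = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_inc, hi_exc = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    if lo_inc and v < version_key(lo_inc):
        return False
    if lo_exc and v <= version_key(lo_exc):
        return False
    if hi_inc and v > version_key(hi_inc):
        return False
    if hi_exc and v >= version_key(hi_exc):
        return False
    return True


def cpe_attrs(cpe23uri: str) -> dict:
    # A plain split is enough here: the constructed URIs contain no escaped colons.
    f = cpe23uri.split(":")
    return {"vendor": f[3], "product": f[4], "version": f[5]}


def classify(component: dict, matches: list) -> tuple:
    """component = {'vendor', 'product', 'version'}; matches = the CVE's cpe_match list.
    Returns ('TRUE', reason) for an applicable finding or ('FALSE', reason) for a
    false positive, following the article's legend."""
    product_seen = False
    for m in matches:
        if not m.get("vulnerable", True):
            continue
        a = cpe_attrs(m["cpe23Uri"])
        if a["product"] != component["product"] or a["vendor"] not in ("*", component["vendor"]):
            continue
        product_seen = True
        if a["version"] not in ("*", "-"):  # version pinned in the CPE itself
            if version_key(a["version"]) == version_key(component["version"]):
                return ("TRUE", f"exact CPE version {a['version']} matches")
            continue
        if in_range(component["version"], m):
            return ("TRUE", f"{component['version']} is inside the affected range of {m['cpe23Uri']}")
    if product_seen:
        return ("FALSE", "CVE names this product, but the component version is outside every affected range")
    return ("FALSE", "CVE's affected configurations do not name this component at all")


# Constructed entries shaped like the two cases in the text.
STRUTS_MATCHES = [  # constructed: 2.0.0 <= version < 2.3.28 is affected
    {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.3.28"},
]
PYTHON_MATCHES = [  # constructed: only the 3.x branch is affected
    {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "3.5", "versionEndExcluding": "3.8.3"},
]

if __name__ == "__main__":
    for comp, matches in [
        ({"vendor": "apache", "product": "struts", "version": "2.3.27"}, STRUTS_MATCHES),
        ({"vendor": "apache", "product": "struts", "version": "2.3.30"}, STRUTS_MATCHES),
        ({"vendor": "apache", "product": "struts-tiles", "version": "1.3.8"}, STRUTS_MATCHES),
        ({"vendor": "python", "product": "python", "version": "2.7.18"}, PYTHON_MATCHES),
    ]:
        print(comp["product"], comp["version"], classify(comp, matches))
```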
Summary results
Let's go straight to the results of the manual review of the identified vulnerabilities. The full report on each CVE is available in the Appendices.
Summary results for all vulnerabilities:
| Indicator | Nexus IQ | Dependency Check | Dependency Track |
|---|---|---|---|
| Total vulnerabilities identified | 42 | 91 | 51 |
| Incorrectly identified vulnerabilities (false positives) | 2 (4.76%) | 62 (68.13%) | 29 (56.86%) |
| Vulnerabilities not found (false negatives) | 10 | 20 | 27 |
Summary results by component:
| Indicator | Nexus IQ | Dependency Check | Dependency Track |
|---|---|---|---|
| Total components identified | 62 | 47 | 59 |
| Total vulnerable components | 16 | 13 | 10 |
| Incorrectly identified vulnerable components (false positives) | 1 | 5 | 0 |
| Vulnerable components not identified (false negatives) | 0 | 6 | 6 |
Let's build graphs to evaluate the ratio of false positives and false negatives to the total number of vulnerabilities. Components are plotted horizontally, and the vulnerabilities identified in them vertically.
For comparison, a similar study was carried out by the Sonatype team, testing a project of 1531 components with OWASP Dependency Check. As we can see, the ratio of noise to correct responses is similar to our results.
Let's look at a few CVEs from our results to understand the reasons for them.
No. 1
First, let's look at the interesting points of Sonatype Nexus IQ.
Nexus IQ reports the deserialization problem with the possibility of RCE in Spring Framework several times: CVE-2016-1000027 in spring-web:3.0.5 the first time, and CVE-2011-2894 in spring:3.0.5 and spring-core:3.0.5. At first it seems that the same vulnerability is duplicated across several CVEs, because if you look at CVE-2016-1000027 and CVE-2011-2894 in the NVD database, everything seems obvious.
| Component | Vulnerability |
|---|---|
| spring-web:3.0.5 | CVE-2016-1000027 |
| spring:3.0.5 | CVE-2011-2894 |
| spring-core:3.0.5 | CVE-2011-2894 |
CVE-2011-2894 itself is quite well known. In the report the vulnerability is attributed to RemoteInvocationSerializingExporter, whereas in CVE-2011-2894 it is observed in HttpInvokerServiceExporter. Here is what Nexus IQ tells us:
However, there is nothing like this in the NVD, which is why Dependency Check and Dependency Track each get a false negative.
Also, from the description of CVE-2011-2894 it can be understood that the vulnerability indeed exists in both spring:3.0.5 and spring-core:3.0.5. Confirmation of this can be found in the article by the person who discovered it.
No. 2
| Component | Vulnerability | Verdict |
|---|---|---|
| struts2-core:2.3.30 | CVE-2016-4003 | FALSE |
If we study CVE-2016-4003, we understand that it was fixed in version 2.3.28; nevertheless, Nexus IQ reports it to us. There is a note in the vulnerability description:
That is, the vulnerability exists only in combination with an old version of the JRE, which they decided to warn us about. Nevertheless, we count it as a False Positive, although not the worst one.
No. 3
| Component | Vulnerability | Verdict |
|---|---|---|
| xwork-core:2.3.30 | CVE-2017-9804 | TRUE |
| xwork-core:2.3.30 | CVE-2017-7672 | FALSE |
If we look at the descriptions of CVE-2017-9804 and CVE-2017-7672, we understand that the problem is in the URLValidator class, and that CVE-2017-9804 derives from CVE-2017-7672. The presence of the second vulnerability adds nothing useful except that its severity was raised to High, so we can consider it unnecessary noise.
In total, no other false positives were found for Nexus IQ.
No. 4
There are a few things that make IQ different from the other solutions.
| Component | Vulnerability | Verdict |
|---|---|---|
| spring-web:3.0.5 | CVE-2020-5398 | TRUE |
The CVE in the NVD says that it applies to versions 5.2.x before 5.2.3, 5.1.x before 5.1.13 and 5.0.x before 5.0.16; however, if we look at the description of the CVE in Nexus IQ, we see the following:
Advisory Deviation Notice: The Sonatype security research team discovered that this vulnerability was introduced in version 3.0.2.RELEASE and not 5.0.x as stated in the advisory.
This is followed by a PoC for this vulnerability, which states that it is present in version 3.0.5.
For Dependency Check and Dependency Track this is a false negative.
No. 5
Let's look at the false positives of Dependency Check and Dependency Track.
Dependency Check stands out in that it shows CVEs which, in the NVD, apply to the framework as a whole on components to which those CVEs do not apply. This concerns CVE-2012-0394, CVE-2013-2115, CVE-2014-0114, CVE-2015-0899, CVE-2015-2992, CVE-2016-1181 and CVE-2016-1182, which Dependency Check "attached" to struts-taglib:1.3.8 and struts-tiles-1.3.8. These components have nothing to do with what is described in the CVEs (request processing, page validation, and so on). This happens because the only thing the CVEs and the components have in common is the framework, which is why Dependency Check considered them vulnerable.
The same applies to spring-tx:3.0.5, and similarly to struts-core:1.3.8. For struts-core, Dependency Check and Dependency Track found a number of vulnerabilities that apply to struts2-core, which is in fact a different component. In this case Nexus IQ understood the picture correctly and, in the CVEs it reported, indicated that struts-core had reached end of life and that it is necessary to migrate to struts2-core.
No. 6
In some cases it is unfair to call the result of Dependency Check and Dependency Track an error. In particular, CVE-2013-4152, CVE-2013-6429, CVE-2013-6430, CVE-2013-7315, CVE-2014-0054 and CVE-2014-0225, which Dependency Check and Dependency Track attributed to spring-core:3.0.5, actually belong to spring-web:3.0.5. At the same time, some of these CVEs were also found by Nexus IQ, but IQ attributed them to a different component. Since these vulnerabilities were not found in spring-core, we cannot say that they are absent from the framework in principle, and the open-source tools rightly pointed out these vulnerabilities (they just missed by a little).
Findings
As we can see, verifying the reliability of the identified vulnerabilities by manual review does not give unambiguous results, which is why there is room for argument. Nevertheless, the Nexus IQ solution has the lowest number of false positives and the highest accuracy.
First of all, this is because the Sonatype team has extended the description of each CVE from the NVD in its own databases, refining the vulnerability of a specific component version down to the class or function and carrying out additional research (for example, checking the vulnerability on older versions of the software).
An important influence on the results is also exerted by vulnerabilities that are not included in the NVD but are present in the Sonatype database with the SONATYPE marker. According to the report
As a result, Dependency Check produces a lot of noise while missing some vulnerable components. Dependency Track produces less noise and identifies a large number of components, which is easy on the eyes in the web interface.
Nevertheless, practice shows that open source should be the first step towards mature DevSecOps. The first thing to think about when integrating SCA into development is the process, deciding together with management and the related departments what it should look like in your organization. It may turn out that in your organization, initially, Dependency Check or Dependency Track will cover all business needs, and Enterprise solutions will be a logical continuation as the complexity of the applications being developed grows.
Appendix A: Results by component
Legend:
- High - high and critical severity vulnerabilities in the component
- Medium - medium severity vulnerabilities in the component
- TRUE - true positive
- FALSE - false positive
| Component | Nexus IQ | Dependency Check | Dependency Track | Verdict |
|---|---|---|---|---|
| dom4j:1.6.1 | High | High | High | TRUE |
| log4j-core:2.3 | High | High | High | TRUE |
| log4j:1.2.14 | High | High | - | TRUE |
| commons-collections:3.1 | High | High | High | TRUE |
| commons-fileupload:1.3.2 | High | High | High | TRUE |
| commons-beanutils:1.7.0 | High | High | High | TRUE |
| commons-codec:1.10 | Medium | - | - | TRUE |
| mysql-connector-java:5.1.42 | High | High | High | TRUE |
| spring-expression:3.0.5 | High | component not found | - | TRUE |
| spring-web:3.0.5 | High | component not found | High | TRUE |
| spring:3.0.5 | Medium | component not found | - | TRUE |
| spring-core:3.0.5 | Medium | High | High | TRUE |
| struts2-config-browser-plugin:2.3.30 | Medium | - | - | TRUE |
| spring-tx:3.0.5 | - | High | - | FALSE |
| struts-core: 1.3.8 | High | High | High | TRUE |
| xwork-core:2.3.30 | High | - | - | TRUE |
| struts2-core:2.3.30 | High | High | High | TRUE |
| struts-taglib:1.3.8 | - | High | - | FALSE |
| struts-tiles-1.3.8 | - | High | - | FALSE |
Appendix B: Results by vulnerability
Legend:
- High - high and critical severity vulnerabilities in the component
- Medium - medium severity vulnerabilities in the component
- TRUE - true positive
- FALSE - false positive
| Component | Nexus IQ | Dependency Check | Dependency Track | Severity | Verdict | Comment |
|---|---|---|---|---|---|---|
| dom4j:1.6.1 | CVE-2018-1000632 | CVE-2018-1000632 | CVE-2018-1000632 | High | TRUE | |
| | CVE-2020-10683 | CVE-2020-10683 | CVE-2020-10683 | High | TRUE | |
| log4j-core:2.3 | CVE-2017-5645 | CVE-2017-5645 | CVE-2017-5645 | High | TRUE | |
| | CVE-2020-9488 | CVE-2020-9488 | CVE-2020-9488 | Low | TRUE | |
| log4j:1.2.14 | CVE-2019-17571 | CVE-2019-17571 | - | High | TRUE | |
| | - | CVE-2020-9488 | - | Low | TRUE | |
| | SONATYPE-2010-0053 | - | - | High | TRUE | |
| commons-collections:3.1 | - | CVE-2015-6420 | CVE-2015-6420 | High | FALSE | Duplicate of RCE (OSSINDEX) |
| | - | CVE-2017-15708 | CVE-2017-15708 | High | FALSE | Duplicate of RCE (OSSINDEX) |
| | SONATYPE-2015-0002 | RCE (OSSINDEX) | RCE (OSSINDEX) | High | TRUE | |
| commons-fileupload:1.3.2 | CVE-2016-1000031 | CVE-2016-1000031 | CVE-2016-1000031 | High | TRUE | |
| | SONATYPE-2014-0173 | - | - | Medium | TRUE | |
| commons-beanutils:1.7.0 | CVE-2014-0114 | CVE-2014-0114 | CVE-2014-0114 | High | TRUE | |
| | - | CVE-2019-10086 | CVE-2019-10086 | High | FALSE | The vulnerability affects only versions 1.9.2+ |
| commons-codec:1.10 | SONATYPE-2012-0050 | - | - | Medium | TRUE | |
| mysql-connector-java:5.1.42 | CVE-2018-3258 | CVE-2018-3258 | CVE-2018-3258 | High | TRUE | |
| | CVE-2019-2692 | CVE-2019-2692 | - | Medium | TRUE | |
| | - | CVE-2020-2875 | - | Medium | FALSE | Same vulnerability as CVE-2019-2692, but with the note "attacks may significantly impact additional products" |
| | - | CVE-2017-15945 | - | High | FALSE | Not related to mysql-connector-java |
| | - | CVE-2020-2933 | - | Low | FALSE | Duplicate of CVE-2020-2934 |
| | CVE-2020-2934 | CVE-2020-2934 | - | Medium | TRUE | |
| spring-expression:3.0.5 | CVE-2018-1270 | component not found | - | High | TRUE | |
| | CVE-2018-1257 | - | - | Medium | TRUE | |
| spring-web:3.0.5 | CVE-2016-1000027 | component not found | - | High | TRUE | |
| | CVE-2014-0225 | - | CVE-2014-0225 | High | TRUE | |
| | CVE-2011-2730 | - | - | High | TRUE | |
| | - | - | CVE-2013-4152 | Medium | TRUE | |
| | CVE-2018-1272 | - | - | High | TRUE | |
| | CVE-2020-5398 | - | - | High | TRUE | Example in favour of IQ: "The Sonatype security research team discovered that this vulnerability was introduced in version 3.0.2.RELEASE and not 5.0.x as stated in the advisory." |
| | CVE-2013-6429 | - | - | Medium | TRUE | |
| | CVE-2014-0054 | - | CVE-2014-0054 | Medium | TRUE | |
| | CVE-2013-6430 | - | - | Medium | TRUE | |
| spring:3.0.5 | CVE-2011-2894 | component not found | - | Medium | TRUE | |
| spring-core:3.0.5 | - | CVE-2011-2730 | CVE-2011-2730 | High | TRUE | |
| | CVE-2011-2894 | CVE-2011-2894 | CVE-2011-2894 | Medium | TRUE | |
| | - | - | CVE-2013-4152 | Medium | FALSE | Duplicate of the same vulnerability in spring-web |
| | - | CVE-2013-4152 | - | Medium | FALSE | The vulnerability relates to the web component |
| | - | CVE-2013-6429 | CVE-2013-6429 | Medium | FALSE | The vulnerability relates to the web component |
| | - | CVE-2013-6430 | - | Medium | FALSE | The vulnerability relates to the web component |
| | - | CVE-2013-7315 | CVE-2013-7315 | Medium | FALSE | SPLIT from CVE-2013-4152, and the vulnerability relates to the spring-web component |
| | - | CVE-2014-0054 | CVE-2014-0054 | Medium | FALSE | The vulnerability relates to the web component |
| | - | CVE-2014-0225 | - | High | FALSE | The vulnerability relates to the web component |
| | - | - | CVE-2014-0225 | High | FALSE | Duplicate of the same vulnerability in spring-web |
| | - | CVE-2014-1904 | CVE-2014-1904 | Medium | FALSE | The vulnerability relates to the spring-web-mvc component |
| | - | CVE-2014-3625 | CVE-2014-3625 | Medium | FALSE | The vulnerability relates to the spring-web-mvc component |
| | - | CVE-2016-9878 | CVE-2016-9878 | High | FALSE | The vulnerability relates to the spring-web-mvc component |
| | - | CVE-2018-1270 | CVE-2018-1270 | High | FALSE | For spring-expression/spring-messaging |
| | - | CVE-2018-1271 | CVE-2018-1271 | Medium | FALSE | The vulnerability relates to the spring-web-mvc component |
| | - | CVE-2018-1272 | CVE-2018-1272 | High | TRUE | |
| | CVE-2014-3578 | CVE-2014-3578 (OSSINDEX) | CVE-2014-3578 | Medium | TRUE | |
| | SONATYPE-2015-0327 | - | - | Low | TRUE | |
| struts2-config-browser-plugin:2.3.30 | SONATYPE-2016-0104 | - | - | Medium | TRUE | |
| spring-tx:3.0.5 | - | CVE-2011-2730 | - | High | FALSE | The vulnerability is not related to spring-tx |
| | - | CVE-2011-2894 | - | High | FALSE | The vulnerability is not related to spring-tx |
| | - | CVE-2013-4152 | - | Medium | FALSE | The vulnerability is not related to spring-tx |
| | - | CVE-2013-6429 | - | Medium | FALSE | The vulnerability is not related to spring-tx |
| | - | CVE-2013-6430 | - | Medium | FALSE | The vulnerability is not related to spring-tx |
| | - | CVE-2013-7315 | - | Medium | FALSE | The vulnerability is not related to spring-tx |
| | - | CVE-2014-0054 | - | Medium | FALSE | The vulnerability is not related to spring-tx |
| | - | CVE-2014-0225 | - | High | FALSE | The vulnerability is not related to spring-tx |
| | - | CVE-2014-1904 | - | Medium | FALSE | The vulnerability is not related to spring-tx |
| | - | CVE-2014-3625 | - | Medium | FALSE | The vulnerability is not related to spring-tx |
| | - | CVE-2016-9878 | - | High | FALSE | The vulnerability is not related to spring-tx |
| | - | CVE-2018-1270 | - | High | FALSE | The vulnerability is not related to spring-tx |
| | - | CVE-2018-1271 | - | Medium | FALSE | The vulnerability is not related to spring-tx |
| | - | CVE-2018-1272 | - | Medium | FALSE | The vulnerability is not related to spring-tx |
| struts-core:1.3.8 | - | CVE-2011-5057 (OSSINDEX) | - | Medium | FALSE | Struts 2 vulnerability |
| | - | CVE-2012-0391 (OSSINDEX) | CVE-2012-0391 | High | FALSE | Struts 2 vulnerability |
| | - | CVE-2014-0094 (OSSINDEX) | CVE-2014-0094 | Medium | FALSE | Struts 2 vulnerability |
| | - | CVE-2014-0113 (OSSINDEX) | CVE-2014-0113 | High | FALSE | Struts 2 vulnerability |
| | CVE-2016-1182 | CVE-2016-1182 | - | High | TRUE | |
| | - | - | CVE-2011-5057 | Medium | FALSE | Struts 2 vulnerability |
| | - | CVE-2012-0392 (OSSINDEX) | CVE-2012-0392 | High | FALSE | Struts 2 vulnerability |
| | - | CVE-2012-0393 (OSSINDEX) | CVE-2012-0393 | Medium | FALSE | Struts 2 vulnerability |
| | CVE-2015-0899 | CVE-2015-0899 | - | High | TRUE | |
| | - | CVE-2012-0394 | CVE-2012-0394 | Medium | FALSE | Struts 2 vulnerability |
| | - | CVE-2012-0838 (OSSINDEX) | CVE-2012-0838 | High | FALSE | Struts 2 vulnerability |
| | - | CVE-2013-1965 (OSSINDEX) | CVE-2013-1965 | High | FALSE | Struts 2 vulnerability |
| | - | CVE-2013-1966 (OSSINDEX) | CVE-2013-1966 | High | FALSE | Struts 2 vulnerability |
| | - | CVE-2013-2115 | CVE-2013-2115 | High | FALSE | Struts 2 vulnerability |
| | - | CVE-2013-2134 (OSSINDEX) | CVE-2013-2134 | High | FALSE | Struts 2 vulnerability |
| | - | CVE-2013-2135 (OSSINDEX) | CVE-2013-2135 | High | FALSE | Struts 2 vulnerability |
| | CVE-2014-0114 | CVE-2014-0114 | - | High | TRUE | |
| | - | CVE-2015-2992 | CVE-2015-2992 | Medium | FALSE | Struts 2 vulnerability |
| | - | CVE-2016-0785 (OSSINDEX) | CVE-2016-0785 | High | FALSE | Struts 2 vulnerability |
| | CVE-2016-1181 | CVE-2016-1181 | - | High | TRUE | |
| | - | CVE-2016-4003 (OSSINDEX) | CVE-2016-4003 | High | FALSE | Struts 2 vulnerability |
| xwork-core:2.3.30 | CVE-2017-9804 | - | - | High | TRUE | |
| | SONATYPE-2017-0173 | - | - | High | TRUE | |
| | CVE-2017-7672 | - | - | High | FALSE | Duplicate of CVE-2017-9804 |
| | SONATYPE-2016-0127 | - | - | High | TRUE | |
| struts2-core:2.3.30 | - | CVE-2016-6795 | CVE-2016-6795 | High | TRUE | |
| | - | CVE-2017-9787 | CVE-2017-9787 | High | TRUE | |
| | - | CVE-2017-9791 | CVE-2017-9791 | High | TRUE | |
| | - | CVE-2017-9793 | - | High | FALSE | Duplicate of CVE-2018-1327 |
| | - | CVE-2017-9804 | - | High | TRUE | |
| | - | CVE-2017-9805 | CVE-2017-9805 | High | TRUE | |
| | CVE-2016-4003 | - | - | Medium | FALSE | Applies to Apache Struts 2.x up to 2.3.28, and we have version 2.3.30. However, according to the description, the CVE is valid for any Struts 2 version if JRE 1.7 or lower is used. It seems they decided to play it safe here, but it looks like a FALSE positive |
| | - | CVE-2018-1327 | CVE-2018-1327 | High | TRUE | |
| | CVE-2017-5638 | CVE-2017-5638 | CVE-2017-5638 | High | TRUE | The same vulnerability that the Equifax attackers used in 2017 |
| | CVE-2017-12611 | CVE-2017-12611 | - | High | TRUE | |
| | CVE-2018-11776 | CVE-2018-11776 | CVE-2018-11776 | High | TRUE | |
| struts-taglib:1.3.8 | - | CVE-2012-0394 | - | Medium | FALSE | For struts2-core |
| | - | CVE-2013-2115 | - | High | FALSE | For struts2-core |
| | - | CVE-2014-0114 | - | High | FALSE | For commons-beanutils |
| | - | CVE-2015-0899 | - | High | FALSE | Does not apply to taglib |
| | - | CVE-2015-2992 | - | Medium | FALSE | Refers to struts2-core |
| | - | CVE-2016-1181 | - | High | FALSE | Does not apply to taglib |
| | - | CVE-2016-1182 | - | High | FALSE | Does not apply to taglib |
| struts-tiles-1.3.8 | - | CVE-2012-0394 | - | Medium | FALSE | For struts2-core |
| | - | CVE-2013-2115 | - | High | FALSE | For struts2-core |
| | - | CVE-2014-0114 | - | High | FALSE | For commons-beanutils |
| | - | CVE-2015-0899 | - | High | FALSE | Does not apply to tiles |
| | - | CVE-2015-2992 | - | Medium | FALSE | For struts2-core |
| | - | CVE-2016-1181 | - | High | FALSE | Does not apply to taglib |
| | - | CVE-2016-1182 | - | High | FALSE | Does not apply to taglib |
Source: www.habr.com