A crucial part of risk management is understanding and protecting the supply chain of software components that make up modern systems. Agile and DevOps teams rely heavily on open-source libraries and frameworks to cut development time and cost. But this medal has a reverse side: the risk of inheriting other people's bugs and vulnerabilities.
Obviously, the team must make sure it knows which open-source components are included in its applications, that trusted versions are downloaded from known trusted sources, and that updated components are pulled in once new vulnerabilities are discovered.
In this post, we will look at using OWASP Dependency Check to break the build if it finds serious problems with your code.
In the book "Development Security in Agile Projects" it is described as follows. OWASP Dependency Check is a free scanner that catalogs all the open-source components used in an application and reports the vulnerabilities they contain. There are versions for Java, .NET, Ruby (gemspec), PHP (composer), Node.js and Python, as well as some C/C++ projects. Dependency Check integrates with common build tools, including Ant, Maven and Gradle, and with continuous integration servers such as Jenkins.
Dependency Check reports every component that has known vulnerabilities listed in NIST's National Vulnerability Database (NVD), and it is kept current with data from the NVD news feed.
Fortunately, all of this can be automated using tools such as the OWASP Dependency Check project or commercial products such as.
These tools can be plugged into the build pipeline to inventory open-source dependencies, flag outdated library versions and libraries with known vulnerabilities, and break the build if serious problems are found.
OWASP Dependency Check
To test and demonstrate how Dependency Check works, we use this repository.
To view the HTML report, you need to set up an nginx server on your gitlab-runner.
Example of a minimal nginx configuration:
server {
    listen 9999;
    listen [::]:9999;
    server_name _;
    # the runner's build directory is served read-only with directory listings
    root /home/gitlab-runner/builds;
    location / {
        autoindex on;
    }
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
At the end of the job you can see this picture:
Follow the link and look at the Dependency Check report.
The first screenshot is the top section of the report with the summary.
The second screenshot shows CVE-2017-5638. Here we see the CVE score and the links to exploits.
The third screenshot is the detail for log4j-api-2.7.jar. We see that the CVE scores are 7.5 and 9.8.
The fourth screenshot is the detail for commons-fileupload-1.3.2.jar. We see that the CVE scores are 7.5 and 9.8.
If you want to use GitLab Pages, it will not work: a failed job does not produce artifacts.
Example here
Build output: no artifacts, I do not see the html report. You need to try artifacts: always
Controlling the CVE severity threshold
The most important line in the gitlab-ci.yaml file:
    mvn $MAVEN_CLI_OPTS test org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7
With the failBuildOnCVSS parameter you can change the CVE severity level above which the build must fail and you must respond.
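The gate that -DfailBuildOnCVSS applies can be replayed offline against the JSON report the plugin can also write (-Dformat=JSON). The following is an added example, not code from the article or from the Dependency Check project; the report fields it reads (dependencies[].fileName, vulnerabilities[].name, cvssv2.score, cvssv3.baseScore) and the sample report itself are assumed and constructed here to mirror the two jars from the screenshots.

```python
"""Added example: replay the failBuildOnCVSS decision on a dependency-check JSON report."""
import json

# Constructed sample in the shape of target/dependency-check-report.json (assumed field names).
# CVE ids are placeholders; scores follow the jars shown in the article's screenshots.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "log4j-api-2.7.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0001", "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-EXAMPLE-0002", "cvssv2": {"score": 7.5}},
         ]},
        {"fileName": "commons-fileupload-1.3.2.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0003", "cvssv3": {"baseScore": 7.5}},
         ]},
        {"fileName": "harmless-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0004", "cvssv2": {"score": 4.3}},
         ]},
        {"fileName": "clean-2.0.jar"},   # no findings at all
    ]
})


def score_of(vuln):
    """Highest CVSS score recorded for one finding (v3 preferred, v2 as fallback, 0 if none)."""
    v3 = (vuln.get("cvssv3") or {}).get("baseScore")
    v2 = (vuln.get("cvssv2") or {}).get("score")
    return max(s for s in (v3, v2, 0.0) if s is not None)


def findings_at_or_above(report_text, threshold):
    """Return [(jar, cve, score)] for every finding that reaches the threshold, worst first."""
    report = json.loads(report_text)
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            s = score_of(vuln)
            if s >= threshold:
                hits.append((dep["fileName"], vuln["name"], s))
    return sorted(hits, key=lambda h: -h[2])


def build_should_fail(report_text, threshold=7.0):
    """Same decision -DfailBuildOnCVSS=<threshold> makes: a single hit fails the build."""
    return bool(findings_at_or_above(report_text, threshold))


if __name__ == "__main__":
    for jar, cve, score in findings_at_or_above(SAMPLE_REPORT, 7.0):
        print(f"{jar}: {cve} CVSS {score}")
    raise SystemExit(1 if build_should_fail(SAMPLE_REPORT) else 0)
```

Lowering the threshold to 4 would also pull in harmless-1.0.jar, which is the trade-off the parameter controls.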
Downloading the NIST Vulnerability Database (NVD) from the internet
Have you noticed that the NIST vulnerability databases (NVD) are downloaded from the internet frequently:
To download them locally, you can use the nist-data-mirror tool.
Let's install and start it.
yum -y install yum-plugin-copr
yum copr enable antonpatsev/nist_data_mirror_golang
yum -y install nist-data-mirror
systemctl start nist-data-mirror
nist-data-mirror downloads the NIST CVE JSON feeds to /var/www/repos/nist-data-mirror/ on startup and refreshes them every 24 hours.
To serve the NIST CVE JSON to the scanner, you need to set up an nginx server (for example, on your gitlab-runner).
Example of a minimal nginx configuration:
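A mirror that has stopped refreshing silently turns the scanner blind to new CVEs, so it is worth checking the mirror directory before trusting a green build. The check below is an added example, not part of the article or of nist-data-mirror; it derives the file names from the same %d pattern and "modified" feed that the cveUrlBase and cveUrlModified settings use, and it assumes 2002 as the first yearly feed and 1.1 as the feed version. The mirror directory it inspects is constructed in a temporary folder.

```python
"""Added example: verify a local NVD mirror is complete and not older than the 24h refresh."""
import os
import tempfile
import time

FIRST_FEED_YEAR = 2002        # assumption: earliest yearly NVD JSON feed
FEED_VERSION = "1.1"          # matches nvdcve-1.1-%d.json.gz from the article
MAX_AGE_SECONDS = 24 * 3600   # nist-data-mirror refresh interval from the article


def expected_files(last_year):
    """File names behind the %d pattern, plus the 'modified' delta feed."""
    names = ["nvdcve-%s-%d.json.gz" % (FEED_VERSION, y)
             for y in range(FIRST_FEED_YEAR, last_year + 1)]
    names.append("nvdcve-%s-modified.json.gz" % FEED_VERSION)
    return names


def check_mirror(mirror_dir, last_year, now=None, max_age=MAX_AGE_SECONDS):
    """Return a list of problems; an empty list means the mirror is usable."""
    now = time.time() if now is None else now
    problems = []
    for name in expected_files(last_year):
        path = os.path.join(mirror_dir, name)
        if not os.path.isfile(path):
            problems.append("missing: " + name)
        elif os.path.getsize(path) == 0:
            problems.append("empty: " + name)
    modified = os.path.join(mirror_dir, "nvdcve-%s-modified.json.gz" % FEED_VERSION)
    if os.path.isfile(modified) and now - os.path.getmtime(modified) > max_age:
        problems.append("stale: nvdcve-%s-modified.json.gz older than %dh"
                        % (FEED_VERSION, max_age // 3600))
    return problems


def make_constructed_mirror(last_year, stale_modified=False):
    """Lay out a fake mirror directory (constructed data) so the check runs offline."""
    d = tempfile.mkdtemp(prefix="nist-data-mirror-")
    for name in expected_files(last_year):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"\x1f\x8b")  # gzip magic only; the content is irrelevant here
    if stale_modified:
        old = time.time() - 2 * MAX_AGE_SECONDS
        os.utime(os.path.join(d, "nvdcve-%s-modified.json.gz" % FEED_VERSION), (old, old))
    return d


if __name__ == "__main__":
    print(check_mirror(make_constructed_mirror(2019, stale_modified=True), 2019))
```

Running it against /var/www/repos/nist-data-mirror/ on the runner, with the current year as last_year, is the intended use.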
server {
    listen 12345;
    listen [::]:12345;
    server_name _;
    # the directory nist-data-mirror keeps the NVD JSON feeds in
    root /var/www/repos/nist-data-mirror/;
    location / {
        autoindex on;
    }
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
To avoid an overly long line where mvn is invoked, we move the parameters into a separate variable, DEPENDENCY_OPTS.
The final .gitlab-ci.yml config will look like this:
variables:
  MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true"
  MAVEN_CLI_OPTS: "--batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true"
  # fail at CVSS >= 7 and fetch the NVD feeds from the local nist-data-mirror instead of the internet
  DEPENDENCY_OPTS: "-DfailBuildOnCVSS=7 -DcveUrlModified=http://localhost:12345/nvdcve-1.1-modified.json.gz -DcveUrlBase=http://localhost:12345/nvdcve-1.1-%d.json.gz"

cache:
  paths:
    - .m2/repository

verify:
  stage: test
  script:
    # keep the job running after a failed scan so the report URL is still printed
    - set +e
    - mvn $MAVEN_CLI_OPTS install org.owasp:dependency-check-maven:check $DEPENDENCY_OPTS || EXIT_CODE=$?
    # strip the runner's build root so the path matches the nginx root from above
    - export PATH_WITHOUT_HOME=$(pwd | sed -e "s#/home/gitlab-runner/builds##g")
    - echo "************************* URL Dependency-check-report.html *************************"
    - echo "http://$HOSTNAME:9999$PATH_WITHOUT_HOME/target/dependency-check-report.html"
    - set -e
    # propagate the scan result; EXIT_CODE is unset (success) when mvn passed
    - exit ${EXIT_CODE:-0}
  tags:
    - shell
Source: www.habr.com