O se vaega taua o le pulega fa'aletonu o le malamalama lelei lea ma fa'amautu le sapalai o vaega fa'akomepiuta e fausia ai faiga fa'aonaponei. O 'au a Agile ma DevOps latou te fa'aogaina tele faletusi ma fa'avae e fa'aitiitia ai le taimi ma le tau. Ae o lenei pine foi e i ai se itu i lalo: o le avanoa e faŹ»atosina ai mea sese ma faŹ»afitauli a isi tagata.
E manino lava, e tatau i le 'au ona mautinoa e iloa poŹ»o fea vaega o punaoa tatala o loŹ»o aofia ai i ana talosaga, faŹ»amautinoa o loŹ»o laŹ»uina mai faŹ»amatalaga faŹ»atuatuaina mai punaoa faŹ»atuatuaina, ma laŹ»u mai faŹ»afouga fou o vaega pe a maeŹ»a ona faŹ»apipiŹ»i faŹ»afitauli fou.
I lenei pou, o le a matou vaŹ»avaŹ»ai i le faŹ»aogaina o le OWASP Dependency Check e faŹ»ateŹ»a ai se fale pe afai e iloa ai faŹ»afitauli matuia i lau code.
I le tusi "Development Security in Agile Projects" o loŹ»o faŹ»amatalaina faŹ»apea. OWASP Dependency Check o se si'i fua e fa'avasega uma vaega fa'apogai o lo'o fa'aogaina i totonu o se talosaga ma fa'aalia ai le fa'aletonu o lo'o iai. O loŹ»o i ai faŹ»amatalaga mo Java, .NET, Ruby (gemspec), PHP (fatu pese), Node.js ma Python, faŹ»apea foŹ»i ma nisi o galuega C/C++. Fa'alagolago Fa'alagolago e tu'ufa'atasia ma meafaigaluega fau masani, e aofia ai Ant, Maven ma Gradle, ma fa'aauau fa'aumau fa'atasi e pei o Jenkins.
O le Su'esu'ega Fa'alagolago e lipoti atu vaega uma o lo'o i ai fa'afitauli fa'aletonu mai le NIST's National Vulnerability Database (NVD) ma fa'afou i fa'amaumauga mai tala fou a le NVD.
O le mea e laki ai, o nei mea uma e mafai ona otometi ona faŹ»aogaina meafaigaluega e pei ole OWASP Dependency Check project poŹ»o polokalame faŹ»apisinisi pei o , , , Sonatype po o .
O nei meafaigaluega e mafai ona aofia ai i le fausiaina o paipa e otometi ai le suŹ»esuŹ»eina o punaoa tatala faŹ»alagolago, faŹ»amaonia lomiga tuai o faletusi ma faletusi o loŹ»o i ai faŹ»afitauli faŹ»apitoa, ma faŹ»agata le fausiaina pe a maua ni faŹ»afitauli matuia.
OWASP Fa'alagolago Siaki
Ina ia faŹ»ataŹ»itaŹ»i ma faŹ»aalia pe faŹ»afefea ona galue le Dependency Check, matou te faŹ»aogaina lenei fale teu oloa .
Ina ia matamata i le lipoti HTML, e te manaŹ»omia le faŹ»atulagaina o le nginx web server i lau gitlab-runner.
Fa'ata'ita'iga o se la'ititi nginx config:
server {
listen 9999;
listen [::]:9999;
server_name _;
root /home/gitlab-runner/builds;
location / {
autoindex on;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}I le faaiuga o le faŹ»apotopotoga e mafai ona e vaŹ»ai i le ata lenei:
Mulimuli i le so'oga ma va'ai le lipoti o le Siaki Fa'alagolago.
O le ata muamua o le pito i luga o le lipoti ma se aotelega.
Fa'amatalaga fa'amalama lona lua CVE-2017-5638. O iinei tatou te vaŹ»aia ai le maualuga o le CVE ma fesoŹ»otaŹ»iga i faŹ»aoga.
O le faŹ»amalama lona tolu o faŹ»amatalaga o le log4j-api-2.7.jar. Matou te vaŹ»aia o tulaga CVE e 7.5 ma 9.8.
O le faŹ»amalama lona fa o faŹ»amatalaga o commons-fileupload-1.3.2.jar. Matou te vaŹ»aia o tulaga CVE e 7.5 ma 9.8.
Afai e te manaŹ»o e faŹ»aaoga itulau gitlab, o le a le aoga - o se galuega pa'Å« o le a le faia ai se mea.
Faataitaiga iinei .
Fausia galuega: leai ni mea faŹ»apitoa, ou te le vaŹ»ai i le lipoti html. E tatau ona e taumafai Artifact: i taimi uma
FaŹ»atonutonuina le maualuga o faŹ»afitauli o le CVE
Ole laina pito sili ona taua ile faila gitlab-ci.yaml:
mvn $MAVEN_CLI_OPTS test org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7Faatasi ai ma le failBuildOnCVSS parameter e mafai ona e fetuutuunai le maualuga o le CVE vulnerabilities e te manaŹ»omia e tali atu ai.
Si'itia le NIST Vulnerability Database (NVD) mai le Initaneti
Ua e maitauina o le NIST o loŹ»o faŹ»apipiŹ»iina i taimi uma le NIST faŹ»amatalaga faŹ»aletonu (NVD) mai le Initaneti:
Ina ia download, e mafai ona e faŹ»aogaina le aoga
Tatou fa'apipi'i ma fa'alauiloa.
yum -y install yum-plugin-copr
yum copr enable antonpatsev/nist_data_mirror_golang
yum -y install nist-data-mirror
systemctl start nist-data-mirrorNist-data-mirror e tuŹ»uina atu le NIST JSON CVE i /var/www/repos/nist-data-mirror/ i luga o le amataga ma faŹ»afouina faŹ»amaumauga i 24 itula uma.
Ina ia sii mai CVE JSON NIST, e tatau ona e faŹ»apipiŹ»i le nginx web server (mo se faŹ»ataŹ»itaŹ»iga, i luga o lau gitlab-runner).
Fa'ata'ita'iga o se la'ititi nginx config:
server {
listen 12345;
listen [::]:12345;
server_name _;
root /var/www/repos/nist-data-mirror/;
location / {
autoindex on;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}Ina ia aua le faia se laina umi lea e faŹ»alauiloa ai le mvn, o le a matou faŹ»anofoina faŹ»amau i se isi fesuiaiga DEPENDENCY_OPTS.
Ole la'ititi la'ititi config .gitlab-ci.yml ole a fa'apea:
variables:
MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true"
MAVEN_CLI_OPTS: "--batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true"
DEPENDENCY_OPTS: "-DfailBuildOnCVSS=7 -DcveUrlModified=http://localhost:12345/nvdcve-1.1-modified.json.gz -DcveUrlBase=http://localhost:12345/nvdcve-1.1-%d.json.gz"
cache:
paths:
- .m2/repository
verify:
stage: test
script:
- set +e
- mvn $MAVEN_CLI_OPTS install org.owasp:dependency-check-maven:check $DEPENDENCY_OPTS || EXIT_CODE=$?
- export PATH_WITHOUT_HOME=$(pwd | sed -e "s//home/gitlab-runner/builds//g")
- echo "************************* URL Dependency-check-report.html *************************"
- echo "http://$HOSTNAME:9999$PATH_WITHOUT_HOME/target/dependency-check-report.html"
- set -e
- exit ${EXIT_CODE}
tags:
- shell
puna: www.habr.com
