An important part of vulnerability management is fully understanding and maintaining the supply chain of software components that make up modern systems. Agile and DevOps teams rely heavily on open-source libraries and frameworks to reduce development time and cost. But this gain comes with a problem: the risk of inheriting other people's bugs and vulnerabilities.
Obviously, a team must make sure it knows which open-source components are included in its applications, verify that known trustworthy versions are downloaded from known trustworthy sources, and pull in updated versions of components once newly discovered vulnerabilities have been fixed.
In this post we will look at using OWASP Dependency Check to abort the build if it finds serious problems in your code.
The book "Development Security in Agile Projects" describes it as follows. OWASP Dependency Check is a free scanner that catalogues all open-source components used in an application and shows the vulnerabilities they contain. There are versions for Java, .NET, Ruby (gemspec), PHP (composer), Node.js and Python, as well as some C/C++ projects. Dependency Check integrates with common build tools, including Ant, Maven and Gradle, and with continuous integration servers such as Jenkins.
Dependency Check reports all components with known vulnerabilities from NIST's National Vulnerability Database (NVD) and is kept current with data from the NVD news feeds.
Fortunately, all of this can be done automatically using tools such as the OWASP Dependency Check project or commercial programs such as.
These tools can be included in build pipelines that depend on open-source software, to identify outdated library versions and libraries with known vulnerabilities, and to abort the build if serious problems are found.
OWASP Dependency Check
To try out and show how Dependency Check works, we use this repository
To view the HTML report, you need to set up an nginx web server on your gitlab-runner.
Example of a minimal nginx configuration:
    server {
        listen 9999;
        listen [::]:9999;
        server_name _;
        # the runner checks out every project under this directory,
        # so the report is reachable at <project path>/target/dependency-check-report.html
        root /home/gitlab-runner/builds;
        location / {
            autoindex on;   # directory listing makes it easy to browse to the report
        }
        error_page 404 /404.html;
        location = /404.html {
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
At the end of the job you can see this image:
Follow the link and view the Dependency Check report.
The first screenshot is the top part of the report with the summary.
The second screenshot is the details of CVE-2017-5638. Here we see the CVE level and links to actions.
The third screenshot is the details of log4j-api-2.7.jar. We see that the CVE scores are 7.5 and 9.8.
The fourth screenshot is the details of commons-fileupload-1.3.2.jar. We see that the CVE scores are 7.5 and 9.8.
If you want to use GitLab Pages, this will not work - a failed job does not create an artifact.
Example here
Build output: no artifacts, I do not see the HTML report. You should try Artifact: always
Managing the CVE severity threshold
The most important line in the gitlab-ci.yaml file:
    mvn $MAVEN_CLI_OPTS test org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7
With the failBuildOnCVSS parameter you can change the CVSS score of a CVE from which you need to react, i.e. from which the build fails.
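To make the threshold concrete, here is an added example (not code from the original post or from the Dependency-Check project) that applies the same rule the plugin applies for -DfailBuildOnCVSS to a Dependency-Check JSON report: a dependency fails the build when any of its vulnerabilities has a CVSS v2 score or CVSS v3 base score at or above the threshold. The plugin writes a JSON report next to the HTML one when its format parameter includes JSON (or ALL); the report below is a constructed sample in that shape, with placeholder CVE names, and only the fields the check reads are included.

```python
"""Gate a build on the CVSS scores in an OWASP Dependency-Check JSON report.

Added example: reproduces the failBuildOnCVSS decision so it can be applied to
a report produced elsewhere (e.g. on a CI server that only keeps the JSON
artifact). Field names follow the dependency-check JSON report layout:
dependencies[].vulnerabilities[] with cvssv2.score and cvssv3.baseScore.
"""
import json

# Constructed sample in the shape of target/dependency-check-report.json.
# CVE names are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "log4j-api-2.7.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0001", "cvssv2": {"score": 7.5}, "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "commons-fileupload-1.3.2.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0002", "cvssv2": {"score": 7.5}},
             {"name": "CVE-EXAMPLE-0003", "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "harmless-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0004", "cvssv2": {"score": 4.3}, "cvssv3": {"baseScore": 5.3}}]},
        {"fileName": "clean-2.0.jar"},
    ]
})


def vuln_score(vuln):
    """Highest CVSS score on one vulnerability entry.

    The plugin compares both the v2 score and the v3 base score against the
    threshold, so the higher of the two decides. An entry with neither scores 0.
    """
    scores = []
    if "baseScore" in (vuln.get("cvssv3") or {}):
        scores.append(float(vuln["cvssv3"]["baseScore"]))
    if "score" in (vuln.get("cvssv2") or {}):
        scores.append(float(vuln["cvssv2"]["score"]))
    return max(scores, default=0.0)


def failing_dependencies(report_json, threshold):
    """Map fileName -> [(vulnerability name, score)] for entries at or above threshold.

    An empty result means the build passes at that threshold. The comparison is
    ">=", as with failBuildOnCVSS: a threshold of 7 also catches a 7.0.
    """
    report = json.loads(report_json)
    failing = {}
    for dep in report.get("dependencies", []):
        hits = [(v["name"], vuln_score(v))
                for v in dep.get("vulnerabilities", [])
                if vuln_score(v) >= threshold]
        if hits:
            failing[dep["fileName"]] = hits
    return failing


def build_exit_code(report_json, threshold):
    """0 when nothing reaches the threshold, 1 otherwise (the CI job's verdict)."""
    return 1 if failing_dependencies(report_json, threshold) else 0


def check_sample(threshold):
    """Run the gate over the constructed sample report."""
    return build_exit_code(SAMPLE_REPORT, threshold), failing_dependencies(SAMPLE_REPORT, threshold)


if __name__ == "__main__":
    import sys
    threshold = float(sys.argv[1]) if len(sys.argv) > 1 else 7.0
    code, failing = check_sample(threshold)
    for name, hits in failing.items():
        print(name)
        for cve, score in hits:
            print("  %s  CVSS %.1f" % (cve, score))
    print("exit code:", code)
    sys.exit(code)
```

Running it with 7 (the post's value) fails on the two jars whose scores are 7.5 and 9.8 and ignores the 5.3; raising the threshold to 9.9 lets everything through, which is why the threshold should be chosen against the highest score you are prepared to ship, not the average.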
Mirroring the NIST Vulnerability Database (NVD)
Did you notice that the NIST vulnerability database (NVD) is downloaded over the network on every run:
To download it locally, you can use the tool
Let's install and start it.
    # enable the COPR repository that packages nist-data-mirror, then install and start the service
    yum -y install yum-plugin-copr
    yum copr enable antonpatsev/nist_data_mirror_golang
    yum -y install nist-data-mirror
    systemctl start nist-data-mirror
nist-data-mirror writes the NIST CVE JSON feeds to /var/www/repos/nist-data-mirror/ on startup and then refreshes the data every 24 hours.
To serve the NIST CVE JSON to the scanner, you need to set up an nginx web server (for example, on your gitlab-runner).
Example of a minimal nginx configuration:
    server {
        listen 12345;
        listen [::]:12345;
        server_name _;
        # directory that nist-data-mirror keeps up to date
        root /var/www/repos/nist-data-mirror/;
        location / {
            autoindex on;
        }
        error_page 404 /404.html;
        location = /404.html {
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
So that the line that starts mvn does not get too long, we move the parameters into a separate variable, DEPENDENCY_OPTS.
The final .gitlab-ci.yml config will look like this:
    variables:
      MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true"
      MAVEN_CLI_OPTS: "--batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true"
      # fail from CVSS 7 upwards and fetch the NVD feeds from the local mirror instead of nist.gov
      DEPENDENCY_OPTS: "-DfailBuildOnCVSS=7 -DcveUrlModified=http://localhost:12345/nvdcve-1.1-modified.json.gz -DcveUrlBase=http://localhost:12345/nvdcve-1.1-%d.json.gz"

    cache:
      paths:
        - .m2/repository

    verify:
      stage: test
      script:
        # keep going after a failed scan so that the report URL is still printed
        - set +e
        - EXIT_CODE=0
        - mvn $MAVEN_CLI_OPTS install org.owasp:dependency-check-maven:check $DEPENDENCY_OPTS || EXIT_CODE=$?
        # strip the runner's builds directory so the path matches the nginx root on port 9999
        - export PATH_WITHOUT_HOME=$(pwd | sed -e 's|/home/gitlab-runner/builds||g')
        - echo "************************* URL Dependency-check-report.html *************************"
        - echo "http://$HOSTNAME:9999$PATH_WITHOUT_HOME/target/dependency-check-report.html"
        - set -e
        # then fail the job with the scanner's own exit code
        - exit ${EXIT_CODE}
      tags:
        - shell
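Once the scanner is pointed at the mirror with cveUrlBase and cveUrlModified, a missing yearly feed or a mirror whose refresh has silently stopped means the build passes without the newest CVEs. The following added example (not code from the post, from nist-data-mirror or from Dependency-Check) checks a mirror directory before a pipeline relies on it: every yearly file that the %d template expands to must exist, and the modified feed must carry a recent timestamp. It assumes the file layout shown above (nvdcve-1.1-<year>.json.gz from 2002 onwards plus nvdcve-1.1-modified.json.gz) and the CVE_data_timestamp header field of the NVD 1.1 JSON feeds; the mirrors it inspects are constructed in a temporary directory.

```python
"""Check that a local NVD 1.1 feed mirror is complete and fresh.

Added example. Assumptions: the yearly feeds start at 2002, the feed header
carries CVE_data_timestamp in the form 2019-10-15T07:00Z, and the mirror
refreshes every 24 hours as the post describes.
"""
import gzip
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

FIRST_FEED_YEAR = 2002                   # the yearly NVD 1.1 feeds start with 2002
MAX_MODIFIED_AGE = timedelta(hours=48)   # 24 h refresh cycle; tolerate one missed cycle
TS_FORMAT = "%Y-%m-%dT%H:%MZ"            # shape of CVE_data_timestamp

# Fixed "now" so the constructed sample is reproducible.
SAMPLE_NOW = datetime(2020, 3, 1, 12, 0, tzinfo=timezone.utc)


def expected_feed_files(current_year):
    """Every file -DcveUrlBase (one per year via %d) and -DcveUrlModified will request."""
    names = ["nvdcve-1.1-%d.json.gz" % y for y in range(FIRST_FEED_YEAR, current_year + 1)]
    names.append("nvdcve-1.1-modified.json.gz")
    return names


def feed_timestamp(path):
    """Parse the feed's own CVE_data_timestamp; raises on a truncated or non-JSON file."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        header = json.load(fh)
    return datetime.strptime(header["CVE_data_timestamp"], TS_FORMAT).replace(tzinfo=timezone.utc)


def check_mirror(mirror_dir, now, current_year):
    """Return a list of problems; empty means the scanner can be pointed at this mirror."""
    problems = []
    for name in expected_feed_files(current_year):
        path = os.path.join(mirror_dir, name)
        if not os.path.isfile(path):
            problems.append("missing " + name)
            continue
        try:
            ts = feed_timestamp(path)
        except (OSError, ValueError, KeyError) as exc:
            problems.append("unreadable %s: %s" % (name, exc))
            continue
        # only the modified feed must be recent; yearly feeds change rarely
        if name.endswith("modified.json.gz") and now - ts > MAX_MODIFIED_AGE:
            problems.append("stale %s (feed timestamp %s)" % (name, ts.strftime(TS_FORMAT)))
    return problems


def write_feed(mirror_dir, name, timestamp):
    """Write a constructed minimal NVD 1.1 feed: header fields only, no CVE_Items."""
    header = {"CVE_data_type": "CVE", "CVE_data_format": "MITRE", "CVE_data_version": "4.0",
              "CVE_data_numberOfCVEs": "0", "CVE_data_timestamp": timestamp.strftime(TS_FORMAT),
              "CVE_Items": []}
    with gzip.open(os.path.join(mirror_dir, name), "wt", encoding="utf-8") as fh:
        json.dump(header, fh)


def build_sample_mirror(current_year, drop_year=None, modified_age_hours=2):
    """Constructed mirror in a temp dir, optionally missing one year or with an old modified feed."""
    mirror_dir = tempfile.mkdtemp(prefix="nvd-mirror-")
    for name in expected_feed_files(current_year):
        if drop_year is not None and name == "nvdcve-1.1-%d.json.gz" % drop_year:
            continue
        if name.endswith("modified.json.gz"):
            ts = SAMPLE_NOW - timedelta(hours=modified_age_hours)
        else:
            ts = SAMPLE_NOW - timedelta(days=1)
        write_feed(mirror_dir, name, ts)
    return mirror_dir


def run_demo():
    """Three constructed mirrors: complete and fresh, missing 2005, and a stale modified feed."""
    year = SAMPLE_NOW.year
    return {
        "good": check_mirror(build_sample_mirror(year), SAMPLE_NOW, year),
        "missing": check_mirror(build_sample_mirror(year, drop_year=2005), SAMPLE_NOW, year),
        "stale": check_mirror(build_sample_mirror(year, modified_age_hours=72), SAMPLE_NOW, year),
    }


if __name__ == "__main__":
    for label, problems in run_demo().items():
        print(label, "->", problems or ["ok"])
```

Run against /var/www/repos/nist-data-mirror/ with the real clock, a non-empty result is a reason to fix the mirror before trusting a green build; a stale modified feed in particular looks exactly like a clean scan from the pipeline's point of view.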
Source: www.habr.com