Using the Dependency-Check vulnerability scanner for third-party libraries in GitLab CI

An important part of vulnerability management is understanding in detail, and protecting, the supply chain of software components that make up modern systems. Agile and DevOps teams make extensive use of open-source libraries and frameworks to reduce development time and cost. But this medal has a flip side: the chance of inheriting other people's mistakes and vulnerabilities.

Obviously, a team should make sure it knows which open-source components are included in its applications, make sure that known trusted versions are downloaded from known trusted sources, and download updated versions of components after newly discovered vulnerabilities have been fixed.

In this post we will look at using OWASP Dependency Check to fail the build if it finds serious problems in your code.

In the book "Secure Development in Agile Projects" it is described as follows. OWASP Dependency Check is a free scanner that lists all the open-source components used in an application and shows the vulnerabilities they contain. There are versions for Java, .NET, Ruby (gemspec), PHP (composer), Node.js and Python, as well as for some C/C++ projects. Dependency Check integrates with common build tools, including Ant, Maven and Gradle, and with continuous integration servers such as Jenkins.

Dependency Check reports all components with known vulnerabilities from NIST's National Vulnerability Database (NVD) and is kept up to date with data from the NVD data feeds.

Fortunately, all of this can be automated using tools such as the OWASP Dependency Check project or commercial products such as Black Duck, JFrog Xray, Snyk, Sonatype Nexus Lifecycle or SourceClear.

These tools can be built into build pipelines to automatically inventory open-source dependencies, identify outdated library versions and libraries containing known vulnerabilities, and fail the build if serious problems are identified.

OWASP Dependency Check

To test and show how Dependency Check works, we use the dependency-check-example repository.

To view the HTML report, you need to configure an nginx web server on your gitlab-runner.

Example of a minimal nginx configuration:

server {
    listen       9999;
    listen       [::]:9999;
    server_name  _;
    # the runner's build directory; autoindex exposes every checkout below it,
    # so keep this port reachable only from the internal network
    root         /home/gitlab-runner/builds;

    location / {
        autoindex on;
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

At the end of the build you can see the following picture (screenshot in the original post):

Follow the link and look at the Dependency Check report.

The first screenshot is the top part of the report with the summary.

The second screenshot shows the details of CVE-2017-5638. Here we see the CVE level and links to exploits.

The third screenshot shows the details of log4j-api-2.7.jar. We see that the CVE levels are 7.5 and 9.8.

The fourth screenshot shows the details of commons-fileupload-1.3.2.jar. We see that the CVE levels are 7.5 and 9.8.

If you want to use GitLab Pages, it will not work: a failed job does not create an artifact.

Example here: https://gitlab.com/anton_patsev/dependency-check-example-gitlab-pages.

Build output: no artifacts, I don't see the HTML report. Need to try Artifact: always

https://gitlab.com/anton_patsev/dependency-check-example-gitlab-pages/-/jobs/400004246

Controlling the CVE vulnerability level

The most important line in the .gitlab-ci.yml file:

mvn $MAVEN_CLI_OPTS test org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7

With the failBuildOnCVSS parameter you can set the CVE vulnerability level (CVSS score) that you need to react to.
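As an added example (not code from the post or from Dependency-Check), the same gate applied by hand to the JSON report the plugin writes next to the HTML one when run with -Dformat=JSON: a CI step can print which dependency and CVE tripped the threshold straight into the job log, so the finding stays visible even when the failed job publishes no artifact. The report layout (dependencies[].vulnerabilities[] with cvssv2.score / cvssv3.baseScore) and the at-or-above comparison are assumptions; the sample report is constructed and reuses the 7.5 / 9.8 scores from the screenshots with placeholder CVE ids.

```python
import json
import sys

# Constructed sample in the shape of a Dependency-Check JSON report (assumed layout:
# dependencies[].vulnerabilities[] with name, severity, cvssv2.score, cvssv3.baseScore).
# Scores copy the 7.5 / 9.8 pair from the post's screenshots; CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({"reportSchema": "1.1", "dependencies": [
    {"fileName": "log4j-api-2.7.jar", "vulnerabilities": [
        {"name": "CVE-0000-0001", "severity": "HIGH", "cvssv2": {"score": 7.5}},
        {"name": "CVE-0000-0002", "severity": "CRITICAL",
         "cvssv2": {"score": 7.5}, "cvssv3": {"baseScore": 9.8}}]},
    {"fileName": "commons-fileupload-1.3.2.jar", "vulnerabilities": [
        {"name": "CVE-0000-0003", "severity": "MEDIUM", "cvssv2": {"score": 5.0}}]},
    {"fileName": "junit-4.12.jar"},   # clean dependency: no "vulnerabilities" key
]})


def max_cvss(vuln):
    """Worst score attached to one finding (CVSSv3 or CVSSv2, whichever is higher);
    0.0 when the entry carries no numeric score, so it can never trip the gate."""
    scores = [vuln.get("cvssv3", {}).get("baseScore"), vuln.get("cvssv2", {}).get("score")]
    return max([float(s) for s in scores if s is not None] or [0.0])


def findings_at_or_above(report_json, threshold):
    """(fileName, cve, score) for every finding scoring >= threshold, worst first:
    the comparison -DfailBuildOnCVSS=<threshold> is assumed to apply when failing the build."""
    hits = []
    for dep in json.loads(report_json).get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = max_cvss(vuln)
            if score >= threshold:
                hits.append((dep["fileName"], vuln["name"], score))
    return sorted(hits, key=lambda hit: hit[2], reverse=True)


def build_should_fail(report_json, threshold=7.0):
    return bool(findings_at_or_above(report_json, threshold))


if __name__ == "__main__":
    # CI usage: python3 cvss_gate.py target/dependency-check-report.json 7
    path = sys.argv[1]
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    report = open(path).read()
    for file_name, cve, score in findings_at_or_above(report, threshold):
        print("%-32s %-16s CVSS %.1f" % (file_name, cve, score))
    sys.exit(1 if build_should_fail(report, threshold) else 0)
```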

Reducing the load on the NIST Vulnerability Database (NVD) on the Internet

You may have noticed that the NIST vulnerability database (NVD) is constantly being downloaded from the Internet (screenshot in the original post).

To download it locally, you can use the nist_data_mirror_golang utility.

Let's install and start it.

yum -y install yum-plugin-copr
yum copr enable antonpatsev/nist_data_mirror_golang
yum -y install nist-data-mirror
systemctl start nist-data-mirror

At startup nist-data-mirror downloads the NIST CVE JSON feeds to /var/www/repos/nist-data-mirror/ and refreshes the data every 24 hours.

So that Dependency-Check can download the NIST CVE JSON files from the mirror, you need to configure an nginx web server (for example, on your gitlab-runner).

Example of a minimal nginx configuration:

server {
    listen       12345;
    listen       [::]:12345;
    server_name  _;
    # directory nist-data-mirror writes the NVD JSON feeds to
    root         /var/www/repos/nist-data-mirror/;

    location / {
        autoindex on;
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

So as not to make the line where mvn is launched too long, we move the parameters into a separate variable, DEPENDENCY_OPTS.

The final minimal .gitlab-ci.yml configuration will look like this:

variables:
  MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true"
  MAVEN_CLI_OPTS: "--batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true"
  # CVSS threshold plus the local NVD mirror served by the nginx block above
  DEPENDENCY_OPTS: "-DfailBuildOnCVSS=7 -DcveUrlModified=http://localhost:12345/nvdcve-1.1-modified.json.gz -DcveUrlBase=http://localhost:12345/nvdcve-1.1-%d.json.gz"

cache:
  paths:
    - .m2/repository

verify:
  stage: test
  script:
    # keep going after a failed check so the report URL is still printed
    - set +e
    - mvn $MAVEN_CLI_OPTS install org.owasp:dependency-check-maven:check $DEPENDENCY_OPTS || EXIT_CODE=$?
    # strip the runner's builds prefix to get the path nginx serves on port 9999
    - export PATH_WITHOUT_HOME=$(pwd | sed -e "s|/home/gitlab-runner/builds||g")
    - echo "************************* URL Dependency-check-report.html *************************"
    - echo "http://$HOSTNAME:9999$PATH_WITHOUT_HOME/target/dependency-check-report.html"
    - set -e
    # re-raise the mvn result so the job still fails on findings at or above the threshold
    - exit ${EXIT_CODE:-0}
  tags:
    - shell
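The cveUrlBase pattern above hands Dependency-Check a %d placeholder that it expands to one feed file per year, and if the mirror lacks a year, or its modified feed has gone stale, the scan runs on incomplete data without complaint. As an added pre-scan check (not from the post and not part of nist_data_mirror_golang), a script a CI step can run before mvn; it assumes the feeds start at 2002, the file names above, and the mirror directory from the nginx block.

```python
import os
import tempfile
import time
from pathlib import Path

# Assumptions (not from the post): the mirror stores the NVD JSON 1.1 feeds under the
# names that the post's cveUrlBase (%d = year) and cveUrlModified patterns expand to,
# one yearly file from 2002 onward plus the "modified" feed, in the nginx root directory.
FIRST_FEED_YEAR = 2002
MIRROR_DIR = "/var/www/repos/nist-data-mirror"
MAX_AGE_SECONDS = 24 * 3600   # nist-data-mirror's own refresh interval, per the post
MODIFIED_FEED = "nvdcve-1.1-modified.json.gz"


def expected_feed_names(last_year, first_year=FIRST_FEED_YEAR):
    """Every file name the cveUrlBase and cveUrlModified settings can request."""
    yearly = ["nvdcve-1.1-%d.json.gz" % year for year in range(first_year, last_year + 1)]
    return yearly + [MODIFIED_FEED]


def mirror_problems(mirror_dir, last_year, now=None, max_age=MAX_AGE_SECONDS):
    """Feeds that are missing or empty, plus the modified feed if its mtime is older than
    max_age. An incomplete mirror makes the scan silently miss CVEs, so a non-empty
    result should stop the pipeline before mvn runs."""
    now = time.time() if now is None else now
    problems = {"missing": [], "stale": []}
    for name in expected_feed_names(last_year):
        path = Path(mirror_dir, name)
        if not path.is_file() or path.stat().st_size == 0:
            problems["missing"].append(name)
        elif name == MODIFIED_FEED and now - path.stat().st_mtime > max_age:
            problems["stale"].append(name)
    return problems


def build_sample_mirror(last_year, drop=(), modified_age=0):
    """Constructed mirror directory for demonstration: placeholder bytes instead of real
    feeds; 'drop' omits feed names, modified_age (seconds) backdates the modified feed."""
    directory = tempfile.mkdtemp(prefix="nvd-mirror-")
    for name in expected_feed_names(last_year):
        if name not in drop:
            Path(directory, name).write_bytes(b"placeholder")
    if modified_age:
        old = time.time() - modified_age
        os.utime(Path(directory, MODIFIED_FEED), (old, old))
    return directory


if __name__ == "__main__":
    print(mirror_problems(MIRROR_DIR, time.localtime().tm_year))
```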


source: www.habr.com
