The importance of analysing third-party software components (Software Composition Analysis, SCA) in the development process grows with every annual report on open source library vulnerabilities published by Synopsys, Sonatype, Snyk and WhiteSource. According to the report
One of the most illustrative cases
This article discusses the choice of a tool for SCA from the point of view of the quality of the analysis results. A functional comparison of the tools is also given. Integration into CI/CD and integration capabilities are left for the next publication. A broad list of tools is presented by OWASP
How it works
Let's look at what a CPE looks like:
cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
- part: indicates whether the component is an application (a), an operating system (o) or hardware (h) (required)
- vendor: name of the product's manufacturer (required)
- product: product name (required)
- version: component version
- update: package update
- edition: legacy edition (deprecated in CPE 2.3)
- language: language as defined in RFC 5646
- sw_edition: software edition
- target_sw: software environment in which the product runs
- target_hw: hardware environment in which the product runs
- other: vendor or product information
An example CPE looks like this:
cpe:2.3:a:pivotal_software:spring_framework:3.0.0:*:*:*:*:*:*:*
This line says that CPE version 2.3 describes an application component from vendor pivotal_software named spring_framework at version 3.0.0. If we open the vulnerability
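As an added example (not code from the article or from any of the tools it discusses), the following Python parses the thirteen-field form above and matches a component CPE against an advisory CPE together with the versionStartIncluding / versionEndExcluding bounds that NVD attaches to its match entries. The version bounds for CVE-2020-5398 are taken from the article's own summary of the NVD entry further down; the component CPE for spring_framework 3.0.5 is constructed to stand for the DVJA component under test. Only the standard library is used.

```python
"""CPE 2.3 parsing and NVD-style matching. Added example, not the article's code."""
import re

CPE_ATTRS = ("part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other")
ANY, NA = "*", "-"


def parse_cpe23(cpe: str) -> dict:
    """Return {attribute: raw value}. A colon inside a value is escaped as '\\:'
    in CPE 2.3, so split only on unescaped colons and expect exactly 13 fields."""
    fields = re.split(r"(?<!\\):", cpe.strip())
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    attrs = dict(zip(CPE_ATTRS, fields[2:]))
    if attrs["part"] not in ("a", "o", "h", ANY, NA):
        raise ValueError(f"invalid part {attrs['part']!r}")
    return attrs


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", r"\1", value)


def attr_matches(pattern: str, value: str) -> bool:
    """ANY in the advisory pattern matches everything; a literal must match
    case-insensitively. ANY on the component side means 'unknown', not a
    wildcard, so a specific pattern does not match an unknown attribute."""
    if pattern == ANY:
        return True
    return _unescape(pattern).lower() == _unescape(value).lower()


def cpe_matches(pattern: dict, target: dict) -> bool:
    return all(attr_matches(pattern[a], target[a]) for a in CPE_ATTRS)


def version_key(version: str) -> tuple:
    """Numeric-only comparison key: '5.2.3' -> (5, 2, 3), '3.0.5.RELEASE' -> (3, 0, 5)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def affected(component_cpe: str, match_entry: dict) -> bool:
    """True when the component CPE matches one NVD-style match entry of the
    form {'cpe': ..., 'start_incl': ..., 'end_excl': ...}."""
    target = parse_cpe23(component_cpe)
    if not cpe_matches(parse_cpe23(match_entry["cpe"]), target):
        return False
    if target["version"] in (ANY, NA):
        # An unknown version cannot be excluded by a range: keep it for triage.
        return True
    key = version_key(target["version"])
    lo, hi = match_entry.get("start_incl"), match_entry.get("end_excl")
    if lo is not None and key < version_key(lo):
        return False
    if hi is not None and key >= version_key(hi):
        return False
    return True


# Constructed from the article's reading of the NVD entry for CVE-2020-5398:
# 5.2.x before 5.2.3, 5.1.x before 5.1.13, 5.0.x before 5.0.16.
CVE_2020_5398_NVD = [
    {"cpe": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*",
     "start_incl": "5.2.0", "end_excl": "5.2.3"},
    {"cpe": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*",
     "start_incl": "5.1.0", "end_excl": "5.1.13"},
    {"cpe": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*",
     "start_incl": "5.0.0", "end_excl": "5.0.16"},
]


def nvd_says_affected(component_cpe: str, entries=CVE_2020_5398_NVD) -> bool:
    """Pure NVD view: does any match entry cover this component?"""
    return any(affected(component_cpe, e) for e in entries)


if __name__ == "__main__":
    spring = "cpe:2.3:a:pivotal_software:spring_framework:3.0.5:*:*:*:*:*:*:*"
    print(parse_cpe23(spring)["product"])                        # spring_framework
    print(nvd_says_affected(spring))                              # False
    print(nvd_says_affected(spring.replace("3.0.5", "5.2.2")))    # True
```

The last two calls show the mechanism behind the CVE-2020-5398 case discussed later: a tool that matches purely on NVD data reports 3.0.5 as unaffected, because no match entry covers the 3.x branch, while a curated database that states an earlier introducing version reaches a different verdict.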
Package URL (purl) is also used by SCA tools. The package URL format is as follows:
scheme:type/namespace/name@version?qualifiers#subpath
- scheme: always 'pkg', indicating that this is a package URL (required)
- type: the package "type" or "protocol", such as maven, npm, nuget, gem, pypi, etc. (required)
- namespace: a name prefix such as a Maven group ID, a Docker image owner, a GitHub user or organization. Optional and type-specific.
- name: package name (required)
- version: package version
- qualifiers: extra qualifying data for the package, such as OS, architecture, distribution, etc. Optional and type-specific.
- subpath: extra subpath within the package, relative to the package root
Examples:
pkg:golang/google.golang.org/genproto#googleapis/api/annotations
pkg:maven/org.apache.commons/io@1.3.4
pkg:pypi/django@1.11.1
An example of what a BOM may look like in XML format:
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
  <components>
    <component type="library">
      <publisher>Apache</publisher>
      <group>org.apache.tomcat</group>
      <name>tomcat-catalina</name>
      <version>9.0.14</version>
      <hashes>
        <hash alg="MD5">3942447fac867ae5cdb3229b658f4d48</hash>
        <hash alg="SHA-1">e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a</hash>
        <hash alg="SHA-256">f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b</hash>
        <hash alg="SHA-512">e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282</hash>
      </hashes>
      <licenses>
        <license>
          <id>Apache-2.0</id>
        </license>
      </licenses>
      <purl>pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14</purl>
    </component>
    <!-- More components here -->
  </components>
</bom>
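The following Python is an added example, not code from the article, CycloneDX or Dependency Track. It parses package URLs in the field order described above and audits a CycloneDX 1.2 BOM for self-consistency: the purl coordinates against <group>, <name> and <version>, and each <hash> against the digest length of its algorithm. The sample BOM reuses the tomcat-catalina entry above (hashes trimmed to MD5 and SHA-256) and adds one constructed struts-core entry with a deliberately wrong purl version and a truncated hash, so that the checks have something to catch.

```python
"""purl parsing and a CycloneDX 1.2 BOM consistency audit. Added example."""
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {"bom": "http://cyclonedx.org/schema/bom/1.2"}
HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-512": 128}


def parse_purl(purl: str) -> dict:
    """Split scheme:type/namespace/name@version?qualifiers#subpath into parts.
    Subpath, qualifiers and version are cut off the end, in that order, before
    the remaining path is split on '/'. Components are percent-decoded."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"purl must start with 'pkg:': {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest, _, subpath = rest.partition("#")
    rest, _, qualifiers = rest.partition("?")
    version = ""
    if "@" in rest:
        rest, _, version = rest.rpartition("@")
    ptype, _, path = rest.partition("/")
    segments = [s for s in path.split("/") if s]
    if not ptype or not segments:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    quals = {}
    for pair in filter(None, qualifiers.split("&")):
        key, _, value = pair.partition("=")
        quals[key.lower()] = unquote(value)
    return {
        "type": ptype.lower(),
        "namespace": "/".join(unquote(s) for s in segments[:-1]),
        "name": unquote(segments[-1]),
        "version": unquote(version),
        "qualifiers": quals,
        "subpath": unquote(subpath),
    }


def load_components(bom_xml: str) -> list:
    """One dict per <component>, with just the fields the checks need."""
    root = ET.fromstring(bom_xml)
    components = []
    for comp in root.findall("bom:components/bom:component", NS):
        def text(tag):
            el = comp.find(f"bom:{tag}", NS)
            return (el.text or "").strip() if el is not None else ""
        components.append({
            "type": comp.get("type"),
            "group": text("group"),
            "name": text("name"),
            "version": text("version"),
            "purl": text("purl"),
            "hashes": {h.get("alg"): (h.text or "").strip()
                       for h in comp.findall("bom:hashes/bom:hash", NS)},
        })
    return components


def check_component(comp: dict) -> list:
    """Problems found in one component; an empty list means it is consistent."""
    if not comp["purl"]:
        return ["no purl: purl-based analyzers cannot identify this component"]
    problems = []
    purl = parse_purl(comp["purl"])
    if purl["type"] == "maven" and (purl["namespace"], purl["name"]) != (comp["group"], comp["name"]):
        problems.append(f"purl {purl['namespace']}:{purl['name']} "
                        f"differs from group/name {comp['group']}:{comp['name']}")
    if purl["version"] != comp["version"]:
        problems.append(f"purl version {purl['version']!r} differs from <version> {comp['version']!r}")
    for alg, digest in comp["hashes"].items():
        want = HEX_LEN.get(alg)
        if want is None:
            problems.append(f"unknown hash algorithm {alg!r}")
        elif len(digest) != want or any(c not in "0123456789abcdefABCDEF" for c in digest):
            problems.append(f"{alg} value is not a {want}-character hex digest")
    return problems


def audit_bom(bom_xml: str) -> dict:
    """Map 'group:name:version' -> list of problems for every component."""
    return {f"{c['group']}:{c['name']}:{c['version']}": check_component(c)
            for c in load_components(bom_xml)}


# Constructed sample: the article's tomcat-catalina entry plus a defective one.
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1">
  <components>
    <component type="library">
      <group>org.apache.tomcat</group>
      <name>tomcat-catalina</name>
      <version>9.0.14</version>
      <hashes>
        <hash alg="MD5">3942447fac867ae5cdb3229b658f4d48</hash>
        <hash alg="SHA-256">f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b</hash>
      </hashes>
      <purl>pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14</purl>
    </component>
    <!-- constructed entry with deliberate defects: purl version and hash -->
    <component type="library">
      <group>org.apache.struts</group>
      <name>struts-core</name>
      <version>1.3.8</version>
      <hashes><hash alg="SHA-256">deadbeef</hash></hashes>
      <purl>pkg:maven/org.apache.struts/struts-core@1.3.10</purl>
    </component>
  </components>
</bom>
"""

if __name__ == "__main__":
    for coords, problems in audit_bom(SAMPLE_BOM).items():
        print(coords, "OK" if not problems else problems)
```

Purl-based analyzers (the OSS Index analyzer in Dependency Track, for instance) identify a component by its purl, so a missing purl or coordinates that disagree with it change what the analysis sees. Running a check like this over bom.xml before uploading it turns such defects into a visible error rather than a silently wrong result.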
A BOM can be used not only as input for Dependency Track, but also for documenting software components in the supply chain, for example when delivering software to a customer. In 2014, a law was also proposed in the United States
Returning to SCA: Dependency Track has ready-made integrations with notification platforms such as Slack and vulnerability management systems such as Kenna Security. It is also worth mentioning that Dependency Track, among other things, identifies outdated package versions and provides license information (thanks to SPDX support).
If we talk specifically about the quality of SCA, there is a fundamental difference.
Dependency Track does not accept a project as input, but a BOM. This means that if we want to check a project, we first need to generate a bom.xml, for example with CycloneDX. Dependency Track therefore depends directly on CycloneDX. At the same time, this allows customization. This is what the OZON team wrote
Let's summarize some of the functional features, and also look at the languages supported for analysis:
Language | Nexus IQ | Dependency Check | Dependency Track
Java | + | + | +
C/C++ | + | + | -
C# | + | + | -
.NET | + | + | +
Erlang | - | - | +
JavaScript (NodeJS) | + | + | +
PHP | + | + | +
Python | + | + | +
Ruby | + | + | +
Perl | - | - | -
Scala | + | + | +
Objective C | + | + | -
Swift | + | + | -
R | + | - | -
Go | + | + | +
Functionality
Functionality | Nexus IQ | Dependency Check | Dependency Track
Ability to check components used in the source code for license cleanliness | + | - | +
Ability to scan Docker images for vulnerabilities and license cleanliness | + (integration with Clair) | - | -
Ability to configure security policies for the use of open source libraries | + | - | -
Ability to scan open source repositories for vulnerable components | + (RubyGems, Maven, NPM, Nuget, Pypi, Conan, Bower, Conda, Go, p2, R, Yum, Helm, Docker, CocoaPods, Git LFS) | - | + (Hex, RubyGems, Maven, NPM, Nuget, Pypi)
Availability of a dedicated research team | + | - | -
Operation in a closed (air-gapped) network | + | + | +
Use of third-party vulnerability databases | + (Sonatype closed database) | + (Sonatype OSS, NPM Public Advisories) | + (Sonatype OSS, NPM Public Advisories, RetireJS, VulnDB; supports its own vulnerability database)
Ability to filter open source components against configured policies when they are pulled into the development loop | + | - | -
Remediation recommendations, availability of fix links | + | +- (depends on the public description) | +- (depends on the public description)
Ranking of found vulnerabilities by severity | + | + | +
Role-based access model | + | - | +
CLI support | + | + | +- (for CycloneDX only)
Sampling/filtering of vulnerabilities by given criteria | + | - | +
Dashboard with application status | + | - | +
Report generation in PDF format | + | - | -
Report generation in JSON/CSV format | + | + | -
Russian language support | - | - | -
Integration capabilities
Integration | Nexus IQ | Dependency Check | Dependency Track
LDAP/Active Directory integration | + | - | +
Integration with the Bamboo continuous integration system | + | - | -
Integration with the TeamCity continuous integration system | + | - | -
Integration with the GitLab continuous integration system | + | +- (as a GitLab plugin) | +
Integration with the Jenkins continuous integration system | + | + | +
Availability of IDE plugins | + (IntelliJ, Eclipse, Visual Studio) | - | -
Support for custom integration via the tool's web services (API) | + | - | +
Dependency Check
Getting started
Let's run Dependency Check on a deliberately vulnerable application
For this we will use
mvn org.owasp:dependency-check-maven:check
As a result, dependency-check-report.html appears in the target directory.
Let's open the file. After the summary of the total number of vulnerabilities, we see the vulnerabilities with a high level of Severity and Confidence, with the package, the CPE and the number of CVEs.
Next comes the detailed information, in particular the basis on which the decision was made (evidence), that is, a kind of BOM.
Then comes the description of the CPE, the PURL and the CVE. Note that remediation recommendations are not included, because the NVD database does not contain them.
To review scan results in an organized way, you can set up Nginx with a minimal configuration, or send the resulting defects to a defect management system that has a connector for Dependency Check, for example Defect Dojo.
Dependency Track
Setup
Dependency Track, in turn, is a web platform with graphs for visualization, so the pressing problem of storing defects in a third-party solution does not arise here.
The supported installation options are: Docker, WAR, Executable WAR.
Getting started
Go to the URL of the running service. Log in with admin/admin, change the login and password, and we land on the Dashboard. The next thing to do is create a project for the Java test application at Home/Projects → Create Project. Let's take DVJA as an example.
Since Dependency Track accepts only a BOM as input, this BOM has to be produced. Let's use the
mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
We get bom.xml and upload the file to the created project: DVJA → Dependencies → Upload BOM.
Let's go to Administration → Analyzers. We see that only the Internal Analyzer, which covers the NVD, is enabled. Let's also enable the Sonatype OSS Index.
As a result we get the following picture of our project:
And in the list you can find the single vulnerability that comes from Sonatype OSS:
A big disappointment was that Dependency Track no longer accepts Dependency Check XML reports. The last Dependency Check versions supported for that integration were 1.0.0 - 4.0.2, whereas I tested 5.3.2.
Here
Nexus IQ
Getting started
Nexus IQ is installed from the archive
After logging into the console, you need to create an Organization and an Application.
As you can see, the IQ setup is considerably more involved, because we also need to create policies that apply at different "stages" (dev, build, stage, release). This is needed to block vulnerable components as they move through the pipeline towards production, or to block them as soon as they enter the Nexus Repo when developers download them.
To feel the difference between open source and enterprise, let's perform the same scan with Nexus IQ in the same way, for the application dvja-test-and-compare:
mvn com.sonatype.clm:clm-maven-plugin:evaluate -Dclm.applicationId=dvja-test-and-compare -Dclm.serverUrl=<NEXUSIQIP> -Dclm.username=<USERNAME> -Dclm.password=<PASSWORD>
Follow the URL in the generated report to the IQ web interface:
Here you can see all policy violations with their different importance levels (from informational to security critical). The letter D next to a component means it is a Direct Dependency, and the letter T means it is a Transitive Dependency.
By the way, the report
If we open one of the Nexus IQ policy violations, we can see the component description and the Version Graph, which shows where the current version sits on the timeline and at which point the version stops being vulnerable. The height of the candles on the graph shows how widely each version of the component is used.
If you go to the vulnerabilities section and expand the CVE, you can read the description of the vulnerability, the remediation recommendations, and the reason this component was flagged, namely the presence of the class DiskFileitem.class.
Let's summarize only the findings that relate to third-party Java components, dropping the js components. In brackets we show the number of vulnerabilities found outside NVD.
Nexus IQ total:
- Dependencies scanned: 62
- Vulnerable dependencies: 16
- Vulnerabilities found: 42 (8 from the Sonatype db)
Dependency Check total:
- Dependencies scanned: 47
- Vulnerable dependencies: 13
- Vulnerabilities found: 91 (14 from Sonatype OSS)
Dependency Track total:
- Dependencies scanned: 59
- Vulnerable dependencies: 10
- Vulnerabilities found: 51 (1 from Sonatype OSS)
In the next steps we analyse the results and find out which of these vulnerabilities are real and which are false positives.
Disclaimer
This review is not an indisputable truth. The author did not set out to promote one tool at the expense of the others. The purpose of the review is to show how SCA tools work and how their results can be checked.
Comparison of results
Conditions:
A false positive for a third-party component vulnerability is one of the following:
- The CVE does not match the identified component
  - For example, if a vulnerability exists in the struts2 framework and the tool points at the struts-tiles component, to which this vulnerability does not apply, this is a false positive.
- The CVE does not match the identified version of the component
  - For example, the vulnerability applies to python versions > 3.5 and the tool marks version 2.7 as vulnerable; this is a false positive, since in reality the vulnerability applies only to the 3.x branch of the product.
- Duplicate CVE
  - For example, the SCA reports a CVE that allows RCE, and then reports a second CVE for the same component that concerns Cisco products affected by that RCE. The second one is a false positive.
  - For example, a CVE is found in the spring-web component, after which the SCA attributes the same CVE to other Spring Framework components, although the CVE has nothing to do with those components. That is a false positive.
The object of study was the Open Source project DVJA. The study covers only the Java components (excluding js).
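To make the criteria above repeatable, here is an added Python example (not code from the article or from any of the three tools) that applies the component-mismatch and version-mismatch criteria to findings from several tools and writes a Dependency Check suppression file for the rejected ones. The advisory table is analyst-curated and contains only facts the article itself states: which artifact each CVE belongs to and, where the article gives them, the version bounds (CVE-2016-4003 fixed in 2.3.28; CVE-2019-10086 only in 1.9.2+). The findings list is constructed to mirror rows of Appendix B. The suppression schema URL is assumed from the Dependency Check documentation for the 5.x line; verify it against the version you run.

```python
"""Triage SCA findings and emit a Dependency Check suppression file. Added example."""
import re
import xml.etree.ElementTree as ET

# Minimal coordinate extraction: type/namespace/name@version is all the triage needs.
PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?:(?P<ns>.+)/)?(?P<name>[^/@?#]+)@(?P<version>[^?#]+)")

# Analyst-curated: which artifactIds the advisory really concerns, and the
# affected bounds (start_incl, end_excl); None where the article gives no bound.
ADVISORIES = {
    "CVE-2016-4003": {"artifacts": {"struts2-core"}, "affected": (None, "2.3.28")},        # fixed in 2.3.28
    "CVE-2019-10086": {"artifacts": {"commons-beanutils"}, "affected": ("1.9.2", None)},   # only 1.9.2+
    "CVE-2013-4152": {"artifacts": {"spring-web"}, "affected": None},
    "CVE-2012-0394": {"artifacts": {"struts2-core"}, "affected": None},
    "CVE-2017-5638": {"artifacts": {"struts2-core"}, "affected": None},
}

FINDINGS = [  # (tool, purl, cve): constructed sample input
    ("dependency-check", "pkg:maven/org.apache.struts/struts-tiles@1.3.8", "CVE-2012-0394"),
    ("dependency-check", "pkg:maven/org.springframework/spring-core@3.0.5", "CVE-2013-4152"),
    ("dependency-track", "pkg:maven/org.springframework/spring-web@3.0.5", "CVE-2013-4152"),
    ("dependency-check", "pkg:maven/commons-beanutils/commons-beanutils@1.7.0", "CVE-2019-10086"),
    ("nexus-iq", "pkg:maven/org.apache.struts/struts2-core@2.3.30", "CVE-2016-4003"),
    ("nexus-iq", "pkg:maven/org.apache.struts/struts2-core@2.3.30", "CVE-2017-5638"),
    ("dependency-track", "pkg:maven/org.apache.struts/struts2-core@2.3.30", "CVE-2017-5638"),
]


def version_key(version: str) -> tuple:
    return tuple(int(n) for n in re.findall(r"\d+", version))


def in_range(version: str, bounds) -> bool:
    """False only when a known bound excludes the version; no bound, no rejection."""
    if bounds is None:
        return True
    lo, hi = bounds
    key = version_key(version)
    if lo is not None and key < version_key(lo):
        return False
    if hi is not None and key >= version_key(hi):
        return False
    return True


def triage(findings) -> list:
    """Return (tool, purl, cve, verdict, reason) per finding.
    FALSE: component mismatch or version outside the affected range;
    TRUE: both match; REVIEW: no curated data, a human has to look."""
    rows = []
    for tool, purl, cve in findings:
        m = PURL_RE.match(purl)
        if m is None:
            raise ValueError(f"cannot read coordinates from {purl!r}")
        name, version = m["name"], m["version"]
        adv = ADVISORIES.get(cve)
        if adv is None:
            rows.append((tool, purl, cve, "REVIEW", "no curated advisory data"))
        elif name not in adv["artifacts"]:
            rows.append((tool, purl, cve, "FALSE",
                         f"{cve} concerns {', '.join(sorted(adv['artifacts']))}, not {name}"))
        elif not in_range(version, adv["affected"]):
            rows.append((tool, purl, cve, "FALSE", f"{version} is outside the affected range"))
        else:
            rows.append((tool, purl, cve, "TRUE", "component and version match the advisory"))
    return rows


def suppression_xml(rows) -> str:
    """Dependency Check suppression file covering every FALSE verdict. Each entry is
    pinned to the exact purl (no regex), so a version bump brings the finding back
    for a fresh triage instead of staying silently suppressed."""
    root = ET.Element("suppressions",
                      xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd")
    seen = set()
    for tool, purl, cve, verdict, reason in rows:
        if verdict != "FALSE" or (purl, cve) in seen:
            continue
        seen.add((purl, cve))
        sup = ET.SubElement(root, "suppress")
        ET.SubElement(sup, "notes").text = f"{reason} (reported by {tool})"
        ET.SubElement(sup, "packageUrl").text = purl
        ET.SubElement(sup, "cve").text = cve
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    verdicts = triage(FINDINGS)
    for row in verdicts:
        print(*row, sep=" | ")
    print(suppression_xml(verdicts))
```

The duplicate-CVE criterion is covered by the same table: a CVE attributed to a second component of the same framework fails the artifact check, and two tools reporting the same CVE on the same coordinates produce one suppression entry. The notes element records why each finding was rejected, which is what the next reviewer needs when the suppression file is revisited.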
Summary results
Let's go straight to the results of the manual review of the identified vulnerabilities. The full report for each CVE is in the Appendix.
Summary for all vulnerabilities:
Parameter | Nexus IQ | Dependency Check | Dependency Track
Total vulnerabilities identified | 42 | 91 | 51
Incorrectly identified vulnerabilities (false positives) | 2 (4.76%) | 62 (68.13%) | 29 (56.86%)
Relevant vulnerabilities not found (false negatives) | 10 | 20 | 27
Summary by component:
Parameter | Nexus IQ | Dependency Check | Dependency Track
Total components identified | 62 | 47 | 59
Total vulnerable components | 16 | 13 | 10
Vulnerable components incorrectly identified (false positives) | 1 | 5 | 0
Vulnerable components not identified (false negatives) | 0 | 6 | 6
Let's build graphs to visualize the share of false positives and false negatives in the total number of vulnerabilities. Components are plotted horizontally, and the vulnerabilities identified in them vertically.
For comparison, a similar study was done by the Sonatype team, which checked a project of 1531 components with OWASP Dependency Check. As we can see, the ratio of noise to correct answers is similar to our results.
Source:
Let's look at some of the CVEs from our scan results to understand the reasons behind these numbers.
More details
No. 1
First, let's look at some interesting points about Sonatype Nexus IQ.
Nexus IQ identified a deserialization problem with the possibility of RCE in Spring Framework several times: CVE-2016-1000027 in spring-web:3.0.5, and CVE-2011-2894 in both spring-context:3.0.5 and spring-core:3.0.5. At first glance it looks as if one vulnerability is duplicated across several CVEs, because if you look up CVE-2016-1000027 and CVE-2011-2894 in the NVD database, everything seems obvious.
Component | Vulnerability
spring-web:3.0.5 | CVE-2016-1000027
spring-context:3.0.5 | CVE-2011-2894
spring-core:3.0.5 | CVE-2011-2894
CVE-2011-2894 itself is quite well known. In the report the vulnerability is in RemoteInvocationSerializingExporter, and in CVE-2011-2894 it is seen in HttpInvokerServiceExporter. Here is what Nexus IQ tells us:
However, there is nothing like this in NVD, which is why Dependency Check and Dependency Track each score a false negative.
And from the description of CVE-2011-2894 it can be understood that the vulnerability is indeed present in both spring-context:3.0.5 and spring-core:3.0.5. Confirmation of this can be found in the article by the person who discovered the vulnerability.
No. 2
Component | Vulnerability | Result
struts2-core:2.3.30 | CVE-2016-4003 | FALSE
If we read about CVE-2016-4003, we learn that it was fixed in version 2.3.28; nevertheless, Nexus IQ reports it. There is a note in the vulnerability description:
That is, the vulnerability exists only in combination with an old JRE version, which they decided to warn us about. Nevertheless, we count this as a False Positive, although not the worst kind.
No. 3
Component | Vulnerability | Result
xwork-core:2.3.30 | CVE-2017-9804 | TRUE
xwork-core:2.3.30 | CVE-2017-7672 | FALSE
If we look at the descriptions of CVE-2017-9804 and CVE-2017-7672, we see that the problem is in the URLValidator class, and that CVE-2017-9804 stems from CVE-2017-7672. The second vulnerability carries no payload beyond the fact that the severity rose to High, so we can consider it unnecessary noise.
In total, no other false positives were found in Nexus IQ.
No. 4
There are a few things that make IQ stand out from the other solutions.
Component | Vulnerability | Result
spring-web:3.0.5 | CVE-2020-5398 | TRUE
The NVD entry for this CVE says it applies only to 5.2.x before 5.2.3, 5.1.x before 5.1.13, and 5.0.x before 5.0.16; however, if we look at the CVE description in Nexus IQ, we see the following:
"Advisory Deviation Notice: The Sonatype security research team discovered that this vulnerability was introduced in version 3.0.2.RELEASE and not 5.0.x as stated in the advisory."
This is followed by a PoC for the vulnerability, which states that it is present in version 3.0.5.
Dependency Check and Dependency Track each get a false negative here.
No. 5
Let's look at the false positives of Dependency Check and Dependency Track.
Dependency Check stands out in that it reports CVEs that NVD assigns to the whole framework against components to which those CVEs do not apply. This concerns CVE-2012-0394, CVE-2013-2115, CVE-2014-0114, CVE-2015-0899, CVE-2015-2992, CVE-2016-1181 and CVE-2016-1182 "found" in struts-taglib:1.3.8 and struts-tiles-1.3.8. These components have nothing to do with what the CVEs describe: request processing, page validation and so on. The only thing these CVEs and these components share is the framework, which is why Dependency Check considers them vulnerable.
The same happens with spring-tx:3.0.5, and similarly with struts-core:1.3.8. For struts-core, Dependency Check and Dependency Track found many vulnerabilities that apply to struts2-core, which is a different framework. Here Nexus IQ read the picture correctly and, in the CVEs it did report, indicated that struts-core had reached end of life and that a migration to struts2-core was needed.
No. 6
In some cases it would be wrong to treat a Dependency Check or Dependency Track finding as an obvious error. In particular, CVE-2013-4152, CVE-2013-6429, CVE-2013-6430, CVE-2013-7315, CVE-2014-0054 and CVE-2014-0225, which Dependency Check and Dependency Track attributed to spring-core:3.0.5, actually belong to spring-web:3.0.5. Some of these CVEs were also found by Nexus IQ, but IQ assigned them to the right component. Since these vulnerabilities were not found in spring-core, one cannot say they are absent from the framework as a whole, and the open source tools did point at real vulnerabilities (they were just slightly off target).
Findings
As we can see, judging the validity of the identified vulnerabilities by manual review does not give unambiguous results, which is why debatable cases arise. The outcome is that the Nexus IQ solution has by far the lowest number of false positives and the highest accuracy.
This is first of all because the Sonatype team extends the description of each CVE from NVD in its own database, narrowing the vulnerability of a specific component version down to the class or function and carrying out additional research (for example, checking whether the vulnerability exists in older versions of the software).
The results are also strongly influenced by vulnerabilities that are not in NVD but are present in the Sonatype database under the SONATYPE marker. According to the report
As a result, Dependency Check generates a lot of noise and misses some vulnerable components. Dependency Track generates less noise and finds a large number of components, which is easy on the eye in the web interface.
However, practice shows that open source tools should be the first steps towards mature DevSecOps. The first thing to think about when integrating SCA into development is process: together with management and the related departments, work out what the right processes should look like in your organization. It may turn out that in your organization Dependency Check or Dependency Track initially covers all business needs, and the Enterprise solutions become a logical continuation as the complexity of the applications being developed grows.
Appendix A: Results by component
Legend:
- High - a vulnerability of high or critical severity in the component
- Medium - a vulnerability of medium severity in the component
- TRUE - true positive
- FALSE - false positive
Component | Nexus IQ | Dependency Check | Dependency Track | Result
dom4j:1.6.1 | High | High | High | TRUE
log4j-core:2.3 | High | High | High | TRUE
log4j:1.2.14 | High | High | - | TRUE
commons-collections:3.1 | High | High | High | TRUE
commons-fileupload:1.3.2 | High | High | High | TRUE
commons-beanutils:1.7.0 | High | High | High | TRUE
commons-codec:1.10 | Medium | - | - | TRUE
mysql-connector-java:5.1.42 | High | High | High | TRUE
spring-expression:3.0.5 | High | component not found | - | TRUE
spring-web:3.0.5 | High | component not found | High | TRUE
spring-context:3.0.5 | Medium | component not found | - | TRUE
spring-core:3.0.5 | Medium | High | High | TRUE
struts2-config-browser-plugin:2.3.30 | Medium | - | - | TRUE
spring-tx:3.0.5 | - | High | - | FALSE
struts-core:1.3.8 | High | High | High | TRUE
xwork-core:2.3.30 | High | - | - | TRUE
struts2-core:2.3.30 | High | High | High | TRUE
struts-taglib:1.3.8 | - | High | - | FALSE
struts-tiles-1.3.8 | - | High | - | FALSE
Appendix B: Results by vulnerability
Legend:
- High - a vulnerability of high or critical severity in the component
- Medium - a vulnerability of medium severity in the component
- TRUE - true positive
- FALSE - false positive
Component | Nexus IQ | Dependency Check | Dependency Track | Severity | Result | Comment
dom4j:1.6.1 | CVE-2018-1000632 | CVE-2018-1000632 | CVE-2018-1000632 | High | TRUE |
dom4j:1.6.1 | CVE-2020-10683 | CVE-2020-10683 | CVE-2020-10683 | High | TRUE |
log4j-core:2.3 | CVE-2017-5645 | CVE-2017-5645 | CVE-2017-5645 | High | TRUE |
log4j-core:2.3 | CVE-2020-9488 | CVE-2020-9488 | CVE-2020-9488 | Low | TRUE |
log4j:1.2.14 | CVE-2019-17571 | CVE-2019-17571 | - | High | TRUE |
log4j:1.2.14 | - | CVE-2020-9488 | - | Low | TRUE |
log4j:1.2.14 | SONATYPE-2010-0053 | - | - | High | TRUE |
commons-collections:3.1 | - | CVE-2015-6420 | CVE-2015-6420 | High | FALSE | Duplicate of the RCE (OSSINDEX) entry
commons-collections:3.1 | - | CVE-2017-15708 | CVE-2017-15708 | High | FALSE | Duplicate of the RCE (OSSINDEX) entry
commons-collections:3.1 | SONATYPE-2015-0002 | RCE (OSSINDEX) | RCE (OSSINDEX) | High | TRUE |
commons-fileupload:1.3.2 | CVE-2016-1000031 | CVE-2016-1000031 | CVE-2016-1000031 | High | TRUE |
commons-fileupload:1.3.2 | SONATYPE-2014-0173 | - | - | Medium | TRUE |
commons-beanutils:1.7.0 | CVE-2014-0114 | CVE-2014-0114 | CVE-2014-0114 | High | TRUE |
commons-beanutils:1.7.0 | - | CVE-2019-10086 | CVE-2019-10086 | High | FALSE | The vulnerability applies only to versions 1.9.2+
commons-codec:1.10 | SONATYPE-2012-0050 | - | - | Medium | TRUE |
mysql-connector-java:5.1.42 | CVE-2018-3258 | CVE-2018-3258 | CVE-2018-3258 | High | TRUE |
mysql-connector-java:5.1.42 | CVE-2019-2692 | CVE-2019-2692 | - | Medium | TRUE |
mysql-connector-java:5.1.42 | - | CVE-2020-2875 | - | Medium | FALSE | The same vulnerability as CVE-2019-2692, but with the note "attacks may significantly impact additional products"
mysql-connector-java:5.1.42 | - | CVE-2017-15945 | - | High | FALSE | Not related to mysql-connector-java
mysql-connector-java:5.1.42 | - | CVE-2020-2933 | - | Low | FALSE | Duplicate of CVE-2020-2934
mysql-connector-java:5.1.42 | CVE-2020-2934 | CVE-2020-2934 | - | Medium | TRUE |
spring-expression:3.0.5 | CVE-2018-1270 | component not found | - | High | TRUE |
spring-expression:3.0.5 | CVE-2018-1257 | - | - | Medium | TRUE |
spring-web:3.0.5 | CVE-2016-1000027 | component not found | - | High | TRUE |
spring-web:3.0.5 | CVE-2014-0225 | - | CVE-2014-0225 | High | TRUE |
spring-web:3.0.5 | CVE-2011-2730 | - | - | High | TRUE |
spring-web:3.0.5 | - | - | CVE-2013-4152 | Medium | TRUE |
spring-web:3.0.5 | CVE-2018-1272 | - | - | High | TRUE |
spring-web:3.0.5 | CVE-2020-5398 | - | - | High | TRUE | An illustrative example in favour of IQ: "The Sonatype security research team discovered that this vulnerability was introduced in version 3.0.2.RELEASE and not 5.0.x as stated in the advisory."
spring-web:3.0.5 | CVE-2013-6429 | - | - | Medium | TRUE |
spring-web:3.0.5 | CVE-2014-0054 | - | CVE-2014-0054 | Medium | TRUE |
spring-web:3.0.5 | CVE-2013-6430 | - | - | Medium | TRUE |
spring-context:3.0.5 | CVE-2011-2894 | component not found | - | Medium | TRUE |
spring-core:3.0.5 | - | CVE-2011-2730 | CVE-2011-2730 | High | TRUE |
spring-core:3.0.5 | CVE-2011-2894 | CVE-2011-2894 | CVE-2011-2894 | Medium | TRUE |
spring-core:3.0.5 | - | - | CVE-2013-4152 | Medium | FALSE | Duplicate of the same vulnerability in spring-web
spring-core:3.0.5 | - | CVE-2013-4152 | - | Medium | FALSE | The vulnerability relates to the spring-web component
spring-core:3.0.5 | - | CVE-2013-6429 | CVE-2013-6429 | Medium | FALSE | The vulnerability relates to the spring-web component
spring-core:3.0.5 | - | CVE-2013-6430 | - | Medium | FALSE | The vulnerability relates to the spring-web component
spring-core:3.0.5 | - | CVE-2013-7315 | CVE-2013-7315 | Medium | FALSE | SPLIT from CVE-2013-4152; the vulnerability relates to the spring-web component
spring-core:3.0.5 | - | CVE-2014-0054 | CVE-2014-0054 | Medium | FALSE | The vulnerability relates to the spring-web component
spring-core:3.0.5 | - | CVE-2014-0225 | - | High | FALSE | The vulnerability relates to the spring-web component
spring-core:3.0.5 | - | - | CVE-2014-0225 | High | FALSE | Duplicate of the same vulnerability in spring-web
spring-core:3.0.5 | - | CVE-2014-1904 | CVE-2014-1904 | Medium | FALSE | The vulnerability relates to the spring-web-mvc component
spring-core:3.0.5 | - | CVE-2014-3625 | CVE-2014-3625 | Medium | FALSE | The vulnerability relates to the spring-web-mvc component
spring-core:3.0.5 | - | CVE-2016-9878 | CVE-2016-9878 | High | FALSE | The vulnerability relates to the spring-web-mvc component
spring-core:3.0.5 | - | CVE-2018-1270 | CVE-2018-1270 | High | FALSE | Belongs to spring-expression/spring-messaging
spring-core:3.0.5 | - | CVE-2018-1271 | CVE-2018-1271 | Medium | FALSE | The vulnerability relates to the spring-web-mvc component
spring-core:3.0.5 | - | CVE-2018-1272 | CVE-2018-1272 | High | TRUE |
spring-core:3.0.5 | CVE-2014-3578 | CVE-2014-3578 (OSSINDEX) | CVE-2014-3578 | Medium | TRUE |
spring-core:3.0.5 | SONATYPE-2015-0327 | - | - | Low | TRUE |
struts2-config-browser-plugin:2.3.30 | SONATYPE-2016-0104 | - | - | Medium | TRUE |
spring-tx:3.0.5 | - | CVE-2011-2730 | - | High | FALSE | The vulnerability does not apply to spring-tx
spring-tx:3.0.5 | - | CVE-2011-2894 | - | High | FALSE | The vulnerability does not apply to spring-tx
spring-tx:3.0.5 | - | CVE-2013-4152 | - | Medium | FALSE | The vulnerability does not apply to spring-tx
spring-tx:3.0.5 | - | CVE-2013-6429 | - | Medium | FALSE | The vulnerability does not apply to spring-tx
spring-tx:3.0.5 | - | CVE-2013-6430 | - | Medium | FALSE | The vulnerability does not apply to spring-tx
spring-tx:3.0.5 | - | CVE-2013-7315 | - | Medium | FALSE | The vulnerability does not apply to spring-tx
spring-tx:3.0.5 | - | CVE-2014-0054 | - | Medium | FALSE | The vulnerability does not apply to spring-tx
spring-tx:3.0.5 | - | CVE-2014-0225 | - | High | FALSE | The vulnerability does not apply to spring-tx
spring-tx:3.0.5 | - | CVE-2014-1904 | - | Medium | FALSE | The vulnerability does not apply to spring-tx
spring-tx:3.0.5 | - | CVE-2014-3625 | - | Medium | FALSE | The vulnerability does not apply to spring-tx
spring-tx:3.0.5 | - | CVE-2016-9878 | - | High | FALSE | The vulnerability does not apply to spring-tx
spring-tx:3.0.5 | - | CVE-2018-1270 | - | High | FALSE | The vulnerability does not apply to spring-tx
spring-tx:3.0.5 | - | CVE-2018-1271 | - | Medium | FALSE | The vulnerability does not apply to spring-tx
spring-tx:3.0.5 | - | CVE-2018-1272 | - | Medium | FALSE | The vulnerability does not apply to spring-tx
struts-core:1.3.8 | - | CVE-2011-5057 (OSSINDEX) | - | Medium | FALSE | Struts 2 vulnerability
struts-core:1.3.8 | - | CVE-2012-0391 (OSSINDEX) | CVE-2012-0391 | High | FALSE | Struts 2 vulnerability
struts-core:1.3.8 | - | CVE-2014-0094 (OSSINDEX) | CVE-2014-0094 | Medium | FALSE | Struts 2 vulnerability
struts-core:1.3.8 | - | CVE-2014-0113 (OSSINDEX) | CVE-2014-0113 | High | FALSE | Struts 2 vulnerability
struts-core:1.3.8 | CVE-2016-1182 | CVE-2016-1182 | - | High | TRUE |
struts-core:1.3.8 | - | - | CVE-2011-5057 | Medium | FALSE | Struts 2 vulnerability
struts-core:1.3.8 | - | CVE-2012-0392 (OSSINDEX) | CVE-2012-0392 | High | FALSE | Struts 2 vulnerability
struts-core:1.3.8 | - | CVE-2012-0393 (OSSINDEX) | CVE-2012-0393 | Medium | FALSE | Struts 2 vulnerability
struts-core:1.3.8 | CVE-2015-0899 | CVE-2015-0899 | - | High | TRUE |
struts-core:1.3.8 | - | CVE-2012-0394 | CVE-2012-0394 | Medium | FALSE | Struts 2 vulnerability
struts-core:1.3.8 | - | CVE-2012-0838 (OSSINDEX) | CVE-2012-0838 | High | FALSE | Struts 2 vulnerability
struts-core:1.3.8 | - | CVE-2013-1965 (OSSINDEX) | CVE-2013-1965 | High | FALSE | Struts 2 vulnerability
struts-core:1.3.8 | - | CVE-2013-1966 (OSSINDEX) | CVE-2013-1966 | High | FALSE | Struts 2 vulnerability
struts-core:1.3.8 | - | CVE-2013-2115 | CVE-2013-2115 | High | FALSE | Struts 2 vulnerability
struts-core:1.3.8 | - | CVE-2013-2134 (OSSINDEX) | CVE-2013-2134 | High | FALSE | Struts 2 vulnerability
struts-core:1.3.8 | - | CVE-2013-2135 (OSSINDEX) | CVE-2013-2135 | High | FALSE | Struts 2 vulnerability
struts-core:1.3.8 | CVE-2014-0114 | CVE-2014-0114 | - | High | TRUE |
struts-core:1.3.8 | - | CVE-2015-2992 | CVE-2015-2992 | Medium | FALSE | Struts 2 vulnerability
struts-core:1.3.8 | - | CVE-2016-0785 (OSSINDEX) | CVE-2016-0785 | High | FALSE | Struts 2 vulnerability
struts-core:1.3.8 | CVE-2016-1181 | CVE-2016-1181 | - | High | TRUE |
struts-core:1.3.8 | - | CVE-2016-4003 (OSSINDEX) | CVE-2016-4003 | High | FALSE | Struts 2 vulnerability
xwork-core:2.3.30 | CVE-2017-9804 | - | - | High | TRUE |
xwork-core:2.3.30 | SONATYPE-2017-0173 | - | - | High | TRUE |
xwork-core:2.3.30 | CVE-2017-7672 | - | - | High | FALSE | Duplicate of CVE-2017-9804
xwork-core:2.3.30 | SONATYPE-2016-0127 | - | - | High | TRUE |
struts2-core:2.3.30 | - | CVE-2016-6795 | CVE-2016-6795 | High | TRUE |
struts2-core:2.3.30 | - | CVE-2017-9787 | CVE-2017-9787 | High | TRUE |
struts2-core:2.3.30 | - | CVE-2017-9791 | CVE-2017-9791 | High | TRUE |
struts2-core:2.3.30 | - | CVE-2017-9793 | - | High | FALSE | Duplicate of CVE-2018-1327
struts2-core:2.3.30 | - | CVE-2017-9804 | - | High | TRUE |
struts2-core:2.3.30 | - | CVE-2017-9805 | CVE-2017-9805 | High | TRUE |
struts2-core:2.3.30 | CVE-2016-4003 | - | - | Medium | FALSE | Applies to Apache Struts 2.x up to 2.3.28, whereas this is version 2.3.30. However, according to the description, the CVE applies to any Struts 2 version if JRE 1.7 or lower is used. Apparently they decided to play it safe here, but it looks like FALSE
struts2-core:2.3.30 | - | CVE-2018-1327 | CVE-2018-1327 | High | TRUE |
struts2-core:2.3.30 | CVE-2017-5638 | CVE-2017-5638 | CVE-2017-5638 | High | TRUE | The same vulnerability exploited in the Equifax breach in 2017
struts2-core:2.3.30 | CVE-2017-12611 | CVE-2017-12611 | - | High | TRUE |
struts2-core:2.3.30 | CVE-2018-11776 | CVE-2018-11776 | CVE-2018-11776 | High | TRUE |
struts-taglib:1.3.8 | - | CVE-2012-0394 | - | Medium | FALSE | Belongs to struts2-core
struts-taglib:1.3.8 | - | CVE-2013-2115 | - | High | FALSE | Belongs to struts2-core
struts-taglib:1.3.8 | - | CVE-2014-0114 | - | High | FALSE | Belongs to commons-beanutils
struts-taglib:1.3.8 | - | CVE-2015-0899 | - | High | FALSE | Not applicable to taglib
struts-taglib:1.3.8 | - | CVE-2015-2992 | - | Medium | FALSE | Refers to struts2-core
struts-taglib:1.3.8 | - | CVE-2016-1181 | - | High | FALSE | Not applicable to taglib
struts-taglib:1.3.8 | - | CVE-2016-1182 | - | High | FALSE | Not applicable to taglib
struts-tiles-1.3.8 | - | CVE-2012-0394 | - | Medium | FALSE | Belongs to struts2-core
struts-tiles-1.3.8 | - | CVE-2013-2115 | - | High | FALSE | Belongs to struts2-core
struts-tiles-1.3.8 | - | CVE-2014-0114 | - | High | FALSE | Belongs to commons-beanutils
struts-tiles-1.3.8 | - | CVE-2015-0899 | - | High | FALSE | Not applicable to tiles
struts-tiles-1.3.8 | - | CVE-2015-2992 | - | Medium | FALSE | Belongs to struts2-core
struts-tiles-1.3.8 | - | CVE-2016-1181 | - | High | FALSE | Not applicable to taglib
struts-tiles-1.3.8 | - | CVE-2016-1182 | - | High | FALSE | Not applicable to taglib
Source: www.habr.com