CI/CD Pipeline Security & Shifting Left Part 2
As a follow-up to my previous post, I wanted to go back, remove the vulnerable code, and update the included libraries to fix any dependencies that were vulnerable.
First, let's have a look at what has changed simply with the passage of time...
Dependency-Track has not had a new SBOM for quite some time as the pipeline hasn't been run. However, it has continued to track vulnerabilities in the included components.
[Figure: Dependency-Track, Apr 23]
[Figure: Defect Dojo, Apr 23]
[Figure: Jenkins Blue Ocean pipeline]
[Figure: Postman tests passing in the Jenkins pipeline]
[Figure: Snyk results for planetary-api, Apr 23]
[Figure: Semgrep finding for Dockerfile `USER root`, Apr 23]
[Figure: Dockerfile with `USER root`]
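To make the Semgrep finding concrete, here is an added example (not the Dockerfile from the original post or project) showing the pattern Semgrep flags next to the hardened form. The base image, application entrypoint, port and the `app` user name are assumptions; the point is that the final `USER` instruction before `CMD` decides which account the container process runs as.

```dockerfile
# Added example, not the post's own Dockerfile. Base image, entrypoint, port and
# the "app" user/group name are assumptions.

# --- Pattern Semgrep reports: the service runs as root ---
# (an explicit USER root, or no USER instruction at all, has the same effect)
#
# FROM python:3.11-slim
# WORKDIR /app
# COPY . .
# RUN pip install --no-cache-dir -r requirements.txt
# USER root
# CMD ["python", "app.py"]

# --- Hardened form: build as root, then drop to an unprivileged user ---
FROM python:3.11-slim
WORKDIR /app

# Dependency install still needs root; do it before switching users.
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .

# Dedicated system account: no password, no home directory, no login shell.
RUN groupadd --system app \
    && useradd --system --gid app --no-create-home --shell /usr/sbin/nologin app \
    && chown -R app:app /app

# Everything from here on (including CMD at runtime) runs as "app".
USER app
EXPOSE 5000
CMD ["python", "app.py"]
```

After the change, `docker run --rm <image> id` should report the unprivileged uid rather than `uid=0(root)`, and re-running Semgrep over the Dockerfile should no longer report the `USER root` rule.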