CI/CD Pipeline Security & Shifting Left Part 2

 A follow-up to my previous post I wanted to go back and remove the vulnerable code from  and update the included libraries to fix any dependencies that were vulnerable. 

First, let's have a look at what has changed simply with the passage of time...

Dependency-Track has not had a new SBOM for quite some time as the pipeline hasn't been run.  However, it has continued to track vulnerabilities in the included components.

Dependency-Track Apr 23
The summary view shows the included versions with the number of vulnerabilities by severity.

Not only has Dependency-Track continued to do it's job quietly in the background but it has also been updating Defect Dojo as new vulnerabilities have been notified through it's vulnerability database feeds. 

Defect Dojo Apr 23
All of this happens based on the last SBOM ingested by Dependency-Track. Even if the pipeline has not been run in years and no new SBOM produced, it will continue to surface new vulnerabilities in the software components included as they are announced.

I corrected all of the vulnerable code and the pipeline ran all the tests.
Jenkins Blue Ocean Pipeline
All the tests now pass since the vulnerable code was mitigated with improved versions. 
Postman Tests Pass in Jenkins pipeline

As in the previous post I run Snyk integrated into the PyCharm IDE and I can view the results in the Snyk portal for my project. 
Snyk Planetary-api Apr 23
I have already updated the version of Python in my Dockerfile:

Note: There is still one issue with this Dockerfile. Next, I updated all the dependencies in the requirements.txt file using the python convention "~=" to specify the highest compatible version instead of a fixed version as I had before using "==". 

When the update is committed and pushed to GitHub the pipeline runs and a new SBOM is pushed to Dependency-Track.
Dependency-Track fixed dependencies Apr23

As can be seen, all dependencies remediated. 

Semgrep finds the final issue in the Dockerfile where the last user of the container is "root".

Semgrep Dockerfile USER root Apr23
Clicking on the link takes us to a detail view showing the offending line.
Dockerfile user root

Obviously this is something that could be fixed with a little work and moving the port number out of the ephemeral range. 

I just wanted to show how each security tool plays it's part in remediating those issues.

Comments

Post a Comment

Popular posts from this blog

Squid Proxy with SOF-ELK Part 1

Image
In this post I wanted show how a Squid Proxy could be used with OpenDNS to provide a simple but effective security for home  or small business. This blog post was inspired by the SANS course SEC530 Security Architecture & Engineering  which leads to the GIAC Defensible Security Architecture (GDSA) certification. This is a great course for anyone looking to develop and improve their 'full stack' defensive posture.  Monitoring is by courtesy of SOF-ELK , one of the many tools by those nice people at SANS .  SOF-ELK is used in a few SANS course including FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response ,  and SEC555 SIEM with Tactical Analytics . OpenDNS Enterprise is now Cisco Umbrella , however, the OpenDNS Home service is available for free and small businesses can use the Prosumer services for a modest fee. The fist step is to install a CentOS 7 minimal and then apply the latest updates. In order to use the OpenDNS Hom...
Read more

Squid Proxy with SOF-ELK Part 2 Analysis

Image
Firstly, I’m happy to report that I received a SANS SEC530 Red Challenge Coin for submitting a blog post that builds upon the SEC530 course subject matter for Squid Proxy with SOF-ELK Part 1 . Thank you very much  Justin Henderson and Ismael Valenzuela for the coin. Analysis In this post I wanted to go a little deeper into how to analyse Squid logs collected in SOF-ELK and develop some potential security use cases.  In Part 1 we configured Squid to use OpenDNS Home edition to block access to sites that were undesirable such as Gambling site and sites known to serve Malware. We also configured Kibana to show meaningful block codes rather than just the IP address that OpenDNS redirected them to when a user visited a blocked site. From the users perspective they will see a blocked message from OpenDNS like this: On SOF-ELK we can see the details of the block browsing as shown here: We can use the block type to create a visualisation to examine which type of block is prevalent ...
Read more

Netflow analysis with SiLK - Part 1 Installation

Image
About netsa SiLK SiLK provides a way to capture netflow and interrogate flow data. It can be used for a variety of purposes including situational awareness, forensics and anomaly detection. Installing SiLK Prerequisites Before installing SiLK examine the perquisites for the build. I’m using CentOS 6.3 minimal install with a virtual machine disk of 100GB in total with a separate partition for /data of about 60GB. The virtual machine will be allocated 4GB of RAM and 2 virtual processors. Configure the network settings for your lab environment. In order to use YUM for installing software the the lab system will require access to the Internet. Download the following source code files from the netsa CERT project home page libfixbuf-1.2.0.tar.gz netsa-python-1.3.tar.gz silk-2.5.0.tar.gz yaf-2.3.2.tar.gz Copy the required packages to the /usr/local/src directory. If you are using scp to copy over the packages dont’ forget ‘yum install openssh-clients’ first on the serv...
Read more