CI/CD Pipeline Security & Shifting Left Part 2

 A follow-up to my previous post I wanted to go back and remove the vulnerable code from  and update the included libraries to fix any dependencies that were vulnerable. 

First, let's have a look at what has changed simply with the passage of time...

Dependency-Track has not had a new SBOM for quite some time as the pipeline hasn't been run.  However, it has continued to track vulnerabilities in the included components.

Dependency-Track Apr 23
The summary view shows the included versions with the number of vulnerabilities by severity.

Not only has Dependency-Track continued to do it's job quietly in the background but it has also been updating Defect Dojo as new vulnerabilities have been notified through it's vulnerability database feeds. 

Defect Dojo Apr 23
All of this happens based on the last SBOM ingested by Dependency-Track. Even if the pipeline has not been run in years and no new SBOM produced, it will continue to surface new vulnerabilities in the software components included as they are announced.

I corrected all of the vulnerable code and the pipeline ran all the tests.
Jenkins Blue Ocean Pipeline
All the tests now pass since the vulnerable code was mitigated with improved versions. 
Postman Tests Pass in Jenkins pipeline

As in the previous post I run Snyk integrated into the PyCharm IDE and I can view the results in the Snyk portal for my project. 
Snyk Planetary-api Apr 23
I have already updated the version of Python in my Dockerfile:

Note: There is still one issue with this Dockerfile. Next, I updated all the dependencies in the requirements.txt file using the python convention "~=" to specify the highest compatible version instead of a fixed version as I had before using "==". 

When the update is committed and pushed to GitHub the pipeline runs and a new SBOM is pushed to Dependency-Track.
Dependency-Track fixed dependencies Apr23

As can be seen, all dependencies remediated. 

Semgrep finds the final issue in the Dockerfile where the last user of the container is "root".

Semgrep Dockerfile USER root Apr23
Clicking on the link takes us to a detail view showing the offending line.
Dockerfile user root

Obviously this is something that could be fixed with a little work and moving the port number out of the ephemeral range. 

I just wanted to show how each security tool plays it's part in remediating those issues.

Comments

Post a Comment

Popular posts from this blog

Squid Proxy with SOF-ELK Part 1

Image
In this post I wanted show how a Squid Proxy could be used with OpenDNS to provide a simple but effective security for home  or small business. This blog post was inspired by the SANS course SEC530 Security Architecture & Engineering  which leads to the GIAC Defensible Security Architecture (GDSA) certification. This is a great course for anyone looking to develop and improve their 'full stack' defensive posture.  Monitoring is by courtesy of SOF-ELK , one of the many tools by those nice people at SANS .  SOF-ELK is used in a few SANS course including FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response ,  and SEC555 SIEM with Tactical Analytics . OpenDNS Enterprise is now Cisco Umbrella , however, the OpenDNS Home service is available for free and small businesses can use the Prosumer services for a modest fee. The fist step is to install a CentOS 7 minimal and then apply the latest updates. In order to use the OpenDNS Home service I inst
Read more

Netflow analysis with SiLK - Part 1 Installation

Image
About netsa SiLK SiLK provides a way to capture netflow and interrogate flow data. It can be used for a variety of purposes including situational awareness, forensics and anomaly detection. Installing SiLK Prerequisites Before installing SiLK examine the perquisites for the build. I’m using CentOS 6.3 minimal install with a virtual machine disk of 100GB in total with a separate partition for /data of about 60GB. The virtual machine will be allocated 4GB of RAM and 2 virtual processors. Configure the network settings for your lab environment. In order to use YUM for installing software the the lab system will require access to the Internet. Download the following source code files from the netsa CERT project home page libfixbuf-1.2.0.tar.gz netsa-python-1.3.tar.gz silk-2.5.0.tar.gz yaf-2.3.2.tar.gz Copy the required packages to the /usr/local/src directory. If you are using scp to copy over the packages dont’ forget ‘yum install openssh-clients’ first on the serv
Read more

CI/CD Pipeline Security & Shifting Left

Image
Recently I have been doing far more AppSec work in Agile, Lean environment. I also took the SANS SEC 540 course Cloud Security and DevSecOps Automation  which has lots of really great exercises but I like to try to create some of my own examples.  In this one I wanted to create a CI/CD (Continuous Integration/Delivery) pipeline that integrates Static Analysis Software Testing (SAST) and Software Composition Analysis (SCA) and finally some Postman testing of API endpoints that include negative test (more on this later). To start with I needed some example code so I found an example and adapted it to my own needs. The code along with the other supporting files like the Jenkinsfile can found on my GitHub under Planetary-API . Please note, I don't claim to be the best coder in the world :-) I chose an API partly for simplicity of the examples and partly because there are things I wanted to explore further later in terms of bearer authentication and the use of JWTs (for another project
Read more