Almost all software development today relies on open-source components. I counted the components in one of my company's projects, not a large one, and it used as many as 300 open-source components, so the security of open-source components is receiving more and more attention. Dependency-Track is an OWASP open-source project that analyses dependency components in real time and identifies vulnerabilities, lowering the risk a team takes on in its software component supply chain. Dependency-Track works by analysing a generated SBOM (software bill of materials) and identifying vulnerable components against the vulnerability databases it synchronises. This article describes how to install and use Dependency-Track.
Installation
When installing with docker-compose, make sure the Docker environment is already set up (see the post on setting up a Docker development environment on Windows). If you installed Docker through Docker Desktop for Windows there is nothing to worry about, because docker-compose is installed with it by default.
curl -LO https://dependencytrack.org/docker-compose.yml
# If you need to change the database configuration before starting the containers, edit docker-compose.yml as described in the steps below
docker-compose up -d
By default the embedded database is used, but the project does not recommend it for production, so this example uses PostgreSQL (see the post on installing PostgreSQL with Docker for setting it up). Edit the database part of the dtrack-apiserver configuration in docker-compose.yml; the actual values depend on your environment.
version: '3.7'

#####################################################
# This Docker Compose file contains two services
#    Dependency-Track API Server
#    Dependency-Track FrontEnd
#####################################################

volumes:
  dependency-track:

services:
  dtrack-apiserver:
    image: dependencytrack/apiserver
    environment:
    # The Dependency-Track container can be configured using any of the
    # available configuration properties defined in:
    # https://docs.dependencytrack.org/getting-started/configuration/
    # All properties are upper case with periods replaced by underscores.
    #
    # Database Properties
    - ALPINE_DATABASE_MODE=external
    - ALPINE_DATABASE_URL=jdbc:postgresql://192.168.19.103:5432/dtrack
    - ALPINE_DATABASE_DRIVER=org.postgresql.Driver
    - ALPINE_DATABASE_USERNAME=dtrack
    - ALPINE_DATABASE_PASSWORD=changeme
    - ALPINE_DATABASE_POOL_ENABLED=true
    - ALPINE_DATABASE_POOL_MAX_SIZE=20
    - ALPINE_DATABASE_POOL_MIN_IDLE=10
    - ALPINE_DATABASE_POOL_IDLE_TIMEOUT=300000
    - ALPINE_DATABASE_POOL_MAX_LIFETIME=600000
    #
    # Optional LDAP Properties
    # - ALPINE_LDAP_ENABLED=true
    # - ALPINE_LDAP_SERVER_URL=ldap://ldap.example.com:389
    # - ALPINE_LDAP_BASEDN=dc=example,dc=com
    # - ALPINE_LDAP_SECURITY_AUTH=simple
    # - ALPINE_LDAP_BIND_USERNAME=
    # - ALPINE_LDAP_BIND_PASSWORD=
    # - ALPINE_LDAP_AUTH_USERNAME_FORMAT=%s@example.com
    # - ALPINE_LDAP_ATTRIBUTE_NAME=userPrincipalName
    # - ALPINE_LDAP_ATTRIBUTE_MAIL=mail
    # - ALPINE_LDAP_GROUPS_FILTER=(&(objectClass=group)(objectCategory=Group))
    # - ALPINE_LDAP_USER_GROUPS_FILTER=(member:1.2.840.113556.1.4.1941:={USER_DN})
    # - ALPINE_LDAP_GROUPS_SEARCH_FILTER=(&(objectClass=group)(objectCategory=Group)(cn=*{SEARCH_TERM}*))
    # - ALPINE_LDAP_USERS_SEARCH_FILTER=(&(objectClass=user)(objectCategory=Person)(cn=*{SEARCH_TERM}*))
    # - ALPINE_LDAP_USER_PROVISIONING=false
    # - ALPINE_LDAP_TEAM_SYNCHRONIZATION=false
    #
    # Optional OpenID Connect (OIDC) Properties
    # - ALPINE_OIDC_ENABLED=true
    # - ALPINE_OIDC_ISSUER=https://auth.example.com/auth/realms/example
    # - ALPINE_OIDC_CLIENT_ID=
    # - ALPINE_OIDC_USERNAME_CLAIM=preferred_username
    # - ALPINE_OIDC_TEAMS_CLAIM=groups
    # - ALPINE_OIDC_USER_PROVISIONING=true
    # - ALPINE_OIDC_TEAM_SYNCHRONIZATION=true
    #
    # Optional HTTP Proxy Settings
    # - ALPINE_HTTP_PROXY_ADDRESS=proxy.example.com
    # - ALPINE_HTTP_PROXY_PORT=8888
    # - ALPINE_HTTP_PROXY_USERNAME=
    # - ALPINE_HTTP_PROXY_PASSWORD=
    # - ALPINE_NO_PROXY=
    #
    # Optional HTTP Outbound Connection Timeout Settings. All values are in seconds.
    # - ALPINE_HTTP_TIMEOUT_CONNECTION=30
    # - ALPINE_HTTP_TIMEOUT_SOCKET=30
    # - ALPINE_HTTP_TIMEOUT_POOL=60
    #
    # Optional Cross-Origin Resource Sharing (CORS) Headers
    # - ALPINE_CORS_ENABLED=true
    # - ALPINE_CORS_ALLOW_ORIGIN=*
    # - ALPINE_CORS_ALLOW_METHODS=GET, POST, PUT, DELETE, OPTIONS
    # - ALPINE_CORS_ALLOW_HEADERS=Origin, Content-Type, Authorization, X-Requested-With, Content-Length, Accept, Origin, X-Api-Key, X-Total-Count, *
    # - ALPINE_CORS_EXPOSE_HEADERS=Origin, Content-Type, Authorization, X-Requested-With, Content-Length, Accept, Origin, X-Api-Key, X-Total-Count
    # - ALPINE_CORS_ALLOW_CREDENTIALS=true
    # - ALPINE_CORS_MAX_AGE=3600
    #
    # Optional metrics properties
    # - ALPINE_METRICS_ENABLED=true
    # - ALPINE_METRICS_AUTH_USERNAME=
    # - ALPINE_METRICS_AUTH_PASSWORD=
    #
    # Optional environmental variables to enable default notification publisher templates override and set the base directory to search for templates
    # - DEFAULT_TEMPLATES_OVERRIDE_ENABLED=false
    # - DEFAULT_TEMPLATES_OVERRIDE_BASE_DIRECTORY=/data
    #
    # Optional configuration for the Snyk analyzer
    # - SNYK_THREAD_BATCH_SIZE=10
    #
    # Optional environmental variables to provide more JVM arguments to the API Server JVM, i.e. "-XX:ActiveProcessorCount=8"
    # - EXTRA_JAVA_OPTIONS=
    deploy:
      resources:
        limits:
          memory: 12288m
        reservations:
          memory: 8192m
      restart_policy:
        condition: on-failure
    ports:
    - '8081:8080'
    volumes:
    - 'dependency-track:/data'
    restart: unless-stopped

  dtrack-frontend:
    image: dependencytrack/frontend
    depends_on:
    - dtrack-apiserver
    environment:
    # The base URL of the API server.
    # NOTE:
    #   * This URL must be reachable by the browsers of your users.
    #   * The frontend container itself does NOT communicate with the API server directly, it just serves static files.
    #   * When deploying to dedicated servers, please use the external IP or domain of the API server.
    - API_BASE_URL=http://localhost:8081
    # - "OIDC_ISSUER="
    # - "OIDC_CLIENT_ID="
    # - "OIDC_SCOPE="
    # - "OIDC_FLOW="
    # - "OIDC_LOGIN_BUTTON_TEXT="
    # volumes:
    # - "/host/path/to/config.json:/app/static/config.json"
    ports:
    - "8080:8080"
    restart: unless-stopped
First start
Once docker-compose up -d has completed successfully, open port 8080 in a browser and log in with the default account admin/admin. Change the password when prompted; note that the response after clicking the Change password button is somewhat slow, so wait a moment. You are then redirected to the login page and can log in normally with the new password.
Creating a project and a team
First create a project. Classifier supports several types, such as application, container, operating system and framework; the example chooses Application.
Create a team under Access Management. Dependency-Track is intended for use by an organisation's security team. Grant the team the BOM_UPLOAD, POLICY_VIOLATION_ANALYSIS, PROJECT_CREATION_UPLOAD, VIEW_PORTFOLIO, VIEW_VULNERABILITY and VULNERABILITY_ANALYSIS permissions, and copy its API key to use as the authentication token in the following steps.
Generating the SBOM
To supply Dependency-Track with an SBOM for vulnerability analysis, the Dependency-Track plugin is recommended if you use Jenkins for CI/CD. Once the plugin is installed and active, the Dependency-Track settings appear in the system configuration; enter the back-end URL and the team API key from above. If the connection test succeeds, a success message is displayed.
Create a Jenkins project whose build steps package the application and generate the SBOM:
mvn -Pprod clean -DskipTests=true install
mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom
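Before the bom.xml written by the CycloneDX Maven plugin is uploaded, it is worth checking what it actually contains. The following script is an added example, not part of the original post or of the CycloneDX plugin: it parses a CycloneDX XML BOM with the standard library and lists each component with its package URL (purl), one of the identifiers Dependency-Track uses to match components against vulnerability data, and reports components that have no purl. The sample BOM embedded in the script is constructed, with made-up coordinates, and the function names are this example's own.

```python
"""Sanity-check a CycloneDX bom.xml before it is uploaded to Dependency-Track.

Added example, not part of the original post or of the CycloneDX Maven plugin.
It reads the XML that `mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom` writes
(target/bom.xml by default) and lists each component with its package URL (purl).
A component without a purl cannot be matched by purl, so those are reported.
"""
import xml.etree.ElementTree as ET

# Constructed sample BOM (CycloneDX 1.4 XML); the coordinates are made up.
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1"
     serialNumber="urn:uuid:00000000-0000-0000-0000-000000000001">
  <metadata>
    <component type="application">
      <group>com.example</group><name>demo-app</name><version>1.0.0</version>
    </component>
  </metadata>
  <components>
    <component type="library">
      <group>com.example.libs</group>
      <name>parser-lib</name>
      <version>1.9</version>
      <purl>pkg:maven/com.example.libs/parser-lib@1.9?type=jar</purl>
    </component>
    <component type="library">
      <group>com.example.libs</group>
      <name>json-util</name>
      <version>2.3.1</version>
    </component>
  </components>
</bom>
"""


def parse_bom(xml_data):
    """Return the BOM serial number, schema namespace and the list of components."""
    root = ET.fromstring(xml_data)
    # The namespace carries the spec version (.../bom/1.4); read it from the root
    # tag so the same code handles other 1.x schemas.
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""

    def q(tag):
        return f"{{{ns}}}{tag}" if ns else tag

    components = []
    for comp in root.findall(f"./{q('components')}/{q('component')}"):
        components.append({
            "type": comp.get("type"),
            "group": comp.findtext(q("group")),
            "name": comp.findtext(q("name")),
            "version": comp.findtext(q("version")),
            "purl": comp.findtext(q("purl")),  # None when no purl was emitted
        })
    return {"serial": root.get("serialNumber"), "schema": ns, "components": components}


def missing_purls(bom):
    """Names of components that carry no purl."""
    return [c["name"] for c in bom["components"] if not c["purl"]]


def summarize(xml_data):
    """Compact summary suitable for a CI log line."""
    bom = parse_bom(xml_data)
    return {
        "schema": bom["schema"],
        "component_count": len(bom["components"]),
        "without_purl": missing_purls(bom),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:  # bytes, so the XML declaration is honoured
            print(summarize(f.read()))
    else:
        print(summarize(SAMPLE_BOM))
```

Run it as `python check_bom.py target/bom.xml` after the makeBom step; a component count of zero or a long list of components without a purl usually means the BOM was generated from the wrong module or before dependencies were resolved.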
For the post-build action choose "Publish BOM to Dependency-Track" and configure the following:
- Dependency-Track project: select it directly from the drop-down list
- Artifact: the path of the generated bom.xml file
- Enable synchronous publishing mode:
  if unchecked, you go to the Dependency-Track front end after the build finishes to view the analysis result;
  if checked, the plugin waits after the build for Dependency-Track to finish its analysis, reads the result through the API, and shows it in the Jenkins build information. You can also set a threshold for each severity level to decide whether the build passes.
With Enable synchronous publishing mode checked, you can track the trend of vulnerability counts across builds.
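The flow that synchronous publishing mode performs can also be driven from any CI system without the Jenkins plugin. The script below is an added example, not the plugin's code and not from the original post: it uses the team API key from the Access Management step, uploads the BOM with PUT /api/v1/bom, polls the returned token at /api/v1/bom/token/{token} until processing is finished, reads the project's current metrics from /api/v1/metrics/project/{uuid}/current, and compares the per-severity counts with thresholds to decide whether the build passes. The endpoints and the X-Api-Key header are Dependency-Track's REST API; the base URL, API key, project UUID, BOM path and threshold values are assumptions supplied by the caller through environment variables and arguments.

```python
"""Publish a BOM to Dependency-Track and gate a build on vulnerability counts.

Added example, not the Jenkins plugin's code. Standard library only.
Endpoints used (Dependency-Track REST API):
  PUT /api/v1/bom                              upload, returns {"token": ...}
  GET /api/v1/bom/token/{token}                {"processing": true|false}
  GET /api/v1/metrics/project/{uuid}/current   severity counts for the project
Base URL, API key, project UUID and thresholds are supplied by the caller.
"""
import base64
import json
import os
import sys
import time
import urllib.request

# Assumed thresholds: maximum allowed findings per severity.
DEFAULT_THRESHOLDS = {"critical": 0, "high": 5}


def _request(base_url, api_key, method, path, body=None):
    req = urllib.request.Request(base_url + path, data=body, method=method)
    req.add_header("X-Api-Key", api_key)  # team API key from Access Management
    if body is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}  # /current answers 204 before first calculation


def build_upload_request(project_uuid, bom_bytes):
    """Body for PUT /api/v1/bom: the BOM travels base64-encoded inside JSON."""
    return {"project": project_uuid,
            "bom": base64.b64encode(bom_bytes).decode("ascii")}


def upload_bom(base_url, api_key, project_uuid, bom_bytes):
    body = json.dumps(build_upload_request(project_uuid, bom_bytes)).encode()
    return _request(base_url, api_key, "PUT", "/api/v1/bom", body)["token"]


def wait_for_processing(base_url, api_key, token, timeout_s=300, interval_s=5):
    """Poll the upload token until the server has finished analysing the BOM."""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        status = _request(base_url, api_key, "GET", f"/api/v1/bom/token/{token}")
        if not status.get("processing", False):
            return True
        time.sleep(interval_s)
    return False


def current_metrics(base_url, api_key, project_uuid):
    return _request(base_url, api_key, "GET",
                    f"/api/v1/metrics/project/{project_uuid}/current")


def threshold_violations(metrics, thresholds):
    """Map severity -> (count, limit) for each severity whose count exceeds its limit.

    `metrics` is the /current response (keys critical, high, medium, low, unassigned);
    severities missing from `thresholds` are not gated.
    """
    violations = {}
    for severity, limit in thresholds.items():
        count = int(metrics.get(severity, 0) or 0)
        if count > limit:
            violations[severity] = (count, limit)
    return violations


def gate_build(base_url, api_key, project_uuid, bom_path, thresholds):
    with open(bom_path, "rb") as f:
        token = upload_bom(base_url, api_key, project_uuid, f.read())
    if not wait_for_processing(base_url, api_key, token):
        raise TimeoutError("Dependency-Track did not finish processing the BOM in time")
    return threshold_violations(current_metrics(base_url, api_key, project_uuid), thresholds)


if __name__ == "__main__":
    # Assumed environment: DTRACK_URL, DTRACK_API_KEY, DTRACK_PROJECT_UUID;
    # the first argument is the BOM path (the Maven plugin writes target/bom.xml).
    violations = gate_build(
        os.environ.get("DTRACK_URL", "http://localhost:8081"),
        os.environ["DTRACK_API_KEY"],
        os.environ["DTRACK_PROJECT_UUID"],
        sys.argv[1] if len(sys.argv) > 1 else "target/bom.xml",
        DEFAULT_THRESHOLDS,
    )
    for severity, (count, limit) in violations.items():
        print(f"{severity}: {count} findings, limit {limit}")
    sys.exit(1 if violations else 0)
```

Project metrics are recalculated asynchronously after analysis, so the counts read immediately after the processing token clears can lag slightly behind the findings shown in the front end; GET /api/v1/metrics/project/{uuid}/refresh asks the server to recalculate them. The API key is read from the environment rather than hard-coded so it stays in the CI secret store, and the team behind it needs only the BOM_UPLOAD, VIEW_PORTFOLIO and VIEW_VULNERABILITY permissions for this script.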
Build result: vulnerability analysis summary
Build result: vulnerability details