TheKoguryo's Tech Blog

 Version 2023.11.20

Warning

This content has been generated by machine translation. The translations are automated and have not undergone human review or validation.

3.5 Checking for package vulnerabilities when building DevOps services

Scanning Source Dependencies for Vulnerabilities

The Application Dependency Management (ADM) service scans the library dependencies declared by the source code for known vulnerabilities from within an OCI DevOps build pipeline. The build specification exposes this as a build step of type VulnerabilityAudit.

Currently only Maven projects (pom.xml) are supported.

Vulnerability Check Build Step

Add a step of type VulnerabilityAudit to the build specification and configure it as shown below. Before it can be used, a Knowledge Base must be created in the Application Dependency Management (ADM) service; the step references it by OCID.

  • VulnerabilityAudit example

    steps:
      - type: VulnerabilityAudit
        name: "Vulnerability Audit Step"
        configuration:
          buildType: maven
          pomFilePath: ${OCI_PRIMARY_SOURCE_DIR}/pom.xml
          packagesToIgnore:
            - com.oracle.*
            - org.apache.logging
          maxPermissibleCvssV2Score: 10.0
          maxPermissibleCvssV3Score: 10.0
        knowledgeBaseId: ocid1.admknowledgebase.oc1.iad.restoftheocid
        vulnerabilityAuditCompartmentId: ocid1.compartment.oc1..restoftheocid
        vulnerabilityAuditName: testReport
    
    • configuration/buildType: Currently only maven is supported.

    • configuration/pomFilePath: Path to the pom.xml to scan. ${OCI_PRIMARY_SOURCE_DIR} is the checkout directory of the primary source in the build run.

    • configuration/packagesToIgnore: Packages excluded from the check. Findings in matching packages are not counted toward the failure thresholds, so keep this list short and justified; com.oracle.* in the example excludes every Oracle package.

    • configuration/maxPermissibleCvssV2Score: Maximum CVSS v2 score allowed. If any finding that is not ignored exceeds this score, the step marks the build as Failed and the build run stops.

    • configuration/maxPermissibleCvssV3Score: The same for the CVSS v3 score. Both thresholds are applied independently, so a finding only has to exceed one of them to fail the build.

    • knowledgeBaseId: OCID of the Knowledge Base in the Application Dependency Management (ADM) service.

    • vulnerabilityAuditCompartmentId: Compartment in which the vulnerability audit (the report) is created. It is optional; the build spec later in this article omits it.

    • vulnerabilityAuditName: Display name of the generated audit report.

    • Vulnerability score: the scores are CVSS scores, which range from 0.0 to 10.0. With both thresholds at 10.0, as in the example above, no finding can exceed them, so the step records the audit without gating the build; lower the thresholds to enforce a policy.
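As an added example (not code from the article or from OCI), the following Python script models the gate described above offline, so the effect of a threshold and an ignore list can be checked before committing build_spec.yaml. The findings are constructed with placeholder artifact names and vulnerability ids, the field names are simplified rather than the ADM API schema, and the way packagesToIgnore patterns are matched is an assumption (shell-style wildcard, or exact/dotted-prefix groupId match) that should be confirmed against a real audit report:

```python
"""Offline model of the gate that a VulnerabilityAudit build step applies.

Added example, not code from the article or from OCI. It mirrors the fail
condition described above: the build fails when a finding that is not ignored
exceeds maxPermissibleCvssV2Score or maxPermissibleCvssV3Score. The findings
below are constructed and use simplified field names, not the ADM API schema.
"""
from fnmatch import fnmatchcase

# Constructed findings: gav = groupId:artifactId:version, id = placeholder
# vulnerability id (not a real CVE), plus CVSS v2 and v3 base scores.
SAMPLE_FINDINGS = [
    {"gav": "com.example:web-core:1.0",                 "id": "VULN-A", "cvssV2": 7.5,  "cvssV3": 9.8},
    {"gav": "com.example:util:2.3",                     "id": "VULN-B", "cvssV2": 5.0,  "cvssV3": 7.5},
    {"gav": "com.oracle.example:driver:1.0",            "id": "VULN-C", "cvssV2": 10.0, "cvssV3": 9.1},
    {"gav": "org.apache.logging.example:logger:1.0",    "id": "VULN-D", "cvssV2": 9.3,  "cvssV3": 10.0},
]


def is_ignored(group_id: str, patterns) -> bool:
    """Assumed packagesToIgnore semantics (confirm against a real report):
    a pattern is a shell-style wildcard ('com.oracle.*'), or a groupId that
    matches exactly or as a dotted prefix ('org.apache.logging' covers
    'org.apache.logging.log4j')."""
    for pattern in patterns:
        if fnmatchcase(group_id, pattern):
            return True
        if group_id == pattern or group_id.startswith(pattern + "."):
            return True
    return False


def evaluate(findings, max_v2: float, max_v3: float, packages_to_ignore=()):
    """Apply the step's gate. Returns (passed, failing_ids, ignored_ids).

    A finding fails the build when it is not ignored and its CVSS v2 score
    exceeds max_v2 OR its CVSS v3 score exceeds max_v3. 'Exceeds' is taken as
    strictly greater, following the article's wording."""
    failing, ignored = [], []
    for finding in findings:
        group_id = finding["gav"].split(":")[0]
        if is_ignored(group_id, packages_to_ignore):
            ignored.append(finding["id"])
        elif finding["cvssV2"] > max_v2 or finding["cvssV3"] > max_v3:
            failing.append(finding["id"])
    return not failing, failing, ignored


def compare_policies():
    """Run the constructed findings through the two configurations on this page:
    the documentation example (10.0 / 10.0, ignoring com.oracle.* and
    org.apache.logging) and the article's build spec (9.0 / 9.0, ignoring
    com.oracle.*). The first never fails; the second fails on two findings."""
    doc_example = evaluate(SAMPLE_FINDINGS, 10.0, 10.0, ["com.oracle.*", "org.apache.logging"])
    build_spec = evaluate(SAMPLE_FINDINGS, 9.0, 9.0, ["com.oracle.*"])
    return {"doc_example": doc_example, "build_spec": build_spec}


if __name__ == "__main__":
    for name, (passed, failing, ignored) in compare_policies().items():
        status = "PASS" if passed else "FAIL"
        print(f"{name}: {status} failing={failing} ignored={ignored}")
```

The point of the comparison is that the 10.0 thresholds let a 9.8 and a 10.0 finding through (one of them only because of the ignore list), while the 9.0 thresholds stop the build on both, which is the behaviour the build spec below relies on.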

Create a Knowledge Base in Application Dependency Management (ADM) Service
  1. Log in to the OCI console.

  2. From the top left hamburger menu, go to Developer Services > App Dependency Management > Knowledge Bases.

  3. Select the target compartment and click Create Knowledge Base to create it.

    • Name: e.g. oci-hol-knowledge-base

    image-20220525183055617

  4. Go to the generated Knowledge Base details and copy the OCID.

    image-20220525183520499

  5. Add the following statements to the IAM policy created for DevOps, so that the dynamic group of the build runner can read the Knowledge Base and create vulnerability audits in the compartment.

    Allow dynamic-group BuildDynamicGroup to use adm-knowledge-bases in compartment <YourCompartmentName>
    Allow dynamic-group BuildDynamicGroup to manage adm-vulnerability-audits in compartment <YourCompartmentName>
    

Create a DevOps Project

Before proceeding, create the source code, DevOps project, build pipeline and build stage by following 3.1 Automating deployment of Spring Boot app to OKE using DevOps service, then add the following steps to that build stage.

Forcing a vulnerability finding

A project generated with the latest Spring Boot version and trivial code may pull in no dependencies with known vulnerabilities. To force findings, downgrade to an older version as shown below.

  1. Lower the Spring Boot version in the pom.xml of the source code, e.g. to 2.6.5.

    ...
            <parent>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-starter-parent</artifactId>
                    <version>2.6.5</version>
                    <relativePath/> <!-- lookup parent from repository -->
            </parent>
    ...
    
Add Vulnerability Checking to Build Step
  1. Define Build Spec

    • Create build_spec.yaml in the root of the spring-boot-hello source code as follows.

    • build_spec.yaml

      • A Vulnerability Audit Step is added to the existing build spec ahead of the Build Source step, so that the dependencies are checked before the code is compiled and containerized. The permissible CVSS scores are lowered to 9.0 so that a high-severity finding fails the build.
      version: 0.1
      component: build
      timeoutInSeconds: 6000
      shell: bash
      env:
        variables:
          appName: "spring-boot-hello"
      
        exportedVariables:
          - APP_NAME
          - OCIR_PATH
          - TAG
      
      steps:
        - type: Command
          name: "Init exportedVariables"
          timeoutInSeconds: 4000
          command: |
            APP_NAME=$appName
            echo $APP_NAME            
      
        - type: VulnerabilityAudit
          name: "Vulnerability Audit Step"
          configuration:
            buildType: maven                                  # only maven is supported
            pomFilePath: ${OCI_PRIMARY_SOURCE_DIR}/pom.xml    # pom of the primary source checkout
            packagesToIgnore:
              - com.oracle.*                                  # findings in these packages are not counted
            maxPermissibleCvssV2Score: 9.0                    # fail the build if a finding exceeds 9.0
            maxPermissibleCvssV3Score: 9.0                    # either threshold alone is enough to fail
          knowledgeBaseId: ocid1.admknowledgebase.oc1.ap-chuncheon-1...
          vulnerabilityAuditName: spring-boot-hello-vulnerability-audit
      
        - type: Command
          name: "Build Source"
          timeoutInSeconds: 4000
          command: |
            echo "build"
            mvn clean install            
      
        - type: Command
          timeoutInSeconds: 400
          name: "Build Source - Post"
          command: |
            echo "add dependency"
            mkdir -p target/dependency && (cd target/dependency; jar -xf ../*.jar)            
      
        - type: Command
          name: "Define Image Tag - Commit ID"
          timeoutInSeconds: 30
          command: |
            COMMIT_ID=`echo ${OCI_TRIGGER_COMMIT_HASH} | cut -c 1-7`
            BUILDRUN_HASH=`echo ${OCI_BUILD_RUN_ID} | rev | cut -c 1-7`
            [ -z "$COMMIT_ID" ] && TAG=$BUILDRUN_HASH || TAG=$COMMIT_ID            
      
        - type: Command
          name: "Define OCIR Path"
          timeoutInSeconds: 30
          command: |
            TENANCY_NAMESPACE=`oci os ns get --query data --raw-output`
            REPO_NAME=$appName
            OCIR_PATH=$OCI_RESOURCE_PRINCIPAL_REGION.ocir.io/$TENANCY_NAMESPACE/$REPO_NAME            
      
        - type: Command
          timeoutInSeconds: 400
          name: "Containerize"
          command: |
            docker build -t new-generated-image .
            docker images            
      
        - type: Command
          name: "Check exportedVariables"
          timeoutInSeconds: 30
          command: |  
            [ -z "$APP_NAME" ] && APP_NAME=unknown          
            [ -z "$OCIR_PATH" ] && OCIR_PATH=unknown    
            [ -z "$TAG" ] && TAG=unknown
            echo "APP_NAME: " $APP_NAME      
            echo "OCIR_PATH: " $OCIR_PATH
            echo "TAG: " $TAG
      
      outputArtifacts:
        - name: output-image
          type: DOCKER_IMAGE
          location: new-generated-image  
      
  2. Commit the change and push it to the Code Repository with git.

    git add .
    git commit -m "build spec"
    git push
    
Test
  1. Go to the build pipeline you created and run the build pipeline via Start Manual Run.

  2. The Vulnerability Audit Step fails and the build run stops before the Build Source step.

    image-20220525192815183

  3. Click the three dots in the upper right corner and then View Details.

  4. In Details, you can view summary information of the vulnerability scan results.

    image-20220525193023234

  5. Click the report name to view the entire report.

    image-20220525193435267

  6. Clicking the vulnerability ID link opens the entry in the vulnerability database with its detailed information.

    image-20220525193651779



I wrote this article as an individual in my personal time. There may be errors in its content, and the opinions in it are my own.

Last updated on 26 May 2022