A sample vulnerability definition using the WIP CycloneDX Vulnerability extension changes in CycloneDX/specification#44
Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-15 09:36 GMT
Nmap scan report for monitorama.eu (141.101.116.49)
Host is up (0.012s latency).
Other addresses for monitorama.eu (not scanned): 141.101.117.49
PORT STATE SERVICE
20/tcp filtered ftp-data
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
25/tcp filtered smtp
# A Gemfile with a vulnerable version of rails in it
source "https://rubygems.org"
gem "rails", "3.2.13"
gem "bundler-audit"
gem "rspec"
If you want to test your deployed Google App Engine applications (i.e. not just the code you have in your source repository) you can do so with Snyk by downloading the artifacts from Google Cloud Storage. The following demonstrates a proof-of-concept of doing so.
You'll need to set up a few Google Cloud tools.
Ponderings on a generic bill of materials for software applications.
Package management manifests have some of this information but:
- Focus only on what's needed by the software packaging system
- Vary between languages
- Aren't typically shipped as part of the application
This gist is intended as a thought experiment, looking at what a generic bill of materials might look like.
Start a Docker cluster running on Kubernetes using the provided deployment file. Note this is intended to demonstrate what's possible and hardcodes a few values. The cluster is also set to run without TLS, which in production you would probably want to configure.
kubectl apply -f docker-deployment.yaml
This should give you a running Docker engine and service.
One of the neat things about the CNAB invocation images is that they are just Docker images. That means tools built to work with Docker images work nicely with CNAB. Snyk is one such tool, which can be used to determine vulnerabilities in Docker images.
With a little jq and xargs we can easily test our CNAB invocation images for a loaded bundle with Duffle like so.
$ duffle bundle show helloworld | jq .invocationImages[].image | xargs -L1 -I'{}' snyk test --docker {} 1081ms Tue 12 Nov 20:26:02 2019
Testing deislabs/helloworld-cnab:e9beebb5ff3fdadbeb6c4eb8ce240f4ccc077183...
NPM audit reports:
found 13 vulnerabilities (9 low, 1 moderate, 1 high, 2 critical) in 3756 scanned package
Snyk test (with the --dev flag) reports:
Tested 731 dependencies for known issues, found 11 issues, 17 vulnerable paths.
On occasion you might have need to generate a set of certificates for a Puppet infrastructure, potentially as part of a provisioning process.
The following works but is not guaranteed to be secure or a good idea. If you follow these instructions then I'm assuming you know exactly what you're doing and you're solving an odd problem, or you're working on Puppet rather than with it.
First create a temporary master:
#!/bin/bash
declare -a commands=(
create
expose
run
set
explain
get