@garethr
garethr / nmap-rspec.rb
Last active July 20, 2020 18:27
Example nmap scan of the monitorama.eu website written as an rspec test
Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-15 09:36 GMT
Nmap scan report for monitorama.eu (141.101.116.49)
Host is up (0.012s latency).
Other addresses for monitorama.eu (not scanned): 141.101.117.49
PORT STATE SERVICE
20/tcp filtered ftp-data
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
25/tcp filtered smtp
@garethr
garethr / Gemfile
Last active June 25, 2020 14:15
Use bundler-audit as part of an rspec test to allow unit tests to be written to check for vulnerabilities of dependencies, based on data from https://github.com/rubysec/ruby-advisory-db
# A Gemfile with a vulnerable version of rails in it
source "https://rubygems.org"
gem "rails", "3.2.13"
gem "bundler-audit"
gem "rspec"
@garethr
garethr / _README.md
Last active January 8, 2020 08:20
Testing App Engine applications with Snyk

Snyk and App Engine

If you want to test your deployed Google App Engine applications (i.e. not just the code you have in your source repository) you can do so with Snyk by downloading the artifacts from Google Cloud Storage. The following demonstrates a proof-of-concept of doing so.

Pre-requisites

You'll need to set up a few Google Cloud tools.

@garethr
garethr / 0_README.md
Created January 1, 2020 11:13
Pondering on a generic bill of materials for software applications.

Ponderings on a generic bill of materials for software applications.

Package management manifests have some of this information but:

  1. Focus only on what's needed by the software packaging system
  2. Vary between languages
  3. Aren't typically shipped as part of the application

This gist is intended as a thought experiment, looking at what a generic bill of materials might look like.

@garethr
garethr / _README.md
Created December 7, 2019 11:21
Using Snyk with a remote Docker daemon running in Kubernetes

Start a Docker cluster running on Kubernetes using the provided deployment file. Note this is intended to demonstrate what's possible and hardcodes a few values. The cluster is also set to run without TLS, which in production you would probably want to configure.

kubectl apply -f docker-deployment.yaml

This should give you a running Docker engine and service.

@garethr
garethr / README.md
Created November 12, 2019 20:43
Using Snyk to test CNAB bundles for vulnerabilities

One of the neat things about CNAB invocation images is that they are just Docker images. That means tools built to work with Docker images work nicely with CNAB. Snyk is one such tool, which can be used to find known vulnerabilities in Docker images.

With a little jq and xargs we can easily test our CNAB invocation images for a loaded bundle with Duffle like so.

$ duffle bundle show helloworld | jq .invocationImages[].image | xargs -L1 -I'{}' snyk test --docker {}

Testing deislabs/helloworld-cnab:e9beebb5ff3fdadbeb6c4eb8ce240f4ccc077183...
@garethr
garethr / differences.md
Last active September 11, 2019 09:01
Snyk and NPM audit comparison

NPM audit reports:

found 13 vulnerabilities (9 low, 1 moderate, 1 high, 2 critical) in 3756 scanned package

Snyk test (with the --dev flag) reports:

Tested 731 dependencies for known issues, found 11 issues, 17 vulnerable paths.
@garethr
garethr / README.md
Created August 16, 2017 11:29
Pre-generating Puppet certificates

Pre-generating Puppet certificates

On occasion you might have need to generate a set of certificates for a Puppet infrastructure, potentially as part of a provisioning process.

The following works but is not guaranteed to be secure or a good idea. If you follow these instructions then I'm assuming you know exactly what you're doing and you're solving an odd problem, or you're working on Puppet rather than with it.

First create a temporary master:

@garethr
garethr / count.sh
Created August 27, 2019 06:59
Looking at usage of kubectl commands
#!/bin/bash
declare -a commands=(
create
expose
run
set
explain
get