[Research] OWASP Dependency-Track 4.2.2 third-party component security management installation (Ubuntu 20.04.2 LTS x64)
2021-07-24
Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of the Software Bill of Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) cannot achieve.
Dependency-Track monitors component usage across all versions of every application in its portfolio in order to proactively identify risk across the whole organization. The platform uses an API-first design and is well suited to use in CI/CD environments.
********************************************************************************
Hardware requirements:
Minimum: 4 GB RAM; Recommended: 16 GB RAM
Minimum: 2 CPU cores; Recommended: 4 CPU cores
********************************************************************************
Installation, continuing from this article:
[Research] Docker Compose 1.29.2 installation (Ubuntu 20.04.2 LTS x64)
https://shaurong.blogspot.com/2021/07/docker-compose-1292-ubuntu-20042-lts-x64.html
Reference
OWASP Dependency-Track
https://owasp.org/www-project-dependency-track/
Dependency-Track is distributed as Docker containers.
Docker Compose
curl -LO https://dependencytrack.org/docker-compose.yml
docker-compose up -d
Docker Swarm
curl -LO https://dependencytrack.org/docker-compose.yml
docker swarm init
docker stack deploy -c docker-compose.yml dtrack
********************************************************************************
Docker Compose
Run
tom@ubuntu20042:~$ curl -LO https://dependencytrack.org/docker-compose.yml
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 367 0 367 0 0 491 0 --:--:-- --:--:-- --:--:-- 491
100 4172 100 4172 0 0 3526 0 0:00:01 0:00:01 --:--:-- 18378
tom@ubuntu20042:~$
Run (must be run with sudo, otherwise it fails)
tom@ubuntu20042:~$ sudo docker-compose up -d
Creating network "tom_default" with the default driver
Creating volume "tom_dependency-track" with default driver
Pulling dtrack-apiserver (dependencytrack/apiserver:)...
latest: Pulling from dependencytrack/apiserver
801bfaa63ef2: Pull complete
4a641feb108f: Pull complete
4774cd11fd18: Pull complete
e7fd8dcbde96: Pull complete
eb4251459806: Pull complete
a3ed95caeb02: Pull complete
Digest: sha256:abe4431845152dcc4c880b4804bacee85957c0af1bd5c4907de8b74874abc8bf
Status: Downloaded newer image for dependencytrack/apiserver:latest
Pulling dtrack-frontend (dependencytrack/frontend:)...
latest: Pulling from dependencytrack/frontend
0a6724ff3fcd: Pull complete
2a20c8805afe: Pull complete
a9b20f2cd613: Pull complete
052722e881c1: Pull complete
d5a0bab8d3a3: Pull complete
0bf9a1fd5e8d: Pull complete
e48b15c2fbc5: Pull complete
5d932990ab62: Pull complete
c005b81df4bc: Pull complete
4fea2642779f: Pull complete
a3ed95caeb02: Pull complete
7e1abffa3584: Pull complete
Digest: sha256:39eed5e251176100a2bb255c386a415f65c6cb84ff133465943a8ec2b6f0b92c
Status: Downloaded newer image for dependencytrack/frontend:latest
Creating tom_dtrack-apiserver_1 ... done
Creating tom_dtrack-frontend_1 ... done
tom@ubuntu20042:~$ sudo docker-compose up -d
tom_dtrack-apiserver_1 is up-to-date
tom_dtrack-frontend_1 is up-to-date
tom@ubuntu20042:~$
********************************************************************************
If you are running in a virtual machine environment, it is recommended to power off at this point and take a snapshot.
For the reason, see the following article:
[Research] OWASP Dependency-Track 4.2.2 sometimes does not respond on login; status keeps Restarting
https://shaurong.blogspot.com/2021/07/owasp-dependency-track-422-restarting.html
********************************************************************************
According to the contents of the Docker configuration file docker-compose.yml described here:
Deploying Docker Container | Dependency-Track
https://docs.dependencytrack.org/getting-started/deploy-docker/
it is inferred that there are 2 connection URLs.
According to this page, the default username and password are both admin; the first login requires you to change the password, log out, and log in again.
https://docs.dependencytrack.org/getting-started/initial-startup/
(Figure below) Same situation as installing Dependency-Track on CentOS: the login screen is visible remotely, but pressing Login gets no response.
To use Dependency-Track (hereafter DT), you first need to prepare an SBOM (Software Bill of Materials), send it to DT, wait for DT to finish scanning it, and then view the results in DT's management interface.
Supplement: where the configuration file lives
https://docs.dependencytrack.org/getting-started/configuration/
tom@ubuntu20042:~$ sudo find / -name application.properties -print
/var/lib/docker/overlay2/5e78f2967e4746985aa80f0b336986666857ce77d41aa1c4dd61a7bb540dd179/diff/tmp/jetty-0_0_0_0-8080-dependency-track-apiserver_war-_-any-4035016832563111209/webapp/WEB-INF/classes/application.properties
/var/lib/docker/overlay2/5e78f2967e4746985aa80f0b336986666857ce77d41aa1c4dd61a7bb540dd179/merged/tmp/jetty-0_0_0_0-8080-dependency-track-apiserver_war-_-any-4035016832563111209/webapp/WEB-INF/classes/application.properties
find: ‘/run/user/1000/gvfs’: Permission denied
tom@ubuntu20042:~$
********************************************************************************
Supplement: current status of the containers and docker-compose
tom@ubuntu20042:~$ sudo docker-compose ps
Name Command State Ports
-----------------------------------------------------------------------------------------------------------------
tom_dtrack-apiserver_1 /bin/sh -c java $JAVA_OPTI ... Up (healthy) 0.0.0.0:8081->8080/tcp,:::8081->8080/tcp
tom_dtrack-frontend_1 /docker-entrypoint.sh ngin ... Up 0.0.0.0:8080->8080/tcp,:::8080->8080/tcp
tom@ubuntu20042:~$
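The SBOM workflow described above (prepare an SBOM, send it to DT, wait for the scan to finish, then read the results) and the two host ports shown by `docker-compose ps`, as an added example that is not from the original post or from the Dependency-Track project: a small Python client that PUTs a CycloneDX BOM to the REST API, polls the returned token until processing finishes, and then reads the project's current metrics. It assumes the API server is reached on the host at http://localhost:8081 (the 8081->8080 mapping shown above; the frontend on 8080 is not needed for this), an API key with the BOM_UPLOAD permission in the DT_API_KEY environment variable, and an existing project UUID in DT_PROJECT_UUID. The BOM content is constructed for the example.

```python
"""Added example: upload an SBOM to Dependency-Track and wait for analysis.

Assumptions (not from the original post): API at http://localhost:8081,
an API key with BOM_UPLOAD permission in DT_API_KEY, a target project UUID
in DT_PROJECT_UUID. The BOM below is constructed, not a real inventory.
"""
import base64
import json
import os
import sys
import time
import urllib.request

# Constructed minimal CycloneDX BOM; in practice a generator (e.g. a build
# plugin) produces this from the real dependency tree.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "version": 1,
    "components": [
        {
            "type": "library",
            "group": "com.example",
            "name": "example-lib",
            "version": "1.0.0",
            "purl": "pkg:maven/com.example/example-lib@1.0.0",
        }
    ],
}


def build_upload_payload(project_uuid: str, bom: dict) -> dict:
    """PUT /api/v1/bom takes a JSON envelope with the BOM base64-encoded."""
    raw = json.dumps(bom).encode("utf-8")
    return {"project": project_uuid, "bom": base64.b64encode(raw).decode("ascii")}


def decode_uploaded_bom(payload: dict) -> dict:
    """Inverse of build_upload_payload; useful to verify what was sent."""
    return json.loads(base64.b64decode(payload["bom"]))


def api_request(base_url: str, api_key: str, method: str, path: str, body=None):
    """Authenticated JSON request against the DT REST API (X-Api-Key header)."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("X-Api-Key", api_key)
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def upload_bom(base_url: str, api_key: str, project_uuid: str, bom: dict) -> str:
    """Upload the BOM; DT answers with a token that tracks the processing job."""
    resp = api_request(base_url, api_key, "PUT", "/api/v1/bom",
                       build_upload_payload(project_uuid, bom))
    return resp["token"]


def is_processing(status: dict) -> bool:
    """GET /api/v1/bom/token/{token} returns {"processing": true|false}."""
    return bool(status.get("processing", False))


def wait_for_analysis(base_url, api_key, token, timeout_s=300, interval_s=5) -> bool:
    """Poll the token until DT reports the BOM as processed; False on timeout."""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        status = api_request(base_url, api_key, "GET", f"/api/v1/bom/token/{token}")
        if not is_processing(status):
            return True
        time.sleep(interval_s)
    return False


def summarize_metrics(metrics: dict) -> dict:
    """Pick the severity counters out of /api/v1/metrics/project/{uuid}/current."""
    keys = ("critical", "high", "medium", "low", "unassigned",
            "vulnerabilities", "components")
    return {k: metrics.get(k, 0) for k in keys}


if __name__ == "__main__":
    base = os.environ.get("DT_API_URL", "http://localhost:8081")  # host side of 8081->8080
    key = os.environ["DT_API_KEY"]
    project = os.environ["DT_PROJECT_UUID"]
    tok = upload_bom(base, key, project, SAMPLE_BOM)
    if not wait_for_analysis(base, key, tok):
        sys.exit("timed out waiting for Dependency-Track to process the BOM")
    current = api_request(base, key, "GET", f"/api/v1/metrics/project/{project}/current")
    print(json.dumps(summarize_metrics(current or {}), indent=2))
```

Run it with the three environment variables set; the printed counters are the same numbers the project page in the web UI shows after the scan, so the script can gate a CI job on them without anyone opening the UI.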
(End)
Related
Dependency-Track | Software Bill of Materials (SBOM) Analysis | OWASP
https://dependencytrack.org/
Plan and track dependencies across teams and organizations with the Dependency Tracker extension - Azure DevOps | Microsoft Docs
https://docs.microsoft.com/zh-tw/azure/devops/boards/extensions/dependency-tracker?view=azure-devops
Managing third-party component security with DependencyTrack (Part 1)
https://mawei.blog/2020/dependency-practice-guide-part-one
Managing third-party component security with DependencyTrack (Part 2)
https://mawei.blog/2020/dependency-practice-guide-part-two
Managing third-party component security with DependencyTrack (Part 3)
https://mawei.blog/2020/dependency-practice-guide-part-three
Dependency-Track vs Dependency-Check Comparison
https://docs.dependencytrack.org/odt-odc-comparison/