Monday, July 19, 2021

[Research] OWASP Dependency-Track 4.2.2 Installation (CentOS 8.4)

[Research] OWASP Dependency-Track 4.2.2 Third-Party Component Security Management Installation (CentOS 8.4)

2021-07-19

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of the Software Bill of Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) cannot.

Dependency-Track monitors component usage across all versions of every application in its portfolio in order to proactively identify risk across the whole organization. The platform has an API-first design and is ideally suited for use in CI/CD environments.

********************************************************************************

Hardware requirements:

 Minimum: 4 GB RAM    Recommended: 16 GB RAM

 Minimum: 2 CPU cores    Recommended: 4 CPU cores

********************************************************************************

Installation; this continues from the following post:

[Research] Docker Compose Installation (CentOS 8.4)
https://shaurong.blogspot.com/2021/07/docker-compose-centos-84.html

Reference

OWASP Dependency-Track
https://owasp.org/www-project-dependency-track/

Dependency-Track is distributed as Docker containers.

Docker Compose

curl -LO https://dependencytrack.org/docker-compose.yml

docker-compose up -d

Docker Swarm

curl -LO https://dependencytrack.org/docker-compose.yml

docker swarm init

docker stack deploy -c docker-compose.yml dtrack

********************************************************************************

Docker Compose

Run:


[john@localhost ~]$ curl -LO https://dependencytrack.org/docker-compose.yml
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   367    0   367    0     0    433      0 --:--:-- --:--:-- --:--:--   433
100  4172  100  4172    0     0   3108      0  0:00:01  0:00:01 --:--:-- 12234

Run (this must be run with sudo, otherwise it fails with a permission error):


[john@localhost ~]$ sudo docker-compose up -d
Creating network "john_default" with the default driver
Creating volume "john_dependency-track" with default driver
Pulling dtrack-apiserver (dependencytrack/apiserver:)...
latest: Pulling from dependencytrack/apiserver
801bfaa63ef2: Pull complete
4a641feb108f: Pull complete
4774cd11fd18: Pull complete
e7fd8dcbde96: Pull complete
eb4251459806: Pull complete
a3ed95caeb02: Pull complete
Digest: sha256:abe4431845152dcc4c880b4804bacee85957c0af1bd5c4907de8b74874abc8bf
Status: Downloaded newer image for dependencytrack/apiserver:latest
Pulling dtrack-frontend (dependencytrack/frontend:)...
latest: Pulling from dependencytrack/frontend
0a6724ff3fcd: Pull complete
2a20c8805afe: Pull complete
a9b20f2cd613: Pull complete
052722e881c1: Pull complete
d5a0bab8d3a3: Pull complete
0bf9a1fd5e8d: Pull complete
e48b15c2fbc5: Pull complete
5d932990ab62: Pull complete
c005b81df4bc: Pull complete
4fea2642779f: Pull complete
a3ed95caeb02: Pull complete
7e1abffa3584: Pull complete
Digest: sha256:39eed5e251176100a2bb255c386a415f65c6cb84ff133465943a8ec2b6f0b92c
Status: Downloaded newer image for dependencytrack/frontend:latest
Creating john_dtrack-apiserver_1 ... done
Creating john_dtrack-frontend_1  ... done

[john@localhost ~]$ sudo docker-compose up -d
john_dtrack-apiserver_1 is up-to-date
john_dtrack-frontend_1 is up-to-date
[john@localhost ~]$

********************************************************************************

Docker Swarm


[john@localhost ~]$ docker swarm init
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.24/swarm/init: dial unix /var/run/docker.sock: connect: permission denied
[john@localhost ~]$ sudo docker swarm init
Swarm initialized: current node (z42jodp6bp8nzsgsiz5uk07mz) is now a manager.

To add a worker to this swarm, run the following command:

    docker swarm join --token SWMTKN-1-5h0kwu0lv4c52m7urz6dddwkp1tzmjftesn8ctj8l07cpm09by-5u5pzngbekkl0ky1wcs3dsp24 192.168.128.136:2377

To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.

[john@localhost ~]$ 



[john@localhost ~]$ docker stack deploy -c docker-compose.yml dtrack
Ignoring unsupported options: restart

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.24/info: dial unix /var/run/docker.sock: connect: permission denied
[john@localhost ~]$ sudo docker stack deploy -c docker-compose.yml dtrack
[sudo] password for john: 
Ignoring unsupported options: restart

Creating network dtrack_default
Creating service dtrack_dtrack-apiserver
Creating service dtrack_dtrack-frontend
[john@localhost ~]$ 


If you are running in a virtual machine environment, it is recommended to power off at this point and take a snapshot.

See the reason below:

[Research] OWASP Dependency-Track 4.2.2 sometimes does not respond at login, and the status stays Restarting
https://shaurong.blogspot.com/2021/07/owasp-dependency-track-422-restarting.html

********************************************************************************

Based on the contents of the docker configuration file docker-compose.yml from here:

Deploying Docker Container | Dependency-Track
https://docs.dependencytrack.org/getting-started/deploy-docker/

there are presumably 2 connection URLs (the Ports column of the docker-compose ps output further below shows 8081 mapped to the API server and 8080 to the frontend):

http://localhost:8081/

http://localhost:8080/

According to this page, the default username and password are both admin; on first login you are asked to change the password, then log out and log in again.
https://docs.dependencytrack.org/getting-started/initial-startup/

To use Dependency-Track (hereafter DT), you first need to prepare an SBOM (Software Bill of Materials), then send it to DT, wait for DT to finish its scan, and then view the results in DT's management interface.

When developing an application, you will likely use some third-party packages (components); the SBOM contains the information about these components. To create an SBOM, if Gradle is your build tool you can use the cyclonedx-gradle-plugin; if you use Maven, you can use the CycloneDX Maven Plugin. Support for other build tools can be looked up on the CycloneDX website.

DT officially recommends using CycloneDX or the Dependency-Track Jenkins Plugin to push the BOM.

Generating Software Bill of Materials - Jenkins Pipeline
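The end-to-end flow described above (build an SBOM, send it to DT, wait for the analysis, read the results), together with the API URL on port 8081 mentioned earlier, as an added Python example; it is not part of the original post or of the Dependency-Track project. It assumes the apiserver is reachable at http://localhost:8081 (the 8081->8080 mapping shown in the docker-compose ps output further below), an API key in the DT_API_KEY environment variable (in DT 4.x, API keys belong to a team under Administration > Access Management > Teams), and the v1 REST endpoints /api/version, /api/v1/bom, /api/v1/bom/token/{token}, /api/v1/project/lookup and /api/v1/metrics/project/{uuid}/current. The component list is constructed for illustration. It goes beyond the text's plugin-generated BOM by hand-building a CycloneDX 1.3 JSON BOM and adding a simple CI gate on the returned critical/high counts.

```python
"""Submit a CycloneDX SBOM to Dependency-Track and summarise the result.

Added example (not the post's or the project's code). Assumptions: base URL
http://localhost:8081, API key in DT_API_KEY, DT 4.x v1 REST endpoints.
"""
import base64
import json
import os
import time
import urllib.error
import urllib.request

DT_BASE_URL = os.environ.get("DT_BASE_URL", "http://localhost:8081")  # assumption: apiserver port from the compose file


def build_sbom(components):
    """Build a minimal CycloneDX 1.3 JSON BOM from (name, version, purl) tuples."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.3",
        "version": 1,
        "components": [
            {"type": "library", "name": name, "version": version, "purl": purl}
            for name, version, purl in components
        ],
    }


def encode_bom_upload(project_name, project_version, bom):
    """Body for PUT /api/v1/bom: the BOM travels base64-encoded; autoCreate lets DT create the project."""
    raw = json.dumps(bom).encode("utf-8")
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": True,
        "bom": base64.b64encode(raw).decode("ascii"),
    }


def decode_bom_upload(payload):
    """Inverse of encode_bom_upload, useful to check what would actually be sent."""
    return json.loads(base64.b64decode(payload["bom"]))


def summarize_metrics(metrics):
    """Reduce DT's project metrics object to the counts a CI gate acts on."""
    return {
        "vulnerabilities": metrics.get("vulnerabilities", 0),
        "critical": metrics.get("critical", 0),
        "high": metrics.get("high", 0),
        "medium": metrics.get("medium", 0),
        "low": metrics.get("low", 0),
        "vulnerable_components": metrics.get("vulnerableComponents", 0),
    }


def fails_gate(summary, max_critical=0, max_high=0):
    """Simple policy: fail the build when critical or high counts exceed the thresholds."""
    return summary["critical"] > max_critical or summary["high"] > max_high


def _request(method, path, api_key=None, body=None):
    """Small JSON helper around urllib; DT authenticates API keys via the X-Api-Key header."""
    headers = {"Accept": "application/json"}
    data = None
    if api_key:
        headers["X-Api-Key"] = api_key
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(DT_BASE_URL + path, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def wait_until_api_ready(attempts=30, delay=5):
    """Poll the unauthenticated /api/version endpoint; right after docker-compose up the container is still 'health: starting'."""
    for _ in range(attempts):
        try:
            return _request("GET", "/api/version")
        except (urllib.error.URLError, OSError):
            time.sleep(delay)
    raise RuntimeError("Dependency-Track API did not become ready")


def upload_and_wait(api_key, payload, poll=3):
    """PUT the BOM, then poll the returned token until DT reports processing is finished."""
    token = _request("PUT", "/api/v1/bom", api_key, payload)["token"]
    while _request("GET", f"/api/v1/bom/token/{token}", api_key)["processing"]:
        time.sleep(poll)
    return token


if __name__ == "__main__":
    # Constructed sample component (placeholder coordinates, not a real finding from the post).
    bom = build_sbom([("example-lib", "1.2.3", "pkg:maven/org.example/example-lib@1.2.3")])
    payload = encode_bom_upload("demo-app", "1.0.0", bom)
    api_key = os.environ.get("DT_API_KEY")
    if not api_key:
        print(json.dumps(decode_bom_upload(payload), indent=2))
        print("Set DT_API_KEY to upload this BOM to", DT_BASE_URL)
    else:
        print("apiserver version:", wait_until_api_ready())
        upload_and_wait(api_key, payload)
        project = _request("GET", "/api/v1/project/lookup?name=demo-app&version=1.0.0", api_key)
        summary = summarize_metrics(_request("GET", f"/api/v1/metrics/project/{project['uuid']}/current", api_key))
        print(summary, "GATE FAILED" if fails_gate(summary) else "gate passed")
```

Run it with DT_API_KEY unset to only print the BOM that would be sent; with the key set it waits for the apiserver, uploads, polls the token, and prints the metric summary. DT recalculates project metrics on its own schedule, so the metrics endpoint can lag a freshly processed BOM; re-query before acting on a gate result.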

********************************************************************************

Supplement: location of the configuration file (application.properties)
https://docs.dependencytrack.org/getting-started/configuration/

[john@localhost ~]$ sudo find / -name application.properties -print
[sudo] password for john: 
find: ‘/run/user/1000/gvfs’: Permission denied
/var/lib/docker/overlay2/7a2f89b76a10d2be7fc92d646f8571186c4f1fd23e977b97d4258637b1b71378/diff/tmp/jetty-0_0_0_0-8080-dependency-track-apiserver_war-_-any-10831297932236065821/webapp/WEB-INF/classes/application.properties
/var/lib/docker/overlay2/7a2f89b76a10d2be7fc92d646f8571186c4f1fd23e977b97d4258637b1b71378/merged/tmp/jetty-0_0_0_0-8080-dependency-track-apiserver_war-_-any-10831297932236065821/webapp/WEB-INF/classes/application.properties
[john@localhost ~]$ 

********************************************************************************

Supplement: current state of the containers and docker-compose


[john@localhost ~]$ sudo docker-compose ps
         Name                        Command                       State                            Ports                  
---------------------------------------------------------------------------------------------------------------------------
john_dtrack-apiserver_1   /bin/sh -c java $JAVA_OPTI ...   Up (health: starting)   0.0.0.0:8081->8080/tcp,:::8081->8080/tcp   
john_dtrack-frontend_1    /docker-entrypoint.sh ngin ...   Up                      0.0.0.0:8080->8080/tcp,:::8080->8080/tcp
[john@localhost ~]$ 

(End)

Related

Dependency-Track | Software Bill of Materials (SBOM) Analysis | OWASP
https://dependencytrack.org/

Plan and track dependencies across teams and organizations with the Dependency Tracker extension - Azure DevOps | Microsoft Docs
https://docs.microsoft.com/zh-tw/azure/devops/boards/extensions/dependency-tracker?view=azure-devops

Managing third-party component security with DependencyTrack (Part 1)
https://mawei.blog/2020/dependency-practice-guide-part-one

Managing third-party component security with DependencyTrack (Part 2)
https://mawei.blog/2020/dependency-practice-guide-part-two

Managing third-party component security with DependencyTrack (Part 3)
https://mawei.blog/2020/dependency-practice-guide-part-three

Dependency-Track vs Dependency-Check Comparison
https://docs.dependencytrack.org/odt-odc-comparison/

