
Open-source software can be an incredibly useful asset, but if you use open source packages that have not been approved for use in your organization, you can end up with unexpected software vulnerabilities or legal implications. With the Open Source Management (OSM) service, you can easily identify packages that have been vetted by your organization. For more details about the OSM service, go here.
Each programming language provides a different method to extract the names and versions of the packages installed in an environment. The following text describes how to extract this package information (name and version) for all installed packages and their dependencies in Python, JavaScript and R. The resulting list can then be checked for known vulnerabilities with the Open Source Management (OSM) API described below.
Python:
Python has two prevalent variants in use, 2.x and 3.x. To retrieve the package information, run the following command in the environment:
Python 2.x:
pip freeze
Python 3.x:
pip3 freeze
The above commands give output in the format name==version. For example:
MarkupSafe==1.1.1
mccabe==0.6.1
numpy==1.17.0
JavaScript:
In JavaScript, unlike Python, packages can be installed at the local directory level and at the global level, and the two sets are independent of each other. To retrieve the package information, run the following commands in the environment:
At directory level: npm ll --parseable | awk -F':' '{print $2}' | sort -u
At global level: npm ll -g --parseable | awk -F':' '{print $2}' | sort -u
This gives output in the form name@version. For example:
json-schema-traverse@0.4.1
json-schema@0.2.3
json-stable-stringify-without-jsonify@1.0.1
R:
To retrieve the package information, run the following commands in an R session:
ip <- as.data.frame(installed.packages()[,c(1,3:4)])   # Package, Version and Priority columns
ip <- ip[is.na(ip$Priority),1:2,drop=FALSE]             # drop base/recommended packages, keep Package and Version
print(ip, row.names=FALSE)
This will give you output in the following format:
Package   Version
abind     1.4-5
acepack   1.4.1
arules    1.6-3
The following Open Source Management API can be used to check the vulnerabilities for the provided package information in a Cloud Pak for Data cluster. Note that this API is currently in Beta version.
API:
curl -k -X POST -H "Authorization: Bearer {token}" -H "accept: application/json" -H "Content-Type: application/json" "https://{cpd_cluster_host}{:port}/osm/v1/vulnerable_packages" -d @sampleInput.json
Sample Input:
{
  "packages_data": [
    {
      "name": "syscp",
      "version": "1.4.2.1"
    },
    {
      "name": "Ruby Gem zk",
      "version": "1.9.5"
    },
    {
      "name": "drupal",
      "version": "5.0"
    }
  ]
}
Sample Output:
{
  "description": "The list indicates the vulnerable packages along with the vulnerability id from the input set of packages",
  "vulnerable_packages": [
    {
      "package_name": "drupal",
      "package_version": "5.0",
      "vulnerability_id": "CVE-2018-7600"
    },
    {
      "package_name": "drupal",
      "package_version": "5.0",
      "vulnerability_id": "CVE-2018-7602"
    },
    {
      "package_name": "drupal",
      "package_version": "5.0",
      "vulnerability_id": "CVE-2019-10909"
    }
  ]
}
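The following script ties the three extraction steps above to the API call: it parses the pip freeze (name==version), npm (name@version, including @scope/name packages) and R table listings into the packages_data request body, posts it with the same headers as the curl call, and groups the returned vulnerability ids by package. This is an added example, not code from the original article or from the Cloud Pak for Data product; the sample listings and the copy of the sample response are constructed to match the formats shown above, and the host, port and token are placeholders you must supply.

```python
"""Build an OSM packages_data body from package listings and summarise the reply.

Added example; the listings below are constructed from the formats shown above.
"""
import json
import ssl
import urllib.request

# Constructed sample listings in the three formats the article shows.
PIP_FREEZE = "MarkupSafe==1.1.1\nmccabe==0.6.1\nnumpy==1.17.0\n"
NPM_LL = ("json-schema-traverse@0.4.1\njson-schema@0.2.3\n"
          "json-stable-stringify-without-jsonify@1.0.1\n")
R_TABLE = " Package Version\n   abind   1.4-5\n acepack   1.4.1\n  arules   1.6-3\n"

# Copy of the article's sample output, used here to exercise summarise_response().
SAMPLE_RESPONSE = {
    "vulnerable_packages": [
        {"package_name": "drupal", "package_version": "5.0", "vulnerability_id": "CVE-2018-7600"},
        {"package_name": "drupal", "package_version": "5.0", "vulnerability_id": "CVE-2018-7602"},
        {"package_name": "drupal", "package_version": "5.0", "vulnerability_id": "CVE-2019-10909"},
    ]
}


def parse_pip_freeze(text):
    """name==version lines -> [{"name": ..., "version": ...}]; skips editable/URL entries."""
    pkgs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pkgs.append({"name": name, "version": version})
    return pkgs


def parse_npm_listing(text):
    """name@version lines (the awk'd npm output) -> dicts; the LAST '@' splits off the version,
    so scoped packages such as @types/node@12.0.0 are handled."""
    pkgs = []
    for line in text.splitlines():
        name, sep, version = line.strip().rpartition("@")
        if not sep or not name:
            continue
        pkgs.append({"name": name, "version": version})
    return pkgs


def parse_r_table(text):
    """Whitespace-separated 'Package Version' table printed by R -> dicts (header skipped)."""
    pkgs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] == "Package":
            continue
        pkgs.append({"name": parts[0], "version": parts[1]})
    return pkgs


def build_request_body(*package_lists):
    """Merge listings into the packages_data body, dropping exact duplicates."""
    seen, merged = set(), []
    for pkgs in package_lists:
        for p in pkgs:
            key = (p["name"].lower(), p["version"])
            if key not in seen:
                seen.add(key)
                merged.append(p)
    return {"packages_data": merged}


def summarise_response(response):
    """Group vulnerability ids by package: {'drupal@5.0': ['CVE-2018-7600', ...]}."""
    by_pkg = {}
    for v in response.get("vulnerable_packages", []):
        key = f'{v["package_name"]}@{v["package_version"]}'
        by_pkg.setdefault(key, []).append(v["vulnerability_id"])
    return by_pkg


def query_osm(host, token, body, port=None, verify_tls=True):
    """POST body to /osm/v1/vulnerable_packages with the headers from the curl call.
    verify_tls=False mirrors curl -k; keep it True outside a lab so the token is
    only ever sent to a server presenting a trusted certificate."""
    url = f"https://{host}{':' + str(port) if port else ''}/osm/v1/vulnerable_packages"
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST", headers={
        "Authorization": f"Bearer {token}",
        "accept": "application/json",
        "Content-Type": "application/json",
    })
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_request_body(parse_pip_freeze(PIP_FREEZE),
                              parse_npm_listing(NPM_LL), parse_r_table(R_TABLE))
    print(json.dumps(body, indent=2))           # what curl -d @sampleInput.json would send
    print(summarise_response(SAMPLE_RESPONSE))  # {'drupal@5.0': ['CVE-2018-7600', ...]}
    # result = query_osm("{cpd_cluster_host}", "{token}", body)  # placeholders: fill in for a real cluster
```

Replace the constructed listings with the real output of the commands above (for instance by reading the saved files) and uncomment the query_osm call with your cluster host and bearer token; summarise_response() then gives one line per affected package, which is the view most teams want when deciding what to upgrade first.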