Package metadata scanning methods for Open Source Management Service

By Payas Goyal posted Mon July 27, 2020 11:01 AM

Open-source software can be an incredibly useful asset. But if you use open source packages that haven't been approved for use in your organization, you might end up with unexpected software vulnerabilities or legal implications. With the Open Source Management (OSM) service, you can easily identify packages that have been vetted by your organization. For more details about the OSM service, see the OSM service documentation.

Each programming language provides its own way to list the packages installed in an environment, together with their versions. The following sections describe how to extract this information (name and version of every installed package and its dependencies) for Python, JavaScript and R. The collected list can then be checked for known vulnerabilities with the Open Source Management (OSM) API described at the end of this post.

Python:

Python has two major versions in use, 2.x and 3.x, each with its own pip. To retrieve the package information, run the command that matches your interpreter in the environment:

Python 2.x:
pip freeze

Python 3.x:
pip3 freeze

Both commands print one package per line in the format name==version. For example:
MarkupSafe==1.1.1
mccabe==0.6.1
numpy==1.17.0

JavaScript:

In JavaScript, unlike Python, packages can be installed at the local (directory) level or at the global level, and the two sets are independent of each other, so both must be listed. To retrieve the package information, run the following commands in the environment:

At directory level:
npm ll --parseable | awk -F':' '{print $2}' | sort -u

At global level:
npm ll -g --parseable | awk -F':' '{print $2}' | sort -u

Each command prints one package per line in the format name@version. For example:

json-schema-traverse@0.4.1
json-schema@0.2.3
json-stable-stringify-without-jsonify@1.0.1

R:

To retrieve the package information, run the following R code in the environment:

# Package, Version and Priority columns of every installed package
ip <- as.data.frame(installed.packages()[,c(1,3:4)])
# Drop base and recommended packages (those that have a Priority) and keep Package and Version
ip <- ip[is.na(ip$Priority),1:2,drop=FALSE]
print(ip, row.names=FALSE)

This prints a two-column table in the following format:
Package  Version
abind    1.4-5
acepack  1.4.1
arules   1.6-3

The following Open Source Management API can be used to check the vulnerabilities for the provided package information in a Cloud Pak for Data cluster. Note that this API is currently in Beta version.

API:
curl -k -X POST -H "Authorization: Bearer {token}" -H "accept: application/json"  -H "Content-Type: application/json" "https://{cpd_cluster_host}{:port}/osm/v1/vulnerable_packages" -d @sampleInput.json

Sample Input:
{
    "packages_data": [
        {
            "name": "syscp",
            "version": "1.4.2.1"
        },
        {
            "name": "Ruby Gem zk",
            "version": "1.9.5"
        },
        {
            "name": "drupal",
            "version": "5.0"
        }
    ]
}

Sample Output:
{
    "description": "The list indicates the vulnerable packages along with the vulnerability id from the input set of packages",
    "vulnerable_packages": [
        {
            "package_name": "drupal",
            "package_version": "5.0",
            "vulnerability_id": "CVE-2018-7600"
        },
        {
            "package_name": "drupal",
            "package_version": "5.0",
            "vulnerability_id": "CVE-2018-7602"
        },
        {
            "package_name": "drupal",
            "package_version": "5.0",
            "vulnerability_id": "CVE-2019-10909"
        }
    ]
}
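To tie the steps together, the following added Python script (written for this post; it is not part of the OSM service and not the author's code) parses the three command outputs described above into the packages_data body that the vulnerable_packages API expects, and groups a response by package. The command outputs it parses are constructed samples embedded inline.

```python
import json

# Constructed sample outputs of the three listing commands above (not real scan data).
PIP_FREEZE = "MarkupSafe==1.1.1\nmccabe==0.6.1\nnumpy==1.17.0\n-e git+https://example.invalid/repo#egg=mypkg\n"
NPM_LL = "json-schema-traverse@0.4.1\njson-schema@0.2.3\n@babel/core@7.10.0\n"
R_TABLE = "Package     Version\nabind           1.4-5\nacepack      1.4.1\narules          1.6-3\n"

def parse_pip(text):
    """Parse `pip freeze` lines of the form name==version."""
    pkgs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue  # comments and editable installs (-e ...) carry no pinned version
        name, version = line.split("==", 1)
        pkgs.append({"name": name, "version": version})
    return pkgs

def parse_npm(text):
    """Parse name@version lines; scoped packages (@scope/pkg@ver) start with '@'."""
    pkgs = []
    for line in text.splitlines():
        name, sep, version = line.strip().rpartition("@")
        if sep and name:  # rpartition keeps a scope's leading '@' inside the name
            pkgs.append({"name": name, "version": version})
    return pkgs

def parse_r(text):
    """Parse the two-column 'Package Version' table printed by the R snippet."""
    pkgs = []
    for line in text.splitlines()[1:]:  # first line is the header row
        parts = line.split()
        if len(parts) == 2:
            pkgs.append({"name": parts[0], "version": parts[1]})
    return pkgs

def build_request(*package_lists):
    """Build the JSON body for POST /osm/v1/vulnerable_packages (de-duplicated, sorted)."""
    seen = {(p["name"], p["version"]) for lst in package_lists for p in lst}
    return {"packages_data": [{"name": n, "version": v} for n, v in sorted(seen)]}

def group_by_package(response):
    """Map (name, version) -> vulnerability ids from a vulnerable_packages response."""
    out = {}
    for v in response.get("vulnerable_packages", []):
        out.setdefault((v["package_name"], v["package_version"]), []).append(v["vulnerability_id"])
    return out

if __name__ == "__main__":
    print(json.dumps(build_request(parse_pip(PIP_FREEZE), parse_npm(NPM_LL), parse_r(R_TABLE)), indent=2))
```

Redirect the printed body to sampleInput.json and send it with the curl command above; group_by_package then gives you one CVE list per (name, version) pair from the response.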
