Cloud Pak for Data Group

Package metadata scanning methods for Open Source Management Service

By Payas Goyal posted 15 days ago

Open-source software can be an incredibly useful asset. But if you use open source packages that haven't been approved for use in your organization, you might end up with unexpected software vulnerabilities or legal implications. With the Open Source Management (OSM) service, you can easily identify packages that have been vetted by your organization. For more details about the OSM service, please see the OSM service documentation.

Each programming language provides different methods to extract the package names and versions installed in an environment. The following text describes how to extract package information (i.e., name and version) for all installed packages and their dependencies for Python, JavaScript and R. This information can then be checked for known vulnerabilities by using the Open Source Management (OSM) API described at the end of this post.

Python:

Python has two prevalent major versions, 2.x and 3.x. To retrieve the package information, run the following command in the environment:

Python 2.x:
pip freeze

Python 3.x
pip3 freeze

The above commands print one package per line in the format name==version. For example:
MarkupSafe==1.1.1
mccabe==0.6.1
numpy==1.17.0

JavaScript:

In JavaScript, unlike Python, packages can be installed at the local directory level or at the global level, and the two sets are independent of each other. To retrieve the package information, run the following commands in the environment:

At directory level:
npm ll --parseable | awk -F':' '{print $2}' | sort -u

At global level:
npm ll -g --parseable | awk -F':' '{print $2}' | sort -u

This will give you output in the form name@version. For example:

json-schema-traverse@0.4.1
json-schema@0.2.3
json-stable-stringify-without-jsonify@1.0.1

R:

To retrieve the package information, run the following commands in the environment:

# Column 1 = Package, column 3 = Version, column 4 = Priority of every installed package
ip <- as.data.frame(installed.packages()[,c(1,3:4)])
# Keep only user-installed packages: base and recommended packages carry a Priority
ip <- ip[is.na(ip$Priority),1:2,drop=FALSE]
# Print Package and Version columns without row numbers
print(ip, row.names=FALSE)

This will give you output in the following format:
Package     Version
abind       1.4-5
acepack     1.4.1
arules      1.6-3

The following Open Source Management API can be used to check the provided package information for known vulnerabilities in a Cloud Pak for Data cluster. Note that this API is currently in beta.

API:
curl -k -X POST -H "Authorization: Bearer {token}" -H "accept: application/json"  -H "Content-Type: application/json" "https://{cpd_cluster_host}{:port}/osm/v1/vulnerable_packages" -d @sampleInput.json

Sample Input:
{
    "packages_data": [
        {
            "name": "syscp",
            "version": "1.4.2.1"
        },
        {
            "name": "Ruby Gem zk",
            "version": "1.9.5"
        },
        {
            "name": "drupal",
            "version": "5.0"
        }
    ]
}

Sample Output:
{
    "description": "The list indicates the vulnerable packages along with the vulnerability id from the input set of packages",
    "vulnerable_packages": [{
        "package_name": "drupal",
        "package_version": "5.0",
        "vulnerability_id": "CVE-2018-7600"
    }, {
        "package_name": "drupal",
        "package_version": "5.0",
        "vulnerability_id": "CVE-2018-7602"
    }, {
        "package_name": "drupal",
        "package_version": "5.0",
        "vulnerability_id": "CVE-2019-10909"
    }]
}
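The three inventory formats above (pip's name==version, npm's name@version and the R Package/Version table) all have to be turned into the packages_data body before they can be posted to the API. The following script, added here as an example and not part of the original post or the OSM service, parses each format and merges them into one request body; the sample outputs it works on are constructed, and it handles the two cases that trip up naive splitting: editable pip installs without a version, and scoped npm packages whose names themselves start with "@".

```python
# Added example (not from the original post): turn the three inventory
# formats shown above into the body for POST /osm/v1/vulnerable_packages.
import json

# Constructed sample outputs, one per format described in the post.
PIP_FREEZE = "MarkupSafe==1.1.1\nmccabe==0.6.1\nnumpy==1.17.0\n-e git+https://example.invalid/x.git#egg=x\n"
NPM_LL = "json-schema-traverse@0.4.1\njson-schema@0.2.3\n@babel/core@7.5.5\n"
R_TABLE = "Package     Version\nabind           1.4-5\nacepack      1.4.1\n"

def parse_pip_freeze(text):
    """name==version lines; editable/VCS entries (no '==') carry no version and are skipped."""
    pkgs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pkgs.append({"name": name, "version": version})
    return pkgs

def parse_npm_list(text):
    """name@version lines; scoped names start with '@', so split on the last '@' only."""
    pkgs = []
    for line in text.splitlines():
        line = line.strip()
        if "@" not in line[1:]:
            continue
        name, version = line.rsplit("@", 1)
        pkgs.append({"name": name, "version": version})
    return pkgs

def parse_r_table(text):
    """Two-column 'Package Version' table as printed by the R snippet above."""
    pkgs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] == "Package":
            continue
        pkgs.append({"name": parts[0], "version": parts[1]})
    return pkgs

def build_osm_request(*package_lists):
    """Merge inventories, drop exact duplicates, return the packages_data JSON text."""
    seen, merged = set(), []
    for p in (p for pkgs in package_lists for p in pkgs):
        if (p["name"], p["version"]) not in seen:
            seen.add((p["name"], p["version"]))
            merged.append(p)
    return json.dumps({"packages_data": merged}, indent=4)
```

Write the string returned by build_osm_request to sampleInput.json and post it with the curl command above; the vulnerable_packages list in the response then maps each flagged name and version back to a vulnerability id.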
