{"id":25810,"date":"2024-03-04T17:08:51","date_gmt":"2024-03-04T16:08:51","guid":{"rendered":"https:\/\/www.codemotion.com\/magazine\/?p=25810"},"modified":"2024-03-04T17:08:52","modified_gmt":"2024-03-04T16:08:52","slug":"componenti-oss-vulnerabili-no-grazie","status":"publish","type":"post","link":"https:\/\/www.codemotion.com\/magazine\/it\/devops-it\/componenti-oss-vulnerabili-no-grazie\/","title":{"rendered":"Vulnerable OSS components? No thanks!"},"content":{"rendered":"\n<p>In this article I will introduce the concept of <strong>Software Composition Analysis (SCA)<\/strong>, explaining how to apply it within the software life cycle, in this case using <strong>Sonatype Nexus IQ Lifecycle<\/strong> as the <strong>dependency scanning<\/strong> tool, and showing possible integration examples.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-vulnerabilita-su-software-open-source\">Vulnerabilities in open-source software<\/h2>\n\n\n\n<p>It is a fact that 80-90% of modern applications are made up of components, most of which are <strong>Open Source Software (OSS)<\/strong>.<\/p>\n\n\n\n<p>In some cases these components may contain security vulnerabilities which, once identified by the open-source community, are publicly disclosed so that they can be fixed in subsequent releases.<\/p>\n\n\n\n<p>A well-known example is <strong>Log4J<\/strong>, which in December 2021 caused panic across the IT world.<\/p>\n\n\n\n<p>Attackers, for convenience, generally prefer to exploit the known vulnerabilities <em>(Common Vulnerabilities and Exposures &#8211; CVEs)<\/em> present in OSS components rather than hunt for vulnerabilities that a careless developer may have introduced into the application.<\/p>\n\n\n\n<p>Depending on their nature, these vulnerabilities can be used to carry out attacks 
of various kinds (SQL injection, cross-site scripting, etc.).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-un-uso-sicuro-dell-open-source\">Using open-source safely<\/h2>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>How can we use and integrate OSS components in our applications without negatively affecting security?<\/em><\/p>\n<\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>How can we benefit from the accumulated value of open-source without exposing ourselves to danger?<\/em><\/p>\n<\/blockquote>\n\n\n\n<p><strong>Component management<\/strong> through <strong>dependency scan<\/strong> tools gives us the answers to these two questions. Such tools analyse an application's project dependencies, looking for known security vulnerabilities.<\/p>\n\n\n\n<p>Continuously <strong>monitoring<\/strong> the project dependencies used across an organisation's application portfolio, in order to check whether the component versions currently in use carry security vulnerabilities, is the bread and butter of any open-source risk management process.<\/p>\n\n\n\n<p>Typically, the vulnerable components identified are classified according to the <strong>risk factor<\/strong> they represent (low, medium, high, critical).<\/p>\n\n\n\n<p>The search for vulnerabilities is not limited to the individual components: all the transitive dependencies they in turn use are analysed as well.<\/p>\n\n\n\n<p>Considering that:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>the vulnerabilities present in OSS component versions are discovered by the community over time;<\/li>\n\n\n\n<li>in most cases a more recent version of the component is 
available that fixes the vulnerabilities previously included;<\/li>\n<\/ul>\n\n\n\n<p>the use of dependency scan tools, ideally with a low false-positive rate (such as <em>Sonatype Nexus IQ Lifecycle<\/em>), is essential for raising the security standards of software and avoiding potential attacks.<\/p>\n\n\n\n<p>According to Sonatype's latest \u201c<em>State of the Software Supply Chain<\/em>\u201d report, for a vulnerable OSS Maven component in the \u201c<em>Maven Central<\/em>\u201d repository it is estimated that 96% of the time a fixed, and therefore safe, version is already available. This means that only 4% (a negligible share) of the security issues affecting these components is actually unavoidable.<\/p>\n\n\n\n<p>Vulnerable component versions must therefore be upgraded to more recent versions that are secure and reliable.<\/p>\n\n\n\n<p>Upgrading component versions might at first sight look like extra effort for the development team, making development less agile.<\/p>\n\n\n\n<p>However, there is always a trade-off between development speed and building secure, high-quality software. If we want to close it we must invest in automation and adopt best practices when choosing which component versions to upgrade to <em>(e.g. 
avoiding pre-release versions and preferring the versions most widely adopted by the community)<\/em>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-code-review-e-devsecops\">Code review and DevSecOps<\/h2>\n\n\n\n<p>To minimise the likelihood of introducing security vulnerabilities, strict <strong>code-review<\/strong> policies are strongly recommended.<\/p>\n\n\n\n<p>If the code is reviewed during the change-integration process, the merge request (pull request) can be blocked when the following are identified:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Dependency versions in use that have known vulnerabilities;<\/li>\n\n\n\n<li>Bad practices in the code that introduce security flaws;<\/li>\n\n\n\n<li>Malicious code intentionally introduced by attackers in commits.<\/li>\n<\/ul>\n\n\n\n<p>Especially in the case of an open-source project, the risk of publishing vulnerable component versions (to the target repositories) is thus minimised.<\/p>\n\n\n\n<p>The review can take place either <strong>manually<\/strong>, by an expert (e.g. 
a senior developer) who analyses the code and decides whether it is acceptable, or <strong>automatically<\/strong>, through CI\/CD pipelines.<\/p>\n\n\n\n<p>Dedicated stages can be added to a Continuous Integration (CI) pipeline to perform:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>analysis of project dependencies (<strong>Dependency Scan<\/strong>) using dedicated tools;<\/li>\n\n\n\n<li>code-quality analysis (<strong>Quality Scan<\/strong>), useful for establishing whether the code is maintainable and free of bad practices that could potentially put the software at risk;<\/li>\n\n\n\n<li>static analysis of the source code looking for security flaws (<strong>Static Application Security Testing \u2013 SAST<\/strong>), based on the OWASP Top Ten and other criteria.<\/li>\n<\/ul>\n\n\n\n<p>Many other security checks can be integrated into a pipeline; however, those listed above are certainly the most common.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/i.imgur.com\/Cq2am3r.jpeg\" alt=\"\"\/><\/figure>\n<\/div>\n\n\n<p>The result is what is called <strong>DevSecOps<\/strong>: a software supply chain that is robust against vulnerabilities, with prompt, targeted remediation whenever they are found.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-software-bill-of-material-sbom\">Software Bill of Materials (SBOM)<\/h2>\n\n\n\n<p>In the USA, regulations have come into force that make the <strong>SBOM (Software Bill Of Materials)<\/strong> mandatory in several areas. 
For example, it is mandatory for suppliers selling software to the federal government and for medical device manufacturers.<\/p>\n\n\n\n<p>An SBOM is typically a file in <em>CycloneDX<\/em> \/ <em>SPDX<\/em> format containing all the details of the software it refers to, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>a detailed <strong>list<\/strong> of all the components used, including frameworks, libraries, modules and other dependencies;<\/li>\n\n\n\n<li>the <strong>origin<\/strong> of the components, indicating whether they were developed in-house, derived from open-source software or sourced from third parties;<\/li>\n\n\n\n<li>information on the <strong>licences<\/strong> associated with each component;<\/li>\n\n\n\n<li><strong>links<\/strong> and information about documentation and resources relating to third-party components;<\/li>\n\n\n\n<li>any other relevant <strong>information<\/strong> and metadata, such as security notes.<\/li>\n<\/ul>\n\n\n\n<p>The SBOM is fundamental for cybersecurity and is in high demand, since it provides all the elements needed to estimate the risk level of the software and manage any threats as well as possible.<\/p>\n\n\n\n<p>In Italy too, SBOMs are increasingly being requested by public administrations.<\/p>\n\n\n\n<p>Fortunately, tools such as <em>Sonatype Nexus IQ Lifecycle<\/em> allow the SBOM of every piece of software in the application portfolio to be generated automatically in relatively few steps.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-analisi-dipendenze-con-sonatype-lifecycle\">Dependency analysis with Sonatype Lifecycle<\/h2>\n\n\n\n<p>Taking Sonatype Nexus IQ Server <em>(Lifecycle licence)<\/em> as our dependency scan tool, we will see how it can be used and integrated into our software tool-chain.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" 
id=\"h-estensione-browser-amp-nexus-iq-ide-integration\">Browser extension &amp; Nexus IQ IDE Integration<\/h3>\n\n\n\n<p>Dependency analysis can be run by developers on their own machines, in order to obtain a short feedback loop already in the early stages of development and component selection.<\/p>\n\n\n\n<p>Through the <strong>Chrome extension<\/strong> \u201c<a href=\"https:\/\/chromewebstore.google.com\/detail\/sonatype-nexus-iq-evaluat\/mjehedmoboadebjmbmobpedkdgenmlhd?pli=1\" target=\"_blank\" rel=\"noreferrer noopener\">Sonatype Nexus IQ Evaluation<\/a>\u201d it is possible to identify component versions with vulnerabilities directly while browsing the websites of public repositories (e.g. Maven Central, NPMJS.COM, etc.).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/i.imgur.com\/mNxsc10.png\" alt=\"\"\/><\/figure>\n<\/div>\n\n\n<p>In addition, most <strong>development IDEs<\/strong> (e.g. 
Eclipse, IntelliJ IDEA, Visual Studio, VS Code) offer an installable extension that notifies the developer of the presence of vulnerable and\/or untrustworthy component versions.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/i.imgur.com\/U5vrdIv.png\" alt=\"\"\/><\/figure>\n<\/div>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/i.imgur.com\/6kxPWa7.png\" alt=\"\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-nexus-iq-web-ui-amp-cli\">Nexus IQ Web UI &amp; CLI<\/h3>\n\n\n\n<p>Using the <strong>web UI<\/strong>, the dependency scan can be started manually or scheduled, including at periodic intervals.<\/p>\n\n\n\n<p>Alternatively, it can be run through the <a href=\"https:\/\/help.sonatype.com\/en\/download-and-compatibility.html\">Sonatype IQ <strong>CLI<\/strong><\/a>, with the following command:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-1\" data-shcb-language-name=\"Bash\" data-shcb-language-slug=\"bash\"><span><code class=\"hljs language-bash\">nexus-iq-cli \\\n  --application-id TestApp \\\n  --server-url http:\/\/localhost:8070 \\\n  --authentication &lt;nexus-user&gt;:&lt;nexus-pass&gt; \\\n  --stage develop \\\n  &lt;application-target-path&gt;<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-1\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">Bash<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">bash<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>To obtain the <em>Application ID<\/em> we need to register our application in the Nexus IQ platform, associating it with an organisation.<\/p>\n\n\n\n<p>Nexus IQ allows the analysis to be tagged with one of the following stages: 
<em>develop, build, release, operate<\/em>. If no stage is passed as an argument, \u201cbuild\u201d is selected automatically.<\/p>\n\n\n\n<p>The application target is the path of the project folder, or a package \/ archive containing the compressed application or the compiled artefacts.<\/p>\n\n\n\n<p>Below are some examples of supported application targets, by programming language:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Java, using .jar\/.ear\/.war packages (post-build artefacts);<\/li>\n\n\n\n<li>NPM (required: package.json and package-lock.json \/ yarn.lock);<\/li>\n\n\n\n<li>Python (required: requirements.txt \/ Poetry files);<\/li>\n\n\n\n<li><em>Full list: <\/em><a href=\"https:\/\/www.sonatype.com\/products\/language-and-package-support\"><em>https:\/\/www.sonatype.com\/products\/language-and-package-support<\/em><\/a><em>.<\/em><\/li>\n<\/ul>\n\n\n\n<p>Nexus IQ can also be integrated into package managers as a plugin. 
For example, on Maven it is enough to add the following content to the pom.xml:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-2\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\"><span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">build<\/span>&gt;<\/span>\n  <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">pluginManagement<\/span>&gt;<\/span>\n    <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">plugins<\/span>&gt;<\/span>\n      <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">plugin<\/span>&gt;<\/span>\n        <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">groupId<\/span>&gt;<\/span>com.sonatype.clm<span class=\"hljs-tag\">&lt;\/<span class=\"hljs-name\">groupId<\/span>&gt;<\/span>\n        <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">artifactId<\/span>&gt;<\/span>clm-maven-plugin<span class=\"hljs-tag\">&lt;\/<span class=\"hljs-name\">artifactId<\/span>&gt;<\/span>\n        <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">version<\/span>&gt;<\/span>2.1.1<span class=\"hljs-tag\">&lt;\/<span class=\"hljs-name\">version<\/span>&gt;<\/span>\n        <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">configuration<\/span>&gt;<\/span>\n          <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">serverUrl<\/span>&gt;<\/span>http:\/\/localhost:8070<span class=\"hljs-tag\">&lt;\/<span class=\"hljs-name\">serverUrl<\/span>&gt;<\/span>\n          <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">applicationId<\/span>&gt;<\/span>test<span class=\"hljs-tag\">&lt;\/<span class=\"hljs-name\">applicationId<\/span>&gt;<\/span>\n          <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">stage<\/span>&gt;<\/span>develop<span class=\"hljs-tag\">&lt;\/<span class=\"hljs-name\">stage<\/span>&gt;<\/span>\n          <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">serverId<\/span>&gt;<\/span>nexus-site<span 
class=\"hljs-tag\">&lt;\/<span class=\"hljs-name\">serverId<\/span>&gt;<\/span>\n        <span class=\"hljs-tag\">&lt;\/<span class=\"hljs-name\">configuration<\/span>&gt;<\/span>\n      <span class=\"hljs-tag\">&lt;\/<span class=\"hljs-name\">plugin<\/span>&gt;<\/span>\n    <span class=\"hljs-tag\">&lt;\/<span class=\"hljs-name\">plugins<\/span>&gt;<\/span>\n  <span class=\"hljs-tag\">&lt;\/<span class=\"hljs-name\">pluginManagement<\/span>&gt;<\/span>\n<span class=\"hljs-tag\">&lt;\/<span class=\"hljs-name\">build<\/span>&gt;<\/span><\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-2\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>Authentication details are instead stored in the settings.xml file, as in the following example <em>(in clear text, or by referencing suitably configured environment variables)<\/em>:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-3\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\"><span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">servers<\/span>&gt;<\/span>\n    <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">server<\/span>&gt;<\/span>\n        <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">id<\/span>&gt;<\/span>nexus-site<span class=\"hljs-tag\">&lt;\/<span class=\"hljs-name\">id<\/span>&gt;<\/span>\n        <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">username<\/span>&gt;<\/span>${env.NEXUS_USER}<span class=\"hljs-tag\">&lt;\/<span class=\"hljs-name\">username<\/span>&gt;<\/span>\n        <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">password<\/span>&gt;<\/span>${env.NEXUS_PASS}<span class=\"hljs-tag\">&lt;\/<span 
class=\"hljs-name\">password<\/span>&gt;<\/span>\n    <span class=\"hljs-tag\">&lt;\/<span class=\"hljs-name\">server<\/span>&gt;<\/span>\n<span class=\"hljs-tag\">&lt;\/<span class=\"hljs-name\">servers<\/span>&gt;<\/span><\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-3\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>The dependency scan is then run with the command:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-4\" data-shcb-language-name=\"Bash\" data-shcb-language-slug=\"bash\"><span><code class=\"hljs language-bash\">mvn package clm:evaluate -Dmaven.test.skip=<span class=\"hljs-literal\">true<\/span><\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-4\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">Bash<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">bash<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>If instead you use Gradle as your package manager, an equivalent plugin is available at: <a href=\"https:\/\/github.com\/sonatype-nexus-community\/scan-gradle-plugin\">https:\/\/github.com\/sonatype-nexus-community\/scan-gradle-plugin<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-nexus-iq-ci-cd-integration\">Nexus IQ CI\/CD Integration<\/h3>\n\n\n\n<p>If we make the Nexus IQ CLI available on the agent\/runner used by a CI\/CD pipeline, it can be used in a dedicated stage, generally placed after the build stage.<\/p>\n\n\n\n<p>If we want the job defined in that stage to run inside a container, an official Docker image with the CLI on 
board can be used, available from <a href=\"https:\/\/hub.docker.com\/r\/sonatype\">DockerHub<\/a>.<\/p>\n\n\n\n<p>Below is an example of a job compatible with a <strong>GitLab pipeline<\/strong>:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-5\" data-shcb-language-name=\"YAML\" data-shcb-language-slug=\"yaml\"><span><code class=\"hljs language-yaml\"><span class=\"hljs-attr\">iq_policy_eval:<\/span>\n  <span class=\"hljs-attr\">stage:<\/span> <span class=\"hljs-string\">test<\/span>\n  <span class=\"hljs-attr\">image:<\/span> <span class=\"hljs-string\">sonatype\/gitlab-nexus-iq-pipeline:latest<\/span>\n  <span class=\"hljs-attr\">script:<\/span>\n    <span class=\"hljs-bullet\">-<\/span> <span class=\"hljs-string\">\/sonatype\/evaluate<\/span> <span class=\"hljs-string\">-i<\/span> <span class=\"hljs-string\">${CI_PROJECT_NAME}<\/span> <span class=\"hljs-string\">target\/*.war<\/span>\n  <span class=\"hljs-attr\">artifacts:<\/span>\n    <span class=\"hljs-attr\">name:<\/span> <span class=\"hljs-string\">\"policy-eval-${CI_JOB_NAME}-${CI_COMMIT_REF_NAME}\"<\/span>\n    <span class=\"hljs-comment\"># keep the report even when a policy violation fails the job<\/span>\n    <span class=\"hljs-attr\">when:<\/span> <span class=\"hljs-string\">always<\/span>\n    <span class=\"hljs-attr\">paths:<\/span>\n      <span class=\"hljs-bullet\">-<\/span> <span class=\"hljs-string\">${CI_PROJECT_NAME}-policy-eval-report.html<\/span><\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-5\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">YAML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">yaml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>which additionally saves the analysis report as a job artifact.<\/p>\n\n\n\n<p>In this case the authentication credentials are taken from the following environment variables (defined as CI variables):<\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>NEXUS_IQ_URL;<\/li>\n\n\n\n<li>NEXUS_IQ_USERNAME;<\/li>\n\n\n\n<li>NEXUS_IQ_PASSWORD.<\/li>\n<\/ul>\n\n\n\n<p>On <strong>Jenkins<\/strong>, instead, an official extension is available, free to download from the following link: <a href=\"https:\/\/download.sonatype.com\/integrations\/jenkins\/nexus-jenkins-plugin-3.19.1-01.hpi\">https:\/\/download.sonatype.com\/integrations\/jenkins\/nexus-jenkins-plugin-3.19.1-01.hpi<\/a>.<\/p>\n\n\n\n<p>Once installed and properly configured, a dependency scan stage can be defined as in the following example:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-6\" data-shcb-language-name=\"Groovy\" data-shcb-language-slug=\"groovy\"><span><code class=\"hljs language-groovy\">stage(<span class=\"hljs-string\">'Dependency Analysis'<\/span>) {\n    steps {\n        nexusPolicyEvaluation(\n<span class=\"hljs-symbol\">            iqApplication:<\/span> NEXUS_IQ_APP_ID,\n<span class=\"hljs-symbol\">            iqInstanceId:<\/span> <span class=\"hljs-string\">'nexus-iq-server'<\/span>,\n<span class=\"hljs-symbol\">            iqStage:<\/span> <span class=\"hljs-string\">'build'<\/span>\n        )\n    }\n}<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-6\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">Groovy<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">groovy<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>In some cases it may also be useful to save the SBOM which, as mentioned earlier, is generated automatically by Nexus IQ Lifecycle.<\/p>\n\n\n\n<p>To obtain it, simply call the dedicated Nexus IQ REST API by adding the following scripted step:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-7\" data-shcb-language-name=\"Groovy\" 
data-shcb-language-slug=\"groovy\"><span><code class=\"hljs language-groovy\">withCredentials(&#91;usernamePassword(<span class=\"hljs-string\">credentialsId:<\/span> <span class=\"hljs-string\">'nexus-iq'<\/span>, <span class=\"hljs-string\">usernameVariable:<\/span> <span class=\"hljs-string\">'NEXUS_IQ_USER'<\/span>, <span class=\"hljs-string\">passwordVariable:<\/span> <span class=\"hljs-string\">'NEXUS_IQ_PASS'<\/span>)]) {\n    <span class=\"hljs-keyword\">for<\/span>(sbomType <span class=\"hljs-keyword\">in<\/span> &#91;<span class=\"hljs-string\">'cycloneDx'<\/span>, <span class=\"hljs-string\">'spdx'<\/span>]){\n        <span class=\"hljs-comment\">\/\/ let the shell expand the bound credentials (\\$VAR) instead of Groovy (${VAR}),\n        \/\/ so they are not interpolated into the command line; --fail makes an API error fail the step<\/span>\n        sh(<span class=\"hljs-string\">\"curl --fail -u \\\"\\$NEXUS_IQ_USER:\\$NEXUS_IQ_PASS\\\" -X GET --header Accept:application\/json ${NEXUS_IQ_URL}\/api\/v2\/${sbomType}\/1.4\/${NEXUS_IQ_APP_ID}\/stages\/build -o target\/sbom-${sbomType}.json\"<\/span>)\n    }\n    archiveArtifacts <span class=\"hljs-string\">artifacts:<\/span> <span class=\"hljs-string\">'target\/sbom-*.json'<\/span>, <span class=\"hljs-string\">onlyIfSuccessful:<\/span> <span class=\"hljs-literal\">true<\/span>\n}<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-7\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">Groovy<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">groovy<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>Below are some screenshots showing the final result on Jenkins, using a simple CI pipeline and the dummy application \u201c<a href=\"https:\/\/github.com\/spring-projects\/spring-petclinic\">spring-petclinic<\/a>\u201d.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/i.imgur.com\/e1F0PuL.png\" alt=\"\"\/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" 
src=\"https:\/\/i.imgur.com\/Xl88ICn.png\" alt=\"\"\/><\/figure>\n<\/div>\n\n\n<p>From the report we can see that the analysed application has high-risk vulnerabilities in the versions of several components. They will need to be upgraded to make the application more secure.<\/p>\n\n\n\n<p>For example, by analysing the version-ranking chart of the &#8220;jackson-core&#8221; component, we can easily identify version 2.15.3 as the optimal, vulnerability-free version.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/i.imgur.com\/8mOluW2.png\" alt=\"\" style=\"aspect-ratio:0.9509090909090909;width:528px;height:auto\"\/><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-approfondimenti\">Further reading<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/blog.sonatype.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Sonatype's blog on DevSecOps topics<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.sonatype.com\/products\/vulnerability-scanner\" class=\"ek-link\">Extract the SBOM from an application of your choice<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.sonatype.com\/state-of-the-software-supply-chain\/introduction\" target=\"_blank\" rel=\"noreferrer noopener\">9th State of the Software Supply Chain Report<\/a><\/li>\n\n\n\n<li>SBOM legislation\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.cisa.gov\/sbom\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.cisa.gov\/sbom<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/library\/cyber-resilience-act-factsheet\" target=\"_blank\" rel=\"noreferrer noopener\">European Cyber Resilience Act<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>To learn more about the DevSecOps methodology and apply it in your software tool-chain, <a 
href=\"mailto:sales@profesia.it?subject=codemotion\" target=\"_blank\" rel=\"noreferrer noopener\">write to me<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this article I will introduce the concept of Software Composition Analysis (SCA), explaining how to apply it within the software life cycle, in this case using Sonatype Nexus IQ Lifecycle as the dependency scanning tool, and showing possible integration examples. Vulnerabilities in open-source software It is a fact that 80-90% of modern applications are&#8230; <a class=\"more-link\" href=\"https:\/\/www.codemotion.com\/magazine\/it\/devops-it\/componenti-oss-vulnerabili-no-grazie\/\">Read more<\/a><\/p>\n","protected":false},"author":236,"featured_media":21119,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_editorskit_title_hidden":false,"_editorskit_reading_time":0,"_editorskit_is_block_options_detached":false,"_editorskit_block_options_position":"{}","_uag_custom_page_level_css":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[10287],"tags":[],"collections":[11708],"class_list":{"0":"post-25810","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-devops-it","8":"collections-dalla-community","9":"entry"},"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v26.9 (Yoast SEO v27.5) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Vulnerable OSS components? No thanks! 
- Codemotion Magazine<\/title>\n<meta name=\"description\" content=\"Introduzione al concetto di SCA e Software Bills of Materials, con esempi di configurazione per dependency scanning.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.codemotion.com\/magazine\/it\/devops-it\/componenti-oss-vulnerabili-no-grazie\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Componenti OSS vulnerabili? No grazie!\" \/>\n<meta property=\"og:description\" content=\"Introduzione al concetto di SCA e Software Bills of Materials, con esempi di configurazione per dependency scanning.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.codemotion.com\/magazine\/it\/devops-it\/componenti-oss-vulnerabili-no-grazie\/\" \/>\n<meta property=\"og:site_name\" content=\"Codemotion Magazine\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Codemotion.Italy\/\" \/>\n<meta property=\"article:published_time\" content=\"2024-03-04T16:08:51+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-03-04T16:08:52+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock-1388056729.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"800\" \/>\n\t<meta property=\"og:image:height\" content=\"436\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"gflace\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@CodemotionIT\" \/>\n<meta name=\"twitter:site\" content=\"@CodemotionIT\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"gflace\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/it\\\/devops-it\\\/componenti-oss-vulnerabili-no-grazie\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/it\\\/devops-it\\\/componenti-oss-vulnerabili-no-grazie\\\/\"},\"author\":{\"name\":\"gflace\",\"@id\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/#\\\/schema\\\/person\\\/0b4e0b1079f3fe56e215676f59c71a30\"},\"headline\":\"Componenti OSS vulnerabili? No grazie!\",\"datePublished\":\"2024-03-04T16:08:51+00:00\",\"dateModified\":\"2024-03-04T16:08:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/it\\\/devops-it\\\/componenti-oss-vulnerabili-no-grazie\\\/\"},\"wordCount\":1698,\"publisher\":{\"@id\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/it\\\/devops-it\\\/componenti-oss-vulnerabili-no-grazie\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/wp-content\\\/uploads\\\/2023\\\/06\\\/iStock-1388056729.jpg\",\"articleSection\":[\"DevOps\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/it\\\/devops-it\\\/componenti-oss-vulnerabili-no-grazie\\\/\",\"url\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/it\\\/devops-it\\\/componenti-oss-vulnerabili-no-grazie\\\/\",\"name\":\"Componenti OSS vulnerabili? No grazie! 
- Codemotion Magazine\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/it\\\/devops-it\\\/componenti-oss-vulnerabili-no-grazie\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/it\\\/devops-it\\\/componenti-oss-vulnerabili-no-grazie\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/wp-content\\\/uploads\\\/2023\\\/06\\\/iStock-1388056729.jpg\",\"datePublished\":\"2024-03-04T16:08:51+00:00\",\"dateModified\":\"2024-03-04T16:08:52+00:00\",\"description\":\"Introduzione al concetto di SCA e Software Bills of Materials, con esempi di configurazione per dependency scanning.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/it\\\/devops-it\\\/componenti-oss-vulnerabili-no-grazie\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/it\\\/devops-it\\\/componenti-oss-vulnerabili-no-grazie\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/it\\\/devops-it\\\/componenti-oss-vulnerabili-no-grazie\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/wp-content\\\/uploads\\\/2023\\\/06\\\/iStock-1388056729.jpg\",\"contentUrl\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/wp-content\\\/uploads\\\/2023\\\/06\\\/iStock-1388056729.jpg\",\"width\":800,\"height\":436,\"caption\":\"Payment Approved, online card Payment concept. Online invoice payment, electronic invoice. Smartphone device with receipt. Digital pay service or bank concept. 
Security transaction via credit card.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/it\\\/devops-it\\\/componenti-oss-vulnerabili-no-grazie\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"DevOps\",\"item\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/it\\\/devops-it\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Componenti OSS vulnerabili? No grazie!\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/#website\",\"url\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/\",\"name\":\"Codemotion Magazine\",\"description\":\"We code the future. Together\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/#organization\",\"name\":\"Codemotion\",\"url\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/wp-content\\\/uploads\\\/2019\\\/11\\\/codemotionlogo.png\",\"contentUrl\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/wp-content\\\/uploads\\\/2019\\\/11\\\/codemotionlogo.png\",\"width\":225,\"height\":225,\"caption\":\"Codemotion\"},\"image\":{\"@id\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\
\\/www.facebook.com\\\/Codemotion.Italy\\\/\",\"https:\\\/\\\/x.com\\\/CodemotionIT\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/#\\\/schema\\\/person\\\/0b4e0b1079f3fe56e215676f59c71a30\",\"name\":\"gflace\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/59cd0f70-aeec-11ee-998a-b778bc9d7fff-100x100.png\",\"url\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/59cd0f70-aeec-11ee-998a-b778bc9d7fff-100x100.png\",\"contentUrl\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/59cd0f70-aeec-11ee-998a-b778bc9d7fff-100x100.png\",\"caption\":\"gflace\"},\"description\":\"I am an IT enthusiast with a particular love for the world of DevOps and MLOps. Through innovative tools and advanced practices, I seek to create synergy between software development and release in a production environment. Let's automate, deploy, and iterate! \ud83d\ude80 #DevOps #DevSecOps #MLOps #TechEnthusiast\",\"sameAs\":[\"https:\\\/\\\/www.profesia.it\\\/\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/giampaolo-flace-3ab817175\\\/\"],\"url\":\"https:\\\/\\\/www.codemotion.com\\\/magazine\\\/author\\\/gflace\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Componenti OSS vulnerabili? No grazie! - Codemotion Magazine","description":"Introduzione al concetto di SCA e Software Bills of Materials, con esempi di configurazione per dependency scanning.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.codemotion.com\/magazine\/it\/devops-it\/componenti-oss-vulnerabili-no-grazie\/","og_locale":"en_US","og_type":"article","og_title":"Componenti OSS vulnerabili? 
No grazie!","og_description":"Introduzione al concetto di SCA e Software Bills of Materials, con esempi di configurazione per dependency scanning.","og_url":"https:\/\/www.codemotion.com\/magazine\/it\/devops-it\/componenti-oss-vulnerabili-no-grazie\/","og_site_name":"Codemotion Magazine","article_publisher":"https:\/\/www.facebook.com\/Codemotion.Italy\/","article_published_time":"2024-03-04T16:08:51+00:00","article_modified_time":"2024-03-04T16:08:52+00:00","og_image":[{"width":800,"height":436,"url":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock-1388056729.jpg","type":"image\/jpeg"}],"author":"gflace","twitter_card":"summary_large_image","twitter_creator":"@CodemotionIT","twitter_site":"@CodemotionIT","twitter_misc":{"Written by":"gflace","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.codemotion.com\/magazine\/it\/devops-it\/componenti-oss-vulnerabili-no-grazie\/#article","isPartOf":{"@id":"https:\/\/www.codemotion.com\/magazine\/it\/devops-it\/componenti-oss-vulnerabili-no-grazie\/"},"author":{"name":"gflace","@id":"https:\/\/www.codemotion.com\/magazine\/#\/schema\/person\/0b4e0b1079f3fe56e215676f59c71a30"},"headline":"Componenti OSS vulnerabili? 
No grazie!","datePublished":"2024-03-04T16:08:51+00:00","dateModified":"2024-03-04T16:08:52+00:00","mainEntityOfPage":{"@id":"https:\/\/www.codemotion.com\/magazine\/it\/devops-it\/componenti-oss-vulnerabili-no-grazie\/"},"wordCount":1698,"publisher":{"@id":"https:\/\/www.codemotion.com\/magazine\/#organization"},"image":{"@id":"https:\/\/www.codemotion.com\/magazine\/it\/devops-it\/componenti-oss-vulnerabili-no-grazie\/#primaryimage"},"thumbnailUrl":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock-1388056729.jpg","articleSection":["DevOps"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.codemotion.com\/magazine\/it\/devops-it\/componenti-oss-vulnerabili-no-grazie\/","url":"https:\/\/www.codemotion.com\/magazine\/it\/devops-it\/componenti-oss-vulnerabili-no-grazie\/","name":"Componenti OSS vulnerabili? No grazie! - Codemotion Magazine","isPartOf":{"@id":"https:\/\/www.codemotion.com\/magazine\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.codemotion.com\/magazine\/it\/devops-it\/componenti-oss-vulnerabili-no-grazie\/#primaryimage"},"image":{"@id":"https:\/\/www.codemotion.com\/magazine\/it\/devops-it\/componenti-oss-vulnerabili-no-grazie\/#primaryimage"},"thumbnailUrl":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock-1388056729.jpg","datePublished":"2024-03-04T16:08:51+00:00","dateModified":"2024-03-04T16:08:52+00:00","description":"Introduzione al concetto di SCA e Software Bills of Materials, con esempi di configurazione per dependency 
scanning.","breadcrumb":{"@id":"https:\/\/www.codemotion.com\/magazine\/it\/devops-it\/componenti-oss-vulnerabili-no-grazie\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.codemotion.com\/magazine\/it\/devops-it\/componenti-oss-vulnerabili-no-grazie\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.codemotion.com\/magazine\/it\/devops-it\/componenti-oss-vulnerabili-no-grazie\/#primaryimage","url":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock-1388056729.jpg","contentUrl":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock-1388056729.jpg","width":800,"height":436,"caption":"Payment Approved, online card Payment concept. Online invoice payment, electronic invoice. Smartphone device with receipt. Digital pay service or bank concept. Security transaction via credit card."},{"@type":"BreadcrumbList","@id":"https:\/\/www.codemotion.com\/magazine\/it\/devops-it\/componenti-oss-vulnerabili-no-grazie\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.codemotion.com\/magazine\/"},{"@type":"ListItem","position":2,"name":"DevOps","item":"https:\/\/www.codemotion.com\/magazine\/it\/devops-it\/"},{"@type":"ListItem","position":3,"name":"Componenti OSS vulnerabili? No grazie!"}]},{"@type":"WebSite","@id":"https:\/\/www.codemotion.com\/magazine\/#website","url":"https:\/\/www.codemotion.com\/magazine\/","name":"Codemotion Magazine","description":"We code the future. 
Together","publisher":{"@id":"https:\/\/www.codemotion.com\/magazine\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.codemotion.com\/magazine\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.codemotion.com\/magazine\/#organization","name":"Codemotion","url":"https:\/\/www.codemotion.com\/magazine\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.codemotion.com\/magazine\/#\/schema\/logo\/image\/","url":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2019\/11\/codemotionlogo.png","contentUrl":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2019\/11\/codemotionlogo.png","width":225,"height":225,"caption":"Codemotion"},"image":{"@id":"https:\/\/www.codemotion.com\/magazine\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Codemotion.Italy\/","https:\/\/x.com\/CodemotionIT"]},{"@type":"Person","@id":"https:\/\/www.codemotion.com\/magazine\/#\/schema\/person\/0b4e0b1079f3fe56e215676f59c71a30","name":"gflace","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2024\/01\/59cd0f70-aeec-11ee-998a-b778bc9d7fff-100x100.png","url":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2024\/01\/59cd0f70-aeec-11ee-998a-b778bc9d7fff-100x100.png","contentUrl":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2024\/01\/59cd0f70-aeec-11ee-998a-b778bc9d7fff-100x100.png","caption":"gflace"},"description":"I am an IT enthusiast with a particular love for the world of DevOps and MLOps. Through innovative tools and advanced practices, I seek to create synergy between software development and release in a production environment. Let's automate, deploy, and iterate! 
\ud83d\ude80 #DevOps #DevSecOps #MLOps #TechEnthusiast","sameAs":["https:\/\/www.profesia.it\/","https:\/\/www.linkedin.com\/in\/giampaolo-flace-3ab817175\/"],"url":"https:\/\/www.codemotion.com\/magazine\/author\/gflace\/"}]}},"featured_image_src":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock-1388056729-600x400.jpg","featured_image_src_square":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock-1388056729-600x436.jpg","author_info":{"display_name":"gflace","author_link":"https:\/\/www.codemotion.com\/magazine\/author\/gflace\/"},"uagb_featured_image_src":{"full":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock-1388056729.jpg",800,436,false],"thumbnail":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock-1388056729-150x150.jpg",150,150,true],"medium":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock-1388056729-300x164.jpg",300,164,true],"medium_large":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock-1388056729-768x419.jpg",768,419,true],"large":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock-1388056729.jpg",800,436,false],"1536x1536":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock-1388056729.jpg",800,436,false],"2048x2048":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock-1388056729.jpg",800,436,false],"small-home-featured":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock-1388056729.jpg",100,55,false],"sidebar-featured":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock-1388056729-180x128.jpg",180,128,true],"genesis-singular-images":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock-1388056729.jpg",800,436,false],"archive-featured":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock
-1388056729-400x225.jpg",400,225,true],"gb-block-post-grid-landscape":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock-1388056729-600x400.jpg",600,400,true],"gb-block-post-grid-square":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2023\/06\/iStock-1388056729-600x436.jpg",600,436,true]},"uagb_author_info":{"display_name":"gflace","author_link":"https:\/\/www.codemotion.com\/magazine\/author\/gflace\/"},"uagb_comment_info":0,"uagb_excerpt":"In questo articolo introdurr\u00f2 il concetto di Software Composition Analysis (SCA), spiegando come applicarlo all\u2019interno del ciclo di vita del software, utilizzando in questo caso Sonatype Nexus IQ Lifecycle come tool di dependency scanning, e mostrando possibili esempi di integrazione. Vulnerabilit\u00e0 su software open-source \u00c8 un dato di fatto che l\u201980-90% delle applicazioni moderne \u00e8&#8230;&hellip;","lang":"it","_links":{"self":[{"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/posts\/25810","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/users\/236"}],"replies":[{"embeddable":true,"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/comments?post=25810"}],"version-history":[{"count":2,"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/posts\/25810\/revisions"}],"predecessor-version":[{"id":26266,"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/posts\/25810\/revisions\/26266"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/media\/21119"}],"wp:attachment":[{"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/media?parent=25810"}],"wp:term":[{"taxonomy":"category","embeddable":
true,"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/categories?post=25810"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/tags?post=25810"},{"taxonomy":"collections","embeddable":true,"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/collections?post=25810"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}