JFrog XRay vulnerability analysis - how to find suggested upgrade path - maven

I am working with JFrog XRay, which has scanned our Artifactory and identified a vulnerability in a third party library which is a dependency of my application.
From the component scan, I click on the CVE number and get this information
**Details**
Summary [CVE-XXX-YYY] Improper Input Validation
Type Security
Severity Critical
....
Infected Component __internal component__
Source Version 1.2.3
However there is no suggested "resolution". For example, "upgrade to 1.2.4" or "upgrade to 2.0.1".
Ideally I don't want to have to install all versions of this component and scan them individually.
And in this case the "References" links are not so helpful.
Any advice on the proper workflow to find a safe upgrade to a vulnerable component identified in JFrog Xray would be most helpful here.

The fix version is not always available when a new vulnerability is reported in the NVD; that's why JFrog Xray does not always show it. In case the fix version is not available, the options are:
if the vulnerable software versions have a range, e.g. (1.2,1.5], then the fixed version can be any version before 1.2 (inclusive) or any version after 1.5
if the vulnerable software versions have an open range above, e.g. (1.2,), then the fixed version can be any version before 1.2, inclusive
if the vulnerable software versions have an open range below, e.g. (,1.2), then the fixed version can be any version after 1.2, inclusive
Note: the best will be to look for the 'fix version' field, where it specifies exactly the version that fixes the problem;
if it's not specified, the above can give guidance to some level.
JFrog Xray will report 'fix version' only if the information is available on the source (where the vulnerability was reported).
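The three range cases from the answer above can be turned into a small check that filters an artifact's published release list down to the versions outside the vulnerable range, and picks the lowest upgrade. This is an added example, not code from the original answer or from JFrog Xray; the bracket notation follows Maven/NVD interval syntax as quoted in the answer, the release list is constructed for illustration (in practice it would come from the repository's maven-metadata.xml), and the version comparison is numeric only, so pre-release qualifiers such as -SNAPSHOT are ignored, which is a simplification of real Maven version ordering.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

Version = Tuple[int, ...]

# Matches "(1.2,1.5]", "(1.2,)" and "(,1.2)": bracket, lower bound, upper bound, bracket.
_RANGE = re.compile(r"^\s*([\[(])([^,\])]*),([^,\])]*)([\])])\s*$")


def parse_version(text: str) -> Version:
    """Turn '1.2.3' into (1, 2, 3). Trailing zeros are dropped so 1.2 == 1.2.0.
    Non-numeric qualifiers (e.g. '-SNAPSHOT', '.RELEASE') are ignored (simplification)."""
    parts = [int(p) for p in re.split(r"[.\-]", text.strip()) if p.isdigit()]
    if not parts:
        raise ValueError(f"not a version: {text!r}")
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class VulnerableRange:
    lower: Optional[Version]      # None means open below, e.g. "(,1.2)"
    lower_inclusive: bool         # "[" includes the bound, "(" excludes it
    upper: Optional[Version]      # None means open above, e.g. "(1.2,)"
    upper_inclusive: bool         # "]" includes the bound, ")" excludes it

    @classmethod
    def parse(cls, text: str) -> "VulnerableRange":
        m = _RANGE.match(text)
        if m is None:
            # A bare version such as "1.2.3" is treated as exactly that one version.
            v = parse_version(text)
            return cls(v, True, v, True)
        lo_br, lo, hi, hi_br = m.groups()
        lo, hi = lo.strip(), hi.strip()
        return cls(
            lower=parse_version(lo) if lo else None,
            lower_inclusive=(lo_br == "["),
            upper=parse_version(hi) if hi else None,
            upper_inclusive=(hi_br == "]"),
        )

    def contains(self, version: str) -> bool:
        """True if `version` falls inside the vulnerable interval."""
        v = parse_version(version)
        if self.lower is not None:
            if v < self.lower or (v == self.lower and not self.lower_inclusive):
                return False
        if self.upper is not None:
            if v > self.upper or (v == self.upper and not self.upper_inclusive):
                return False
        return True


def classify(current: str, vulnerable: Sequence[str],
             candidates: Sequence[str]) -> Dict[str, List[str]]:
    """Split the published versions that lie outside every vulnerable range into
    upgrades (newer than `current`) and downgrades (older), each sorted ascending.
    Several ranges are treated as a union: a version is safe only if none contains it."""
    ranges = [VulnerableRange.parse(r) for r in vulnerable]
    cur = parse_version(current)
    safe = sorted((c for c in candidates if not any(r.contains(c) for r in ranges)),
                  key=parse_version)
    return {
        "upgrades": [c for c in safe if parse_version(c) > cur],
        "downgrades": [c for c in safe if parse_version(c) < cur],
    }


def suggest_upgrade(current: str, vulnerable: Sequence[str],
                    candidates: Sequence[str]) -> Optional[str]:
    """Lowest published version above `current` that is outside the vulnerable range,
    or None when only downgrades (or nothing) would take you out of the range."""
    upgrades = classify(current, vulnerable, candidates)["upgrades"]
    return upgrades[0] if upgrades else None


# Constructed release list standing in for the <versions> of a maven-metadata.xml.
CANDIDATES = ["1.1.0", "1.2", "1.2.3", "1.3.0", "1.5", "1.5.1", "2.0.0"]

if __name__ == "__main__":
    # The three cases from the answer, evaluated for a project currently on 1.2.3.
    for spec in ("(1.2,1.5]", "(1.2,)", "(,1.2)"):
        print(spec, classify("1.2.3", [spec], CANDIDATES),
              "suggested upgrade:", suggest_upgrade("1.2.3", [spec], CANDIDATES))
```

For the open-above case (1.2,) the function returns no upgrade at all, which is the practical point of that case: until the vendor publishes a fixed release, the only way out of the range is downgrading to 1.2 or earlier (or replacing the dependency). Candidates that come back as safe still deserve a rescan, since the range describes one CVE, not every issue in the component.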

Related

In the SonarQube Marketplace, what does it mean for a plugin to be incompatible?

I just upgraded from SonarQube 6.1 to 6.7.7. For SonarJava, it automatically installed 4.15.0.12310 (it was 4.10.0.10260 before). In the Marketplace, when I hover over the available versions from 5.0-5.13, it says “Incompatible”. When I hover over 5.13.1+, it says “Requires system update”. What does it mean for it to be incompatible if it doesn’t require a system update?
I am seeing this with various other plugins as well, such as SonarPython, which had 1.8 automatically installed. I had to manually install 1.9.1 in order to get this bug fix (which is why I originally upgraded the server): https://community.sonarsource.com/t/python-s1481-code-smell-unused-local-variables-should-be-removed-false-positive-with-string-interpolation/8961
I could manually install newer versions of other plugins as well, but I don’t know if that’s safe.
I also can’t find an official plugin compatibility matrix, since this only shows 7.9+: https://docs.sonarqube.org/latest/instance-administration/plugin-version-matrix/
Incompatible means that the plugin does not work with the version of SonarQube you have installed.
An example of an incompatible plugin would be one where the plugin relied on an API that was removed in your current SonarQube version. You may be able to use that version of the plugin if you downgraded your SonarQube instance to a previous version.
Requires system update means you need to upgrade SonarQube in order to install the plugin.
For what it's worth, the states as described by the API documentation are:
Update status values are:
COMPATIBLE: plugin is compatible with current SonarQube instance.
INCOMPATIBLE: plugin is not compatible with current SonarQube instance.
REQUIRES_SYSTEM_UPGRADE: plugin requires SonarQube to be upgraded before being installed.
DEPS_REQUIRE_SYSTEM_UPGRADE: at least one plugin on which the plugin is dependent requires SonarQube to be upgraded.

Make Sonarqube 6.7.5 Community version comment on pull requests

I'm trying to update Sonarqube usage to the latest LTS Community version, which at present is version 6.7.5. Prior to the upgrade I have been using sonarqube 5.4 and the Github plugin, and with these when we make Github pull requests the Sonarqube analysis runs in "preview" scan mode and makes comments on the pull request for any issues the scan finds. This setup is largely following this pattern.
However, with the upgrade to 6.7.5 this same flow is no longer working. The Github plugin
"is deprecated, and its functionality more than replaced by the
Developer Edition."
I understand that the Developer version of Sonarqube has pull request commenting built-in, but I have a strong preference to continue using the Community version due to the cost differences. Essentially, something that was once free and part of the open source version seems to have been removed or broken in the latest free and open source version because a similar paid option now exists. So I am trying to find a way to preserve the previous Community version usage with the latest Community Sonarqube version. The 6.7.5 Community version runs the Github plugin (even though the plugin is deprecated), but so far I have been unable to get things to make comments on the Github pull requests.
Is there a combination of parameters/plugins that will allow my 6.7.5 Community version of Sonarqube to analyze and make comments on a Github pull request?
These may be relevant:
https://community.sonarsource.com/t/after-upgrade-to-sq-6-7-5-target-sonar-issues-report-issues-report-light-html-is-not-produced/1921
https://jira.sonarsource.com/browse/SONAR-9770
https://community.sonarsource.com/t/preview-mode-ignored/1234
I believe in my case the issue was that after upgrading the rule sets changed, so the rules I initially thought were being used with 6.7.5 were not in fact being applied. This gave the impression that Sonarqube was not commenting on the pull request and led to my question. But after enabling the rules appropriately I was able to see it comment on GitHub pull requests as expected. So this appears to be a case of user error!

How to reproduce owasp dependency-check example of dependency report

I want to check if my project dependencies have any updates.
I've used
versions:dependency-updates-report
But I have some performance problems with it which I was unable to solve. Now I'm trying to use
org.owasp.dependency-check-maven:check
But I could not reproduce their example:
I'm getting a similar look but I can't get the 4 last columns (Next Version, Next Incremental, Next Minor, Next Major), which are the most important for me.
How to reproduce this example?
(full disclosure - I am the founder of meterian)
You may want to consider a commercial product like sourceclear, snyk or meterian.
The meterian client is very easy to use, you can quickly check any maven or gradle project with no changes to the code: get the client, cd into the project folder, run it, see the results.
It's free for open source projects, badges are available for GitHub, and at the moment commercial use is not charged.
Hope this helps.
You will not reproduce the given report with org.owasp.dependency-check-maven because the shown report is created with versions-maven-plugin.
These are two different plugins.
org.owasp.dependency-check-maven is for finding vulnerabilities according to the NVD in dependencies, whereas versions-maven-plugin is for checking for newer versions, independent of vulnerabilities.

Status of package / file design feature

I liked the package design (later renamed to file design) feature in SonarQube to detect cycles inside my application. See this old blog post:
http://www.sonarqube.org/fight-back-design-erosion-by-breaking-cycles-with-sonar/
In the recent 6.0 version of SonarQube I can't find this anymore, there is a design plugin but that only seems to be supported until version 4.5.6. Am I overlooking something or is the file design feature just gone?
Design-related services were dropped in version 5.2.

Is the dependency matrix (package design widget) removed from sonarqube?

After a while I installed sonarqube 5.6 today and wondered where the dependency matrix feature is.
I found this SO question, but it is about sonarqube 4.5.
I also searched the update center to see if I must install an additional plugin now, but I had no success.
Does anyone know how to get the package design widget back?
I just found the answer. Sadly the package design widget is not available anymore.
Since sonarqube 5.2...
All design-related features were dropped
See http://www.sonarqube.org/sonarqube-5-2-in-screenshots/ section Also worth noting
All design-related features were dropped in this version (see SONAR-6553 for details), including Package Tangle Index and related metrics.
