I. Dependency
If you are running GitLab CI/CD, you can use Dependency Scanning to check your dependencies for known vulnerabilities, either by adding the CI job to your existing .gitlab-ci.yml or by relying on the automatic dependency scanning that Auto DevOps provides.
Dependency scanning references:
https://docs.gitlab.com/ee/user/project/merge_requests/dependency_scanning.html
https://docs.gitlab.com/ee/ci/examples/dependency_scanning.html
Here dependency-scanning is used in place of Dependency-Check; Dependency-Check itself is covered further down.
https://github.com/jeremylong/DependencyCheck
Supported languages and package managers
The following table shows which languages and package managers are supported and which tools are used.
Language (package manager)    Analyzer(s)
JavaScript (npm, yarn)        gemnasium, Retire.js
Python (pip)                  gemnasium
Ruby (gem)                    gemnasium, bundler-audit
Java (Maven)                  gemnasium
PHP (Composer)                gemnasium
Integrating with GitLab
# Dependency scanning
dependency-scanning:
  script:
    # Derive the analyzer image tag from the GitLab version, e.g. 11.8.1-ee -> 11-8-stable
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    # Mounting the runner's Docker socket hands the analyzer container full control of the
    # host Docker daemon; run this job only on runners you trust with that.
    - docker run --rm
        --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}"
        --volume "$PWD:/code"
        --volume /etc/localtime:/etc/localtime:ro
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
    - date
  artifacts:
    paths: [gl-dependency-scanning-report.json]
  # except:
  #   variables:
  #     - $CONTAINER_SCANNING_DISABLE
So with the image GitLab officially provides, the outcome was plain: the analyzer reported "Source code language/dependency manager is not yet supported for analyze", meaning this project's language or package manager is not in the supported list above, and the job yields no findings.
Running OWASP Dependency-Check instead produces several report files:
[gitlab-runner@linuxea-VM-Node_10_10_240_145 linuxea]$ ll OWASP-Dependency-Check/reports/
total 272
-rw-r--r-- 1 gitlab-runner gitlab-runner    223 Jul  1 21:09 dependency-check-report.csv
-rw-r--r-- 1 gitlab-runner gitlab-runner 139030 Jul  1 21:09 dependency-check-report.html
-rw-r--r-- 1 gitlab-runner gitlab-runner  12086 Jul  1 21:09 dependency-check-report.json
-rw-r--r-- 1 gitlab-runner gitlab-runner   8964 Jul  1 21:09 dependency-check-report.xml
-rw-r--r-- 1 gitlab-runner gitlab-runner 110002 Jul  1 21:09 dependency-check-vulnerability.html
[gitlab-runner@DS-VM-Node_10_10_240_145 linuxea]$
Download them to view; the .html reports are the ones meant for reading, while the .json, .xml and .csv outputs are for consumption by other tooling.
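Artifacts alone do not stop a bad build; a practitioner usually wants the pipeline to fail when the report contains findings above a severity threshold. The script below is an added example, not code from the original post or from the Dependency-Check project. It assumes the general shape of dependency-check-report.json (a top-level "dependencies" list whose entries may carry a "vulnerabilities" list with "name", "severity" and optional "cvssv3"/"cvssv2" score objects); the embedded sample report, its jar names and its CVE identifiers are constructed for illustration and are not real scan output.

```python
"""Fail a CI job when an OWASP Dependency-Check JSON report contains
findings at or above a CVSS threshold.

Added example (not the post's or the project's code). Report shape is an
assumption based on dependency-check-report.json; the sample below is
constructed, not real scan output.
"""
import json
import sys
from typing import List, Tuple

Finding = Tuple[str, str, float]  # (dependency file name, vulnerability id, CVSS score)

# Constructed sample report: fake jar names and placeholder CVE ids.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {
            "fileName": "example-parser-1.0.jar",
            "vulnerabilities": [
                {"name": "CVE-2000-0001", "severity": "HIGH",
                 "cvssv3": {"baseScore": 8.1}},
            ],
        },
        {
            "fileName": "example-util-2.6.jar",
            "vulnerabilities": [
                {"name": "CVE-2000-0002", "severity": "MEDIUM",
                 "cvssv2": {"score": 5.0}},  # older entry: only a v2 score
            ],
        },
        {"fileName": "example-clean-3.0.jar"},  # no "vulnerabilities" key at all
    ],
})


def score_of(vuln: dict) -> float:
    """Prefer the CVSS v3 base score, fall back to v2, then to 0.0 when
    the report carries no numeric score for the entry."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return 0.0


def findings(report: dict) -> List[Finding]:
    """Flatten every vulnerability in the report into (file, id, score)."""
    out: List[Finding] = []
    for dep in report.get("dependencies", []):
        # Dependencies without findings omit the key or set it to null.
        for vuln in dep.get("vulnerabilities") or []:
            out.append((dep.get("fileName", "?"), vuln.get("name", "?"), score_of(vuln)))
    return out


def gate(report_text: str, threshold: float = 7.0) -> Tuple[int, List[Finding]]:
    """Return (exit code, findings at or above threshold, highest score first).
    Exit code 1 means the build should fail."""
    report = json.loads(report_text)
    over = [f for f in findings(report) if f[2] >= threshold]
    over.sort(key=lambda f: f[2], reverse=True)
    return (1 if over else 0), over


def main(argv: List[str]) -> int:
    # usage: gate.py [path/to/dependency-check-report.json] [threshold]
    path = argv[1] if len(argv) > 1 else None
    threshold = float(argv[2]) if len(argv) > 2 else 7.0
    text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    code, over = gate(text, threshold)
    for file_name, vuln_id, score in over:
        print(f"{score:4.1f}  {vuln_id:<16} {file_name}")
    print(f"{len(over)} finding(s) at or above CVSS {threshold}; exit {code}")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after the scan as a job step, e.g. `python3 gate.py OWASP-Dependency-Check/reports/dependency-check-report.json 7.0`, and keep the reports as artifacts so a failed job still leaves the HTML behind for triage. Falling back from the v3 to the v2 score matters in practice: older NVD entries carry only a v2 score, and treating them as 0.0 would silently let them through.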
Unless otherwise noted, content on this site is licensed under the CC BY-NC-SA 4.0 International license.