Scanning Code for Vulnerabilities
The Application Dependency Management (ADM) service provides you with an integrated vulnerability knowledge base that you can use from the Oracle Cloud Infrastructure (OCI) DevOps build pipelines to detect vulnerabilities in the packages used for the build.
The ADM service scans software packages and reports findings using the Common Vulnerability Scoring System (CVSS), an open framework for communicating the characteristics and severity of software vulnerabilities. For each dependency, a low CVSS score (for example 0.1) indicates a less severe vulnerability, whereas a high CVSS score (for example 10.0) indicates a high or critical vulnerability (under CVSS v3.x, 7.0 to 8.9 is rated High and 9.0 to 10.0 Critical). When scanning a code repository with multiple dependencies, ADM also provides aggregated values, maxObservedCvssV2Score and maxObservedCvssV3Score, which are the highest CVSS v2 and v3 scores observed across all scanned dependencies.
ADM supports scanning only Maven packages, that is, dependencies declared in a Maven project.
If you use custom Maven repositories, OCI DevOps supports configuring them in the pom.xml file. A Project Object Model (POM) is an XML file that contains the configuration details Maven uses to build the project. For configuring Maven repositories, see Setting up Multiple Repositories.
Vulnerability Audit Process
A vulnerability audit describes the vulnerabilities of your application and its dependencies. When you run a build using the OCI DevOps service, you can initiate a code scan for a new commit to the code repository. The vulnerability audit happens in the Managed Build stage.
A step of type VulnerabilityAudit is added to the build specification file to instruct the Managed Build stage to run the scan. Example:
steps:
  - type: VulnerabilityAudit
    name: "Vulnerability Audit Step"
    configuration:
      buildType: maven
      # POM of the project whose dependency tree is audited
      pomFilePath: ${OCI_PRIMARY_SOURCE_DIR}/pom.xml
      # dependencies matching these patterns are excluded from the audit
      packagesToIgnore:
        - com.oracle.*
        - org.apache.logging
      # highest CVSS scores the build accepts; a finding above either fails the build
      maxPermissibleCvssV2Score: 10.0
      maxPermissibleCvssV3Score: 10.0
      knowledgeBaseId: ocid1.admknowledgebase.oc1.iad.restoftheocid
      vulnerabilityAuditCompartmentId: ocid1.compartment.oc1..restoftheocid
      vulnerabilityAuditName: testReport
If a vulnerability is found whose score exceeds maxPermissibleCvssV2Score or maxPermissibleCvssV3Score, the build fails and a vulnerability audit summary is available to review the error. Note that 10.0, as used in the example above, is the maximum possible CVSS score, so no finding can exceed it and the build never fails on vulnerabilities; set a lower value (for example 7.0) to block high and critical findings. An audit summary is available even if no vulnerabilities are found. You can also view a detailed vulnerability audit report. For more information, see Getting Started with Application Dependency Management.
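To make the interaction between packagesToIgnore, the maxPermissible thresholds and the aggregated maxObserved values concrete, the following is an added example that models the gate locally over a constructed dependency list. It is not ADM or OCI DevOps code, and the matching rule it applies to packagesToIgnore entries (glob against groupId and groupId:artifactId, plus a dotted-prefix match) is an assumption made for illustration; the vulnerability identifiers and scores are constructed, not real findings.

```python
"""Added example: a local model of the VulnerabilityAudit gate semantics.

Not ADM or OCI DevOps code. Models how packagesToIgnore,
maxPermissibleCvssV2Score/V3Score and the aggregated
maxObservedCvssV2Score/V3Score values interact, over constructed data.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


@dataclass
class Vulnerability:
    vuln_id: str                 # constructed identifier, not a real CVE
    cvss_v2: Optional[float]     # None when the knowledge base has no v2 score
    cvss_v3: Optional[float]


@dataclass
class Dependency:
    group_id: str
    artifact_id: str
    version: str
    vulnerabilities: List[Vulnerability] = field(default_factory=list)

    @property
    def gav(self) -> str:
        return f"{self.group_id}:{self.artifact_id}:{self.version}"


def severity_v3(score: float) -> str:
    """Qualitative CVSS v3.x band for a base score."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def is_ignored(dep: Dependency, patterns: List[str]) -> bool:
    """Assumed matching rule (example only): an entry is a glob matched
    against groupId and against groupId:artifactId; a plain entry also
    covers any groupId beneath it (org.apache.logging -> org.apache.logging.log4j)."""
    ga = f"{dep.group_id}:{dep.artifact_id}"
    for pat in patterns:
        if fnmatchcase(dep.group_id, pat) or fnmatchcase(ga, pat):
            return True
        if dep.group_id.startswith(pat + "."):
            return True
    return False


def audit(deps: List[Dependency], packages_to_ignore: List[str],
          max_permissible_v2: float, max_permissible_v3: float) -> Dict:
    """Aggregate scores over non-ignored dependencies and apply the gate.
    A finding fails the build only if it exceeds (not equals) a threshold."""
    considered = [d for d in deps if not is_ignored(d, packages_to_ignore)]
    v2_scores = [v.cvss_v2 for d in considered for v in d.vulnerabilities if v.cvss_v2 is not None]
    v3_scores = [v.cvss_v3 for d in considered for v in d.vulnerabilities if v.cvss_v3 is not None]
    offending = []
    for d in considered:
        for v in d.vulnerabilities:
            if (v.cvss_v2 or 0.0) > max_permissible_v2 or (v.cvss_v3 or 0.0) > max_permissible_v3:
                offending.append((d.gav, v.vuln_id))
    return {
        "maxObservedCvssV2Score": max(v2_scores, default=0.0),
        "maxObservedCvssV3Score": max(v3_scores, default=0.0),
        "vulnerableDependencies": [d.gav for d in considered if d.vulnerabilities],
        "ignoredDependencies": [d.gav for d in deps if is_ignored(d, packages_to_ignore)],
        "offending": offending,
        "buildPasses": not offending,
    }


# Constructed sample dependency tree (identifiers and scores are made up).
SAMPLE_DEPENDENCIES = [
    Dependency("org.example", "webapp-core", "1.0.0",
               [Vulnerability("VULN-EXAMPLE-1", 7.5, 9.8)]),
    Dependency("org.example", "util", "3.1.0",
               [Vulnerability("VULN-EXAMPLE-2", 4.3, 5.3)]),
    Dependency("org.example", "clean-lib", "2.0.0"),
    Dependency("com.oracle.sample", "internal-sdk", "1.2.0",
               [Vulnerability("VULN-EXAMPLE-3", 10.0, 10.0)]),
    Dependency("org.apache.logging.log4j", "log4j-core", "2.14.1",
               [Vulnerability("VULN-EXAMPLE-4", None, 10.0)]),
]
PACKAGES_TO_IGNORE = ["com.oracle.*", "org.apache.logging"]  # as in the build spec above


if __name__ == "__main__":
    for v2, v3 in ((10.0, 10.0), (7.0, 7.0)):
        result = audit(SAMPLE_DEPENDENCIES, PACKAGES_TO_IGNORE, v2, v3)
        print(f"thresholds v2<={v2} v3<={v3}: passes={result['buildPasses']}, "
              f"maxObserved v2={result['maxObservedCvssV2Score']} "
              f"v3={result['maxObservedCvssV3Score']} "
              f"({severity_v3(result['maxObservedCvssV3Score'])}), "
              f"offending={result['offending']}")
```

Running it shows the two regimes: with both thresholds at 10.0 the scan still reports maxObservedCvssV3Score 9.8 (Critical) on org.example:webapp-core, yet the build passes; with thresholds of 7.0 the same finding fails the build. The ignored com.oracle.* and org.apache.logging dependencies contribute nothing to the aggregates even though they carry 10.0 findings, which is why packagesToIgnore deserves the same review as the thresholds.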
Required IAM Policy
Each service in Oracle Cloud Infrastructure (OCI) integrates with Identity and Access Management (IAM) for authentication and authorization. To grant users permission to access the DevOps build pipelines and other resources, you have to create dynamic groups and IAM policies. For creating dynamic groups and policies for build pipelines, see Build Pipeline Policies.
Build pipelines also need access to ADM resources such as the knowledge base, which requires specific IAM policies. See Policies for Accessing ADM Resources. For more details, see DevOps IAM Policies.