Scanning Code for Vulnerabilities

The Application Dependency Management (ADM) service provides you with an integrated vulnerability knowledge base that you can use from the Oracle Cloud Infrastructure (OCI) DevOps build pipelines to detect vulnerabilities in the packages used for the build.

The ADM service scans software packages and rates findings with the Common Vulnerability Scoring System (CVSS), an open framework for communicating the characteristics and severity of software vulnerabilities. For each dependency, a low CVSS score (for example 0.1) indicates a less severe vulnerability, whereas a high CVSS score (for example 10.0) indicates a high or critical vulnerability. When scanning a code repository with multiple dependencies, ADM also provides aggregated values such as maxObservedCvssV2Score and maxObservedCvssV3Score, the highest scores observed across all scanned dependencies.

Note

ADM supports scanning only Maven packages.

If you have custom Maven repositories, then OCI DevOps supports configuring them in the pom.xml file. A Project Object Model (POM) is an XML file that contains configuration details used by Maven to build the project. For configuring Maven repositories, see Setting up Multiple Repositories.

Vulnerability Audit Process

A vulnerability audit describes the vulnerabilities of your application and its dependencies. When you run a build using the OCI DevOps service, you can initiate a code scan for a new commit to the code repository. The vulnerability audit happens in the Managed Build stage.

The DevOps build pipeline uses a build specification file that contains the build steps and settings used to run a build. To request a code scan, add a vulnerability audit step of type VulnerabilityAudit to the build spec file. Example:

steps:
  - type: VulnerabilityAudit
    name: "Vulnerability Audit Step"
    configuration:
      buildType: maven
      pomFilePath: ${OCI_PRIMARY_SOURCE_DIR}/pom.xml
      packagesToIgnore:
        - com.oracle.*
        - org.apache.logging
      maxPermissibleCvssV2Score: 10.0
      maxPermissibleCvssV3Score: 10.0
    knowledgeBaseId: ocid1.admknowledgebase.oc1.iad.restoftheocid
    vulnerabilityAuditCompartmentId: ocid1.compartment.oc1..restoftheocid
    vulnerabilityAuditName: testReport

If vulnerabilities are found, then the build fails and a vulnerability audit summary is available to review the error. An audit summary is available even if no vulnerabilities are found. You can also view a detailed vulnerability audit report. For more information, see Getting Started with Application Dependency Management.
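The following is an added example, not Oracle's or the ADM service's own code, that models the gate the VulnerabilityAudit step above configures: dependencies matched by packagesToIgnore are dropped, the worst CVSS v2 and v3 scores across the remaining dependencies are aggregated (the values the page calls maxObservedCvssV2Score and maxObservedCvssV3Score), and the build is treated as failed if either aggregate exceeds its maxPermissibleCvss limit. The pass/fail rule, the rule that an ignore pattern also matches a leading dot-separated prefix of a Maven group ID, the Python dictionary standing in for the YAML configuration block, and the dependency inventory with its scores are all constructed for illustration and are not ADM's documented behaviour.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


@dataclass
class Dependency:
    """One resolved Maven dependency with the worst CVSS scores known for it."""
    gav: str                    # Maven coordinate group:artifact:version
    cvss_v2: Optional[float]    # None when no known vulnerability
    cvss_v3: Optional[float]


# Constructed sample inventory: coordinates and scores are made up for illustration.
SAMPLE_DEPENDENCIES: List[Dependency] = [
    Dependency("org.apache.logging.example:logger:1.0", 9.3, 10.0),
    Dependency("com.example.json:databind:2.9", 7.5, 9.8),
    Dependency("com.oracle.example:driver:21.1", 6.8, 8.1),
    Dependency("com.example.text:text-utils:1.9", 7.5, 9.8),
    Dependency("com.example.util:collections:4.4", None, None),
]

# Mirrors the configuration block of the VulnerabilityAudit step (assumed mapping).
STEP_CONFIGURATION: Dict[str, object] = {
    "buildType": "maven",
    "packagesToIgnore": ["com.oracle.*", "org.apache.logging"],
    "maxPermissibleCvssV2Score": 10.0,
    "maxPermissibleCvssV3Score": 10.0,
}


def is_ignored(gav: str, patterns: List[str]) -> bool:
    """Assumed matching rule: a pattern matches the Maven group ID exactly
    (with '*' as a wildcard) or matches a leading dot-separated prefix of it,
    so 'org.apache.logging' also covers 'org.apache.logging.example'."""
    group = gav.split(":", 1)[0]
    return any(fnmatchcase(group, p) or fnmatchcase(group, p + ".*") for p in patterns)


def audit(dependencies: List[Dependency], configuration: Dict[str, object]) -> Dict[str, object]:
    """Aggregate the worst observed scores over non-ignored dependencies and apply
    the assumed gate: the build passes only if neither aggregate exceeds its limit."""
    patterns = list(configuration.get("packagesToIgnore", []))
    ignored = [d.gav for d in dependencies if is_ignored(d.gav, patterns)]
    considered = [d for d in dependencies if d.gav not in ignored]

    max_v2 = max((d.cvss_v2 for d in considered if d.cvss_v2 is not None), default=0.0)
    max_v3 = max((d.cvss_v3 for d in considered if d.cvss_v3 is not None), default=0.0)
    limit_v2 = float(configuration["maxPermissibleCvssV2Score"])
    limit_v3 = float(configuration["maxPermissibleCvssV3Score"])

    # Non-ignored dependencies with any known vulnerability: what a summary would list.
    vulnerable = [d.gav for d in considered if d.cvss_v2 is not None or d.cvss_v3 is not None]

    return {
        "maxObservedCvssV2Score": max_v2,
        "maxObservedCvssV3Score": max_v3,
        "vulnerableDependencies": vulnerable,
        "ignoredDependencies": ignored,
        "passed": max_v2 <= limit_v2 and max_v3 <= limit_v3,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_DEPENDENCIES, STEP_CONFIGURATION))
    # A stricter CVSS v3 ceiling turns the same inventory into a failed build.
    strict = dict(STEP_CONFIGURATION, maxPermissibleCvssV3Score=7.0)
    print(audit(SAMPLE_DEPENDENCIES, strict)["passed"])
```

With both limits at 10.0, as in the build spec above, no aggregate can exceed its ceiling, so the limits only bite once they are lowered; the second call shows the same inventory failing under a v3 ceiling of 7.0. The ignored list is returned alongside the result so that reviewers of an audit summary can see which packages the ignore patterns removed from the gate.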

Required IAM Policy

Each service in Oracle Cloud Infrastructure (OCI) integrates with Identity and Access Management (IAM) for authentication and authorization. To grant users permission to access the DevOps build pipelines and other resources, you have to create dynamic groups and IAM policies. For creating dynamic groups and policies for build pipelines, see Build Pipeline Policies.

Build pipelines need access to ADM resources such as the knowledge base, which requires specific IAM policies. See Policies for Accessing ADM Resources. For more details, see DevOps IAM Policies.