SECURITY
Build a software analysis Gitlab pipeline
In the second part of our web application security series, Tim Armstrong takes us through the essentials of software composition analysis.
Part Two!
Missed part one of this series? Then turn to page 66
OUR EXPERT
Tim Armstrong is a former lead engineer turned developer advocate specialising in networking, software development and security. Find him on Twitter as @omatachyru.
QUICK TIP
For a refresher on setting up CI/CD pipelines in GitLab, check out the previous tutorial in this series, or head on over to https://blog.plaintextnerds.com where there’s a dedicated tutorial series on GitLab CI/CD.
Software developers the world over have a hard enough time maintaining and securing their own code, so it’s fairly common for the libraries and Docker base images used, especially in large projects, to be a few versions behind. When was the last time you actually audited 100 per cent of the code for all of the software used in any of your projects? Never, right? You don’t have time, you’re not an expert in every language, and by the time you were done you’d need to do it all again. Software composition analysis (SCA) tackles this from a different angle: rather than reading the code, it inventories the third-party components you depend on and checks each version against databases of known vulnerabilities, so you find out when a dependency needs updating without having to audit it yourself.
In this tutorial, you’ll learn how to use a number of SCA tools to protect your code by extending the CI/CD pipeline created in the first part of this series, where we learned about static analysis and setting up a pipeline in GitLab CI. You can get a copy of where we left off by forking the repository at https://gitlab.com/plaintextnerds/web-app-security-tutorial1-lxf279, but we highly recommend picking up a copy of the previous issue and following that first if you can.
SCA tools such as Snyk, WhiteSource, Gemnasium and Dependabot scan your dependencies and container images for versions with known vulnerabilities, and then either open a pull request (PR) that updates them for you or notify you of the issue. Each works in slightly different ways, draws on different vulnerability databases and presents its results differently, so finding the right one for you takes some exploration. Bear in mind that SCA can only flag published vulnerabilities: a clean report means none of your dependencies match a known advisory, not that they are free of bugs. To this end, this tutorial will be looking at Dependabot, which is open source, and Snyk, which is reasonably priced and offers a free tier for individuals and open source projects.
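To make concrete what these tools are actually doing under the hood, here is a stripped-down SCA check written for this tutorial. It is an added example, not code from the article, from Snyk or from Dependabot: it reads pinned `name==version` lines from a requirements.txt, compares each pin against an advisory database that records the version range each advisory affects, and reports the matches. The package names, advisory identifiers (EXAMPLE-000x) and the requirements file are all constructed for illustration and do not refer to real software or real vulnerabilities.

```python
"""Minimal illustration of how software composition analysis works:
inventory the declared dependencies, then match each pinned version
against advisories that carry an affected version range.

Added example for this tutorial, not the article's or any vendor's code.
All packages, advisory IDs and the requirements file are constructed.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """Turn '2.3.1' into a comparable tuple, padding to three components
    so that '1.2' and '1.2.0' compare equal.

    Only simple numeric versions are handled here; real SCA tools implement
    the full PEP 440 / semver rules (pre-releases, build metadata, epochs).
    """
    parts = [int(part) for part in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    """One advisory: versions >= introduced and < fixed are affected.
    fixed=None means no fixed release exists yet, so every later version
    is still affected."""
    ident: str
    package: str
    introduced: str
    fixed: Optional[str]
    summary: str

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        if self.fixed is not None and v >= parse_version(self.fixed):
            return False
        return True


def parse_requirements(text: str) -> dict:
    """Collect pinned 'name==version' entries from a requirements.txt body.

    Comments, blank lines and unpinned requirements are skipped. A real SCA
    tool would warn on unpinned entries, because without a lock file it
    cannot know which version will actually be installed in the build.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = (part.strip() for part in line.split("==", 1))
        pins[name.lower()] = version
    return pins


def scan(requirements: str, advisories: list) -> list:
    """Return (package, pinned version, advisory) for every advisory whose
    affected range contains the version pinned in the requirements."""
    findings = []
    pins = parse_requirements(requirements)
    for adv in advisories:
        version = pins.get(adv.package.lower())
        if version is not None and adv.affects(version):
            findings.append((adv.package, version, adv))
    return findings


# Constructed advisory database: placeholder IDs, hypothetical packages.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "examplelib", "2.0.0", "2.3.1",
             "path traversal in static file handler"),
    Advisory("EXAMPLE-0002", "examplelib", "1.0.0", "1.4.2",
             "header injection in redirect helper"),
    Advisory("EXAMPLE-0003", "fakeorm", "0.9.0", None,
             "SQL injection via ORDER BY parameter"),
    Advisory("EXAMPLE-0004", "toyjwt", "1.0.0", "1.1.0",
             "'none' algorithm accepted as a valid signature"),
]

# Constructed requirements.txt, as it might sit in the tutorial repository.
REQUIREMENTS = """\
# web app dependencies (constructed sample)
examplelib==2.2.0    # inside EXAMPLE-0001's range; past EXAMPLE-0002's fix
fakeorm==1.2.0       # EXAMPLE-0003 has no fixed release, so still affected
toyjwt==1.1.0        # exactly the fixed release, so clean
safelib==3.0.0       # no advisories at all
flask                # unpinned, skipped by this toy scanner
"""


if __name__ == "__main__":
    for package, version, adv in scan(REQUIREMENTS, ADVISORIES):
        fix = f"upgrade to >= {adv.fixed}" if adv.fixed else "no fix released"
        print(f"{adv.ident}: {package}=={version} - {adv.summary} ({fix})")
```

Run against the sample file this reports EXAMPLE-0001 and EXAMPLE-0003 and nothing else. The interesting part is the range logic: `toyjwt==1.1.0` is clean because the advisory's fixed version is exclusive, while `fakeorm` stays flagged at any version because no fix exists. That is exactly the distinction the hosted tools draw when they decide whether to open an upgrade PR or merely notify you, and it is why the quality of the underlying vulnerability database matters so much when choosing between them.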
Snyk it to them!
Snyk is a hosted solution, so to get started you’re going to need to create an account. You can do this by going to https://app.snyk.io/login and selecting the identity provider of your choice. There isn’t a direct registration option, which could be an issue for people who don’t trust any of the providers listed, but the selection is pretty big so it shouldn’t be a problem.