Detecting the fixed vulnerabilities (CVEs) of your artifacts while building - 8.0

Talend Software Development Life Cycle Best Practices Guide

Version: 8.0
Language: English
Product: Talend Big Data, Talend Data Fabric, Talend Data Integration, Talend Data Management Platform, Talend Data Services Platform, Talend ESB, Talend MDM Platform
Module: Talend Administration Center, Talend Artifact Repository, Talend CommandLine, Talend JobServer, Talend Studio
Content: Administration and Monitoring, Deployment, Design and Development

When using CI to build artifacts in big projects, you may want to detect which of your artifacts (Standard Jobs, Big Data Jobs, Routes) were affected by Common Vulnerabilities and Exposures (CVEs) that have been fixed in the latest Talend Studio update, so that you know which artifacts need to be rebuilt.

Note: The option that allows you to detect fixed CVEs and report them in a file is available from org.talend.ci:builder-maven-plugin version 8.0.3 onwards (available from R2022-03). The detection of fixed CVEs for Route artifacts is supported from R2022-05.

Due to technical limitations:

  • The CVEs for the jars with the Talend-specific groupId org.talend.libraries cannot be detected.
  • The CVEs for the jars used by Talend Studio but not by any component cannot be detected.
  • The CVEs reported for the artifacts built as OSGi Bundle or Microservice are not accurate.

Building the CVE report

Here is an example of a command that builds the list of artifacts affected by fixed CVEs. This command can be executed before or after generating the POM files of your project artifacts.

# To generate a report file listing all CVEs
mvn org.talend.ci:builder-maven-plugin:8.0.3:detectCVE \
  -Dgeneration.type=local \
  -Dlicense.path=/home/talend/talend_studio/license \
  -Dproduct.path=/home/talend/talend_studio/commandline/Talend-Studio-YYYYMMDD_1234-V8.0.X/ \
  -Dtalend.studio.p2.base=https://update.talend.com/Studio/8/base \
  -Dtalend.studio.p2.update=https://update.talend.com/Studio/8/updates/R2022-03 \
  -Dworkspace=/home/talend/talend_studio/CI/workspace \
  -DcveReportFilePath=/home/talend/talend_studio/CI/cvereport.csv \
  -s /home/talend/talend_studio/maven_user_settings.xml

This creates a report named cvereport.csv in the CI workspace. The report contains all the CVEs that affect the artifacts of your existing project and that have been fixed in the latest Talend Studio update.

Analyzing the CVE report

The following list details the columns of the generated Common Vulnerabilities and Exposures report.

Status
  Can be:
  • Upgraded: the vulnerability has been fixed by upgrading the library to a new version.
  • Removed: the vulnerability has been fixed by removing the library from the component, distribution or Studio plugin dependencies.

Fix Version
  The update version in which the CVE was fixed. Example: R2022-03

Project Name
  Name of the project impacted by the Common Vulnerabilities and Exposures. Example: CI_PROJECT

Item type
  Type of the artifact impacted by the Common Vulnerabilities and Exposures. Example: PROCESS

Item ID
  Identifier of the artifact impacted by the Common Vulnerabilities and Exposures. Example: _GXOmQFizEeiOq-rLS_Z-8g

Item Name
  Display name of the artifact impacted by the Common Vulnerabilities and Exposures. Example: MyVeryComplexJob

GAV with CVE
  The Maven Group, Artifact, Version (GAV) of the JAR file that has unsolved vulnerabilities. Example: org.apache.logging.log4j:log4j-core:2.13.2

GAV with CVE mitigated
  The Maven Group, Artifact, Version (GAV) of the JAR file in which the vulnerabilities are fixed. Example: org.apache.logging.log4j:log4j-core:2.17.1

UsedByTalendComponent
  Can be:
  • True: the GAV with CVE has been fixed in the listed components but is still used by Talend Studio somewhere else.
  • False: the GAV with CVE has been completely removed from the Talend Studio component dependencies.

CVE-ID
  Identifier of the Common Vulnerabilities and Exposures. If it is not available, the value is CVE-NOT_DISCLOSED. Example: CVE-2021-44228

CVSS
  The Common Vulnerability Scoring System (CVSS) score rating the severity of the vulnerability. It ranges from 0.0 to 10.0, 10.0 being the most severe. For more information about CVSS, see https://nvd.nist.gov/vuln-metrics/cvss.

Component Names
  Name of the component impacted by the Common Vulnerabilities and Exposures. It is either the technical name used for code generation, or studio if the whole Talend Studio is impacted.

Comment
  Additional comments.
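As an added example that is not part of the Talend documentation or of the builder-maven-plugin, the following Python script parses a cvereport.csv with the columns listed above and groups the fixed CVEs per artifact, so that a CI step can decide which Jobs and Routes to rebuild first and which rows need a manual look. It assumes the report is comma-separated with a header row matching the column names and that an empty CVSS cell means no score is available; the sample report, its placeholder identifiers and the 7.0 priority threshold are constructed for this example, not taken from the page.

```python
import csv
import io

# Constructed sample report (not real plugin output): comma-separated with a header row
# that uses the column names from the list above. Apart from the page's own example
# CVE-2021-44228, the CVE IDs, GAVs and the Route ID are placeholders.
SAMPLE_REPORT = """\
Status,Fix Version,Project Name,Item type,Item ID,Item Name,GAV with CVE,GAV with CVE mitigated,UsedByTalendComponent,CVE-ID,CVSS,Component Names,Comment
Upgraded,R2022-03,CI_PROJECT,PROCESS,_GXOmQFizEeiOq-rLS_Z-8g,MyVeryComplexJob,org.apache.logging.log4j:log4j-core:2.13.2,org.apache.logging.log4j:log4j-core:2.17.1,False,CVE-2021-44228,10.0,tLogRow,
Removed,R2022-03,CI_PROJECT,PROCESS,_GXOmQFizEeiOq-rLS_Z-8g,MyVeryComplexJob,com.example:legacy-lib:1.0,,True,CVE-NOT_DISCLOSED,,studio,Library dropped from plugin
Upgraded,R2022-03,CI_PROJECT,ROUTE,_PLACEHOLDER_ROUTE_ID,OrderRoute,com.example:parser:1.2,com.example:parser:1.3,False,CVE-0000-PLACEHOLDER,5.3,cFile,
"""


def parse_report(text):
    """Read the CSV and type the two fields that drive triage: CVSS becomes a float
    (None when the cell is empty) and UsedByTalendComponent becomes a bool."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        cvss = (row.get("CVSS") or "").strip()
        row["cvss_score"] = float(cvss) if cvss else None
        row["still_used"] = (row.get("UsedByTalendComponent") or "").strip().lower() == "true"
    return rows


def rebuild_plan(rows, min_cvss=7.0):
    """Group the fixed CVEs per artifact so each Job or Route is rebuilt once.
    'priority' is set when any fixed CVE scores >= min_cvss (assumed threshold);
    'review' is set when a CVE has no score (e.g. CVE-NOT_DISCLOSED) or the
    vulnerable GAV is still used elsewhere in Studio (UsedByTalendComponent = True)."""
    plan = {}
    for row in rows:
        key = (row["Project Name"], row["Item type"], row["Item ID"])
        entry = plan.setdefault(key, {"name": row["Item Name"], "cves": set(),
                                      "max_cvss": 0.0, "priority": False, "review": False})
        entry["cves"].add(row["CVE-ID"])
        if row["cvss_score"] is not None:
            entry["max_cvss"] = max(entry["max_cvss"], row["cvss_score"])
            if row["cvss_score"] >= min_cvss:
                entry["priority"] = True
        if row["cvss_score"] is None or row["still_used"]:
            entry["review"] = True
    return plan


if __name__ == "__main__":
    for (project, kind, item_id), e in rebuild_plan(parse_report(SAMPLE_REPORT)).items():
        flags = [f for f in ("priority", "review") if e[f]]
        print(f"{project}/{kind}/{e['name']} ({item_id}): {sorted(e['cves'])} "
              f"max CVSS {e['max_cvss']} {flags}")
```

To run it against a real report, replace SAMPLE_REPORT with the contents of the file given to -DcveReportFilePath.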

Indicating from which Studio update version to build the CVE list

When building your CVE report, you can use the fromVersion parameter to indicate the Studio update from which the comparison starts, so that the report only lists the CVEs fixed from that update onwards.
Note: As the option that allows you to detect fixed CVEs is available from R2022-03, the R2022-03 update contains all the CVEs fixed since the release of Talend Studio version 8.0.1.

Here is an example of a command that builds the list of the fixed CVEs detected from version R2022-04:

# To generate a report file listing all fixed CVEs detected from R2022-04
mvn org.talend.ci:builder-maven-plugin:8.0.3:detectCVE \
  -Dgeneration.type=local \
  -Dlicense.path=/home/talend/talend_studio/license \
  -Dproduct.path=/home/talend/talend_studio/commandline/Talend-Studio-YYYYMMDD_1234-V8.0.3/ \
  -Dtalend.studio.p2.base=https://update.talend.com/Studio/8/base \
  -Dtalend.studio.p2.update=https://update.talend.com/Studio/8/updates/R2022-04 \
  -DfromVersion=R2022-04 \
  -DcveReportFilePath=/home/talend/talend_studio/CI/cvereport.csv \
  -s /home/talend/talend_studio/maven_user_settings.xml