How to track security vulnerabilities used in binaries? - security

I have a software bill of materials (SBOM) Excel file and I want to somehow track the vulnerabilities being reported for the libraries and applications in it. I know that most of SBOM tracking exists today basically integrated into the build process, but what about when we do not have a build process or only have an Excel file or let's say binary files? I can manually extract libraries list from a binary, but I have no idea if it is possible to basically give the list of software to an application and it alerts me whenever there is a CVE for the library (without integration to the build process). Is there any way to do it?
I heard about CycloneDX and SLSA framework (https://github.com/slsa-framework/slsa). But again Is it possible to do a track by inserting the software version manually? Because it seems like all existing tools are just for the build process and the only way for me is to literally join bug tracking websites mailing list and put a filter for each library that I have.
Any idea?

The OWASP Dependency-Track project does this. You can either load a CycloneDX SBOM with all the components or manually add them in the user interface.
As you already have the dependencies in an Excel spreadsheet, you could use the CycloneDX CLI tool to convert from CSV to CycloneDX format. Although you will need to adjust the column names to match what it is expecting.
The important part is what component identifier and vulnerability sources you are using. CPE is hard to use, but is the only component identifier currently supported by the NVD for CVEs. But OSS Index supports package URL which is much more useful for SBOM use cases.

Related

What is the best approach of building SAP Hybris application from scratch?

I'm trying to build my first app on Hybris, but I'm not sure what is the best approach to build such applications. Let's say I sell flowers in my store. Currently there are 2 ways how to do it:
Create accelerator template and then reconfigure application.
Building app from the beginning.
The first solution may look very attractive, but I don't think it is better solution because:
Hybris doesn't provide an accelerator for my specific solution (flowers), application reconfiguration may take a lot of time.
Some accelerators contain more that one store - other stores should be removed.
The mess in the database. I have to spend time and understand which tables should be removed.
The second approach seems the most logical, but in this case I have some doubts, because the speed of development will be significantly reduced. Moreover, I think that developing a simple store on Spring Boot will be much faster than learning the Hybris platform's extensions and how they work together.
In this case, how should I start develop my application?
Honestly, I don't have experience with building complete SAP Hybris application from the scratch yet, but I have some experience related to development of the SAP Hybris extensions, so I'll try to provide my potential approach because I don't see many answers here.
I'd do it as follows:
Get the whole commerce suite
Run one of the recipe with the installer script (choose one, which will be the best for you - one of the most popular/common recipes is b2c_acc)
Remove unwanted extensions from the localextensions.xml file if necessary
Add another extensions, if you need them
Depending on your use case, create your own extension basing on the one of templates with ant extgen task inside the hybris/bin/platform/ dir (e.g. yacceleratorstorefront, ybackoffice, yempty, etc.)
Add your custom extension (or extensions) to localextensions.xml file
Start your development within your custom extension created out of available template
I know, it's kind of "specific" platform. I hope this answer will help a bit.
Cheers

Suite/Advanced UI multiple packages

I have in my company many MSI installers that I want to unified them into a single MSI.
I understand Suite/Advanced UI project may fit that requirement.
I created a project, added 2 different packages and assign them features.
I want to view the features that each MSI has, maybe load it's dialog to the Suite project but I can't find a way to do that but only built a new dialog which will save properties and pass them to the sub MSI's.
If that is the only then what is the purpose of Suite project, I cant do that in a standard MSI or some C# code to run all my MSI's
Am I wrong?
There are multiple pieces to this question, so I'm going to answer them at a high level. That should help you figure out what you want more detail on so you can ask it in a new question.
It's possible to associate Suite/Advanced UI features with MSI features, but I don't really recommend it. There are a lot of caveats to the approach in that blog post. We've found that it typically works better to design your MSIs to be feature-level items, so that the entirety of any given MSI that is part of a Suite is either installed or skipped.
You are correct that is is not possible to dynamically explore the features of the MSI package. You can create pages with controls that reference Suite properties or features, but you're still back to the caveats of the above post.
The Suite/Advanced UI project is designed to unify the UI experience of installing multiple packages, whether carried locally or downloaded on demand. If they are all MSI packages, and you are willing to require Windows Installer 4.5, it can install them using transaction processing. You are absolutely correct that you could write your own bootstrap to do this, or to just script installing several MSI packages in a row, but doing so requires the usual trade-offs. (It may give a better fit, but it will likely take a lot more work if you want to replicate all the features already provided.)

How do I create transferable dll's for a specific website functionality?

VS2013 update 5, MVC5 using Areas
I have a stand-alone function programmed for a website. The functionality is a specific user interface to collect survey responses in a particular way. It has several controllers, a model and a group of views. The functionality is completely contained in an Area of the project, except for the Shared _Layout file that provides the main menu for consistency.
'Is it possible for me to' / 'how do I' compile this Area into a single or set of .dll file(s) that I could then add conveniently to other websites? I'm assuming creating something for transfer/download is very standard functionality. For example, I used Elmah.MVC for this site. What I want to do is pretty much create a package that can be downloaded in a similar way to how we integrate Elmah.MVC into a site. (Be certain I'm not talking about creating error logging software, I'm only using Elmah.MVC as an example of software that is easily integrated into other website applications.)
I've never compiled any website functionality into a .dll(s) for use elsewhere and would appreciate either some specific guidance, or perhaps what would be easier is to provide a link with a good step by step tutorial or explanation for how to do this. Most of what I've found on the web describes bits and pieces of doing this, but it's not enough for me to feel confident with it.
It seems to me there are a lot of 'moving parts' to taking a particular piece of an MVC application and turning it into something that is easily added to other projects.
A particular issue I don't quite grasp is the difference in downloaded packages between getting code and getting just the .dll(s). For instance, when I download an MVC5 site, I get controllers, models and views, but when I download Elmah I get a .dll and no code files. Also, I do understand the concept of transforms, but I'm just struggling right now with even getting from my programmed application into a 'package' regardless of the transforms that make it easy to integrate into another website.
These are just some of my questions I have about how to perform this particular process in developing deliverable and/or shareable software.
What you are looking to do is create a portable MVC Area project. A Portable Area is a set of reusable multi page functionality can be dropped into an application to provide rich functionality without having to custom build functionality that is literally the same in every application. An MVC Portable Area is really just a dll that contains the views, controllers, scripts, etc… needed to use in a website that is either a Web Forms website or an MVC website. A developer can use them for a reusable widget or a complete engine. I have actually used them for both. Here is a link with some basic info to get started. http://elegantcode.com/2012/04/06/mvc-portable-areas/

In Tkinter, are you able to insert a feature where the user can upload an image?

I am working on a project where students within my school can buy and sell their revision books with the purpose of it being cheaper and accessible.
I will be using python 3.3 to program this system, with the aid of Tkinter. I am not fully used to the system, so this is where your help would be appreciated. One of the features on the system will allow the students to upload a picture of the book cover to show the condition and act as an image descriptor really.
Will I be able to insert this feature?
Thanks
Yes.
Answering 'How' is out of scope for this site until you try something, fail, and post a specific question. Include your OS in any further questions.
Two starting hints: The 3.x version of the pillow package, which you can install with 'pip', can be used to convert image files from one format to another. Tcl/tk 8.5 can only handle .gif and .bmp files. 8.6 can also handle .png files. On Windows, 3.4 comes with tcl/tk 8.6. For this, among other reasons, I strongly recommend starting with the latest Python, currently 3.4.2, if you possible can.
That said, I suspect you would be better off writing a 'web' application, using a browser for the user interface to communicate with a server program that connects to a database.

javax.microedition package documentation

I have to design a mobile application as my mini project. I cannot find the documentation of javax.microedition in my java folder. I tried searching it online, but all the websites have vague information. I need proper details of this package. Where can I find it?
tried searching it online, but all the websites have vague information
Did you try different search engines? I always switch to alternative engine when I feel that one I usually prefer doesn't do the trick.
Don't know if your case but to me results of search for "javax.microedition package" were totally different depending on engine. While one engine ("good") gave me a needed link at the top of the very first page, another had it buried at 7th page ("bad", really bad).
Anyway, there's pretty detailed and accurate answer at SDN Mobility Reference FAQ - J2ME Package Listing:
Question
What package names are defined in the J2ME environment?
Answer
The J2ME environment introduces a number of Java packages. These are almost exclusively placed into the package javax.microedition. The few exceptions are technologies that could be used in one or more other editions of the Java platform as well. For example, because you might use Bluetooth technology in either J2ME or J2SE, the Java APIs for Bluetooth specification (JSR 82) uses the package names javax.bluetooth and javax.obex.
The table shows the package names specified by the J2ME JSRs, as defined by the Java Community Process (JCP). It includes...
...continue reading at above link if you're interested in more details

Resources