Examining tools for assess package security and license rate in Azure DevOps

Examining tools for assess package security and license rate in Azure DevOps

When assessing package security and license compliance in Azure DevOps, it's crucial to choose the right tools and approaches based on your organization's needs.

You can take two primary approaches to perform these checks.

1. Scan a Centralized Artifact Repository:

Assess packages and dependencies stored in a repository, typically after they have been built or when you pull them for consumption.

2. Tooling During Build in Pipeline:

Perform security and license checks as part of the build pipeline, where packages and dependencies are being integrated and built.

Below, we’ll look at the tools available for each approach — Artifactory, SonarQube, and Mend (formerly WhiteSource Bolt) — and examine how each tool works in both approaches.

Approach 1: Scan Centralized Artifact Repository

What is it?

In this approach, you scan a centralized artifact repository (such as JFrog Artifactory or Azure Artifacts) to detect issues with the dependencies (security vulnerabilities, license violations, etc.) of your packaged software. This is usually done periodically or as part of a monitoring strategy to keep track of the state of the dependencies stored in the repository.

Tools for Centralized Artifact Repository Scanning

1. JFrog Artifactory

Overview:

JFrog Artifactory is a popular artifact repository manager that supports multiple package types (Maven, npm, NuGet, etc.). It provides built-in support for managing artifacts across different environments and supports integration with a variety of tools for security and compliance checks.

Security and License Scanning:

• JFrog Xray:

  Artifactory integrates with JFrog Xray, a tool for security and license scanning. Xray continuously scans and analyzes your binaries stored in Artifactory for known vulnerabilities and license violations, using a combination of open-source databases like the National Vulnerability Database (NVD) and CVEs.

• License Compliance:

  JFrog Xray also integrates with license compliance tools to detect licenses that might violate your organization’s policies. It provides insights into which open-source libraries are being used and whether their licenses are compatible with your policy.

Example Workflow:

• Artifacts are pushed to Artifactory.

• JFrog Xray scans the artifacts for vulnerabilities and license issues in the centralized repository.

• Results are provided via the Xray UI, integrated with Artifactory, or via a webhook into Azure DevOps.

2. Sonatype Nexus Repository

Overview:

Nexus Repository is another artifact repository manager that offers robust support for managing, storing, and retrieving artifacts. It integrates seamlessly with Nexus Lifecycle to provide security and license monitoring for the packages stored in the repository.

Security and License Scanning:

• Nexus Lifecycle:

  Integrates with Nexus Repository to continuously monitor artifacts in the repository for known vulnerabilities and licensing risks.

• Automated Scans:

  Nexus scans artifacts in the repository for open-source vulnerabilities (via databases like the NVD), and it flags issues based on your configured policies.

• License Risk Detection:

  The tool also tracks licenses and compliance across the repository to ensure no forbidden or non-compliant licenses are present.

Example Workflow:

• Artifacts are uploaded to Nexus Repository.

• Nexus Lifecycle runs automated security and license scans on the stored packages.

• Issues are flagged, and the team can take actions directly from the Nexus interface.

Approach 2: Tooling During Build in Pipeline

What is it?

In this approach, you integrate security and license compliance checks directly into your build pipeline in Azure DevOps. The idea is to check dependencies for vulnerabilities and license violations as part of the continuous integration (CI) process, before artifacts are stored or deployed.

Tools for Tooling During Build in Pipeline

1. Mend (formerly WhiteSource Bolt)

Overview:

Mend provides an extension for Azure DevOps (WhiteSource Bolt) that scans dependencies during the build process. It is particularly focused on open-source vulnerability scanning and license compliance checks.

Security and License Scanning:

• Vulnerability Scanning:

  Mend scans dependencies in real-time to detect known security vulnerabilities in your open-source packages. It checks against its extensive database of CVEs and vulnerability advisories.

• License Compliance:

  Mend provides a license compliance report to ensure that the open-source components you are using comply with your organization's licensing policies.

• Integration with Azure DevOps:

  The Mend (WhiteSource) extension integrates seamlessly with Azure DevOps pipelines, so the scan runs during the CI process, providing results as part of the build output.

Example Workflow:

• During the build, the WhiteSource Bolt task runs as part of the pipeline.

• Mend scans the project’s dependencies (from package managers like npm, Maven, Gradle) for vulnerabilities and license issues.

• If high-severity vulnerabilities are found or if non-compliant licenses are detected, the pipeline can be configured to fail the build.

Example YAML for Azure DevOps Pipeline:

xxxxxxxxxx
13
1
trigger:
2
  branches:
3
    include:
4
      - main
5
pool:
6
  vmImage: 'ubuntu-latest'
7
steps:
8
- task: WhiteSourceBolt@20
9
  inputs:
10
    licenseKey: $(MEND_LICENSE_KEY)
11
    projectName: '$(Build.DefinitionName)-$(Build.BuildId)'
12
    projectVersion: '$(Build.BuildId)'
13
    orgToken: $(MEND_ORG_TOKEN)

2. SonarQube

Overview:

SonarQube is a popular code quality tool that also supports security and license compliance scanning through integration with dependency scanners. Although SonarQube is primarily known for static code analysis (SAST), it also integrates with tools like OWASP Dependency-Check and SonarSource’s own vulnerability rules to perform software composition analysis (SCA).

Security and License Scanning:

• Security:

  SonarQube integrates with OWASP Dependency-Check to detect known vulnerabilities in open-source dependencies used in the project.

• License Compliance:

SonarQube can detect issues related to open-source licenses, ensuring that the licenses in your dependencies are compliant with your organization’s policies.

• Pipeline Integration:

  The SonarQube Azure DevOps extension allows you to run these checks directly in your pipeline, and the results are provided as part of the build summary.

Example Workflow:

• During the build, the SonarQube task runs and scans your project’s dependencies using Dependency-Check.

• Results are visualized within the SonarQube dashboard or in the Azure DevOps pipeline output.

• You can set quality gates to fail builds if certain vulnerabilities or non-compliant licenses are found.

Example YAML for Azure DevOps Pipeline:

xxxxxxxxxx
20
1
trigger:
2
  branches:
3
    include:
4
      - main
5
pool:
6
  vmImage: 'ubuntu-latest'
7
steps:
8
- task: SonarQubePrepare@4
9
  inputs:
10
    SonarQube: $(SONARQUBE_SERVICE_CONNECTION)
11
    scannerMode: 'CLI'
12
    configMode: 'manual'
13
    configFile: '$(Build.SourcesDirectory)/sonar-project.properties'
14
- task: SonarQubeAnalyze@4
15
  inputs:
16
    SonarQube: $(SONARQUBE_SERVICE_CONNECTION)
17
- task: SonarQubePublish@4
18
  inputs:
19
    SonarQube: $(SONARQUBE_SERVICE_CONNECTION)
20
    pollingTimeoutSec: '300'

3. Artifactory (via JFrog Xray Integration)

Overview:

You can use JFrog Xray to scan the artifacts stored in JFrog Artifactory. This provides a continuous security and license monitoring solution for artifacts after they are built and stored.

Security and License Scanning:

• Xray Scanning:

  JFrog Xray analyzes the binary artifacts and their dependencies to detect security vulnerabilities and license compliance issues, using deep analysis of the open-source components.

• Pipeline Integration:

  Artifactory can integrate with your Azure DevOps pipeline so that after build artifacts are created, they can be automatically scanned by Xray.

Example Workflow:

• After the build, the Artifactory task in the pipeline uploads the artifacts to the repository.

• JFrog Xray can be triggered to scan these artifacts for vulnerabilities and license compliance before they are deployed.

Example YAML for Azure DevOps Pipeline:

xxxxxxxxxx
10
1
steps:
2
- task: ArtifactoryGenericUpload@1
3
  inputs:
4
    serverEndpoint: 'your-artifactory-server'
5
    sourcePath: '$(Build.ArtifactStagingDirectory)/'
6
    targetRepository: 'libs-release-local'
7
- task: JFrogXray@1
8
  inputs:
9
    artifactoryService: 'your-artifactory-service'
10
    xrayTask: 'scan'

Comparison: Approach 1 vs Approach 2

Summary

Both Approach 1 (Scanning centralized artifact repositories) and Approach 2 (Tooling during the build pipeline) have their merits. Approach 1 is ideal for centralized monitoring of artifacts that are already built, while Approach 2 provides the advantage of checking dependencies in real-time during the CI process, catching issues before they make it into production.

For best practices, many organizations use a combination of both approaches, ensuring that they catch vulnerabilities and licensing issues at both the build stage and the artifact storage stage.