Skip to content
This repository has been archived by the owner on Apr 10, 2021. It is now read-only.
/ 10x-dux-vuls-eval Public archive

Infrastructure for 10x-dux-app analysis with the vuls.io toolset.

License

Notifications You must be signed in to change notification settings

18F/10x-dux-vuls-eval

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

10x Dependency Upgrades Project

Background

This is the main software and Infrastructure-as-Code repository for the 10x Dependency Upgrade (DUX) Phase 2 project,including an evaluation of just-in-time dependency analysis of software at deployment time using the open-source vuls project.

The original Phase 1 research and our additive research that led to this prototype can be found here and interested parties can request access from 10x.

The determination at the conclusion of 10x Dependency Upgrades Phase 2 was a no, meaning this project will not move forward. The code is provided for historical review and/or to be potentially revived by other researchers or engineers.

More information about the overall 10x process can bee found on the 10x website.

Project Documentation

Project documentation is in the ./docs directory.

Deployment instructions for developers or DevOps engineers are in ./docs/DEPLOY.md.

Architecture and design rationale are in ./docs/ARCHITECTURE.md.

Project Directory Structure

  • Custom container build components are in the ./docker directory.
  • Project documentation is in the ./docs directory.
  • Custom shell scripts for DevOps and container runtime are in ./scripts.
  • Deprecated copy of Terraform modules for direct deployment, now converted to CloudFoundry, are in ./terraform.

Source Code Repositories

  1. 10x-dux-vuls-eval: this repository, the umbrella source code and IaC repository.
  2. vuls-cloudfoundry-buildpack: source code for the sidecar buildpack to mediate communication between a client cloud.gov and the target server for aggregating vulnerability data.
  3. 10x-dux-app: an example vulnerable application with a sample Python vulnerability (CVE-2019-7164) to illustrate the importance of risk management and environmental context of reported dependency vulnerabilities.
  4. vuls: a fork of upstream vuls source code to evaluate custom requirements for this project.
  5. vulsrepo: a fork of upstream vulsrepo source code to evaluate custom requirements for a user interface for this project.

About

Infrastructure for 10x-dux-app analysis with the vuls.io toolset.

Resources

License

Code of conduct

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published