Optimization and automation of Dependency-Track in the software supply chain
Costantin, Riccardo Alberto
2023/2024
Abstract
In recent years, the growing complexity of software has confronted companies with increasing challenges in security and dependency management. Dependency-Track is an excellent tool for managing and analyzing vulnerabilities in dependencies, with the aim of making the supply chain more secure. This thesis focuses on optimizing and automating Dependency-Track by modifying existing Maven plugins: the CycloneDX plugin, which generates the Software Bill of Materials (SBOM), and the dependency-track-maven-plugin, which automates API requests. The CycloneDX plugin's flexibility was improved so that it correctly classifies the project types of the various kinds of submodules in a Maven project, while new goals were added to the Dependency-Track plugin to automatically manage the Vex.json file and suppress false positives. The results show a significant reduction in manual work and a simplification of software dependency management processes, thanks to the implemented automations.

File | Size | Format
---|---|---
Costantin_Riccardo_Alberto.pdf (restricted access) | 905.12 kB | Adobe PDF
The text of this website © Università degli studi di Padova. Full texts are published under a non-exclusive license. Metadata are under a CC0 License.
https://hdl.handle.net/20.500.12608/70957