Red Hat SummitQuick Start Guide
Using the Red Hat Trusted Profile Analyzer managed service on Red Hat Hybrid Cloud Console
Abstract
Preface
Welcome to the Red Hat Trusted Profile Analyzer (RHTPA) Quick Start Guide!
This is a quick start guide on how to use the Trusted Profile Analyzer managed service on Red Hat’s Hybrid Cloud Console.
Chapter 1. Searching for vulnerability information
You can use the Trusted Profile Analyzer service to find existing Software Bill of Materials (SBOM), Vulnerability Exploitability eXchange (VEX) documents, and common vulnerability and exposure (CVE) information for Red Hat products and packages.
Trusted Profile Analyzer managed service provides only information for the following Red Hat products:
- Red Hat Enterprise Linux Universal Base Image (UBI) versions 8 and 9.
- The Java Quarkus library.
Prerequisites
- A Red Hat user account to access the Red Hat Hybrid Cloud Console.
Procedure
- Open a web browser.
- Go to the Application and Data Services home page on the Hybrid Cloud Console.
- If prompted, log in to the Hybrid Cloud Console with your credentials.
- On the navigation menu, click Trusted Profile Analyzer.
On the Trusted Profile Analyzer home page, click the Subscribe and launch button. A new web browser window opens to the Trusted Profile Analyzer console home page.
NoteBy subscribing, your registered email address goes onto the product mailing list, so you can receive information about new product developments.
- On the Home page, in the search field, enter your search criteria and click Search.
On the search results page, you can filter the results by Red Hat products, download SBOM files, view package vulnerability information, and view any possible remediations.
NoteThe number shown on the Advisories tab is how many times your search criteria made a match. On the Products and containers tab, the number in the Product advisories column shows the number of advisories for that specific product.
Chapter 2. Scanning a software bill of materials file
You can scan your custom software bill of materials (SBOM) manifest files for analysis by Red Hat.
Red Hat does not retain a copy of your scanned SBOM files.
Prerequisites
- A Red Hat user account to access the Red Hat Hybrid Cloud Console.
- An existing CycloneDX 1.3, 1.4, or 1.5 or Software Package Data Exchange (SPDX) 2.2, 2.3 manifest files.
Procedure
- Open a web browser.
- Go to the Application and Data Services home page on the Hybrid Cloud Console.
- If prompted, log in to the Hybrid Cloud Console with your credentials.
- On the navigation menu, click Trusted Profile Analyzer.
On the Trusted Profile Analyzer home page, click the Subscribe and launch button. A new web browser window opens to the Trusted Profile Analyzer console home page.
NoteBy subscribing, your registered email address goes onto the product mailing list, so you can receive information about new product developments.
- Click Scan SBOM from the navigation menu.
- You can drag-and-drop an SBOM manifest file onto the page, or click Load an SBOM.
- After scanning the SBOM file, you get a summary of the analysis, and specific vulnerability information for the packages included in your SBOM file.
Additional resources
- To learn how to create a software bill of materials file, see the Trusted Profile Analyzer Reference Guide for details.
Chapter 3. Configuring Visual Studio Code to use Dependency Analytics
You can gain access to Red Hat’s Trusted Profile Analyzer service by using the Dependency Analytics extension for Microsoft’s Visual Studio Code (VS Code) editor application. With this extension you get access to the latest open source vulnerability information, and insights about your application’s dependent packages. The Red Hat Dependency Analytics extension uses the following data sources for the most up-to-date vulnerability information available:
- The ONGuard service, integrates the Open Source Vulnerability (OSV) and the National Vulnerability Database (NVD) data sources. When given a set of packages to the ONGuard service, a query to OSV retrieves the associated vulnerability information, and then a query to NVD for public Common Vulnerability and Exposures (CVE) information.
Dependency Analytics supports the following programming languages:
- Maven
- Node
- Python
- Go
Visual Studio Code by default, executes binaries directly in a terminal found in your system’s PATH environment. You can configure Visual Studio Code to look somewhere else to run the necessary binaries. You can configure this by accessing the extension settings. Click the Workspace tab, search for the word executable, and specify the absolute path to the binary file you want to use for Maven, Node, Python, or Go.
The Dependency Analytics extension is an online service maintained by Red Hat. Dependency Analytics only accesses your manifest files to analyze your application dependencies before displaying the results.
Prerequisites
- Install Visual Studio Code on your workstation.
-
For Maven projects, analyzing a
pom.xmlfile, you must have themvnbinary in your system’sPATHenvironment. -
For Node projects, analyzing a
package.jsonfile, you must have thenpmbinary in your system’sPATHenvironment. -
For Go projects, analyzing a
go.modfile, you must have thegobinary in your system’sPATHenvironment. -
For Python projects, analyzing a
requirements.txtfile, you must have thepython3/pip3orpython/pipbinaries in your system’sPATHenvironment. Also, the Python application needs to be in VS Code’s interpreter path.
Procedure
- Open the Visual Studio Code application.
- From the file menu, click View, and click Extensions.
- Search the Marketplace for Red Hat Dependency Analytics.
- Click the Install button to install the extension. Wait for the installation to finish.
To start scanning your application for security vulnerabilities, and view the vulnerability report, you can do one of the following:
- Open a manifest file, hover over a dependency marked by the inline Component Analysis, indicated by the wavy-red line under a dependency name, click Quick Fix, and click Detailed Vulnerability Report.
- Open a manifest file, and click the pie chart icon.
- Right click on a manifest file in the Explorer view, and click Red Hat Dependency Analytics Report….
- From the vulnerability pop-up alert message, click Open detailed vulnerability report.
Additional resources
- Red Hat Dependency Analytics Visual Studio marketplace page.
- The GitHub project.
Chapter 4. Configuring IntelliJ to use Dependency Analytics
You can gain access to Red Hat’s Trusted Profile Analyzer service by using the Dependency Analytics plugin for Jet Brains' IntelliJ IDEA application. With this plugin you get access to the latest open source vulnerability information, and insights about your application’s dependent packages. The Red Hat Dependency Analytics plugin uses the following data sources for the most up-to-date vulnerability information available:
- The ONGuard service, integrates the Open Source Vulnerability (OSV) and the National Vulnerability Database (NVD) data sources. When given a set of packages to the ONGuard service, a query to OSV retrieves the associated vulnerability information, and then a query to NVD for public Common Vulnerability and Exposures (CVE) information.
Dependency Analytics supports the following programming languages:
- Maven
- Node
- Python
- Go
The Dependency Analytics extension is an online service maintained by Red Hat. Dependency Analytics only accesses your manifest files to analyze your application dependencies before displaying the results.
Prerequisites
- Install IntelliJ IDEA on your workstation.
-
For Maven projects, analyzing a
pom.xmlfile, you must have themvnbinary in your system’sPATHenvironment. -
For Node projects, analyzing a
package.jsonfile, you must have thenpmbinary in your system’sPATHenvironment. -
For Go projects, analyzing a
go.modfile, you must have thegobinary in your system’sPATHenvironment. -
For Python projects, analyzing a
requirements.txtfile, you must have thepython3/pip3orpython/pipbinaries in your system’sPATHenvironment.
Procedure
- Open the IntelliJ application.
- From the file menu, click Settings , and click Plugins.
- Search the Marketplace for Red Hat Dependency Analytics.
- Click the INSTALL button to install the plug-in.
To start scanning your application for security vulnerabilities, and view the vulnerability report, you can do one of the following:
- Open a manifest file, hover over a dependency marked by the inline Component Analysis, indicated by the wavy-red line under a dependency, and click Detailed Vulnerability Report.
- Right click on a manifest file in the Project window, and click Dependency Analytics Report.
Additional resources
- Red Hat’s Dependency Analytics Jet Brains marketplace page.
- The GitHub project.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}