Red Hat SummitChapter 1. Overview of Red Hat Trusted Profile Analyzer
Red Hat Trusted Profile Analyzer (RHTPA) is a product within the Red Hat Trusted Software Supply Chain suite that helps organizations manage their software supply chain security and risk management. It empowers the DevSecOps teams to assess risk profiles across custom, third-party, and open source software components without slowing down development or increasing operational complexity. The Trusted Profile Analyzer service gives you a centralized, unified view of your application’s security profile, also called a Single Pane of Glass (SPOG) view. This SPOG view is powered by underlying RESTful application programming interfaces (APIs) and provides the basis for the RHTPA web console and notification services.
Exhort is the backend endpoint of Trusted Profile Analyzer where all the API requests get sent, to retrieve the necessary data to analyze, including package dependencies and vulnerabilities. The Red Hat Dependency Analytics (RHDA) integrated development environment (IDE) plugin uses this endpoint to generate vulnerability reports within the IDE framework.
The Trusted Profile Analyzer service operates by aggregating, managing, and analyzing the following critical security documentation:
- Software Bill of Materials (SBOMs): It stores, indexes, and queries SBOMs for all your custom, third-party, and open source software components, creating a shared system of record. It supports formats like CycloneDX and SPDX.
- Vulnerability Exploitability eXchange (VEX) : It is a security advisory issued by a software provider for specific vulnerabilities within a product.
- Common Vulnerabilities and Exposures (CVE) : It indicates a product’s exposure to attacks and malicious activities by giving it a score between 1 to 10, where 1 is the lowest exposure level and 10 is the highest exposure level.
The Trusted Profile Analyzer service can regularly import advisory and vulnerability data, and uses this data to cross-references data from SBOM documents. This can help teams interpret the potential impact based on metrics such as the Common Vulnerability Scoring System (CVSS), a standardized, open framework for scoring IT vulnerabilities, and helps them to prioritize and manage remediation efforts.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}