Red Hat SummitEste contenido no está disponible en el idioma seleccionado.
Chapter 1. Overview of Red Hat Trusted Profile Analyzer
Red Hat Trusted Profile Analyzer (RHTPA) is a product within the Red Hat Trusted Software Supply Chain suite that helps organizations manage their software supply chain security and risk management. It empowers DevSecOps teams to assess risk across custom, third-party, and open source components without slowing development or increasing operational complexity. The Trusted Profile Analyzer service gives you a centralized, unified view of your application’s security profile, also called a Single pane of glass (SPOG) view. This SPOG view is powered by underlying RESTful application programming interfaces (APIs) and provides the basis for the RHTPA web console and notification services.
Exhort is the Trusted Profile Analyzer backend endpoint. It receives API requests to retrieve analysis data, including package dependencies and vulnerabilities. The Red Hat Dependency Analytics (RHDA) integrated development environment (IDE) plugin uses this endpoint to generate vulnerability reports within the IDE framework.
The Trusted Profile Analyzer service operates by aggregating, managing, and analyzing the following critical security documentation:
- Software Bill of Materials (SBOMs): Stores, indexes, and queries SBOMs for all your custom, third-party, and open source software components, creating a shared system of record. It supports formats like CycloneDX and SPDX.
- Vulnerability Exploitability eXchange (VEX) : A security advisory issued by a software provider for specific vulnerabilities within a product.
- Common Vulnerabilities and Exposures (CVE) : Indicates a product’s exposure to attacks and malicious activities by giving it a score between 1 to 10, where 1 is the lowest exposure level and 10 is the highest exposure level.
The Trusted Profile Analyzer service can regularly import advisory and vulnerability data, and uses this data to cross-references data from SBOM documents. This helps teams interpret the impact by using metrics, such as the Common Vulnerability Scoring System (CVSS), to guide their remediation efforts.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}