Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

此内容没有您所选择的语言版本。

Quick Start Guide

Red Hat Trusted Profile Analyzer 2

Using the Red Hat Trusted Profile Analyzer managed service on Red Hat Hybrid Cloud Console

Red Hat Trusted Documentation Team

Abstract

This Quick Start Guide gives users the essential information to start using the Red Hat Trusted Profile Analyzer managed service on Red Hat Hybrid Cloud Console.

Preface
复制链接

Welcome to the Red Hat Trusted Profile Analyzer (RHTPA) Quick Start Guide!

This is a quick start guide on how to use the Trusted Profile Analyzer managed service on the Red Hat Hybrid Cloud Console.

Chapter 1. Searching for vulnerability information
复制链接

You can use the Trusted Profile Analyzer managed service to find existing Software Bill of Materials (SBOM) documents, Vulnerability Exploitability eXchange (VEX) documents, license information, and common vulnerability and exposure (CVE) information, along advisory information for Red Hat products and software packages.

Important

Trusted Profile Analyzer managed service provides only information for the following Red Hat products:

  • Red Hat Enterprise Linux Universal Base Image (UBI) versions 8 and 9.
  • The Java Quarkus library.

Prerequisites

  • A Red Hat user account to access the Red Hat Hybrid Cloud Console.

Procedure

  1. Open a web browser.
  2. Go to the Application Services home page on the Hybrid Cloud Console.
  3. If prompted, log in to the Hybrid Cloud Console with your credentials.
  4. On the navigation menu, click Trusted Profile Analyzer.
  5. A new web browser window opens to the Trusted Profile Analyzer console home page. From the Trusted Profile Analyzer home page, on the navigational menu, click Search.
  6. Enter your search criteria into the dialog box to begin your search.

  7. On the search results page, you can filter the results by Red Hat products, download SBOM files, view package vulnerability and advisory information, along with any possible remediations.

    Note

    The number shown on the Advisories tab is how many times your search criteria made a match.

Chapter 2. Scanning a software bill of materials file
复制链接

You can scan software bill of materials (SBOM) documents using the Red Hat Trusted Profile Analyzer service on Hybrid Cloud Console or your own {acronym} instance. The Trusted Profile Analyzer service can analyze a standard SBOM, Artificial Intelligence Bill of Materials (AIBOM) containing language models, and Cryptographic Bill of Materials (CBOM) containing keys, certificates, and libraries.

Important

Red Hat does not retain a copy of your scanned SBOM documents.

Prerequisites

  • A Red Hat user account to access the Red Hat Hybrid Cloud Console.
  • An existing CycloneDX 1.3, 1.4, 1.5, 1.6 or Software Package Data Exchange (SPDX) 2.2, 2.3 document files.

Procedure

  1. Open a web browser.
  2. Go to the Application Services home page on the Hybrid Cloud Console.
  3. If prompted, log in to the Hybrid Cloud Console with your credentials.
  4. On the navigation menu, click Trusted Profile Analyzer.
  5. A new web browser window opens to the Trusted Profile Analyzer console home page.
  6. Click SBOMs from the navigation menu.
  7. Click the Generate vulnerability report button.
  8. You can drag and drop your SBOM file directly to this page, or click the Browse Files button, then choose the SBOM file you want to scan.
  9. After {acronym} scans the SBOM file, you get a summary of the analysis, and any specific vulnerability information for the packages included in your SBOM file.

You can gain access to Red Hat’s Trusted Profile Analyzer (RHTPA) service by using the Dependency Analytics extension for Microsoft’s Visual Studio Code application. With this extension you get access to the latest open source vulnerability information, and insights about your application’s dependent packages.

Dependency Analytics supports the analysis of Dockerfiles, and the following package managers:

  • Maven

  • Gradle

    • Groovy DSL
    • Kotlin DSL
  • NPM
  • PNPM

  • Yarn

    • Berry
    • Classic
  • Python PIP
  • Go mod
Important

Visual Studio Code by default, executes binaries directly in a terminal found in your system’s PATH environment. You can configure Visual Studio Code to look somewhere else to run the necessary binaries. You can configure this by accessing the extension settings. Click the Workspace tab, search for the word executable, and specify the absolute path to the binary file you want to use for Maven, Node, Python, or Go.

Note

The Dependency Analytics extension is an online service maintained by Red Hat. Dependency Analytics only accesses your manifest files to analyze your application dependencies before displaying the results.

Prerequisites

  • Install Visual Studio Code on your workstation.
  • For Dockerfiles, the syft binary must be in your system’s PATH environment.
  • For Maven projects, analyzing a pom.xml file, you must have the mvn binary in your system’s PATH environment.
  • For NPM projects, analyzing a package.json file, you must have the npm binary in your system’s PATH environment.
  • For Go projects, analyzing a go.mod file, you must have the go binary in your system’s PATH environment.
  • For Python projects, analyzing a requirements.txt file, you must have the python3/pip3 or python/pip binaries in your system’s PATH environment. Also, the Python application needs to be in VS Code’s interpreter path.
  • For Gradle projects, analyzing a build.gradle file for Groovy DSL, or a build.gradle.kts file for Kotlin DSL.

Procedure

  1. Open the Visual Studio Code application.
  2. From the file menu, click View, and click Extensions.
  3. Search the Marketplace for Red Hat Dependency Analytics.
  4. Click the Install button to install the extension. Wait for the installation to finish.

  5. To start scanning your application for security vulnerabilities, and view the vulnerability report, you can do one of the following:

    • Open a manifest file, hover over a dependency marked by the inline Component Analysis, indicated by the wavy-red line under a dependency name, click Quick Fix, and click Detailed Vulnerability Report.
    • Open a manifest file, and click the pie chart icon.
    • Right click the manifest file in the Explorer view, and click Red Hat Dependency Analytics Report…​.
    • From the vulnerability pop-up alert message, click Open detailed vulnerability report.

  6. If you want to exclude specific packages for analysis, you can use the exhortignore as a comment tag for your specific programming language.

    • For Maven, update the pom.xml file: 

      ...
<dependency> <!--exhortignore-->
  <groupId>...</groupId>
  <artifactId>...</artifactId>
  <version>...</version>
</dependency>
...
      Copy to Clipboard Toggle word wrap

    • For Go, update the go.mod file: 

      module github.com/trustify-da/SaaSi/deployer

go 1.19

require (
        github.com/davecgh/go-spew v1.1.1 // indirect exhortignore
        github.com/emicklei/go-restful/v3 v3.9.0 // indirect
        github.com/go-logr/logr v1.2.3 // indirect //exhortignore

)
...
      Copy to Clipboard Toggle word wrap

    • For Python, update the requirements.txt file: 

      ...
click==8.0.4 #exhortignore
...
      Copy to Clipboard Toggle word wrap

    • For Gradle, update the build.gradle file: 

      plugins {
id 'java'
}

group = 'groupName'
version = 'version'

repositories {
    mavenCentral()
}

dependencies {
    implementation "groupId:artifactId:version" // exhortignore
}
test {
    useJUnitPlatform()
}
      Copy to Clipboard Toggle word wrap

You can gain access to Red Hat’s Trusted Profile Analyzer service by using the Dependency Analytics plugin for Jet Brains' IntelliJ IDEA application. This plugin gives you access to the latest open source vulnerability information, and insights about your application’s dependent packages.

Dependency Analytics supports the analysis of Dockerfiles, and the following package managers:

  • Maven

  • Gradle

    • Groovy DSL
    • Kotlin DSL
  • NPM
  • PNPM

  • Yarn

    • Berry
    • Classic
  • Python PIP
  • Go mod
Note

The Dependency Analytics extension is an online service maintained by Red Hat. Dependency Analytics only accesses your manifest files to analyze your application dependencies before displaying the results.

Prerequisites

  • Install IntelliJ IDEA on your workstation.
  • For Dockerfiles, the syft binary must be in your system’s PATH environment.
  • For Maven projects, analyzing a pom.xml file, you must have the mvn binary in your system’s PATH environment.
  • For Node projects, analyzing a package.json file, you must have the npm binary in your system’s PATH environment.
  • For Go projects, analyzing a go.mod file, you must have the go binary in your system’s PATH environment.
  • For Python projects, analyzing a requirements.txt file, you must have the python3/pip3 or python/pip binaries in your system’s PATH environment.
  • For Gradle projects, analyzing a build.gradle file for Groovy DSL, or a build.gradle.kts file for Kotlin DSL.

Procedure

  1. Open the IntelliJ application.
  2. From the file menu, click Settings , and click Plugins.
  3. Search the Marketplace for Red Hat Dependency Analytics.
  4. Click the INSTALL button to install the plugin.

  5. To start scanning your application for security vulnerabilities, and view the vulnerability report, you can do one of the following:

    • Open a manifest file, hover over a dependency marked by the inline Component Analysis, indicated by the wavy-red line under a dependency, and click Detailed Vulnerability Report.
    • Right click the manifest file in the Project window, and click Dependency Analytics Report.

  6. If you want to exclude specific packages for analysis, you can use the exhortignore as a comment tag for your specific programming language.

    • For Maven, update the pom.xml file: 

      ...
<dependency> <!--exhortignore-->
  <groupId>...</groupId>
  <artifactId>...</artifactId>
  <version>...</version>
</dependency>
...
      Copy to Clipboard Toggle word wrap

    • For Go, update the go.mod file: 

      module github.com/trustify-da/SaaSi/deployer

go 1.19

require (
        github.com/davecgh/go-spew v1.1.1 // indirect exhortignore
        github.com/emicklei/go-restful/v3 v3.9.0 // indirect
        github.com/go-logr/logr v1.2.3 // indirect //exhortignore

)
...
      Copy to Clipboard Toggle word wrap

    • For Python, update the requirements.txt file: 

      ...
click==8.0.4 #exhortignore
...
      Copy to Clipboard Toggle word wrap

    • For Gradle, update the build.gradle file: 

      plugins {
id 'java'
}

group = 'groupName'
version = 'version'

repositories {
    mavenCentral()
}

dependencies {
    implementation "groupId:artifactId:version" // exhortignore
}
test {
    useJUnitPlatform()
}
      Copy to Clipboard Toggle word wrap

Legal Notice
复制链接

Copyright © Red Hat.
Except as otherwise noted below, the text of and illustrations in this documentation are licensed by Red Hat under the Creative Commons Attribution–Share Alike 3.0 Unported license . If you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, the Red Hat logo, JBoss, Hibernate, and RHCE are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS is a trademark or registered trademark of Hewlett Packard Enterprise Development LP or its subsidiaries in the United States and other countries.
The OpenStack® Word Mark and OpenStack logo are trademarks or registered trademarks of the Linux Foundation, used under license.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2026 Red Hat返回顶部