Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

此内容没有您所选择的语言版本。

Quick Start Guide

Red Hat Trusted Profile Analyzer 2

Using the Red Hat Trusted Profile Analyzer managed service on Red Hat Hybrid Cloud Console

Red Hat Trusted Documentation Team

Abstract

This Quick Start Guide gives users the essential information to start using the Red Hat Trusted Profile Analyzer managed service on Red Hat Hybrid Cloud Console.

Preface
复制链接

Welcome to the Red Hat Trusted Profile Analyzer (RHTPA) Quick Start Guide!

This is a quick start guide on how to use the Trusted Profile Analyzer managed service on the Red Hat Hybrid Cloud Console.

Chapter 1. Searching for vulnerability information
复制链接

You can use the Trusted Profile Analyzer managed service to find existing Software Bill of Materials (SBOM) documents, Vulnerability Exploitability eXchange (VEX) documents, license information, and common vulnerability and exposure (CVE) information, along advisory information for Red Hat products and software packages.

Important

Trusted Profile Analyzer managed service provides only information for the following Red Hat products:

  • Red Hat Enterprise Linux Universal Base Image (UBI) versions 8 and 9.
  • The Java Quarkus library.

Prerequisites

  • A Red Hat user account to access the Red Hat Hybrid Cloud Console.

Procedure

  1. Open a web browser.
  2. Go to the Application Services home page on the Hybrid Cloud Console.
  3. If prompted, log in to the Hybrid Cloud Console with your credentials.
  4. On the navigation menu, click Trusted Profile Analyzer.
  5. A new web browser window opens to the Trusted Profile Analyzer console home page. From the Trusted Profile Analyzer home page, on the navigational menu, click Search.
  6. Enter your search criteria into the dialog box to begin your search.

  7. On the search results page, you can filter the results by Red Hat products, download SBOM files, view package vulnerability and advisory information, along with any possible remediations.

    Note

    The number shown on the Advisories tab is how many times your search criteria made a match.

Chapter 2. Scanning a software bill of materials file
复制链接

You can scan your software bill of materials (SBOM) documents for analysis by using the Red Hat Trusted Profile Analyzer (RHTPA) managed service on the Red Hat Hybrid Cloud Console, or by using your own running instance of RHTPA. The Trusted Profile Analyzer service can analyze a standard SBOM, Artificial Intelligence Bill of Materials (AIBOM) containing language models, and Cryptographic Bill of Materials (CBOM) containing keys, certificates, and libraries.

Important

Red Hat does not retain a copy of your scanned SBOM documents.

Prerequisites

  • A Red Hat user account to access the Red Hat Hybrid Cloud Console.
  • An existing CycloneDX 1.3, 1.4, 1.5, 1.6 or Software Package Data Exchange (SPDX) 2.2, 2.3 document files.

Procedure

  1. Open a web browser.
  2. Go to the Application Services home page on the Hybrid Cloud Console.
  3. If prompted, log in to the Hybrid Cloud Console with your credentials.
  4. On the navigation menu, click Trusted Profile Analyzer.
  5. A new web browser window opens to the Trusted Profile Analyzer console home page.
  6. Click SBOMs from the navigation menu.
  7. Click the Generate vulnerability report button.
  8. You can drag and drop your SBOM file directly to this page, or click the Browse Files button, then choose the SBOM file you want to scan.
  9. After RHTPA scans the SBOM file, you get a summary of the analysis, and any specific vulnerability information for the packages included in your SBOM file.

You can gain access to Red Hat’s Trusted Profile Analyzer (RHTPA) service by using the Dependency Analytics extension for Microsoft’s Visual Studio Code application. With this extension you get access to the latest open source vulnerability information, and insights about your application’s dependent packages.

Dependency Analytics supports the following programming languages:

  • Maven

  • Gradle

    • Groovy
    • Kotlin DSL
  • NPM
  • PNPM

  • Yarn

    • Berry
    • Classic
  • Python
  • Go
Important

Visual Studio Code by default, executes binaries directly in a terminal found in your system’s PATH environment. You can configure Visual Studio Code to look somewhere else to run the necessary binaries. You can configure this by accessing the extension settings. Click the Workspace tab, search for the word executable, and specify the absolute path to the binary file you want to use for Maven, Node, Python, or Go.

Note

The Dependency Analytics extension is an online service maintained by Red Hat. Dependency Analytics only accesses your manifest files to analyze your application dependencies before displaying the results.

Prerequisites

  • Install Visual Studio Code on your workstation.
  • For Maven projects, analyzing a pom.xml file, you must have the mvn binary in your system’s PATH environment.
  • For NPM projects, analyzing a package.json file, you must have the npm binary in your system’s PATH environment.
  • For Go projects, analyzing a go.mod file, you must have the go binary in your system’s PATH environment.
  • For Python projects, analyzing a requirements.txt file, you must have the python3/pip3 or python/pip binaries in your system’s PATH environment. Also, the Python application needs to be in VS Code’s interpreter path.

Procedure

  1. Open the Visual Studio Code application.
  2. From the file menu, click View, and click Extensions.
  3. Search the Marketplace for Red Hat Dependency Analytics.
  4. Click the Install button to install the extension. Wait for the installation to finish.

  5. To start scanning your application for security vulnerabilities, and view the vulnerability report, you can do one of the following:

    • Open a manifest file, hover over a dependency marked by the inline Component Analysis, indicated by the wavy-red line under a dependency name, click Quick Fix, and click Detailed Vulnerability Report.
    • Open a manifest file, and click the pie chart icon.
    • Right click the manifest file in the Explorer view, and click Red Hat Dependency Analytics Report…​.
    • From the vulnerability pop-up alert message, click Open detailed vulnerability report.

  6. If you want to exclude specific packages for analysis, you can use the exhortignore as a comment tag for your specific programming language.

    • For Maven, update the pom.xml file: 

      ...
<dependency> <!--exhortignore-->
  <groupId>...</groupId>
  <artifactId>...</artifactId>
  <version>...</version>
</dependency>
...
      Copy to Clipboard Toggle word wrap

    • For Go, update the go.mod file: 

      module github.com/trustify-da/SaaSi/deployer

go 1.19

require (
        github.com/davecgh/go-spew v1.1.1 // indirect exhortignore
        github.com/emicklei/go-restful/v3 v3.9.0 // indirect
        github.com/go-logr/logr v1.2.3 // indirect //exhortignore

)
...
      Copy to Clipboard Toggle word wrap

    • For Python, update the requirements.txt file: 

      ...
click==8.0.4 #exhortignore
...
      Copy to Clipboard Toggle word wrap

    • For Gradle, update the build.gradle file: 

      plugins {
id 'java'
}

group = 'groupName'
version = 'version'

repositories {
    mavenCentral()
}

dependencies {
    implementation "groupId:artifactId:version" // exhortignore
}
test {
    useJUnitPlatform()
}
      Copy to Clipboard Toggle word wrap

You can gain access to Red Hat’s Trusted Profile Analyzer service by using the Dependency Analytics plugin for Jet Brains' IntelliJ IDEA application. This plugin gives you access to the latest open source vulnerability information, and insights about your application’s dependent packages.

Dependency Analytics supports the following programming languages:

  • Maven

  • Gradle

    • Groovy
    • Kotlin DSL
  • NPM
  • PNPM

  • Yarn

    • Berry
    • Classic
  • Python
  • Go
Note

The Dependency Analytics extension is an online service maintained by Red Hat. Dependency Analytics only accesses your manifest files to analyze your application dependencies before displaying the results.

Prerequisites

  • Install IntelliJ IDEA on your workstation.
  • For Maven projects, analyzing a pom.xml file, you must have the mvn binary in your system’s PATH environment.
  • For Node projects, analyzing a package.json file, you must have the npm binary in your system’s PATH environment.
  • For Go projects, analyzing a go.mod file, you must have the go binary in your system’s PATH environment.
  • For Python projects, analyzing a requirements.txt file, you must have the python3/pip3 or python/pip binaries in your system’s PATH environment.

Procedure

  1. Open the IntelliJ application.
  2. From the file menu, click Settings , and click Plugins.
  3. Search the Marketplace for Red Hat Dependency Analytics.
  4. Click the INSTALL button to install the plugin.

  5. To start scanning your application for security vulnerabilities, and view the vulnerability report, you can do one of the following:

    • Open a manifest file, hover over a dependency marked by the inline Component Analysis, indicated by the wavy-red line under a dependency, and click Detailed Vulnerability Report.
    • Right click the manifest file in the Project window, and click Dependency Analytics Report.

  6. If you want to exclude specific packages for analysis, you can use the exhortignore as a comment tag for your specific programming language.

    • For Maven, update the pom.xml file: 

      ...
<dependency> <!--exhortignore-->
  <groupId>...</groupId>
  <artifactId>...</artifactId>
  <version>...</version>
</dependency>
...
      Copy to Clipboard Toggle word wrap

    • For Go, update the go.mod file: 

      module github.com/trustify-da/SaaSi/deployer

go 1.19

require (
        github.com/davecgh/go-spew v1.1.1 // indirect exhortignore
        github.com/emicklei/go-restful/v3 v3.9.0 // indirect
        github.com/go-logr/logr v1.2.3 // indirect //exhortignore

)
...
      Copy to Clipboard Toggle word wrap

    • For Python, update the requirements.txt file: 

      ...
click==8.0.4 #exhortignore
...
      Copy to Clipboard Toggle word wrap

    • For Gradle, update the build.gradle file: 

      plugins {
id 'java'
}

group = 'groupName'
version = 'version'

repositories {
    mavenCentral()
}

dependencies {
    implementation "groupId:artifactId:version" // exhortignore
}
test {
    useJUnitPlatform()
}
      Copy to Clipboard Toggle word wrap

Legal Notice
复制链接

Copyright © Red Hat.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2026 Red Hat返回顶部