堆栈内存溢出
  繁体   English   中英

如何利用npm审计?

[英]How to leverage npm audit?

 原文  2019-06-21 21:17:23       node.js/ npm/ reverse-engineering/ npmjs/ npm-audit

问题描述

TLDR:是否可以利用npm audit的漏洞检测功能作为宁静服务而不是当前的CLI实现?

npm针对Node Security Platform(NSP)漏洞数据库提供针对每个安装请求的自动漏洞扫描,并在您尝试使用不安全的代码时向您发出警告。 此外, npm audit递归分析您的依赖关系树,以明确识别不安全的内容,推荐替换,或使用npm审计修复自动修复它。

此功能很棒,我希望能够在Web应用程序中利用此漏洞扫描功能。 那我为什么要这样做呢?

似乎大多数公司都拥有一个内部JFrog存储库,它经常需要更新和维护才能镜像npmjs 但是,一种更有效的方法(在我看来)是创建一个嵌入了mitmproxy的简单Web应用程序。 然后,此Web应用程序将更像是代理,并允许用户根据自定义业务逻辑和/或npm审计漏洞报告结果筛选出npm请求。 这样做的好处是可以自定义风险评估容差,并利用npmjs来分发所请求的库。 因此,这将驱逐公司托管任何内部JFrog实例的需要,并且可能通过让npmjs处理托管所述库来降低成本。

下面列出的是npm audit报告的一部分: 

$ npm audit

样本审计报告: 

                        === npm audit security report ===  

#                            ...  Removed unnecessary details                                                                                 

# Run  npm install jquery@3.4.1  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ jquery                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jquery                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jquery                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/796                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


found 88 vulnerabilities (63 low, 10 moderate, 15 high) in 36801 scanned packages
  run `npm audit fix` to fix 1 of them.
  87 vulnerabilities require semver-major dependency updates.

我看到npm audit正在利用以下url进行漏洞检测: 

https://nodesecurity.io/advisories/<id>

其中<id>是表示相关库的数字。 在我的例子中:jquery => 796。

我不知道如何将此组件名称复制到我的端点上的id映射,而不是强力手动操作,以便为漏洞详细信息提取响应。 我理解这个API的内部工作原因是出于安全原因而被故意混淆,并且通常大多数安全提供商都想为他们的服务赚钱。

话虽如此,第一遍知道<package>@<version>是高/中/低漏洞就足够了。 我看到html页面中有一个包含漏洞详细信息的嵌入式<script>标记: 

<script integrity="sha512-2KUTRVRvbDU3H6wROMklMMJqo9viHDRE+eOC56AIunI3PWKmCX1sVagJux/7BdYxpbbdgUi2sDJGhHEl499Tzw==">window.__context__ = {"context":{"advisoryData":{"id":796,"created":"2019-04-02T21:06:11.895Z","updated":"2019-04-23T14:29:39.788Z","deleted":null,"title":"Prototype Pollution","found_by":{"link":"","name":"asgerf"},"reported_by":{"link":"","name":"asgerf"},"module_name":"jquery","cves":["CVE-2019-5428"],"vulnerable_versions":"\u003c3.4.0","patched_versions":"\u003e=3.4.0","overview":"Versions of `jquery`  prior to 3.4.0 are vulnerable to Prototype Pollution. The extend() method allows an attacker to modify the prototype for `Object` causing changes in properties that will exist on all objects.","recommendation":"Upgrade to version 3.4.0 or later.","references":"- [HackerOne Report](https://hackerone.com/reports/454365)","access":"public","severity":"moderate","cwe":"CWE-471","url":"https://npmjs.com/advisories/796","urls":{"detail":"/v1/advisories/advisory/796","prev":"/v1/advisories/advisory/795","next":"/v1/advisories/advisory/797"},"formatted":{"overview":"\u003cp\u003eVersions of \u003ccode\u003ejquery\u003c/code\u003e  prior to 3.4.0 are vulnerable to Prototype Pollution. The extend() method allows an attacker to modify the prototype for \u003ccode\u003eObject\u003c/code\u003e causing changes in properties that will exist on all objects.\u003c/p\u003e\n","recommendation":"\u003cp\u003eUpgrade to version 3.4.0 or later.\u003c/p\u003e\n","references":"\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://hackerone.com/reports/454365\" rel=\"nofollow\"\u003eHackerOne Report\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n","created":"Apr 2nd, 9:06:11 pm","updated":"Apr 23rd, 2:29:39 pm"}},"events":[{"id":1419,"advisory_id":796,"created":"2019-04-23T14:29:39.821Z","type":"published","message":"Advisory Published","formatted":{"created":"Apr 23rd, 2019"}},{"id":1354,"advisory_id":796,"created":"2019-04-02T21:06:11.904Z","type":"reported","message":"Reported by asgerf","formatted":{"created":"Apr 2nd, 2019"}}],"user":{"tfa":false,"name":"wright1242","isStaff":false,"deactivated":null,"avatars":{"small":"https://s.gravatar.com/avatar/c273b03158ed9f9f045f476897b235fa?size=50\u0026default=retro","medium":"https://s.gravatar.com/avatar/c273b03158ed9f9f045f476897b235fa?size=100\u0026default=retro","large":"https://s.gravatar.com/avatar/c273b03158ed9f9f045f476897b235fa?size=496\u0026default=retro"},"resource":{"fullname":"Nathan Wright"},"is_delegated":false,"email_verified":true,"created":{"ts":1553877333697,"rel":"3 months ago"},"updated":"2019-03-29T16:35:33.695Z"},"csrftoken":"plyisfZBsPE1Ede0ico2RTod6B60nd7l1qHPvREr-mw","notifications":[],"npmExpansions":["Nimble Porridge Muncher","Now, Push Me","Next Phenomenal Microbrewery","npm promulgates marsupials","Newton's Poleless Magnet","Nested Public Modules","New Powerful Machines","No Prize Money","Nostalgic Pickled Mango","Neolithic Populous Metropolis"],"isNpme":false},"chunks":{"commons":["commons.4d94cbb36d7d9f02c2f4.js","commons.4d94cbb36d7d9f02c2f4.js.map"],"styles":["styles.a34b113ba89c0a069aa9.css","minicssextractbug.ece81719b14e4fb51acb.js","styles.a34b113ba89c0a069aa9.css.map","minicssextractbug.ece81719b14e4fb51acb.js.map"],"advisories/detail":["advisories/detail.e640a34c8a03ac2c51e8.js","advisories/detail.e640a34c8a03ac2c51e8.js.map"],"advisories/list":["advisories/list.49eaf09da2c66523e9cd.js","advisories/list.49eaf09da2c66523e9cd.js.map"],"advisories/report":["advisories/report.6b5a536458e618cb3ae5.js","advisories/report.6b5a536458e618cb3ae5.js.map"],"advisories/versions":["advisories/versions.5ce20fcc3f3f3e620292.js","advisories/versions.5ce20fcc3f3f3e620292.js.map"],"auth/cli":["auth/cli.31c9a365866841fcc4fe.js","auth/cli.31c9a365866841fcc4fe.js.map"],"auth/common-passwords":["auth/common-passwords.32150bf4a63195186b9e.js","auth/common-passwords.32150bf4a63195186b9e.js.map"],"auth/escalate":["auth/escalate.5d3004f00377e61c65ff.js","auth/escalate.5d3004f00377e61c65ff.js.map"],"auth/forgot":["auth/forgot.4b4e93ca04ea1741a235.js","auth/forgot.4b4e93ca04ea1741a235.js.map"],"auth/forgot-sent":["auth/forgot-sent.b6a321ab13288fbdb321.js","auth/forgot-sent.b6a321ab13288fbdb321.js.map"],"auth/invite-signup":["auth/invite-signup.1374d727ca7f216f4df6.js","auth/invite-signup.1374d727ca7f216f4df6.js.map"],"auth/login":["auth/login.8d9b5fe8a19cbc186849.js","auth/login.8d9b5fe8a19cbc186849.js.map"],"auth/otp":["auth/otp.17f71c286c4ef5838c10.js","auth/otp.17f71c286c4ef5838c10.js.map"],"auth/reset-password":["auth/reset-password.b20251afbd7655b491c1.js","auth/reset-password.b20251afbd7655b491c1.js.map"],"auth/signup":["auth/signup.38e2de18a3d7d49e1901.js","auth/signup.38e2de18a3d7d49e1901.js.map"],"auth/sso-signup":["auth/sso-signup.8c3feddbe01f02ad701b.js","auth/sso-signup.8c3feddbe01f02ad701b.js.map"],"billing/detail":["billing/detail.7c30c25000cb18635fad.js","billing/detail.7c30c25000cb18635fad.js.map"],"billing/downgrade":["billing/downgrade.3be55cca5333d74807d5.js","billing/downgrade.3be55cca5333d74807d5.js.map"],"billing/upgrade":["billing/upgrade.aa74d23e03f79c2b1e56.js","billing/upgrade.aa74d23e03f79c2b1e56.js.map"],"contact/contact":["contact/contact.8662906bb6004554b3f2.js","contact/contact.8662906bb6004554b3f2.js.map"],"debug/badstatus":["debug/badstatus.c7bb04c58ae395906dbf.js","debug/badstatus.c7bb04c58ae395906dbf.js.map"],"debug/detail":["debug/detail.34b54844c3ec9f69e471.js","debug/detail.34b54844c3ec9f69e471.js.map"],"debug/failcomponent":["debug/failcomponent.d1f8803e2009818ef71d.js","debug/failcomponent.d1f8803e2009818ef71d.js.map"],"egg/egg":["egg/egg.4e4902966f9314b37154.js","egg/egg.4e4902966f9314b37154.js.map"],"enterprise/complete":["enterprise/complete.89eaa305053a6c0f8989.js","enterprise/complete.89eaa305053a6c0f8989.js.map"],"enterprise/license-paid":["enterprise/license-paid.ebe1bfa16a3d49069d9b.js","enterprise/license-paid.ebe1bfa16a3d49069d9b.js.map"],"enterprise/license-purchase":["enterprise/license-purchase.33b546c059bd99696cf0.js","enterprise/license-purchase.33b546c059bd99696cf0.js.map"],"enterprise/on-site-buy-now":["enterprise/on-site-buy-now.537497d98021ab3a5cb2.js","enterprise/on-site-buy-now.537497d98021ab3a5cb2.js.map"],"enterprise/on-site-contact-confirmation":["enterprise/on-site-contact-confirmation.30cef6ea069bb5b8d238.js","enterprise/on-site-contact-confirmation.30cef6ea069bb5b8d238.js.map"],"enterprise/on-site-trial":["enterprise/on-site-trial.c4299d1451374df8d233.js","enterprise/on-site-trial.c4299d1451374df8d233.js.map"],"enterprise/orgs-terms":["enterprise/orgs-terms.1d97d471a2406c7a0bfa.js","enterprise/orgs-terms.1d97d471a2406c7a0bfa.js.map"],"enterprise/signup-confirmation":["enterprise/signup-confirmation.01182145a57b51bf81d6.js","enterprise/signup-confirmation.01182145a57b51bf81d6.js.map"],"errors/not-found":["errors/not-found.233c66ddecbbf24ac4fc.js","errors/not-found.233c66ddecbbf24ac4fc.js.map"],"errors/server":["errors/server.dd29f86cfe1f6df5386d.js","errors/server.dd29f86cfe1f6df5386d.js.map"],"errors/template":["errors/template.66c3e6b9be4cdeeb1b31.js","errors/template.66c3e6b9be4cdeeb1b31.js.map"],"flatpage/flatpage":["flatpage/flatpage.a15b631354b26980e9d2.js","flatpage/flatpage.a15b631354b26980e9d2.js.map"],"homepage/homepage":["homepage/homepage.110dbed7fffb8ed42685.js","homepage/homepage.110dbed7fffb8ed42685.js.map"],"homepage/homepage-logged-in":["homepage/homepage-logged-in.8797a9ea2201ab4336cc.js","homepage/homepage-logged-in.8797a9ea2201ab4336cc.js.map"],"npme-2/invite":["npme-2/invite.2db2f811ab5b4ca10d5f.js","npme-2/invite.2db2f811ab5b4ca10d5f.js.map"],"npme-2/invites":["npme-2/invites.8878a423875defcf6c76.js","npme-2/invites.8878a423875defcf6c76.js.map"],"npme-2/login":["npme-2/login.a9b772e49ae0412bf666.js","npme-2/login.a9b772e49ae0412bf666.js.map"],"npme-2/overrides/components/tutorials/creating-org":["npme-2/overrides/components/tutorials/creating-org.71f7d5901781c193fb73.js","npme-2/overrides/components/tutorials/creating-org.71f7d5901781c193fb73.js.map"],"npme-2/overrides/components/tutorials/default-registry":["npme-2/overrides/components/tutorials/default-registry.475fb9f18556bd682949.js","npme-2/overrides/components/tutorials/default-registry.475fb9f18556bd682949.js.map"],"npme-2/overrides/components/tutorials/installing-package":["npme-2/overrides/components/tutorials/installing-package.2b04ab2356a096fd5a49.js","npme-2/overrides/components/tutorials/installing-package.2b04ab2356a096fd5a49.js.map"],"npme-2/overrides/components/tutorials/publishing-package":["npme-2/overrides/components/tutorials/publishing-package.5697dc8704d72ac9ced0.js","npme-2/overrides/components/tutorials/publishing-package.5697dc8704d72ac9ced0.js.map"],"npme-2/overrides/components/tutorials/tabs":["npme-2/overrides/components/tutorials/tabs.df1dac1eefb18c4859bc.js","npme-2/overrides/components/tutorials/tabs.df1dac1eefb18c4859bc.js.map"],"npme-2/overrides/homepage":["npme-2/overrides/homepage.c385707ae0df1411a2a1.js","npme-2/overrides/homepage.c385707ae0df1411a2a1.js.map"],"npme-2/overrides/orgs/create":["npme-2/overrides/orgs/create.796a1ec58f26a83b0b55.js","npme-2/overrides/orgs/create.796a1ec58f26a83b0b55.js.map"],"npme-2/reports":["npme-2/reports.c848851d64a15951a1ef.js","npme-2/reports.c848851d64a15951a1ef.js.map"],"npme-2/settings":["npme-2/settings.d0c798bb186ce82f3ea8.js","npme-2/settings.d0c798bb186ce82f3ea8.js.map"],"npme-2/setup":["npme-2/setup.8ebd15e786c914775153.js","npme-2/setup.8ebd15e786c914775153.js.map"],"npme-2/sso-config":["npme-2/sso-config.28c27038f210cf50638a.js","npme-2/sso-config.28c27038f210cf50638a.js.map"],"npme-2/users":["npme-2/users.eeb8e1c64514e5683330.js","npme-2/users.eeb8e1c64514e5683330.js.map"],"npme/invite":["npme/invite.ffae73172929956e34eb.js","npme/invite.ffae73172929956e34eb.js.map"],"npme/invites":["npme/invites.44e371e54eac0a082e0d.js","npme/invites.44e371e54eac0a082e0d.js.map"],"npme/login":["npme/login.ab849e614586290dfb37.js","npme/login.ab849e614586290dfb37.js.map"],"npme/overrides/components/tutorials/creating-org":["npme/overrides/components/tutorials/creating-org.471161dde8734e77baa4.js","npme/overrides/components/tutorials/creating-org.471161dde8734e77baa4.js.map"],"npme/overrides/components/tutorials/default-registry":["npme/overrides/components/tutorials/default-registry.17619197ac9ebf75f78b.js","npme/overrides/components/tutorials/default-registry.17619197ac9ebf75f78b.js.map"],"npme/overrides/components/tutorials/installing-package":["npme/overrides/components/tutorials/installing-package.e55b3915848c09265955.js","npme/overrides/components/tutorials/installing-package.e55b3915848c09265955.js.map"],"npme/overrides/components/tutorials/publishing-package":["npme/overrides/components/tutorials/publishing-package.0e248bac8e84760c3a3c.js","npme/overrides/components/tutorials/publishing-package.0e248bac8e84760c3a3c.js.map"],"npme/overrides/components/tutorials/tabs":["npme/overrides/components/tutorials/tabs.1f4c0ff4d1338c5cb611.js","npme/overrides/components/tutorials/tabs.1f4c0ff4d1338c5cb611.js.map"],"npme/overrides/homepage":["npme/overrides/homepage.4955c4963ed9fa476105.js","npme/overrides/homepage.4955c4963ed9fa476105.js.map"],"npme/overrides/orgs/create":["npme/overrides/orgs/create.a7fa242e75db505a14cc.js","npme/overrides/orgs/create.a7fa242e75db505a14cc.js.map"],"npme/settings":["npme/settings.58e57b118bbd7878e2ed.js","npme/settings.58e57b118bbd7878e2ed.js.map"],"npme/setup":["npme/setup.c348ba66cd10e64fba12.js","npme/setup.c348ba66cd10e64fba12.js.map"],"npme/sso-config":["npme/sso-config.fc863259ffafbadaac78.js","npme/sso-config.fc863259ffafbadaac78.js.map"],"npme/users":["npme/users.7bf881838868fa2e8146.js","npme/users.7bf881838868fa2e8146.js.map"],"orgs/create":["orgs/create.25acfbc854056d91faab.js","orgs/create.25acfbc854056d91faab.js.map"],"orgs/detail":["orgs/detail.a0fc09a1dafcc608f604.js","orgs/detail.a0fc09a1dafcc608f604.js.map"],"orgs/invite":["orgs/invite.bb4dd212f2a1638cd111.js","orgs/invite.bb4dd212f2a1638cd111.js.map"],"orgs/upgrade":["orgs/upgrade.720c3caf2998a6f28cd5.js","orgs/upgrade.720c3caf2998a6f28cd5.js.map"],"package-list/dependents-list":["package-list/dependents-list.2dce05752934fcbcbe4f.js","package-list/dependents-list.2dce05752934fcbcbe4f.js.map"],"package-list/most-depended":["package-list/most-depended.f7001bbcaa0641bf4f40.js","package-list/most-depended.f7001bbcaa0641bf4f40.js.map"],"package-list/recently-updated":["package-list/recently-updated.37fbdf8fec827ddacad3.js","package-list/recently-updated.37fbdf8fec827ddacad3.js.map"],"package/package":["package/package.a8b3c84300ae1382adf1.js","package/package.a8b3c84300ae1382adf1.js.map"],"partners/detail":["partners/detail.455f79e0b6e62b2b62c8.js","partners/detail.455f79e0b6e62b2b62c8.js.map"],"partners/join":["partners/join.64518905a4506bd65cb0.js","partners/join.64518905a4506bd65cb0.js.map"],"partners/thanks":["partners/thanks.ff01ac06bf6bc9dca957.js","partners/thanks.ff01ac06bf6bc9dca957.js.map"],"profile/profile":["profile/profile.225a06aa9545bb306666.js","profile/profile.225a06aa9545bb306666.js.map"],"search/search":["search/search.7a1e54cf3d045148dbc1.js","search/search.7a1e54cf3d045148dbc1.js.map"],"settings/change-password":["settings/change-password.70b297e43c57d042ce46.js","settings/change-password.70b297e43c57d042ce46.js.map"],"settings/email":["settings/email.fadfc72c579bb081162b.js","settings/email.fadfc72c579bb081162b.js.map"],"settings/memberships":["settings/memberships.410836fc226dd288ffb8.js","settings/memberships.410836fc226dd288ffb8.js.map"],"settings/packages":["settings/packages.64c297193727a8e51542.js","settings/packages.64c297193727a8e51542.js.map"],"settings/profile":["settings/profile.833a150cc274224f5f70.js","settings/profile.833a150cc274224f5f70.js.map"],"teams/create":["teams/create.b9f70a2ae9de1915d420.js","teams/create.b9f70a2ae9de1915d420.js.map"],"teams/detail":["teams/detail.d4664bced272f9d0a3ad.js","teams/detail.d4664bced272f9d0a3ad.js.map"],"teams/list":["teams/list.261cf5f94b9192a3daab.js","teams/list.261cf5f94b9192a3daab.js.map"],"teams/packages":["teams/packages.71096da465263d66286d.js","teams/packages.71096da465263d66286d.js.map"],"teams/users":["teams/users.674a8b5b623059964462.js","teams/users.674a8b5b623059964462.js.map"],"tfa/enable":["tfa/enable.18fb4a852c69318b5589.js","tfa/enable.18fb4a852c69318b5589.js.map"],"tfa/showTFAQRCode":["tfa/showTFAQRCode.eb7002f5007a27821807.js","tfa/showTFAQRCode.eb7002f5007a27821807.js.map"],"tfa/showTFASuccess":["tfa/showTFASuccess.d060dc3061cf308203c2.js","tfa/showTFASuccess.d060dc3061cf308203c2.js.map"],"tfa/tfa-mode-selection":["tfa/tfa-mode-selection.a16db0ac7e3f02c6f5d3.js","tfa/tfa-mode-selection.a16db0ac7e3f02c6f5d3.js.map"],"tfa/tfa-password-entry":["tfa/tfa-password-entry.be0ca4c5433e4802b5ac.js","tfa/tfa-password-entry.be0ca4c5433e4802b5ac.js.map"],"tokens/create":["tokens/create.0a64e73c9a20dc823d2a.js","tokens/create.0a64e73c9a20dc823d2a.js.map"],"tokens/list":["tokens/list.1d67b6a2423c57d4efcd.js","tokens/list.1d67b6a2423c57d4efcd.js.map"],"vouchers/view":["vouchers/view.cc023324f08f48ef3082.js","vouchers/view.cc023324f08f48ef3082.js.map"]},"hash":"4d94cbb36d7d9f02c2f4","name":"advisories/detail","containerId":"app","headerName":"x-spiferack","publicPath":"https://static.npmjs.com/"}</script>

我对任何其他开源安全扫描工具开放,例如:Snyk,OWASP等......只要我可以将此漏洞检测功能用作Web服务。 关于还有什么可以尝试/使用的任何想法?

任何帮助将不胜感激!

更新:

似乎Node Security正在利用国家漏洞数据库( NVD )来解决开源漏洞,并将模块映射到常见漏洞和暴露 (CVE)。 可以在此处以多种形式获取整个CVE数据集。 也许这些数据可以反转映射? 我在嵌入式<script>标签中看到有问题的模块有很多字段。 直接相关的两个字段是: cvesmodule_name 其中module_name指向有问题的模块,在我的示例jquery中, cves似乎是来自上述CVE数据集的一对一映射 这将允许人们将整个数据集读入数据库并使用该数据库作为查找的真实来源。 所以问题真的变成了:

Node Security如何将CVE映射到module_names? 这是手动操作还是备用数据集中有更多列/字段?

更新2

NVDSnyk都提供用于库的漏洞检测的RSS源。 在引擎盖下,这正是npm审计用于确定安装库或运行审计时的高/中/低漏洞的内容。 这些RSS源有多种格式,实际上很容易解析。 此外,他们还有模块映射到漏洞。

话虽如此,如果您想利用这些开源扫描程序, 必须遵守其指定的许可证和使用规则。 例如,Snyx的RSS使用规则如下:

Snyk的漏洞数据库RSS源。 此DB(订阅源和存储库)根据AGPL-v3许可证进行许可,该许可证通常允许在内部使用,但禁止将DB嵌入​​到其他产品或服务中,除非该产品和提供的服务是开源的并且符合AGPL-v3许可证。 **有关Snyk漏洞数据库的其他许可,请通过contact@snyk.io**与我们联系

至于一些关注的问题:

你会利用npmjs(这是开源的),这就是重点。 Npmjs将保存您的所有库,并且您将按预期使用npmjs。 如果您需要更多隐私,您可以直接支付npmjs,例如私人范围的模块供内部使用。 很抱歉,如果我不清楚,因为目的只是使用npmjs而不是支付第三方实体为您托管JFrog仓库。

至于对许可证的关注,您应该始终遵守有关软件使用或再分发的法律。

1 个解决方案

解决方案1
 1 已采纳  2019-08-20 23:22:59

TLDR:使用RSS源进行库的漏洞检测,由NVD和Snyk提供, 遵守其指定的许可证和使用规则

NVD和Snyk都提供用于库的漏洞检测的RSS源。 在引擎盖下,这正是npm审计用于确定安装库或运行审计时的高/中/低漏洞的内容。 这些RSS源有多种格式,实际上很容易解析。 此外,他们还有模块映射到漏洞。

话虽如此,如果您想利用这些开源漏洞扫描程序, 必须遵守其指定的许可证和使用规则 例如,Snyx的RSS使用规则如下:

Snyk的漏洞数据库RSS源。 此DB(订阅源和存储库)根据AGPL-v3许可证进行许可,该许可证通常允许在内部使用,但禁止将DB嵌入​​到其他产品或服务中,除非该产品和提供的服务是开源的并且符合AGPL-v3许可证。 **有关Snyk漏洞数据库的其他许可,请通过contact@snyk.io**与我们联系

干杯

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何解决 NPM 审计漏洞? 如何将 npm 审核与 NPM 工作区一起使用? NPM模块-如何利用package.json文件? 如何克服 Electron 的 npm 审计修复失败? 如何使用 loadVirtual 和 ENOLOCK 修复 npm 审计错误? npm 审计与纱线审计 npm 审计 EINVALIDTAGNAME NPM 审计警告 NPM审计修复 NPM 审计漏洞
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM