OWASP依赖性检查:未分析JavaScript代码
我正在尝试使用 NPM 模块 owasp-dependency-check突出显示我的网络项目代码中可能存在的漏洞。我已经安装了最新的0.0.18版本。
我想分析我编写的自定义代码(目录src)和我的项目依赖的库(目录node_modules)。
package.json 中的任务(scripts 部分)内容如下:
"test:dependency": "owasp-dependency-check --project \"MY_PROJECT\" --scan \"src\" --scan \"node_modules\" --exclude \"dependency-check-bin\" --out \"owasp\" --format HTML"
启动后,似乎已正确指定了指令:
owasp-dependency-check: Running the dependency check ...
/home/workspace/MY_PROJECT/dependency-check-bin/dependency-check/bin/dependency-check.sh --out=owasp --project MY_PROJECT --scan src --scan node_modules --exclude dependency-check-bin --format HTML --data=/tmp/dependency-check-data
执行大约 10 分钟后,我发现一个文件 owasp/dependency -check-report.html 大小为 61MB (!?!)。我在浏览器中查看它,它包含对唯一目录dependency-check-bin的分析,该目录是owasp-dependency-check< /code> NPM 模块安装了一些可执行文件,我在分析中明确尝试跳过它们。
(讽刺的是,依赖项检查器本身使用的库中有 6 个中度到严重的漏洞...)
我的问题是:包中的任务定义有什么问题.json?我应该如何调用 owasp-dependency-check 来扫描 node_modules 和 src?
I am trying to use the NPM module owasp-dependency-check in order to highlight possible vulnerabilities in the code of my web project. I have installed version 0.0.18, the latest.
I want to analyse the custom code I wrote (directory src) and the libraries my project depends on (directory node_modules).
The task in package.json (section scripts) reads:
"test:dependency": "owasp-dependency-check --project \"MY_PROJECT\" --scan \"src\" --scan \"node_modules\" --exclude \"dependency-check-bin\" --out \"owasp\" --format HTML"
After the launch, it seems that the instructions have been specified correctly:
owasp-dependency-check: Running the dependency check ...
/home/workspace/MY_PROJECT/dependency-check-bin/dependency-check/bin/dependency-check.sh --out=owasp --project MY_PROJECT --scan src --scan node_modules --exclude dependency-check-bin --format HTML --data=/tmp/dependency-check-data
After about 10 minutes of execution, I find a file owasp/dependency-check-report.html with size of 61MB (!?!). I view it in the browser and it contains the analysis of the sole directory dependency-check-bin, which is the directory where the owasp-dependency-check NPM module installs some executables and which I explicitly try to skip in the analysis.
(ironically, there are 6 medium-to-critical vulnerabilities in the libraries that the dependency checker itself uses...)
My question is: what is wrong with my task definition in package.json? How should I invoke owasp-dependency-check in order to scan node_modules and src?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
答案是,由NPM模块的一个维护者提供给我。
在JavaScript的情况下,扫描不涉及目录,而是单个
package-lock.json文件。因此,正确的任务定义是:
The answer was given to me by one of the maintainers of the NPM module.
In the case of JavaScript the scan does not involve directories, but the single
package-lock.jsonfile.The correct task definition is therefore: