Node.js vulnerabilities
Vulnerabilities can exist in all products. The larger your software grows, the greater the potential for vulnerabilities.
Vulnerabilities create opportunities for exploits which could ruin both the user experience and the product itself.
Additionally, in today's fast-paced world, the rate of vulnerabilities increases as companies demand rapid development (or update) processes. And exploiters are everywhere, looking to take advantage of them.
That is why it’s important to check for vulnerabilities as early as possible in your applications. This can help you make sure that the final product is secure, and save you a lot of time in the long-run.
In this article, we'll look at six tools that will help you check for vulnerabilities in Node.js.
Security vulnerabilities are very common in Node.js. As developers, we keep using open source tools because we do not want to reinvent the wheel. This makes development easier and faster for us, but at the same time it introduces possible vulnerabilities to our applications.
The best we can do for ourselves is to continually verify the packages we use because the more dependencies we use, the more room there is for more vulnerabilities.
Manually checking dependencies can be stressful and can increase development time. And going online to find out how vulnerable a package is before installing it can be time-consuming, especially for an application with many dependencies.
This is why we need automated tools to help us with this process.
Retire.js helps developers detect versions of libraries or modules with known vulnerabilities in Node.js applications.
It can be used in four ways:
A Grunt plugin (grunt-retire), used to scan Grunt-enabled applications.
WhiteSource Renovate is a multi-platform and multi-language open source tool by WhiteSource which performs automated dependency updates in software updates.
It offers features such as automated pull requests when dependencies need updating, supports numerous platforms, easy modification, and lots more. All changelogs and commit histories are included in each update of the application.
It can be used in various ways such as:
WhiteSource Renovate also has an on-premises solution that extends the CLI tool to add more features thereby making your applications more efficient.
Dependency-Check is a Software Composition Analysis (SCA) tool used for managing and securing open source software.
Developers can use it to identify publicly disclosed vulnerabilities in Node.js, Python, and Ruby.
The tool inspects the project's dependencies to gather information about every dependency. It determines whether there is a Common Platform Enumeration (CPE) identifier for a given dependency, and if one is found, it generates a list of the associated Common Vulnerabilities and Exposures (CVE) entries.
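The core of what Retire.js and Dependency-Check do, once the dependency inventory is gathered, is match each resolved version against the affected-version ranges of known advisories. The following is an added example written for this article, not code from either project; the advisory list and the lockfile excerpt are constructed sample data (the advisory ids are placeholders, not real CVE numbers).

```javascript
// Constructed advisory database: package name, affected semver range, placeholder id.
const ADVISORIES = [
  { name: 'left-pad-ish', affected: '<1.3.0', id: 'SAMPLE-ADV-1' },
  { name: 'tiny-router', affected: '>=2.0.0 <2.4.1', id: 'SAMPLE-ADV-2' },
];

// Parse "1.2.3" into [1, 2, 3]; rejects anything that is not plain semver.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric (not lexical) comparison, so 1.10.0 sorts after 1.9.0.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// A range is a space-separated AND of comparators, e.g. ">=2.0.0 <2.4.1".
function satisfies(version, range) {
  return range.split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(clause);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    const c = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '<': return c < 0;
      case '<=': return c <= 0;
      case '>': return c > 0;
      case '>=': return c >= 0;
      default: return c === 0;
    }
  });
}

// installed: { name: exactVersion } as read from a lockfile.
// Returns one finding per matching advisory; CI can fail the build when non-empty.
function findVulnerable(installed, advisories = ADVISORIES) {
  const findings = [];
  for (const [name, version] of Object.entries(installed)) {
    for (const adv of advisories) {
      if (adv.name === name && satisfies(version, adv.affected)) {
        findings.push({ name, version, id: adv.id, affected: adv.affected });
      }
    }
  }
  return findings;
}

// Constructed lockfile excerpt: only left-pad-ish 1.2.9 falls in an affected range.
const SAMPLE_INSTALLED = { 'left-pad-ish': '1.2.9', 'tiny-router': '2.5.0', express: '4.18.2' };
console.log(findVulnerable(SAMPLE_INSTALLED));
```

Real tools replace the constructed list with a live advisory feed and cover pre-release tags and caret/tilde ranges, which this matcher deliberately rejects rather than guessing.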
Dependency-Check can be used as a CLI tool, a Maven plugin, an Ant Task and a Jenkins plugin.
The OSS Index allows developers to search for millions of components to discover the vulnerable and invulnerable ones. This assures developers that the components they plan on using are well protected.
They also provide developers with various tools and plugins for programming languages like JavaScript.
These allow them to scan projects for open source vulnerabilities as well as integrate security into the development process of the project.
Acunetix is a web application security scanner that allows developers to identify vulnerabilities in Node.js applications and enables them to fix the vulnerabilities to keep attackers out. It comes with a 14-day trial for testing applications.
The benefits of using Acunetix to scan web applications are numerous. Some of them are:
NodeJsScan is a static security code scanner. It is used for discovering security vulnerabilities in web applications, web services and serverless applications.
It can be used as a CLI tool (which allows NodeJsScan to be integrated with CI/CD pipelines), a web based application, and also has a Python API.
Packages, libraries and components for Node.js applications are released regularly, and the fact that they are open source leaves room for vulnerabilities. This is true whether you're working with Node.js, Apache Struts, or any other open source framework.
Developers need to watch out for vulnerabilities in new releases of packages and know when it's necessary to update packages. The tools above can ease the process of creating efficient and reliable products.
Translated from: https://www.freecodecamp.org/news/6-tools-you-can-use-to-check-for-vulnerabilities-in-node-js/