// Implementation example
/**
 * One dependency entry as read from a manifest. `sig` is optional; when present it
 * carries the algorithm tag and the base64 text of the signature.
 */
type NuDep = {
  id: string
  version: string
  source: string
  sha256: string
  sig?: { alg: 'RS256'; b64: string }
}
/**
 * Package-source hosts accepted by validSource(). Compared against `URL.host`, so an
 * explicit port in a source URL must also appear here to be accepted.
 */
const allowHosts: Set<string> = new Set(['api.nuget.org', 'nuget.example.com'])
/** True when `h` is exactly 64 hexadecimal characters in either case (a hex-encoded SHA-256). */
function hex64(h: string): boolean {
  const onlyHexChars = /^[0-9a-f]+$/i.test(h)
  return h.length === 64 && onlyHexChars
}
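/**
 * True when `s` is a non-empty, well-formed standard base64 string: whole groups of four
 * alphabet characters, optionally ending in one padded group (`xx==` or `xxx=`).
 * Checking the grammar rather than only the alphabet rejects `=` in the middle of the
 * text and lengths that are not a multiple of four; unpadded input is rejected too.
 * Only the encoding shape is checked — nothing is decoded or verified here.
 */
function b64(s: string): boolean {
  if (s.length === 0) return false
  return /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/.test(s)
}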
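/**
 * True when `u` parses as an absolute https URL whose host (hostname plus any explicit
 * port, as `URL.host` reports it) is in `allowHosts` and which carries no embedded
 * credentials. A string that does not parse counts as invalid rather than throwing, so
 * a malformed manifest entry surfaces as a validation error instead of an exception.
 */
function validSource(u: string): boolean {
  let parsed: URL
  try {
    parsed = new URL(u)
  } catch {
    return false
  }
  if (parsed.protocol !== 'https:') return false
  // `user:pass@host` in a source URL would carry a secret into the manifest and into
  // any log or audit record of it; an allow-listed host should not need it.
  if (parsed.username !== '' || parsed.password !== '') return false
  return allowHosts.has(parsed.host)
}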
/**
 * Loose version check: three dot-separated numeric parts, optionally followed by a run of
 * `-`, `.`, `_` and alphanumerics. The suffix need not start with `-`, so pre-release labels
 * and a fourth numeric part (`1.2.3.4`) both pass; nothing else about the suffix is checked.
 */
function semverLike(v: string): boolean {
  const versionShape = /^(\d+\.\d+\.\d+)(?:[-A-Za-z0-9_.]+)?$/
  return versionShape.exec(v) !== null
}
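/**
 * Validates every dependency entry against the shape rules above and collects one error tag
 * per failed check, so a CI gate can block on `ok === false` and report all problems at once.
 *
 * Error tags are `id:`, `version:`, `source:`, `hash:` or `sig:` followed by the entry's id
 * (or `#<index>` when the entry has no id). A bad version gets its own `version:` tag so it
 * is not mistaken for a missing id. The `sig:` check only validates the algorithm tag and
 * the base64 shape of the signature text; no cryptographic verification happens here.
 *
 * @param list dependency entries, typically parsed from a manifest or lockfile
 * @returns `ok` is true iff no entry failed any check; an empty list is ok
 */
function evaluate(list: NuDep[]): { ok: boolean; errors: string[] } {
  const errors: string[] = []
  for (const [i, d] of list.entries()) {
    // Entries with no id are referenced by position so the error still points somewhere.
    const ref = d.id || `#${i}`
    if (!d.id) errors.push(`id:${ref}`)
    if (!semverLike(d.version)) errors.push(`version:${ref}`)
    if (!validSource(d.source)) errors.push(`source:${ref}`)
    if (!hex64(d.sha256)) errors.push(`hash:${ref}`)
    // `!= null` also covers a `null` sig coming from untyped JSON input.
    if (d.sig != null && (d.sig.alg !== 'RS256' || !b64(d.sig.b64))) errors.push(`sig:${ref}`)
  }
  return { ok: errors.length === 0, errors }
}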
审计与CI门禁

审计来源域与哈希/签名；出现异常时阻断并回退。变更需经审批并归档，以支持快速回溯。
