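核心要点

校验 `CVE` 格式与 `CVSS` 范围;统一包名与版本格式。按 `CVE+包+版本` 去重;保留最高评分与最新来源时间。阈值与权重策略输出阻断与警告清单。

实现示例

/** One vulnerability record as received from an upstream feed. */
type Advisory = {
  source: 'OSV' | 'NVD';
  package: string;
  version: string;
  cve: string;
  /** CVSS base score; must lie in 0–10 to be accepted. */
  cvss: number;
  /** Numeric timestamp of the record at its source; only compared, larger means newer. */
  time: number;
};

/**
 * Checks that `id` is a well-formed CVE identifier (`CVE-YYYY-NNNN…`, four or more
 * sequence digits) whose year lies between 1999 and the current calendar year.
 */
function validCve(id: string): boolean {
  const match = /^CVE-(\d{4})-(\d{4,})$/.exec(id);
  if (match === null) return false;
  const year = Number(match[1]);
  return year >= 1999 && year <= new Date().getFullYear();
}

/** True when `s` is a finite number inside the CVSS range 0–10 (NaN and ±Infinity are rejected). */
function validCvss(s: number): boolean {
  return Number.isFinite(s) && s >= 0 && s <= 10;
}

// Strict SemVer 2.0.0: no leading zeros, optional pre-release and build metadata.
// Hoisted so the regex is compiled once rather than per call.
const SEMVER_RE =
  /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*)?(?:\+[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*)?$/;

/** True when `v` is a strictly formatted SemVer string (whitespace is not tolerated). */
function semverValid(v: string): boolean {
  return SEMVER_RE.test(v);
}

/**
 * Dedup key: CVE + package + version. The package name is used as given; any
 * ecosystem-specific normalisation (case folding, scope prefixes) must happen upstream.
 */
function key(a: Advisory): string {
  return `${a.cve}|${a.package}|${a.version}`;
}

/**
 * Validates and de-duplicates advisories by {@link key}.
 *
 * Entries with a malformed CVE id, an out-of-range/non-finite CVSS score, a non-SemVer
 * version or a non-finite time are dropped. Duplicates are *folded*, not replaced: the
 * surviving record carries the highest CVSS (and that record's source) together with the
 * newest time, so the result does not depend on the order of `list`.
 *
 * @param list - raw advisories, possibly with duplicates and invalid entries
 * @returns one advisory per key, in first-seen order
 */
function merge(list: readonly Advisory[]): Advisory[] {
  const byKey = new Map<string, Advisory>();
  for (const a of list) {
    if (!validCve(a.cve) || !validCvss(a.cvss) || !semverValid(a.version) || !Number.isFinite(a.time)) {
      continue;
    }
    const k = key(a);
    const prev = byKey.get(k);
    if (prev === undefined) {
      byKey.set(k, { ...a });
      continue;
    }
    // Keep the highest score (ties keep the earlier record) AND the newest time,
    // instead of overwriting the whole record when either is larger.
    const best = a.cvss > prev.cvss ? a : prev;
    byKey.set(k, { ...best, time: Math.max(a.time, prev.time) });
  }
  return Array.from(byKey.values());
}

/** Gate thresholds and per-source weights; a score ≥ `block` fails the gate, ≥ `warn` warns. */
type Policy = { block: number; warn: number; weight: Record<'OSV' | 'NVD', number> };

/**
 * Weighted score for gating. A weight that is absent falls back to 1; an explicit `0`
 * is honoured (it silences that source) rather than being treated as "unset".
 */
function score(a: Advisory, policy: Policy): number {
  return a.cvss * (policy.weight[a.source] ?? 1);
}

/**
 * Partitions the merged advisories into blocked / warned / passed buckets.
 *
 * @param list - raw advisories; they are validated and de-duplicated via {@link merge}
 * @param policy - thresholds and weights; `block` is tested before `warn`
 * @returns the three buckets in first-seen order
 * @throws RangeError when a threshold is not a finite number — a NaN threshold would
 *   otherwise silently pass everything, which is the wrong failure mode for a CI gate
 */
function evaluate(
  list: readonly Advisory[],
  policy: Policy,
): { blocked: Advisory[]; warned: Advisory[]; passed: Advisory[] } {
  if (!Number.isFinite(policy.block) || !Number.isFinite(policy.warn)) {
    throw new RangeError('policy.block and policy.warn must be finite numbers');
  }
  const blocked: Advisory[] = [];
  const warned: Advisory[] = [];
  const passed: Advisory[] = [];
  for (const a of merge(list)) {
    const s = score(a, policy);
    if (s >= policy.block) blocked.push(a);
    else if (s >= policy.warn) warned.push(a);
    else passed.push(a);
  }
  return { blocked, warned, passed };
}

审计与CI门禁

输出阻断与警告清单并归档来源、评分与时间;阻断项直接失败。例外审批需设到期时间与责任人;到期自动恢复策略。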
