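/*
 * Dependency-vulnerability gate for CI.
 *
 * Key points: unify the data source and format, and validate the CVE
 * identifier and the CVSS range. Threshold policy: reaching or exceeding the
 * block threshold blocks the build; an exception list with expiry times is
 * supported. The audit record holds dependency, version, CVE, score, policy
 * decision and approval information.
 *
 * Parameters and rules:
 *   - CVE format `CVE-YYYY-NNNN`: four-digit year within an accepted range,
 *     sequence number of at least four digits.
 *   - CVSS range `0.0` to `10.0`, normally given with one or two decimals
 *     (the precision itself is not enforced below).
 *   - Threshold example: block `>= 7.0`; warn `5.0–6.9`; pass `< 5.0`.
 *
 * Security notes on this implementation:
 *   - The gate fails closed: an advisory whose CVE or CVSS cannot be validated
 *     is blocked, and a policy whose numeric fields are not finite raises
 *     instead of silently passing (a NaN threshold would otherwise make every
 *     `>=` comparison false and disable blocking entirely).
 *   - Waivers come only from the caller-supplied exception list, never from
 *     the advisory itself, so report data cannot waive its own finding.
 */

/** One finding from a security report. `url` and `expiresAt` are informational only. */
type Advisory = {
  package: string
  version: string
  cve: string
  cvss: number
  url?: string
  /** Informational. NOT consulted by decide(); waivers live in the exception list. */
  expiresAt?: number
}

/** Accepted CVE id syntax: uppercase prefix, 4-digit year, 4+ digit sequence. Hoisted so it is not rebuilt per call. */
const CVE_ID = /^CVE-(\d{4})-(\d{4,})$/

/**
 * Checks that `id` is a syntactically valid CVE identifier.
 *
 * Matching is strict (no surrounding whitespace, no lowercase); normalise ids
 * upstream if a feed emits them differently. The year must lie between 1999
 * (the first CVE year) and the year of `now`, so future-dated ids are rejected.
 *
 * @param id  candidate identifier, e.g. `CVE-2021-44228`
 * @param now reference clock in ms since epoch; defaults to the wall clock.
 *            Pass the policy clock to keep CI decisions reproducible.
 */
function validCve(id: string, now: number = Date.now()): boolean {
  const m = CVE_ID.exec(id)
  if (!m) return false
  const year = Number(m[1])
  return year >= 1999 && year <= new Date(now).getUTCFullYear()
}

/**
 * Checks that `score` is a finite number within the CVSS range 0.0–10.0.
 * NaN/Infinity are rejected explicitly: NaN compares false against every
 * threshold and would otherwise fall through to 'pass'.
 */
function validCvss(score: number): boolean {
  return Number.isFinite(score) && score >= 0 && score <= 10
}

/** Gate configuration. `now` (ms since epoch) drives exception expiry and the CVE-year check. */
type Policy = { blockThreshold: number; warnThreshold: number; now: number }

/** Outcome of classifying a single advisory. */
type Verdict = 'block' | 'warn' | 'pass'

/**
 * Returns true when every numeric field of the policy is a finite number.
 * A non-finite threshold (e.g. NaN from an unset environment variable parsed
 * with parseFloat) would make every `>=` comparison false and silently turn
 * the gate off.
 */
function validPolicy(p: Policy): boolean {
  return Number.isFinite(p.blockThreshold) && Number.isFinite(p.warnThreshold) && Number.isFinite(p.now)
}

/**
 * Fail closed on a misconfigured gate.
 * @throws Error when validPolicy(p) is false.
 */
function assertValidPolicy(p: Policy): void {
  if (!validPolicy(p)) {
    throw new Error('invalid policy: blockThreshold, warnThreshold and now must be finite numbers')
  }
}

/**
 * Looks up an unexpired waiver for this exact package, version and CVE.
 *
 * @param exceptions map from `package@version:cve` to the expiry time (ms since
 *                   epoch). An entry is honoured only while `until >= now`; a
 *                   waiver without an expiry cannot be expressed, by design.
 *
 * NOTE(review): the key is built by plain interpolation, so a package name or
 * version that itself contains `@` or `:` could make two different advisories
 * share a key. Keep names and versions normalised upstream if your feed allows
 * such characters; the key format is kept here because callers populate it.
 */
function inException(a: Advisory, exceptions: Map<string, number>, now: number): boolean {
  const until = exceptions.get(`${a.package}@${a.version}:${a.cve}`)
  // An explicit expiry of 0 is a real (long-expired) value, not a missing one.
  return until !== undefined && until >= now
}

/**
 * Classifies one advisory under the policy.
 *
 * Order matters: malformed data is blocked before the exception list is
 * consulted, so a waiver cannot be used to smuggle an unparsable finding
 * through; then an unexpired waiver passes; then thresholds apply with
 * "reaching or exceeding" semantics (`>=`).
 *
 * @throws Error when the policy itself is invalid (see validPolicy) — a
 *         misconfigured gate must fail the build, not pass everything.
 */
function decide(a: Advisory, p: Policy, exceptions: Map<string, number>): Verdict {
  assertValidPolicy(p)
  if (!validCve(a.cve, p.now) || !validCvss(a.cvss)) return 'block'
  if (inException(a, exceptions, p.now)) return 'pass'
  if (a.cvss >= p.blockThreshold) return 'block'
  if (a.cvss >= p.warnThreshold) return 'warn'
  return 'pass'
}

/**
 * Partitions advisories into blocked / warned / passed buckets, preserving
 * input order within each bucket. The policy is validated once up front so a
 * broken configuration fails even on an empty report.
 *
 * @throws Error when the policy is invalid.
 */
function evaluate(advisories: Advisory[], policy: Policy, exceptions: Map<string, number>): { blocked: Advisory[]; warned: Advisory[]; passed: Advisory[] } {
  assertValidPolicy(policy)
  const buckets: Record<Verdict, Advisory[]> = { block: [], warn: [], pass: [] }
  for (const a of advisories) buckets[decide(a, policy, exceptions)].push(a)
  return { blocked: buckets.block, warned: buckets.warn, passed: buckets.pass }
}

/*
 * Audit and CI gating: parse the security report before the build and apply
 * the policy; any blocked item fails the build and prints its details. The
 * audit record includes dependency, version, CVE, CVSS, policy result and the
 * exception's expiry time.
 */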
