Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Node Security Platform, nsp, npm audit @roppong...
Search
urahiroshi
May 29, 2018
Programming
1
890
Node Security Platform, nsp, npm audit @roppongi.js#3
Roppongi.js#3 の資料です
urahiroshi
May 29, 2018
Tweet
Share
More Decks by urahiroshi
See All by urahiroshi
プロダクトのスケールによって顕在化しうるリスクをどう管理するか?
urahiroshi
8
4.9k
Mercari_Frontend_CircleCI.pdf
urahiroshi
2
2.6k
SET活動のすすめ.pdf
urahiroshi
1
1.5k
Other Decks in Programming
See All in Programming
毎日13時間もかかるバッチ処理をたった3日で60%短縮するためにやったこと
sho_ssk_
1
170
短期間での新規プロダクト開発における「コスパの良い」Goのテスト戦略」 / kamakura.go
n3xem
2
170
Haze - Real time background blurring
chrisbanes
1
520
선언형 UI에서의 상태관리
l2hyunwoo
0
180
return文におけるstd::moveについて
onihusube
1
1.2k
ブラウザ単体でmp4書き出すまで - muddy-web - 2024-12
yue4u
3
480
Итераторы в Go 1.23: зачем они нужны, как использовать, и насколько они быстрые?
lamodatech
0
840
今年一番支援させていただいたのは認証系サービスでした
satoshi256kbyte
1
260
Exploring: Partial and Independent Composables
blackbracken
0
100
ドメインイベント増えすぎ問題
h0r15h0
2
360
テスト自動化失敗から再挑戦しチームにオーナーシップを委譲した話/STAC2024 macho
ma_cho29
1
1.3k
生成AIでGitHubソースコード取得して仕様書を作成
shukob
0
480
Featured
See All Featured
Building a Scalable Design System with Sketch
lauravandoore
460
33k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
365
25k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
330
21k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.9k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
2
290
Being A Developer After 40
akosma
87
590k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
29
2k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
5
450
Building Better People: How to give real-time feedback that sticks.
wjessup
365
19k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
1.2k
Transcript
Node Security Platform, nsp, npm audit גࣜձࣾϝϧΧϦ SET(Software Engineer in
Test) @urahiroshi (Hiroshi Urayama)
Node Security Platform • https://nodesecurity.io • npmύοέʔδͷ੬ऑੑใΛใࠂɺऔಘͰ͖Δϓ ϥοτϑΥʔϜ • ੬ऑੑΛใࠂ͢Δ
=> ύοέʔδͷϝϯςφʹ௨ => मਖ਼ or 45ܦաͰެ։͞ΕΔ (https://nodesecurity.io/report)
None
nsp • https://github.com/nodesecurity/nsp • Node Security Platformͷ੬ऑੑใΛجʹɺΠϯετʔϧ͍ͯ͠ Δnpmύοέʔδͷ੬ऑੑΛݕ͢Δ͜ͱ͕Ͱ͖Δύοέʔδ • Node
Security PlatformΛӡӦ͢Δ ^Lift Security ͕npm, Incʹങऩ͞ΕɺnpmίϚϯυʹύοέʔδ ͷ੬ऑੑݕ(npm audit)͕Έࠐ·ΕͨͷͰɺࠓޙੵۃతʹ͏ ཧ༝ͳ͍ • GitHubϦϙδτϦΞʔΧΠϒԽ͞Ε͍ͯΔ
`nsp check`
npm audit •
[email protected]
,
[email protected]
͔Β͑ΔΑ͏ʹͳͬͨ • npm installͨ͠ࡍʹࣗಈతʹ࣮ߦ͞ΕɺαϚϦ͕දࣔ͞ΕΔʢҎԼʣ •
[email protected]
͔Βjsonग़ྗ(`npm audit —json`)੬ऑੑͷ͋Δύοέʔδͷࣗ ಈߋ৽(`npm audit fix`)ػೳ͕Ճ͞ΕɺΑΓ͑ΔΑ͏ʹͳͬͨ • nspͷڍಈͱޓੑͳ͍ • Ұ෦ͷύοέʔδؚ͕·Ε͍ͯΔͱΤϥʔʹͳΔ߹͕͋Δ (nspͳΒେ ৎͳͷʹ…) https://github.com/npm/npm/issues/20604
`npm audit`
yarnͷ߹ • nspnpm audityarn.lockʹඇରԠ - nsp: package.json͚ͩͰ੬ऑੑใදࣔ - npm audit:
ΤϥʔʹͳΔ
yarnͷ߹ 1. (nspͷ߹ͷΈ) [nsp-preprocessor-yarn](https://github.com/ hermanbanken/nsp-preprocessor-yarn) Λ͏ • ੵۃతʹ͏ཧ༝ͳ͍ 2. [synp](https://github.com/imsnif/synp)Ͱyarn.lockΛpackage-
lock.json ʹม͢Δ 3. `yarn install` ͨ͠ޙʹ `npm shrinkwrap` ͢Δ 4. ͍ۙ͏ͪʹ `yarn audit` ͕Ͱ͖ͦ͏ʁ https://github.com/yarnpkg/yarn/issues/5808
CIͰ͏ • CircleCIͷScheduling JobΛͬͯఆظతʹ࣮ߦ • िҰճ: ΞυόΠβϦҰཡΛSlackʹ௨ • ৄࡉCircleCIͷ࣮ߦϩά͔ΒݟΔ(ҎԼྫ)
• ຖ: ΞυόΠβϦҰཡʹมԽ͕͋ΕSlack௨ (લճͷ࣮ߦ ݁ՌΛCircleCIͷΩϟογϡʹอଘͯ͠ൺֱʹ͏)
ӡ༻ͯ͠Έͯ • ݕग़͞ΕΔ੬ऑੑͷߋ৽සଟ͍ͷͰɺӡ༻ίετ͚ͬ͜͏ େ͖͍ • ྫ: webpackͷ੬ऑੑݕࠪͯ͠Έͨ߹ • ҎԼͷྲྀΕͰௐ͍ࠪͯ͠Δ 1.
ৄࡉ(େମHackerOneͷϦϯΫ͕͍͍ͭͯΔ)Λݟͯ੬ऑੑͷ ༰ɺൃੜ݅Λ֬ೝ 2. ϥΠϒϥϦͷ༻్ͱরΒ͠߹ΘͤͯϦεΫ͕͋Δ͔அ ʢϏϧυ༻్ͷϥΠϒϥϦͰ͋ͬͯඞͣ҆શͩͱݴ͑ͳ͍ɻ੬ ऑੑͷ༰࣍ୈʣ
ӡ༻ͯ͠Έͯ • ύονग़ͯͳ͍ͷ͕݁ߏଟ͍ • “It is our recommendation to not
install or use this module at this time.” • ͳ͔ͳ͔͙͢ʹରԠ͍͠ • npmʹΈࠐ·Εͨ͜ͱͰɺͬͱରԠ͞Ε͍ͯ ͘ & ରԠ͞Εͳ͍ύοέʔδࣗવ౫ଡ͞Ε͍ͯ ͘Α͏ʹͳΔ͜ͱΛظ
͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ • ϝϧΧϦͰSET (Software Engineer in Test) ͷϝϯόʔΛਵ࣌ืूதͰ͢