Node Security Platform, nsp, npm audit @roppongi.js#3

Node Security Platform, nsp, npm audit גࣜձࣾϝϧΧϦ SET(Software Engineer in
Test) @urahiroshi (Hiroshi Urayama)

Node Security Platform • https://nodesecurity.io • npmύοέʔδͷ੬ऑੑ৘ใΛใࠂɺऔಘͰ͖Δϓ ϥοτϑΥʔϜ • ੬ऑੑΛใࠂ͢Δ 
=> ύοέʔδͷϝϯςφʹ௨஌  => मਖ਼ or 45೔ܦաͰެ։͞ΕΔ  (https://nodesecurity.io/report)

nsp • https://github.com/nodesecurity/nsp • Node Security Platformͷ੬ऑੑ৘ใΛجʹɺΠϯετʔϧ͍ͯ͠ Δnpmύοέʔδͷ੬ऑੑΛݕ஌͢Δ͜ͱ͕Ͱ͖Δύοέʔδ • Node
Security PlatformΛӡӦ͢Δ  ^Lift Security ͕npm, Incʹങऩ͞ΕɺnpmίϚϯυʹύοέʔδ ͷ੬ऑੑݕ஌(npm audit)͕૊Έࠐ·ΕͨͷͰɺࠓޙੵۃతʹ࢖͏ ཧ༝͸ͳ͍ • GitHubϦϙδτϦ΋ΞʔΧΠϒԽ͞Ε͍ͯΔ

`nsp check`

npm audit • npm@6.0.0, npm@5.10.0͔Β࢖͑ΔΑ͏ʹͳͬͨ • npm installͨ͠ࡍʹ΋ࣗಈతʹ࣮ߦ͞ΕɺαϚϦ͕දࣔ͞ΕΔʢҎԼʣ    •
npm@6.1.0͔Βjsonग़ྗ(`npm audit —json`)΍੬ऑੑͷ͋Δύοέʔδͷࣗ ಈߋ৽(`npm audit ﬁx`)ػೳ͕௥Ճ͞ΕɺΑΓ࢖͑ΔΑ͏ʹͳͬͨ • nspͷڍಈͱޓ׵ੑ͸ͳ͍ • Ұ෦ͷύοέʔδؚ͕·Ε͍ͯΔͱΤϥʔʹͳΔ৔߹͕͋Δ (nspͳΒେ ৎ෉ͳͷʹ…)  https://github.com/npm/npm/issues/20604

`npm audit`

yarnͷ৔߹ • nsp΋npm audit΋yarn.lockʹ͸ඇରԠ  - nsp: package.json͚ͩͰ੬ऑੑ৘ใදࣔ  - npm audit:
ΤϥʔʹͳΔ

yarnͷ৔߹ 1. (nspͷ৔߹ͷΈ) [nsp-preprocessor-yarn](https://github.com/ hermanbanken/nsp-preprocessor-yarn) Λ࢖͏ • ੵۃతʹ࢖͏ཧ༝͸ͳ͍ 2. [synp](https://github.com/imsnif/synp)Ͱyarn.lockΛpackage-
lock.json ʹม׵͢Δ 3. `yarn install` ͨ͠ޙʹ `npm shrinkwrap` ͢Δ 4. ͍ۙ͏ͪʹ `yarn audit` ͕Ͱ͖ͦ͏ʁ  https://github.com/yarnpkg/yarn/issues/5808

CIͰ࢖͏ • CircleCIͷScheduling JobΛ࢖ͬͯఆظతʹ࣮ߦ • िҰճ: ΞυόΠβϦҰཡΛSlackʹ௨஌ • ৄࡉ͸CircleCIͷ࣮ߦϩά͔ΒݟΔ(ҎԼྫ)   
    • ຖ೔: ΞυόΠβϦҰཡʹมԽ͕͋Ε͹Slack௨஌ (લճͷ࣮ߦ ݁ՌΛCircleCIͷΩϟογϡʹอଘͯ͠ൺֱʹ࢖͏)

ӡ༻ͯ͠Έͯ • ݕग़͞ΕΔ੬ऑੑͷ਺΋ߋ৽ස౓΋ଟ͍ͷͰɺӡ༻ίετ͸͚ͬ͜͏ େ͖͍ • ྫ: webpackͷ੬ऑੑݕࠪͯ͠Έͨ৔߹  • ҎԼͷྲྀΕͰௐ͍ࠪͯ͠Δ  1.
ৄࡉ(େମHackerOneͷϦϯΫ͕͍͍ͭͯΔ)Λݟͯ੬ऑੑͷ಺ ༰ɺൃੜ৚݅Λ֬ೝ  2. ϥΠϒϥϦͷ༻్ͱরΒ͠߹ΘͤͯϦεΫ͕͋Δ͔൑அ  ʢϏϧυ༻్ͷϥΠϒϥϦͰ͋ͬͯ΋ඞͣ҆શͩͱ͸ݴ͑ͳ͍ɻ੬ ऑੑͷ಺༰࣍ୈʣ

ӡ༻ͯ͠Έͯ • ύονग़ͯͳ͍ͷ͕݁ߏଟ͍ • “It is our recommendation to not
install or use this module at this time.” • ͳ͔ͳ͔͙͢ʹରԠ͠೉͍ • npmʹ૊Έࠐ·Εͨ͜ͱͰɺ΋ͬͱରԠ͞Ε͍ͯ ͘ & ରԠ͞Εͳ͍ύοέʔδ͸ࣗવ౫ଡ͞Ε͍ͯ ͘Α͏ʹͳΔ͜ͱΛظ଴

͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ • ϝϧΧϦͰ͸SET (Software Engineer in Test) ͷϝϯόʔΛਵ࣌ืूதͰ͢

Node Security Platform, nsp, npm audit @roppong...

Node Security Platform, nsp, npm audit @roppongi.js#3

urahiroshi

More Decks by urahiroshi

Other Decks in Programming

Featured

Transcript

Node Security Platform, nsp, npm audit גࣜձࣾϝϧΧϦ SET(Software Engineer in

Node Security Platform • https://nodesecurity.io • npmύοέʔδͷ੬ऑੑ৘ใΛใࠂɺऔಘͰ͖Δϓ ϥοτϑΥʔϜ • ੬ऑੑΛใࠂ͢Δ

nsp • https://github.com/nodesecurity/nsp • Node Security Platformͷ੬ऑੑ৘ใΛجʹɺΠϯετʔϧ͍ͯ͠ Δnpmύοέʔδͷ੬ऑੑΛݕ஌͢Δ͜ͱ͕Ͱ͖Δύοέʔδ • Node

`nsp check`

npm audit • npm@6.0.0, npm@5.10.0͔Β࢖͑ΔΑ͏ʹͳͬͨ • npm installͨ͠ࡍʹ΋ࣗಈతʹ࣮ߦ͞ΕɺαϚϦ͕දࣔ͞ΕΔʢҎԼʣ    •

`npm audit`

yarnͷ৔߹ • nsp΋npm audit΋yarn.lockʹ͸ඇରԠ  - nsp: package.json͚ͩͰ੬ऑੑ৘ใදࣔ  - npm audit:

yarnͷ৔߹ 1. (nspͷ৔߹ͷΈ) [nsp-preprocessor-yarn](https://github.com/ hermanbanken/nsp-preprocessor-yarn) Λ࢖͏ • ੵۃతʹ࢖͏ཧ༝͸ͳ͍ 2. [synp](https://github.com/imsnif/synp)Ͱyarn.lockΛpackage-

CIͰ࢖͏ • CircleCIͷScheduling JobΛ࢖ͬͯఆظతʹ࣮ߦ • िҰճ: ΞυόΠβϦҰཡΛSlackʹ௨஌ • ৄࡉ͸CircleCIͷ࣮ߦϩά͔ΒݟΔ(ҎԼྫ)

ӡ༻ͯ͠Έͯ • ݕग़͞ΕΔ੬ऑੑͷ਺΋ߋ৽ස౓΋ଟ͍ͷͰɺӡ༻ίετ͸͚ͬ͜͏ େ͖͍ • ྫ: webpackͷ੬ऑੑݕࠪͯ͠Έͨ৔߹  • ҎԼͷྲྀΕͰௐ͍ࠪͯ͠Δ  1.

ӡ༻ͯ͠Έͯ • ύονग़ͯͳ͍ͷ͕݁ߏଟ͍ • “It is our recommendation to not

͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ • ϝϧΧϦͰ͸SET (Software Engineer in Test) ͷϝϯόʔΛਵ࣌ืूதͰ͢