Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Node Security Platform, nsp, npm audit @roppong...

urahiroshi
May 29, 2018
Programming
1
880

Node Security Platform, nsp, npm audit @roppongi.js#3

Roppongi.js#3 の資料です

urahiroshi

May 29, 2018
Tweet

More Decks by urahiroshi

See All by urahiroshi
プロダクトのスケールによって顕在化しうるリスクをどう管理するか?
urahiroshi
8
4.7k
Mercari_Frontend_CircleCI.pdf
urahiroshi
2
2.6k
SET活動のすすめ.pdf
urahiroshi
1
1.5k

Other Decks in Programming

See All in Programming
Nurturing OpenJDK distribution: Eclipse Temurin Success History and plan
ivargrimstad
0
900
Webの技術スタックで マルチプラットフォームアプリ開発を可能にするElixirDesktopの紹介
thehaigo
2
1k
レガシーシステムにどう立ち向かうか 複雑さと理想と現実/vs-legacy
suzukihoge
14
2.2k
Amazon Qを使ってIaCを触ろう!
maruto
0
400
Streams APIとTCPフロー制御 / Web Streams API and TCP flow control
tasshi
2
350
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
110
初めてDefinitelyTypedにPRを出した話
syumai
0
410
광고 소재 심사 과정에 AI를 도입하여 광고 서비스 생산성 향상시키기
kakao
PRO
0
170
OnlineTestConf: Test Automation Friend or Foe
maaretp
0
110
Make Impossible States Impossibleを 意識してReactのPropsを設計しよう
ikumatadokoro
0
170
Laravel や Symfony で手っ取り早く
OpenAPI のドキュメントを作成する
azuki
2
120
ActiveSupport::Notifications supporting instrumentation of Rails apps with OpenTelemetry
ymtdzzz
1
230

Featured

See All Featured
Fashionably flexible responsive web design (full day workshop)
malarkey
405
65k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
Teambox: Starting and Learning
jrom
133
8.8k
The World Runs on Bad Software
bkeepers
PRO
65
11k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
44
2.2k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Side Projects
sachag
452
42k
KATA
mclloyd
29
14k

Transcript

  1. Node Security Platform, nsp, npm audit גࣜձࣾϝϧΧϦ SET(Software Engineer in

    Test) @urahiroshi (Hiroshi Urayama)

  2. Node Security Platform • https://nodesecurity.io • npmύοέʔδͷ੬ऑੑ৘ใΛใࠂɺऔಘͰ͖Δϓ ϥοτϑΥʔϜ • ੬ऑੑΛใࠂ͢Δ


    => ύοέʔδͷϝϯςφʹ௨஌
 => मਖ਼ or 45೔ܦաͰެ։͞ΕΔ
 (https://nodesecurity.io/report)
  3. None

  4. nsp • https://github.com/nodesecurity/nsp • Node Security Platformͷ੬ऑੑ৘ใΛجʹɺΠϯετʔϧ͍ͯ͠ Δnpmύοέʔδͷ੬ऑੑΛݕ஌͢Δ͜ͱ͕Ͱ͖Δύοέʔδ • Node

    Security PlatformΛӡӦ͢Δ
 ^Lift Security ͕npm, Incʹങऩ͞ΕɺnpmίϚϯυʹύοέʔδ ͷ੬ऑੑݕ஌(npm audit)͕૊Έࠐ·ΕͨͷͰɺࠓޙੵۃతʹ࢖͏ ཧ༝͸ͳ͍ • GitHubϦϙδτϦ΋ΞʔΧΠϒԽ͞Ε͍ͯΔ

  5. `nsp check`

  6. npm audit • [email protected], [email protected]͔Β࢖͑ΔΑ͏ʹͳͬͨ • npm installͨ͠ࡍʹ΋ࣗಈతʹ࣮ߦ͞ΕɺαϚϦ͕දࣔ͞ΕΔʢҎԼʣ
 
 •

    [email protected]͔Βjsonग़ྗ(`npm audit —json`)΍੬ऑੑͷ͋Δύοέʔδͷࣗ ಈߋ৽(`npm audit fix`)ػೳ͕௥Ճ͞ΕɺΑΓ࢖͑ΔΑ͏ʹͳͬͨ • nspͷڍಈͱޓ׵ੑ͸ͳ͍ • Ұ෦ͷύοέʔδؚ͕·Ε͍ͯΔͱΤϥʔʹͳΔ৔߹͕͋Δ (nspͳΒେ ৎ෉ͳͷʹ…)
 https://github.com/npm/npm/issues/20604

  7. `npm audit`

  8. yarnͷ৔߹ • nsp΋npm audit΋yarn.lockʹ͸ඇରԠ
 - nsp: package.json͚ͩͰ੬ऑੑ৘ใදࣔ
 - npm audit:

    ΤϥʔʹͳΔ

  9. yarnͷ৔߹ 1. (nspͷ৔߹ͷΈ) [nsp-preprocessor-yarn](https://github.com/ hermanbanken/nsp-preprocessor-yarn) Λ࢖͏ • ੵۃతʹ࢖͏ཧ༝͸ͳ͍ 2. [synp](https://github.com/imsnif/synp)Ͱyarn.lockΛpackage-

    lock.json ʹม׵͢Δ 3. `yarn install` ͨ͠ޙʹ `npm shrinkwrap` ͢Δ 4. ͍ۙ͏ͪʹ `yarn audit` ͕Ͱ͖ͦ͏ʁ
 https://github.com/yarnpkg/yarn/issues/5808

  10. CIͰ࢖͏ • CircleCIͷScheduling JobΛ࢖ͬͯఆظతʹ࣮ߦ • िҰճ: ΞυόΠβϦҰཡΛSlackʹ௨஌ • ৄࡉ͸CircleCIͷ࣮ߦϩά͔ΒݟΔ(ҎԼྫ)
 


    
 
 • ຖ೔: ΞυόΠβϦҰཡʹมԽ͕͋Ε͹Slack௨஌ (લճͷ࣮ߦ ݁ՌΛCircleCIͷΩϟογϡʹอଘͯ͠ൺֱʹ࢖͏)

  11. ӡ༻ͯ͠Έͯ • ݕग़͞ΕΔ੬ऑੑͷ਺΋ߋ৽ස౓΋ଟ͍ͷͰɺӡ༻ίετ͸͚ͬ͜͏ େ͖͍ • ྫ: webpackͷ੬ऑੑݕࠪͯ͠Έͨ৔߹
 • ҎԼͷྲྀΕͰௐ͍ࠪͯ͠Δ
 1.

    ৄࡉ(େମHackerOneͷϦϯΫ͕͍͍ͭͯΔ)Λݟͯ੬ऑੑͷ಺ ༰ɺൃੜ৚݅Λ֬ೝ
 2. ϥΠϒϥϦͷ༻్ͱরΒ͠߹ΘͤͯϦεΫ͕͋Δ͔൑அ
 ʢϏϧυ༻్ͷϥΠϒϥϦͰ͋ͬͯ΋ඞͣ҆શͩͱ͸ݴ͑ͳ͍ɻ੬ ऑੑͷ಺༰࣍ୈʣ

  12. ӡ༻ͯ͠Έͯ • ύονग़ͯͳ͍ͷ͕݁ߏଟ͍ • “It is our recommendation to not

    install or use this module at this time.” • ͳ͔ͳ͔͙͢ʹରԠ͠೉͍ • npmʹ૊Έࠐ·Εͨ͜ͱͰɺ΋ͬͱରԠ͞Ε͍ͯ ͘ & ରԠ͞Εͳ͍ύοέʔδ͸ࣗવ౫ଡ͞Ε͍ͯ ͘Α͏ʹͳΔ͜ͱΛظ଴

  13. ͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ • ϝϧΧϦͰ͸SET (Software Engineer in Test) ͷϝϯόʔΛਵ࣌ืूதͰ͢