核心要点

统一数据源与格式,校验 `CVE` 标识与 `CVSS` 范围有效性。阈值策略:达到或超过阈值即阻断;支持例外清单与到期时间。审计记录包含依赖、版本、CVE、评分、策略判定与审批信息。

参数与规则

CVE格式:`CVE-YYYY-NNNN`;年份范围与编号长度校验。CVSS范围:`0.0` 至 `10.0`;保留一位小数或两位小数。阈值示例:阻断 `>= 7.0`;警告 `5.0–6.9`;通过 `< 5.0`。

实现示例

type Advisory = { package: string; version: string; cve: string; cvss: number; url?: string; expiresAt?: number }
/**
 * Checks that `id` is a well-formed CVE identifier: the literal prefix `CVE-`,
 * a four-digit year, a hyphen, and a sequence number of at least four digits.
 * The year must fall between 1999 (the first CVE year) and the current
 * calendar year, inclusive.
 *
 * The upper bound is read from the system clock, so the answer for a
 * next-year identifier flips at the year boundary; callers that need a
 * reproducible audit result should be aware of that dependency.
 *
 * @param id - candidate identifier; the match is case-sensitive, so a
 *   lower-case `cve-` prefix is rejected
 * @returns true only when both the format and the year range hold
 */
function validCve(id: string): boolean {
  const match = id.match(/^CVE-(\d{4})-(\d{4,})$/)
  if (match === null) return false
  const year = Number(match[1])
  const thisYear = new Date().getFullYear()
  return 1999 <= year && year <= thisYear
}
/**
 * Checks that a CVSS score lies within the defined range 0.0–10.0 inclusive.
 * NaN already fails both comparisons; the explicit `Number.isFinite` check
 * additionally rejects ±Infinity and makes the intent visible.
 *
 * @param score - numeric score parsed from the advisory
 * @returns true when the score is a finite number in range
 */
function validCvss(score: number): boolean {
  const withinRange = 0 <= score && score <= 10
  return withinRange && Number.isFinite(score)
}
// Threshold policy consumed by `decide`: a score at or above `blockThreshold`
// blocks, a score at or above `warnThreshold` warns, anything lower passes.
// `now` is the timestamp an exception's expiry is compared against, so it must
// use the same unit as the values stored in the exception map.
type Policy = { blockThreshold: number; warnThreshold: number; now: number }
/**
 * Looks up an approved exception for this exact dependency/version/CVE triple.
 * The key is `package@version:cve`, so a version bump does not carry an
 * exception forward — it has to be re-approved for the new version.
 *
 * Expiry comes solely from the map value; `Advisory.expiresAt` is not
 * consulted here.
 *
 * @param a - advisory under evaluation
 * @param exceptions - map from key to expiry timestamp
 * @param now - current timestamp in the same unit as the expiry values
 * @returns true only when an entry exists, is non-zero, and has not expired
 *   (`expiry >= now`); a missing or already-expired entry yields false
 */
function inException(a: Advisory, exceptions: Map<string, number>, now: number): boolean {
  const lookupKey = [a.package, '@', a.version, ':', a.cve].join('')
  const expiry = exceptions.get(lookupKey)
  if (expiry === undefined) return false
  return Boolean(expiry) && expiry >= now
}
/**
 * Applies the gate policy to a single advisory.
 *
 * Evaluation order is deliberate:
 * 1. A malformed CVE id or an out-of-range/non-finite score is blocked first,
 *    so a corrupt or tampered report fails closed rather than slipping
 *    through as a low score.
 * 2. An unexpired exception then overrides any threshold outcome, including
 *    one that would otherwise block.
 * 3. Only then is the score compared against the block and warn thresholds.
 *
 * NOTE(review): the thresholds in `p` are not validated here; a NaN or
 * undefined threshold makes its comparison false, so policy loading should
 * reject non-finite thresholds before they reach this function.
 *
 * @param a - advisory to classify
 * @param p - thresholds and the reference timestamp for exception expiry
 * @param exceptions - approved exceptions keyed as in `inException`
 * @returns 'block', 'warn' or 'pass'
 */
function decide(a: Advisory, p: Policy, exceptions: Map<string, number>): 'block' | 'warn' | 'pass' {
  const wellFormed = validCve(a.cve) && validCvss(a.cvss)
  if (!wellFormed) return 'block'
  if (inException(a, exceptions, p.now)) return 'pass'
  const score = a.cvss
  if (score >= p.blockThreshold) return 'block'
  return score >= p.warnThreshold ? 'warn' : 'pass'
}
/**
 * Partitions a report's advisories by the outcome of `decide`.
 *
 * Each advisory lands in exactly one bucket; relative input order is kept
 * within every bucket and the input array is not modified.
 *
 * @param advisories - parsed advisories from the security report
 * @param policy - thresholds and reference timestamp handed to `decide`
 * @param exceptions - approved exceptions keyed as in `inException`
 * @returns the three buckets; a non-empty `blocked` is what the CI gate
 *   should fail on
 */
function evaluate(advisories: Advisory[], policy: Policy, exceptions: Map<string, number>): { blocked: Advisory[]; warned: Advisory[]; passed: Advisory[] } {
  const buckets: Record<'block' | 'warn' | 'pass', Advisory[]> = { block: [], warn: [], pass: [] }
  for (const advisory of advisories) {
    const outcome = decide(advisory, policy, exceptions)
    buckets[outcome].push(advisory)
  }
  return { blocked: buckets.block, warned: buckets.warn, passed: buckets.pass }
}
审计与CI门禁

构建前解析安全报告并执行策略;阻断项直接失败并输出详情。审计记录包含依赖、版本、CVE、CVSS、策略结果与例外到期时间。
