Dependency security audit
CVE severity levels (CVSS v3)
| Severity | CVSS Score | Remediation |
|---|---|---|
| Critical | 9.0 – 10.0 | Patch immediately (same day) |
| High | 7.0 – 8.9 | Patch within 1 week |
| Medium | 4.0 – 6.9 | Patch within 1 month |
| Low | 0.1 – 3.9 | Patch in the next release |
npm / Node.js
```bash
# Run security audit
npm audit
# Auto-fix safe updates
npm audit fix
# Fix including breaking changes (test first!)
npm audit fix --force
# JSON output for CI integration
npm audit --json | jq '.vulnerabilities'
# Audit from package-lock.json alone (no node_modules install needed)
npm audit --package-lock-only
```
Go / Python / Java
```bash
# Go: check for known vulnerable modules
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
# Python: safety check
pip install safety
safety check --full-report
# Java: OWASP Dependency Check
mvn org.owasp:dependency-check-maven:check
```

```yaml
# GitHub Dependabot (all languages)
# Add .github/dependabot.yml:
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule: { interval: "weekly" }
```
Snyk integration
```bash
# Install Snyk CLI
npm install -g snyk
# Authenticate
snyk auth
# Test for vulnerabilities
snyk test
# Monitor continuously
snyk monitor
# Fix automatically
snyk fix
# CI/CD (fail build on high severity)
snyk test --severity-threshold=high
```
Dependency audit policy
- ☐ Run the audit in CI/CD on every PR
- ☐ Block merges that contain critical/high vulnerabilities
- ☐ Automate weekly dependency updates (Dependabot/Renovate)
- ☐ Maintain a Software Bill of Materials (SBOM)
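The CVSS table above and the "block merges on critical/high" policy item come together in a CI gate. The following Python script is an added example, not code from the original page or from npm or Snyk: it maps a CVSS v3 score to the table's band and patch deadline, and it parses the `npm audit --json` report shape (npm 7+, where `vulnerabilities` maps package name to an object with a `severity` field) to fail the build when any finding meets a threshold, the same idea as `snyk test --severity-threshold=high`. The report embedded below is constructed sample data, and the package names in it are placeholders.

```python
"""CI gate over `npm audit --json` output plus the CVSS v3 band / SLA table.

Added example (not from the original page). Assumes the npm 7+ audit JSON shape:
{"vulnerabilities": {"<pkg>": {"severity": "...", "via": [...]}, ...}}.
"""
import json
from datetime import date, timedelta

# Bands from the CVSS v3 table with the page's patch deadline in days:
# Critical same day (0), High 1 week (7), Medium 1 month (30), Low next release (None).
# npm reports the Medium band as "moderate", so that name is used here.
CVSS_BANDS = [
    ("critical", 9.0, 10.0, 0),
    ("high", 7.0, 8.9, 7),
    ("moderate", 4.0, 6.9, 30),
    ("low", 0.1, 3.9, None),
]

# Ordering used to compare a finding against the gate threshold.
SEVERITY_RANK = {"critical": 4, "high": 3, "moderate": 2, "low": 1, "info": 0}


def classify_cvss(score: float):
    """Return (severity, days_to_fix) for a CVSS v3 base score, per the table."""
    for name, lo, hi, days in CVSS_BANDS:
        if lo <= score <= hi:
            return name, days
    raise ValueError(f"score {score} is outside the CVSS v3 range 0.1-10.0")


def remediation_deadline(score: float, found_iso: str):
    """ISO date by which the finding must be patched; None means 'next release'."""
    _, days = classify_cvss(score)
    if days is None:
        return None
    return (date.fromisoformat(found_iso) + timedelta(days=days)).isoformat()


def summarize_audit(report: dict) -> dict:
    """Count findings per severity in an `npm audit --json` report."""
    counts = {name: 0 for name in SEVERITY_RANK}
    for vuln in report.get("vulnerabilities", {}).values():
        counts[vuln["severity"]] = counts.get(vuln["severity"], 0) + 1
    return counts


def gate(report: dict, threshold: str = "high"):
    """Return (passed, offending_packages).

    Fails when any finding is at or above `threshold`, which is how a CI job
    enforces the 'block merges with critical/high vulnerabilities' policy.
    """
    limit = SEVERITY_RANK[threshold]
    offenders = sorted(
        name for name, vuln in report.get("vulnerabilities", {}).items()
        if SEVERITY_RANK.get(vuln["severity"], 0) >= limit
    )
    return (len(offenders) == 0, offenders)


# Constructed sample in the npm 7+ `npm audit --json` shape; not real audit data.
SAMPLE_REPORT_JSON = """{
  "vulnerabilities": {
    "example-pad": {"name": "example-pad", "severity": "low",
                    "via": [{"title": "sample advisory", "severity": "low"}]},
    "example-parser": {"name": "example-parser", "severity": "high",
                       "via": [{"title": "sample ReDoS advisory", "severity": "high"}]},
    "example-crypto": {"name": "example-crypto", "severity": "critical",
                       "via": [{"title": "sample advisory", "severity": "critical"}]},
    "example-logger": {"name": "example-logger", "severity": "moderate",
                       "via": ["example-parser"]}
  },
  "metadata": {"vulnerabilities": {"total": 4}}
}"""

SAMPLE_REPORT = json.loads(SAMPLE_REPORT_JSON)

if __name__ == "__main__":
    import sys
    passed, offenders = gate(SAMPLE_REPORT, threshold="high")
    print(summarize_audit(SAMPLE_REPORT))
    print("PASS" if passed else f"FAIL: {', '.join(offenders)}")
    sys.exit(0 if passed else 1)
```

In a pipeline you would replace `SAMPLE_REPORT` with `json.load(open("audit.json"))` after running `npm audit --json > audit.json`; the non-zero exit status is what makes the PR check red. The `via` entries are kept in the sample because npm uses them to distinguish direct advisories from transitive ones (a string `via` points at another vulnerable package), which matters when deciding which package to bump.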