如何利用npm审核?

时间:2019-06-21 21:17:23

标签: node.js npm reverse-engineering npmjs npm-audit

TLDR:是否可以将npm audit的漏洞检测功能用作一种轻松的服务,而不是当前的CLI实施?

npm在针对节点安全平台(NSP)漏洞数据库的每个安装请求上提供自动漏洞扫描,并在您尝试使用不安全代码时警告您。此外,npm audit递归地分析您的依赖关系树,以明确识别不安全的内容,建议替换或使用npm审核修复程序自动对其进行修复。

此功能很棒,我希望能够在Web应用程序中利用此漏洞扫描功能。那我为什么要这样做?

似乎大多数公司都托管一个内部JFrog存储库,该存储库需要不断更新和维护,以反映npmjs。但是,一种更有效的方法(在我看来)是创建一个嵌入了mitmproxy的简单Web应用程序。然后,此Web应用程序将更像是代理,并且将允许其基于自定义业务逻辑和/或npm审核漏洞报告的发现来过滤npm请求。这样做的好处是允许用户自定义其风险评估容忍度,并利用npmjs分发所请求的库。结果,这将使公司不再需要托管任何内部JFrog实例,并且有可能通过使npmjs处理所述库的托管来降低成本。

下面列出的是npm audit报告的一部分:

$ npm audit

示例审核报告:

                        === npm audit security report ===  

#                            ...  Removed unnecessary details                                                                                 

# Run  npm install jquery@3.4.1  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ jquery                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jquery                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jquery                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/796                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


found 88 vulnerabilities (63 low, 10 moderate, 15 high) in 36801 scanned packages
  run `npm audit fix` to fix 1 of them.
  87 vulnerabilities require semver-major dependency updates.

我发现npm audit利用以下URL进行漏洞检测:

https://nodesecurity.io/advisories/<id>

其中<id>是代表所讨论库的数字。在我的示例中:jquery =>796。

我不知道如何将这个组件名称复制到ID映射的末端,这只是为了花点时间了解漏洞详细信息。出于安全原因,故意混淆了该API的工作原理,并且通常大多数安全提供商都希望为其服务赚钱。

话虽如此,对于第一遍,知道<package>@<version>是否为高/中/低漏洞就足够了。我看到html页面中有一个嵌入的<script>标记,其中包含漏洞详细信息:

<script integrity="sha512-2KUTRVRvbDU3H6wROMklMMJqo9viHDRE+eOC56AIunI3PWKmCX1sVagJux/7BdYxpbbdgUi2sDJGhHEl499Tzw==">window.__context__ = {"context":{"advisoryData":{"id":796,"created":"2019-04-02T21:06:11.895Z","updated":"2019-04-23T14:29:39.788Z","deleted":null,"title":"Prototype Pollution","found_by":{"link":"","name":"asgerf"},"reported_by":{"link":"","name":"asgerf"},"module_name":"jquery","cves":["CVE-2019-5428"],"vulnerable_versions":"\u003c3.4.0","patched_versions":"\u003e=3.4.0","overview":"Versions of `jquery`  prior to 3.4.0 are vulnerable to Prototype Pollution. The extend() method allows an attacker to modify the prototype for `Object` causing changes in properties that will exist on all objects.","recommendation":"Upgrade to version 3.4.0 or later.","references":"- [HackerOne Report](https://hackerone.com/reports/454365)","access":"public","severity":"moderate","cwe":"CWE-471","url":"https://npmjs.com/advisories/796","urls":{"detail":"/v1/advisories/advisory/796","prev":"/v1/advisories/advisory/795","next":"/v1/advisories/advisory/797"},"formatted":{"overview":"\u003cp\u003eVersions of \u003ccode\u003ejquery\u003c/code\u003e  prior to 3.4.0 are vulnerable to Prototype Pollution. The extend() method allows an attacker to modify the prototype for \u003ccode\u003eObject\u003c/code\u003e causing changes in properties that will exist on all objects.\u003c/p\u003e\n","recommendation":"\u003cp\u003eUpgrade to version 3.4.0 or later.\u003c/p\u003e\n","references":"\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://hackerone.com/reports/454365\" rel=\"nofollow\"\u003eHackerOne Report\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n","created":"Apr 2nd, 9:06:11 pm","updated":"Apr 23rd, 2:29:39 pm"}},"events":[{"id":1419,"advisory_id":796,"created":"2019-04-23T14:29:39.821Z","type":"published","message":"Advisory Published","formatted":{"created":"Apr 23rd, 2019"}},{"id":1354,"advisory_id":796,"created":"2019-04-02T21:06:11.904Z","type":"reported","message":"Reported by asgerf","formatted":{"created":"Apr 2nd, 2019"}}],"user":{"tfa":false,"name":"wright1242","isStaff":false,"deactivated":null,"avatars":{"small":"https://s.gravatar.com/avatar/c273b03158ed9f9f045f476897b235fa?size=50\u0026default=retro","medium":"https://s.gravatar.com/avatar/c273b03158ed9f9f045f476897b235fa?size=100\u0026default=retro","large":"https://s.gravatar.com/avatar/c273b03158ed9f9f045f476897b235fa?size=496\u0026default=retro"},"resource":{"fullname":"Nathan Wright"},"is_delegated":false,"email_verified":true,"created":{"ts":1553877333697,"rel":"3 months ago"},"updated":"2019-03-29T16:35:33.695Z"},"csrftoken":"plyisfZBsPE1Ede0ico2RTod6B60nd7l1qHPvREr-mw","notifications":[],"npmExpansions":["Nimble Porridge Muncher","Now, Push Me","Next Phenomenal Microbrewery","npm promulgates marsupials","Newton's Poleless Magnet","Nested Public Modules","New Powerful Machines","No Prize Money","Nostalgic Pickled Mango","Neolithic Populous Metropolis"],"isNpme":false},"chunks":{"commons":["commons.4d94cbb36d7d9f02c2f4.js","commons.4d94cbb36d7d9f02c2f4.js.map"],"styles":["styles.a34b113ba89c0a069aa9.css","minicssextractbug.ece81719b14e4fb51acb.js","styles.a34b113ba89c0a069aa9.css.map","minicssextractbug.ece81719b14e4fb51acb.js.map"],"advisories/detail":["advisories/detail.e640a34c8a03ac2c51e8.js","advisories/detail.e640a34c8a03ac2c51e8.js.map"],"advisories/list":["advisories/list.49eaf09da2c66523e9cd.js","advisories/list.49eaf09da2c66523e9cd.js.map"],"advisories/report":["advisories/report.6b5a536458e618cb3ae5.js","advisories/report.6b5a536458e618cb3ae5.js.map"],"advisories/versions":["advisories/versions.5ce20fcc3f3f3e620292.js","advisories/versions.5ce20fcc3f3f3e620292.js.map"],"auth/cli":["auth/cli.31c9a365866841fcc4fe.js","auth/cli.31c9a365866841fcc4fe.js.map"],"auth/common-passwords":["auth/common-passwords.32150bf4a63195186b9e.js","auth/common-passwords.32150bf4a63195186b9e.js.map"],"auth/escalate":["auth/escalate.5d3004f00377e61c65ff.js","auth/escalate.5d3004f00377e61c65ff.js.map"],"auth/forgot":["auth/forgot.4b4e93ca04ea1741a235.js","auth/forgot.4b4e93ca04ea1741a235.js.map"],"auth/forgot-sent":["auth/forgot-sent.b6a321ab13288fbdb321.js","auth/forgot-sent.b6a321ab13288fbdb321.js.map"],"auth/invite-signup":["auth/invite-signup.1374d727ca7f216f4df6.js","auth/invite-signup.1374d727ca7f216f4df6.js.map"],"auth/login":["auth/login.8d9b5fe8a19cbc186849.js","auth/login.8d9b5fe8a19cbc186849.js.map"],"auth/otp":["auth/otp.17f71c286c4ef5838c10.js","auth/otp.17f71c286c4ef5838c10.js.map"],"auth/reset-password":["auth/reset-password.b20251afbd7655b491c1.js","auth/reset-password.b20251afbd7655b491c1.js.map"],"auth/signup":["auth/signup.38e2de18a3d7d49e1901.js","auth/signup.38e2de18a3d7d49e1901.js.map"],"auth/sso-signup":["auth/sso-signup.8c3feddbe01f02ad701b.js","auth/sso-signup.8c3feddbe01f02ad701b.js.map"],"billing/detail":["billing/detail.7c30c25000cb18635fad.js","billing/detail.7c30c25000cb18635fad.js.map"],"billing/downgrade":["billing/downgrade.3be55cca5333d74807d5.js","billing/downgrade.3be55cca5333d74807d5.js.map"],"billing/upgrade":["billing/upgrade.aa74d23e03f79c2b1e56.js","billing/upgrade.aa74d23e03f79c2b1e56.js.map"],"contact/contact":["contact/contact.8662906bb6004554b3f2.js","contact/contact.8662906bb6004554b3f2.js.map"],"debug/badstatus":["debug/badstatus.c7bb04c58ae395906dbf.js","debug/badstatus.c7bb04c58ae395906dbf.js.map"],"debug/detail":["debug/detail.34b54844c3ec9f69e471.js","debug/detail.34b54844c3ec9f69e471.js.map"],"debug/failcomponent":["debug/failcomponent.d1f8803e2009818ef71d.js","debug/failcomponent.d1f8803e2009818ef71d.js.map"],"egg/egg":["egg/egg.4e4902966f9314b37154.js","egg/egg.4e4902966f9314b37154.js.map"],"enterprise/complete":["enterprise/complete.89eaa305053a6c0f8989.js","enterprise/complete.89eaa305053a6c0f8989.js.map"],"enterprise/license-paid":["enterprise/license-paid.ebe1bfa16a3d49069d9b.js","enterprise/license-paid.ebe1bfa16a3d49069d9b.js.map"],"enterprise/license-purchase":["enterprise/license-purchase.33b546c059bd99696cf0.js","enterprise/license-purchase.33b546c059bd99696cf0.js.map"],"enterprise/on-site-buy-now":["enterprise/on-site-buy-now.537497d98021ab3a5cb2.js","enterprise/on-site-buy-now.537497d98021ab3a5cb2.js.map"],"enterprise/on-site-contact-confirmation":["enterprise/on-site-contact-confirmation.30cef6ea069bb5b8d238.js","enterprise/on-site-contact-confirmation.30cef6ea069bb5b8d238.js.map"],"enterprise/on-site-trial":["enterprise/on-site-trial.c4299d1451374df8d233.js","enterprise/on-site-trial.c4299d1451374df8d233.js.map"],"enterprise/orgs-terms":["enterprise/orgs-terms.1d97d471a2406c7a0bfa.js","enterprise/orgs-terms.1d97d471a2406c7a0bfa.js.map"],"enterprise/signup-confirmation":["enterprise/signup-confirmation.01182145a57b51bf81d6.js","enterprise/signup-confirmation.01182145a57b51bf81d6.js.map"],"errors/not-found":["errors/not-found.233c66ddecbbf24ac4fc.js","errors/not-found.233c66ddecbbf24ac4fc.js.map"],"errors/server":["errors/server.dd29f86cfe1f6df5386d.js","errors/server.dd29f86cfe1f6df5386d.js.map"],"errors/template":["errors/template.66c3e6b9be4cdeeb1b31.js","errors/template.66c3e6b9be4cdeeb1b31.js.map"],"flatpage/flatpage":["flatpage/flatpage.a15b631354b26980e9d2.js","flatpage/flatpage.a15b631354b26980e9d2.js.map"],"homepage/homepage":["homepage/homepage.110dbed7fffb8ed42685.js","homepage/homepage.110dbed7fffb8ed42685.js.map"],"homepage/homepage-logged-in":["homepage/homepage-logged-in.8797a9ea2201ab4336cc.js","homepage/homepage-logged-in.8797a9ea2201ab4336cc.js.map"],"npme-2/invite":["npme-2/invite.2db2f811ab5b4ca10d5f.js","npme-2/invite.2db2f811ab5b4ca10d5f.js.map"],"npme-2/invites":["npme-2/invites.8878a423875defcf6c76.js","npme-2/invites.8878a423875defcf6c76.js.map"],"npme-2/login":["npme-2/login.a9b772e49ae0412bf666.js","npme-2/login.a9b772e49ae0412bf666.js.map"],"npme-2/overrides/components/tutorials/creating-org":["npme-2/overrides/components/tutorials/creating-org.71f7d5901781c193fb73.js","npme-2/overrides/components/tutorials/creating-org.71f7d5901781c193fb73.js.map"],"npme-2/overrides/components/tutorials/default-registry":["npme-2/overrides/components/tutorials/default-registry.475fb9f18556bd682949.js","npme-2/overrides/components/tutorials/default-registry.475fb9f18556bd682949.js.map"],"npme-2/overrides/components/tutorials/installing-package":["npme-2/overrides/components/tutorials/installing-package.2b04ab2356a096fd5a49.js","npme-2/overrides/components/tutorials/installing-package.2b04ab2356a096fd5a49.js.map"],"npme-2/overrides/components/tutorials/publishing-package":["npme-2/overrides/components/tutorials/publishing-package.5697dc8704d72ac9ced0.js","npme-2/overrides/components/tutorials/publishing-package.5697dc8704d72ac9ced0.js.map"],"npme-2/overrides/components/tutorials/tabs":["npme-2/overrides/components/tutorials/tabs.df1dac1eefb18c4859bc.js","npme-2/overrides/components/tutorials/tabs.df1dac1eefb18c4859bc.js.map"],"npme-2/overrides/homepage":["npme-2/overrides/homepage.c385707ae0df1411a2a1.js","npme-2/overrides/homepage.c385707ae0df1411a2a1.js.map"],"npme-2/overrides/orgs/create":["npme-2/overrides/orgs/create.796a1ec58f26a83b0b55.js","npme-2/overrides/orgs/create.796a1ec58f26a83b0b55.js.map"],"npme-2/reports":["npme-2/reports.c848851d64a15951a1ef.js","npme-2/reports.c848851d64a15951a1ef.js.map"],"npme-2/settings":["npme-2/settings.d0c798bb186ce82f3ea8.js","npme-2/settings.d0c798bb186ce82f3ea8.js.map"],"npme-2/setup":["npme-2/setup.8ebd15e786c914775153.js","npme-2/setup.8ebd15e786c914775153.js.map"],"npme-2/sso-config":["npme-2/sso-config.28c27038f210cf50638a.js","npme-2/sso-config.28c27038f210cf50638a.js.map"],"npme-2/users":["npme-2/users.eeb8e1c64514e5683330.js","npme-2/users.eeb8e1c64514e5683330.js.map"],"npme/invite":["npme/invite.ffae73172929956e34eb.js","npme/invite.ffae73172929956e34eb.js.map"],"npme/invites":["npme/invites.44e371e54eac0a082e0d.js","npme/invites.44e371e54eac0a082e0d.js.map"],"npme/login":["npme/login.ab849e614586290dfb37.js","npme/login.ab849e614586290dfb37.js.map"],"npme/overrides/components/tutorials/creating-org":["npme/overrides/components/tutorials/creating-org.471161dde8734e77baa4.js","npme/overrides/components/tutorials/creating-org.471161dde8734e77baa4.js.map"],"npme/overrides/components/tutorials/default-registry":["npme/overrides/components/tutorials/default-registry.17619197ac9ebf75f78b.js","npme/overrides/components/tutorials/default-registry.17619197ac9ebf75f78b.js.map"],"npme/overrides/components/tutorials/installing-package":["npme/overrides/components/tutorials/installing-package.e55b3915848c09265955.js","npme/overrides/components/tutorials/installing-package.e55b3915848c09265955.js.map"],"npme/overrides/components/tutorials/publishing-package":["npme/overrides/components/tutorials/publishing-package.0e248bac8e84760c3a3c.js","npme/overrides/components/tutorials/publishing-package.0e248bac8e84760c3a3c.js.map"],"npme/overrides/components/tutorials/tabs":["npme/overrides/components/tutorials/tabs.1f4c0ff4d1338c5cb611.js","npme/overrides/components/tutorials/tabs.1f4c0ff4d1338c5cb611.js.map"],"npme/overrides/homepage":["npme/overrides/homepage.4955c4963ed9fa476105.js","npme/overrides/homepage.4955c4963ed9fa476105.js.map"],"npme/overrides/orgs/create":["npme/overrides/orgs/create.a7fa242e75db505a14cc.js","npme/overrides/orgs/create.a7fa242e75db505a14cc.js.map"],"npme/settings":["npme/settings.58e57b118bbd7878e2ed.js","npme/settings.58e57b118bbd7878e2ed.js.map"],"npme/setup":["npme/setup.c348ba66cd10e64fba12.js","npme/setup.c348ba66cd10e64fba12.js.map"],"npme/sso-config":["npme/sso-config.fc863259ffafbadaac78.js","npme/sso-config.fc863259ffafbadaac78.js.map"],"npme/users":["npme/users.7bf881838868fa2e8146.js","npme/users.7bf881838868fa2e8146.js.map"],"orgs/create":["orgs/create.25acfbc854056d91faab.js","orgs/create.25acfbc854056d91faab.js.map"],"orgs/detail":["orgs/detail.a0fc09a1dafcc608f604.js","orgs/detail.a0fc09a1dafcc608f604.js.map"],"orgs/invite":["orgs/invite.bb4dd212f2a1638cd111.js","orgs/invite.bb4dd212f2a1638cd111.js.map"],"orgs/upgrade":["orgs/upgrade.720c3caf2998a6f28cd5.js","orgs/upgrade.720c3caf2998a6f28cd5.js.map"],"package-list/dependents-list":["package-list/dependents-list.2dce05752934fcbcbe4f.js","package-list/dependents-list.2dce05752934fcbcbe4f.js.map"],"package-list/most-depended":["package-list/most-depended.f7001bbcaa0641bf4f40.js","package-list/most-depended.f7001bbcaa0641bf4f40.js.map"],"package-list/recently-updated":["package-list/recently-updated.37fbdf8fec827ddacad3.js","package-list/recently-updated.37fbdf8fec827ddacad3.js.map"],"package/package":["package/package.a8b3c84300ae1382adf1.js","package/package.a8b3c84300ae1382adf1.js.map"],"partners/detail":["partners/detail.455f79e0b6e62b2b62c8.js","partners/detail.455f79e0b6e62b2b62c8.js.map"],"partners/join":["partners/join.64518905a4506bd65cb0.js","partners/join.64518905a4506bd65cb0.js.map"],"partners/thanks":["partners/thanks.ff01ac06bf6bc9dca957.js","partners/thanks.ff01ac06bf6bc9dca957.js.map"],"profile/profile":["profile/profile.225a06aa9545bb306666.js","profile/profile.225a06aa9545bb306666.js.map"],"search/search":["search/search.7a1e54cf3d045148dbc1.js","search/search.7a1e54cf3d045148dbc1.js.map"],"settings/change-password":["settings/change-password.70b297e43c57d042ce46.js","settings/change-password.70b297e43c57d042ce46.js.map"],"settings/email":["settings/email.fadfc72c579bb081162b.js","settings/email.fadfc72c579bb081162b.js.map"],"settings/memberships":["settings/memberships.410836fc226dd288ffb8.js","settings/memberships.410836fc226dd288ffb8.js.map"],"settings/packages":["settings/packages.64c297193727a8e51542.js","settings/packages.64c297193727a8e51542.js.map"],"settings/profile":["settings/profile.833a150cc274224f5f70.js","settings/profile.833a150cc274224f5f70.js.map"],"teams/create":["teams/create.b9f70a2ae9de1915d420.js","teams/create.b9f70a2ae9de1915d420.js.map"],"teams/detail":["teams/detail.d4664bced272f9d0a3ad.js","teams/detail.d4664bced272f9d0a3ad.js.map"],"teams/list":["teams/list.261cf5f94b9192a3daab.js","teams/list.261cf5f94b9192a3daab.js.map"],"teams/packages":["teams/packages.71096da465263d66286d.js","teams/packages.71096da465263d66286d.js.map"],"teams/users":["teams/users.674a8b5b623059964462.js","teams/users.674a8b5b623059964462.js.map"],"tfa/enable":["tfa/enable.18fb4a852c69318b5589.js","tfa/enable.18fb4a852c69318b5589.js.map"],"tfa/showTFAQRCode":["tfa/showTFAQRCode.eb7002f5007a27821807.js","tfa/showTFAQRCode.eb7002f5007a27821807.js.map"],"tfa/showTFASuccess":["tfa/showTFASuccess.d060dc3061cf308203c2.js","tfa/showTFASuccess.d060dc3061cf308203c2.js.map"],"tfa/tfa-mode-selection":["tfa/tfa-mode-selection.a16db0ac7e3f02c6f5d3.js","tfa/tfa-mode-selection.a16db0ac7e3f02c6f5d3.js.map"],"tfa/tfa-password-entry":["tfa/tfa-password-entry.be0ca4c5433e4802b5ac.js","tfa/tfa-password-entry.be0ca4c5433e4802b5ac.js.map"],"tokens/create":["tokens/create.0a64e73c9a20dc823d2a.js","tokens/create.0a64e73c9a20dc823d2a.js.map"],"tokens/list":["tokens/list.1d67b6a2423c57d4efcd.js","tokens/list.1d67b6a2423c57d4efcd.js.map"],"vouchers/view":["vouchers/view.cc023324f08f48ef3082.js","vouchers/view.cc023324f08f48ef3082.js.map"]},"hash":"4d94cbb36d7d9f02c2f4","name":"advisories/detail","containerId":"app","headerName":"x-spiferack","publicPath":"https://static.npmjs.com/"}</script>

我可以使用任何其他开源安全扫描工具,例如:Snyk,OWASP等,只要我可以将此漏洞检测功能用作Web服务即可。还有其他尝试/使用的想法吗?

任何帮助将不胜感激!

更新:

Node Security似乎正在利用国家漏洞数据库(NVD)来解决开放源漏洞,并已将模块映射到常见漏洞和暴露。一个人可以以多种形式here获取整个CVE数据集。也许可以将这些数据反向映射?我看到在嵌入式<script>标记内,有许多模块在讨论中。直接相关的两个字段是:cvesmodule_name。在我的示例jquery中,module_name指向所讨论的模块,而cves似乎是上述CVE数据集中的一对一映射。这样一来,便可以将整个数据集读入数据库,并将该数据库用作查找的真实来源。所以问题真的变成了:

节点安全性如何将CVE映射到module_names?这是手动操作还是替代数据集中有更多列/字段?

更新2

NVDSnyk均提供RSS源,用于检测库的漏洞。在后台,这正是npm audit在安装库或运行审计时用来确定高/中/低漏洞的工具。这些RSS feed有多种格式,实际上很容易解析。此外,它们具有模块与固有漏洞的映射。

话虽如此,如果您想利用这些开源扫描仪,一个人必须遵守其指定的许可证和使用规则。例如,Snyx的RSS提要使用以下规则:

  

Snyk的漏洞DB RSS提要。         此数据库(提要和存储库)已根据AGPL-v3许可证获得许可,该许可证通常允许在内部使用,但禁止将该DB嵌入另一个产品或服务中,除非该产品和所提供的服务是开源的,并且已获得AGPL-v3许可证。 **对于Snyk漏洞数据库的其他许可,请通过contact@snyk.io与我们联系**

对于某些需要注意的问题:

您将利用npmjs(这是开源的),这就是重点。 Npmjs将保存您所有的库,并且您将按预期使用npmjs。如果您需要更多的隐私,例如使用供内部使用的私有范围的模块,则可以直接向npmjs支付。抱歉,我不清楚,因为这样做的目的是仅使用npmjs而不是支付第三方实体为您托管JFrog存储库。

关于许可问题,您应始终遵守有关软件使用或重新分发的法律。

1 个答案:

答案 0 :(得分:2)

TLDR:使用RSS提要来检测由NVD和Snyk提供的库的漏洞,遵守其指定的许可和使用规则

NVD和Snyk均提供RSS提要,用于检测库的漏洞。在后台,这正是npm audit在安装库或运行审计时用来确定高/中/低漏洞的工具。这些RSS feed有多种格式,实际上很容易解析。此外,它们具有模块与引入的漏洞的映射。

话虽如此,如果您想利用这些开源漏洞扫描程序,一个人必须遵守其指定的许可和使用规则。例如,Snyx的RSS提要的使用规则如下:

  

Snyk的漏洞DB RSS提要。此数据库(提要和存储库)已根据AGPL-v3许可证获得许可,该许可证通常允许在内部使用,但禁止将该DB嵌入另一个产品或服务中,除非该产品和所提供的服务是开源的,并且已获得AGPL-v3许可证。 **对于Snyk漏洞数据库的其他许可,请通过contact@snyk.io与我们联系**

欢呼