Question
I'm trying to understand how the npm audit command works.
By which algorithm does it determine that there is a problem,
and, most importantly, how does it differentiate the levels low / moderate / high / critical?
Answer 1:
There is no algorithm. Only people.
What npm audit does is look at what package you are using and what version and compare it to npm's vulnerability database. Here's the web interface to that database: https://www.npmjs.com/advisories
If you click on any of the "problems" you will see 3 pieces of information: description of the problem, the recommended fix and a link to where the problem was reported.
As to how npm determines the severity of the problem, it does not. People determine the severity of the problems.
And almost all of it is done by volunteers. This is one of the promises of open source: with enough eyes looking at your non-hidden code, bugs can be spotted.
Answer 2:
npm audit is a security module used to find the vulnerabilities of npm packages. The vulnerability database is available on the website: https://www.npmjs.com/advisories
The vulnerability format is the following:
{
  "id": <vulnerability id>,
  "created_at": <creation date>,
  "updated_at": <update date>,
  "title": <vulnerability title>,
  "author": {
    "name": <contributor name>,
    "website": <contributor website>,
    "username": <contributor username>
  },
  "module_name": <product name>,
  "publish_date": <publication date>,
  "cves": [
    <cve name (if existing)>
  ],
  "vulnerable_versions": <vulnerable version(s)>,
  "patched_versions": <fix version(s)>,
  "overview": <vulnerability description>,
  "recommendation": <vendor advisory>,
  "references": [
    <source list>
  ],
  "cvss_vector": <CVSS vector in format AV:x/AC:x/PR:x/UI:x/S:x/C:x/I:x/A:x>,
  "cvss_score": <criticality score (between 0 and 10)>,
  "coordinating_vendor": <editor information>
}
npm audit will match the package information against all vulnerabilities and return the matching ones.
About the scoring, CVSS scoring is used; you can find the documentation here: https://www.first.org/cvss/specification-document
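Both answers describe the same two steps: match each installed package and version against the advisory records' `vulnerable_versions` ranges, then report the severity attached to the advisory. The following is an added example, not npm's own code and not part of either answer, that re-implements those two steps in miniature. The advisory records and installed package list are constructed for illustration (the package names `left-pad-ish` and `yaml-ish` and the advisory ids are made up), only the `module_name`, `vulnerable_versions`, `patched_versions` and `cvss_score` fields from the format above are used, and the range parser is a deliberately small subset of semver (comparators joined by spaces, alternatives joined by `||`, no prerelease handling). The severity bands are the qualitative scale from the CVSS v3 specification linked above, with "Medium" renamed "moderate" to match the labels npm prints.

```javascript
// Added example: a toy re-implementation of the matching step npm audit performs.
// This is NOT npm's code. Advisory records below are constructed for illustration.

// Compare two "x.y.z" versions numerically. Returns -1, 0 or 1.
// Pre-release tags are stripped and ignored for simplicity (assumption).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Check one comparator such as ">=1.2.0" or "<2.0.0" against a version.
function satisfiesComparator(version, comparator) {
  const m = /^(>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+)$/.exec(comparator.trim());
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const [, op = '=', target] = m;
  const c = compareVersions(version, target);
  switch (op) {
    case '>=': return c >= 0;
    case '<=': return c <= 0;
    case '>':  return c > 0;
    case '<':  return c < 0;
    default:   return c === 0;
  }
}

// Evaluate a range in the style advisories use: alternatives separated by "||",
// each alternative a space-separated list of comparators that must all hold.
function satisfiesRange(version, range) {
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).every(cmp => satisfiesComparator(version, cmp)));
}

// Map a CVSS v3 base score onto the qualitative scale from the CVSS spec
// (Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0).
// npm's report prints "moderate" where the spec says "Medium".
function severityFromCvss(score) {
  if (score === 0) return 'none';
  if (score < 4.0) return 'low';
  if (score < 7.0) return 'moderate';
  if (score < 9.0) return 'high';
  return 'critical';
}

// Return the advisories that apply to a set of installed packages.
// installed: { name: version }; advisories: records in the format shown above.
function auditPackages(installed, advisories) {
  const findings = [];
  for (const adv of advisories) {
    const version = installed[adv.module_name];
    if (version === undefined) continue;                       // package not installed
    if (!satisfiesRange(version, adv.vulnerable_versions)) continue; // installed version not affected
    findings.push({
      id: adv.id,
      module_name: adv.module_name,
      installed: version,
      severity: severityFromCvss(adv.cvss_score),
      patched_versions: adv.patched_versions,
    });
  }
  return findings;
}

// Constructed sample data (hypothetical package names, not real advisories).
const SAMPLE_ADVISORIES = [
  { id: 1, module_name: 'left-pad-ish', vulnerable_versions: '<1.3.0',
    patched_versions: '>=1.3.0', cvss_score: 7.5 },
  { id: 2, module_name: 'yaml-ish', vulnerable_versions: '>=2.0.0 <2.2.1 || >=3.0.0 <3.0.4',
    patched_versions: '>=2.2.1 <3.0.0 || >=3.0.4', cvss_score: 9.8 },
  { id: 3, module_name: 'yaml-ish', vulnerable_versions: '<1.0.0',
    patched_versions: '>=1.0.0', cvss_score: 3.1 },
];
const SAMPLE_INSTALLED = { 'left-pad-ish': '1.2.9', 'yaml-ish': '3.0.2', 'unrelated': '0.1.0' };

// Two findings: left-pad-ish 1.2.9 (high) and yaml-ish 3.0.2 via the second alternative (critical).
console.log(JSON.stringify(auditPackages(SAMPLE_INSTALLED, SAMPLE_ADVISORIES), null, 2));
```

The point the example makes concrete is that nothing here is "detected" on your code: the only inputs are the name and exact version of each installed package, and the only outputs are advisories whose human-written version range contains that version, labelled with a human-assigned score. Real npm sends the whole dependency tree to the registry's audit endpoint rather than matching locally, and uses the full semver grammar, so treat this as a model of the logic, not a drop-in replacement.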
Source: https://stackoverflow.com/questions/55569305/how-npm-audit-works