内容简介:AddThen runIf you do not wish to include
MixAudit provides a mix deps.audit task to scan Mix dependencies for security vulnerabilities.
It draw its inspiration from tools like npm audit and bundler-audit .
Installation
Project dependency
Add mix_audit to the deps function in your project’s mix.exs file:
defp deps do
[
{:mix_audit, "~> 0.1", only: [:dev, :test], runtime: false}
]
end
Then run mix do deps.get, deps.compile inside your project’s directory.
Local escript
If you do not wish to include mix_audit in your project dependencies, you can install it as global escript :
$ mix escript.install hex mix_audit … * creating …/.mix/escripts/mix_audit
The only difference is that instead of using the mix deps.audit task, you will have to use the created executable.
Usage
To generate a security report, you can use the deps.audit Mix task:
$ mix deps.audit
Options
| Option | Type | Default | Description |
|---|---|---|---|
--path |
String | Current directory | The root path of the project to audit |
--format |
String | "human" |
The format of the report to generate ( "json" or "human" ) |
--ignore-advisory-ids |
String | "" |
Comma-separated list of advisory IDs to ignore |
--ignore-package-names |
String | "" |
Comma-separated list of package names to ignore |
Example
How does it work?
MixAudit builds two lists when it’s executed in a project:
- A list of security advisories fetched from the community-maintained
elixir-security-advisoriesrepository - A list of Mix dependencies from the various
mix.lockfiles in the project
Then, it loops through each project dependency and tries to find security advisories that apply to it (through its package name) and that match its version specification (through the advisory patched and unaffected version policies).
If one is found, a vulnerability (the combination of a security advisory and a project dependency ) is then added to the report.
The task will exit with a 0 status only if the report passes (ie. it reports no vulnerabilities). Otherwise, it will exit with a 1 status.
License
MixAudit is © 2020 Mirego and may be freely distributed under the New BSD license . See the LICENSE.md file.
The detective hat logo is based on this lovely icon by Vectors Point , from The Noun Project. Used under a Creative Commons BY 3.0 license.
About Mirego
Mirego is a team of passionate people who believe that work is a place where you can innovate and have fun. We’re a team of talented people who imagine and build beautiful Web and mobile applications. We come together to share ideas and change the world .
We also love open-source software and we try to give back to the community as much as we can.
以上所述就是小编给大家介绍的《Scan your Elixir project's dependencies for known vulnerabilities》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!
猜你喜欢:
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
算法艺术与信息学竞赛
刘汝佳 / 清华大学出版社 / 2004-1 / 45.00元
《算法艺术与信息学竞赛》较为系统和全面地介绍了算法学最基本的知识。这些知识和技巧既是高等院校“算法与数据结构”课程的主要内容,也是国际青少年信息学奥林匹克(IOI)竞赛和ACM/ICPC国际大学生程序设计竞赛中所需要的。书中分析了相当数量的问题。 本书共3章。第1章介绍算法与数据结构;第2章介绍数学知识和方法;第3章介绍计算机几何。全书内容丰富,分析透彻,启发性强,既适合读者自学,也适合于课......一起来看看 《算法艺术与信息学竞赛》 这本书的介绍吧!
