Node.js vulnerabilities: 6 tools you can use to check for vulnerabilities in Node.js


Vulnerabilities can exist in all products. The larger your software grows, the greater the potential for vulnerabilities.


Vulnerabilities create opportunities for exploits which could ruin both the user experience and the product itself.


Additionally, in today's fast-paced world, the rate at which vulnerabilities appear increases as companies demand rapid development (or update) cycles. And attackers are everywhere, looking to take advantage of them.


That is why it's important to check for vulnerabilities as early as possible in your applications. This helps you make sure that the final product is secure, and saves you a lot of time in the long run.


In this article, we'll look at six tools that will help you check for vulnerabilities in Node.js.


Vulnerabilities in Node.js

Security vulnerabilities are very common in Node.js. As developers, we keep using open source tools because we do not want to reinvent the wheel. This makes development easier and faster for us, but at the same time it introduces possible vulnerabilities to our applications.


The best we can do for ourselves is to continually verify the packages we use, because the more dependencies we pull in (including the transitive ones that our direct dependencies bring along), the more room there is for vulnerabilities.


Manually checking dependencies can be stressful and can increase development time. And going online to find out how vulnerable a package is before installing it can be time-consuming, especially for an application with many dependencies.


This is why we need automated tools to help us with this process.


Tools for Checking for Vulnerabilities in Node.js

1. Retire.js


Retire.js helps developers detect versions of libraries or modules with known vulnerabilities in Node.js applications.


It can be used in four ways:


  • A command line scanner to scan a Node.js application (install it with `npm install -g retire` and run `retire` in the project directory; it checks both installed npm packages and JavaScript files).

  • A Grunt plugin (grunt-retire), used to scan Grunt-enabled applications.

  • Browser extensions (Chrome and Firefox). These scan the sites you visit for references to insecure libraries and put warnings in the developer console.

  • Burp and OWASP ZAP plugins, used during penetration testing.

2. WhiteSource Renovate


WhiteSource Renovate is a multi-platform, multi-language open source tool by WhiteSource (the company has since been renamed Mend) that automates dependency updates.


It opens pull requests automatically when a dependency has a newer version, supports many platforms and package managers, and is easy to configure. Each update pull request includes the dependency's changelog and commit history so reviewers can see what changed.


It can be used in various ways such as:


  • A command-line tool that automates updating dependencies to newer versions, so that patched releases reach your project quickly.

  • A GitHub App that runs the same automation against GitHub repositories.

  • A GitLab integration that runs the automation against GitLab repositories.

Note that Renovate is an updater rather than a scanner: it keeps dependencies current, but on its own it does not report which of your currently installed versions have known vulnerabilities. Pair it with one of the scanners in this list.


WhiteSource Renovate also has an on-premises edition that extends the CLI tool with additional features.


3. OWASP Dependency-Check


Dependency-Check is a Software Composition Analysis (SCA) tool used for managing and securing open source software.


Developers can use it to identify publicly disclosed vulnerabilities in their dependencies. Its core analyzers cover Java and .NET; Node.js, Python and Ruby projects are handled by analyzers the project marks as experimental, so for a Node.js code base treat it as one input alongside an npm-native scanner rather than the only one.


The tool inspects the project's dependencies to gather information about every dependency. It determines whether there is a Common Platform Enumeration (CPE) identifier for a given dependency and, if one is found, it generates a list of the associated Common Vulnerabilities and Exposures (CVE) entries. Because the CPE match is based on names and version strings rather than on code, expect some false positives; Dependency-Check supports a suppression file for silencing findings you have confirmed do not apply.


Dependency-Check can be used as a CLI tool, a Maven plugin, a Gradle plugin, an Ant task and a Jenkins plugin.

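The version-range matching that the Retire.js browser extension and Dependency-Check both rely on, as an added example in Node.js (this is not code from the article or from any of the tools it describes): it extracts component names and versions from two constructed inputs, an npm package-lock.json and the script tags of an HTML page, and checks each version against a constructed advisory feed using a half-open range. The advisory shape (`atOrAbove`/`below`), the package names, versions and advisory identifiers are all made up for this example and do not refer to real packages or CVEs.

```javascript
'use strict';
// Added example, not code from the article or from Retire.js, OSS Index or
// Dependency-Check. It shows the core of what those tools do:
//  (1) discover which components (and versions) a project uses, and
//  (2) compare each version against the affected range of known advisories.
// The advisory feed, package names, versions, lock file and page below are all
// constructed for this example; none of them refer to real packages or CVEs.

// Constructed advisory feed. The {atOrAbove, below} shape is an assumption made
// for this example; real tools read a maintained database.
const ADVISORIES = [
  { name: 'demo-template', atOrAbove: '0.0.0', below: '2.4.1', id: 'DEMO-2020-001', severity: 'high' },
  { name: 'demo-template', atOrAbove: '3.0.0', below: '3.0.2', id: 'DEMO-2021-002', severity: 'medium' },
  { name: 'demo-http',     atOrAbove: '1.0.0', below: '1.9.0', id: 'DEMO-2019-003', severity: 'critical' },
];

// Parse "MAJOR.MINOR.PATCH"; a leading "v" and any pre-release suffix are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric, field-by-field comparison, so "1.10.0" sorts after "1.9.0"
// (a plain string comparison gets that wrong and can miss affected versions).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Half-open range check: atOrAbove <= version < below ("below" is the fixed version).
function isAffected(version, advisory) {
  return compareVersions(version, advisory.atOrAbove) >= 0 &&
         compareVersions(version, advisory.below) < 0;
}

// Source 1: an npm package-lock.json (lockfileVersion 2 or 3). Every installed
// package, including nested copies under other packages, is listed under
// "packages" keyed by its install path, so transitive dependencies are covered.
function componentsFromLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.version) continue; // "" is the root project itself
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    found.push({ name, version: entry.version, where: path });
  }
  return found;
}

// Source 2: <script src> tags in a page, the way the Retire.js browser extension
// works: infer library and version from the file name (e.g. demo-http-1.8.2.min.js).
function componentsFromHtml(html) {
  const found = [];
  const tag = /<script[^>]+src=["']([^"']+)["']/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const file = m[1].split('/').pop();
    const v = /^([a-z0-9_.-]+?)[-.]v?(\d+\.\d+\.\d+)(?:\.min)?\.js$/i.exec(file);
    if (v) found.push({ name: v[1], version: v[2], where: m[1] });
  }
  return found;
}

// Join the discovered components against the advisory feed.
function findVulnerable(components, advisories = ADVISORIES) {
  const hits = [];
  for (const c of components) {
    for (const a of advisories) {
      if (a.name === c.name && isAffected(c.version, a)) {
        hits.push({ ...c, id: a.id, severity: a.severity, fixedIn: a.below });
      }
    }
  }
  return hits;
}

// Constructed inputs. Note the nested copy of demo-template under demo-router:
// a flat "is demo-template up to date?" check would miss it.
const LOCKFILE = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/demo-template': { version: '2.3.0' },
    'node_modules/demo-http': { version: '1.10.3' },
    'node_modules/demo-router': { version: '0.4.0' },
    'node_modules/demo-router/node_modules/demo-template': { version: '3.0.1' },
  },
});
const PAGE = `<html><head>
<script src="/static/demo-http-1.8.2.min.js"></script>
<script src="https://cdn.example/demo-template-3.0.2.js"></script>
</head></html>`;

function scanAll() {
  return {
    lockfile: findVulnerable(componentsFromLockfile(LOCKFILE)),
    page: findVulnerable(componentsFromHtml(PAGE)),
  };
}

// One line per finding, in the shape a CLI scanner would print.
function report() {
  const lines = [];
  for (const [source, hits] of Object.entries(scanAll())) {
    for (const h of hits) {
      lines.push(`${source}: ${h.name}@${h.version} (${h.where}) -> ${h.id} ${h.severity}, fixed in ${h.fixedIn}`);
    }
  }
  return lines;
}

console.log(report().join('\n'));
```

Two details matter in practice: versions must be compared numerically (demo-http 1.10.3 is newer than the 1.9.0 fix and is correctly not flagged), and nested copies inside node_modules must be walked, which is why the lock file's `packages` map is used instead of only the top-level dependency list.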

4. OSS Index


OSS Index (run by Sonatype) is a free catalogue of millions of open source components that developers can search to find out whether a given component version has known vulnerabilities before adopting it. A clean result means no publicly known vulnerabilities for that version, not that the component is safe in every respect.


Sonatype also provides tools and plugins that query OSS Index for various ecosystems, including JavaScript (for example, auditjs for npm projects).


These allow you to scan projects for open source vulnerabilities and to integrate the check into the development process of the project.


5. Acunetix


Acunetix is a web application security scanner that lets developers identify vulnerabilities in Node.js applications and fix them before an attacker finds them. Unlike the dependency scanners above, it tests the running application over HTTP (dynamic analysis), so it finds problems in your own code and configuration, not only in third-party packages. It comes with a 14-day trial for testing applications.


The benefits of using Acunetix to scan web applications are numerous. Some of them are:


  • Tests for over 3000 vulnerabilities

  • Analysis of external links for malware and phishing URLs

  • Scanning of HTML, JavaScript, single page applications, and web services


6. NodeJsScan

NodeJsScan is a static security code scanner. It is used for discovering security vulnerabilities in web applications, web services and serverless applications.


It can be used as a CLI tool (which allows NodeJsScan to be integrated into CI/CD pipelines), as a web-based application, and through a Python API. Because it works by matching patterns in source code rather than by running the application, review its findings before acting on them: some will be false positives, and code that reaches a dangerous sink through several function calls may be missed.

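The kind of rule a static scanner like NodeJsScan applies, as an added example in Node.js (not code from the article or from NodeJsScan itself): a small constructed rule set for common Node.js sinks (eval, shell commands built from strings, file paths and response bodies built from request input) is run line by line over a constructed Express snippet, and each match is reported with file, line, rule and severity. Rule names, patterns and the sample source are all assumptions made for this example; a real scanner carries far more rules and tracks data flow across calls.

```javascript
'use strict';
// Added example, not code from the article or from NodeJsScan itself. It shows
// the kind of rule a static source scanner applies to Node.js code: match known
// dangerous sinks line by line and report file, line, rule and severity. The
// rules below are a small constructed set and the sample source is constructed
// too; a real scanner carries many more rules and does data-flow tracking.

const RULES = [
  { id: 'JS-EVAL', severity: 'high',
    description: 'eval() / new Function() run a string as code',
    pattern: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { id: 'NODE-EXEC-CONCAT', severity: 'high',
    description: 'shell command built from a dynamic string (command injection)',
    pattern: /\b(?:exec|execSync)\s*\(\s*(?:`[^`]*\$\{|["'][^"']*["']\s*\+)/ },
  { id: 'NODE-PATH-TRAVERSAL', severity: 'medium',
    description: 'file path built from request input (path traversal)',
    pattern: /\b(?:readFile|readFileSync|createReadStream)\s*\([^)]*\breq\.(?:params|query|body)\b/ },
  { id: 'EXPRESS-XSS', severity: 'medium',
    description: 'request input reflected into the response without encoding',
    pattern: /\bres\.(?:send|write)\s*\([^)]*\breq\.(?:params|query|body)\b/ },
];

// Scan one file's source text. Trailing "//" comments are stripped first so a
// commented-out eval() does not produce a finding. (This simple strip would also
// cut a string containing "//", such as a URL; a real scanner tokenises instead.)
function scanSource(fileName, source, rules = RULES) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    const code = text.replace(/\/\/.*$/, '');
    for (const rule of rules) {
      if (rule.pattern.test(code)) {
        findings.push({ file: fileName, line: index + 1, rule: rule.id,
                        severity: rule.severity, text: text.trim() });
      }
    }
  });
  return findings;
}

// Count findings per severity, the number a CI gate would usually act on.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  return counts;
}

// Constructed sample: a small Express app with three injection sinks and one
// safe call (a constant command) that must not be flagged.
const SAMPLE = [
  "const { exec } = require('child_process');",
  "const fs = require('fs');",
  "app.get('/ping', (req, res) => {",
  "  exec('ping -c 1 ' + req.query.host, (err, out) => res.send(out));",
  "});",
  "app.get('/file', (req, res) => {",
  "  fs.createReadStream('/srv/files/' + req.params.name).pipe(res);",
  "});",
  "app.get('/calc', (req, res) => {",
  "  res.send(String(eval(req.query.expr)));",
  "});",
  "const version = exec('node --version'); // eval(x) in a comment is ignored",
].join('\n');

const findings = scanSource('app.js', SAMPLE);
for (const f of findings) {
  console.log(`${f.file}:${f.line} [${f.severity}] ${f.rule}: ${f.text}`);
}
console.log(summarize(findings));
```

The `/calc` handler is reported twice (JS-EVAL and EXPRESS-XSS), which is the right outcome: it both executes attacker-controlled text and reflects it. The constant `exec('node --version')` on the last line is not reported, because the rule only fires when the command string is concatenated or interpolated; that is the kind of precision a pattern-based scanner can reach, while anything built up in a variable first and passed in later is beyond it.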

Conclusion

Packages, libraries and components for Node.js applications are released regularly, and the fact that they are open source and widely reused leaves room for vulnerabilities that affect many projects at once. This is true whether you're working with Node.js, Apache Struts, or any other open source framework.


Developers need to watch out for vulnerabilities in new releases of packages and know when it's necessary to update packages. The tools above can ease the process of creating efficient and reliable products.


