Looking for intentionally vulnerable NuGet packages for testing purposes


Question


I am looking for one or more nuget packages that intentionally contain vulnerabilities. I want to test some security tools that should be able to pick up such nugets in my projects automatically and notify me, but I am having trouble finding any.

Answer 1

Score: 1


If you go to the GitHub Advisories Database, you can click on the NuGet ecosystem.

The first advisory listed at the time I'm writing this lists 4 packages affected, although they're all runtime packages, so maybe you don't want to test with this package.

The first advisory that is not part of the .NET runtime at the time I'm writing this is for a package called Snappier, and going to the package detail page, versions tab on nuget.org, I can see that version 1.1.0 is listed as having a known vulnerability.

You might also be interested in this advisory on Newtonsoft.Json, which affects all older versions of the package, which is notable since Newtonsoft.Json is a very commonly used package, either directly or transitively through direct package dependencies. (nuget.org link to package details)
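The answer points at two packages with known-vulnerable versions. A practical way to use them is to seed a throwaway project with those versions and confirm that your scanner actually flags them. The script below is an added example, not code from the question or answer: it writes a minimal fixture `.csproj`, runs `dotnet list package --vulnerable` (a real .NET SDK command, available from the .NET 5 SDK onward) when the SDK is present, and parses the result. Snappier 1.1.0 is the version named in the answer; Newtonsoft.Json 12.0.3 is an assumption, an older release picked to fall under the "all older versions" advisory the answer describes. The sample scanner output and its advisory URLs are constructed placeholders so the parsing can be checked offline.

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Seeds a fixture project with the
# known-vulnerable package versions named in the answer, then checks that a
# scanner flags them. Uses `dotnet list package --vulnerable` when available.
# Pins: Snappier 1.1.0 comes from the answer; Newtonsoft.Json 12.0.3 is an
# assumption (an older release expected to be covered by the advisory).
set -eu

# Emit a minimal project file referencing the seeded packages.
make_test_csproj() {
cat <<'EOF'
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <!-- Test fixture only: these pins are intentionally vulnerable. -->
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Snappier" Version="1.1.0" />
    <PackageReference Include="Newtonsoft.Json" Version="12.0.3" />
  </ItemGroup>
</Project>
EOF
}

# Constructed sample of `dotnet list package --vulnerable` output (placeholder
# advisory URLs), used when the SDK is not installed so the parsing still runs.
SAMPLE_SCAN_OUTPUT='The following sources were used:
   https://api.nuget.org/v3/index.json

Project `VulnFixture` has the following vulnerable packages
   [net6.0]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
   > Newtonsoft.Json      12.0.3      12.0.3     High       https://github.com/advisories/GHSA-EXAMPLE-1
   > Snappier             1.1.0       1.1.0      High       https://github.com/advisories/GHSA-EXAMPLE-2
'

# Parse scanner output on stdin; flagged rows start with ">". Prints
# "package severity advisory-url" per flagged package. Severity and URL are the
# last two columns for both the top-level and the transitive tables.
flagged_packages() {
  awk '$1 == ">" { print $2, $(NF-1), $NF }'
}

# Read scanner output on stdin; succeed only if every named package was flagged.
# Usage: scan_output | check_expected Snappier Newtonsoft.Json
check_expected() {
  found=$(flagged_packages | awk '{ print $1 }')
  for pkg in "$@"; do
    if ! printf '%s\n' "$found" | grep -qxF "$pkg"; then
      echo "NOT flagged: $pkg" >&2
      return 1
    fi
  done
}

# Run the real scan when the .NET SDK is present, otherwise use the sample.
run_scan() {
  if command -v dotnet >/dev/null 2>&1; then
    dir=$(mktemp -d)
    make_test_csproj > "$dir/VulnFixture.csproj"
    ( cd "$dir" && dotnet restore >/dev/null && dotnet list package --vulnerable )
  else
    printf '%s' "$SAMPLE_SCAN_OUTPUT"
  fi
}

if run_scan | check_expected Snappier Newtonsoft.Json; then
  echo "scanner flagged every seeded package"
else
  echo "scanner missed a seeded package; check the tool's advisory source" >&2
fi
```

In a CI job you would turn the final `else` branch into a hard failure so that a scanner that silently stops reporting (stale advisory feed, wrong package source, disabled audit) breaks the build instead of going unnoticed. The same fixture project can be handed to any other dependency scanner; only `run_scan` and the column positions in `flagged_packages` need adjusting.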

huangapple
  • Posted on 17 April 2023 21:34:38
  • Please keep this link when reposting: https://go.coder-hub.com/76035754.html