Potential vulnerabilities in code generation tools
Question
I'm working on building a code generation tool using JHipster. It gives prompts on the CLI through which the customer can choose, and then the required Java package for the CRUD layer of the microservice gets generated. The code generator in the pipeline builds the package into the deployment JAR. Besides approved code scanning tools, what else can be done here on the security front? Is there a reference of potential threat models for similar kinds of tools, potential vulnerabilities or security issues, which we can take as reference or guidance for similar JHipster-based code generation tools?
Thank you!
Used: code scanning tools like Semgrep.
Answer 1
Score: 1
The JHipster generator is a Node application, so you can scan it like any other Node application using npm audit
or other npm-compatible tools; the same applies to your own tool.
Then, the most important part is to scan the generated code as part of your continuous integration toolchain (SonarQube, Snyk, GitLab, ...) and to scan for vulnerable dependencies (the Maven OWASP dependency plugin, ...).
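As an added example (not part of the answer above, and not code from JHipster or from any of the scanners named), the following Python gate shows how a pipeline can act on the two scans the answer recommends: it reads the JSON that `npm audit --json` writes for the generator and the JSON report OWASP dependency-check writes for the generated Maven project, applies one severity threshold to both, and returns a non-zero exit code so the CI stage fails. The sample reports are constructed, and the JSON field names (`vulnerabilities`, `severity`, `via`, `dependencies`, `fileName`, `name`) are assumptions based on npm's audit report version 2 and dependency-check's JSON format; check them against the versions in your pipeline.

```python
"""Severity gate for scanner output produced in a code-generator pipeline.

Reads the JSON written by `npm audit --json` (run against the JHipster-based
generator) and by OWASP dependency-check's JSON report (run against the
generated Maven project) and fails the build when any finding is at or above a
chosen severity. The field names used below are assumptions based on npm's
audit report (auditReportVersion 2) and dependency-check's JSON report;
verify them against the tool versions in your pipeline.
"""
import json
import sys

# Ordered from least to most severe. dependency-check reports upper-case
# severities and npm lower-case ones, so everything is lower-cased on the way in.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "medium": 2, "high": 3, "critical": 4}


def npm_audit_findings(report: dict) -> list[tuple[str, str, str]]:
    """Return (package, severity, advisory titles) tuples from an npm audit v2 report."""
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        severity = str(vuln.get("severity", "info")).lower()
        # `via` mixes advisory objects with plain strings naming the dependency path;
        # only the objects carry a title.
        titles = [v.get("title", "") for v in vuln.get("via", []) if isinstance(v, dict)]
        findings.append((name, severity, "; ".join(t for t in titles if t)))
    return findings


def dependency_check_findings(report: dict) -> list[tuple[str, str, str]]:
    """Return (artifact, severity, vulnerability id) tuples from a dependency-check JSON report."""
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []) or []:
            severity = str(vuln.get("severity", "info")).lower()
            findings.append((dep.get("fileName", "?"), severity, vuln.get("name", "?")))
    return findings


def gate(findings, threshold: str = "high") -> list[tuple[str, str, str]]:
    """Return the findings at or above `threshold`; an empty list means the gate passes."""
    limit = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f[1], 0) >= limit]


# Constructed sample reports (not real scanner output) so the script runs offline.
SAMPLE_NPM_AUDIT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-template-lib": {
            "name": "example-template-lib",
            "severity": "critical",
            "via": [{"title": "Constructed advisory: prototype pollution", "severity": "critical"}],
            "fixAvailable": True,
        },
        "example-cli-helper": {
            "name": "example-cli-helper",
            "severity": "low",
            "via": ["example-template-lib"],  # transitive: string entry, no advisory object
            "fixAvailable": True,
        },
    },
}

SAMPLE_DEPENDENCY_CHECK = {
    "dependencies": [
        {"fileName": "example-json-parser-1.0.0.jar",
         # placeholder identifier, not a real CVE
         "vulnerabilities": [{"name": "CVE-0000-0000", "severity": "HIGH"}]},
        {"fileName": "example-logging-2.3.4.jar", "vulnerabilities": []},
    ],
}


def run(npm_report: dict, dc_report: dict, threshold: str = "high") -> int:
    """Print blocking findings and return the process exit code (0 = pass, 1 = block)."""
    blocking = gate(npm_audit_findings(npm_report) + dependency_check_findings(dc_report), threshold)
    for subject, severity, detail in blocking:
        print(f"BLOCK {severity.upper():8} {subject}: {detail}")
    return 1 if blocking else 0


if __name__ == "__main__":
    # In a pipeline, load the real files instead of the samples, e.g.
    # json.load(open("npm-audit.json")) and json.load(open("dependency-check-report.json")).
    sys.exit(run(SAMPLE_NPM_AUDIT, SAMPLE_DEPENDENCY_CHECK))
```

With the constructed samples the gate blocks on the critical npm finding and the high dependency-check finding while letting the low-severity transitive entry through; raising the threshold to `critical` would still block because of the generator's own dependency, which is the case the answer's "same for your own tool" remark is about. Keeping both scans behind one threshold makes the policy for the generator and for what it generates identical, so a finding cannot slip through just because it surfaced in the other report.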