
Re: malware



NPM issues aren't new; CPAN had (and still has) many of the same problems.

Kurt

> On Aug 13, 2018, at 15:19, Art Manion <amanion@cert.org> wrote:
>
>> On 8/13/18 12:55 PM, Jericho wrote:
>>
>> The second type is simply a malicious module that has nothing to do
>> with a legitimate module, other than having a similar name as a means
>> to get people to download it. An example is CVE-2017-16044: d3.js was
>> a malicious module published with the intent to hijack environment
>> variables. It has been unpublished by npm.
>
> This seems out of scope for CVE. I get that npm-style software
> distribution is a "new" and real thing, and I haven't looked at it in
> detail recently, but my impression is that the npm ecosystem is not
> very secure, and that this is an intentional choice:
>
> https://blog.npmjs.org/post/141702881055/package-install-scripts-vulnerability
>
> In old boxed-product terms, imagine "lib-png, which I downloaded and
> linked in because I wanted to include PNG support in my application."
> Not a technical vulnerability; I accidentally installed malware.
>
> Yes, these matter, and I'm in favor of telling the public about
> malicious npm-managed code, but that might not be CVE's job.
>
> I don't see much of a difference with CVE-2018-3779. Intentionally
> malicious code masquerading as legitimate, gains authority and
> reputation by being allowed on npm in the first place, depends on
> community to find and remove.
>
> In terms of being vulnerabilities (and in scope for CVE), I'd say no,
> not in scope. I wouldn't suggest removing any existing assignments,
> but either stop or make a decision to include such things in CVE's
> scope?
>
> Trying out the other side: There is a (popular but insecure) software
> development ecosystem, within that system, flagging malicious
> components is treated like a vulnerability/CVE assignment? Still
> doesn't really work for me.
>
> - Art

Page last updated or reviewed: August 17, 2018