fix(security): fix dependency vulnerabilities and harden security scanning
Main changes:
- Pin Go 1.25.5 with CI verification and update the scanning workflow
- Upgrade quic-go, x/crypto, req and other dependencies and pass govulncheck
- Harden JWT validation, TLS configuration and dynamic xlsx loading
- Add an audit-exception list and a validation script
docs/dependency-security.md (Normal file, 58 lines added)
@@ -0,0 +1,58 @@
# Dependency Security
This document describes how dependency and toolchain security is managed in this repo.
## Go Toolchain Policy (Pinned to 1.25.5)
The Go toolchain is pinned to 1.25.5 to address known security issues.
Locations that MUST stay aligned:
- `backend/go.mod`: `go 1.25.5` and `toolchain go1.25.5`
- `Dockerfile`: `GOLANG_IMAGE=golang:1.25.5-alpine`
- Workflows: use `go-version-file: backend/go.mod` and verify `go1.25.5`
Update process:
1. Change `backend/go.mod` (go + toolchain) to the new patch version.
2. Update `Dockerfile` GOLANG_IMAGE to the same patch version.
3. Update workflows if needed and keep the `go version` check in place.
4. Run `govulncheck` and the CI security scan workflow.
## Security Scans
Automated scans run via `.github/workflows/security-scan.yml`:
- `govulncheck` for Go dependencies
- `gosec` for static security issues
- `pnpm audit` for frontend production dependencies
Policy:
- High/Critical findings fail the build unless explicitly exempted.
- Exemptions must include mitigation and an expiry date.
## Audit Exceptions
Exception list location: `.github/audit-exceptions.yml`
Required fields:
- `package`
- `advisory` (GHSA ID or advisory URL from pnpm audit)
- `severity`
- `mitigation`
- `expires_on` (recommended <= 90 days)
Process:
1. Add an exception with mitigation details and an expiry date.
2. Ensure the exception is reviewed before expiry.
3. Remove the exception when the dependency is upgraded or replaced.
## Frontend xlsx Mitigation (Plan A)
Current mitigation:
- Use dynamic import so `xlsx` only loads during export.
- Keep export access restricted and data scope limited.
## Rollback Guidance
If a change causes issues:
- Go: revert `backend/go.mod` and `Dockerfile` to the previous version.
- Frontend: revert the dynamic import change if needed.
- CI: remove exception entries and re-run scans to confirm status.
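Review bot: the "Audit Exceptions" section never states what happens once `expires_on` has passed, so the "Security Scans" policy ("High/Critical findings fail the build unless explicitly exempted") is incomplete: add a line saying that an expired entry no longer counts as an exemption and the scan fails on that finding, otherwise process step 2 ("Ensure the exception is reviewed before expiry") has no enforcement behind it. The commit message also mentions a validation script for the exception list, but the document only gives "Exception list location: `.github/audit-exceptions.yml`" and does not name the script or say at which step of `security-scan.yml` it runs; document that, and state that an entry missing any of the required fields (`package`, `advisory`, `severity`, `mitigation`, `expires_on`) is itself treated as a scan failure rather than being silently ignored.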