e70c0462d7
- engine-doc canonical docs/governance/harness-11-engine.md (PHẦN A/B/C/D + 3-tier D5/D6/D7 + one-direction-lock D8 + CAVEAT honest) - scripts/governance-detectors.ps1 (C1 broken-pointer + C2/B3 staleness + C3 vocab-fork + C4 self-exclusion + C5 resolve, NO-API DÒ+FLAG-only, runtime-proven, FP-refined 59→27) - scripts/memory-archive-gate.ps1 (PHẦN A: hysteresis 0.85 + keep-floor 5 + 2-strike + A7 NO-API L1-eval) + budget.json archive_gate - B1 ×11 count→canonical-pointer (root CLAUDE.md, ef-core/dep-audit SKILL, skills/README, docs/CLAUDE.md) — drift mig53→55/test306→339/gotcha68→69 RESOLVED + ef-core +Mig 54/55 rows - cadence-wire D1 session-start §2.1.3 + D2 session-end §L.b(c) + agents/README Upgrade S75 - run-trace TRACKED: audit wf_7fdc3bd5-930 / implement wf_c5e5844e-7c1 / review wf_d7ca1ff8-942 (REVIEW PASS, completeness-gate ĐẠT) - check-email AI_INFRA harness-11 (verify whole-file 318ff9f6 + body b2a2fc1c) + adap-report + outbox report (body 7fa1b53a) - 0 production code; state THẬT giữ nguyên (Mig 55 · 88 bảng · 339 test · gotcha 69 · menu 54 · bundle BYF5vIMJ/CB-tiRxd) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
5.4 KiB
5.4 KiB
name, description, when-to-use
| name | description | when-to-use | |||||||
|---|---|---|---|---|---|---|---|---|---|
| dependency-audit-erp | Scan lỗ hổng NuGet + npm cho SOLUTION_ERP (.NET 10 + 2 FE React). Chạy dotnet list package --vulnerable + npm audit cho fe-admin/fe-user, report CVE + decide upgrade path. Respect pin constraint (MediatR 12.4.1 cannot upgrade to 14, Swashbuckle 6.9.0 cannot upgrade to 7+, Node 20.x only for CI). |
|
Dependency Audit — SOLUTION_ERP
Context: Phase 5.1 security backlog explicit — "Dependencies scan CI (
dotnet list package --vulnerable --include-transitive,npm audit --audit-level=high)". Chưa hook vào workflow, có thể chạy manual.
Commands (chạy từ root repo)
Backend .NET
# Restore trước khi scan (first time / sau pull)
dotnet restore
# Scan top-level + transitive vulnerable
dotnet list src/Backend/SolutionErp.Api/SolutionErp.Api.csproj package --vulnerable --include-transitive
# Scan cả solution
dotnet list SolutionErp.slnx package --vulnerable --include-transitive
# Outdated check (khác vulnerable — chỉ cảnh báo version cũ)
dotnet list SolutionErp.slnx package --outdated
Output interpretation:
> High/> Criticalseverity → fix ngay (pin lên patch/minor version không breaking)> Moderate→ plan trong sprint tới> Low→ track, không rush
Frontend 2 app
# fe-admin
cd fe-admin
npm audit --audit-level=high
npm audit --json > ../tmp/fe-admin-audit.json # detail
cd ..
# fe-user
cd fe-user
npm audit --audit-level=high
npm audit --json > ../tmp/fe-user-audit.json
cd ..
Hoặc chạy song song từ 1 lệnh:
cd fe-admin; npm audit --audit-level=high; cd ..; cd fe-user; npm audit --audit-level=high; cd ..
⚠️ Pin constraints — KHÔNG auto-upgrade dù có CVE/outdated
Đọc docs/gotchas.md trước khi bấm npm audit fix hoặc dotnet add package. Những pin sau đây có lý do rõ ràng:
Backend pins
| Package | Current | Lý do không upgrade | Gotcha # |
|---|---|---|---|
MediatR |
12.4.1 | v14 breaking — AddMediatR fail resolve IMediator |
#1 |
Swashbuckle.AspNetCore |
6.9.0 | v10+ yêu cầu Microsoft.OpenApi 2.x — breaking Swashbuckle.AspNetCore.Models namespace |
#2 |
Microsoft.AspNetCore.OpenApi |
removed | Conflict Swashbuckle, dùng riêng 1 trong 2 | #2 |
Microsoft.EntityFrameworkCore |
10.x | Pin theo .NET 10 SDK (global.json 10.0.104) |
— |
Microsoft.AspNetCore.Identity |
10.x | Pin theo .NET 10 — AddIdentityCore không có AddDefaultTokenProviders |
#8 |
Frontend pins
| Package | Current | Lý do pin |
|---|---|---|
typescript |
6.x | erasableSyntaxOnly cấm enum → đã rewrite const-object pattern, rollback = rewrite lại (#3) |
vite |
8.x | rolldown native binding cần fresh node_modules trên CI (gotcha npm ci fail) |
@microsoft/signalr |
8.0.7 | SignalR hub version parity với ASP.NET Core 10 — test kỹ trước khi bump |
react |
19 | Auto-scaffolded, đã style-adapt cho |
| Node engine | >=20 |
CI pin 20.x qua .nvmrc (NamGroup bài học, gotcha #5) |
Workflow khi fix vulnerability
1. Đọc CVE detail: npm audit (--json) hoặc https://github.com/advisories/GHSA-xxxx
2. Check có phải transitive dep không?
- Direct → bump trong package.json / .csproj, test build
- Transitive → check ancestor package, có newer không
3. Nếu ancestor fix available nhưng là major version:
- Đánh giá breaking change (đọc CHANGELOG)
- Nếu yes → defer + document, dùng npm overrides hoặc dotnet transitive constraint
4. Test local:
- BE: dotnet build + dotnet run → /health/ready healthy
- FE: npm run build + npm run dev → login flow + CRUD smoke test
5. Commit [CLAUDE] Infra: bump <package> for CVE-xxxx
6. Watch CI xanh
CI integration (TODO — Phase 5.1 backlog)
Dự kiến thêm vào .gitea/workflows/deploy.yml step:
- name: Deps audit
shell: pwsh
run: |
dotnet list SolutionErp.slnx package --vulnerable --include-transitive 2>&1 | Tee-Object -Variable nugetOut
if ($nugetOut -match 'has the following vulnerable packages') {
Write-Error "NuGet vulnerabilities found"
exit 1
}
cd fe-admin; npm audit --audit-level=high; if ($LASTEXITCODE -ne 0) { exit 1 }; cd ..
cd fe-user; npm audit --audit-level=high; if ($LASTEXITCODE -ne 0) { exit 1 }; cd ..
Gate nên set continue-on-error: true lần đầu → monitor 1 tuần → enable blocking.
Output template (khi manual chạy)
# Deps audit — {YYYY-MM-DD}
## NuGet
- Critical: 0
- High: 0
- Moderate: 0
- Low: 0
## npm fe-admin
- Critical: 0
- High: 0
- Moderate: N (liệt kê)
## npm fe-user
- Critical: 0
- High: 0
- ...
## Action items
- [ ] Bump X from a.b.c → a.b.d (patch, safe) — CVE-xxxx
- [ ] Defer Y (v3 → v4 breaking, plan Phase N)
- [ ] Override Z via npm overrides (transitive, no direct bump)
Lưu vào docs/changelog/deps-audit-{YYYY-MM-DD}.md nếu có action.
Related
docs/gotchas.md— bẫy package compat / CI / IIS / Identity / per-NV refactor / SQLite tie-break đã gặp (số hiện tại →docs/STATUS.md)docs/changelog/migration-todos.mdPhase 5.1 — checklist deps scan CISolutionErp.slnx+global.json— .NET version pin