OSV-Scanner, the vulnerability scanner from Google

OSV Scanner

OSV-Scanner acts as a front end to the OSV.dev database

Google recently released OSV-Scanner, a tool that makes it easy for open source developers to check code and applications for vulnerabilities, taking into account the whole chain of dependencies associated with the code.

OSV-Scanner makes it possible to detect situations in which an application becomes vulnerable because of a problem in one of the libraries it uses as a dependency. The vulnerable library may be used indirectly, that is, called through another dependency.

Last year we undertook an effort to improve vulnerability triage for developers and consumers of open source software. This included the publication of the Open Source Vulnerability (OSV) schema and the launch of the OSV.dev service, the first distributed open source vulnerability database. OSV allows all the different open source ecosystems and vulnerability databases to publish and consume information in one simple, precise, machine-readable format.

Software projects are often built on top of a mountain of dependencies: instead of starting from scratch, developers incorporate external software libraries into their projects and add functionality on top. However, open source packages frequently contain unvetted code pulled in from other libraries. This practice creates what are known as "transitive dependencies" in software, and it means a project can carry many vulnerabilities that are hard to detect by hand.

Transitive dependencies have become a growing source of open source security risk over the past year. A recent report from Endor Labs found that 95% of open source vulnerabilities are in transitive or indirect dependencies, and a separate report from Sonatype showed that transitive dependencies accounted for six out of seven vulnerabilities affecting open source.

According to Google, the new tool starts by finding these transitive dependencies by analyzing manifests, software bills of materials (SBOMs) where available, and commit hashes. It then connects to the OSV vulnerability database to show the relevant vulnerabilities.

OSV-Scanner can automatically and recursively scan a directory tree, identifying projects and applications by the presence of git directories (vulnerability information is determined by a commit-hash lookup), SBOM files (Software Bill of Materials in SPDX and CycloneDX formats), manifests, or lockfiles from package managers such as Yarn, NPM, GEM, PIP, and Cargo. It also supports checking packages in container images built from packages in the Debian repositories.

OSV-Scanner is the next step in this effort, as it provides an officially supported interface to the OSV database that links a project's list of dependencies with the vulnerabilities affecting them.

Vulnerability information is taken from the OSV (Open Source Vulnerabilities) database, which covers security issues in Crates.io (Rust), Go, Maven, NPM (JavaScript), NuGet (C#), Packagist (PHP), PyPI (Python), RubyGems, Android, Debian and Alpine, as well as Linux kernel vulnerability data and project vulnerability reports hosted on GitHub.

The OSV database records the fix status of each problem, the commits in which the vulnerability appeared and was fixed, the range of affected versions, a link to the project repository with the code, and the advisory for the problem. The API provided allows a vulnerability to be identified at the level of a commit or tag, and the exposure to the problem to be analysed from derived products and dependencies.
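As an added illustration of the lockfile scanning and OSV API lookup described in the two paragraphs above (this is example code, not code from the OSV-Scanner project): it parses an npm package-lock.json, including nested transitive entries, into the request body accepted by the OSV.dev `/v1/querybatch` endpoint and joins the per-package results back to the dependency list. The lockfile and the API response are constructed here, and the vulnerability IDs are placeholders; the `package`/`version` query fields and the `results`/`vulns` response fields follow the OSV API.

```python
import json

# Constructed npm package-lock.json (lockfileVersion 3 layout), not a real project.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/express": {"version": "4.18.2"},
        # nested path: a transitive dependency pulled in by express
        "node_modules/express/node_modules/qs": {"version": "6.5.2"},
    },
})

def parse_package_lock(text):
    """Return [(name, version)] for every installed package, transitive ones included."""
    data = json.loads(text)
    pkgs = []
    for path, meta in data.get("packages", {}).items():
        if path == "" or "version" not in meta:
            continue  # root project entry, or a link without a resolved version
        # The package name is whatever follows the last "node_modules/" segment;
        # this keeps scoped names such as "@types/node" intact.
        name = path.rsplit("node_modules/", 1)[1]
        pkgs.append((name, meta["version"]))
    return pkgs

def build_querybatch(pkgs, ecosystem="npm"):
    """Request body for POST https://api.osv.dev/v1/querybatch: one query per package."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem}, "version": v}
                        for n, v in pkgs]}

def match_results(pkgs, response):
    """Join a querybatch response (results[] aligned with queries[]) back to packages."""
    findings = {}
    for (name, version), result in zip(pkgs, response["results"]):
        ids = sorted(v["id"] for v in result.get("vulns", []))
        if ids:
            findings[f"{name}@{version}"] = ids
    return findings

# Constructed response in the shape the querybatch endpoint returns; IDs are placeholders.
SAMPLE_RESPONSE = {"results": [
    {"vulns": [{"id": "OSV-PLACEHOLDER-1", "modified": "2022-12-01T00:00:00Z"}]},
    {},
    {"vulns": [{"id": "OSV-PLACEHOLDER-3", "modified": "2022-12-01T00:00:00Z"},
               {"id": "OSV-PLACEHOLDER-2", "modified": "2022-12-01T00:00:00Z"}]},
]}
```

In a real run the body from `build_querybatch` is POSTed to api.osv.dev and the JSON reply is passed to `match_results`; the git-directory case in the text uses a `commit` field in each query instead of `package` and `version`.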

Finally, it is worth mentioning that the project code is written in Go and distributed under the Apache 2.0 license. You can find more details about it at the following link.

Developers can download and try OSV-Scanner from the osv.dev website, or use the OpenSSF Scorecard vulnerability check to run the scanner automatically in their GitHub project.
