Google ichangobva kuzivisa kuvhurwa kwe sevhisi nyowani inonzi "OSV" (Vhura Sosi Vulnerability), iyo kanainopa mukana kune dhatabhesi yeruzivo nezve kusagadzikana mune yakavhurika sosi software.
Basa racho inopa API iyo inobvumira otomatiki kuumbwa kwezvikumbiro kuti uwane ruzivo nezve kusagadzikana, zvine chirevo kune chinzvimbo cheiyo repodhi nekodhi. Njodzi dzinopihwa zvitupa zveOSV paradzanisa iyo inozadzisa iyo CVE neruzivo rwakawedzerwa.
Kunyanya iyo OSV dhatabhesi inoratidza mamiriro eiyi dambudziko mhinduro, izvo zvivimbiso zvinoratidzwa nechitarisiko uye kugadzirisa kwekusagadzikana, huwandu hweshanduro dzakashata, zvinongedzo kune reprojekiti repodhi nekodhi uye kuziviswa kwedambudziko.
Isu tinofara kuvhura OSV (Vhura Sosi Vulnerability), danho redu rekutanga kunatsiridza kusagadzikana kusarudzika kwevagadziri nevatengi veyakavhurika sosi software. Chinangwa cheOSV ndechekupa iyo chaiyo data kwese kwayakaunzwa nenjodzi uye kwayakagadziriswa, zvichidaro kubatsira yakavhurika sosi software vashandisi kuti vanyatsoona kana vakanganiswa vozoita zvekuchengetedza zvekuchengetedza nekukurumidza sezvazvinogona. Isu tatanga OSV ine dhata seti yekukanganisa kusagadzikana kunowanikwa neOSS-Fuzz sevhisi. Iyo OSV chirongwa chakashanduka kubva kuyedza kwedu kwazvino kwekuvandudza yakavhurika sosi yekushomeka manejimendi ("Ziva, Dzivirira, Gadzirisa" fomati).
Kugadzirisa kusagadzikana kunogona kurwadza kune vese vatengi uye vanochengeta yakavhurika sosi software, uye mune dzakawanda zviitiko zvinosanganisira zvinonetesa basa remawoko.
Chinangwa chikuru kugadzira OSV ndeyekurerutsa maitiro ekuzivisa vanochengeta mapakeji nezve kushomeka kunyatso kuratidza vhezheni uye kuita izvo zvinokanganiswa nenyaya. Iyo data iriko inobvumidza pane zvaunoita uye tag nhanho yekutevera kuratidzwa kwekushupika uye kuongorora kukanganisika kune dambudziko rezvinobva uye kutsamira.
Mukuwedzera pakutsvaga kusagadzikana, inofanirwa zvakare kugadzirisa kushandurwa kweshanduro dzakabatwa. Kune izvi, sevhisi inoenderana nema automated maitiro ekuongorora maitiro uye bisection. Iyo yekupedzisira inoshandiswa kuwana iyo simbiso yekuti iwe waunza imwe bug mune chirongwa.
Chero ani anoshandisa rakavhurika sosi raibhurari anogona kuwana OSV kuburikidza neAPI uye nekuona kana imwe vhezheni ichikanganiswa nenjodzi yakawanikwa. Kiyi ye API kubva kuGoogle API koni inodikanwa kumubvunzo.
Kune vatengi veyakavhurika sosi software, zvinowanzo kunetsa kugovera kushupika senge Zvakajairika Dambudziko uye Kufumura (CVE) kupinda kune mapakeji mavhezheni avanoshandisa. Izvi zvinokonzerwa nenyaya yekuti marongero ekushandura ematanho aripo ekushomeka (akadai seCommunity Platform Enumeration (CPE)) haawirirane zvakanaka neakavhurika chaiwo masosi ekushandura, ayo anowanzove mavhezheni / ma tag uye yekusimbisa hashes. Mhedzisiro yacho inofuratirwa nenjodzi dzinokanganisa vashoma vekunze.
Semuenzaniso, iyo API inokutendera iwe kukumbira ruzivo nezve kuvapo kwekusasimba nenhamba yekusimbisa kana chirongwa chechirongwa. Parizvino, dhatabhesi rine anenge zviuru makumi maviri neshanu zvezvinetso zvakaonekwa mune otomatiki fuzzing yekuyedza maitiro muOSS-Fuzz system, iyo inovhara kodhi yemamwe anopfuura 380 akavhurwa sosi mapurojekiti muC / C ++.
Tiri kuronga kushanda neakavhurika masosi enharaunda kuyera nedata kubva kune akasiyana mitauro ecosystems (semuenzaniso NPM, PyPI) uye kuvaka pombi yevanochengeta mapakeji kuendesa kusagadzikana nebasa shoma.
Mune ramangwana, zvakarongwa kubatanidza mamwe masosi eruzivo pane kusagadzikana kune dhatabhesi. Semuenzaniso, basa riri kuitwa rekubatanidza ruzivo nezve kushomeka muzvirongwa mumutauro weGo, pamwe neNPM nePyPl ecosystems.
Chekupedzisira, kana iwe uchida kuziva zvakawanda nezvazvo, unogona kubvunza chinotevera chinongedzo.