OSV-Scanner, a vulnerability scanner from Google

OSV Scanner

OSV-Scanner works as a front end to the OSV.dev database

Google has just released OSV-Scanner, a tool that gives open source developers easy access to vulnerability information for their code and applications, taking into account the whole chain of dependencies linked to that code.

OSV-Scanner makes it possible to detect situations in which an application becomes vulnerable because of problems in one of the libraries it uses as a dependency. In such a case the vulnerable library may be used indirectly, that is, it is pulled in by another dependency.

Last year, we undertook an effort to improve vulnerability triage for developers and consumers of open source software. This included the release of the Open Source Vulnerability schema (OSV) and the launch of the OSV.dev service, the first distributed open source vulnerability database. OSV allows all the different open source ecosystems and vulnerability databases to publish and consume information in a simple, accurate, and machine-readable format.

Software projects are often built on top of a mountain of dependencies: instead of starting from scratch, developers include external software libraries in their projects and add further functionality on top. However, open source packages frequently contain pieces of code pulled in from other libraries that are not documented in the project's own manifest. This practice creates what are known as "transitive dependencies" in software, and it means a project can contain several layers of vulnerabilities that are hard to find by hand.

Transitive dependencies have become a growing source of open source security risk over the past year. A recent report from Endor Labs found that 95% of open source vulnerabilities lie in transitive or indirect dependencies, and a separate report from Sonatype also showed that transitive dependencies account for six out of seven vulnerabilities affecting open source.

According to Google, the new tool starts by finding these transitive dependencies by analyzing manifests, software bills of materials (SBOMs) where available, and commit hashes. It then connects to the open source vulnerability database (OSV) to display the relevant vulnerabilities.

OSV-Scanner can also automatically scan a directory tree, identifying projects and dependencies by the presence of git directories (vulnerability information is determined by checking commit hashes), SBOM files (Software Bill of Materials in the SPDX and CycloneDX formats), manifests, or lock files from package managers such as Yarn, NPM, GEM, PIP, and Cargo. It also supports scanning Docker container images built from packages from Debian repositories.

OSV-Scanner is the next step in this effort, as it provides an officially supported front end to the OSV database that links a project's list of dependencies with the vulnerabilities that affect them.

Vulnerability information is taken from the OSV (Open Source Vulnerabilities) database, which covers security issues in Crates.io (Rust), Go, Maven, NPM (JavaScript), NuGet (C#), Packagist (PHP), PyPI (Python), RubyGems, Android, Debian and Alpine, as well as Linux kernel vulnerability data and vulnerability reports for projects hosted on GitHub.

The OSV database records the status of the fix for a problem, the commits in which the vulnerability appeared and was fixed, the range of versions affected by the vulnerability, links to the project's repository with the code, and the issue report. The API provided lets you check for a vulnerability at the level of a commit or tag, and assess exposure to the issue for derived products and dependencies.
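The dependency walk and OSV lookup described above, as an added example in Python that is not OSV-Scanner's own code: it flattens a constructed lockfile-style tree to its transitive closure, builds the body for the OSV.dev /v1/querybatch endpoint (package name, ecosystem and version, or a git commit hash), and maps a constructed response back to the packages, flagging whether each hit sits in a direct or a transitive dependency. The tree, the placeholder advisory id and the response are constructed sample data; the endpoint and the query and result shapes are those of the public OSV.dev API.

```python
"""Walk a dependency tree to its transitive closure, build the OSV.dev
batch query for every package in it, and map the answers back to the
packages (direct or transitive) that triggered them.

Added illustration, not OSV-Scanner's own code. Request and response
shapes follow the public OSV.dev API (POST /v1/querybatch with
{"queries": [...]}, answered by {"results": [...]} in the same order);
the tree, the commit hash and the response are constructed sample data.
"""
import json
from collections import deque

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed sample tree in the shape a lockfile resolves to: every
# package pins one version and lists the packages it depends on.
# "deep-util" is reached through two parents (a diamond) and never
# appears in the project's own manifest.
SAMPLE_TREE = {
    "webframework": {"ecosystem": "npm", "version": "4.1.0", "deps": ["parser", "tmpl"]},
    "parser":       {"ecosystem": "npm", "version": "2.0.3", "deps": ["deep-util"]},
    "tmpl":         {"ecosystem": "npm", "version": "1.2.0", "deps": ["deep-util"]},
    "deep-util":    {"ecosystem": "npm", "version": "0.9.1", "deps": []},
}
DIRECT_DEPS = ["webframework"]

# Constructed response: one result per query, in query order. An empty
# object means "no known vulnerabilities"; querybatch returns only the
# advisory ids (full records come from GET /v1/vulns/{id}).
SAMPLE_RESPONSE = {
    "results": [
        {},  # webframework
        {},  # parser
        {},  # tmpl
        {"vulns": [{"id": "GHSA-xxxx-xxxx-xxxx",   # placeholder id, constructed
                    "modified": "2022-12-01T00:00:00Z"}]},  # deep-util
    ]
}


def transitive_closure(tree, roots):
    """Breadth-first walk from the direct dependencies.

    Returns {package: depth} with depth 0 for direct dependencies. Each
    package is recorded once, so diamonds are queried a single time and
    cycles cannot loop.
    """
    depth = {}
    queue = deque((name, 0) for name in roots)
    while queue:
        name, d = queue.popleft()
        if name in depth:
            continue
        depth[name] = d
        for child in tree[name]["deps"]:
            queue.append((child, d + 1))
    return depth


def package_query(tree, name):
    """Query object for one pinned package (name + ecosystem + version)."""
    rec = tree[name]
    return {"package": {"name": name, "ecosystem": rec["ecosystem"]},
            "version": rec["version"]}


def commit_query(sha):
    """Query object for a git checkout: OSV matches on the commit hash
    instead of a package version, which covers vendored or unreleased code."""
    return {"commit": sha}


def build_querybatch(tree, names, commits=()):
    """Body for POST /v1/querybatch; the i-th result answers the i-th query."""
    queries = [package_query(tree, n) for n in names]
    queries += [commit_query(c) for c in commits]
    return {"queries": queries}


def match_findings(tree, depth, names, response):
    """Pair each result with the package that produced its query and
    annotate whether the hit is in a direct or a transitive dependency."""
    findings = []
    for name, result in zip(names, response["results"]):
        for vuln in result.get("vulns", []):
            findings.append({
                "package": name,
                "ecosystem": tree[name]["ecosystem"],
                "version": tree[name]["version"],
                "vuln_id": vuln["id"],
                "depth": depth[name],
                "direct": depth[name] == 0,
            })
    return findings


def scan(tree, roots, response):
    """Closure -> query body -> findings. The body is what an HTTP client
    would POST to OSV_QUERYBATCH_URL; here the constructed response stands
    in for the network round trip."""
    depth = transitive_closure(tree, roots)
    names = list(depth)
    return build_querybatch(tree, names), match_findings(tree, depth, names, response)


if __name__ == "__main__":
    body, findings = scan(SAMPLE_TREE, DIRECT_DEPS, SAMPLE_RESPONSE)
    print("POST", OSV_QUERYBATCH_URL)
    print(json.dumps(body, indent=2))
    for f in findings:
        kind = "direct" if f["direct"] else f"transitive (depth {f['depth']})"
        print(f"{f['vuln_id']}: {f['ecosystem']}/{f['package']}@{f['version']} [{kind}]")
```

The only finding lands on deep-util at depth 2, a package the manifest never names, which is the point of walking the full closure rather than the direct list. Recording the depth alongside each hit also tells the reader which direct dependency to bump or pin to pull in a fixed version.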

Finally, it is worth mentioning that the project's code is written in Go and distributed under the Apache 2.0 license. You can find out more about it at the following link.

Developers can download and try OSV-Scanner from the osv.dev website, or use the OpenSSF Scorecard security check to run the scanner automatically in their GitHub projects.

