OSV-Scanner, a vulnerability scanner from Google

OSV-Scanner

OSV-Scanner works as a front end to the OSV.dev database

Google has just released OSV-Scanner, a tool that gives open source developers an easy way to check their code and applications for unpatched vulnerabilities, taking into account the entire chain of dependencies the code relies on.

OSV-Scanner makes it possible to detect situations in which an application is vulnerable because of a flaw in one of the libraries it uses as a dependency. The vulnerable library need not be a direct dependency: it may be pulled in indirectly, that is, through another dependency.

Last year, we undertook an effort to improve vulnerability triage for developers and consumers of open source software. This included the publication of the Open Source Vulnerability (OSV) schema and the launch of the OSV.dev service, the first distributed open source vulnerability database. OSV allows all the different open source ecosystems and vulnerability databases to publish and consume information in one simple, precise, and machine-readable format.

Software projects are commonly built on top of a mountain of dependencies: rather than starting from scratch, developers incorporate external software libraries into their projects to add functionality. However, open source packages often contain undocumented pieces of code pulled in from other libraries. This practice creates what are known as "transitive dependencies" in software, and it means a project can contain many layers of vulnerabilities that are hard to track by hand.

Transitive dependencies have become a growing source of open source security risk over the past year. A recent report from Endor Labs found that 95% of open source vulnerabilities lie in transitive or indirect dependencies, and a separate report from Sonatype likewise highlighted that transitive dependencies account for XNUMX of XNUMX vulnerabilities affecting open source.

According to Google, the new tool starts by identifying these transitive dependencies, analysing manifests, software bills of materials (SBOMs) where they exist, and commit hashes. It then connects to the OSV database to show the relevant vulnerabilities.

OSV-Scanner can automatically and recursively scan a directory tree, identifying projects and applications by the presence of git directories (vulnerability information is resolved from the commit hash), SBOM files (Software Bill of Materials in the SPDX and CycloneDX formats), manifests, or the lock files of package managers such as Yarn, NPM, GEM, PIP and Cargo. It also supports scanning Docker container images built from packages in the Debian repositories.

OSV-Scanner is the next step in this effort, providing an officially supported front end to the OSV database that connects a project's list of dependencies with the vulnerabilities that affect them.

The vulnerability information is taken from the OSV (Open Source Vulnerabilities) database, which covers security issues in Crates.io (Rust), Go, Maven, NPM (JavaScript), NuGet (C#), Packagist (PHP), PyPI (Python), RubyGems, Android, Debian and Alpine, as well as Linux kernel data and project vulnerability reports hosted on GitHub.

Each OSV record shows the fix status of the issue, the commits in which the vulnerability was introduced and fixed, the range of versions affected, and links to the project repository with the code and to the issue report. The API provided lets you track the presence of a vulnerability at the level of individual commits and tags, and analyse the exposure of derived products and dependents to the issue.
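The matching step described above, where a scanner compares the dependency versions it found in a lock file against the affected ranges in an OSV record, as an added example that is not part of the original article or of OSV-Scanner's own code. The Go program below parses a constructed OSV-style record and decides whether a given package version falls into one of its SEMVER ranges. The record, its ID "OSV-EXAMPLE-0001", the package name "example-lib" and every version number in it are placeholders made up for this example; the struct is a hand-written subset of the published OSV schema, and the version ordering is a deliberately simplified major.minor.patch comparison rather than full semver precedence.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the OSV schema (https://ossf.github.io/osv-schema/). encoding/json
// matches keys case-insensitively, so no struct tags are needed.
type Event struct{ Introduced, Fixed string } // exactly one field is set per event
type OSVEntry struct {
	ID       string
	Affected []struct {
		Package struct{ Ecosystem, Name string }
		Ranges  []struct {
			Type   string // SEMVER, ECOSYSTEM or GIT
			Events []Event
		}
	}
}

// constructedRecord is hand-written for this example: the ID, package name and
// version numbers are placeholders, not a real advisory.
const constructedRecord = `{"id": "OSV-EXAMPLE-0001", "affected": [{"package": {"ecosystem": "npm", "name": "example-lib"},
  "ranges": [{"type": "SEMVER", "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.3"},
                                          {"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}]}]}`

// parseSemver reads MAJOR.MINOR.PATCH; missing parts default to 0 and a suffix (-rc1, +build) is ignored.
func parseSemver(s string) (v [3]int, err error) {
	if n, _ := fmt.Sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2]); n == 0 {
		err = fmt.Errorf("not a semver version: %q", s)
	}
	return
}

func cmpSemver(a, b [3]int) int { // sign of the first differing component
	for i := range a {
		if a[i] != b[i] {
			return a[i] - b[i]
		}
	}
	return 0
}

// inRange walks the events in order: "introduced" opens a window that the next
// "fixed" closes half-open, so the fixed version itself is not affected.
func inRange(rangeType string, events []Event, v [3]int) (bool, error) {
	if rangeType != "SEMVER" { // ECOSYSTEM and GIT ranges need ecosystem-specific ordering
		return false, nil
	}
	lo, open := [3]int{}, false
	for _, e := range events {
		bound, err := parseSemver(e.Introduced + e.Fixed) // unsupported events (e.g. last_affected) error out
		if err != nil {
			return false, err
		}
		switch {
		case e.Introduced != "": // "0" means "from the first version ever published"
			lo, open = bound, true
		case open && cmpSemver(v, lo) >= 0 && cmpSemver(v, bound) < 0:
			return true, nil
		default:
			open = false
		}
	}
	return open && cmpSemver(v, lo) >= 0, nil // a window never closed by "fixed" is open-ended
}

// IsAffected reports whether ecosystem/name@version falls in any affected range of entry.
func IsAffected(entry OSVEntry, ecosystem, name, version string) (bool, error) {
	v, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	for _, a := range entry.Affected {
		if a.Package.Ecosystem != ecosystem || a.Package.Name != name {
			continue
		}
		for _, r := range a.Ranges {
			if hit, err := inRange(r.Type, r.Events, v); hit || err != nil {
				return hit, err
			}
		}
	}
	return false, nil
}

func ParseRecord(data string) (e OSVEntry, err error) {
	err = json.Unmarshal([]byte(data), &e)
	return
}

func main() {
	e, err := ParseRecord(constructedRecord)
	if err != nil {
		panic(err)
	}
	for _, ver := range []string{"1.1.9", "1.3.5", "1.4.3", "2.0.5", "2.1.0"} {
		hit, err := IsAffected(e, "npm", "example-lib", ver)
		fmt.Println(e.ID, "example-lib@"+ver, "affected:", hit, err)
	}
}
```

Two design points matter for a scanner. First, an unparseable version is reported as an error rather than as "not affected", so a malformed lock file cannot silently hide a finding. Second, only SEMVER ranges are evaluated here; a real tool must also order ECOSYSTEM ranges with the ecosystem's own version rules and resolve GIT ranges through commit hashes, which is what the article describes OSV-Scanner doing for git checkouts.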

Finally, it is worth mentioning that the project's code is written in Go and distributed under the Apache 2.0 license. You can find more details about it at the following link.

Developers can download and try OSV-Scanner from the osv.dev website, or use the OpenSSF Scorecard vulnerabilities check to run the scanner automatically against a GitHub project.

