OSV-Scanner, a vulnerability scanner from Google

OSV Scanner

OSV-Scanner acts as a front end to the OSV.dev database

Google has just released OSV-Scanner, a tool that gives open source developers easy access to vulnerability scanning of the code and applications they maintain, taking into account the entire chain of dependencies associated with the code.

OSV-Scanner makes it possible to detect situations in which an application becomes vulnerable because of problems in one of the libraries used as a dependency. In this case the vulnerable library may be used indirectly, that is, called through another dependency.

Last year, we made an effort to improve vulnerability triage for developers and consumers of open source software. This involved publishing the Open Source Vulnerability (OSV) schema and launching the OSV.dev service, the first distributed open source vulnerability database. OSV enables all the different ecosystems and vulnerability databases to publish and consume information in a simple, precise, machine-readable format.

Software projects are usually built on top of a mountain of dependencies: instead of starting from scratch, developers incorporate external software libraries into their projects and add further functionality on top. However, open source packages often contain undocumented pieces of code taken from other libraries. This practice creates what are known as "transitive dependencies" in software, and means that a project may contain many layers of vulnerabilities that are hard to track manually.

Transitive dependencies have become a growing source of open source security risk over the past year. A recent report from Endor Labs found that 95% of open source vulnerabilities reside in transitive or indirect dependencies, and a separate report from Sonatype also highlighted that transitive dependencies account for six out of every seven vulnerabilities affecting open source.

According to Google, the new tool starts by looking for these transitive dependencies by analyzing manifests, software bills of materials (SBOMs) where available, and computing hashes. It then connects to the Open Source Vulnerabilities (OSV) database to show the relevant vulnerabilities.

OSV-Scanner can automatically and recursively scan a directory tree, identifying projects and applications by the presence of git references (vulnerability information determined by hash analysis), SBOM files (Software Bill of Materials in the SPDX and CycloneDX formats), manifests, or lock files from package managers such as Yarn, NPM, GEM, PIP and Cargo. It also supports scanning the packages of Docker container images built on packages from Debian repositories.

OSV-Scanner is the next step in this effort, as it provides an officially supported front end to the OSV database that links a project's list of dependencies to the vulnerabilities affecting them.

Vulnerability information is taken from the OSV (Open Source Vulnerabilities) database, which covers security issues in Crates.io (Rust), Go, Maven, NPM (JavaScript), NuGet (C#), Packagist (PHP), PyPI (Python), RubyGems, Android, Debian and Alpine, as well as Linux kernel data and project vulnerability reports hosted on GitHub.

The OSV data shows the fix status of an issue, confirmations of when the vulnerability appeared and was fixed, the range of versions affected by the vulnerability, links to the project's code repository and to the issue notification. The provided API lets you track the appearance of vulnerabilities at the commit and tag level and analyze exposure to an issue from derived products and dependencies.
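As an added illustration of the lock file scanning and OSV API lookup described above (this is example code, not part of OSV-Scanner or of the original article), the script below turns a constructed npm `package-lock.json` into the query list the OSV `querybatch` endpoint accepts, collapsing a transitive dependency installed under two parents into a single query, and then joins a constructed, placeholder response back onto the package name and version. The lock file contents, package names and the vulnerability ID are all made up; no network request is performed.

```python
import json
# Constructed package-lock.json (lockfileVersion 3 layout); not a real project.
# A "node_modules/<dep>/node_modules/<sub>" path is how npm records a
# transitive dependency, the case the article singles out.
LOCKFILE = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "0.1.0"},
    "node_modules/left-lib": {"version": "1.2.3"},
    "node_modules/left-lib/node_modules/deep-util": {"version": "0.9.0"},
    "node_modules/other-lib": {"version": "4.0.1"},
    "node_modules/other-lib/node_modules/deep-util": {"version": "0.9.0"}
  }
}""")

def lockfile_to_queries(lock):
    """One OSV query per installed (name, version), in the shape accepted by
    POST https://api.osv.dev/v1/querybatch. The name is the segment after the
    last "node_modules/", so a nested (transitive) install maps to the same
    package as a top-level one, and duplicate pairs are collapsed."""
    seen, queries = set(), []
    for path, info in lock["packages"].items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        if (name, info["version"]) in seen:
            continue
        seen.add((name, info["version"]))
        queries.append({"package": {"name": name, "ecosystem": "npm"},
                        "version": info["version"]})
    return queries

def batch_payload(queries):
    """JSON body for the querybatch endpoint (no network call is made here)."""
    return json.dumps({"queries": queries})

def match_results(queries, response):
    """querybatch answers in query order, so zip the two lists back together
    and keep only the (name, version) pairs with at least one vulnerability ID."""
    findings = {}
    for query, result in zip(queries, response["results"]):
        ids = [v["id"] for v in result.get("vulns", [])]
        if ids:
            findings[(query["package"]["name"], query["version"])] = ids
    return findings

# Constructed reply in the querybatch response shape; the ID is a placeholder.
FAKE_RESPONSE = {"results": [{}, {"vulns": [{"id": "OSV-PLACEHOLDER-0001"}]}, {}]}
```

Against a real lock file the same payload would be POSTed to the querybatch endpoint and the live results fed to `match_results`, which is the join OSV-Scanner performs for you.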

Finally, it is worth mentioning that the project's code is written in Go and distributed under the Apache 2.0 license. You can find more details at the following link.

Developers can download and try OSV-Scanner from the osv.dev website, or use the OpenSSF Scorecard vulnerability check to run the scanner automatically on a GitHub project.

