ProHoster > Блог > Gudanarwa > Yadda ake amfani da mai sauƙin amfani don nemo lahani a lambar shirin

Yadda ake amfani da mai sauƙin amfani don nemo lahani a lambar shirin

Graudit yana goyan bayan harsunan shirye-shirye da yawa kuma yana ba ku damar haɗa gwajin tsaro na codebase kai tsaye cikin tsarin haɓakawa.

Yadda ake amfani da mai sauƙin amfani don nemo lahani a lambar shirin
source: Unsplash (Markus Spiske)

Gwaji wani muhimmin bangare ne na tsarin ci gaban software. Akwai nau'ikan gwaji da yawa, kowannensu yana magance nasa matsalar. A yau ina so in yi magana game da nemo matsalolin tsaro a code.

Babu shakka, a cikin gaskiyar zamani na haɓaka software, yana da mahimmanci don tabbatar da tsaro na tsari. A wani lokaci, an ma gabatar da kalmar musamman DevSecOps. Wannan kalmar tana nufin jerin hanyoyin da nufin ganowa da kawar da lahani a cikin aikace-aikacen. Akwai ƙwararrun hanyoyin buɗe tushen mafita don duba raunin daidai da ƙa'idodi OWASP, wanda ke bayyana nau'o'i daban-daban da halayen rashin ƙarfi a cikin lambar tushe.

Akwai hanyoyi daban-daban don magance matsalolin tsaro, kamar Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), Software Composition Analysis, da sauransu.

Gwajin tsaro na aikace-aikacen a tsaye yana gano kurakurai a lambar da aka riga aka rubuta. Wannan hanyar ba ta buƙatar aikace-aikacen ta gudana, wanda shine dalilin da ya sa ake kiran shi bincike mai mahimmanci.

Zan mayar da hankali kan nazarin lambobin a tsaye kuma in yi amfani da kayan aiki mai sauƙi na buɗe tushen don nuna komai a aikace.

Dalilin da ya sa na zaɓi kayan aiki na tushen buɗaɗɗe don bincike na tsaro a tsaye

Akwai dalilai da yawa game da wannan: na farko, kyauta ne saboda kuna amfani da kayan aikin da jama'a masu ra'ayi iri ɗaya suka ɓullo da su waɗanda ke son taimakawa wasu masu haɓakawa. Idan kuna da ƙaramin ƙungiya ko farawa, kuna da babbar dama don adana kuɗi ta amfani da buɗaɗɗen software don gwada amincin lambar lambar ku. Abu na biyu, yana kawar da buƙatar hayar ƙungiyar DevSecOps daban, yana ƙara rage farashin ku.

Ana ƙirƙira kyawawan kayan aikin buɗe tushen koyaushe suna la'akari da ƙarin buƙatu don sassauci. Don haka, ana iya amfani da su a kusan kowane yanayi, tare da ɗaukar ayyuka da yawa. Yana da sauƙi ga masu haɓakawa don haɗa irin waɗannan kayan aikin tare da tsarin da suka riga sun gina yayin aiki akan ayyukan su.

Amma ana iya samun lokutan da kuke buƙatar fasalin da ba ya cikin kayan aikin da kuka zaɓa. A wannan yanayin, kuna da damar yin cokali mai yatsa lambar sa kuma haɓaka kayan aikin ku akan shi tare da ayyukan da kuke buƙata.

Tunda a mafi yawan lokuta ci gaban software na tushen buɗaɗɗen al'umma yana da tasiri sosai, yanke shawarar yin canje-canje yana da sauri kuma zuwa ga ma'ana: masu haɓaka aikin buɗe tushen sun dogara da martani da shawarwari daga masu amfani, akan rahotannin su. kurakurai da aka samu da sauran matsalolin.

Amfani da Graudit don Binciken Tsaro na Code

Kuna iya amfani da kayan aikin buɗaɗɗe iri-iri don nazarin lambar ƙima; babu kayan aiki na duniya don duk harsunan shirye-shirye. Masu haɓaka wasu daga cikinsu suna bin shawarwarin OWASP kuma suna ƙoƙarin rufe yaruka da yawa gwargwadon iko.

A nan za mu yi amfani Graudit, Mai sauƙin amfani da layin umarni wanda zai ba mu damar samun rauni a cikin codebase. Yana goyan bayan harsuna daban-daban, amma har yanzu saitin su yana da iyaka. An haɓaka Graudit bisa tushen mai amfani na grep, wanda sau ɗaya an sake shi ƙarƙashin lasisin GNU.

Akwai makamantan kayan aikin don tantance lambar ƙididdiga - Rough Auditing Tool for Security (RATS), Kayan aikin Binciken Aikace-aikacen Yanar Gizo na Tsaro (SWAAT), flawfinder da sauransu. Amma Graudit yana da sassauƙa sosai kuma yana da ƙarancin buƙatun fasaha. Koyaya, kuna iya samun matsalolin da Graudit ba zai iya magance su ba. Sannan zaku iya nemo wasu zabuka anan a kan wannan jerin.

Za mu iya haɗa wannan kayan aiki cikin takamaiman aiki, ko sanya shi samuwa ga zaɓaɓɓen mai amfani, ko amfani da shi lokaci guda a cikin duk ayyukanmu. Wannan kuma shine inda sassaucin Graudit ya shigo cikin wasa. Don haka bari mu fara clone repo:

$ git clone https://github.com/wireghoul/graudit

Yanzu bari mu ƙirƙiri hanyar haɗi ta alama don Graudit don amfani da ita a tsarin umarni

$ cd ~/bin && mkdir graudit
$ ln --symbolic ~/graudit/graudit ~/bin/graudit

Bari mu ƙara wani laƙabi zuwa .bashrc (ko kowane fayil ɗin sanyi da kuke amfani da shi):

#------ .bashrc ------
alias graudit="~/bin/graudit"

Sake yi:

$ source ~/.bashrc # OR
$ exex $SHELL

Bari mu duba idan shigarwar ya yi nasara:

$ graudit -h

Idan kun ga wani abu makamancin haka, to komai yana da kyau.

Yadda ake amfani da mai sauƙin amfani don nemo lahani a lambar shirin

Zan gwada ɗaya daga cikin ayyukan da nake da su. Kafin gudanar da kayan aiki, yana buƙatar a wuce bayanan bayanan da ya dace da harshen da aka rubuta aikina a ciki. Bayanan bayanan suna cikin ~/gradit/signatures folder:

$ graudit -d ~/gradit/signatures/js.db

Don haka, na gwada fayilolin js guda biyu daga aikina, kuma Graudit ya nuna bayanai game da lahani a cikin lambara zuwa na'ura wasan bidiyo:

Yadda ake amfani da mai sauƙin amfani don nemo lahani a lambar shirin

Yadda ake amfani da mai sauƙin amfani don nemo lahani a lambar shirin

Kuna iya gwada gwada ayyukan ku ta hanya ɗaya. Kuna iya ganin jerin bayanan bayanai don harsunan shirye-shirye daban-daban a nan.

Fa'idodi da rashin amfani na Graudit

Graudit yana goyan bayan harsunan shirye-shirye da yawa. Saboda haka, ya dace da yawancin masu amfani. Yana iya isa gasa tare da kowane analogues kyauta ko biya. Kuma yana da matukar muhimmanci cewa har yanzu ana ci gaba da inganta aikin, kuma al'umma ba kawai taimaka wa masu haɓakawa ba, har ma da sauran masu amfani da ke ƙoƙarin gano kayan aiki.

Wannan kayan aiki ne mai amfani, amma ya zuwa yanzu ba koyaushe zai iya nuna ainihin abin da matsalar ke tattare da wani yanki na lamba. Masu haɓakawa suna ci gaba da haɓaka Graudit.

Amma a kowane hali, yana da amfani don kula da yiwuwar matsalolin tsaro a cikin lambar lokacin amfani da kayan aiki irin wannan.

An fara…

A cikin wannan labarin, na kalli ɗaya daga cikin hanyoyi da yawa don nemo lahani - static application security test . Gudanar da nazarin lambobin a tsaye abu ne mai sauƙi, amma farkon farawa ne. Don ƙarin koyo game da tsaro na codebase, kuna buƙatar haɗa wasu nau'ikan gwaji cikin ci gaban rayuwar software ɗin ku.

Hakoki na Talla

Amintaccen VPS kuma daidaitaccen zaɓi na tsarin jadawalin kuɗin fito zai ba ku damar rage shagala daga ci gaba ta hanyar matsalolin da ba su da daɗi - komai zai yi aiki ba tare da gazawa ba kuma tare da babban lokaci mai girma!

Yadda ake amfani da mai sauƙin amfani don nemo lahani a lambar shirin

source: www.habr.com

Add a comment