GitHub has launched a joint project to identify vulnerabilities in open source software

GitHub has announced the GitHub Security Lab initiative, which aims to organize collaboration among security experts from various companies and organizations to identify vulnerabilities and help eliminate them in the code of open source projects.

All interested companies and individual computer security experts are invited to join the initiative. Bounties of up to $3000 are paid for identified vulnerabilities, depending on the severity of the problem and the quality of the report. Problem descriptions are recommended to be submitted using the CodeQL toolkit, which lets you build a template of the vulnerable code and then check other projects' code for the presence of the same kind of vulnerability (CodeQL performs semantic analysis of code and lets you write queries that search for particular constructs).

Security researchers from F5, Google, HackerOne, Intel, IOActive, JP Morgan, LinkedIn, Microsoft, Mozilla, NCC Group, Oracle, Trail of Bits, Uber and VMWare are taking part in the initiative; over the past two years they have identified and helped fix 105 vulnerabilities in projects such as Chromium, libssh2, Linux kernel, Memcached, UBoot, VLC, Apport, HHVM, Exiv2, FFmpeg, Fizz, libav, Ansible, npm, XNU, Ghostscript, Icecast, Apache Struts, strongSwan, Apache Ignite, rsyslog, Apache Geode and Hadoop.

The security lifecycle GitHub envisages has GitHub Security Lab members identifying vulnerabilities, which are then reported to the maintainers and developers, who develop fixes, agree on when the issue will be disclosed, and notify dependent projects so that they can install the version in which the vulnerability has been eliminated. The database will include CodeQL templates to prevent resolved problems from reappearing in code hosted on GitHub.


Through the GitHub interface it is now possible to obtain a CVE identifier for a discovered problem and prepare a report, after which GitHub itself sends the necessary notifications and coordinates their handling. Moreover, once the problem is resolved, GitHub will automatically submit pull requests to update the dependencies of the affected project.

GitHub has also added the GitHub Advisory Database, a vulnerability list that publishes information about vulnerabilities affecting projects on GitHub together with data for tracking the affected packages and repositories. CVE identifiers mentioned in comments on GitHub now link automatically to the detailed vulnerability information in the database. A separate API is provided for working with the database programmatically.

An update to the service that protects against committing sensitive data, such as authentication tokens and access keys, to publicly accessible repositories has also been announced. During a commit, the scanner checks for the typical key and token formats used by 20 cloud providers and services, including Alibaba Cloud API, Amazon Web Services (AWS), Azure, Google Cloud, Slack and Stripe. If a token is detected, a request is sent to the service provider to confirm the leak and revoke the compromised token. Since yesterday, in addition to the previously supported formats, detection of GoCardless, HashiCorp, Postman and Tencent tokens has been added.
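To make the commit-scanning step concrete, here is an added illustration (my own code, not GitHub's scanner) of how a scanner can check only the lines a commit adds against known token formats for three of the providers named above, redact the matches for logging, and group the findings per provider so that each provider can be asked to confirm and revoke. The regexes are my approximations of publicly documented formats; the diff is constructed, and the AWS value is the placeholder key from AWS's own documentation.

```python
import re
from dataclasses import dataclass

# Approximations of publicly documented token formats for three providers
# named in the article; these are my own patterns, not GitHub's.
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"),
}

@dataclass(frozen=True)
class Finding:
    provider: str
    line_no: int   # line within the diff text
    token: str     # full value, needed only for provider-side verification
    redacted: str  # safe form for logs and notifications

def redact(token):
    return token[:4] + "..." + token[-4:]

def scan_diff(diff_text):
    """Scan only lines a commit adds ('+' lines, excluding the '+++' header)."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # removed/context lines and file headers are not new leaks
        for provider, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                tok = m.group(0)
                findings.append(Finding(provider, line_no, tok, redact(tok)))
    return findings

def report_by_provider(findings):
    """Group tokens per provider: the unit sent to that provider to confirm the
    leak and revoke the credential (the network request itself is not shown)."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.provider, []).append(f.token)
    return grouped

# Constructed sample diff; the AWS value is the placeholder key from AWS's docs.
SAMPLE_DIFF = """\
+++ b/config.py
@@ -1,3 +1,5 @@
 DEBUG = False
-AWS_KEY = os.environ["AWS_KEY"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+SLACK = "xoxb-000000000000-0000000000000-ConstructedSampleValue00"
+STRIPE = "sk_test_ConstructedSampleValue000000"
"""
```

Running `scan_diff(SAMPLE_DIFF)` reports the three added lines and ignores the removed `AWS_KEY` line, which shows why scanning has to be tied to what a commit introduces rather than to the file as a whole.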

source: budenet.ru
