GitHub has introduced a machine learning system for finding vulnerabilities in code

GitHub has announced the addition of an experimental machine learning system to its Code scanning service that identifies common types of vulnerabilities in code. During the experiment, the new feature is currently available only for repositories containing JavaScript and TypeScript code. It is noted that the use of a machine learning system has significantly expanded the range of detected problems, since during analysis the system is not limited to checking typical patterns and is not tied to well-known frameworks. Among the problems identified by the new system are errors leading to cross-site scripting (XSS), manipulation of file paths (for example, by specifying "/.."), and injection into SQL and NoSQL queries.

The Code scanning service can detect vulnerabilities at an early stage of development by checking every "git push" operation for potential problems. The result is attached directly to the pull request. Previously, the check was performed by the CodeQL engine, which analyzes templates containing typical examples of vulnerable code (CodeQL lets you create a template of vulnerable code in order to detect the presence of a similar vulnerability in the code of other projects). The new engine, which uses machine learning, can identify previously unknown vulnerabilities because it is not tied to enumerating code templates that describe specific vulnerabilities. The price of this flexibility is an increase in the number of false positives compared to CodeQL checks.

Source: opennet.ru
