Google releases OSV-Scanner, a scanner for vulnerabilities in dependencies

Google has introduced the OSV-Scanner toolkit for checking code and applications for unpatched vulnerabilities, taking into account the entire chain of dependencies associated with the code. OSV-Scanner identifies situations in which an application becomes vulnerable because of problems in one of the libraries used as a dependency, including cases where the vulnerable library is used indirectly, i.e. called through another dependency. The project code is written in Go and distributed under the Apache 2.0 license.

OSV-Scanner can simply scan a directory tree, identifying projects and applications by the presence of git directories (vulnerability information is obtained by analysing commit hashes), SBOM files (Software Bill of Materials in SPDX and CycloneDX formats), and manifests or lock files that pin package versions for package managers such as Yarn, NPM, GEM, PIP and Cargo. It also supports scanning the contents of Docker container images built from packages from Debian repositories.

Information about vulnerabilities is taken from the OSV (Open Source Vulnerabilities) database, which covers security problems in Crates.io (Rust), Go, Maven, NPM (JavaScript), NuGet (C#), Packagist (PHP), PyPI (Python), RubyGems, Android, Debian and Alpine, as well as data on Linux kernel vulnerabilities and information from vulnerability reports for projects hosted on GitHub. An OSV record reflects the status of the fix, the commits that introduced and fixed the vulnerability, the range of versions affected by it, links to the project repository with the code, and a notification about the problem. The provided API lets you track the manifestation of vulnerabilities at the level of commits and tags, and analyse whether derivative products and dependencies are exposed to the problem.
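The affected-version ranges an OSV record carries, described above, are what a scanner compares an installed version against. The Python below is an added example, not OSV-Scanner's own code: it walks the `introduced`/`fixed`/`last_affected` events of a constructed OSV-format advisory (placeholder id, not a real OSV entry) and decides whether a given package version falls inside an affected interval.

```python
import json

# Constructed OSV-format advisory (not a real OSV record). Two SEMVER
# intervals: [0, 1.4.2) and [2.0.0, 2.1.0), exactly as OSV expresses them.
SAMPLE_ADVISORY = json.dumps({
    "id": "EXAMPLE-0000-0001",  # placeholder identifier, not a real OSV id
    "summary": "constructed example: path traversal in archive extraction",
    "affected": [{
        "package": {"ecosystem": "npm", "name": "example-unzip"},
        "ranges": [{
            "type": "SEMVER",
            "events": [
                {"introduced": "0"}, {"fixed": "1.4.2"},
                {"introduced": "2.0.0"}, {"fixed": "2.1.0"},
            ],
        }],
    }],
})


def parse_version(v):
    """'1.4.2' -> (1, 4, 2). Pre-release tags are dropped and non-numeric
    components sort as 0; a simplification compared to full SemVer ordering."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("-")[0].split("."))


def affected_intervals(advisory):
    """Turn OSV event lists into (ecosystem, name, low, high, inclusive) tuples.

    Events are ordered: an 'introduced' opens an interval, the next 'fixed'
    (exclusive) or 'last_affected' (inclusive) closes it; an interval left
    open means every later version is affected. GIT ranges need commit-graph
    data and are skipped here.
    """
    out = []
    for entry in advisory["affected"]:
        eco, name = entry["package"]["ecosystem"], entry["package"]["name"]
        for rng in entry.get("ranges", []):
            if rng["type"] not in ("SEMVER", "ECOSYSTEM"):
                continue
            low = None
            for ev in rng["events"]:
                if "introduced" in ev:
                    low = ev["introduced"]
                elif "fixed" in ev or "last_affected" in ev:
                    high = ev.get("fixed", ev.get("last_affected"))
                    out.append((eco, name, low, high, "last_affected" in ev))
                    low = None
            if low is not None:
                out.append((eco, name, low, None, False))
    return out


def is_affected(advisory_json, ecosystem, name, version):
    """True if the installed version lies inside any affected interval."""
    v = parse_version(version)
    for eco, pkg, low, high, inclusive in affected_intervals(json.loads(advisory_json)):
        if (eco, pkg) != (ecosystem, name) or v < parse_version(low):
            continue
        if high is None or v < parse_version(high) or (inclusive and v == parse_version(high)):
            return True
    return False
```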


Source: opennet.ru
