Graudit supports multiple programming languages and lets you integrate security testing of your codebase directly into the development process.
Testing is an important part of the software development lifecycle. There are many kinds of testing, and each solves its own problem. Today I want to talk about finding security problems in code.
In the modern reality of software development, it is clear that ensuring the security of the process is important. At some point the special term DevSecOps was introduced. It refers to a set of procedures aimed at identifying and eliminating vulnerabilities in an application. There are dedicated open-source solutions for checking for vulnerabilities according to standards.
There are various approaches to solving security problems: Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), software composition analysis, and others.
Static application security testing identifies errors in code that has already been written. This approach is called static analysis because it does not require running the application.
I will show all of this in practice using a simple open-source tool focused on static code analysis.
Why I chose an open-source tool for static code security analysis
There are several reasons. First, it is free, because you are using a tool developed by a community of like-minded people who want to help other developers. For a small team or a startup, testing the security of the codebase with open-source software is a great opportunity to save money. Second, there is no need to hire a separate DevSecOps team, which reduces costs further.
Good open-source tools are always written with the growing demand for flexibility in mind. They can therefore be used in almost any environment and handle a wide range of tasks. It is much easier for developers to connect such a tool to an already built system while working on a project.
However, you may need functionality that is not available in the tool you have chosen. In that case, you have the opportunity to fork its code and build your own tool with the functionality you need on top of it.
In most cases, the development of open-source software is actively influenced by the community, so decisions to make changes are made very quickly and precisely. Developers of open-source projects rely on feedback, suggestions, and reports from users about errors and other problems they have found.
Code security analysis with Graudit
Various open-source tools can be used for static code analysis, but there is no single tool common to all programming languages. Some developers follow the OWASP recommendations and try to cover as many languages as possible.
Here we will use Graudit.
Similar tools for static code analysis include Rough Auditing Tool for Security (RATS), Securitycompass Web Application Analysis Tool (SWAAT), and flawfinder. Graudit, however, is very flexible and has minimal technical requirements. That said, you may run into problems that Graudit cannot solve, and then you can look for other options.
You can integrate this tool into a particular project, make it available to selected users, or use it on all projects at once. This is where Graudit's flexibility shows. So, first let's clone the repository:
$ git clone https://github.com/wireghoul/graudit
Next, let's create a symbolic link so that Graudit can be used as a command:
$ mkdir -p ~/bin
$ ln --symbolic ~/graudit/graudit ~/bin/graudit
Let's add an alias to .bashrc (or whichever configuration file you use):
#------ .bashrc ------
alias graudit="~/bin/graudit"
Reload:
$ source ~/.bashrc # OR
$ exec $SHELL
Let's check whether the installation succeeded:
$ graudit -h
If you see something similar, everything is fine.
Let's test one of our existing projects. Before running the tool, we need to pass it the signature database that corresponds to the language the project is written in. The databases are in the ~/graudit/signatures folder.
$ graudit -d ~/graudit/signatures/js.db /path/to/project
Having tested one of the project's js files this way, Graudit printed information about the vulnerabilities in the code to the console.
You can test your own project the same way. You can also view the list of databases for the various programming languages.
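To show what the signature database actually drives, here is an added example (my own code, not Graudit's) that mimics Graudit's scan step in Python: it loads a small constructed signature list in the one-regex-per-line layout that I assume the .db files use, greps a constructed JavaScript snippet with it, and exits nonzero when anything matches, which is the hook you would use to gate a build.

```python
import re

# Constructed stand-in for a Graudit signature database such as js.db:
# one grep -E style regex per line, '#' marks a comment (format is an
# assumption; the patterns are constructed, not taken from Graudit's js.db).
SAMPLE_DB = r"""
# constructed signatures, not Graudit's js.db
\beval\s*\(
\.innerHTML\s*=
new\s+Function\s*\(
document\.write\s*\(
"""

# Constructed JavaScript source to scan.
SAMPLE_JS = """\
const total = items.length;
el.innerHTML = userInput;        // untrusted data written into the DOM
const fn = new Function(body);   // code built from a string at runtime
console.log(eval("1+1"));
"""

def load_signatures(db_text: str) -> list:
    """Parse a signature database into compiled regexes, skipping comments."""
    sigs = []
    for line in db_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            sigs.append(re.compile(line))
    return sigs

def scan_text(text: str, sigs: list, name: str = "<stdin>") -> list:
    """Return (file, line number, pattern) per hit, like grep -n -E -f db."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for sig in sigs:
            if sig.search(line):
                hits.append((name, no, sig.pattern))
    return hits

def has_findings(text: str, db_text: str) -> bool:
    """Build-gate helper: True when the scan reports anything."""
    return bool(scan_text(text, load_signatures(db_text)))

if __name__ == "__main__":
    # Print findings the way a CI log would show them, then fail the build on hits.
    for file, no, pat in scan_text(SAMPLE_JS, load_signatures(SAMPLE_DB), "sample.js"):
        print(f"{file}:{no}: matched /{pat}/")
    raise SystemExit(1 if has_findings(SAMPLE_JS, SAMPLE_DB) else 0)
```

As with Graudit itself, a hit only means a pattern matched a line; the second and third lines of the sample are the ones worth a manual review, and the signature list decides what the scan can and cannot see.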
Advantages and disadvantages of Graudit
Graudit supports many programming languages, so it suits a wide range of users. It competes well with free and paid alternatives. It is also very important that the project is still being improved, and the community helps not only the developers but also other users who are trying to understand the tool.
It is a handy tool, but so far it cannot always pinpoint the problem in a suspicious piece of code accurately. The developers continue to improve Graudit.
In any case, when using a tool like this it helps to pay attention to potential security problems in your code.
Just the beginning…
In this article I described static application security testing, one of the many ways to find vulnerabilities. Performing static code analysis is easy, but it is only the beginning. To learn more about the security of your codebase, you need to integrate other kinds of testing into the software development lifecycle.
Source: habr.com