Graudit supports many programming languages and lets you integrate security analysis of a codebase directly into the development process.
Testing is an important part of the software development life cycle. There are many kinds of testing, each solving its own problem. Today I want to talk about finding security problems in code.
Obviously, in modern software development it is important to ensure that the process is secure. At some point the term DevSecOps even appeared. It refers to a set of practices aimed at finding and removing vulnerabilities in an application. There are specialised open-source solutions for checking vulnerabilities in line with standards
There are different approaches to finding security problems, such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), Software Composition Analysis, and so on.
Static application security testing reveals errors in code that has already been written. This approach does not require running the application, which is why it is called static analysis.
I will focus on static code analysis and use a simple open-source tool to show the whole thing in practice.
Why I chose an open-source tool for static code security analysis
There are several reasons for this: first, it is free, because you are using a tool built by a community of like-minded people who want to help other developers. If you have a small team or a startup, you have a good chance to save money by using open-source software to test the security of your codebase. Second, it removes the need to hire a dedicated DevSecOps team, further reducing your costs.
Good open-source tools are usually built with ever-growing requirements for adaptability in mind. Therefore, they can be used in almost any environment, covering a wide range of tasks. It is easy for developers to integrate such tools with the systems they have already built while working on their projects.
But there may be times when you need something that is not available in the tool you chose. In that case you can fork its code and build your own tool on top of it with the functionality you need.
Since the development of open-source software is mostly driven by the community, the process of making changes is fast and to the point: the developers of an open-source project rely on feedback and suggestions from users, and on their reports of bugs they found and other problems.
Using Graudit for Code Security Analysis
You can use various open-source tools for static code analysis; there is no universal tool for all programming languages. The developers of some of them follow OWASP recommendations and try to cover as many languages as possible.
Here we will use Graudit.
There are similar tools for static code analysis: Rough Auditing Tool for Security (RATS), Securitycompass Web Application Analysis Tool (SWAAT), flawfinder and others like them. But Graudit is flexible and has minimal technical requirements. Nevertheless, you may run into problems that Graudit cannot solve. Then you can look for other options.
We can integrate this tool into a separate project, or make it available to a selected user, or use it in all of our projects at once. This is where Graudit's flexibility shows as well. So let's start by cloning the repo (into the home directory, since the paths below assume ~/graudit):
$ git clone https://github.com/wireghoul/graudit ~/graudit
Now let's create a symbolic link to Graudit so that it can be used as a command:
$ mkdir -p ~/bin
$ ln --symbolic ~/graudit/graudit ~/bin/graudit
Let's add an alias to .bashrc (or whatever config file you use):
#------ .bashrc ------
alias graudit="~/bin/graudit"
Reload the shell:
$ source ~/.bashrc # OR
$ exec $SHELL
Let's check that the installation was successful:
$ graudit -h
If you see something similar, then everything is fine.
I will test one of my existing projects. Before using the tool, it needs to be given the database matching the language my project is written in. The databases are in the ~/graudit/signatures folder:
$ graudit -d ~/graudit/signatures/js.db path/to/your/js/files
So, I tested two js files from my project, and Graudit printed information about vulnerabilities in my code to the console:
You can try testing your projects the same way. You can see the list of databases for the different programming languages in the ~/graudit/signatures folder.
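As an added example (not part of the original article and not code from the graudit project), the script below shows the core of what a signature scan like Graudit's does and how to turn it into a gate that fails a pre-commit hook or CI job when findings appear. The signature file and the JavaScript file are constructed here; the script assumes Graudit's signature format of one extended regular expression per line.

```shell
#!/bin/sh
# Constructed example of a graudit-style signature scan plus a commit/CI gate.
# Assumption: signature files hold one extended regex per line (the .db format graudit uses).
set -u
WORK=$(mktemp -d)

# Constructed signature database: a tiny stand-in for signatures/js.db
cat > "$WORK/js.db" <<'EOF'
eval\(
innerHTML[[:space:]]*=
document\.write\(
new[[:space:]]+Function\(
EOF

# Constructed JavaScript file: two risky lines among harmless ones
cat > "$WORK/app.js" <<'EOF'
const cfg = JSON.parse(raw);            // safe parse
el.innerHTML = userInput;               // DOM XSS sink
const out = eval(expr);                 // code execution sink
console.log(out);
EOF

# scan_file DB FILE -> prints "file:line:text" for every line matching any signature
scan_file() {
  grep -nHE -f "$1" "$2"
}

# count_findings DB FILE -> number of matching lines (0 when the file is clean)
count_findings() {
  scan_file "$1" "$2" | wc -l | tr -d ' '
}

# gate DB FILE -> exit status 1 when findings exist, so a hook or CI step can fail on it
gate() {
  n=$(count_findings "$1" "$2")
  if [ "$n" -gt 0 ]; then
    echo "signature gate: $n finding(s) in $2, review before committing" >&2
    return 1
  fi
  return 0
}

# Show the findings, then demonstrate the gate blocking the constructed file
scan_file "$WORK/js.db" "$WORK/app.js"
gate "$WORK/js.db" "$WORK/app.js" || echo "commit would be blocked"
```

In a real hook you would replace the constructed files with the signature database from ~/graudit/signatures and the staged files, keeping the same gate logic.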
Pros and Cons of Graudit
Graudit supports many programming languages. Therefore, it suits a wide range of users. It can compete on equal terms with any free or paid counterparts. And it is very important that the project is still being developed, and the community helps not only the developers but also other users who are trying to evaluate the tool.
This tool is usable, but so far it cannot always pinpoint exactly what the problem is with the piece of code it flags as suspicious. The developers continue to improve Graudit.
But in any case, it is useful to pay attention to possible security problems in code when using tools like this.
A beginning…
In this article I looked at one of the many ways to find vulnerabilities: static application security testing. Performing static code analysis is easy, but it is only a beginning. To learn more about the security of your codebase, you need to integrate other types of testing into your software development life cycle.
Source: www.habr.com