GitHub launches a joint project to identify vulnerabilities in open source software

GitHub has announced the launch of GitHub Security Lab, aimed at organizing collaboration among security experts from various companies and organizations to identify vulnerabilities and help eliminate them in the code of open source projects.

All interested companies and individual computer security specialists are invited to join the initiative. For identifying a vulnerability, a reward of up to $3,000 is offered, depending on the severity of the problem and the quality of the report. To submit information about a problem, it is recommended to use the CodeQL toolkit, which lets you build a template of the vulnerable code in order to detect the presence of similar vulnerabilities in the code of other projects (CodeQL makes it possible to perform semantic code analysis and to generate queries that search for particular code structures).

Security researchers from F5, Google, HackerOne, Intel, IOActive, JP Morgan, LinkedIn, Microsoft, Mozilla, NCC Group, Oracle, Trail of Bits, Uber and VMWare have already joined the initiative, and over the past two years they have identified and helped fix 105 vulnerabilities in projects such as Chromium, libssh2, the Linux kernel, Memcached, UBoot, VLC, Apport, HHVM, Exiv2, FFmpeg, Fizz, libav, Ansible, npm, XNU, Ghostscript, Icecast, Apache Struts, strongSwan, Apache Ignite, Apache Geode and Hadoop.

The code security lifecycle proposed by GitHub has GitHub Security Lab members identify vulnerabilities, which are then reported to maintainers and developers, who produce fixes, coordinate the disclosure date, and notify dependent projects so they can install the fixed version. The database will hold CodeQL templates to prevent problems that have already been fixed from reappearing in code hosted on GitHub.


Through the GitHub interface you can now obtain a CVE identifier for an identified problem and prepare a report, and GitHub itself sends out the necessary notifications and organizes their coordinated handling. Furthermore, once the problem has been fixed, GitHub automatically sends pull requests to update the dependencies associated with the affected project.

GitHub has also added a vulnerability list, the GitHub Advisory Database, which publishes information about vulnerabilities affecting projects on GitHub together with information for tracking affected packages and repositories. CVE identifiers mentioned in comments on GitHub now automatically link to the detailed information about the vulnerability in the database. A separate API is provided for automating work with the database.

An update to the service that prevents sensitive data, such as authentication keys and access tokens, from ending up in publicly accessible places has also been announced. At commit time, a scanner checks for the standard key and token formats used by 20 cloud providers and services, including Alibaba Cloud API, Amazon Web Services (AWS), Azure, Google Cloud, Slack and Stripe. If a token is detected, a request is sent to the provider to confirm the leak and revoke the compromised tokens. Since yesterday, in addition to the previously supported formats, support for detecting GoCardless, HashiCorp, Postman and Tencent tokens has been added.
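The commit-time flow described above, as an added illustration rather than GitHub's own scanner code: only the lines a commit adds are matched against known token formats, and each hit is handed to the provider for confirmation and revocation. The token patterns are simplified assumptions (not the providers' real validators), `exk_live_` is a made-up provider prefix, and the diff and the provider check are constructed for the example.

```python
import re
from dataclasses import dataclass

# Simplified, illustrative token formats (assumption, not provider-exact).
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[bpa]-[0-9A-Za-z-]{10,}\b"),
    "example_provider_key": re.compile(r"\bexk_live_[0-9a-f]{32}\b"),  # hypothetical
}

@dataclass(frozen=True)
class Finding:
    provider: str
    path: str
    line_no: int   # line number in the new version of the file
    token: str

def scan_diff(diff_text):
    """Return findings for secrets on added ('+') lines of a unified diff."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            # New-file start line from the hunk header: @@ -a,b +c,d @@
            line_no = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+"):
            line_no += 1
            for provider, pattern in TOKEN_PATTERNS.items():
                for m in pattern.finditer(raw[1:]):
                    findings.append(Finding(provider, path, line_no, m.group(0)))
        elif raw.startswith(" "):
            line_no += 1          # context line exists in the new file too
        # removed ('-') lines are not in the new file; nothing to report
    return findings

def triage(findings, provider_confirms_active):
    """Ask the provider whether each token is live; live tokens are revoked."""
    return {f.token: ("revoke" if provider_confirms_active(f.token) else "already_inactive")
            for f in findings}

# Constructed diff: one real-looking (documented example) AWS key id, one fake Slack token.
SAMPLE_DIFF = """diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 DEBUG = False
-AWS_KEY = "redacted"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+SLACK = "xoxb-000000000000-constructedtoken"
 TIMEOUT = 30
"""

def demo():
    found = scan_diff(SAMPLE_DIFF)
    # Stand-in for the provider callback: pretend only the AWS key is still active.
    return found, triage(found, lambda tok: tok.startswith("AKIA"))

if __name__ == "__main__":
    for f, action in zip(*demo()):
        print(f"{f.path}:{f.line_no} {f.provider} -> {action}")
```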

Source: opennet.ru
