I-Graudit isekela izilimi eziningi zokuhlela futhi ikuvumela ukuthi uhlanganise ukuhlolwa kokuphepha kwe-codebase ngqo kwinqubo yokuthuthukiswa.
Source: (Markus Spiske)
Ukuhlola kuyingxenye ebalulekile yomjikelezo wokuphila wokuthuthukiswa kwesofthiwe. Kunezinhlobo eziningi zokuhlola, ngayinye yazo ixazulula inkinga yayo. Namuhla ngifuna ukukhuluma ngokuthola izinkinga zokuphepha ngekhodi.
Ngokusobala, ezintweni zanamuhla zokuthuthukiswa kwesofthiwe, kubalulekile ukuqinisekisa ukuphepha kwenqubo. Ngesinye isikhathi, kwaze kwethulwa igama elikhethekile elithi DevSecOps. Leli gama lisho uchungechunge lwezinqubo ezihloselwe ukuhlonza nokuqeda ubungozi kuhlelo lokusebenza. Kunezixazululo ezikhethekile zomthombo ovulekile zokuhlola ubungozi ngokuvumelana nezindinganiso , ezichaza izinhlobo ezahlukene nokuziphatha kobungozi kukhodi yomthombo.
Kunezindlela ezihlukene zokuxazulula izinkinga zokuphepha, ezifana nokuhlolwa kokuvikeleka kwesicelo esiqinile (SAST), Ukuhlolwa Kokuphepha Kwesicelo SeDynamic (DAST), Ukuhlolwa Kokuphepha Kwesicelo Esisebenzisanayo (IAST), Ukuhlaziywa Kokwakheka Kwesoftware, njalo njalo.
Ukuhlolwa kokuphepha kohlelo lokusebenza okuqinile kuhlonza amaphutha kukhodi esibhaliwe kakade. Le ndlela ayidingi ukuthi uhlelo lokusebenza lusebenze, yingakho ibizwa ngokuthi ukuhlaziywa okumile.
Ngizogxila ekuhlaziyeni ikhodi emile futhi ngisebenzise ithuluzi elilula lomthombo ovulekile ukuze ngibonise yonke into eyenziwayo.
Kungani ngikhethe ithuluzi lomthombo ovulekile lokuhlaziywa kokuphepha kwekhodi emile
Kunezizathu ezimbalwa zalokhu: okokuqala, kumahhala ngoba usebenzisa ithuluzi elithuthukiswe umphakathi wabantu abanomqondo ofanayo ofuna ukusiza abanye onjiniyela. Uma uneqembu elincane noma uqalisa, unethuba elihle lokonga imali ngokusebenzisa isofthiwe yomthombo ovulekile ukuze uhlole ukuphepha kwe-codebase yakho. Okwesibili, kuqeda isidingo sokuqasha ithimba elihlukile le-DevSecOps, kuphinde kwehlise izindleko zakho.
Amathuluzi amahle omthombo ovulekile ahlala edalwa kucatshangelwa izidingo ezikhulayo zokuvumelana nezimo. Ngakho-ke, angasetshenziswa cishe kunoma iyiphi indawo, ehlanganisa imisebenzi eminingi. Kulula kakhulu kubathuthukisi ukuxhuma amathuluzi anjalo nohlelo asebevele belwakhile ngenkathi besebenza kumaphrojekthi abo.
Kodwa kungase kube nezikhathi lapho udinga khona isici esingatholakali ethuluzini olikhethayo. Kulokhu, unethuba lokufohla ikhodi yayo futhi uthuthukise ithuluzi lakho ngokusekelwe kulo ngokusebenza okudingayo.
Njengoba ezimweni eziningi ukuthuthukiswa kwesoftware yomthombo ovulekile kuthonywa umphakathi, isinqumo sokwenza izinguquko senziwa ngokushesha futhi kuze kufike ephuzwini: abathuthukisi bephrojekthi yomthombo ovulekile bathembela empendulweni naseziphakamisweni zabasebenzisi, emibikweni yabo amaphutha atholakele nezinye izinkinga.
Ukusebenzisa i-Graudit ye-Code Security Analysis
Ungasebenzisa amathuluzi omthombo ovulekile ahlukahlukene wokuhlaziya amakhodi amile; alikho ithuluzi elisebenza emhlabeni wonke lazo zonke izilimi zokuhlela. Abathuthukisi babanye babo balandela izincomo ze-OWASP futhi bazame ukuhlanganisa izilimi eziningi ngangokunokwenzeka.
Lapha sizosebenzisa , insiza elula yomugqa womyalo ezosivumela ukuthi sithole ubungozi ku-codebase yethu. Isekela izilimi ezahlukene, kodwa namanje isethi yabo inomkhawulo. I-Graudit ithuthukiswa ngokususelwa kunsiza ye-grep, eyake yakhululwa ngaphansi kwelayisensi ye-GNU.
Kukhona amathuluzi afanayo okuhlaziya ikhodi emile - Ithuluzi Lokuhlola Okubi Lokuvikeleka (RATS), Ithuluzi Lokuhlaziya Isicelo Sewebhu Sekhampasi (SWAAT), i-flawfinder nokunye. Kodwa iGraudit iguquguquka kakhulu futhi inezidingo zobuchwepheshe ezincane. Nokho, ungase ube nezinkinga uGraudit angakwazi ukuzixazulula. Bese ungabheka ezinye izinketho lapha .
Singahlanganisa leli thuluzi kuphrojekthi ethile, noma silenze litholakale kumsebenzisi okhethiwe, noma silisebenzise ngesikhathi esisodwa kuwo wonke amaphrojekthi ethu. Yilapho futhi ukuguquguquka kwe-Graudit kusebenza khona. Ngakho-ke ake sihlanganise i-repo kuqala:
$ git clone https://github.com/wireghoul/grauditManje ake sakhe isixhumanisi esingokomfanekiso se-Graudit ukuze asisebenzise ngefomethi yomyalo
$ cd ~/bin && mkdir graudit
$ ln --symbolic ~/graudit/graudit ~/bin/grauditAke sengeze isibizo ku-.bashrc (noma yiliphi ifayela lokumisa olisebenzisayo):
#------ .bashrc ------
alias graudit="~/bin/graudit"Qalisa kabusha:
$ source ~/.bashrc # OR
$ exex $SHELL
Ake sihlole ukuthi ukufaka kube yimpumelelo yini:
$ graudit -hUma ubona into efanayo, khona-ke konke kuhamba kahle.
Ngizobe ngihlola enye yamaphrojekthi ami akhona. Ngaphambi kokusebenzisa ithuluzi, kumele kudluliswe isizindalwazi esihambisana nolimi iphrojekthi yami ebhalwe ngalo. Imininingo egciniwe itholakala kufolda ethi ~/gradit/signatures:
$ graudit -d ~/gradit/signatures/js.dbNgakho-ke, ngihlole amafayela amabili we-js kuphrojekthi yami, futhi u-Graudit wabonisa ulwazi mayelana nokuba sengozini kukhodi yami ku-console:
Ungazama ukuhlola amaphrojekthi akho ngendlela efanayo. Ungabona uhlu lwemininingwane egciniwe yezilimi ezihlukene zokuhlela .
Izinzuzo kanye Nemibi ye-Graudit
I-Graudit isekela izilimi eziningi zokuhlela. Ngakho-ke, ifanele uhla olubanzi lwabasebenzisi. Ingakwazi ukuncintisana ngokwanele nanoma yimaphi ama-analogue amahhala noma akhokhelwayo. Futhi kubaluleke kakhulu ukuthi ukuthuthukiswa kusenziwa kuphrojekthi, futhi umphakathi awusizi nje kuphela abathuthukisi, kodwa nabanye abasebenzisi abazama ukuthola ithuluzi.
Leli ithuluzi eliwusizo, kodwa kuze kube manje alikwazi ukukhomba kahle ukuthi iyini inkinga ngocezu lwekhodi olusolisayo. Abathuthukisi bayaqhubeka nokuthuthukisa i-Graudit.
Kodwa kunoma yikuphi, kuyasiza ukunaka izinkinga zokuphepha ezingaba khona kukhodi lapho usebenzisa amathuluzi afana nalawa.
Iyaqalaβ¦
Kulesi sihloko, ngibheke enye yezindlela eziningi zokuthola ubungozi - ukuhlolwa kokuphepha kohlelo lokusebenza okumile. Ukwenza ukuhlaziya ikhodi emile kulula, kodwa kumane kuyisiqalo. Ukuze ufunde kabanzi mayelana nokuphepha kwe-codebase yakho, udinga ukuhlanganisa ezinye izinhlobo zokuhlola emjikelezweni wokuphila wokuthuthukisa isofthiwe yakho.
Emalungelo Wokukhangisa
futhi ukukhetha okulungile kohlelo lwe-tariff kuzokuvumela ukuthi ungaphazanyiswa kancane ekuthuthukisweni ngezinkinga ezingathandeki - konke kuzosebenza ngaphandle kokwehluleka kanye nesikhathi esiphezulu kakhulu!
Source: www.habr.com