GitHub launches a joint project to identify vulnerabilities in open source software

GitHub has announced the GitHub Security Lab initiative, which aims to organize collaboration among security experts from different companies and organizations in order to identify vulnerabilities in the code of open source projects and help eliminate them.

All interested companies and individual computer security specialists are invited to join the initiative. For an identified vulnerability, a bounty of up to $3000 is paid, depending on the severity of the problem and the quality of the report. Problem details are to be submitted using the CodeQL toolkit, which lets you produce a template of the vulnerable code in order to detect the same vulnerability in the code of other projects (CodeQL performs semantic analysis of code and lets you build queries that search for particular constructs).

Security researchers from F5, Google, HackerOne, Intel, IOActive, J.P. Morgan, LinkedIn, Microsoft, Mozilla, NCC Group, Oracle, Trail of Bits, Uber and VMWare have already joined the initiative; over the past two years they have identified and helped fix 105 vulnerabilities in projects such as Chromium, libssh2, Linux kernel, Memcached, UBoot, VLC, Apport, HHVM, Exiv2, FFmpeg, Fizz, libav, Ansible, npm, XNU, Ghostscript, Icecast, Apache Struts, strongSwan, Apache Ignite, Apache Geode and Hadoop.

The secure code lifecycle proposed by GitHub has GitHub Security Lab members identify vulnerabilities, which are then passed on to maintainers and developers, who develop fixes, coordinate when the problem will be disclosed, and notify dependent projects so they can install a version with the vulnerability removed. The database will hold CodeQL templates to prevent resolved problems from reappearing in code hosted on GitHub.

Through the GitHub interface it is now possible to obtain a CVE identifier for an identified problem and prepare a report, and GitHub itself will send out the necessary notifications and organize a coordinated fix. Moreover, once the problem is fixed, GitHub will automatically send pull requests to update dependencies related to the affected project.

GitHub has also added a vulnerability list, the GitHub Advisory Database, which publishes information about vulnerabilities affecting projects on GitHub together with information for tracking affected packages and repositories. CVE identifiers mentioned in comments on GitHub now link automatically to the detailed vulnerability information in this database. A separate API is offered for automating work with the database.

The service that protects against sensitive data such as authentication tokens and access keys landing in publicly accessible repositories has also been updated. At commit time, the scanner checks for the typical key and token formats used by 20 cloud providers and services, including Alibaba Cloud API, Amazon Web Services (AWS), Azure, Google Cloud, Slack and Stripe. If a token is identified, a request is sent to the service provider to confirm the leak and revoke the compromised tokens. As of yesterday, in addition to the previously supported formats, detection of GoCardless, HashiCorp, Postman and Tencent tokens has been added.
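The commit-time check described above, as an added example that is not GitHub's own scanner: it inspects only the added lines of a unified diff for a few simplified, assumed token formats and blocks the commit on a match. The diff and credential values are constructed and non-functional.

```python
import re
from typing import Dict, List

# Simplified public token formats (assumption: illustrative patterns,
# not the rules GitHub's scanner actually uses).
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abps]-[0-9A-Za-z-]{10,}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
}


def redact(secret: str) -> str:
    """Keep only a short prefix so a finding can be reported without re-leaking the value."""
    return secret[:8] + "..."


def scan_diff(diff_text: str) -> List[Dict[str, object]]:
    """Scan added lines ('+' but not the '+++' file header) of a unified diff for token formats."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # removed and unchanged lines cannot introduce a new leak
        for name, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({"type": name, "line": lineno, "value": redact(match.group(0))})
    return findings


def commit_allowed(diff_text: str) -> bool:
    """Policy hook: refuse the commit when any token format matches."""
    return not scan_diff(diff_text)


# Constructed sample diff with fake credential values.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+STRIPE = "sk_live_FAKE0000000000000000FAKE"
+SLACK = "xoxb-000000000000-FAKEFAKEFAKEFAKE"
 REGION = "eu-west-1"
"""

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(f"line {finding['line']}: possible {finding['type']} ({finding['value']})")
    print("commit allowed:", commit_allowed(SAMPLE_DIFF))
```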

Source: opennet.ru
