GitHub launches a machine learning system to find vulnerabilities in code

A few days ago GitHub opened an experimental extension of its code scanning service that uses a machine learning system to detect common classes of vulnerabilities in code. With this, GitHub's CodeQL code analysis technology has been updated and now uses machine learning (ML) to find potential security vulnerabilities in code.

GitHub acquired the technology behind CodeQL as part of Semmle. Security research teams use CodeQL to perform semantic analysis of code, and GitHub has made it open source.

With these models, CodeQL can identify more flows of untrusted user data and, therefore, more potential security vulnerabilities.

It is noted that using a machine learning system has made it possible to widen the range of problems detected, since the analysis is no longer limited to checking typical patterns and is not tied to known templates.

Among the problems the new system identifies are errors that lead to cross-site scripting (XSS), path traversal (for example, via the "/.." sequence), and SQL and NoSQL query injection.

Code scanning can now find more potential security vulnerabilities by using a new deep learning model. This experimental feature is available in public beta for JavaScript and TypeScript repositories on GitHub.com.

GitHub's new tool was released as a free public beta for all users; the feature uses machine learning and deep learning to analyze source code and detect common security flaws before a product is deployed.

Currently the experimental feature is available to all users of the platform, including GitHub Enterprise users as a GitHub Advanced Security feature, and it can be used for projects written in JavaScript or TypeScript.

With the rapid evolution of the open source ecosystem, there is a long tail of libraries that are not used frequently enough. We use examples from manually written CodeQL queries to train deep learning models to recognize open source libraries as well as closed source libraries developed internally.

The tool is designed to find the four most common vulnerabilities affecting projects written in these two languages: cross-site scripting (XSS), path injection, NoSQL injection and SQL injection.

The code scanning service lets you identify vulnerabilities at an early stage of development by checking every git push operation for potential problems.

The results are attached directly to the pull request. Previously, the checks were performed using the CodeQL engine, which analyzes patterns against examples of vulnerable code (CodeQL lets you create a template of vulnerable code in order to detect the presence of a similar vulnerability in the code of other projects).

With the new analysis capabilities, code scanning can generate more alerts for the four vulnerability patterns: cross-site scripting (XSS), path injection, NoSQL injection, and SQL injection. Together, these four vulnerability types account for many of the recent vulnerabilities (CVEs) in the JavaScript/TypeScript ecosystem, and improving code scanning's ability to detect such vulnerabilities early in the development process is key to helping developers write more secure code.

The new machine learning engine can detect previously unknown vulnerabilities because it is not tied to iterating over code patterns that describe specific vulnerabilities. The price of this capability is an increase in the number of false positives compared to CodeQL's query-based checks.

Finally, for those interested in learning more about it, you can check the details at the following link.

It is also worth mentioning that, during the testing phase, the new feature is currently only available for repositories with JavaScript and TypeScript code.