GitHub adds a machine learning system to find vulnerabilities in code


A few days ago GitHub announced the addition of machine learning checks to its code scanning service to identify common types of security vulnerabilities in code. With this, GitHub's CodeQL-based code analysis technology has been upgraded and now uses machine learning (ML) to find potential security vulnerabilities in code.

GitHub obtained the CodeQL technology as part of its acquisition of Semmle. CodeQL is used by security research teams to perform semantic code analysis, and GitHub has made it open source.

With these models, CodeQL can detect more flows of untrusted user data, and therefore more potential security vulnerabilities.

It is noted that the use of a machine learning system has made it possible to significantly increase the number of problems detected, since the analysis is no longer limited to recognizing typical patterns and is not tied to known templates.

Among the problems detected by the new system are errors leading to cross-site scripting (XSS), corruption of file paths (for example, through the "/.." sequence), and SQL and NoSQL query injection.

Code scanning can now find more potential security vulnerabilities using a new deep learning model. This experimental feature is available in public beta for JavaScript and TypeScript repositories on GitHub.com.

GitHub's new tool was released as a free public beta for all users. The feature uses machine learning and deep learning to analyze code bases and detect common vulnerabilities before a product is shipped.

The experimental feature is available to all users of the platform, including GitHub Enterprise users as part of GitHub Advanced Security, and can be used on projects written in JavaScript or TypeScript.

"With the rapid evolution of the open source ecosystem, there is an ever-growing long tail of libraries that are used less frequently. We use examples from manually created CodeQL queries to train a deep learning model to recognize open source libraries as well as internally developed closed source libraries."

The tool was designed to look for the four most common vulnerabilities affecting projects written in these two languages: cross-site scripting (XSS), path injection, NoSQL injection and SQL injection.

The code scanning service lets you detect vulnerabilities early in development by checking every git push operation for potential problems.

The results are attached directly to the pull request. Previously, the check was performed using the CodeQL engine, which analyzes patterns against typical examples of unsafe code (CodeQL lets you write a template of vulnerable code and then detect the presence of similar vulnerabilities in the code of other projects).

With the new analysis capability, Code Scanning can generate many more alerts for four common vulnerability patterns: Cross-Site Scripting (XSS), Path Injection, NoSQL Injection, and SQL Injection. Together, these four vulnerability types account for many of the recently published vulnerabilities (CVEs) in the JavaScript/TypeScript ecosystem, and improving the ability of code scanning to detect such vulnerabilities early in the development process is critical to helping developers write more secure code.

The new machine learning engine can detect previously unknown vulnerabilities because it is not tied to iterating over code patterns that describe specific vulnerabilities. The cost of this capability is an increase in the number of false positives compared with the CodeQL-based checks.

Finally, for those interested in learning more about it, you can check the details at the following link.

It is also important to mention that, during the testing phase, this new functionality is only available for repositories containing JavaScript and TypeScript code.
