GitHub Security Lab, a project to identify vulnerabilities in open source software


Yesterday, at GitHub Universe, its developer conference, GitHub announced a new initiative aimed at improving the security of the open source ecosystem. The initiative, called GitHub Security Lab, brings together security researchers from various companies to identify and fix problems in well-known open source projects.

All interested companies and individual computer security experts are invited to join the effort, in which security researchers from F5, Google, HackerOne, Intel, IOActive, JP Morgan, LinkedIn, Microsoft, Mozilla, NCC Group, Oracle, Trail of Bits, Uber and VMWare have already identified and helped fix 105 vulnerabilities over the past two years in projects such as Chromium, libssh2, the Linux kernel, Memcached, U-Boot, VLC, Apport, HHVM, Exiv2, FFmpeg, Fizz, libav, Ansible, npm, XNU, Ghostscript, Icecast, Apache Struts, strongSwan, Apache Ignite, rsyslog, Apache Geode and Hadoop.

"The mission of the Security Lab is to inspire and help the global research community keep software code secure," the company said.

The code-security maintenance lifecycle proposed by GitHub works as follows: GitHub Security Lab participants identify a vulnerability, the details are passed to the maintainers, the developers fix the problem, the parties agree on when information about the issue is disclosed, and dependent projects are notified that they need to move to the version that removes the vulnerability.

Microsoft has released CodeQL, an engine developed for finding vulnerabilities in open source code, for public use. The knowledge base will accept CodeQL templates that prevent already-fixed issues from reappearing in code hosted on GitHub.

In addition, GitHub has recently become a CVE Numbering Authority (CNA), which means it can issue CVE identifiers for vulnerabilities. This capability is integrated into a new service called "Security Advisories".

Through the GitHub interface you can obtain a CVE identifier for a discovered problem and prepare a report; GitHub itself then sends the necessary notifications and organizes the coordinated fix. Furthermore, once the problem is fixed, GitHub automatically sends pull requests to update the dependencies associated with the vulnerable project.

CVE identifiers mentioned in GitHub commits now automatically link to detailed vulnerability information in the provided database. A separate API is offered to automate work with the database.

GitHub has also introduced the GitHub Advisory Database, a vulnerability catalog that publishes information about vulnerabilities affecting projects hosted on GitHub, together with information for tracking the affected packages and repositories.

An improvement to the service that protects public repositories against leaks of sensitive data, such as authentication tokens and access keys, was also announced.

At commit time, the scanner checks for the key and token formats used by 20 cloud providers and services, including Alibaba Cloud API, Amazon Web Services (AWS), Azure, Google Cloud, Slack and Stripe. If a token is detected, a request is sent to the service provider to confirm the leak and revoke the compromised token. As of yesterday, in addition to the previously supported formats, support has been added for identifying GoCardless, HashiCorp, Postman and Tencent tokens.
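The detection step described above, as an added example that is not GitHub's own scanner code: a small Python scanner that walks a unified diff, looks only at the lines a commit adds, matches them against a handful of simplified token patterns, and reports each hit with a redacted value so the report itself never re-leaks the secret. The patterns, the SAMPLE_DIFF and the provider names are constructed for illustration (the AWS value is the placeholder key AWS uses in its own documentation); real provider formats are more specific, and the follow-up request to the provider to verify and revoke the token is out of scope here.

```python
import re
from dataclasses import dataclass

# Simplified, illustrative token formats (assumption: real detectors use the
# providers' exact formats and checksums; these cover documented prefixes only).
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24}\b"),
    "github_pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
}


@dataclass(frozen=True)
class Finding:
    provider: str
    file: str
    line_no: int   # line number in the new version of the file
    redacted: str  # token with the middle masked, safe to put in a report


def redact(secret: str) -> str:
    """Keep the prefix and last four characters so a finding is recognisable but unusable."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_diff(diff_text: str) -> list[Finding]:
    """Scan the added ('+') lines of a unified diff for token-shaped strings."""
    findings: list[Finding] = []
    current_file = None
    new_line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            # "+++ b/path" names the new version of the file
            current_file = raw[4:].removeprefix("b/")
            continue
        if raw.startswith("--- "):
            continue
        if raw.startswith("@@"):
            # hunk header "@@ -a,b +c,d @@": c is the first new-file line number
            m = re.search(r"\+(\d+)", raw)
            new_line_no = int(m.group(1)) if m else 0
            continue
        if raw.startswith("-"):
            continue  # removed lines do not exist in the new file
        if raw.startswith("+"):
            for provider, pattern in TOKEN_PATTERNS.items():
                for match in pattern.finditer(raw[1:]):
                    findings.append(Finding(provider, current_file, new_line_no,
                                            redact(match.group(0))))
        new_line_no += 1  # both added and context lines advance the new-file counter
    return findings


# Constructed sample diff: a commit that hard-codes two credentials into config.py.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+SLACK = "xoxb-000000000000-000000000000-exampleexampleexam"
 DEBUG = False
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.file}:{f.line_no}: possible {f.provider} -> {f.redacted}")
```

Scanning only added lines keeps the check cheap enough to run on every push, and redacting before reporting matters because the report is usually sent over a channel (issue tracker, e-mail, chat) that is less protected than the repository itself.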

For identifying vulnerabilities, rewards of up to $3,000 are paid, depending on the severity of the problem and the quality of the report.

According to the company, bug reports should include a CodeQL query that captures a template of the vulnerable code, so that the presence of a similar vulnerability can be detected in the code of other projects (CodeQL performs semantic analysis of code and lets you write queries that find specific constructs).
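To make the "template of the vulnerable code" idea concrete, here is an added example, written in Python with the standard ast module rather than in CodeQL, and not taken from GitHub or the CodeQL project. It encodes one bug shape as a reusable query (a subprocess call with shell=True whose command is not a string literal) and runs that query over several source files, flagging only the variant where a non-constant string reaches a shell. The SAMPLE_SOURCES and file names are constructed for illustration; CodeQL queries express the same kind of pattern against a semantic database of the code rather than a raw syntax tree.

```python
import ast
from dataclasses import dataclass
from typing import Optional

# The "template": subprocess entry points that accept a shell=True argument.
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


@dataclass(frozen=True)
class Variant:
    file: str
    line: int
    callee: str


def _has_shell_true(call: ast.Call) -> bool:
    """True when the call literally passes shell=True."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def _subprocess_callee(call: ast.Call) -> Optional[str]:
    """Return 'subprocess.<name>' when the call targets one of SUBPROCESS_FUNCS."""
    func = call.func
    if (isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and func.value.id == "subprocess"
            and func.attr in SUBPROCESS_FUNCS):
        return f"subprocess.{func.attr}"
    return None


def find_variants(source: str, filename: str) -> list[Variant]:
    """Flag subprocess calls with shell=True whose command is not a string constant."""
    tree = ast.parse(source, filename)
    hits: list[Variant] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        callee = _subprocess_callee(node)
        if callee is None or not _has_shell_true(node):
            continue
        # the command is the first positional argument or the args= keyword
        cmd = node.args[0] if node.args else next(
            (kw.value for kw in node.keywords if kw.arg == "args"), None)
        if cmd is None:
            continue
        if not (isinstance(cmd, ast.Constant) and isinstance(cmd.value, str)):
            hits.append(Variant(filename, node.lineno, callee))
    return hits


# Constructed sample sources: one vulnerable variant, one hardened call, one
# shell=True call with a constant command (not an injection sink).
SAMPLE_SOURCES = {
    "backup.py": (
        "import subprocess\n"
        "def backup(user_dir):\n"
        "    # vulnerable variant: a user-controlled string reaches a shell\n"
        "    subprocess.run('tar czf /tmp/b.tgz ' + user_dir, shell=True)\n"
    ),
    "listing.py": (
        "import subprocess\n"
        "def listing(user_dir):\n"
        "    # hardened: argument list, no shell involved\n"
        "    return subprocess.check_output(['ls', '-la', user_dir])\n"
    ),
    "status.py": (
        "import subprocess\n"
        "def status():\n"
        "    # shell=True but the command is a constant: nothing attacker-controlled\n"
        "    return subprocess.check_output('uptime', shell=True)\n"
    ),
}


def scan_all(sources: dict = SAMPLE_SOURCES) -> list[Variant]:
    """Run the template over every file, the way a variant-analysis query is reused across projects."""
    return [v for name, src in sources.items() for v in find_variants(src, name)]


if __name__ == "__main__":
    for v in scan_all():
        print(f"{v.file}:{v.line}: {v.callee} with shell=True and a non-constant command")
```

The value of shipping the query with the bug report is exactly what scan_all shows: once the shape of a fixed bug is written down as a query, the same query finds the untouched copies in other code bases, and re-running it in CI keeps the fixed shape from coming back.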
