GitHub launches a machine learning system to find vulnerabilities in code


GitHub announced a few days ago that it is adding an experimental machine learning system to its code scanning service to identify common types of vulnerabilities in code. With this, the CodeQL code analysis technology behind GitHub has been updated and now uses machine learning (ML) to find potential security vulnerabilities in code.

GitHub obtained the CodeQL technology as part of its acquisition of Semmle. CodeQL is used by security research teams to perform semantic analysis of code, and GitHub released it as open source.

With these models, CodeQL can identify flows of untrusted user data and, as a result, more security vulnerabilities.

It is noted that the use of machine learning has made it possible to expand the range of problems identified, since the analysis system is no longer limited to checking for common patterns and is not tied to known schemes.

Among the problems identified by the new system are errors leading to cross-site scripting (XSS), file path manipulation (for example, by specifying "/.."), and the substitution of SQL and NoSQL queries.

Code scanning can now find more potential security vulnerabilities using a new deep learning model. This experimental feature is available in public beta for JavaScript and TypeScript repositories on GitHub.com.

The new GitHub tool was released as a free public beta for all users; the feature uses machine learning and deep learning to scan code bases and identify common security vulnerabilities before they ship to production.

The experimental feature is now available to all users of the platform, including GitHub Enterprise users as a GitHub Advanced Security feature, and it can be used for projects written in JavaScript or TypeScript.

With the rapid growth of the open source ecosystem, there is an ever-growing long tail of libraries that are used less frequently. We use examples from the manually written CodeQL queries to train deep learning models to recognize open source libraries as well as closed source libraries developed internally.

The tool is designed to look for the four most common vulnerabilities affecting projects written in these two languages: cross-site scripting (XSS), path injection, NoSQL injection and SQL injection.

The code scanning service lets you spot vulnerabilities at an early stage of development by scanning each git operation for potential issues.

The result is attached directly to the pull request. Previously, the check was performed using the CodeQL engine, which analyzes typical patterns and templates of vulnerable code (CodeQL lets you write a template of vulnerable code in order to detect the presence of a similar vulnerability in the code of other projects).

With the new analysis capability, Code Scanning can generate more alerts for four common vulnerability patterns: Cross-Site Scripting (XSS), Path Injection, NoSQL Injection, and SQL Injection. Together, these four vulnerability types account for the majority of recent vulnerabilities (CVEs) in the JavaScript/TypeScript ecosystem, and improving code scanning's ability to detect such vulnerabilities early in the development process is key to helping developers write more secure code.

The new machine learning engine can identify previously unknown vulnerabilities because it is not tied to enumerating the code patterns that describe specific vulnerabilities. The price of this capability is an increase in the number of false positives compared to the CodeQL-based checks.

Finally, for those interested in learning more about it, you can consult the details at the following link.

It is also worth mentioning that, at the testing stage, the new functionality is currently only available for repositories containing JavaScript and TypeScript code.
