Zimbalwa iintsuku ezidlulileyo UGoogle uveze iprojekthi entsha umthombo ovulekileyo, onegama «Vanir» ebekwe njengeI-Static code analyzer eyilelwe ukuchonga ubuthathaka kwiiprojekthi zesoftware, ngakumbi ezo zingekalungiswa ngamaphetshana.
Isebenza njani iVanir isekwe kugcino lwedatha equlethe ulwazi malunga nobuthathaka obaziwayo kunye namabala ahambelanayo, evumela ukuthelekisa ikhowudi yemvelaphi kunye nezilungiso ezisetyenzisiweyo ukukhangela ukuphulwa kokhuseleko olunokwenzeka.
Ngokwenza iVanir ibe ngumthombo ovulekileyo, injongo yethu kukuvumela uluntu lokhuseleko olubanzi ukuba lube negalelo kwaye luxhamle kwesi sixhobo, sivumela ukwamkelwa okubanzi kwaye ekugqibeleni kuphuculwe ukhuseleko kuyo yonke indalo eyahlukeneyo.
Phakathi iingenelo eziphambili zeVanir oku kulandelayo kuvela:
- Ukuchonga ubuthathaka kwiifolokhwe kunye nekhowudi yomntu wesithathu
IVanir yenza kube lula ukubona iipatches ezilahlekileyo kwiifolokhwe, ukuguqulwa, okanye ikhowudi ebolekayo ngaphandle kweprojekthi ephambili. Kwi-ecosystem ye-Android, oku kukuvumela ukuba uqinisekise ukuba abavelisi besixhobo soqobo basebenzise ngokuchanekileyo iipetshi eziyimfuneko kwiinguqulelo zabo zeqonga. - Uhlalutyo ngaphandle kokuxhomekeka kwemetadata
Ngokungafaniyo nezinye izixhobo, iVanir ayifuni ulwazi olongezelelweyo olufana neenombolo zenguqulelo, imbali yokuzibophelela, okanye uluhlu lwe-SBOM (i-Software Bill of Materials). Indlela yabo isekelwe ngokukodwa kuhlalutyo olungatshintshiyo lwekhowudi yomthombo okhoyo. - Ukwenziwa kotyikityo oluzenzekelayo
I-Vanir yenza ngokuzenzekelayo ukudalwa kweesignesha ezivela kulwazi olusesichengeni soluntu (CVE) kunye neepatches ezipapashwe ngabagcini. Oku kwenza kube lula ukuhlaziya kunye nokugcina ugcino lwedatha. - Ukusebenza okukhulu kunye nokusebenza kakuhle
Ngokuthembela kuhlalutyo lwe-static lwekhowudi yomthombo, iVanir ibonelela ngokusebenza okungcono kakhulu xa kuthelekiswa nohlalutyo oluguquguqukayo okanye izixhobo zokuqinisekisa indibano yokubini. - Ukuzimela kunye nokuphunyezwa kwendawo
Isixhobo sivumela imibutho ukuba isebenzise kwaye iqhube iziseko kwiinkqubo zabo, ukuphelisa isidingo sokujika kwiinkonzo zangaphandle okanye ukuthembela kumaqela esithathu. - Ugcino lwedatha oluhlaziyiweyo noluthembekileyo
UVanir usebenzisa isiseko sedatha sokutyikitya esixhaswa liqela lezokhuseleko leGoogle Android, liqinisekisa ukhuseleko oluthembekileyo nolwexesha lwangoku lobuthathaka obubalulekileyo. - Ukudityaniswa neCI/CD
Inkxaso yokudibanisa kunye nokuhlanganiswa okuqhubekayo kunye nokuhanjiswa okuqhubekayo (CI / CD) iinkqubo zivumela ukuzenzekelayo ukubonwa kobuthathaka kumjikelezo wophuhliso, ukuququzelela ukuphunyezwa kweenkqubo zokhuseleko kwi-DevSecOps. - Ukuguquguquka kunye nokuguquguquka
Ngaphandle kokufunyanwa sesichengeni, iVanir inokulungelelaniswa neminye imisebenzi, njengokuchonga ikhowudi yekhowudi, uhlalutyo lokuphindaphinda, okanye ukusebenzisa ikhowudi eneelayisensi ezithile kwezinye iiprojekthi.
Ngelixa iVanir yayiyilelwe i-Android ekuqaleni, inokulungelelaniswa lula kwezinye izinto eziphilayo ezinotshintsho oluncinci, iyenze ibe sisixhobo esisebenza ngeendlela ezininzi sokuphucula ukhuseleko lwesoftware.
Ukuqulunqwa kweVanir
Vanir inamacandelo amabini eyona:
- ijenereyitha yotyikityo
- isixhobo sokujonga indawo esilahlekileyo.
El ijenereyitha yenza imisayino esekwe kwiinkcazelo zobuthathaka (ngefomathi ye-OSV) kunye nekhonkco kwiipetshi ezihambelanayo, ikhowudi yokucubungula ibophelela kwiindawo ezithile zokugcina ezifana ne-googlesource.com kunye ne-git.codelinaro.org, kunye nethuba lokongeza inkxaso yezinye iinkonzo usebenzisa iziphatho zotsalo.
Isebenza njani iVanir?
IVanir Detector uhlalutya ikhowudi yemvelaphi yendawo yokugcina kunye nokukhangela ukulungiswa zobuthathaka bakhona. Lo msebenzi uyenziwa usebenzisa i-algorithms ephezulu Ngokucocwa komsayino kunye nohlalutyo lwepateni emininzi, iVanir ivelisa ingxelo eneenkcukacha eqaqambisa ubuthathaka obungabhalwanga, ibonelela ngamakhonkco kwizikhundla zekhowudi kunye neembekiselo kwizichongi zeCVE kunye neziziba ezisetyenzisiweyo.
Njengomzekelo wokuqonda umthamo weVanir ngokwemigaqo yokusebenza, oku unokuskena ikhowudi yomthombo we-Android, Ngogcino lwedatha olugubungela ngaphezulu kobuthathaka abangama-2000, kwi-10 ukuya kwimizuzu engama-20 kwiPC yanamhlanje. Izinga elihle lobuxoki, elisekelwe kwiminyaka emibini yokusetyenziswa ngaphakathi kweGoogle, lihlala liphantsi, malunga ne-2.72%.
ekugqibeleni ukuba ukhona unomdla wokwazi ngakumbi ngayo, ungazijonga iinkcukacha kwi ukulandela ikhonkco.