mirror of
https://github.com/LCTT/TranslateProject.git
synced 2025-01-28 23:20:10 +08:00
geekpi
GitHub
commit
59e93b9503
@ -1,37 +0,0 @@
|
||||
[#]: subject: "Package Analysis Examines Packages In Open Source Repositories In Real Time"
|
||||
[#]: via: "https://www.opensourceforu.com/2022/05/package-analysis-examines-packages-in-open-source-repositories-in-real-time/"
|
||||
[#]: author: "Laveesh Kocher https://www.opensourceforu.com/author/laveesh-kocher/"
|
||||
[#]: collector: "lkxed"
|
||||
[#]: translator: "geekpi"
|
||||
[#]: reviewer: " "
|
||||
[#]: publisher: " "
|
||||
[#]: url: " "
|
||||
|
||||
Package Analysis Examines Packages In Open Source Repositories In Real Time
|
||||
======
|
||||
![openssf-logo][1]
|
||||
|
||||
The Open Source Security Foundation (OpenSSF) has released a beta version of a new tool that can do dynamic analysis of all packages published to prominent open source repositories. The Package Analysis project attempts to safeguard open source packages by identifying and alerting users to any malicious behaviour, with the goal of enhancing trust in open source software and bolstering the security of the software supply chain.
|
||||
|
||||
“The Package Analysis project seeks to understand the behavior and capabilities of packages available on open source repositories: what files do they access, what addresses do they connect to, and what commands do they run?,” the OpenSSF said.
|
||||
|
||||
“The project also tracks changes in how packages behave over time, to identify when previously safe software begins acting suspiciously,” the foundation’s Caleb Brown and David A. Wheeler added.
|
||||
|
||||
The program discovered over 200 malicious packages published to PyPI and NPM during a month-long test run, with the majority of the rogue libraries relying on dependency confusion and typosquatting assaults. Google, an OpenSSF member, has thrown its support to the Package Analysis initiative, underlining the importance of “vetting packages before they are published in order to keep users secure.”
|
||||
|
||||
Last year, the company’s Open Source Security Team proposed the Supply Chain Levels for Software Artifacts (SLSA) architecture to verify the integrity of software packages and prevent unauthorised changes. The development comes as the open source ecosystem is increasingly being weaponized to attack developers with malware such as cryptocurrency miners and data thieves.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://www.opensourceforu.com/2022/05/package-analysis-examines-packages-in-open-source-repositories-in-real-time/
|
||||
|
||||
作者:[Laveesh Kocher][a]
|
||||
选题:[lkxed][b]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]: https://www.opensourceforu.com/author/laveesh-kocher/
|
||||
[b]: https://github.com/lkxed
|
||||
[1]: https://www.opensourceforu.com/wp-content/uploads/2022/05/openssf-logo-696x418.jpg
|
||||
@ -0,0 +1,37 @@
|
||||
[#]: subject: "Package Analysis Examines Packages In Open Source Repositories In Real Time"
|
||||
[#]: via: "https://www.opensourceforu.com/2022/05/package-analysis-examines-packages-in-open-source-repositories-in-real-time/"
|
||||
[#]: author: "Laveesh Kocher https://www.opensourceforu.com/author/laveesh-kocher/"
|
||||
[#]: collector: "lkxed"
|
||||
[#]: translator: "geekpi"
|
||||
[#]: reviewer: " "
|
||||
[#]: publisher: " "
|
||||
[#]: url: " "
|
||||
|
||||
包分析实时检查开源仓库中的包
|
||||
======
|
||||
![openssf-logo][1]
|
||||
|
||||
开源安全基金会 (OpenSSF) 发布了一个新工具的测试版,它可以对发布到著名开源仓库的所有包进行动态分析。包分析项目试图通过识别和警告用户任何恶意行为来保护开源包,目的是增强对开源软件的信任并加强软件供应链的安全性。
|
||||
|
||||
OpenSSF 说:“包分析项目旨在了解开源仓库上可用包的行为和功能:它们访问哪些文件,它们连接到哪些地址,以及它们运行哪些命令?”
|
||||
|
||||
该基金会的 Caleb Brown 和 David A. Wheeler 补充说:“该项目还跟踪软件包随时间的行为变化,以确定以前安全的软件何时开始出现可疑行为。”
|
||||
|
||||
该程序在为期一个月的测试运行中发现了 200 多个发布到 PyPI 和 NPM 的恶意程序包,其中大多数流氓库依赖于依赖混淆和仿冒攻击。谷歌是 OpenSSF 的成员,它支持包分析计划,强调“在发布包之前审查包以确保用户安全”的重要性。
|
||||
|
||||
去年,该公司的开源安全团队提出了软件工件的供应链级别(SLSA)架构,以验证软件包的完整性并防止未经授权的更改。这一发展是在开源生态系统越来越多地被武器化,用加密货币矿工和数据窃贼等恶意软件攻击开发者的情况下进行的。
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://www.opensourceforu.com/2022/05/package-analysis-examines-packages-in-open-source-repositories-in-real-time/
|
||||
|
||||
作者:[Laveesh Kocher][a]
|
||||
选题:[lkxed][b]
|
||||
译者:[geekpi](https://github.com/geekpi)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]: https://www.opensourceforu.com/author/laveesh-kocher/
|
||||
[b]: https://github.com/lkxed
|
||||
[1]: https://www.opensourceforu.com/wp-content/uploads/2022/05/openssf-logo-696x418.jpg
|
||||
Loading…
Reference in New Issue
Block a user