\u0634\u0647\u062f\u062a \u0647\u062c\u0645\u0627\u062a \u0633\u0644\u0633\u0644\u0629 \u062a\u0648\u0631\u064a\u062f \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a \u0627\u0631\u062a\u0641\u0627\u0639\u064b\u0627 \u0645\u0644\u062d\u0648\u0638\u064b\u0627 \u0641\u064a \u0627\u0644\u062a\u0643\u0631\u0627\u0631 \u0648\u0627\u0644\u062a\u0639\u0642\u064a\u062f \u062e\u0644\u0627\u0644 \u0627\u0644\u0633\u0646\u0648\u0627\u062a \u0627\u0644\u0623\u062e\u064a\u0631\u0629. \u0641\u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0645\u0647\u0627\u062c\u0645\u0629 \u0627\u0644\u062a\u0637\u0628\u064a\u0642\u0627\u062a \u0645\u0628\u0627\u0634\u0631\u0629\u060c \u064a\u0633\u062a\u0647\u062f\u0641 \u0627\u0644\u0645\u0647\u0627\u062c\u0645\u0648\u0646 \u0628\u0634\u0643\u0644 \u0645\u062a\u0632\u0627\u064a\u062f \u0637\u0628\u0642\u0627\u062a \u062a\u062d\u0644\u064a\u0644 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0648\u062a\u0648\u0632\u064a\u0639 \u0627\u0644\u0645\u0643\u0648\u0646\u0627\u062a \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0629 \u0627\u0644\u062a\u064a \u062a\u0634\u0643\u0651\u0644 \u0623\u0633\u0627\u0633 \u062a\u0637\u0648\u064a\u0631 \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a \u0627\u0644\u062d\u062f\u064a\u062b\u0629. \u0648\u0645\u0646 \u0623\u0643\u062b\u0631 \u0627\u0644\u062a\u0642\u0646\u064a\u0627\u062a \u0641\u0639\u0627\u0644\u064a\u0629 \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u0633\u064a\u0627\u0642: dependency confusion<\/strong> \u0648artifact poisoning<\/strong>.<\/p>\n \u062a\u0633\u062a\u063a\u0644 \u0647\u0630\u0647 \u0627\u0644\u0647\u062c\u0645\u0627\u062a \u062d\u0642\u064a\u0642\u0629 \u062c\u0648\u0647\u0631\u064a\u0629: \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a \u0627\u0644\u062d\u062f\u064a\u062b\u0629 \u062a\u064f\u062c\u0645\u064e\u0651\u0639 \u0648\u0644\u0627 \u062a\u064f\u0643\u062a\u0628 \u0645\u0646 \u0627\u0644\u0635\u0641\u0631. \u0641\u0627\u0644\u062a\u0637\u0628\u064a\u0642 \u0627\u0644\u0646\u0645\u0648\u0630\u062c\u064a \u0642\u062f \u064a\u0633\u062d\u0628 \u0645\u0626\u0627\u062a \u0623\u0648 \u0622\u0644\u0627\u0641 \u0627\u0644\u062d\u0632\u0645 \u0645\u0646 \u0645\u0635\u0627\u062f\u0631 \u062e\u0627\u0631\u062c\u064a\u0629\u060c \u0648\u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a\u060c \u0648\u0642\u0648\u0627\u0644\u0628 CI\u060c \u0648\u0625\u0636\u0627\u0641\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u2014 \u0648\u0643\u0644 \u0639\u0646\u0635\u0631 \u0645\u0646\u0647\u0627 \u064a\u0645\u062b\u0644 \u062d\u0644\u0642\u0629 \u0641\u064a \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062b\u0642\u0629. \u0648\u0639\u0646\u062f\u0645\u0627 \u062a\u064f\u062e\u062a\u0631\u0642 \u0623\u064a \u062d\u0644\u0642\u0629\u060c \u062a\u0646\u0647\u0627\u0631 \u0627\u0644\u0633\u0644\u0633\u0644\u0629 \u0628\u0623\u0643\u0645\u0644\u0647\u0627.<\/p>\n \u0645\u0627 \u064a\u062c\u0639\u0644 \u0647\u0630\u0647 \u0627\u0644\u0647\u062c\u0645\u0627\u062a \u062e\u0637\u064a\u0631\u0629 \u0628\u0634\u0643\u0644 \u062e\u0627\u0635 \u0647\u0648 \u0623\u0646 \u0643\u062b\u064a\u0631\u064b\u0627 \u0645\u0646 \u0627\u0644\u0645\u0624\u0633\u0633\u0627\u062a \u062a\u0638\u0644 \u0639\u0631\u0636\u0629 \u0644\u0647\u0627 \u0631\u063a\u0645 \u0627\u0645\u062a\u0644\u0627\u0643\u0647\u0627 \u0628\u0631\u0627\u0645\u062c \u0623\u0645\u0646\u064a\u0629 \u0646\u0627\u0636\u062c\u0629. \u0641\u0627\u062e\u062a\u0628\u0627\u0631\u0627\u062a \u0623\u0645\u0627\u0646 \u0627\u0644\u062a\u0637\u0628\u064a\u0642\u0627\u062a \u0627\u0644\u062a\u0642\u0644\u064a\u062f\u064a\u0629 \u0644\u0627 \u062a\u0643\u0634\u0641 \u0639\u0646 \u062a\u0628\u0639\u064a\u0629 \u062e\u0628\u064a\u062b\u0629 \u062a\u064f\u062b\u0628\u064e\u0651\u062a \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u0628\u0646\u0627\u0621. \u0643\u0645\u0627 \u0623\u0646 \u062c\u062f\u0631\u0627\u0646 \u0627\u0644\u062d\u0645\u0627\u064a\u0629 \u0648\u0623\u0646\u0638\u0645\u0629 WAF \u0644\u0627 \u0641\u0627\u0626\u062f\u0629 \u0645\u0646\u0647\u0627 \u062d\u064a\u0646 \u064a\u0639\u0645\u0644 \u0643\u0648\u062f \u0627\u0644\u0645\u0647\u0627\u062c\u0645 \u062f\u0627\u062e\u0644 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0627\u0644\u062e\u0627\u0635 \u0628\u0643 \u0645\u0639 \u0648\u0635\u0648\u0644 \u0643\u0627\u0645\u0644 \u0644\u0644\u0634\u0628\u0643\u0629 \u0648\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0625\u0646\u062a\u0627\u062c.<\/p>\n \u064a\u0642\u062f\u0645 \u0647\u0630\u0627 \u0627\u0644\u062f\u0644\u064a\u0644 \u0641\u062d\u0635\u064b\u0627 \u0645\u0639\u0645\u0642\u064b\u0627 \u0644\u0643\u064a\u0641\u064a\u0629 \u0639\u0645\u0644 dependency confusion \u0648artifact poisoning\u060c \u0648\u0644\u0645\u0627\u0630\u0627 \u062a\u064f\u0639\u062f \u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0623\u0647\u062f\u0627\u0641\u064b\u0627 \u0631\u0626\u064a\u0633\u064a\u0629\u060c \u0648\u0627\u0644\u0623\u0647\u0645 \u0645\u0646 \u0630\u0644\u0643 \u2014 \u0645\u0627 \u0627\u0644\u062f\u0641\u0627\u0639\u0627\u062a \u0627\u0644\u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u062a\u064a \u064a\u0645\u0643\u0646\u0643 \u062a\u0637\u0628\u064a\u0642\u0647\u0627 \u0627\u0644\u064a\u0648\u0645.<\/p>\n \u062a\u062a\u0628\u0639 \u0645\u0639\u0638\u0645 \u0645\u062f\u064a\u0631\u0627\u062a \u0627\u0644\u062d\u0632\u0645 \u0627\u0644\u062d\u062f\u064a\u062b\u0629 \u2014 npm \u0648pip \u0648RubyGems \u0648NuGet \u0648Maven \u2014 \u0639\u0645\u0644\u064a\u0629 \u062a\u062d\u0644\u064a\u0644 \u062a\u062a\u062d\u0642\u0642 \u0645\u0646 \u0633\u062c\u0644 \u0648\u0627\u062d\u062f \u0623\u0648 \u0623\u0643\u062b\u0631 \u0639\u0646\u062f \u0637\u0644\u0628 \u062d\u0632\u0645\u0629. \u0648\u0639\u0646\u062f\u0645\u0627 \u062a\u0633\u062a\u062e\u062f\u0645 \u0645\u0624\u0633\u0633\u0629 \u0645\u0627 \u0643\u0644\u0627\u064b \u0645\u0646 \u0633\u062c\u0644 \u062e\u0627\u0635\/\u062f\u0627\u062e\u0644\u064a<\/strong> (\u0644\u0644\u062d\u0632\u0645 \u0627\u0644\u0645\u0645\u0644\u0648\u0643\u0629) \u0648\u0627\u0644\u0633\u062c\u0644 \u0627\u0644\u0639\u0627\u0645<\/strong> (\u0644\u062d\u0632\u0645 \u0627\u0644\u0645\u0635\u062f\u0631 \u0627\u0644\u0645\u0641\u062a\u0648\u062d)\u060c \u064a\u062c\u0628 \u0639\u0644\u0649 \u0645\u062f\u064a\u0631 \u0627\u0644\u062d\u0632\u0645 \u0623\u0646 \u064a\u0642\u0631\u0631 \u0623\u064a \u0633\u062c\u0644 \u064a\u064f\u0639\u0637\u0649 \u0627\u0644\u0623\u0648\u0644\u0648\u064a\u0629 \u0639\u0646\u062f\u0645\u0627 \u064a\u062d\u062a\u0648\u064a \u0643\u0644\u0627\u0647\u0645\u0627 \u0639\u0644\u0649 \u062d\u0632\u0645\u0629 \u0628\u0646\u0641\u0633 \u0627\u0644\u0627\u0633\u0645.<\/p>\n \u064a\u062e\u062a\u0644\u0641 \u0627\u0644\u0633\u0644\u0648\u0643 \u0627\u0644\u0627\u0641\u062a\u0631\u0627\u0636\u064a \u062d\u0633\u0628 \u0627\u0644\u0646\u0638\u0627\u0645 \u0627\u0644\u0628\u064a\u0626\u064a\u060c \u0644\u0643\u0646 \u0647\u0646\u0627\u0643 \u0646\u0645\u0637 \u0634\u0627\u0626\u0639 \u0645\u062b\u064a\u0631 \u0644\u0644\u0642\u0644\u0642: \u0643\u062b\u064a\u0631 \u0645\u0646 \u0645\u062f\u064a\u0631\u0627\u062a \u0627\u0644\u062d\u0632\u0645 \u064a\u0641\u0636\u0651\u0644\u0648\u0646 \u0631\u0642\u0645 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u0623\u0639\u0644\u0649<\/strong> \u0628\u063a\u0636 \u0627\u0644\u0646\u0638\u0631 \u0639\u0646 \u0627\u0644\u0633\u062c\u0644 \u0627\u0644\u0630\u064a \u064a\u0623\u062a\u064a \u0645\u0646\u0647. \u0648\u0647\u0630\u0627 \u0627\u0644\u062e\u064a\u0627\u0631 \u0627\u0644\u062a\u0635\u0645\u064a\u0645\u064a \u0627\u0644\u0628\u0631\u064a\u0621 \u0638\u0627\u0647\u0631\u064a\u064b\u0627 \u0647\u0648 \u0623\u0633\u0627\u0633 \u0647\u062c\u0648\u0645 dependency confusion.<\/p>\n \u0641\u064a \u0641\u0628\u0631\u0627\u064a\u0631 2021\u060c \u0646\u0634\u0631 \u0627\u0644\u0628\u0627\u062d\u062b \u0627\u0644\u0623\u0645\u0646\u064a Alex Birsan \u0628\u062d\u062b\u064b\u0627 \u0631\u0627\u0626\u062f\u064b\u0627 \u064a\u0648\u0636\u062d \u0643\u064a\u0641 \u064a\u0645\u0643\u0646 \u062a\u0633\u0644\u064a\u062d \u0633\u0644\u0648\u0643 \u0627\u0644\u062a\u062d\u0644\u064a\u0644 \u0647\u0630\u0627. \u0645\u0646 \u062e\u0644\u0627\u0644 \u0641\u062d\u0635 \u0623\u0633\u0645\u0627\u0621 \u0627\u0644\u062d\u0632\u0645 \u0627\u0644\u062f\u0627\u062e\u0644\u064a\u0629 \u0627\u0644\u0645\u0633\u0631\u0651\u0628\u0629 \u0639\u0644\u0646\u064b\u0627 \u0645\u0646 \u0634\u0631\u0643\u0627\u062a \u0645\u062b\u0644 Apple \u0648Microsoft \u0648Tesla \u2014 \u0648\u0627\u0644\u062a\u064a \u0648\u064f\u062c\u062f\u062a \u0641\u064a \u0645\u0644\u0641\u0627\u062a JavaScript \u0648\u0645\u0627\u0646\u064a\u0641\u0633\u062a\u0627\u062a \u0627\u0644\u062d\u0632\u0645 \u0648\u0631\u0633\u0627\u0626\u0644 \u0627\u0644\u062e\u0637\u0623 \u2014 \u0642\u0627\u0645 \u0628\u062a\u0633\u062c\u064a\u0644 \u062d\u0632\u0645 \u0628\u0623\u0633\u0645\u0627\u0621 \u0645\u0637\u0627\u0628\u0642\u0629 \u0639\u0644\u0649 \u0633\u062c\u0644\u0627\u062a npm \u0648PyPI \u0648RubyGems \u0627\u0644\u0639\u0627\u0645\u0629 \u0628\u0623\u0631\u0642\u0627\u0645 \u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0645\u0636\u062e\u0651\u0645\u0629.<\/p>\n \u0643\u0627\u0646\u062a \u0627\u0644\u0646\u062a\u064a\u062c\u0629 \u0645\u062f\u0645\u0631\u0629. \u0641\u0639\u0646\u062f\u0645\u0627 \u062d\u0644\u0651\u0644\u062a \u0623\u0646\u0638\u0645\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0641\u064a \u0647\u0630\u0647 \u0627\u0644\u0634\u0631\u0643\u0627\u062a \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a\u060c \u062c\u0644\u0628\u062a \u0645\u062f\u064a\u0631\u0627\u062a \u0627\u0644\u062d\u0632\u0645 \u062d\u0632\u0645 Birsan \u0627\u0644\u0639\u0627\u0645\u0629 \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0627\u0644\u062d\u0632\u0645 \u0627\u0644\u062f\u0627\u062e\u0644\u064a\u0629 \u0627\u0644\u0645\u0634\u0631\u0648\u0639\u0629. \u062a\u0636\u0645\u0646\u062a \u062d\u0632\u0645 \u0625\u062b\u0628\u0627\u062a \u0627\u0644\u0645\u0641\u0647\u0648\u0645 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0647 \u0627\u0633\u062a\u062f\u0639\u0627\u0621\u0627\u062a \u0639\u0648\u062f\u064a\u0629 \u063a\u064a\u0631 \u0636\u0627\u0631\u0629 \u0623\u0643\u062f\u062a \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0643\u0648\u062f \u062f\u0627\u062e\u0644 \u0627\u0644\u0634\u0628\u0643\u0627\u062a \u0627\u0644\u0645\u0624\u0633\u0633\u064a\u0629. \u062d\u0635\u0644 Birsan \u0639\u0644\u0649 \u0623\u0643\u062b\u0631 \u0645\u0646 130,000 \u062f\u0648\u0644\u0627\u0631 \u0641\u064a \u0645\u0643\u0627\u0641\u0622\u062a \u0627\u0644\u0623\u062e\u0637\u0627\u0621 \u0639\u0628\u0631 \u0639\u062f\u0629 \u0645\u0624\u0633\u0633\u0627\u062a.<\/p>\n \u064a\u062a\u0628\u0639 \u0647\u062c\u0648\u0645 dependency confusion \u062a\u0633\u0644\u0633\u0644\u0627\u064b \u0645\u0628\u0627\u0634\u0631\u064b\u0627:<\/p>\n \u0644\u0627 \u064a\u0642\u062a\u0635\u0631 dependency confusion \u0639\u0644\u0649 \u0644\u063a\u0629 \u0623\u0648 \u0646\u0638\u0627\u0645 \u0628\u064a\u0626\u064a \u0648\u0627\u062d\u062f. \u0641\u0627\u0644\u0623\u0646\u0638\u0645\u0629 \u0627\u0644\u062a\u0627\u0644\u064a\u0629 \u062c\u0645\u064a\u0639\u0647\u0627 \u0639\u0631\u0636\u0629 \u0644\u0644\u062e\u0637\u0631:<\/p>\n \u0627\u0644\u0633\u0628\u0628 \u0641\u064a \u062e\u0637\u0648\u0631\u0629 dependency confusion \u0647\u0648 \u0623\u0646 \u0645\u062f\u064a\u0631\u0627\u062a \u0627\u0644\u062d\u0632\u0645 \u062a\u062f\u0639\u0645 \u0627\u0644\u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u062a\u0644\u0642\u0627\u0626\u064a \u0644\u0644\u0643\u0648\u062f \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u062a\u062b\u0628\u064a\u062a<\/strong>. \u0641\u064a npm\u060c \u064a\u062d\u062f\u062b \u0647\u0630\u0627 \u0645\u0646 \u062e\u0644\u0627\u0644 \u0646\u0635\u0648\u0635 \u0628\u064a\u0646\u0645\u0627 \u064a\u0633\u062a\u0647\u062f\u0641 dependency confusion \u0633\u062c\u0644\u0627\u062a \u0627\u0644\u062d\u0632\u0645 \u062a\u062d\u062f\u064a\u062f\u064b\u0627\u060c \u0641\u0625\u0646 artifact poisoning<\/strong> \u0647\u0648 \u0641\u0626\u0629 \u0623\u0648\u0633\u0639 \u0645\u0646 \u0647\u062c\u0645\u0627\u062a \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u064a\u0645\u0643\u0646 \u0623\u0646 \u062a\u0633\u062a\u0647\u062f\u0641 \u0623\u064a \u0645\u0643\u0648\u0646 \u062e\u0627\u0631\u062c\u064a \u064a\u064f\u0633\u062a\u0647\u0644\u0643 \u0623\u062b\u0646\u0627\u0621 \u062f\u0648\u0631\u0629 \u062d\u064a\u0627\u0629 \u062a\u0637\u0648\u064a\u0631 \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a. \u064a\u0645\u062a\u062f \u0633\u0637\u062d \u0627\u0644\u0647\u062c\u0648\u0645 \u0625\u0644\u0649 \u0645\u0627 \u0647\u0648 \u0623\u0628\u0639\u062f \u0628\u0643\u062b\u064a\u0631 \u0645\u0646 \u0645\u062f\u064a\u0631\u0627\u062a \u0627\u0644\u062d\u0632\u0645.<\/p>\n \u062a\u064f\u0639\u062f \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0627\u0644\u0645\u0633\u062d\u0648\u0628\u0629 \u0645\u0646 Docker Hub \u0623\u0648 \u0633\u062c\u0644\u0627\u062a \u0639\u0627\u0645\u0629 \u0623\u062e\u0631\u0649 \u0646\u0627\u0642\u0644 \u0647\u062c\u0648\u0645 \u0634\u0627\u0626\u0639\u064b\u0627. \u064a\u0645\u0643\u0646 \u0644\u0644\u0645\u0647\u0627\u062c\u0645 \u0646\u0634\u0631 \u0635\u0648\u0631\u0629 \u062e\u0628\u064a\u062b\u0629 \u0628\u0627\u0633\u0645 \u0645\u0634\u0627\u0628\u0647 \u0644\u0635\u0648\u0631\u0629 \u0623\u0633\u0627\u0633\u064a\u0629 \u0634\u0627\u0626\u0639\u0629\u060c \u0623\u0648 \u0627\u062e\u062a\u0631\u0627\u0642 \u0635\u0648\u0631\u0629 \u0645\u0648\u062c\u0648\u062f\u0629 \u0628\u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 \u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u062d\u0633\u0627\u0628 \u0627\u0644\u0645\u0634\u0631\u0641. \u0625\u0630\u0627 \u062d\u062f\u062f \u0645\u0644\u0641 Dockerfile \u0627\u0644\u062e\u0627\u0635 \u0628\u0643 \u062a\u0645\u062b\u0644 \u0642\u0648\u0627\u0644\u0628 GitHub Actions \u0648GitLab CI \u0627\u0644\u0645\u064f\u0634\u0627\u0631 \u0625\u0644\u064a\u0647\u0627 \u0645\u0646 \u0645\u0633\u062a\u0648\u062f\u0639\u0627\u062a \u0639\u0627\u0645\u0629 \u0633\u0637\u062d \u0647\u062c\u0648\u0645 \u0643\u0628\u064a\u0631\u064b\u0627 \u0622\u062e\u0631. \u0639\u0646\u062f\u0645\u0627 \u064a\u0634\u064a\u0631 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0625\u0644\u0649 \u062a\u0633\u062a\u063a\u0644 \u0647\u062c\u0645\u0627\u062a typosquatting \u0627\u0644\u0623\u062e\u0637\u0627\u0621 \u0627\u0644\u0625\u0645\u0644\u0627\u0626\u064a\u0629 \u0627\u0644\u0634\u0627\u0626\u0639\u0629 \u0648\u0627\u0644\u062a\u0634\u0627\u0628\u0647\u0627\u062a \u0627\u0644\u0628\u0635\u0631\u064a\u0629 \u0641\u064a \u0623\u0633\u0645\u0627\u0621 \u0627\u0644\u062d\u0632\u0645. \u0645\u0646 \u0627\u0644\u0623\u0645\u062b\u0644\u0629 \u062a\u0633\u062c\u064a\u0644 \u0639\u0646\u062f\u0645\u0627 \u064a\u062d\u0635\u0644 \u0645\u0647\u0627\u062c\u0645 \u0639\u0644\u0649 \u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u062d\u0633\u0627\u0628 \u0645\u0634\u0631\u0641 \u062d\u0632\u0645\u0629 \u0645\u0634\u0631\u0648\u0639 \u2014 \u0645\u0646 \u062e\u0644\u0627\u0644 \u062d\u0634\u0648 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0623\u0648 \u0627\u0644\u062a\u0635\u064a\u062f \u0627\u0644\u0627\u062d\u062a\u064a\u0627\u0644\u064a \u0623\u0648 \u0627\u0644\u0647\u0646\u062f\u0633\u0629 \u0627\u0644\u0627\u062c\u062a\u0645\u0627\u0639\u064a\u0629 \u2014 \u064a\u0645\u0643\u0646\u0647 \u0646\u0634\u0631 \u0625\u0635\u062f\u0627\u0631\u0627\u062a \u062a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u0623\u0628\u0648\u0627\u0628 \u062e\u0644\u0641\u064a\u0629 \u0645\u0646 \u062d\u0632\u0645 \u0645\u0633\u062a\u062e\u062f\u0645\u0629 \u0639\u0644\u0649 \u0646\u0637\u0627\u0642 \u0648\u0627\u0633\u0639. \u0648\u0644\u0623\u0646 \u0627\u0633\u0645 \u0627\u0644\u062d\u0632\u0645\u0629 \u0648\u0627\u0644\u0645\u0634\u0631\u0641 \u0645\u0634\u0631\u0648\u0639\u0627\u0646\u060c \u0641\u0625\u0646 \u0647\u0630\u0647 \u0627\u0644\u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0627\u0644\u0645\u062e\u062a\u0631\u0642\u0629 \u0635\u0639\u0628\u0629 \u0627\u0644\u0643\u0634\u0641 \u0644\u0644\u063a\u0627\u064a\u0629 \u0628\u0627\u0644\u0648\u0633\u0627\u0626\u0644 \u0627\u0644\u0622\u0644\u064a\u0629.<\/p>\n \u062a\u062f\u0639\u0645 \u0623\u0646\u0638\u0645\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0645\u062b\u0644 Gradle \u0648Maven \u0648webpack \u0625\u0636\u0627\u0641\u0627\u062a \u062a\u064f\u0646\u0641\u064e\u0651\u0630 \u0623\u062b\u0646\u0627\u0621 \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0628\u0646\u0627\u0621. \u064a\u0645\u0643\u0646 \u0644\u0644\u0625\u0636\u0627\u0641\u0627\u062a \u0627\u0644\u062e\u0628\u064a\u062b\u0629 \u0623\u0648 \u0627\u0644\u0645\u062e\u062a\u0631\u0642\u0629 \u0641\u064a \u0647\u0630\u0647 \u0627\u0644\u0623\u0646\u0638\u0645\u0629 \u062a\u0639\u062f\u064a\u0644 \u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621\u060c \u0623\u0648 \u062a\u0633\u0631\u064a\u0628 \u0627\u0644\u0623\u0633\u0631\u0627\u0631\u060c \u0623\u0648 \u062d\u0642\u0646 \u0623\u0628\u0648\u0627\u0628 \u062e\u0644\u0641\u064a\u0629 \u0641\u064a \u0627\u0644\u0645\u0643\u0648\u0646\u0627\u062a \u0627\u0644\u0645\u064f\u062c\u0645\u064e\u0651\u0639\u0629. \u0648\u0644\u0623\u0646 \u0625\u0636\u0627\u0641\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u063a\u0627\u0644\u0628\u064b\u0627 \u0645\u0627 \u062a\u062e\u0636\u0639 \u0644\u0641\u062d\u0635 \u0623\u0642\u0644 \u0645\u0646 \u062a\u0628\u0639\u064a\u0627\u062a \u0627\u0644\u062a\u0637\u0628\u064a\u0642\u060c \u0641\u0625\u0646\u0647\u0627 \u062a\u0645\u062b\u0644 \u0647\u062f\u0641\u064b\u0627 \u0639\u0627\u0644\u064a \u0627\u0644\u0642\u064a\u0645\u0629.<\/p>\n \u062a\u0648\u0636\u062d \u0639\u062f\u0629 \u062d\u0648\u0627\u062f\u062b \u0643\u0628\u0631\u0649 \u0627\u0644\u062a\u0623\u062b\u064a\u0631 \u0627\u0644\u0648\u0627\u0642\u0639\u064a \u0644\u0640 artifact poisoning:<\/p>\n \u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0639\u0631\u0636\u0629 \u0628\u0634\u0643\u0644 \u0641\u0631\u064a\u062f \u0644\u0647\u062c\u0645\u0627\u062a dependency confusion \u0648artifact poisoning \u0628\u0633\u0628\u0628 \u0637\u0631\u064a\u0642\u0629 \u062a\u0635\u0645\u064a\u0645\u0647\u0627 \u0644\u0644\u0639\u0645\u0644. \u0641\u0647\u0645 \u0644\u0645\u0627\u0630\u0627 \u062a\u064f\u0639\u062f \u062e\u0637\u0648\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0623\u0647\u062f\u0627\u0641\u064b\u0627 \u0631\u0626\u064a\u0633\u064a\u0629 \u0623\u0645\u0631 \u0636\u0631\u0648\u0631\u064a \u0644\u0628\u0646\u0627\u0621 \u062f\u0641\u0627\u0639\u0627\u062a \u0641\u0639\u0627\u0644\u0629.<\/p>\n \u0641\u064a \u0643\u0644 \u0645\u0631\u0629 \u064a\u0634\u063a\u0651\u0644 \u0641\u064a\u0647\u0627 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI \u0623\u0645\u0631 \u0639\u0627\u062f\u0629\u064b \u0645\u0627 \u062a\u064f\u0643\u0648\u064e\u0651\u0646 \u0628\u064a\u0626\u0627\u062a CI\/CD \u0628\u0623\u0633\u0631\u0627\u0631 \u0645\u0637\u0644\u0648\u0628\u0629 \u0644\u0644\u0646\u0634\u0631: \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0645\u0632\u0648\u0651\u062f \u0627\u0644\u0633\u062d\u0627\u0628\u0629\u060c \u0648\u0631\u0645\u0648\u0632 API\u060c \u0648\u0643\u0644\u0645\u0627\u062a \u0645\u0631\u0648\u0631 \u0642\u0648\u0627\u0639\u062f \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a\u060c \u0648\u0645\u0641\u0627\u062a\u064a\u062d \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u060c \u0648\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0633\u062c\u0644\u0627\u062a. \u064a\u0645\u0643\u0646 \u0644\u062a\u0628\u0639\u064a\u0629 \u062e\u0628\u064a\u062b\u0629 \u062a\u0639\u0645\u0644 \u0623\u062b\u0646\u0627\u0621 \u0645\u0631\u062d\u0644\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0647\u0630\u0647 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0639\u0628\u0631 \u0645\u062a\u063a\u064a\u0631\u0627\u062a \u0627\u0644\u0628\u064a\u0626\u0629 \u0623\u0648 \u0645\u062e\u0627\u0632\u0646 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0645\u064f\u0631\u0643\u064e\u0651\u0628\u0629. \u0648\u0647\u0630\u0627 \u064a\u062c\u0639\u0644 \u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0623\u0647\u062f\u0627\u0641\u064b\u0627 \u0623\u0643\u062b\u0631 \u0642\u064a\u0645\u0629 \u0628\u0643\u062b\u064a\u0631 \u0645\u0646 \u062d\u0648\u0627\u0633\u064a\u0628 \u0627\u0644\u0645\u0637\u0648\u0631\u064a\u0646 \u0627\u0644\u0645\u062d\u0645\u0648\u0644\u0629.<\/p>\n \u0641\u064a \u0645\u0639\u0638\u0645 \u0627\u0644\u0645\u0624\u0633\u0633\u0627\u062a\u060c \u062a\u064f\u062d\u062f\u064e\u0651\u062f \u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0641\u064a \u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0645\u0627\u0646\u064a\u0641\u0633\u062a ( \u0642\u062f \u064a\u064f\u0639\u0644\u0646 \u062a\u0637\u0628\u064a\u0642\u0643 \u0639\u0646 50 \u062a\u0628\u0639\u064a\u0629 \u0645\u0628\u0627\u0634\u0631\u0629\u060c \u0644\u0643\u0646 \u0644\u0647\u0630\u0647 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u062a\u0628\u0639\u064a\u0627\u062a\u0647\u0627 \u0627\u0644\u062e\u0627\u0635\u0629\u060c \u0645\u0645\u0627 \u064a\u064f\u0646\u0634\u0626 \u0634\u062c\u0631\u0629 \u0642\u062f \u062a\u062a\u0636\u0645\u0646 \u0622\u0644\u0627\u0641 \u0627\u0644\u062d\u0632\u0645 \u0627\u0644\u0639\u0627\u0628\u0631\u0629. \u0644\u064a\u0633 \u0644\u062f\u064a\u0643 \u062a\u062d\u0643\u0645 \u0645\u0628\u0627\u0634\u0631 \u0641\u064a\u0645\u0627 \u062a\u0639\u062a\u0645\u062f \u0639\u0644\u064a\u0647 \u062a\u0628\u0639\u064a\u0627\u062a\u0643. \u0639\u0646\u062f\u0645\u0627 \u062a\u064f\u062e\u062a\u0631\u0642 \u062a\u0628\u0639\u064a\u0629 \u0639\u0627\u0628\u0631\u0629 \u2014 \u0643\u0645\u0627 \u0641\u064a \u062d\u0627\u062f\u062b\u0629 \u064a\u062a\u0637\u0644\u0628 \u0645\u0646\u0639 dependency confusion \u062a\u0643\u0648\u064a\u0646 \u0645\u062f\u064a\u0631\u0627\u062a \u0627\u0644\u062d\u0632\u0645 \u0648\u0627\u0644\u0633\u062c\u0644\u0627\u062a \u0644\u062f\u064a\u0643 \u0644\u0644\u0642\u0636\u0627\u0621 \u0639\u0644\u0649 \u0627\u0644\u063a\u0645\u0648\u0636 \u0628\u064a\u0646 \u0627\u0644\u062d\u0632\u0645 \u0627\u0644\u0639\u0627\u0645\u0629 \u0648\u0627\u0644\u062e\u0627\u0635\u0629. \u0625\u0644\u064a\u0643 \u0623\u0643\u062b\u0631 \u0627\u0644\u062a\u062e\u0641\u064a\u0641\u0627\u062a \u0641\u0639\u0627\u0644\u064a\u0629.<\/p>\n \u0627\u0644\u062f\u0641\u0627\u0639 \u0627\u0644\u0623\u0643\u062b\u0631 \u0641\u0639\u0627\u0644\u064a\u0629 \u0647\u0648 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0623\u0633\u0645\u0627\u0621 \u062d\u0632\u0645 \u0630\u0627\u062a \u0646\u0637\u0627\u0642\u0627\u062a \u0644\u062c\u0645\u064a\u0639 \u0627\u0644\u062d\u0632\u0645 \u0627\u0644\u062f\u0627\u062e\u0644\u064a\u0629. \u0641\u064a npm\u060c \u064a\u0639\u0646\u064a \u0647\u0630\u0627 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u062d\u0632\u0645 \u0645\u062d\u062f\u062f\u0629 \u0627\u0644\u0646\u0637\u0627\u0642 \u0645\u062b\u0644 \u0644\u0627 \u062a\u0639\u062a\u0645\u062f \u0623\u0628\u062f\u064b\u0627 \u0639\u0644\u0649 \u0633\u0644\u0648\u0643 \u0627\u0644\u062a\u062d\u0644\u064a\u0644 \u0627\u0644\u0627\u0641\u062a\u0631\u0627\u0636\u064a. \u0643\u0648\u0650\u0651\u0646 \u0645\u062f\u064a\u0631 \u0627\u0644\u062d\u0632\u0645 \u0635\u0631\u0627\u062d\u0629\u064b \u0644\u062c\u0644\u0628 \u0627\u0644\u062d\u0632\u0645 \u0630\u0627\u062a \u0627\u0644\u0646\u0637\u0627\u0642 \u0645\u0646 \u0633\u062c\u0644\u0643 \u0627\u0644\u062e\u0627\u0635 \u0648\u0643\u0644 \u0634\u064a\u0621 \u0622\u062e\u0631 \u0645\u0646 \u0627\u0644\u0633\u062c\u0644 \u0627\u0644\u0639\u0627\u0645.<\/p>\n \u0645\u062b\u0627\u0644 \u0639\u0644\u0649 \u062a\u0643\u0648\u064a\u0646 \u0645\u062b\u0627\u0644 \u0639\u0644\u0649 \u0645\u062b\u0627\u0644 \u0639\u0644\u0649 \u0627\u0646\u0634\u0631 \u0648\u0643\u064a\u0644 \u0633\u062c\u0644 \u0645\u062b\u0644 JFrog Artifactory \u0623\u0648 Sonatype Nexus \u0623\u0648 GitHub Packages \u064a\u0642\u0639 \u0628\u064a\u0646 \u0623\u0646\u0638\u0645\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0648\u0627\u0644\u0633\u062c\u0644\u0627\u062a \u0627\u0644\u0639\u0627\u0645\u0629. \u0643\u0648\u0650\u0651\u0646 \u0627\u0644\u0648\u0643\u064a\u0644 \u0644\u0640:<\/p>\n \u0647\u0630\u0627 \u064a\u064f\u0646\u0634\u0626 \u0645\u0635\u062f\u0631\u064b\u0627 \u0648\u0627\u062d\u062f\u064b\u0627 \u0644\u0644\u062d\u0642\u064a\u0642\u0629 \u0644\u062c\u0645\u064a\u0639 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0648\u064a\u0632\u064a\u0644 \u0627\u0644\u063a\u0645\u0648\u0636 \u0628\u064a\u0646 \u0627\u0644\u0639\u0627\u0645 \u0648\u0627\u0644\u062e\u0627\u0635 \u062a\u0645\u0627\u0645\u064b\u0627.<\/p>\n \u0633\u062c\u0651\u0644 \u0623\u0633\u0645\u0627\u0621 \u062d\u0632\u0645\u0643 \u0627\u0644\u062f\u0627\u062e\u0644\u064a\u0629 \u0639\u0644\u0649 \u0627\u0644\u0633\u062c\u0644\u0627\u062a \u0627\u0644\u0639\u0627\u0645\u0629 \u0643\u062d\u0632\u0645 \u0645\u064f\u0639\u0644\u064e\u0651\u0642\u0629. \u064a\u062c\u0628 \u0623\u0644\u0627 \u062a\u062d\u062a\u0648\u064a \u0647\u0630\u0647 \u0627\u0644\u062d\u0632\u0645 \u0639\u0644\u0649 \u0643\u0648\u062f \u062d\u0642\u064a\u0642\u064a \u2014 \u0641\u0642\u0637 \u0645\u0644\u0641 README \u064a\u0634\u0631\u062d \u0623\u0646 \u0627\u0644\u0627\u0633\u0645 \u0645\u062d\u062c\u0648\u0632. \u0647\u0630\u0627 \u064a\u0645\u0646\u0639 \u0627\u0644\u0645\u0647\u0627\u062c\u0645\u064a\u0646 \u0645\u0646 \u0627\u0644\u0645\u0637\u0627\u0644\u0628\u0629 \u0628\u062a\u0644\u0643 \u0627\u0644\u0623\u0633\u0645\u0627\u0621. \u0631\u063a\u0645 \u0623\u0646 \u0647\u0630\u0627 \u0644\u064a\u0633 \u062f\u0641\u0627\u0639\u064b\u0627 \u0623\u0633\u0627\u0633\u064a\u064b\u0627\u060c \u0625\u0644\u0627 \u0623\u0646\u0647 \u064a\u0636\u064a\u0641 \u0637\u0628\u0642\u0629 \u062d\u0645\u0627\u064a\u0629 \u0625\u0636\u0627\u0641\u064a\u0629.<\/p>\n \u062a\u062b\u0628\u064a\u062a \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0628\u062a\u062c\u0632\u0626\u0629 \u062a\u0634\u0641\u064a\u0631\u064a\u0629 \u064a\u0636\u0645\u0646 \u0623\u0646 \u0627\u0644\u0645\u0643\u0648\u0646 \u0627\u0644\u0630\u064a \u0631\u0627\u062c\u0639\u062a\u0647 \u0628\u0627\u0644\u0636\u0628\u0637 \u0647\u0648 \u0645\u0627 \u064a\u064f\u062b\u0628\u064e\u0651\u062a \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u0628\u0646\u0627\u0621. \u062d\u062a\u0649 \u0644\u0648 \u0646\u0634\u0631 \u0645\u0647\u0627\u062c\u0645 \u0625\u0635\u062f\u0627\u0631\u064b\u0627 \u062e\u0628\u064a\u062b\u064b\u0627\u060c \u0644\u0646 \u062a\u062a\u0637\u0627\u0628\u0642 \u0627\u0644\u062a\u062c\u0632\u0626\u0629 \u0648\u0633\u064a\u0641\u0634\u0644 \u0627\u0644\u062a\u062b\u0628\u064a\u062a.<\/p>\n \u0644\u0640 pip (Python):<\/strong><\/p>\n \u0644\u0640 npm:<\/strong><\/p>\n \u064a\u0633\u062c\u0644 npm \u062a\u0644\u0642\u0627\u0626\u064a\u064b\u0627 \u062a\u062c\u0632\u0626\u0627\u062a \u0627\u0644\u0633\u0644\u0627\u0645\u0629 \u0641\u064a \u0644\u0623\u0646 artifact poisoning \u064a\u0634\u0645\u0644 \u0646\u0637\u0627\u0642\u064b\u0627 \u0623\u0648\u0633\u0639 \u0645\u0646 \u0646\u0648\u0627\u0642\u0644 \u0627\u0644\u0647\u062c\u0648\u0645\u060c \u064a\u062a\u0637\u0644\u0628 \u0627\u0644\u062f\u0641\u0627\u0639 \u0636\u0648\u0627\u0628\u0637 \u0645\u062a\u0639\u062f\u062f\u0629 \u0627\u0644\u0637\u0628\u0642\u0627\u062a \u0639\u0628\u0631 \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0648\u0642\u0648\u0627\u0644\u0628 CI \u0648\u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0648\u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621.<\/p>\n \u0644\u0627 \u062a\u0634\u0631 \u0623\u0628\u062f\u064b\u0627 \u0625\u0644\u0649 \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0628\u0648\u0633\u0648\u0645 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631 \u0645\u062b\u0644 \u0623\u0634\u0631 \u0625\u0644\u0649 GitHub Actions \u0628\u062a\u062c\u0632\u0626\u0629 \u0627\u0644\u0640 commit \u0627\u0644\u0643\u0627\u0645\u0644\u0629 \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0648\u0633\u0645 \u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u063a\u064a\u064a\u0631:<\/p>\n \u062d\u064a\u062b\u0645\u0627 \u062a\u0648\u0641\u0651\u0631\u060c \u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0627\u0644\u062a\u0634\u0641\u064a\u0631\u064a\u0629 \u0644\u062a\u0623\u0643\u064a\u062f \u0623\u0646 \u0627\u0644\u0645\u0643\u0648\u0646\u0627\u062a \u0646\u064f\u0634\u0631\u062a \u0645\u0646 \u0642\u0628\u0644 \u0645\u0634\u0631\u0641\u064a\u0647\u0627 \u0627\u0644\u0645\u062a\u0648\u0642\u0639\u064a\u0646:<\/p>\n \u064a\u064f\u062d\u0635\u064a SBOM (\u0642\u0627\u0626\u0645\u0629 \u0645\u0648\u0627\u062f \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a) \u0643\u0644 \u0645\u0643\u0648\u0646 \u0641\u064a \u062a\u0637\u0628\u064a\u0642\u0643. \u0645\u0646 \u062e\u0644\u0627\u0644 \u0625\u0646\u0634\u0627\u0621 SBOMs \u0644\u0643\u0644 \u0639\u0645\u0644\u064a\u0629 \u0628\u0646\u0627\u0621 \u0648\u0645\u0642\u0627\u0631\u0646\u062a\u0647\u0627\u060c \u064a\u0645\u0643\u0646\u0643 \u0627\u0643\u062a\u0634\u0627\u0641 \u0627\u0644\u0625\u0636\u0627\u0641\u0627\u062a \u0623\u0648 \u0627\u0644\u062a\u063a\u064a\u064a\u0631\u0627\u062a \u063a\u064a\u0631 \u0627\u0644\u0645\u062a\u0648\u0642\u0639\u0629 \u0641\u064a \u0634\u062c\u0631\u0629 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a. \u064a\u0645\u0643\u0646 \u0644\u0623\u062f\u0648\u0627\u062a \u0645\u062b\u0644 Syft \u0648Trivy \u0648CycloneDX \u0625\u0646\u0634\u0627\u0621 SBOMs \u0628\u062a\u0646\u0633\u064a\u0642\u0627\u062a \u0645\u0639\u064a\u0627\u0631\u064a\u0629 (SPDX\u060c CycloneDX).<\/p>\n \u0627\u0646\u0634\u0631 \u0623\u062f\u0648\u0627\u062a \u0622\u0644\u064a\u0629 \u062a\u0641\u062d\u0635 \u062a\u0628\u0639\u064a\u0627\u062a\u0643 \u0628\u0627\u0633\u062a\u0645\u0631\u0627\u0631 \u0628\u062d\u062b\u064b\u0627 \u0639\u0646 \u0627\u0644\u062b\u063a\u0631\u0627\u062a \u0627\u0644\u0645\u0639\u0631\u0648\u0641\u0629 \u0648\u0627\u0644\u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0627\u0644\u0645\u0634\u0628\u0648\u0647\u0629:<\/p>\n \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0645\u062d\u0643\u0645 \u0647\u0648 \u0628\u0646\u0627\u0621 \u0644\u0627 \u064a\u0645\u0643\u0646\u0647 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0627\u0644\u0634\u0628\u0643\u0629. \u064a\u062c\u0628 \u062c\u0644\u0628 \u062c\u0645\u064a\u0639 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0648\u062a\u062e\u0632\u064a\u0646\u0647\u0627 \u0645\u0624\u0642\u062a\u064b\u0627 \u0642\u0628\u0644 \u0628\u062f\u0621 \u0627\u0644\u0628\u0646\u0627\u0621. \u0647\u0630\u0627 \u064a\u0645\u0646\u0639 \u0627\u0644\u0628\u0646\u0627\u0621 \u0645\u0646 \u062c\u0644\u0628 \u062d\u0632\u0645\u0629 \u062e\u0628\u064a\u062b\u0629 \u0645\u0646\u0634\u0648\u0631\u0629 \u062d\u062f\u064a\u062b\u064b\u0627. \u064a\u062f\u0639\u0645 Bazel \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0645\u062d\u0643\u0645 \u0623\u0635\u0644\u0627\u064b\u060c \u0648\u064a\u0645\u0643\u0646 \u062a\u062d\u0642\u064a\u0642 \u0639\u0632\u0644 \u0645\u0645\u0627\u062b\u0644 \u0628\u0639\u0644\u0645 \u062d\u0627\u0641\u0638 \u0639\u0644\u0649 \u0642\u0627\u0626\u0645\u0629 \u0645\u0639\u062a\u0645\u062f\u0629 \u0645\u0646 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0648\u0625\u0635\u062f\u0627\u0631\u0627\u062a\u0647\u0627. \u0623\u064a \u062a\u0628\u0639\u064a\u0629 \u062c\u062f\u064a\u062f\u0629 \u0623\u0648 \u062a\u063a\u064a\u064a\u0631 \u0641\u064a \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u064a\u062a\u0637\u0644\u0628 \u0645\u0648\u0627\u0641\u0642\u0629 \u0635\u0631\u064a\u062d\u0629 \u0645\u0646 \u062e\u0644\u0627\u0644 \u0639\u0645\u0644\u064a\u0629 \u0645\u0631\u0627\u062c\u0639\u0629. \u0631\u063a\u0645 \u0623\u0646 \u0647\u0630\u0627 \u064a\u0636\u064a\u0641 \u0627\u062d\u062a\u0643\u0627\u0643\u064b\u0627\u060c \u0625\u0644\u0627 \u0623\u0646\u0647 \u064a\u0645\u0646\u0639 \u0627\u0644\u062d\u0632\u0645 \u063a\u064a\u0631 \u0627\u0644\u0645\u0635\u0631\u062d \u0628\u0647\u0627 \u0645\u0646 \u0627\u0644\u062f\u062e\u0648\u0644 \u0625\u0644\u0649 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 \u0627\u0644\u0628\u0646\u0627\u0621.<\/p>\n \u062d\u062a\u0649 \u0645\u0639 \u0636\u0648\u0627\u0628\u0637 \u0648\u0642\u0627\u0626\u064a\u0629 \u0642\u0648\u064a\u0629\u060c \u062a\u064f\u0639\u062f \u0642\u062f\u0631\u0627\u062a \u0627\u0644\u0643\u0634\u0641 \u0636\u0631\u0648\u0631\u064a\u0629 \u0644\u0627\u0644\u062a\u0642\u0627\u0637 \u0627\u0644\u0647\u062c\u0645\u0627\u062a \u0627\u0644\u062a\u064a \u062a\u062a\u062c\u0627\u0648\u0632 \u062f\u0641\u0627\u0639\u0627\u062a\u0643.<\/p>\n \u0637\u0628\u0651\u0642 \u0641\u062d\u0648\u0635\u0627\u062a CI \u062a\u064f\u0646\u0628\u0651\u0647 \u0639\u0644\u0649 \u0637\u0644\u0628\u0627\u062a \u0627\u0644\u0633\u062d\u0628 \u0627\u0644\u062a\u064a \u062a\u064f\u062f\u062e\u0644 \u062a\u0628\u0639\u064a\u0627\u062a \u062c\u062f\u064a\u062f\u0629. \u0627\u0637\u0644\u0628 \u0645\u0628\u0631\u0631\u064b\u0627 \u0648\u0645\u0631\u0627\u062c\u0639\u0629 \u0635\u0631\u064a\u062d\u064a\u0646 \u0644\u0623\u064a \u0625\u0636\u0627\u0641\u0629 \u0625\u0644\u0649 \u0645\u0627\u0646\u064a\u0641\u0633\u062a \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a. \u0647\u0630\u0627 \u0645\u0647\u0645 \u0628\u0634\u0643\u0644 \u062e\u0627\u0635 \u0644\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0627\u0644\u0639\u0627\u0628\u0631\u0629 \u2014 \u0641\u062a\u0628\u0639\u064a\u0629 \u0645\u0628\u0627\u0634\u0631\u0629 \u062c\u062f\u064a\u062f\u0629 \u0642\u062f \u062a\u062c\u0644\u0628 \u0639\u0634\u0631\u0627\u062a \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0627\u0644\u0639\u0627\u0628\u0631\u0629.<\/p>\n \u062a\u0628\u0639\u064a\u0629 \u062a\u0642\u0641\u0632 \u0645\u0646 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0637\u0628\u0651\u0642 \u0623\u062f\u0648\u0627\u062a \u062a\u062d\u062f\u062f \u062a\u062d\u062f\u064a\u062f\u064b\u0627 \u0627\u0644\u062d\u0632\u0645 \u0627\u0644\u062a\u064a \u062a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u0646\u0635\u0648\u0635 \u062a\u062b\u0628\u064a\u062a. \u0631\u063a\u0645 \u0623\u0646 \u0646\u0635\u0648\u0635 \u0627\u0644\u062a\u062b\u0628\u064a\u062a \u0644\u0647\u0627 \u0627\u0633\u062a\u062e\u062f\u0627\u0645\u0627\u062a \u0645\u0634\u0631\u0648\u0639\u0629\u060c \u0625\u0644\u0627 \u0623\u0646\u0647\u0627 \u0646\u0627\u0642\u0644 \u0627\u0644\u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0631\u0626\u064a\u0633\u064a \u0644\u0647\u062c\u0645\u0627\u062a dependency confusion. \u0636\u0639 \u0639\u0644\u0627\u0645\u0629 \u0648\u0631\u0627\u062c\u0639 \u0623\u064a \u062d\u0632\u0645\u0629 \u062a\u062a\u0636\u0645\u0646 \u0646\u0635\u0648\u0635 \u0642\u0627\u0631\u0646 \u0628\u0627\u0646\u062a\u0638\u0627\u0645 SBOMs \u0645\u0646 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0645\u062a\u062a\u0627\u0644\u064a\u0629. \u0627\u0644\u062a\u063a\u064a\u064a\u0631\u0627\u062a \u063a\u064a\u0631 \u0627\u0644\u0645\u062a\u0648\u0642\u0639\u0629 \u2014 \u062d\u0632\u0645 \u062c\u062f\u064a\u062f\u0629 \u062a\u0638\u0647\u0631\u060c \u0625\u0635\u062f\u0627\u0631\u0627\u062a \u062a\u062a\u063a\u064a\u0631 \u062f\u0648\u0646 \u062a\u062d\u062f\u064a\u062b\u0627\u062a \u0645\u0627\u0646\u064a\u0641\u0633\u062a \u0645\u0642\u0627\u0628\u0644\u0629\u060c \u0623\u0648 \u062d\u0632\u0645 \u0645\u0646 \u0633\u062c\u0644\u0627\u062a \u063a\u064a\u0631 \u0645\u062a\u0648\u0642\u0639\u0629 \u2014 \u064a\u062c\u0628 \u0623\u0646 \u062a\u064f\u0637\u0644\u0642 \u062a\u0646\u0628\u064a\u0647\u0627\u062a \u0648\u062a\u062d\u0642\u064a\u0642\u0627\u062a.<\/p>\n \u0628\u0627\u0644\u0625\u0636\u0627\u0641\u0629 \u0625\u0644\u0649 \u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a\u060c \u064a\u062d\u062a\u0627\u062c \u062a\u0643\u0648\u064a\u0646 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0646\u0641\u0633\u0647 \u0625\u0644\u0649 \u062a\u0642\u0648\u064a\u0629 \u0644\u0645\u0642\u0627\u0648\u0645\u0629 \u0647\u062c\u0645\u0627\u062a \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f.<\/p>\n \u062a\u0633\u062c\u0651\u0644 \u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0642\u0641\u0644 ( \u0645\u062b\u0627\u0644 GitHub Actions \u2014 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0633\u0644\u0627\u0645\u0629 \u0645\u0644\u0641 \u0627\u0644\u0642\u0641\u0644:<\/strong><\/p>\n \u0645\u062b\u0627\u0644 GitLab CI \u2014 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0645\u0644\u0641 \u0627\u0644\u0642\u0641\u0644 \u0645\u0639 pip:<\/strong><\/p>\n \u0627\u0633\u062a\u062e\u062f\u0645 \u0639\u0645\u0644\u064a\u0629 \u0628\u0646\u0627\u0621 \u0645\u0646 \u0645\u0631\u062d\u0644\u062a\u064a\u0646: \u0623\u0648\u0644\u0627\u064b \u062d\u0644\u0651\u0644 \u0648\u0646\u0632\u0651\u0644 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0641\u064a \u0628\u064a\u0626\u0629 \u0645\u0639\u0632\u0648\u0644\u0629\u060c \u062b\u0645 \u0634\u063a\u0651\u0644 \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0641\u0639\u0644\u064a \u0645\u0639 \u062a\u0639\u0637\u064a\u0644 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0627\u0644\u0634\u0628\u0643\u0629. \u0647\u0630\u0627 \u064a\u0645\u0646\u0639 \u062a\u0628\u0639\u064a\u0629 \u0645\u062e\u062a\u0631\u0642\u0629 \u0645\u0646 \u062a\u0633\u0631\u064a\u0628 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0623\u0648 \u062a\u0646\u0632\u064a\u0644 \u062d\u0645\u0648\u0644\u0627\u062a \u0625\u0636\u0627\u0641\u064a\u0629 \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u0628\u0646\u0627\u0621.<\/p>\n \u0644\u0644\u0628\u0646\u0627\u0621\u0627\u062a \u0639\u0627\u0644\u064a\u0629 \u0627\u0644\u0623\u0645\u0627\u0646\u060c \u0627\u0633\u062a\u062e\u062f\u0645 \u0628\u064a\u0626\u0627\u062a \u0645\u0642\u064a\u0651\u062f\u0629 \u0627\u0644\u0634\u0628\u0643\u0629 \u0644\u0627 \u064a\u0645\u0643\u0646\u0647\u0627 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0627 \u0625\u0644\u0649 \u0648\u0643\u064a\u0644 \u0627\u0644\u0633\u062c\u0644 \u0627\u0644\u062f\u0627\u062e\u0644\u064a. \u0647\u0630\u0627 \u064a\u0644\u063a\u064a \u0625\u0645\u0643\u0627\u0646\u064a\u0629 \u062c\u0644\u0628 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0645\u0628\u0627\u0634\u0631\u0629 \u0645\u0646 \u0627\u0644\u0633\u062c\u0644\u0627\u062a \u0627\u0644\u0639\u0627\u0645\u0629 \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u0628\u0646\u0627\u0621.<\/p>\n \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u062c\u0644\u0628 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0645\u0646 \u0627\u0644\u0633\u062c\u0644\u0627\u062a \u0627\u0644\u0639\u0627\u0645\u0629 \u0641\u064a \u0643\u0644 \u0639\u0645\u0644\u064a\u0629 \u0628\u0646\u0627\u0621\u060c \u062e\u0632\u0651\u0646 \u0627\u0644\u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0627\u0644\u0645\u0639\u062a\u0645\u062f\u0629 \u0641\u064a \u062a\u062e\u0632\u064a\u0646 \u062f\u0627\u062e\u0644\u064a (Artifactory \u0623\u0648 Nexus \u0623\u0648 \u062f\u0644\u0627\u0621 \u0627\u0644\u062a\u062e\u0632\u064a\u0646 \u0627\u0644\u0633\u062d\u0627\u0628\u064a). \u064a\u062c\u0628 \u0623\u0646 \u064a\u0633\u062d\u0628 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI \u062d\u0635\u0631\u064a\u064b\u0627 \u0645\u0646 \u0647\u0630\u0647 \u0627\u0644\u0630\u0627\u0643\u0631\u0629 \u0627\u0644\u0645\u0624\u0642\u062a\u0629 \u0627\u0644\u0645\u0648\u062b\u0648\u0642\u0629. \u062d\u062f\u0651\u062b \u0627\u0644\u0630\u0627\u0643\u0631\u0629 \u0627\u0644\u0645\u0624\u0642\u062a\u0629 \u0645\u0646 \u062e\u0644\u0627\u0644 \u0639\u0645\u0644\u064a\u0629 \u062e\u0627\u0636\u0639\u0629 \u0644\u0644\u0631\u0642\u0627\u0628\u0629 \u0648\u0627\u0644\u062a\u062f\u0642\u064a\u0642.<\/p>\n \u064a\u0633\u062a\u063a\u0644 dependency confusion \u0648artifact poisoning \u0627\u0641\u062a\u0631\u0627\u0636\u0627\u062a \u062b\u0642\u0629 \u0631\u0627\u0633\u062e\u0629 \u0641\u064a \u0633\u0644\u0633\u0644\u0629 \u062a\u0648\u0631\u064a\u062f \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a. \u0643\u0644 \u0623\u0645\u0631 \u0627\u0644\u062f\u0641\u0627\u0639 \u0627\u0644\u0641\u0639\u0627\u0644 \u0644\u064a\u0633 \u0623\u062f\u0627\u0629 \u0648\u0627\u062d\u062f\u0629 \u0623\u0648 \u062a\u063a\u064a\u064a\u0631 \u062a\u0643\u0648\u064a\u0646 \u0648\u0627\u062d\u062f. \u0628\u0644 \u064a\u062a\u0637\u0644\u0628 \u0636\u0648\u0627\u0628\u0637 \u0641\u064a \u0643\u0644 \u0637\u0628\u0642\u0629 \u0645\u0646 \u062f\u0648\u0631\u0629 \u062d\u064a\u0627\u0629 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a:<\/p>\n \u0627\u0644\u0645\u0624\u0633\u0633\u0627\u062a \u0627\u0644\u0623\u0643\u062b\u0631 \u0645\u0631\u0648\u0646\u0629 \u062a\u062c\u0627\u0647 \u0647\u062c\u0645\u0627\u062a \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u0647\u064a \u062a\u0644\u0643 \u0627\u0644\u062a\u064a \u062a\u0639\u0627\u0645\u0644 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0628\u0646\u0641\u0633 \u0627\u0644\u0635\u0631\u0627\u0645\u0629 \u0627\u0644\u062a\u064a \u062a\u0637\u0628\u0642\u0647\u0627 \u0639\u0644\u0649 \u0643\u0648\u062f\u0647\u0627 \u0627\u0644\u062e\u0627\u0635: \u0645\u064f\u0631\u0627\u062c\u064e\u0639\u0629\u060c \u0648\u0645\u064f\u062a\u062d\u0642\u064e\u0651\u0642 \u0645\u0646\u0647\u0627\u060c \u0648\u0645\u064f\u0631\u0627\u0642\u064e\u0628\u0629\u060c \u0648\u0644\u0627 \u062a\u064f\u0645\u0646\u062d \u0627\u0644\u062b\u0642\u0629 \u0636\u0645\u0646\u064a\u064b\u0627 \u0623\u0628\u062f\u064b\u0627. \u0627\u0628\u062f\u0623 \u0628\u062a\u0637\u0628\u064a\u0642 \u0627\u0644\u0636\u0648\u0627\u0628\u0637 \u0627\u0644\u0623\u0639\u0644\u0649 \u062a\u0623\u062b\u064a\u0631\u064b\u0627 \u2014 \u0627\u0644\u062d\u0632\u0645 \u0630\u0627\u062a \u0627\u0644\u0646\u0637\u0627\u0642\u0627\u062a\u060c \u062a\u0643\u0648\u064a\u0646 \u0627\u0644\u0633\u062c\u0644\u060c \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0645\u0644\u0641 \u0627\u0644\u0642\u0641\u0644 \u0641\u064a CI \u2014 \u062b\u0645 \u0623\u0636\u0641 \u0637\u0628\u0642\u0627\u062a \u062a\u062f\u0631\u064a\u062c\u064a\u064b\u0627 \u0645\u0639 \u0646\u0636\u0648\u062c \u0628\u0631\u0646\u0627\u0645\u062c \u0623\u0645\u0627\u0646 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u0644\u062f\u064a\u0643.<\/p>\n","protected":false},"excerpt":{"rendered":" \u0645\u0642\u062f\u0645\u0629 \u0634\u0647\u062f\u062a \u0647\u062c\u0645\u0627\u062a \u0633\u0644\u0633\u0644\u0629 \u062a\u0648\u0631\u064a\u062f \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a \u0627\u0631\u062a\u0641\u0627\u0639\u064b\u0627 \u0645\u0644\u062d\u0648\u0638\u064b\u0627 \u0641\u064a \u0627\u0644\u062a\u0643\u0631\u0627\u0631 \u0648\u0627\u0644\u062a\u0639\u0642\u064a\u062f \u062e\u0644\u0627\u0644 \u0627\u0644\u0633\u0646\u0648\u0627\u062a \u0627\u0644\u0623\u062e\u064a\u0631\u0629. \u0641\u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0645\u0647\u0627\u062c\u0645\u0629 \u0627\u0644\u062a\u0637\u0628\u064a\u0642\u0627\u062a \u0645\u0628\u0627\u0634\u0631\u0629\u060c \u064a\u0633\u062a\u0647\u062f\u0641 \u0627\u0644\u0645\u0647\u0627\u062c\u0645\u0648\u0646 \u0628\u0634\u0643\u0644 \u0645\u062a\u0632\u0627\u064a\u062f \u0637\u0628\u0642\u0627\u062a \u062a\u062d\u0644\u064a\u0644 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0648\u062a\u0648\u0632\u064a\u0639 \u0627\u0644\u0645\u0643\u0648\u0646\u0627\u062a \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0629 \u0627\u0644\u062a\u064a \u062a\u0634\u0643\u0651\u0644 \u0623\u0633\u0627\u0633 \u062a\u0637\u0648\u064a\u0631 \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a \u0627\u0644\u062d\u062f\u064a\u062b\u0629. \u0648\u0645\u0646 \u0623\u0643\u062b\u0631 \u0627\u0644\u062a\u0642\u0646\u064a\u0627\u062a \u0641\u0639\u0627\u0644\u064a\u0629 \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u0633\u064a\u0627\u0642: dependency confusion \u0648artifact poisoning. \u062a\u0633\u062a\u063a\u0644 \u0647\u0630\u0647 \u0627\u0644\u0647\u062c\u0645\u0627\u062a \u062d\u0642\u064a\u0642\u0629 \u062c\u0648\u0647\u0631\u064a\u0629: \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a \u0627\u0644\u062d\u062f\u064a\u062b\u0629 \u062a\u064f\u062c\u0645\u064e\u0651\u0639 \u0648\u0644\u0627 … \u0627\u0642\u0631\u0623 \u0627\u0644\u0645\u0632\u064a\u062f<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,31],"tags":[],"post_folder":[],"class_list":["post-792","post","type-post","status-publish","format-standard","hentry","category-ci-cd-security","category-threats-attacks"],"_links":{"self":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/792","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/comments?post=792"}],"version-history":[{"count":1,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/792\/revisions"}],"predecessor-version":[{"id":796,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/792\/revisions\/796"}],"wp:attachment":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/media?parent=792"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/categories?post=792"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/tags?post=792"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/post_folder?post=792"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\u0634\u0631\u062d Dependency Confusion<\/h2>\n
\u0643\u064a\u0641 \u062a\u062d\u0644\u0651\u0644 \u0645\u062f\u064a\u0631\u0627\u062a \u0627\u0644\u062d\u0632\u0645 \u0627\u0644\u0623\u0633\u0645\u0627\u0621<\/h3>\n
\u0627\u0644\u0628\u062d\u062b \u0627\u0644\u0623\u0635\u0644\u064a: Alex Birsan (2021)<\/h3>\n
\u0622\u0644\u064a\u0627\u062a \u0627\u0644\u0647\u062c\u0648\u0645<\/h3>\n
\n
package.json<\/code> \u0627\u0644\u0645\u0633\u0631\u0651\u0628\u0629\u060c \u0648\u062e\u0631\u0627\u0626\u0637 \u0645\u0635\u062f\u0631 JavaScript\u060c \u0648\u0631\u0633\u0627\u0626\u0644 \u0627\u0644\u062e\u0637\u0623\u060c \u0648\u0625\u0639\u0644\u0627\u0646\u0627\u062a \u0627\u0644\u0648\u0638\u0627\u0626\u0641\u060c \u0623\u0648 \u0645\u0633\u062a\u0648\u062f\u0639\u0627\u062a \u0627\u0644\u0645\u0635\u062f\u0631 \u0627\u0644\u0645\u0641\u062a\u0648\u062d \u0627\u0644\u062a\u064a \u062a\u0634\u064a\u0631 \u0625\u0644\u0649 \u062a\u0628\u0639\u064a\u0627\u062a \u062f\u0627\u062e\u0644\u064a\u0629.<\/li>\n99.0.0<\/code>).<\/li>\nnpm install<\/code> \u0623\u0648 pip install<\/code> \u0623\u0648 \u0645\u0627 \u064a\u0639\u0627\u062f\u0644\u0647\u060c \u064a\u062d\u0644\u0651\u0644 \u0645\u062f\u064a\u0631 \u0627\u0644\u062d\u0632\u0645 \u0627\u0644\u062a\u0628\u0639\u064a\u0629 \u0625\u0644\u0649 \u062d\u0632\u0645\u0629 \u0627\u0644\u0645\u0647\u0627\u062c\u0645 \u0627\u0644\u0639\u0627\u0645\u0629 \u0628\u0633\u0628\u0628 \u0631\u0642\u0645 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u0623\u0639\u0644\u0649.<\/li>\n\u0627\u0644\u0623\u0646\u0638\u0645\u0629 \u0627\u0644\u0628\u064a\u0626\u064a\u0629 \u0627\u0644\u0645\u062a\u0623\u062b\u0631\u0629<\/h3>\n
\n
--extra-index-url<\/code> \u0641\u064a pip \u064a\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0641\u0647\u0631\u0633\u064a\u0646 \u0627\u0644\u062e\u0627\u0635 \u0648\u0627\u0644\u0639\u0627\u0645\u060c \u0648\u064a\u0641\u0636\u0651\u0644 \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u0623\u0639\u0644\u0649.<\/li>\n\u0646\u0635\u0648\u0635 \u0627\u0644\u062a\u062b\u0628\u064a\u062a \u0643\u0646\u0627\u0642\u0644 \u0644\u0644\u062d\u0645\u0648\u0644\u0629<\/h3>\n
preinstall<\/code> \u0648install<\/code> \u0648postinstall<\/code> \u0627\u0644\u0645\u062d\u062f\u062f\u0629 \u0641\u064a package.json<\/code>. \u0641\u064a Python\u060c \u064a\u0645\u0643\u0646 \u0644\u0640 setup.py<\/code> \u062a\u0646\u0641\u064a\u0630 \u0643\u0648\u062f \u0639\u0634\u0648\u0627\u0626\u064a \u0623\u062b\u0646\u0627\u0621 pip install<\/code>. \u0635\u064f\u0645\u0645\u062a \u0647\u0630\u0647 \u0627\u0644\u062e\u0637\u0627\u0641\u0627\u062a \u0644\u0645\u0647\u0627\u0645 \u0628\u0646\u0627\u0621 \u0645\u0634\u0631\u0648\u0639\u0629 \u0644\u0643\u0646\u0647\u0627 \u062a\u0648\u0641\u0631 \u0644\u0644\u0645\u0647\u0627\u062c\u0645\u064a\u0646 \u0646\u0627\u0642\u0644 \u062a\u0646\u0641\u064a\u0630 \u0645\u062b\u0627\u0644\u064a \u2014 \u064a\u0646\u0641\u064e\u0651\u0630 \u0627\u0644\u0643\u0648\u062f \u0642\u0628\u0644 \u062d\u062a\u0649 \u0628\u0646\u0627\u0621 \u0627\u0644\u062a\u0637\u0628\u064a\u0642\u060c \u0648\u063a\u0627\u0644\u0628\u064b\u0627 \u0628\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0645\u0631\u062a\u0641\u0639\u0629.<\/p>\nArtifact Poisoning: \u0645\u0627 \u0648\u0631\u0627\u0621 \u0627\u0644\u062d\u0632\u0645<\/h2>\n
\u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u0627\u0644\u0645\u062e\u062a\u0631\u0642\u0629<\/h3>\n
FROM python:3.11<\/code> \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0648\u0633\u0645 \u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u063a\u064a\u064a\u0631\u060c \u0641\u0625\u0646 \u0635\u0648\u0631\u0629 \u0645\u062e\u062a\u0631\u0642\u0629 \u062a\u064f\u0631\u0641\u0639 \u0628\u0647\u0630\u0627 \u0627\u0644\u0648\u0633\u0645 \u0633\u062a\u064f\u0633\u062d\u0628 \u0641\u064a \u0643\u0644 \u0639\u0645\u0644\u064a\u0629 \u0628\u0646\u0627\u0621 \u0644\u0627\u062d\u0642\u0629.<\/p>\n\u0642\u0648\u0627\u0644\u0628 CI\/CD \u0627\u0644\u0645\u0639\u062f\u0651\u0644\u0629<\/h3>\n
uses: some-org\/some-action@main<\/code>\u060c \u0641\u0625\u0646 \u0627\u0644\u0643\u0648\u062f \u0627\u0644\u0645\u0646\u0641\u064e\u0651\u0630 \u0641\u064a \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628\u0643 \u064a\u062a\u062d\u0643\u0645 \u0641\u064a\u0647 \u0643\u0644 \u0645\u0646 \u0644\u062f\u064a\u0647 \u0635\u0644\u0627\u062d\u064a\u0629 \u0627\u0644\u062f\u0641\u0639 \u0625\u0644\u0649 \u0630\u0644\u0643 \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639. \u0625\u0630\u0627 \u0627\u062e\u062a\u064f\u0631\u0642 \u0645\u0633\u062a\u0648\u062f\u0639 \u0627\u0644\u0625\u062c\u0631\u0627\u0621\u060c \u064a\u064f\u062e\u062a\u0631\u0642 \u0643\u0644 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 \u064a\u0634\u064a\u0631 \u0625\u0644\u064a\u0647 \u0623\u064a\u0636\u064b\u0627.<\/p>\nTyposquatting<\/h3>\n
co1ors<\/code> (\u0628\u0627\u0644\u0631\u0642\u0645 \u0648\u0627\u062d\u062f) \u0628\u062f\u0644\u0627\u064b \u0645\u0646 colors<\/code>\u060c \u0648lodahs<\/code> \u0628\u062f\u0644\u0627\u064b \u0645\u0646 lodash<\/code>\u060c \u0623\u0648 reqeusts<\/code> \u0628\u062f\u0644\u0627\u064b \u0645\u0646 requests<\/code>. \u062a\u062d\u062a\u0648\u064a \u0647\u0630\u0647 \u0627\u0644\u062d\u0632\u0645 \u0639\u0644\u0649 \u0643\u0648\u062f \u062e\u0628\u064a\u062b \u0648\u062a\u0639\u062a\u0645\u062f \u0639\u0644\u0649 \u0648\u0642\u0648\u0639 \u0627\u0644\u0645\u0637\u0648\u0631\u064a\u0646 \u0641\u064a \u0623\u062e\u0637\u0627\u0621 \u0645\u0637\u0628\u0639\u064a\u0629 \u0639\u0646\u062f \u0625\u0636\u0627\u0641\u0629 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a. \u0627\u0643\u062a\u0634\u0641\u062a \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0627\u0644\u0622\u0644\u064a\u0629 \u0622\u0644\u0627\u0641 \u062d\u0632\u0645 typosquatting \u0639\u0628\u0631 npm \u0648PyPI.<\/p>\n\u062d\u0633\u0627\u0628\u0627\u062a \u0627\u0644\u0645\u0634\u0631\u0641\u064a\u0646 \u0627\u0644\u0645\u062e\u062a\u0631\u0642\u0629<\/h3>\n
\u0625\u0636\u0627\u0641\u0627\u062a \u0623\u062f\u0648\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621<\/h3>\n
\u062d\u0648\u0627\u062f\u062b \u0648\u0627\u0642\u0639\u064a\u0629<\/h3>\n
\n
event-stream<\/code> (1.5 \u0645\u0644\u064a\u0648\u0646 \u062a\u0646\u0632\u064a\u0644 \u0623\u0633\u0628\u0648\u0639\u064a). \u0623\u0636\u0627\u0641 \u062a\u0628\u0639\u064a\u0629 \u0639\u0644\u0649 \u062d\u0632\u0645\u0629 \u062e\u0628\u064a\u062b\u0629\u060c flatmap-stream<\/code>\u060c \u0627\u0644\u062a\u064a \u0627\u062d\u062a\u0648\u062a \u0639\u0644\u0649 \u0643\u0648\u062f \u0645\u0634\u0641\u0651\u0631 \u064a\u0633\u062a\u0647\u062f\u0641 \u0645\u062d\u0641\u0638\u0629 Copay Bitcoin\u060c \u0645\u062d\u0627\u0648\u0644\u0627\u064b \u0633\u0631\u0642\u0629 \u0627\u0644\u0639\u0645\u0644\u0627\u062a \u0627\u0644\u0645\u0634\u0641\u0631\u0629.<\/li>\nua-parser-js<\/code> (7 \u0645\u0644\u0627\u064a\u064a\u0646 \u062a\u0646\u0632\u064a\u0644 \u0623\u0633\u0628\u0648\u0639\u064a) \u0639\u0646\u062f \u0627\u062e\u062a\u0631\u0627\u0642 \u062d\u0633\u0627\u0628 \u0627\u0644\u0645\u0634\u0631\u0641. \u0646\u064f\u0634\u0631\u062a \u0625\u0635\u062f\u0627\u0631\u0627\u062a \u062e\u0628\u064a\u062b\u0629 \u062b\u0628\u0651\u062a\u062a \u0628\u0631\u0627\u0645\u062c \u062a\u0639\u062f\u064a\u0646 \u0627\u0644\u0639\u0645\u0644\u0627\u062a \u0627\u0644\u0645\u0634\u0641\u0631\u0629 \u0648\u0628\u0631\u0627\u0645\u062c \u0633\u0631\u0642\u0629 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0639\u0644\u0649 \u0623\u0646\u0638\u0645\u0629 Linux \u0648Windows.<\/li>\nnode-ipc<\/code> \u0639\u0645\u062f\u064b\u0627 \u0643\u0648\u062f\u064b\u0627 \u064a\u0645\u0633\u062d \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0639\u0644\u0649 \u0627\u0644\u0623\u0646\u0638\u0645\u0629 \u0630\u0627\u062a \u0639\u0646\u0627\u0648\u064a\u0646 IP \u0627\u0644\u0631\u0648\u0633\u064a\u0629 \u0623\u0648 \u0627\u0644\u0628\u064a\u0644\u0627\u0631\u0648\u0633\u064a\u0629\u060c \u0645\u0645\u0627 \u064a\u0648\u0636\u062d \u0623\u0646 \u062d\u062a\u0649 \u0627\u0644\u0645\u0634\u0631\u0641\u064a\u0646 \u0627\u0644\u0645\u0648\u062b\u0648\u0642\u064a\u0646 \u064a\u0645\u0643\u0646 \u0623\u0646 \u064a\u0635\u0628\u062d\u0648\u0627 \u0646\u0627\u0642\u0644 \u062a\u0647\u062f\u064a\u062f (\u064a\u064f\u0637\u0644\u0642 \u0639\u0644\u064a\u0647 \u0623\u062d\u064a\u0627\u0646\u064b\u0627 “protestware”).<\/li>\n<\/ul>\n\u0643\u064a\u0641 \u062a\u0633\u062a\u063a\u0644 \u0647\u0630\u0647 \u0627\u0644\u0647\u062c\u0645\u0627\u062a CI\/CD<\/h2>\n
\u0627\u0644\u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u062a\u0644\u0642\u0627\u0626\u064a \u0644\u0644\u0643\u0648\u062f \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u0628\u0646\u0627\u0621<\/h3>\n
npm install<\/code> \u0623\u0648 pip install -r requirements.txt<\/code> \u0623\u0648 docker build<\/code>\u060c \u0641\u0625\u0646\u0647 \u064a\u0646\u0641\u0651\u0630 \u0643\u0648\u062f\u064b\u0627 \u0645\u0646 \u0645\u0635\u0627\u062f\u0631 \u062e\u0627\u0631\u062c\u064a\u0629. \u064a\u062d\u062f\u062b \u0647\u0630\u0627 \u062a\u0644\u0642\u0627\u0626\u064a\u064b\u0627 \u0645\u0639 \u0643\u0644 commit \u0623\u0648 pull request \u0623\u0648 \u0628\u0646\u0627\u0621 \u0645\u062c\u062f\u0648\u0644. \u0644\u0627 \u064a\u0648\u062c\u062f \u0625\u0646\u0633\u0627\u0646 \u0641\u064a \u0627\u0644\u062d\u0644\u0642\u0629 \u0644\u0645\u0631\u0627\u062c\u0639\u0629 \u0627\u0644\u0643\u0648\u062f \u0627\u0644\u0630\u064a \u064a\u064f\u0633\u062d\u0628 \u0648\u064a\u064f\u0646\u0641\u064e\u0651\u0630 \u0641\u0639\u0644\u064a\u064b\u0627.<\/p>\n\u0628\u064a\u0626\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0644\u062f\u064a\u0647\u0627 \u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f<\/h3>\n
\u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0627\u0644\u0645\u062c\u0644\u0648\u0628\u0629 \u0648\u0642\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0644\u0627 \u062a\u062e\u0636\u0639 \u0644\u062a\u062f\u0642\u064a\u0642 \u0645\u0633\u0628\u0642<\/h3>\n
package.json<\/code>\u060c requirements.txt<\/code>) \u0644\u0643\u0646 \u0627\u0644\u0643\u0648\u062f \u0627\u0644\u0641\u0639\u0644\u064a \u064a\u064f\u062c\u0644\u0628 \u062d\u062f\u064a\u062b\u064b\u0627 \u0645\u0646 \u0627\u0644\u0633\u062c\u0644\u0627\u062a \u0648\u0642\u062a \u0627\u0644\u0628\u0646\u0627\u0621. \u0628\u064a\u0646 \u0648\u0642\u062a \u0625\u0636\u0627\u0641\u0629 \u0645\u0637\u0648\u0631 \u0644\u062a\u0628\u0639\u064a\u0629 \u0648\u0648\u0642\u062a \u062a\u062b\u0628\u064a\u062a \u0646\u0638\u0627\u0645 CI \u0644\u0647\u0627\u060c \u0642\u062f \u062a\u062a\u063a\u064a\u0631 \u0645\u062d\u062a\u0648\u064a\u0627\u062a \u0627\u0644\u062d\u0632\u0645\u0629 \u2014 \u0623\u0648 \u0642\u062f \u062a\u0638\u0647\u0631 \u062d\u0632\u0645\u0629 dependency confusion \u0639\u0644\u0649 \u0627\u0644\u0633\u062c\u0644 \u0627\u0644\u0639\u0627\u0645. \u0639\u0627\u062f\u0629\u064b \u0644\u0627 \u062a\u0648\u062c\u062f \u062e\u0637\u0648\u0629 \u062a\u062d\u0642\u0642 \u0628\u064a\u0646 \u0627\u0644\u062a\u062d\u0644\u064a\u0644 \u0648\u0627\u0644\u062a\u0646\u0641\u064a\u0630.<\/p>\n\u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0627\u0644\u0639\u0627\u0628\u0631\u0629 \u062a\u0648\u0633\u0651\u0639 \u0633\u0637\u062d \u0627\u0644\u0647\u062c\u0648\u0645<\/h3>\n
event-stream<\/code> \u2014 \u064a\u0646\u062a\u0634\u0631 \u0627\u0644\u0647\u062c\u0648\u0645 \u0639\u0628\u0631 \u0634\u062c\u0631\u0629 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0628\u0623\u0643\u0645\u0644\u0647\u0627 \u062f\u0648\u0646 \u0623\u064a \u062a\u063a\u064a\u064a\u0631 \u0641\u064a \u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0645\u0627\u0646\u064a\u0641\u0633\u062a \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643.<\/p>\n\u0627\u0644\u062f\u0641\u0627\u0639 \u0636\u062f Dependency Confusion<\/h2>\n
\u0627\u0633\u062a\u062e\u062f\u0645 \u0627\u0644\u0646\u0637\u0627\u0642\u0627\u062a \u0644\u062d\u0632\u0645\u0643 \u0627\u0644\u062e\u0627\u0635\u0629<\/h3>\n
@yourcompany\/package-name<\/code>. \u0644\u0627 \u064a\u0645\u0643\u0646 \u0644\u0644\u0645\u0647\u0627\u062c\u0645 \u062a\u0633\u062c\u064a\u0644 \u062d\u0632\u0645 \u062a\u062d\u062a \u0646\u0637\u0627\u0642 \u0645\u0624\u0633\u0633\u062a\u0643 \u0639\u0644\u0649 \u0633\u062c\u0644 npm \u0627\u0644\u0639\u0627\u0645.<\/p>\n\u0643\u0648\u0650\u0651\u0646 \u0623\u0648\u0644\u0648\u064a\u0629 \u0627\u0644\u0633\u062c\u0644 \u0635\u0631\u0627\u062d\u0629\u064b<\/h3>\n
.npmrc<\/code>:<\/strong><\/p>\n# Always fetch @yourcompany scoped packages from private registry\n@yourcompany:registry=https:\/\/npm.yourcompany.com\/\n\n# All other packages come from the public npm registry\nregistry=https:\/\/registry.npmjs.org\/\n\n# Authentication for private registry\n\/\/npm.yourcompany.com\/:_authToken=${NPM_PRIVATE_TOKEN}<\/code><\/pre>\npip.conf<\/code> \u0644\u0640 Python:<\/strong><\/p>\n# IMPORTANT: Use --index-url (NOT --extra-index-url) for your private registry\n# --extra-index-url checks BOTH registries and picks the higher version (vulnerable!)\n# --index-url uses ONLY your private registry as the primary source\n\n[global]\nindex-url = https:\/\/pypi.yourcompany.com\/simple\/\n\n# If you need public PyPI packages, configure your private registry\n# (Artifactory, Nexus) to proxy public PyPI \u2014 do NOT use --extra-index-url<\/code><\/pre>\n.yarnrc.yml<\/code> \u0644\u0640 Yarn Berry:<\/strong><\/p>\nnpmScopes:\n yourcompany:\n npmRegistryServer: \"https:\/\/npm.yourcompany.com\"\n npmAuthToken: \"${NPM_PRIVATE_TOKEN}\"\n\nnpmRegistryServer: \"https:\/\/registry.yarnpkg.com\"<\/code><\/pre>\n\u0627\u0633\u062a\u062e\u062f\u0645 \u0648\u0643\u0644\u0627\u0621 \u0627\u0644\u0633\u062c\u0644\u0627\u062a \u0627\u0644\u062e\u0627\u0635\u0629<\/h3>\n
\n
\u0627\u0644\u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u0641\u0627\u0639\u064a<\/h3>\n
\u062b\u0628\u0651\u062a \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0628\u0627\u0644\u062a\u062c\u0632\u0626\u0629<\/h3>\n
# Generate hashes for your requirements\npip-compile --generate-hashes requirements.in -o requirements.txt\n\n# Install with hash verification\npip install --require-hashes -r requirements.txt<\/code><\/pre>\npackage-lock.json<\/code>. \u062a\u0623\u0643\u062f \u0645\u0646 \u0625\u064a\u062f\u0627\u0639 \u0645\u0644\u0641 \u0627\u0644\u0642\u0641\u0644 \u0648\u0627\u0633\u062a\u062e\u062f\u0627\u0645 npm ci<\/code> (\u0648\u0644\u064a\u0633 npm install<\/code>) \u0641\u064a CI \u0644\u0641\u0631\u0636 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0633\u0644\u0627\u0645\u0629:<\/p>\n# In CI, always use npm ci \u2014 it strictly follows the lockfile\n# and verifies integrity hashes for every package\nnpm ci<\/code><\/pre>\n\u0627\u0644\u062f\u0641\u0627\u0639 \u0636\u062f Artifact Poisoning<\/h2>\n
\u062b\u0628\u0651\u062a \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0628\u0627\u0644\u0645\u0644\u062e\u0635<\/h3>\n
latest<\/code> \u0623\u0648 \u062d\u062a\u0649 3.11<\/code>. \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0630\u0644\u0643\u060c \u062b\u0628\u0651\u062a \u0639\u0644\u0649 \u0645\u0644\u062e\u0635 SHA256 \u063a\u064a\u0631 \u0627\u0644\u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u063a\u064a\u064a\u0631:<\/p>\n# Vulnerable: tag can be overwritten with a compromised image\nFROM python:3.11-slim\n\n# Secure: digest is immutable \u2014 this exact image or nothing\nFROM python:3.11-slim@sha256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2<\/code><\/pre>\n\u062b\u0628\u0651\u062a GitHub Actions \u0628\u0640 SHA<\/h3>\n
# Vulnerable: v3 tag can be moved to point to compromised code\n- uses: actions\/checkout@v3\n\n# Secure: pinned to specific commit SHA\n- uses: actions\/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2<\/code><\/pre>\n\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0639\u0644\u0649 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a<\/h3>\n
\n
npm audit signatures<\/code> \u0644\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0627\u0644\u0633\u062c\u0644 \u0639\u0644\u0649 \u0627\u0644\u062d\u0632\u0645.<\/li>\nsigstore-python<\/code> \u062a\u062c\u0644\u0628 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0625\u0644\u0649 PyPI.<\/li>\n<\/ul>\n\u0623\u0646\u0634\u0626 \u0648\u062a\u062a\u0628\u0651\u0639 SBOMs<\/h3>\n
\u0623\u062a\u0645\u062a \u0645\u0631\u0627\u062c\u0639\u0629 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a<\/h3>\n
\n
\u0642\u064a\u0651\u062f \u0648\u0635\u0648\u0644 \u0627\u0644\u0634\u0628\u0643\u0629 \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u0628\u0646\u0627\u0621 (Hermetic Builds)<\/h3>\n
--network=none<\/code> \u0641\u064a Docker \u0623\u0648 \u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u0634\u0628\u0643\u0629 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0645\u0646\u0635\u0629 CI.<\/p>\n\u0627\u0639\u062a\u0645\u062f \u0645\u0633\u0628\u0642\u064b\u0627 \u0648\u0623\u0646\u0634\u0626 \u0642\u0648\u0627\u0626\u0645 \u0645\u0633\u0645\u0648\u062d\u0629 \u0644\u0644\u062a\u0628\u0639\u064a\u0627\u062a<\/h3>\n
\u0627\u0644\u0643\u0634\u0641 \u0648\u0627\u0644\u0645\u0631\u0627\u0642\u0628\u0629<\/h2>\n
\u0631\u0627\u0642\u0628 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0627\u0644\u062c\u062f\u064a\u062f\u0629 \u063a\u064a\u0631 \u0627\u0644\u0645\u062a\u0648\u0642\u0639\u0629<\/h3>\n
\u0623\u0646\u0630\u0631 \u0639\u0646\u062f \u0642\u0641\u0632\u0627\u062a \u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a<\/h3>\n
1.2.3<\/code> \u0625\u0644\u0649 99.0.0<\/code> \u0647\u064a \u0645\u0624\u0634\u0631 \u0642\u0648\u064a \u0639\u0644\u0649 \u0647\u062c\u0648\u0645 dependency confusion. \u0637\u0628\u0651\u0642 \u0645\u0631\u0627\u0642\u0628\u0629 \u062a\u064f\u0646\u0630\u0631 \u0639\u0646\u062f \u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u063a\u064a\u0631 \u0627\u0644\u0645\u0639\u062a\u0627\u062f\u0629\u060c \u062e\u0627\u0635\u0629 \u0627\u0644\u0642\u0641\u0632\u0627\u062a \u0627\u0644\u0643\u0628\u064a\u0631\u0629 \u0641\u064a \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u0631\u0626\u064a\u0633\u064a \u0644\u0644\u062d\u0632\u0645 \u0627\u0644\u062f\u0627\u062e\u0644\u064a\u0629.<\/p>\n\u0627\u0633\u062a\u0641\u062f \u0645\u0646 \u0623\u062f\u0648\u0627\u062a \u0627\u0644\u0641\u062d\u0635 \u0627\u0644\u0623\u0645\u0646\u064a<\/h3>\n
\n
\u0627\u0641\u062d\u0635 \u0646\u0635\u0648\u0635 \u0627\u0644\u062a\u062b\u0628\u064a\u062a \u0648\u062e\u0637\u0627\u0641\u0627\u062a \u0645\u0627 \u0628\u0639\u062f \u0627\u0644\u062a\u062b\u0628\u064a\u062a<\/h3>\n
preinstall<\/code> \u0623\u0648 install<\/code> \u0623\u0648 postinstall<\/code> \u0641\u064a npm\u060c \u0623\u0648 setup.py<\/code> \u0628\u0643\u0648\u062f \u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u0646\u0641\u064a\u0630 \u0641\u064a Python.<\/p>\n\u0642\u0627\u0631\u0646 SBOMs \u0628\u064a\u0646 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621<\/h3>\n
\u062a\u0642\u0648\u064a\u0629 CI\/CD \u0628\u0634\u0643\u0644 \u062e\u0627\u0635<\/h2>\n
\u0623\u0648\u062f\u0639 \u0648\u062a\u062d\u0642\u0642 \u0645\u0646 \u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0642\u0641\u0644 \u0641\u064a CI<\/h3>\n
package-lock.json<\/code>\u060c yarn.lock<\/code>\u060c Pipfile.lock<\/code>\u060c poetry.lock<\/code>) \u0627\u0644\u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0627\u0644\u062f\u0642\u064a\u0642\u0629 \u0648\u062a\u062c\u0632\u0626\u0627\u062a \u0643\u0644 \u062a\u0628\u0639\u064a\u0629. \u064a\u062c\u0628 \u0623\u0646 \u064a\u0641\u0634\u0644 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI \u0625\u0630\u0627 \u0643\u0627\u0646 \u0645\u0644\u0641 \u0627\u0644\u0642\u0641\u0644 \u064a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u062a\u063a\u064a\u064a\u0631\u0627\u062a \u063a\u064a\u0631 \u0645\u062a\u0648\u0642\u0639\u0629.<\/p>\nname: Build\non: [push, pull_request]\n\njobs:\n build:\n runs-on: ubuntu-latest\n steps:\n - uses: actions\/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2\n\n - name: Setup Node.js\n uses: actions\/setup-node@1a4442cacd436585916f1b3aa94e4166f1a22160 # v3.8.2\n with:\n node-version: '20'\n\n - name: Verify lockfile has not been tampered with\n run: |\n # npm ci will fail if package-lock.json is out of sync\n # with package.json or if integrity hashes don't match\n npm ci\n\n - name: Check for lockfile modifications\n run: |\n if ! git diff --exit-code package-lock.json; then\n echo \"ERROR: package-lock.json was modified during install.\"\n echo \"This could indicate a dependency confusion attack.\"\n exit 1\n fi\n\n - name: Audit dependencies\n run: npm audit --audit-level=high<\/code><\/pre>\nstages:\n - verify\n - build\n - test\n\nverify-dependencies:\n stage: verify\n image: python:3.11-slim@sha256:abc123... # Pin by digest\n script:\n - pip install pip-tools pip-audit\n # Verify that requirements.txt hashes match actual packages\n - pip install --require-hashes --no-deps -r requirements.txt\n # Audit for known vulnerabilities\n - pip-audit -r requirements.txt\n # Ensure no unexpected changes to lockfile\n - pip-compile --generate-hashes requirements.in -o \/tmp\/requirements-check.txt\n - diff requirements.txt \/tmp\/requirements-check.txt\n rules:\n - if: '$CI_PIPELINE_SOURCE == \"merge_request_event\"'\n - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'\n\nbuild:\n stage: build\n image: python:3.11-slim@sha256:abc123...\n script:\n - pip install --require-hashes --no-deps -r requirements.txt\n - python -m build\n needs: [verify-dependencies]<\/code><\/pre>\n\u0627\u0641\u0635\u0644 \u062a\u062d\u0644\u064a\u0644 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0639\u0646 \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0628\u0646\u0627\u0621<\/h3>\n
\u0628\u064a\u0626\u0627\u062a \u0628\u0646\u0627\u0621 \u0645\u0639\u0632\u0648\u0644\u0629 \u0639\u0646 \u0627\u0644\u0634\u0628\u0643\u0629<\/h3>\n
# Docker-based hermetic build example\n# Phase 1: Fetch dependencies (with network)\ndocker run --name dep-fetch my-builder:latest \\\n npm ci --prefer-offline\n\n# Phase 2: Build (without network)\ndocker run --network=none -v deps:\/app\/node_modules \\\n my-builder:latest npm run build<\/code><\/pre>\n\u062e\u0632\u0651\u0646 \u0627\u0644\u062a\u0628\u0639\u064a\u0627\u062a \u0641\u064a \u062a\u062e\u0632\u064a\u0646 \u062f\u0627\u062e\u0644\u064a \u0645\u0648\u062b\u0648\u0642<\/h3>\n
\u0627\u0644\u062e\u0644\u0627\u0635\u0629<\/h2>\n
npm install<\/code>\u060c \u0648\u0643\u0644 docker pull<\/code>\u060c \u0648\u0643\u0644 \u062a\u0648\u062c\u064a\u0647 uses:<\/code> \u0641\u064a \u0633\u064a\u0631 \u0639\u0645\u0644 GitHub Actions \u0647\u0648 \u0642\u0631\u0627\u0631 \u062b\u0642\u0629 \u2014 \u0648\u0627\u0644\u0645\u0647\u0627\u062c\u0645\u0648\u0646 \u064a\u0639\u0645\u0644\u0648\u0646 \u0628\u0646\u0634\u0627\u0637 \u0644\u0625\u0633\u0627\u0621\u0629 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u062a\u0644\u0643 \u0627\u0644\u062b\u0642\u0629.<\/p>\n\n
npm ci<\/code> \u0623\u0648 --require-hashes<\/code>\u060c \u0639\u0637\u0651\u0644 \u0646\u0635\u0648\u0635 \u0627\u0644\u062a\u062b\u0628\u064a\u062a \u062d\u064a\u062b\u0645\u0627 \u0623\u0645\u0643\u0646.<\/li>\n