CN112783513A - Code risk checking method, device and equipment - Google Patents
Code risk checking method, device and equipment Download PDFInfo
- Publication number
- CN112783513A CN112783513A CN202110289057.8A CN202110289057A CN112783513A CN 112783513 A CN112783513 A CN 112783513A CN 202110289057 A CN202110289057 A CN 202110289057A CN 112783513 A CN112783513 A CN 112783513A
- Authority
- CN
- China
- Prior art keywords
- code
- information
- target code
- error information
- error
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 122
- 238000012360 testing method Methods 0.000 claims abstract description 146
- 230000006378 damage Effects 0.000 claims abstract description 80
- 238000001514 detection method Methods 0.000 claims abstract description 41
- 230000001066 destructive effect Effects 0.000 claims abstract description 38
- 238000004886 process control Methods 0.000 claims abstract description 32
- 238000004422 calculation algorithm Methods 0.000 claims description 24
- 230000015654 memory Effects 0.000 claims description 20
- 230000008569 process Effects 0.000 claims description 15
- 238000003860 storage Methods 0.000 claims description 13
- 238000009658 destructive testing Methods 0.000 claims description 6
- 230000009466 transformation Effects 0.000 claims description 6
- 238000007781 pre-processing Methods 0.000 claims description 3
- 239000013598 vector Substances 0.000 description 33
- 230000006870 function Effects 0.000 description 18
- 239000011159 matrix material Substances 0.000 description 15
- 238000005457 optimization Methods 0.000 description 13
- 238000012545 processing Methods 0.000 description 10
- 238000011161 development Methods 0.000 description 8
- 238000012986 modification Methods 0.000 description 8
- 230000004048 modification Effects 0.000 description 8
- 238000010586 diagram Methods 0.000 description 7
- 230000000694 effects Effects 0.000 description 6
- 230000035772 mutation Effects 0.000 description 6
- 230000002068 genetic effect Effects 0.000 description 5
- 230000003993 interaction Effects 0.000 description 5
- 238000005259 measurement Methods 0.000 description 5
- 238000002922 simulated annealing Methods 0.000 description 5
- 230000003595 spectral effect Effects 0.000 description 5
- 238000004458 analytical method Methods 0.000 description 4
- 230000005540 biological transmission Effects 0.000 description 4
- 238000004590 computer program Methods 0.000 description 4
- 108090000623 proteins and genes Proteins 0.000 description 3
- 238000012827 research and development Methods 0.000 description 3
- 238000000926 separation method Methods 0.000 description 3
- 230000003068 static effect Effects 0.000 description 3
- 230000005856 abnormality Effects 0.000 description 2
- 230000006399 behavior Effects 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 2
- 238000013145 classification model Methods 0.000 description 2
- 238000004891 communication Methods 0.000 description 2
- 238000000605 extraction Methods 0.000 description 2
- 230000006872 improvement Effects 0.000 description 2
- 238000004519 manufacturing process Methods 0.000 description 2
- 230000000750 progressive effect Effects 0.000 description 2
- 238000012552 review Methods 0.000 description 2
- 238000004088 simulation Methods 0.000 description 2
- 230000001960 triggered effect Effects 0.000 description 2
- OKTJSMMVPCPJKN-UHFFFAOYSA-N Carbon Chemical compound [C] OKTJSMMVPCPJKN-UHFFFAOYSA-N 0.000 description 1
- 108010001267 Protein Subunits Proteins 0.000 description 1
- 230000009471 action Effects 0.000 description 1
- 230000004075 alteration Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 210000000349 chromosome Anatomy 0.000 description 1
- 238000000354 decomposition reaction Methods 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 239000012634 fragment Substances 0.000 description 1
- 229910021389 graphene Inorganic materials 0.000 description 1
- 230000000977 initiatory effect Effects 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
- 238000012804 iterative process Methods 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 238000013486 operation strategy Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000009401 outcrossing Methods 0.000 description 1
- 230000002688 persistence Effects 0.000 description 1
- 238000013442 quality metrics Methods 0.000 description 1
- 238000013522 software testing Methods 0.000 description 1
- 238000000638 solvent extraction Methods 0.000 description 1
- 239000000126 substance Substances 0.000 description 1
- 238000012549 training Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 239000011800 void material Substances 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/41—Compilation
- G06F8/43—Checking; Contextual analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3668—Software testing
- G06F11/3672—Test management
- G06F11/3684—Test management for test design, e.g. generating new test cases
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3668—Software testing
- G06F11/3672—Test management
- G06F11/3688—Test management for test execution, e.g. scheduling of test suites
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Quality & Reliability (AREA)
- Software Systems (AREA)
- Stored Programmes (AREA)
- Debugging And Monitoring (AREA)
Abstract
The embodiment of the specification provides a code risk checking method, a code risk checking device and code risk checking equipment, which can be used in the financial field or other fields. The method comprises the steps of obtaining an object code; detecting the target code based on the error information set to obtain detection data; determining whether to perform a destructive test on the target code based on the process control model under the condition that the detection data has no risk; the process control model is established based on the resource information, the generation time of the damage test case, the operation judgment time of the damage test case and the code error rate; under the condition that the damage test is determined to be executed on the target code, generating a damage test case based on the running node information and the execution path information corresponding to the target code; executing the damage test case to obtain an execution result corresponding to the target code; determining whether the target code is at risk based on the execution result. By utilizing the embodiment of the specification, the code risk detection efficiency can be improved, and meanwhile, the product code quality is ensured.
Description
Technical Field
The present application relates to the field of software testing, and in particular, to a code risk checking method, apparatus and device. It should be noted that the code risk checking method, device and apparatus disclosed in the present application may be used in the financial field, and may also be used in any field other than the financial field.
Background
In the daily development and test process of a software system, no potential or obvious risk exists in codes, and the improvement of the code quality and the test progress become more and more important.
Currently, in Development testing, the submission of process control is mainly performed by a code static scan tool for normative checking, and then the code passing the normative checking is tested by a Unit Test tool in a Unit Test Drive Development (UTDD) idea. However, the code static scanning tool, such as SONAR, can only statically scan the problems that may be caused in the code based on the rule base established by the industry or the technical department of companies, and can not capture some problems that can be exposed only by running; due to human reasons, the UTDD-based unit testing tool may cause that many times unit tests are written only for realizing code level coverage, which not only has uneven quality and is difficult to achieve the effect of guarding product quality, but also is difficult to verify whether the UTDD-based unit testing tool really covers branches from a business perspective, so that the product code quality cannot be ensured.
Therefore, there is a need for a solution to the above technical problems.
Disclosure of Invention
The embodiment of the specification provides a code risk checking method, a code risk checking device and a code risk checking device, which can improve code risk detection efficiency and ensure product code quality.
The code risk checking method, device and equipment provided by the specification are realized in the following modes.
A code risk checking method, comprising: acquiring a target code; detecting the target code based on an error information set to obtain detection data; the detection data represents whether the target code is at risk; determining whether to perform a destructive test on the target code based on a process control model in the absence of risk to the detection data; the process control model is established based on resource information, the generation time of the damage test case, the operation judgment time of the damage test case and the code error rate; under the condition that the damage test is determined to be executed on the target code, generating a damage test case based on the running node information and the execution path information corresponding to the target code; executing the damage test case to obtain an execution result corresponding to the target code; determining whether the target code is at risk based on the execution result.
A code risk check device, comprising: the acquisition module is used for acquiring a target code; the detection module is used for detecting the target code based on an error information set to obtain detection data; the detection data represents whether the target code is at risk; a first determination module, configured to determine whether to perform a destructive test on the target code based on a process control model if the detection data is not at risk; the process control model is established based on resource information, the generation time of the damage test case, the operation judgment time of the damage test case and the code error rate; the generating module is used for generating a damage test case based on the running node information and the execution path information corresponding to the target code under the condition that the damage test is determined to be executed on the target code; the execution module is used for executing the damage test case and obtaining an execution result corresponding to the target code; a second determination module to determine whether the target code is at risk based on the execution result.
A code risk checking device comprising at least one processor and a memory storing computer executable instructions which when executed by the processor implement the steps of any one of the method embodiments of the present specification.
A computer readable storage medium having stored thereon computer instructions which, when executed, implement the steps of any one of the method embodiments in the present specification.
The specification provides a code risk checking method, a code risk checking device and code risk checking equipment. In some embodiments, the target code may be obtained, and the target code may be detected based on the error information set to obtain detection data, where the detection data indicates whether the target code is at risk. Further, under the condition that the detected data has no risk, whether a damage test is executed on the target code is determined based on the process control model, when the damage test is determined to be executed on the target code, a damage test case can be generated based on the running node information and the execution path information corresponding to the target code, the damage test case is further executed, an execution result corresponding to the target code is obtained, and whether the target code has the risk is determined based on the execution result; the process control model is established based on the resource information, the generation time of the damage test case, the operation judgment time of the damage test case and the code error rate. By adopting the implementation scheme provided by the specification, the code risk detection efficiency can be improved, and the product code quality can be ensured.
Drawings
The accompanying drawings, which are included to provide a further understanding of the specification, are incorporated in and constitute a part of this specification, and are not intended to limit the specification. In the drawings:
FIG. 1 is a schematic flow chart diagram illustrating one embodiment of a code risk check method provided herein;
fig. 2 is a directed graph corresponding to a service code provided in the present specification;
FIG. 3 is a block diagram of an embodiment of a code risk check device provided in the present specification;
FIG. 4 is a block diagram of the hardware architecture of one embodiment of a code risk check server provided by the present specification.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments in the present specification, and not all of the embodiments. All other embodiments that can be obtained by a person skilled in the art on the basis of one or more embodiments of the present description without inventive step shall fall within the scope of protection of the embodiments of the present description.
The following describes an embodiment of the present disclosure with a specific application scenario as an example. Specifically, fig. 1 is a schematic flow chart of an embodiment of a code risk checking method provided in this specification. Although the present specification provides the method steps or apparatus structures as shown in the following examples or figures, more or less steps or modules may be included in the method or apparatus structures based on conventional or non-inventive efforts.
One embodiment provided by the present specification can be applied to a client, a server, and the like. The client may include a terminal device, such as a smart phone, a tablet computer, and the like. The server may include a single computer device, or may include a server cluster formed by a plurality of servers, or a server structure of a distributed system, and the like.
It should be noted that the following description of the embodiments does not limit the technical solutions in other extensible application scenarios based on the present specification. In an embodiment of a code risk checking method provided herein, as shown in fig. 1, the method may include the following steps.
S0: and acquiring the target code.
In this embodiment, the target code may be a code to be tested. The code under test may be code that needs to be checked for risk, for example, after committing Git and initiating Commit operation, the code enters a review phase of the code, in which a series of checks of the code are generally performed, and therefore, the code of the phase can be considered as target code. Where Git is an open-source, distributed version control system for agilely and efficiently processing any small or large project. The Commit operation may be used to save the modifications made by the transaction to the database. Review may reduce the error rate of the code.
In some embodiments, the object code may be retrieved from a database or other storage, which is not limited in this specification.
S2: detecting the target code based on an error information set to obtain detection data; the detection data indicates whether the object code is at risk.
In this embodiment of the present specification, after the target code is obtained, the target code may be detected based on the error information set, so as to obtain detection data. Wherein the detection data may indicate whether the object code is at risk.
In some embodiments, the error information set may be obtained by: acquiring a service code included in an application code library; carrying out structural transformation on the service codes to obtain a directed graph corresponding to the service codes; wherein the directed graph comprises operation node information of the service code; the operation node information comprises parameter information and code structure information; traversing the directed graph by using a breadth first algorithm to obtain execution path information corresponding to the service code; generating a damage test case based on the operation node information and the execution path information; executing the damage test case to acquire error information; the error information comprises corresponding execution path information, code structure information and parameter information when an error occurs in the process of executing the damage test case; and preprocessing the error information to obtain an error information set. The application code library may store a large number of service codes in advance. The service code may comprise code already applied to the service, may also comprise source code, etc.
In some implementation scenarios, the structured transformation may also be referred to as a nodularization, which may be understood as a decomposition and abstraction of the structure of the code itself, which may transform the code into a directed graph. It should be noted that in some implementation scenarios, the service code may include one or more program methods (simply "methods"), and a method may include information such as input, output, internal logic, and the like. Generally, the method internal logic may include certain branch decision conditions. The branch judgment condition is generally based on the actual business requirement of the branch judgment condition, different code execution paths and output results are given based on the characteristics of the programming language and different judgment conditions, so that the realization of business logic is met. The branch judgment condition of the java programming language may include: 1) catch, the expression can be used for preventing the program exception that may appear generally, put into normal business code in the general try module, catch branch can be used for processing the program exception that may appear generally; 2) else if.. else, the expression being the most common branch decision condition, if may be used for the first condition of a collision, one to more else ifs may be used for one to more conditions after a collision, and when all of the aforementioned conditions are not met, the statement block of else is executed; 3) the method comprises the steps that (1) a switch statement generally has a uniform judged object, matching is carried out according to values of one or more cases, corresponding logic is executed after matching is achieved, and a default statement block is triggered when all cases cannot be matched; 4) a ternary expression, which may be viewed as a simple version of if... else, generally of the form: b, representing that the ternary expression is based on a Boolean expression as judgment, and returning to a when the expression is true, otherwise returning to B.
Based on the branch judgment condition of the java programming language described above, the internal logic of a method generally consists of three types of sequential execution, branch judgment and loop execution. In some implementation scenarios of this specification, when converting a service code into a directed graph, sequential execution and loop execution may be combined, so that the length of a sequential execution link of a method in the service code may determine the depth of the service code, and branch judgment may increase the breadth of the service code.
In some implementation scenarios, the code may be converted into a directed graph based on the following extraction rules:
step 1: setting an entry of the method as a start node of the directed graph, and recording an initial code depth as d as 1;
step 2: judging the form of the next line of sentences;
wherein, if the statement is a sequential flow statement, skipping; if the branch judgment identifier is positive, then go to Step 3; if it is an end identifier, go to Step 4; if it is the last line of code, go to Step 5.
Step 3: and d +1, finding the corresponding ending, and according to the branch of the branch in the directed graph, keeping consistent depth. Further, the same level is continuously searched downwards to find whether a branch judgment structure of the same depth level exists or not, and the Step2 is turned until the peer code block is ended.
Step 4: depth is recorded as dend=dnow+1 and as end node, go to Step 2;
wherein d isendIndicating the depth corresponding to the end node of the execution path, dnowIndicating the depth corresponding to the current node.
Step 5: recording maximum depth
Wherein the content of the first and second substances,
represents the maximum value among the depths corresponding to all execution path end nodes in the directed graph,
indicates the depth corresponding to the end node of the execution path 1 in the directed graph,
and the depth corresponding to an end node of the execution path K in the directed graph is shown, K represents the number of the execution paths, and K represents the number of the execution paths in the directed graph.
In the embodiment of the specification, the business codes are converted into the directed graph from the programming language by using the extraction rule, so that the codes can be conveniently described in a structured mode, more convenience is provided for subsequent code analysis, and the analysis efficiency is improved.
In some implementation scenarios, after the business code is structurally converted, a directed graph corresponding to the business code may be obtained. The directed graph represents a start node and an end node of the directed graph by code entry and end, and other nodes in the directed graph can be composed of branch structures. The directed graph may include run node information of the code, and the run node information may include parameter information and code structure information. The parameter information may include input parameters, output parameters, condition parameters, and the like. Code structure information may include inputs, outputs, external dependencies, branch predicates, and the like.
In some implementation scenarios, after the digraph corresponding to the service code is obtained, the digraph may be traversed by using a breadth first algorithm to obtain the execution path information corresponding to the service code. In some implementation scenarios, the execution path information corresponding to the service code is obtained, and at the same time, the corresponding path execution matrix may also be obtained.
In some implementation scenarios, it is assumed that one method of the service code includes K execution paths, d denotes depth,
representing maximum depth, b representing the number of single-node branches, bmaxRepresenting the maximum single-node branch number, representing whether the code runs to the node when executing each execution path or not by numerical information, representing the numerical information of the starting node as 1, representing the numerical information of the ending node as 1, representing the numerical information of the rest nodes as N according to whether the numerical information of the rest nodes runs to set a variable of 0-1 or not, and representing the execution path set as Nroute={N1,N2....NKThe path execution matrix is noted as
N1Indicating execution path information corresponding to the first execution path, NKRepresenting the execution path information corresponding to the K-th execution path, and r (i, K) representing the numerical value corresponding to the ith depth and the K-th execution path, the execution steps of traversing the directed graph by using the breadth first algorithm are as follows:
step 1: starting from the start node, recording the current depth d 11, the numerical information is r (1, k) 1;
step 2: based on the branch judgment condition, finding out the value corresponding to the kth execution path of the ith depth level, and recording the depth as diThe numerical information is r (i, k) ═ j;
step 3: recording the line which reaches the end node first, recording the depth of the end node, wherein for a certain execution path k, the execution path information is Nk;
Step 4: step2 and Step3 are repeated until all nodes are traversed.
As shown in fig. 2, fig. 2 is a directed graph corresponding to a service code provided in this specification. Where d represents depth, the number in the circle represents the node number, there are 10 nodes in total, start in the circle represents the start node (denoted as node 1), end in the circle represents the end node (denoted as node 10), and there are 5 execution paths, and the method forms a branch after branch condition determination is performed at nodes 1,2, 4, and 5. By using the breadth first algorithm to traverse the directed graph, an execution matrix R can be obtained as:
set of execution paths Nroute={N1,N2....NKIn (v), N1=(1,1),(2,1),(3,1),(4,1),(5,1),N2=(1,1),(2,2),(3,0),(4,0),(5,1),N3=(1,1),(2,1),(3,2),(4,1),(5,1),N4=(1,1),(2,1),(3,1),(4,2),(5,1),N5=(1,1),(2,1),(3,2),(4,2),(5,1)。
In some implementation scenarios, after the execution path information corresponding to the service code, a damage test component may be designed based on the operation node information and the execution path information, and a damage test may be performed on the method to be tested, so as to verify whether a potential risk exists in the current code writing logic, and provide a data basis for subsequent intelligent identification. Wherein, the test case can be understood as a destructive test case.
In some implementation scenarios, when a damage test case is generated based on the operating node information and the execution path information corresponding to the target code, firstly, powermocktio can be used to simulate external dependency information in a service code, then, based on the operating node information, a damage test input is designed, and finally, based on the execution path information and the damage test input, a reflection tool and a code template generation tool are used to generate the test case. The PowerMockito is an open source mock frame and can be used for isolating external dependence in a code method and ensuring the unit level and the independence of code execution. For example, a method is internally connected with a database to perform some operations, so that when a destructive test is performed, in order to ensure the unit property of a code, the dependence on the outside needs to be cut off, that is, the database cannot be really connected, and the existence of powermocktio can simulate the behavior of the dependence on the outside, thereby realizing the effect of "simulation". The code template generation tool may be Velocity. Velocity can be considered as a template engine that can be used to generate test cases. For example, a template of a mail is designed, only part of core content (such as dynamic information of time, addressee and the like) is transmitted to the template, and a finished mail can be assembled by using Velocity. The reflecting means may comprise javaassit, cglib, etc. javaassit is a class library for editing byte codes in Java, and can search object attributes and methods, modify scope, call methods by method name, and the like at runtime. cglib is a powerful, high-performance code generation library that is widely used in the AOP framework to provide method interception operations. The destructive testing input can be understood as an entry into the destructive testing case, the value of which can be inferred based on the branch, for example. For example, an entry has an array, and the number of elements in the array is checked in the branch, and depending on whether the branch is null, the entry to the array here can be null or data.
In some implementations, designing the destructive testing component may include: (1) reading a code, and acquiring input information, output information, external dependence information and branch judgment condition information of the code; (2) designing a destructive test input; (3) and automatically generating a damage test case based on reflection tool packages such as javaassit, cglib and the like and a vector code template generation tool.
In the implementation scenario, the input information of the code may be generally divided into three types, one is no input, the other is a basic type including common numerical values, character strings, boolean, sets, maps, and the like, and the other is a more complex type. On one hand, the more complex class can be simulated based on mock, and for some difficultly mock but not used in the method, null (empty) can be given, and for some difficultly mock, a damage test case needs to be written manually, but the situation is very rare.
In the implementation scenario, for input, it may be retrieved based on the object scanning method which attributes and methods are used by the object scanning method, which assignment and determination processes are involved, and specific different combination input information may be obtained by combining types and inputs.
In the implementation scenario, three types of outputs can be included, one is no output, i.e. Void method, one is basic type output, and the other is type output. In some implementations, however, there may also be a special set of outputs, namely an Exception class, that is one result of the code in the event that an Exception is thrown and the code itself is not captured during the corruption test.
In the implementation scenario, for external dependency, in software development, it generally refers to a method that calls a database, initiates a network request to the outside, or calls other non-system classes. According to the isolation principle of unit testing, for the condition, a mock can be used for isolating dependence, and the condition that the test operation is unstable due to the change of the external environment is ensured. In the embodiments of the present specification, the external dependency is isolated by a powermocktio tool, which has a simulation of an instance method, a static method, a final method, a private method, and the like.
In the implementation scenario, for branch judgment, the input and the external dependency can be considered together, generally, judgment is performed according to the input of data and an intermediate variable in the method, and the intermediate variable is generally obtained through an external method, so that the generation position of the judgment condition can be traced by analyzing the judgment condition of the branch, and different mock implementation behaviors are set for different branches.
In some implementation scenarios, after generating the failure test case, the failure test case may be executed based on Junit to obtain the error information. The error information may include execution path information, code structure information, parameter information, depth, error type, error stack information, and the like corresponding to the error occurring during the process of executing the destructive test case. Junit is a java-based unit test framework that can be used to run unit-level tests at the method level, driving the execution of test cases.
In the embodiment of the specification, by designing a PowerMockito + Junit-based destructive test component, judging input and output, external dependence and branch conditions of the method, a destructive unit test case covered by a full path is automatically generated by a Velocity code template generation tool, and a large amount of error information is acquired by running the generated destructive unit test case, so that a data base can be provided for subsequent error classification, and a guarantee can be provided for subsequent code risk detection.
In some embodiments, after obtaining the error information, the error information may be preprocessed to obtain an error information set. In some implementation scenarios, the error information with the same execution path information may be merged first, and then the secondary error information is removed from the merged error information set to obtain an error information set.
In some implementations, error stack information may be used to trace to the location of the code error before merging the error information with the same execution path information, thereby locating the error information within two execution nodes. Since the node where the error occurs is not necessarily the true error position, the error position of the code can be further traced according to the type of the thrown error. In the embodiment of the present specification, a root cause (such as group boundary crossing, read-write abnormality, network connection abnormality, and the like) causing the test failure is referred to as a primary error, and a subsequent code execution error caused by a propagation effect generated by the primary error and code operation is referred to as a secondary error.
In some implementation scenarios, after the error information is located in two execution nodes, the error information corresponding to the same execution path due to different conditions may be merged and then extracted therefromAnd eliminating secondary error information, and reserving a primary error information path so as to obtain an error information set. For example, in some implementation scenarios, all failure test success cases of a single method are analyzed, after all error information of the method is acquired, de-duplication and merging can be performed by taking a primary error occurrence position as a center due to consideration of possible repeated errors, and finally, an error information set of the method m is obtained
Wherein N ismIs the total error number for method M, and M represents how many methods there are in the class.
In some implementation scenarios, after the error information is obtained, the corresponding sub-matrix may be extracted from the execution matrix according to the execution path information corresponding to the error information. For example, in some embodiments, a new faulty execution matrix R may be formed by extracting corresponding numerical information from the execution matrix based on the faulty execution pathsubFurther, the entry and judgment information of each node in the error path is stored and executed, and the entry and judgment information comprises the entry type and the data information. Therefore, the error information can be stripped from the overall information, and the subsequent analysis is facilitated. The entry parameter may be understood as parameter information corresponding to the faulty execution path, and the determination information may be understood as code structure information corresponding to the faulty execution path.
In the embodiment of the present specification, after the error information set is obtained, the error information in the error information set may also be classified.
In some implementation scenarios, each error message in the error message set may be represented as a vector, and the classification of the error messages may be implemented by classifying the vectors. For example, in some implementation scenarios, the execution path information corresponding to a certain method may be recorded as an erroneous execution vector veThe code structure information is recorded as a code structure vector vcThe parameter information is recorded as a parameter vector vpIn this way, the error information set can be used for different error information of the same method and error information of different methods by the vector set v ═ v (v ═ v)e,vc,vp) To indicate. Wherein, the information covered by each error information can be restored through the vector group.
In some implementations, the error information in the error information set is concentrated by a vector set of v ═ v (v ═ v)e,vc,vp) After the representation, the error information can be finely classified based on the spectral clustering and simulated annealing algorithm. Specifically, an error classification model based on a multi-path spectral clustering algorithm can be established, and then the error classification model is solved based on a simulated annealing algorithm, so that different error information can be classified. In the embodiments of the present specification, a vector set v ═ (v) is usede,vc,vp) As an index for measuring the similarity of error messages.
In this implementation scenario, a vector group set consisting of V error information sets may be constructed as (V, E, w) directed graph G. Where V denotes a node of the directed graph, E denotes an arc between error information sets, and E ═ ee ═ (V ═ is providedw,vv),vw,vv∈V,vw≠vv},vwAnd vvFor two different sets of error information belonging to V, w represents the weight of the arc, with w ═ we|e∈E}。
In this implementation scenario, for directed graph GjDefining its weighted adjacency matrix AjThe dimension is o × o. Matrix AjThe elements in (A) are as follows:
wherein, a abovewvIs a weighted adjacency matrix AjValue of w-th row and v-th column element, xw、xvFor two non-identical points, σ is a gaussian kernel function.
In this implementation scenario, a degree matrix D may be definedjThe diagonal elements are:
the remaining elements are all 0. Wherein d is as defined abovewwDegree matrix DjValue of the w-th element of the w-th row, amnIs a weighted adjacency matrix AjThe value of the mth row and nth column elements.
In the present embodiment, LjIs a directed graph GjOf Laplace matrix, where Lj=Dj-Aj. The goal of spectral clustering is to cut the directed graph into k sub-graphs and ensure that the sum of the interval weights connecting the sub-graphs is minimal and the sum of the weights within the sub-graphs is large. Suppose the graph is cut into two subgraphs, for subgraphs I and I
Assume that the connection path set between the two is EcThen, there are:
wherein, aeIs the e-th element in the connection path set; e is an arc; m and n are different point positions.
In this implementation scenario, connection path set EcWeight of WcThe numerical values are:
the general parameter item set partitioning target function based on spectral clustering is as follows:
wherein G is a directed graph; k is the number of the dissected subgraphs.
In the implementation scenario, a multi-path canonical cut set criterion can be used as an implementation mode, and compared with other criteria, the implementation scenario has higher execution efficiency. The recognition model of the multi-path standard cut-set criterion is as follows:
wherein G is a directed graph, K is the number of the separation clusters, e and f are classification cluster indexes, and the sum of the weights among the sub-graphs is traversed; se and Sf represent sub-graphs,
the weight between the two subgraphs is u and t are indexes of elements in the subgraphs and are used for traversing the weight sum between the subgraphs and the whole subgraph; w is autThe weight between the sub-graph and the whole graph.
In the implementation scenario, after the identification model is established, two parameters to be optimized exist, one is a gaussian kernel function sigma, and the other is the number K of the separation clusters. To determine the optimal values of the parameters, the values of the two parameters can be optimized based on an optimization algorithm of simulated annealing. The simulated annealing algorithm receives a solution worse than the current solution with a certain probability, so that the local optimal solution may be jumped out to reach the global optimal solution.
Therefore, the constraint is:
wherein K is the number of the separation clusters, SKThe method is characterized in that the method is a subset of V, V is a node of a directed graph, n is iteration times, Te is a temperature threshold value, and eta is a temperature attenuation rate.
In this implementation scenario, the optimal error information classification can be obtained by iteratively solving the identification model, and it can be used to check whether a new code has a known error.
In the implementation scene, the classification of the error information is realized through the algorithm based on spectral clustering and simulated annealing, at the moment, the method can be used for some kind of error information E, and the method can be used for determining the E ═ v1,v2,v3... v a1,2,3.. a }, where a represents the number of such sets of error information vectors.
In this embodiment, after classifying the error information in the error information set, the target code may be detected based on the error information set, so as to determine whether a risk exists in the target code.
In some embodiments, before detecting the object code based on the error information set, whether a problem possibly caused exists in the object code may be statically scanned based on a rule base established by an industry or a technical department of a company, and when the problem does not exist, whether a risk exists in the object code may be detected based on the error information set. Of course, the above description is only exemplary, the way of statically scanning the target code is not limited to the above examples, and other modifications are possible for those skilled in the art in light of the technical spirit of the present application, and all that can be achieved is covered by the scope of the present application as long as the functions and effects achieved by the present application are the same as or similar to the present application.
In some embodiments, before detecting the target code based on the error information set, the method may include: performing structural transformation on the target code to obtain a directed graph corresponding to the target code; wherein the directed graph comprises running node information of the target code; and traversing the directed graph by using a breadth first algorithm to obtain the execution path information corresponding to the target code.
It should be noted that, for the specific implementation manner of performing the structural transformation on the object code and obtaining the execution path information corresponding to the object code, reference may be made to the description of the foregoing related method embodiment, which is not described in detail herein.
In some embodiments, the detecting the target code based on the error information set may include: detecting whether a first error information set matched with the code structure information of the target code exists in the error information set; when the first error information set exists, detecting whether a second error information set matched with the execution path information corresponding to the target code exists in the first error information set; and when the second error information set exists, detecting whether a third error information set matched with the parameter information corresponding to the target code exists in the second error information set.
In some implementation scenarios, when detecting the target code based on the error information set, the target code may be extracted nodally and then matched in the error information set. The specific matching sequence is as follows: the code structure vector v in the vector group corresponding to each error message in the error message setcComparing, if not matching, then not corresponding to the current error informationPerforming subsequent matching on the measurement group, and performing the next round of matching; if so, further performing with the error vector as veMatching, if not, then no longer performing subsequent matching with the vector group corresponding to the current error information, and performing the next round of matching; if matched, further matching with the parameter vector vpMatching is carried out; if the error information is matched with the target code, taking the error category corresponding to the error information as the error category corresponding to the target code, and further displaying the error category; if not, it can be determined that the target code has no risk corresponding to the error information in the error information set.
The classification of the existing error information set is described above, and it can be said that there is a ruler for measuring whether the checked code has an existing error. But there is a problem in that the degree to which the code under test matches a certain vector group of the error information set can only determine that it belongs to that type of error. In some implementation scenarios, in order to determine how well the matching is successful, a similarity threshold is set for each vector matching, and then whether each group of vectors is successfully matched can be determined by the similarity threshold.
In some implementation scenarios, three similarity thresholds (similarity thresholds corresponding to matching of code structure vectors, error execution vectors, and parameter vectors) may be trained using known error codes, and then when detecting whether there is a risk in the target code based on the error information set, based on the similarity thresholds of three times of matching, when the result of each matching exceeds the corresponding threshold, the next set of matching is performed, otherwise, it is directly determined that there is no risk corresponding to error information in the error information set, which is a new code type, in the target code, and then it may be considered whether a destructive test needs to be performed to find a problem.
In some implementation scenarios, the three similarity thresholds may be determined as follows: setting an initial similarity threshold, wherein the percentage number TPR of the total number of parameters with positive targets and positive results is greater than a preset value theta, iterative training can be performed by using an unconstrained optimization algorithm to obtain the target similarity threshold, and specifically, an L-BFGS algorithm (Limited memory-BFGS, Limited memory quasi-Newton algorithm) can be adopted. The L-BFGS is a memory-saving BFGS, and can be used for solving an optimization problem. The specific iterative process is as follows:
s21: inputting an initial similarity threshold delta0And a sample set B, wherein the sample set is a code class set of historical known error categories, and the output result is a target similarity threshold;
s22: when TPR is not more than theta, executing the step S23-step S27, otherwise executing the step S28;
s23: calculating a similarity threshold δ gradient:
wherein g is the gradient of the similarity threshold delta, i is the dimension, L is the derivative function, x(i)Is the component of the argument at i, y: (i)Is the component of the dependent variable at i;
s24: calculating a Hessian matrix;
s25: calculating the inverse H of the Hessian matrix-1;
S26: and (3) calculating and updating: Δ δ ← H-1g。
S27: application updating: δ ← δ + Δ δ.
S28: and when the similarity threshold obtained by iteration is basically not changed, outputting a result: a target similarity threshold δ.
In some implementations, the optimal similarity threshold δ is obtained whene、δc、δpThen, aiming at the new detected code, when the matching degrees of the three detections are respectively larger than deltae、δc、δpIf the similarity does not meet any similarity threshold, the existing error category is judged not to exist. Wherein, deltae、δc、δpRespectively representing similarity thresholds corresponding to the code structure vector, the error execution vector and the parameter vector.
In the embodiment of the present specification, by forming a code structure vector, an error execution vector, and a parameter vector into a vector group, the efficiency of classifying error information can be improved, and a large error class can be classified. By determining the corresponding similarity threshold values when matching the code structure vector, the error execution vector and the parameter vector by using the known error codes, the accuracy of code risk check can be effectively improved.
In some embodiments, when a risk is detected in the target code based on the set of error information, a countermeasure or modification suggestion may be extracted from the rule base and fed back to the code writer or other administrator. The rule base can store modification suggestions or measures corresponding to different error information in advance, code auditors and technicians can analyze the error information and give suggestions from a code design level, suggestions for developers to avoid developing similar codes next time are given, and for example, in order to prevent concurrent control problems of timing tasks, tasks should be locked to ensure that only one server executes the tasks at the same time node.
S4: determining whether to perform a destructive test on the target code based on a process control model in the absence of risk to the detection data; the process control model is established based on resource information, the generation time of the damage test case, the operation judgment time of the damage test case and the code error rate.
In this embodiment of the present specification, when there is no risk in the detection data, it may be determined whether to perform a destructive test on the target code based on the process control model, and then it may be determined whether there is a risk in the target code. The process control model may also be referred to as a process control decision model, and may be established based on the resource information, the destructive test case generation time, the destructive test case operation judgment time, and the code error rate. The process control model takes whether the method in the class executes the damage test as a decision variable and takes the cost as an output value. The resource information may refer to information such as cost, and the like.
Since the code submission speed and the number of codes are increased day by day under the influence of agile development, if matching, destructive testing and result output are performed on each code, the checking process of the codes is very complicated, and the research and development efficiency is influenced. To this end, in embodiments of the present specification, when it is determined that there is no risk in the target code based on the error information set, it may be determined whether to perform a destructive test on the target code based on the process control model. The process control model may seek a balance between quality and efficiency or favor a strategy. A balance point is understood to mean a point between optimum quality and optimum efficiency, at which the minimum total cost is achieved, at which the best possible partial optimum quality and optimum efficiency are achieved. In this embodiment, the sum of the cost for achieving the best efficiency and the cost for achieving the best quality may be referred to as a total cost. The development process focusing on Quality and photopic Efficiency may be referred to as Quality optimization (Quality optimization), and the development process focusing on Efficiency and photopic Efficiency may be referred to as Efficiency optimization (Efficiency optimization). The total cost may be represented by the symbol Z and the balance point coefficient may be represented by the symbol α.
In some embodiments, the process control model is established by first measuring quality and efficiency.
In this embodiment, for the quality measurement, the error rate of the method is used as a measurement index; for the measurement of efficiency, the generation time of the damage test case and the operation judgment time of the damage test case of the branch of the method are used as the measurement.
In this embodiment, for the efficiency measure, it can be assumed that there are U methods for one class C, and denoted as C ═ f u1,2,3. For method fuIn terms of there are K execution paths, denoted Ru={ r k1,2,3. For a single execution path, the generation time and the operation judgment time of the damage test case can be respectively expressed as
At this time, for the efficiency measure, the cost expense is represented as ZeIs provided with
For the quality metric, one can assume a class C method fuCode error rate ofuHas a muu=nerrorK, wherein nerrorRepresentation method fuNumber of anomalies that the destructive test occurs. At this time, for one class, the cost of mass cost is represented as ZqIs provided with
The total cost model may be expressed as Z ═ α Z for the entire object codee+(1-α)Zq+β0。
Substituting the above equation, the total cost model can be expressed as:
where α represents a balance point coefficient, ωb、ωr、ωeCoefficients, beta, representing the time of generating a failure test case, the time of judging the operation, and the error rate of the code, respectively0Representing the scan time of the code average.
The corresponding constraints are:
0≤α≤1
C={fu|u=1,2,3,...,U}
Ru={rk|k=1,2,3,...,K}
ωb、ωr、ωe>0
0≤μ≤1
in the above-described embodiment, by quantifying the measures of quality and efficiency, it is possible to establish whether to perform the destructive test in relation to the total cost (process control model). By solving the model, the minimum cost of the whole process can be realized under the condition of a specific balance point coefficient, namely a strategy.
In some embodiments, the model created above may be solved based on a genetic algorithm. The genetic algorithm is based on alternative solutions to carry out crossing, mutation, selection and heredity to realize gradual optimization. Specifically, in the crossing process, it can be assumed that the crossing probability of each iteration is pcrossTo ensure the proper operation of the intersection, it can be assumed that: 1) the gene fragment is not divisible, and takes a group of genes (individuals) as a cross basic unit; 2) if the two gene point phases are the same, the crossing does not occur, and the crossing is directly transmitted to the filial generation, otherwise, the crossing is implemented. During mutation, it can be assumed that each chromosome has p in each generationmutationThe mutation process is 0,1 interchange, and the mutation position is random. The selection process is to enable good individuals to be inherited, and a conventional roulette method can be adopted, wherein the individual fitness is an objective function, and the total fitness is Z (psi) assuming that the fitness of a certain individual is ZtotalThen the likelihood of selecting an individual is:
in this embodiment, when the established model is solved based on a genetic algorithm, whether a damage test is performed on each method in the class C as a solving object (i.e., a decision variable) is 1 if the damage test is performed, and otherwise, the damage test is 0. Defining a variable ΨcTo refer to a set of execution results, having Ψc={φuU }, where Φ is 1,2,3uIndicating whether a method U executes a damage test, wherein U represents the number of methods in the class C; define the population omegaTFor the Tth generation, there is Ω for each populationT={Ψ1,Ψ2,Ψ3,..., Ψ d1,2,3.., D }, where D represents the number of populations. Thus, solving the established model based on genetic algorithm can be performed for ΨcThe solutions in (1) perform a crossover, mutation process, then calculate the fitness (i.e. model function value) of each solution, and finally decide which solutions can be inherited based on the fitness. The concrete solving steps are as follows:
step 1: initializing relevant parameters, and generating a dynamic test set, namely a population, based on random numbers;
step 2: calling a checking module based on different strategies, and running out related data to obtain related data for calculating the fitness;
step 3: calculating the fitness of individuals and groups based on the data result;
step 4: carrying out mutation, crossing and selection operations on individuals in the population to generate a new population set;
step 5: judging the iteration times, if the iteration times exceed the iteration times, turning to Step6, and otherwise, turning to Step 2;
step 6: and outputting the optimal operation strategy.
In the embodiment of the specification, the established model is solved based on a genetic algorithm, so that a user can intelligently evaluate different method classes under the condition of customizing a balance point, balance is sought in quality and efficiency, and the requirement of lowest operation cost is met.
In the embodiment of the description, by establishing a process control model based on efficiency and quality, a balance point strategy can be dynamically adjusted according to current research and development requirements, and a relatively optimal destructive test execution strategy is obtained, so that the local optimization of code quality and pipeline efficiency can be ensured, and the global optimization of comprehensive cost can be ensured.
S6: and under the condition that the damage test is determined to be executed on the target code, generating a damage test case based on the running node information and the execution path information corresponding to the target code.
In this embodiment of the present description, when it is determined to perform a destructive test on a target code, a destructive test case may be generated based on running node information and execution path information corresponding to the target code.
In some embodiments, the generating a damage test case based on the running node information and the execution path information corresponding to the target code may include: simulating external dependency information in the target code by using PowerMockito; designing a destructive test input based on the operating node information; based on the execution path information and the destructive testing input, a test case is generated by using a reflection tool and a code template generation tool.
It should be noted that, the specific implementation manner of generating the damage test case may refer to the description of the foregoing related method embodiment, and details are not described here.
In some embodiments, the determination to perform the destructive test on the target code may be performed within a predetermined time. The predetermined time may be set according to an actual scene, for example, the predetermined time may be executed at night or at other idle time, and the present specification does not limit this.
In some embodiments, the results of the detection with the set of error information may be output when it is determined that the corruption test is not to be performed on the target code.
S8: and executing the damage test case to obtain an execution result corresponding to the target code.
In the embodiment of the present description, after the destructive test case is generated, the destructive test case may be executed to obtain an execution result corresponding to the target code. The execution result may or may not include error information. The error information may include execution path information, code structure information, parameter information, depth, error type, error stack information, and the like corresponding to the error occurring during the process of executing the destructive test case.
In some embodiments, after generating the damage test case, the damage test case may be executed based on Junit to obtain an execution result corresponding to the target code.
S10: determining whether the target code is at risk based on the execution result.
In the embodiments of the present specification, after obtaining the execution result corresponding to the target code, it may be determined whether the target code is at risk based on the execution result.
In some embodiments, the determining whether the target code is at risk based on the execution result may include: judging whether error information exists in the execution result; updating the set of error information based on the error information when the determining exists. When the execution result has error information, it can be shown that the target code has risk.
In some implementation scenarios, when it is determined that error information exists in the execution result, the error information can be automatically collected and stored in a warehouse, so that a self-learning and self-supplementing mechanism of an error library is realized, a data basis is provided for subsequent updating of an error information set, and data is provided for technicians to expand a rule library.
The method in the embodiment of the specification can be introduced in a plug-in mode, the non-invasive triggering of the pipeline is achieved, dynamic risk check is carried out according to codes submitted by developers, and the check result is fed back to the pipeline (such as Jenkins pipelines). The Jenkins assembly line is a set of plug-in components, and the landing and implementation of continuous delivery information can be achieved.
The embodiment of the present specification can be applied to a software architecture including a storage module, a logical operation module, and an interaction module. The storage module can mainly store required relevant basic data, calculation results of an optimization part and all required relevant parameters, and can be developed through an ORACLE database and a mangoDB at present. The logic operation module mainly comprises three functions: (1) interacting with a storage module, storing operation result information, reading various basic information, wherein the operation result information can be developed based on JAVA, and the interaction with the storage module can adopt JPA (Java Persistence API) as an ORM (object Relational mapping) framework; (2) implementing logical computation: the part mainly carries out numerical calculation and algorithm flow control; (3) providing data transfer for the interaction module: as a hierarchy between the presentation layer and the storage layer, the logical operation layer may receive an API (Application Programming Interface) request initiated by the interaction layer, and return corresponding data. The interaction module mainly comprises three functions: (1) code dynamic risk checking: extracting running node information and execution path information of the code information based on the code information submitted by the current user, and performing matching and dynamic damage test on an existing error information set; (2) information push: assembling possible error information based on the output of (1), extracting corresponding measures or modification suggestions from a rule base, and returning to the constructed production line; (3) and (3) updating a rule base: and analyzing the unknown errors in a batch mode by the background, executing a corresponding algorithm and providing the algorithm for a technical administrator for further analysis. Currently, front-end technology is developed using the open source framework vue.
In the embodiment of the specification, the service codes in the code library are analyzed, the destructive test case is generated based on the open source tool component, the tested codes are subjected to destructive test, relevant information can be obtained when the destructive test is successful, potential running problems can be found, the potential problem discovery capability can be improved, and a foundation can be laid for problem classification and effective suggestion.
In the embodiment of the specification, a large number of error sets can be obtained by performing a damage test on a tested code, and by classifying the errors, the error types can be determined, so that a data basis is provided for the subsequent updating of a rule base, a direction is indicated for avoiding errors by technicians, and a certain support is provided for technical departments in updating code development specifications.
In the embodiment of the specification, when a new user code is scanned, the error type is judged by scanning the code structure and the dynamic destruction test, so that the repeated destruction can be effectively avoided, error information is provided for a technical department, and data and guidance are provided for increasing code development specifications.
In the embodiment of the description, by establishing a process control model based on efficiency and quality, a balance point strategy can be dynamically adjusted according to current research and development requirements, and a relatively optimal destructive test execution strategy is obtained, so that the local optimization of code quality and pipeline efficiency can be ensured, and the global optimization of comprehensive cost can be ensured.
In the embodiment of the specification, a Jenkins pipeline triggered by Git submission operation can effectively check code risks while being non-intrusive, and a new thought is provided for improving code quality and avoiding slow test progress caused by low-level problems.
It is to be understood that the foregoing is only exemplary, and the embodiments of the present disclosure are not limited to the above examples, and other modifications may be made by those skilled in the art within the spirit of the present disclosure, and the scope of the present disclosure is intended to be covered by the claims as long as the functions and effects achieved by the embodiments are the same as or similar to the present disclosure.
From the above description, it can be seen that the embodiment of the application may acquire the target code, detect the target code based on the error information set, and obtain the detection data, where the detection data indicates whether the target code has a risk. Further, under the condition that the detected data has no risk, whether a damage test is executed on the target code is determined based on the process control model, when the damage test is determined to be executed on the target code, a damage test case can be generated based on the running node information and the execution path information corresponding to the target code, the damage test case is further executed, an execution result corresponding to the target code is obtained, and whether the target code has the risk is determined based on the execution result; the process control model is established based on the resource information, the generation time of the damage test case, the operation judgment time of the damage test case and the code error rate. According to the method and the device, the target code can be selectively subjected to the damage test based on the process control model, so that the code risk detection efficiency can be improved, and the product code quality can be guaranteed.
In the present specification, each embodiment of the method is described in a progressive manner, and the same and similar parts in each embodiment may be joined together, and each embodiment focuses on the differences from the other embodiments. Reference is made to the description of the method embodiments.
Based on the code risk checking method, one or more embodiments of the present specification further provide a code risk checking device. The apparatus may include systems (including distributed systems), software (applications), modules, components, servers, clients, etc. that use the methods described in the embodiments of the present specification in conjunction with any necessary apparatus to implement the hardware. Based on the same innovative conception, embodiments of the present specification provide an apparatus as described in the following embodiments. Since the implementation scheme of the apparatus for solving the problem is similar to that of the method, the specific implementation of the apparatus in the embodiment of the present specification may refer to the implementation of the foregoing method, and repeated details are not repeated. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Specifically, fig. 3 is a schematic block diagram of an embodiment of a code risk check device provided in this specification, and as shown in fig. 3, the code risk check device provided in this specification may include: the system comprises an acquisition module 120, a detection module 122, a first determination module 124, a generation module 126, an execution module 128 and a second determination module 130.
An obtaining module 120, which may be configured to obtain an object code;
a detection module 122, configured to detect the target code based on an error information set, and obtain detection data; the detection data represents whether the target code is at risk;
a first determining module 124, which may be configured to determine whether to perform a destructive test on the target code based on a process control model if the detection data is not at risk; the process control model is established based on resource information, the generation time of the damage test case, the operation judgment time of the damage test case and the code error rate;
the generating module 126 may be configured to generate a destructive test case based on the running node information and the execution path information corresponding to the target code, when it is determined that a destructive test is performed on the target code;
an execution module 128, configured to execute the destructive test case to obtain an execution result corresponding to the target code;
a second determining module 130, configured to determine whether the target code is at risk based on the execution result.
It should be noted that the above-mentioned description of the apparatus according to the method embodiment may also include other embodiments, and specific implementation manners may refer to the description of the related method embodiment, which is not described herein again.
The present specification also provides an embodiment of a code risk checking device comprising a processor and a memory for storing processor-executable instructions, which when executed by the processor implement steps comprising: acquiring a target code; detecting the target code based on an error information set to obtain detection data; the detection data represents whether the target code is at risk; determining whether to perform a destructive test on the target code based on a process control model in the absence of risk to the detection data; the process control model is established based on resource information, the generation time of the damage test case, the operation judgment time of the damage test case and the code error rate; under the condition that the damage test is determined to be executed on the target code, generating a damage test case based on the running node information and the execution path information corresponding to the target code; executing the damage test case to obtain an execution result corresponding to the target code; determining whether the target code is at risk based on the execution result.
It should be noted that the above-mentioned apparatuses may also include other embodiments according to the description of the method or apparatus embodiments. The specific implementation manner may refer to the description of the related method embodiment, and is not described in detail herein.
The method embodiments provided in the present specification may be executed in a mobile terminal, a computer terminal, a server or a similar computing device. Taking an example of the code risk checking server running on a server, fig. 4 is a hardware structure block diagram of an embodiment of a code risk checking server provided in this specification, where the server may be a code risk checking device or a code risk checking device in the above embodiment. As shown in fig. 4, the server 10 may include one or more (only one shown) processors 100 (the processors 100 may include, but are not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA, etc.), a memory 200 for storing data, and a transmission module 300 for communication functions. It will be understood by those skilled in the art that the structure shown in fig. 4 is only an illustration and is not intended to limit the structure of the electronic device. For example, the server 10 may also include more or fewer components than shown in FIG. 4, and may also include other processing hardware, such as a database or multi-level cache, a GPU, or have a different configuration than shown in FIG. 4, for example.
The memory 200 may be used to store software programs and modules of application software, such as program instructions/modules corresponding to the code risk checking method in the embodiments of the present specification, and the processor 100 executes various functional applications and data processing by executing the software programs and modules stored in the memory 200. Memory 200 may include high speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, memory 200 may further include memory located remotely from processor 100, which may be connected to a computer terminal through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission module 300 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal. In one example, the transmission module 300 includes a Network adapter (NIC) that can be connected to other Network devices through a base station so as to communicate with the internet. In one example, the transmission module 300 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The method or apparatus provided by the present specification and described in the foregoing embodiments may implement service logic through a computer program and record the service logic on a storage medium, where the storage medium may be read and executed by a computer, so as to implement the effect of the solution described in the embodiments of the present specification. The storage medium may include a physical device for storing information, and typically, the information is digitized and then stored using an electrical, magnetic, or optical media. The storage medium may include: devices that store information using electrical energy, such as various types of memory, e.g., RAM, ROM, etc.; devices that store information using magnetic energy, such as hard disks, floppy disks, tapes, core memories, bubble memories, and usb disks; devices that store information optically, such as CDs or DVDs. Of course, there are other ways of storing media that can be read, such as quantum memory, graphene memory, and so forth.
The embodiments of the code risk checking method and apparatus provided in this specification may be implemented in a computer by a processor executing corresponding program instructions, for example, implemented in a PC end using a c + + language of a windows operating system, implemented in a linux system, or implemented in an intelligent terminal using android, iOS system programming languages, implemented in processing logic based on a quantum computer, or the like.
It should be noted that descriptions of the apparatus, the device, and the system described above according to the related method embodiments may also include other embodiments, and specific implementations may refer to descriptions of corresponding method embodiments, which are not described in detail herein.
The embodiments in the present application are described in a progressive manner, and the same and similar parts among the embodiments can be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the hardware + program class embodiment, since it is substantially similar to the method embodiment, the description is simple, and the relevant points can be referred to the partial description of the method embodiment.
For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, when implementing one or more of the present description, the functions of some modules may be implemented in one or more software and/or hardware, or the modules implementing the same functions may be implemented by a plurality of sub-modules or sub-units, etc.
The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus, devices, systems according to embodiments of the invention. It will be understood that the implementation can be by computer program instructions which can be provided to a processor of a general purpose computer, special purpose computer, embedded processor or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified. These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
As will be appreciated by one skilled in the art, one or more embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects.
The above description is merely exemplary of one or more embodiments of the present disclosure and is not intended to limit the scope of one or more embodiments of the present disclosure. Various modifications and alterations to one or more embodiments described herein will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims.
Claims (10)
1. A code risk checking method, comprising:
acquiring a target code;
detecting the target code based on an error information set to obtain detection data; the detection data represents whether the target code is at risk;
determining whether to perform a destructive test on the target code based on a process control model in the absence of risk to the detection data; the process control model is established based on resource information, the generation time of the damage test case, the operation judgment time of the damage test case and the code error rate;
under the condition that the damage test is determined to be executed on the target code, generating a damage test case based on the running node information and the execution path information corresponding to the target code;
executing the damage test case to obtain an execution result corresponding to the target code;
determining whether the target code is at risk based on the execution result.
2. The method of claim 1, wherein the set of error information is obtained by:
acquiring a service code included in an application code library;
carrying out structural transformation on the service codes to obtain a directed graph corresponding to the service codes; wherein the directed graph comprises operation node information of the service code; the operation node information comprises parameter information and code structure information;
traversing the directed graph by using a breadth first algorithm to obtain execution path information corresponding to the service code;
generating a damage test case based on the operation node information and the execution path information;
executing the damage test case to acquire error information; the error information comprises corresponding execution path information, code structure information and parameter information when an error occurs in the process of executing the damage test case;
and preprocessing the error information to obtain an error information set.
3. The method of claim 2, wherein preprocessing the error information to obtain an error information set comprises:
merging error information with the same execution path information;
and removing the secondary error information from the combined error information set to obtain an error information set.
4. The method of claim 1, wherein before detecting the target code based on the set of error information, the method comprises:
performing structural transformation on the target code to obtain a directed graph corresponding to the target code; wherein the directed graph comprises running node information of the target code;
and traversing the directed graph by using a breadth first algorithm to obtain the execution path information corresponding to the target code.
5. The method of claim 4, wherein the detecting the object code based on the error information set comprises:
detecting whether a first error information set matched with the code structure information of the target code exists in the error information set;
when the first error information set exists, detecting whether a second error information set matched with the execution path information corresponding to the target code exists in the first error information set;
and when the second error information set exists, detecting whether a third error information set matched with the parameter information corresponding to the target code exists in the second error information set.
6. The method of claim 1, wherein generating the damage test case based on the running node information and the execution path information corresponding to the target code comprises:
simulating external dependency information in the target code by using PowerMockito;
designing a destructive test input based on the operating node information;
based on the execution path information and the destructive testing input, a test case is generated by using a reflection tool and a code template generation tool.
7. The method of claim 1, wherein determining whether the target code is at risk based on the execution result comprises:
judging whether error information exists in the execution result;
updating the set of error information based on the error information when the determining exists.
8. A code risk check device, comprising:
the acquisition module is used for acquiring a target code;
the detection module is used for detecting the target code based on an error information set to obtain detection data; the detection data represents whether the target code is at risk;
a first determination module, configured to determine whether to perform a destructive test on the target code based on a process control model if the detection data is not at risk; the process control model is established based on resource information, the generation time of the damage test case, the operation judgment time of the damage test case and the code error rate;
the generating module is used for generating a damage test case based on the running node information and the execution path information corresponding to the target code under the condition that the damage test is determined to be executed on the target code;
the execution module is used for executing the damage test case and obtaining an execution result corresponding to the target code;
a second determination module to determine whether the target code is at risk based on the execution result.
9. A code risk checking device comprising at least one processor and a memory storing computer executable instructions which when executed by the processor implement the steps of the method of any one of claims 1 to 7.
10. A computer-readable storage medium having stored thereon computer instructions which, when executed, implement the steps of the method of any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110289057.8A CN112783513B (en) | 2021-03-18 | 2021-03-18 | Code risk checking method, device and equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110289057.8A CN112783513B (en) | 2021-03-18 | 2021-03-18 | Code risk checking method, device and equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112783513A true CN112783513A (en) | 2021-05-11 |
| CN112783513B CN112783513B (en) | 2024-02-27 |
Family
ID=75762676
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110289057.8A Active CN112783513B (en) | 2021-03-18 | 2021-03-18 | Code risk checking method, device and equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112783513B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113342353A (en) * | 2021-07-01 | 2021-09-03 | 银联商务股份有限公司 | Mock data generation method and device |
| US20230195558A1 (en) * | 2021-12-17 | 2023-06-22 | Bank Of America Corporation | System and method for continuous failure prediction and remediation within a computational environment using independent execution units |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106294149A (en) * | 2016-08-09 | 2017-01-04 | 北京邮电大学 | A kind of method detecting Android application component communication leak |
| CN111783104A (en) * | 2020-07-02 | 2020-10-16 | 北京自如信息科技有限公司 | Vulnerability checking method, vulnerability checking method and device for continuous integrated codes |
| US20210011840A1 (en) * | 2019-01-03 | 2021-01-14 | Boe Technology Group Co., Ltd. | Software testing method, system, apparatus, device medium, and computer program product |
| CN112257054A (en) * | 2020-10-22 | 2021-01-22 | 北京邮电大学 | Software application unauthorized risk detection method, electronic equipment and storage medium |
-
2021
- 2021-03-18 CN CN202110289057.8A patent/CN112783513B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106294149A (en) * | 2016-08-09 | 2017-01-04 | 北京邮电大学 | A kind of method detecting Android application component communication leak |
| US20210011840A1 (en) * | 2019-01-03 | 2021-01-14 | Boe Technology Group Co., Ltd. | Software testing method, system, apparatus, device medium, and computer program product |
| CN111783104A (en) * | 2020-07-02 | 2020-10-16 | 北京自如信息科技有限公司 | Vulnerability checking method, vulnerability checking method and device for continuous integrated codes |
| CN112257054A (en) * | 2020-10-22 | 2021-01-22 | 北京邮电大学 | Software application unauthorized risk detection method, electronic equipment and storage medium |
Non-Patent Citations (1)
| Title |
|---|
| 韩;吴波;辛丹;: "一种动静结合的高代码覆盖率模糊测试方法", 信息安全研究, no. 08, 5 August 2016 (2016-08-05) * |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113342353A (en) * | 2021-07-01 | 2021-09-03 | 银联商务股份有限公司 | Mock data generation method and device |
| CN113342353B (en) * | 2021-07-01 | 2023-05-23 | 银联商务股份有限公司 | Mock data generation method and device |
| US20230195558A1 (en) * | 2021-12-17 | 2023-06-22 | Bank Of America Corporation | System and method for continuous failure prediction and remediation within a computational environment using independent execution units |
| US11892903B2 (en) * | 2021-12-17 | 2024-02-06 | Bank Of America Corporation | System and method for continuous failure prediction and remediation within a computational environment using independent execution units |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112783513B (en) | 2024-02-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP3508981B1 (en) | Touchless testing platform | |
| US11681925B2 (en) | Techniques for creating, analyzing, and modifying neural networks | |
| US20190370659A1 (en) | Optimizing neural network architectures | |
| CN111274134A (en) | Vulnerability identification and prediction method and system based on graph neural network, computer equipment and storage medium | |
| Le et al. | Deepcva: Automated commit-level vulnerability assessment with deep multi-task learning | |
| US20230273775A1 (en) | Remote application modernization | |
| US11640539B2 (en) | Techniques for visualizing the operation of neural networks using samples of training data | |
| CN108491228A (en) | A kind of binary vulnerability Code Clones detection method and system | |
| WO2021223215A1 (en) | Automated decision platform | |
| CN111475820A (en) | Binary vulnerability detection method and system based on executable program and storage medium | |
| CN109828750B (en) | Method and device for automatically configuring data embedded points, electronic equipment and storage medium | |
| CN112783513A (en) | Code risk checking method, device and equipment | |
| CN105765561A (en) | Determination of production vs. development uses from tracer data | |
| CN114036531A (en) | Multi-scale code measurement-based software security vulnerability detection method | |
| US11550703B2 (en) | Test package analyzer | |
| CN114157507A (en) | Cloud service vulnerability analysis method and artificial intelligence system adopting big data analysis | |
| Li et al. | Automatic identification of assumptions from the hibernate developer mailing list | |
| US20210149793A1 (en) | Weighted code coverage | |
| CN111582313A (en) | Sample data generation method and device and electronic equipment | |
| US11853196B1 (en) | Artificial intelligence driven testing | |
| CN114780443A (en) | Micro-service application automatic test method and device, electronic equipment and storage medium | |
| CN115906089B (en) | Vulnerability detection method and system based on binary function similarity | |
| US20220358400A1 (en) | Probing Model Signal Awareness | |
| CN117151247B (en) | Method, apparatus, computer device and storage medium for modeling machine learning task | |
| CN117556425B (en) | Intelligent contract vulnerability detection method, system and equipment based on graph neural network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |