CN114116471A - Automatic code scanning method, system, electronic equipment and storage medium - Google Patents

Info

Publication number: CN114116471A
Application number: CN202111392774.XA
Authority: CN (China)
Prior art keywords: code scanning, code, software, tool, scanning tool
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 梁冰, 刘晓玲, 路小菲, 袁楚尧, 钱戈, 徐雄, 张萍
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd; priority to CN202111392774.XA; publication of CN114116471A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/36 Preventing errors by testing or debugging software
    • G06F 11/3604 Software analysis for verifying properties of programs

Abstract

The invention provides an automatic code scanning method, an automatic code scanning system, an electronic device and a storage medium. A variable acquisition module, a code scanning tool matching module, a code scanning task management module, a code scanning task execution module and a code scanning result management module are provided. The variables required to configure a code scanning tool are acquired while a software security test pipeline runs; a code scanning tool selection instruction matching the project requirements of the pipeline is then resolved from those variables according to a built-in matching rule; a code scanning tool is selected according to the selection instruction and a corresponding code scanning task is created; and the task is automatically deployed into the software security test pipeline to execute software code scanning. The method and system can therefore execute software code scanning at different stages of software development and select the code scanning tool automatically when code changes, so that users can find code quality and security problems as early as possible in the software development stage.

Description

Automatic code scanning method, system, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of software testing technologies, and in particular, to an automated code scanning method, system, electronic device, and storage medium.
Background
The main work of software code security detection is to analyze the source code files of a system and locate the code structures that cause security vulnerabilities. In recent years, security testing of source code has developed considerably and is divided into static testing and dynamic testing. Static code analysis is relatively mature and its advantages are obvious: it is efficient, automated and low-cost, and it can perform security analysis on the program under test without running it. The static test method uses static analysis to collect the relevant information and code characteristics of the program and makes corresponding judgments without executing the program. Common static test methods currently include lexical and syntactic analysis, semantic analysis based on an abstract syntax tree, rule-check analysis, data-flow and control-flow analysis, string matching, and modeling analysis. The lexical and syntactic analysis method performs lexical and syntactic analysis on the source code and marks possible security problems by comparison against a configured security vulnerability library. The semantic analysis method based on the abstract syntax tree scans the source code, constructs an abstract syntax tree from the scanning result, inductively refines the constructed tree, extracts the code core, examines the semantic information of the code, performs global, module-level and local analysis of the code, and detects security vulnerabilities.
Rule detection is in fact rule comparison: according to international security vulnerability definitions, some universal vulnerabilities are described in a specific syntax, analyzed and converted through an intermediate file into an acceptable internal code representation, and the required information acquired after source code scanning is matched against the written code rules to find describable source code security vulnerabilities. This method is widely used and can discover security vulnerabilities in code relatively accurately. The data-flow and control-flow analysis method is a code logic analysis method that acquires and analyzes variables along the code logic path and detects whether a variable is used unsafely. It handles a large volume of detection data and works well for code memory errors; at present it is mostly used as an auxiliary testing method.
Static code scanning is one part of software code security detection. By scanning and analyzing the semantic structure of the code, it finds problems introduced while the code was written and provides a corresponding solution for each defect, so that code quality is ensured while a large amount of labor and time cost is saved. The goal of static code scanning is to find as many problems as possible during development, since the later a bug is found in development, the greater the cost of repair; statistics show that 30% to 70% of code logic design and coding defects can be found and repaired by static code analysis across the software development lifecycle.
Defects in code can be found comprehensively and quickly with a code scanning tool, which analyzes the source code from several aspects, such as data flow, control flow, semantics, structure and configuration, using predefined rules. At present, the code scanning flow of a DevOps-based software development platform selects a scanning tool and performs the corresponding development configuration according to the project technology stack and security requirements. When a project introduces a new development language or selects a new scanning tool, reconfiguration and adjustment are required, and users cannot freely choose the combination and execution order of security testing tools according to the characteristics of the application project, which limits flexible application of the code scanning flow and reduces software security testing efficiency and quality.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The present disclosure is directed to an automated code scanning method and system that overcome, at least to some extent, the problem in the related art that a code scanning tool and version cannot be selected automatically according to the different stages of software development and the code change situation.
According to one aspect of the present disclosure, there is provided an automated code scanning method, comprising:
acquiring the variables required to configure a code scanning tool when a software security test pipeline runs;
resolving a code scanning tool selection instruction matching the project requirements of the software security test pipeline according to a built-in matching rule and the variables required by the code scanning tool;
selecting a code scanning tool according to the code scanning tool selection instruction and creating a corresponding code scanning task;
automatically deploying the code scanning task into the software security test pipeline to execute software code scanning;
and acquiring the software code scanning result and forming a software code scanning report.
In an exemplary embodiment of the present disclosure, the variables required by the code scanning tool include a code repository address, a code repository branch, a code repository version, a development language, a trigger event, a compilation instruction, a pipeline type, and an execution cycle. The matching rules include code repository addresses, code repository branches, development language, compilation instructions, pipeline types, and execution cycles. The code scanning tool selection instruction comprises the Docker image name of the scanning tool, scanning tool authentication information, a scanning rule set, a scanning instruction and scanning tool parameters.
According to one aspect of the present disclosure, there is provided an automated code scanning system comprising:
a variable acquisition module, configured to acquire the variables required to configure the code scanning tool when the software security test pipeline runs;
a code scanning tool matching module, configured to resolve a code scanning tool selection instruction matching the project requirements of the software security test pipeline according to a built-in matching rule and the variables required by the code scanning tool;
a code scanning task management module, configured to select a code scanning tool according to the code scanning tool selection instruction and create a corresponding code scanning task;
a code scanning task execution module, configured to automatically deploy the code scanning task to the software security test pipeline to execute software code scanning;
and a code scanning result management module, configured to acquire the software code scanning result and form a software code scanning report.
In an exemplary embodiment of the present disclosure, the code scanning tool exposes an API.
In an exemplary embodiment of the present disclosure, the code scanning task execution module runs a Docker container.
In one exemplary embodiment of the present disclosure, the software security test pipeline is provided in a DevOps software development platform.
In an exemplary embodiment of the disclosure, the code scanning task execution module includes a quality detection module.
In an exemplary embodiment of the present disclosure, the code scan result management module includes a system administrator management module, a debugging personnel management module, and a report generation module.
According to an aspect of the present disclosure, there is provided an electronic device including:
a memory; and
a processor coupled to the memory, the processor configured to perform the automated code scanning method as described above based on instructions stored in the memory.
According to an aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon a program which, when executed by a processor, implements an automated code scanning method as described above.
In the disclosed embodiment, a variable acquisition module, a code scanning tool matching module, a code scanning task management module, a code scanning task execution module and a code scanning result management module are provided. After the variables required to configure the code scanning tool are acquired while the software security test pipeline runs, a code scanning tool selection instruction matching the project requirements of the pipeline is resolved from those variables according to a built-in matching rule; the code scanning tool is selected according to the selection instruction and a corresponding code scanning task is created; and the task is automatically deployed to the software security test pipeline to execute the software code scanning. The automated code scanning method and system support multiple scanning tools, the code scanning tool can be selected automatically according to the different stages of software development and the code change situation, and users can find code quality and security problems as early as possible in the software development stage.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
FIG. 1 schematically illustrates a flow chart of one automated code scanning method 100 of the present disclosure.
Fig. 2 schematically shows a flow chart of the rule matching step in fig. 1.
FIG. 3 schematically illustrates a schematic diagram of an automated code scanning system 300 of the present disclosure.
Fig. 4 schematically shows the modules built into the code scan result management module in fig. 3.
Fig. 5 schematically shows a management flowchart built into the system administrator management module in fig. 4.
Fig. 6 schematically shows a management flowchart built into the debugging personnel management module in fig. 4.
Fig. 7 schematically shows a management flowchart built into the report generation module in fig. 4.
Fig. 8 schematically illustrates a block diagram of an electronic device 800 in an exemplary embodiment of the disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and the like. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
Further, the drawings are merely schematic illustrations of the present disclosure, in which the same reference numerals denote the same or similar parts, and thus, a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The following detailed description of exemplary embodiments of the disclosure refers to the accompanying drawings.
FIG. 1 schematically illustrates a flow chart of one automated code scanning method 100 of the present disclosure.
Referring to FIG. 1, an automated code scanning method 100 may include:
step S102, obtaining the variables required to configure a code scanning tool when a software security test pipeline runs;
step S104, resolving a code scanning tool selection instruction matching the project requirements of the software security test pipeline according to a built-in matching rule and the variables required by the code scanning tool;
step S106, selecting a code scanning tool according to the code scanning tool selection instruction and creating a corresponding code scanning task;
step S108, automatically deploying the code scanning task to the software security test pipeline to execute software code scanning;
and step S110, acquiring the software code scanning result and forming a software code scanning report.
Code is an important component of a software product, and the quality of the code reflects the quality of the software. As a team gradually grows and its members change, a decline in code quality is unavoidable, so the platform was developed inside the company to maintain the quality of existing code while strictly controlling the quality of new code, providing an automated control platform for overall code quality. Code quality refers to the quality of the code itself and includes elements such as complexity, duplication rate and code style. Code is the common property of the team, and code quality is a direct embodiment of the team's technical and management level. Degradation of code quality is usually self-reinforcing and leads to a vicious circle.
Most teams draw up a coding standard at the start of project development, but many members ignore the standard and write code arbitrarily during the project, and such arbitrary code reduces the readability, maintainability and changeability of the code. To solve these problems and the potential problems behind them, a platform that makes code quality visible is necessary to strictly control the quality of the product code, so that both the code already online and newly produced code are gradually converted into high-quality code. High-quality code needs to have the following characteristics: clear logic, so that bugs are hard to hide; minimal dependencies, so that it is easy to maintain; error handling that follows an explicit policy; optimized performance; and encapsulated code that does only one thing. These characteristics are easy to understand but not easy to achieve in practice, so a code quality control platform is established inside the company to assist code management, which can reduce manual effort to a large extent.
According to the method and the system for automatically scanning the codes, the code scanning tool is automatically selected according to different stages of software development and code change conditions, so that a user can find the code quality and safety problems as early as possible in the software development stage. By the automatic code scanning method 100 of the embodiment of the disclosure, submitted codes can be evaluated and fed back in real time, so that developers can receive related messages in time to perform a series of quality assurance works, the overall code quality can be improved, and codes written by the developers can be gradually normalized to improve the working efficiency.
The steps of the automated code scanning method 100 are described in detail below.
Step S102: obtaining the variables required to configure the code scanning tool when the software security test pipeline runs.
The variables required by the code scanning tool include the code repository address, code repository branch, code repository version, development language, trigger event, compilation instruction, pipeline type, execution cycle and the like, and serve as the input parameters of code scanning. The data collection of step S102 is embedded in the continuous integration pipeline as part of the pipeline's common function library.
Step S104: resolving a code scanning tool selection instruction matching the project requirements of the software security test pipeline according to a built-in matching rule and the variables required by the code scanning tool. The matching rules include code repository addresses, code repository branches, development language, compilation instructions, pipeline type, and execution cycles. The code scanning tool selection instruction comprises the Docker image name of the scanning tool, scanning tool authentication information, a scanning rule set, a scanning instruction and scanning tool parameters. The system administrator can also set which rules need to be checked and which do not each time a given language is scanned, and the matching rules are divided into different groups so that they can be conveniently selected during scanning and detection.
All code scanning and detection must follow rules agreed in advance: the system administrator can write rules, testers and developers can propose new rules, and the code is checked against the content of the rules during each scan.
Fig. 2 schematically shows a flow chart of the rule matching step in fig. 1.
Referring to fig. 2, the built-in rule matching step specifically includes: step S202, collecting rules; step S204, writing rules; step S206, compiling them into a rule base; and step S208, performing code scanning.
Step S106: selecting a code scanning tool according to the code scanning tool selection instruction and creating a corresponding code scanning task. Candidate code scanning tools include the SonarQube Community and Enterprise editions and Fortify, among others. SonarQube (Sonar) is an open source platform for code quality management. It is used to manage the quality of source code, can assess code quality along seven dimensions, manages most languages itself, and through plug-ins supports code quality management and detection for twenty programming languages, including Java, C#, C/C++, PL/SQL, Cobol, JavaScript and Groovy. Fortify SCA is a software source code security testing tool based on static analysis, developed by Fortify Software. It statically analyzes the application's source code in terms of data flow, semantics, structure, control flow, configuration flow and the like, and during the analysis comprehensively matches and searches against a dedicated software security vulnerability rule set, thereby scanning out the security vulnerabilities present in the source code and producing a sorted report.
Specifically, the embodiment can perform secondary development of the static code scanning function on the SonarQube open source platform, which can scan most development languages and already contains some rules for those languages, which is convenient for users. Most of those rules cover problems frequently encountered in development, so although some common problems can be scanned, the company's internal detection rules are not covered; rules suited to the company's internal requirements therefore need to be added, and an independent scanning function needs to be added inside the security detection so that users can view a comprehensive code scanning report.
The automated code scanning method 100 supports multiple scanning tools (including code scanning that involves a compilation process) and generates a scanning command executable by the pipeline through a background module, so the pipeline implementation is simple and no development is needed for each individual scanning tool.
Steps S104 and S106 are embedded in a background management system that is independent of the pipeline; the background management system records the scan record and returns to the pipeline the data required to execute the code scan (the scan tool's Docker image name, authentication parameters, execution instructions and parameters, etc.). A tester can log in with a tester account, manage the different code scanning tasks after entering the background management system, set the visibility of different code scanning tasks to different developers, and locate the responsible developers to modify the code according to the problem classification.
Step S108: automatically deploying the code scanning task to the software security test pipeline to execute software code scanning.
Step S110: acquiring the software code scanning result and forming a software code scanning report.
The software code scanning report includes context tracking of the problem points found by the scan, analysis of the mutual calls between code blocks in the system, the passing of parameters and the invocation of functions and methods, as well as key content such as the detailed analysis process that found each code problem, the vulnerability verification result and vulnerability hardening suggestions. The software code scanning report can be used for closed-loop management and tracking of the subsequent correction of code problems.
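Steps S104 and S106 above describe matching the pipeline variables against built-in rules to obtain a selection instruction and turning that instruction into one command the pipeline can run. The following is an added example of that resolver, not code from the patent or from China Telecom's platform: the tool names, image tags, secret names, rule-group names, the `scan-run` command and the sample repository are all constructed placeholders, and the rule priorities are an assumption of the example.

```python
"""Added example, not code from the patent: a small resolver for step S104
(match pipeline variables against built-in rules to obtain a selection
instruction) and step S106 (turn the instruction into the one scan command
the pipeline executes). Tool names, image tags, secret names, rule-group
names and the sample repository are constructed placeholders."""
from dataclasses import dataclass
import shlex

# Constructed sample of the variables step S102 collects at pipeline run time.
PIPELINE_VARS = {
    "repo_url": "https://git.example.internal/payments/api.git",
    "branch": "release/1.4",
    "version": "a1b2c3d",
    "language": "java",
    "trigger": "merge_request",
    "compile_cmd": "mvn -q -DskipTests package",
    "pipeline_type": "security_test",
    "cycle": "per_commit",
}

# Rule groups an administrator enables per language (constructed group names).
RULE_GROUPS = {
    "java": ("java-security", "java-style"),
    "javascript": ("js-security",),
}


@dataclass(frozen=True)
class MatchRule:
    """One built-in matching rule; each field constrains one pipeline variable."""
    tool: str
    image: str            # scanning tool Docker image name
    auth_secret: str      # name of the CI secret holding the tool credential
    languages: frozenset
    pipeline_types: frozenset
    cycles: frozenset
    branch_prefix: str    # "" matches any branch
    needs_compile: bool   # tool scans build output, so a compile instruction is required

    def matches(self, v: dict) -> bool:
        return (v["language"] in self.languages
                and v["pipeline_type"] in self.pipeline_types
                and v["cycle"] in self.cycles
                and v["branch"].startswith(self.branch_prefix)
                and (not self.needs_compile or bool(v.get("compile_cmd"))))


# Built-in rules in priority order; the first rule that matches wins (constructed).
MATCH_RULES = (
    MatchRule("compiled-sast", "registry.example.internal/sast-compiled:7.2",
              "SAST_COMPILED_TOKEN", frozenset({"java", "csharp", "cpp"}),
              frozenset({"security_test"}), frozenset({"per_commit", "daily"}),
              "release/", True),
    MatchRule("sonar-community", "registry.example.internal/sonar-scanner:5.0",
              "SONAR_TOKEN", frozenset({"java", "javascript", "python"}),
              frozenset({"security_test", "quality"}),
              frozenset({"per_commit", "daily", "weekly"}), "", False),
)


@dataclass(frozen=True)
class SelectionInstruction:
    """Step S104 output: image name, auth reference, rule set, scan instruction, parameters."""
    tool: str
    image: str
    auth_secret: str
    rule_set: tuple
    scan_cmd: str
    params: dict


def resolve_selection(v: dict, rules=MATCH_RULES) -> SelectionInstruction:
    """Step S104: the first matching rule decides the tool; no match is an error, not a silent skip."""
    for r in rules:
        if r.matches(v):
            # "scan-run" is a placeholder for the tool's real scanner entry point.
            scan_cmd = f"{v['compile_cmd']} && scan-run" if r.needs_compile else "scan-run"
            return SelectionInstruction(
                r.tool, r.image, r.auth_secret, RULE_GROUPS.get(v["language"], ()),
                scan_cmd, {"project": v["repo_url"], "branch": v["branch"],
                           "version": v["version"]})
    raise LookupError(f"no matching rule for {v['language']}/{v['pipeline_type']}")


def build_pipeline_command(inst: SelectionInstruction) -> str:
    """Step S106: the single Docker command returned to the pipeline. The credential is
    read from the CI secret named in auth_secret and never written into the command."""
    params = " ".join(f"-D{k}={shlex.quote(str(val))}" for k, val in sorted(inst.params.items()))
    inner = f"{inst.scan_cmd} --rules={','.join(inst.rule_set)} {params}"
    return (f'docker run --rm -e TOOL_TOKEN="${inst.auth_secret}" '
            f'-v "$PWD":/src -w /src {inst.image} sh -c {shlex.quote(inner)}')


if __name__ == "__main__":
    instruction = resolve_selection(PIPELINE_VARS)
    print(instruction)
    print(build_pipeline_command(instruction))
```

Two design points matter for a security pipeline: a rule that needs build output only matches when a compilation instruction is actually present, so a release branch without one falls through to the source-only scanner instead of producing a broken task, and the selection instruction carries only the name of the credential secret, so the generated command line and the scan record never contain the tool token itself.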
Fig. 3 schematically illustrates a schematic diagram of an automated code scanning system 300 of the present disclosure.
Referring to FIG. 3, an automated code scanning system 300, comprising:
the variable acquisition module 310, configured to acquire the variables required to configure the code scanning tool when the software security test pipeline runs;
the code scanning tool matching module 320, configured to resolve a code scanning tool selection instruction matching the project requirements of the software security test pipeline according to a built-in matching rule and the variables required by the code scanning tool;
the code scanning task management module 330 is configured to select a code scanning tool according to the code scanning tool selection instruction and create a corresponding code scanning task;
a code scanning task execution module 340, configured to automatically deploy the code scanning task into the software security testing pipeline to execute software code scanning;
and a code scan result management module 350, configured to obtain the software code scan result and form a software code scan report.
Specifically, the software security test pipeline is arranged in a DevOps software development platform, the code scanning tool exposes an API (application programming interface), and the scanning task execution module runs a Docker container. Docker is an open source platform that includes a container engine and the Docker Hub registry server. The Docker container engine lets developers package their applications and dependencies into a portable container and then distribute it to any Linux machine. The Docker Hub registry server lets users create their own image repositories on the server to store, manage and share images. With Docker, software can be configured once and run anywhere.
DevOps (a combination of Development and Operations) is a collective term for a set of processes, methods and systems that facilitate communication, collaboration and integration between development (application/software engineering), technical operations and quality assurance (QA) departments. The core concept of DevOps is efficient communication and collaboration among the product teams (R&D, operations and maintenance, and QA) to solve the common problems of (1) smaller or more frequent requirement changes; (2) a production environment that is not controlled by developers; (3) services that are application-centric rather than infrastructure-centric; (4) the extra cost and time needed for a concisely and clearly defined development and deployment process; (5) a development and deployment process that cannot be fully automated; and (6) existing platform-as-a-service (PaaS) virtual machines that hardly facilitate development and operations collaboration.
In this embodiment, the Docker container is combined with a DevOps system, which has the following advantages:
(1) Standardization: the integration and delivery phases of a service are standardized using images and containers respectively, unifying the workflow of product development and delivery; a standardized production and test environment avoids the problem of inconsistent environments during development and testing.
(2) Intelligence: continuous integration makes code integration intelligent, with builds triggered automatically on code push; automated operations provide intelligent status feedback and health checks; intelligent monitoring reports the running state of services and hosts in time and finds potential problems.
(3) Comprehensiveness: the development and operations phases of each product, such as integration, deployment, operation and maintenance, and monitoring, are all covered in one step, saving worry and labor.
(4) Speed: builds and deployments take seconds, improving development and delivery efficiency; fast upgrades, rollbacks and scaling allow services to iterate quickly and scale elastically; convenient page operations and a standard usage flow help users get started quickly and improve work efficiency.
Through the virtualization provided by Docker, a reusable development environment can be set up quickly and distributed to all developers as an image, simplifying the construction of the development environment. Docker is based on images and on containers built from images; it takes the container as the unit of development, testing and release, and encapsulates all dependencies of the application inside the container, so the application is easy to port, dependency problems caused by migrating the application between different platforms are avoided, and the application is guaranteed to behave highly consistently at every stage of the production environment.
Specifically, the system service user in the automated code scanning system 200 in the disclosed embodiment can be set to three roles, i.e., developer, tester and system administrator. Different roles have different rights to use different functions of the system. The system administrator can modify or supplement the scanning rules in the platform, can also perfect online test cases and the like, ensures that the detection result of the system is the latest and most reliable and meets the requirements, can check the test result provided by the system to review codes, and can submit the codes to the online after self-detection and modification after the codes are modified or added by developers.
The code scanning task execution module 240 includes a quality detection module 241. In the quality detection module 241, various quality aspects can be detected and managed, including complexity detection, coverage detection, documentation detection, duplication detection, problem detection, maintainability detection and reliability detection, and each of these sub-functions is in turn made up of smaller functional modules. Documentation detection mainly examines the automatically generated documentation in the code, covering comment lines, comment ratio (%), public APIs, documented public APIs (%), undocumented public APIs and so on. In problem detection, problems are classified into different levels of severity, including blocking violations, confirmed problems, serious violations, misjudged (false-positive) problems, informational violations, major violations and minor violations. If a detected problem seriously violates a rule, the rule is highlighted in the report so that testers and developers can easily check it themselves. If a blocking violation is detected in the code, the report is marked in red, a special prompt is displayed on the developer's machine and the developer is reminded repeatedly so that the problem is not missed. Problems at other levels are ordinary reminders; if they do not affect the normal use of the function, the code may go online first and be fixed later.
File size scanning covers a range of metrics such as classes, directories, files, methods, generated lines, generated code lines, lines of code, projects and statements. If a single file is too large or a method exceeds the specified number of lines, an ordinary prompt is issued reminding developers that the function can be split to improve the readability and reusability of the code. If the system detects a security vulnerability, the same prompt as for a blocking problem is issued and an email is sent to the relevant tester to remind them to test it.
Fig. 4 schematically shows a built-in module diagram in the code scan result management module in fig. 3.
Fig. 5 schematically shows a management flow diagram built into the system administrator management module in fig. 4.
Fig. 6 schematically shows a management flowchart built in the debugging personnel management module in fig. 4.
Fig. 7 schematically shows a management flowchart built in the report generation module in fig. 3.
Referring to fig. 4, a system administrator management module 351, a debugging personnel management module 352 and a report generation module 353 are arranged in the code scan result management module 350, and management flows built in the system administrator management module 351, the debugging personnel management module 352 and the report generation module 353 are shown in fig. 5, fig. 6 and fig. 7.
Referring to fig. 5, the management flow built in the system administrator management module 351 includes: step S502: configuring the system background; step S504: starting the server; step S506: logging in to the system with an administrator account; step S508: setting the permissions of the account in the settings tab; step S510: setting groups and group permissions; step S512: setting rule groups and which of them are enabled or disabled.
Referring to fig. 6, the management flow built in the debugging personnel management module 352 includes: step S602: logging in with a tester account; step S604: assigning different groups their project visibility rights; step S606: viewing the report details of the project.
Referring to fig. 7, the management flow built in the report generation module 353 includes: step S702: acquiring all data after code scanning analysis; step S704: cleaning and unifying the data; step S706: generating a specific report.
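The report generation flow above (acquire, clean and unify, generate) and the severity handling described for the quality detection module (blocking violations marked in red with repeated developer reminders, security vulnerabilities treated the same plus an email to the tester) are shown together in the following added example. It is not the patent's code; the two scanner output shapes, the file paths and the messages are constructed for illustration, and the notification names are hypothetical.

```python
"""Added example, not the patent's code: clean and unify the raw output of two
scanning tools into one schema, then generate a report that highlights blocking
and security findings and decides who gets notified. Tool output shapes, paths
and messages are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass, asdict

SEVERITY_ORDER = ("blocker", "critical", "major", "minor", "info")

# Constructed vocabularies of two hypothetical tools, mapped onto one scale.
TOOL_A_SEVERITY = {"BLOCKER": "blocker", "CRITICAL": "critical",
                   "MAJOR": "major", "MINOR": "minor", "INFO": "info"}
TOOL_B_LEVEL = {"error": "major", "warning": "minor", "note": "info"}


@dataclass(frozen=True)
class Finding:
    tool: str
    path: str
    line: int
    severity: str          # one of SEVERITY_ORDER
    category: str          # "security", "quality", "documentation", ...
    message: str
    status: str = "open"   # "open" or "false_positive"


def clean(text):
    """Collapse whitespace so the same message from two tools compares equal."""
    return " ".join(text.split())


def from_tool_a(raw):
    """Hypothetical tool A: {"issues": [{component, line, severity, type, message, resolution?}]}."""
    for issue in raw["issues"]:
        yield Finding(
            tool="tool_a",
            path=issue["component"].split(":", 1)[-1],   # strip the "project:" prefix
            line=int(issue.get("line", 0)),
            severity=TOOL_A_SEVERITY.get(issue["severity"], "info"),
            category="security" if issue["type"] == "VULNERABILITY" else "quality",
            message=clean(issue["message"]),
            status="false_positive" if issue.get("resolution") == "FALSE-POSITIVE" else "open",
        )


def from_tool_b(raw):
    """Hypothetical tool B: a flat list of {file, line, level, category, msg}."""
    for rec in raw:
        yield Finding(tool="tool_b", path=rec["file"], line=int(rec["line"]),
                      severity=TOOL_B_LEVEL.get(rec["level"], "info"),
                      category=rec["category"], message=clean(rec["msg"]))


def unify(findings):
    """Drop false positives and collapse duplicates reported by several tools,
    keeping the most severe copy of each (path, line, message)."""
    rank = {s: i for i, s in enumerate(SEVERITY_ORDER)}
    ordered = sorted(findings, key=lambda f: (rank[f.severity], f.tool))
    seen, unique = set(), []
    for f in ordered:
        if f.status == "false_positive":
            continue
        key = (f.path, f.line, f.message.lower())
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def generate_report(findings):
    """Counts per severity plus the findings that get the red mark: blocking
    violations and security vulnerabilities. Security findings additionally
    trigger an e-mail to the tester."""
    counts = Counter(f.severity for f in findings)
    highlighted = [f for f in findings
                   if f.severity == "blocker" or f.category == "security"]
    notifications = []
    if highlighted:
        notifications.append("developer_repeat_reminder")
    if any(f.category == "security" for f in highlighted):
        notifications.append("email_tester")
    return {
        "total": len(findings),
        "counts": {s: counts.get(s, 0) for s in SEVERITY_ORDER},
        "highlighted": [asdict(f) for f in highlighted],
        "notifications": notifications,
    }


def build_report(raw_a, raw_b):
    return generate_report(unify([*from_tool_a(raw_a), *from_tool_b(raw_b)]))


# Constructed sample output of the two tools scanning the same fictional repository.
TOOL_A_OUTPUT = {"issues": [
    {"component": "shop:src/auth/login.py", "line": 42, "severity": "BLOCKER",
     "type": "VULNERABILITY", "message": "SQL query built   by string concatenation"},
    {"component": "shop:src/util/fmt.py", "line": 7, "severity": "MINOR",
     "type": "CODE_SMELL", "message": "Missing docstring on public function"},
    {"component": "shop:src/util/fmt.py", "line": 88, "severity": "MAJOR",
     "type": "CODE_SMELL", "message": "Method exceeds 120 lines", "resolution": "FALSE-POSITIVE"},
]}
TOOL_B_OUTPUT = [
    {"file": "src/auth/login.py", "line": 42, "level": "error", "category": "security",
     "msg": "SQL query built by string concatenation"},
    {"file": "src/util/fmt.py", "line": 7, "level": "warning", "category": "documentation",
     "msg": "missing docstring on public function"},
    {"file": "src/api/handlers.py", "line": 3, "level": "note", "category": "quality",
     "msg": "Unused import 'os'"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_report(TOOL_A_OUTPUT, TOOL_B_OUTPUT), indent=2))
```

The duplicate SQL finding from tool B collapses into tool A's blocker, the false positive is dropped, and the single surviving security finding is enough to trigger both the developer reminder and the tester email.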
The disclosed embodiment provides a variable acquisition module, a code scanning tool matching module, a code scanning task management module, a code scanning task execution module and a code scanning result management module. After the variables required by the code scanning tool, configured when the software security test pipeline runs, have been obtained, a code scanning tool selection instruction that matches the project requirements of the software security test pipeline is resolved according to a built-in matching rule combined with those variables; a code scanning tool is selected according to the selection instruction and a corresponding code scanning task is created; and the code scanning task is then automatically deployed to the software security test pipeline to execute the software code scan. In this way the automated code scanning method and system can automatically select the code scanning tool according to the code change conditions at different stages of software development, and users can discover code quality and security problems as early as possible during the development stage.
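The matching step described above, as an added example that is not the patent's code: the pipeline variables and matching-rule fields are those named in claim 2 (code library address, branch, version, development language, trigger event, compile instruction, pipeline type, execution cycle), and the resolved selection instruction carries the image name, authentication reference, rule set, scan command and parameters that the claim lists. The rule table, image names, credential names, sample repositories and the container invocation convention are all constructed assumptions.

```python
"""Added example, not the patent's code: resolve the pipeline variables named in
claim 2 to a code scanning tool selection instruction through a built-in rule
table, then turn the instruction into a container invocation. The rule table,
image names, credential names and sample repositories are constructed."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class PipelineVariables:
    """Variables configured when the software security test pipeline runs."""
    repo_url: str          # code library address
    branch: str            # code library branch
    version: str           # code library version (commit or tag)
    language: str          # development language
    trigger_event: str     # e.g. push, merge_request, schedule
    build_command: str     # compile instruction
    pipeline_type: str     # e.g. ci, nightly
    execution_cycle: str   # e.g. per_commit, daily


@dataclass(frozen=True)
class ToolSelection:
    """The selection instruction: image, auth reference, rule set, command, parameters."""
    image: str             # scanning tool docker image name
    credential_ref: str    # name of the secret in the pipeline's store, never the secret itself
    rule_set: str
    scan_command: str
    parameters: Sequence[str]


@dataclass(frozen=True)
class MatchRule:
    """One built-in matching rule over the claim-2 matching fields; None means any value."""
    selection: ToolSelection
    repo_prefix: Optional[str] = None
    branch: Optional[str] = None
    language: Optional[str] = None
    build_tool: Optional[str] = None      # first token of the compile instruction
    pipeline_type: Optional[str] = None
    execution_cycle: Optional[str] = None

    def specificity(self):
        """Number of constrained fields; a more specific rule beats a general one."""
        return sum(v is not None for v in (self.repo_prefix, self.branch, self.language,
                                           self.build_tool, self.pipeline_type, self.execution_cycle))

    def matches(self, v):
        return all((
            self.repo_prefix is None or v.repo_url.startswith(self.repo_prefix),
            self.branch is None or v.branch == self.branch,
            self.language is None or v.language.lower() == self.language,
            self.build_tool is None or v.build_command.split()[:1] == [self.build_tool],
            self.pipeline_type is None or v.pipeline_type == self.pipeline_type,
            self.execution_cycle is None or v.execution_cycle == self.execution_cycle,
        ))


RULES = (
    # Java projects built with Maven on the per-commit pipeline: quick SAST rule set.
    MatchRule(language="java", build_tool="mvn", pipeline_type="ci",
              selection=ToolSelection("registry.example/scanners/java-sast:1.4", "SAST_TOKEN",
                                      "java-quick", "scan", ("--fail-on", "blocker"))),
    # Java nightly run: full rule set with data-flow analysis enabled.
    MatchRule(language="java", pipeline_type="nightly", execution_cycle="daily",
              selection=ToolSelection("registry.example/scanners/java-sast:1.4", "SAST_TOKEN",
                                      "java-deep", "scan", ("--fail-on", "major", "--dataflow"))),
    # Release branches of any language: dependency audit.
    MatchRule(branch="release",
              selection=ToolSelection("registry.example/scanners/sca:2.0", "SCA_TOKEN",
                                      "sca-default", "audit", ())),
    # Catch-all so every pipeline run gets at least a generic linter.
    MatchRule(selection=ToolSelection("registry.example/scanners/generic-lint:0.9", "LINT_TOKEN",
                                      "lint-default", "lint", ())),
)


def select_tool(rules, v):
    """Resolve the selection instruction; the most specific matching rule wins,
    ties go to the earlier rule. Raise rather than silently skip the scan."""
    candidates = [r for r in rules if r.matches(v)]
    if not candidates:
        raise LookupError(f"no scanning tool rule matches {v.language}/{v.pipeline_type}")
    return max(candidates, key=MatchRule.specificity).selection


def container_argv(sel, v, workspace="/workspace/src"):
    """Invocation for the execution module's docker container: throw-away container,
    read-only root and source mount, credential passed by reference for the runner
    to resolve from its secret store (hypothetical convention)."""
    return ["docker", "run", "--rm", "--read-only", "--tmpfs", "/tmp",
            "-v", f"{workspace}:/src:ro",
            "-e", f"SCANNER_TOKEN_REF={sel.credential_ref}",
            sel.image, sel.scan_command, "--rules", sel.rule_set,
            "--ref", f"{v.branch}@{v.version}", *sel.parameters, "/src"]


# Constructed pipeline runs.
JAVA_CI = PipelineVariables("https://git.example/shop/api", "feature/cart", "a1b2c3d",
                            "Java", "push", "mvn -B package", "ci", "per_commit")
JAVA_NIGHTLY = PipelineVariables("https://git.example/shop/api", "main", "9f8e7d6",
                                 "java", "schedule", "mvn -B package", "nightly", "daily")
PY_PUSH = PipelineVariables("https://git.example/shop/tools", "main", "0011223",
                            "python", "push", "", "ci", "per_commit")

if __name__ == "__main__":
    for run in (JAVA_CI, JAVA_NIGHTLY, PY_PUSH):
        print(" ".join(container_argv(select_tool(RULES, run), run)))
```

Two design points follow from the description: a pipeline run with no matching rule raises instead of quietly running nothing, so a gap in the rule table surfaces as a failed stage rather than a missing scan, and the selection instruction carries only the name of the credential, so a scanning task stored or logged by the task management module never contains the secret itself.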
Since the functions of the automatic code scanning system have been described in detail in the corresponding method embodiments, the disclosure is not repeated herein.
It should be noted that although the above detailed description mentions several modules or units of the device for executing actions, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Thus, various aspects of the invention may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module" or "system."
An electronic device 800 according to this embodiment of the invention is described below with reference to fig. 8. The electronic device 800 shown in fig. 8 is only an example and should not bring any limitations to the function and scope of use of the embodiments of the present invention.
As shown in fig. 8, electronic device 800 is in the form of a general purpose computing device. The components of the electronic device 800 may include, but are not limited to: a memory 820, and a processor 810 coupled to the memory 820, the processor 810 configured to perform the automated code scanning method 100 described above based on instructions stored in the memory 820. Data is transferred between the memory 820 and the processor 810 via the bus 830.
The memory 820 stores therein program code that may be executed by the processor 810 to cause the processor 810 to perform the steps according to various exemplary embodiments of the present invention described in the "exemplary methods" section above in this specification. For example, the processor 810 may execute step S102 shown in fig. 1, obtaining variables required by the software security test pipeline runtime configuration code scanning tool; step S104, resolving a code scanning tool selection instruction matching the software safety test pipeline project requirement according to a built-in matching rule and the variables required by the code scanning tool; step S106, selecting a code scanning tool according to the code scanning tool selection instruction and creating a corresponding code scanning task; step S108, automatically deploying the code scanning task to the software security testing production line to execute software code scanning; and step S110, acquiring the software code scanning result and forming a software code scanning report.
The memory 820 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM)8201 and/or a cache memory unit 8202, and may further include a read only memory unit (ROM) 8203.
Memory 820 may also include a program/utility 8204 having a set (at least one) of program modules 8205, such program modules 8205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 830 may be any of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 800 may also communicate with one or more external devices 900 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 800, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 800 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interfaces 850. Also, the electronic device 800 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) via the network adapter 860. As shown, the network adapter 860 communicates with the other modules of the electronic device 800 via the bus 830. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 800, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, there is also provided a computer-readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, aspects of the invention may also be implemented in the form of a program product comprising program code means for causing a terminal device to carry out the steps according to various exemplary embodiments of the invention described in the above section "exemplary methods" of the present description, when said program product is run on the terminal device.
The program product for implementing the above method according to an embodiment of the present invention may employ a portable compact disc read only memory (CD-ROM) and include program codes, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
Furthermore, the above-described figures are merely schematic illustrations of processes involved in methods according to exemplary embodiments of the invention, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice in the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (10)

1. An automated code scanning method, comprising:
acquiring variables required by a configuration code scanning tool when a software security test pipeline runs;
analyzing a code scanning tool selection instruction matched with the software security test pipeline project requirement according to a built-in matching rule and the variables required by the code scanning tool;
selecting a code scanning tool according to the code scanning tool selection instruction and creating a corresponding code scanning task;
automatically deploying the code scanning task into the software security testing pipeline to execute software code scanning;
and acquiring the software code scanning result and forming a software code scanning report.
2. The automated code scanning method of claim 1, wherein the variables required by the code scanning tool include a code library address, a code library branch, a code library version, a development language, a trigger event, a compiled instruction, a pipeline type, and an execution cycle; the matching rules comprise code base addresses, code base branches, development languages, compiling instructions, pipeline types and execution cycles; the code scanning tool selection instruction comprises a scanning tool docker mirror image name, scanning tool authentication information, a scanning rule set, a scanning instruction and scanning tool parameters.
3. An automated code scanning system, comprising:
the variable acquisition module is used for acquiring variables required by the configuration code scanning tool when the software security test pipeline runs;
the code scanning tool matching module is used for analyzing a code scanning tool selection instruction matched with the software security test pipeline project requirement according to a built-in matching rule and a variable required by the code scanning tool;
the code scanning task management module is used for selecting a code scanning tool according to the code scanning tool selection instruction and creating a corresponding code scanning task;
the code scanning task execution module is used for automatically deploying the code scanning task to the software security testing pipeline to execute software code scanning;
and the code scanning result management module is used for acquiring the software code scanning result and forming a software code scanning report.
4. The automated code scanning system of claim 1, wherein the code scanning tool is provided with an API interface.
5. The automated code scanning system of claim 1, wherein a docker container is disposed in the code scanning task execution module.
6. The automated code scanning system of claim 1, wherein the software security testing pipeline is disposed in a software development platform of DevOps.
7. The automated code scanning system of claim 3, wherein the code scanning task execution module comprises a quality detection module.
8. The automated code scanning system of claim 3, wherein the code scan result management module comprises a system administrator management module, a debugging personnel management module, and a report generation module.
9. An electronic device, comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the automated code scanning method of any of claims 1-2 based on instructions stored in the memory.
10. A computer-readable storage medium, on which a program is stored which, when executed by a processor, implements an automated code scanning method according to any one of claims 1-2.
CN202111392774.XA 2021-11-23 2021-11-23 Automatic code scanning method, system, electronic equipment and storage medium Pending CN114116471A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111392774.XA CN114116471A (en) 2021-11-23 2021-11-23 Automatic code scanning method, system, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111392774.XA CN114116471A (en) 2021-11-23 2021-11-23 Automatic code scanning method, system, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114116471A true CN114116471A (en) 2022-03-01

Family

ID=80440321

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111392774.XA Pending CN114116471A (en) 2021-11-23 2021-11-23 Automatic code scanning method, system, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114116471A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115599695A (en) * 2022-11-04 2023-01-13 广州嘉为科技有限公司(Cn) Quality red line interception method, device and medium based on pipeline code scanning

Similar Documents

Publication Publication Date Title
US20220253298A1 (en) Systems and methods for transformation of reporting schema
US8875110B2 (en) Code inspection executing system for performing a code inspection of ABAP source codes
US11675575B2 (en) Checking source code validity at time of code update
US10339029B2 (en) Automatically detecting internalization (i18n) issues in source code as part of static source code analysis
US20110321007A1 (en) Targeting code sections for correcting computer program product defects using records of a defect tracking system
US20120159434A1 (en) Code clone notification and architectural change visualization
WO2016196701A1 (en) Natural language engine for coding and debugging
CN103092761A (en) Method and device of recognizing and checking modifying code blocks based on difference information file
US9311077B2 (en) Identification of code changes using language syntax and changeset data
Kirbas et al. The relationship between evolutionary coupling and defects in large industrial software
US20230145163A1 (en) Pipeline release validation
Santana et al. RAIDE: a tool for Assertion Roulette and Duplicate Assert identification and refactoring
Ren et al. Making smart contract development more secure and easier
An et al. An empirical study of crash-inducing commits in Mozilla Firefox
CN106681783A (en) Detection method and system for SVN code
Ren et al. Scstudio: a secure and efficient integrated development environment for smart contracts
CN113885876A (en) Parameter checking method, device, storage medium and computer system
CN114116471A (en) Automatic code scanning method, system, electronic equipment and storage medium
CN111488275A (en) UI automation test method and device, storage medium and electronic equipment
US11947966B2 (en) Identifying computer instructions enclosed by macros and conflicting macros at build time
US20210349808A1 (en) Source quality check service
Furda et al. A practical approach for detecting multi-tenancy data interference
Ponomarenko et al. A combined technique for automatic detection of backward binary compatibility problems
CN114174983A (en) Optimization for automatic verification of advanced constructs using test vectors
Xiao et al. Performing high efficiency source code static analysis with intelligent extensions

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination