CN116415258A - Vulnerability detection method, device, equipment, medium and program product - Google Patents


Publication number
CN116415258A
Authority
CN
China
Prior art keywords
vulnerability
false alarm
information
detection
sample
Prior art date
Legal status
Pending
Application number
CN202310430639.2A
Other languages
Chinese (zh)
Inventor
刘学营
Current Assignee
China Construction Bank Corp
CCB Finetech Co Ltd
Original Assignee
China Construction Bank Corp
CCB Finetech Co Ltd
Application filed by China Construction Bank Corp and CCB Finetech Co Ltd
Priority to CN202310430639.2A
Publication of CN116415258A
Legal status: Pending (current)

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577: Assessing vulnerabilities and evaluating computer system security

Abstract

This application provides a vulnerability detection method, device, equipment, medium and program product in the technical field of vulnerability detection. The method comprises the following steps: an electronic device performs vulnerability detection on the code in a service system through SAST to obtain vulnerability information; if the vulnerability information does not match any false positive information stored in a false positive library, the context of the vulnerability in the code file is determined from the vulnerability information, and the identifier of the vulnerability, the context of the vulnerability, the type of the vulnerability and the type of the code file are input into a false positive detection model to obtain the detection result output by that model. This scheme replaces the manual review step of the existing process, effectively saves labor cost, and improves processing efficiency and accuracy.

Description

Vulnerability detection method, device, equipment, medium and program product
Technical Field
The present disclosure relates to the field of vulnerability detection technologies, and in particular, to a vulnerability detection method, device, apparatus, medium, and program product.
Background
With the rapid development of the internet industry, a large number of service systems have gradually become diverse, complex and highly important, and network security risk has risen rapidly. Service systems are composed of a large amount of code in different languages and on different platforms; security vulnerabilities in that code are the main cause of intrusions by attackers and seriously affect the security of service systems, so how to detect security vulnerabilities in code is a problem that urgently needs to be solved.
At present, code security quality is checked mainly by static source code security scanning (Static Analysis Security Testing, SAST), so as to control code quality during the coding stage, discover and fix code vulnerabilities early, and improve development efficiency. Because the false positive rate of existing SAST is high, after SAST has performed vulnerability detection on the code, the detected vulnerability information still has to be reviewed manually to determine whether the vulnerability information produced by SAST is a false positive.
However, the manual review process of the prior art has high labor cost, low accuracy and low efficiency.
Disclosure of Invention
This application provides a vulnerability detection method, device, equipment, medium and program product to solve the problems of high labor cost, low accuracy and low efficiency of the manual review process in the prior art.
In a first aspect, an embodiment of the present application provides a vulnerability detection method, including:
performing vulnerability detection on the code in a service system through SAST and obtaining vulnerability information, wherein the vulnerability information indicates the identifier of a vulnerability and the position of the vulnerability in a code file;
if the vulnerability information does not match any false positive information stored in a false positive library, determining the context of the vulnerability and the identifier of the vulnerability in the code file from the vulnerability information, wherein the false positive information is vulnerability information of historically detected false positives;
and inputting the identifier, the context and the type of the vulnerability and the type of the code file into a false positive detection model and obtaining the detection result output by the model, wherein the detection result indicates whether the vulnerability is a false positive, and the false positive detection model is obtained by model training on the identifier, the context and the type of each sample vulnerability and the type of the corresponding sample code file.
In one possible design of the first aspect, the method further comprises:
if the vulnerability information matches any false positive information stored in the false positive library, determining the vulnerability information to be false positive vulnerability information.
In another possible design of the first aspect, after inputting the identifier, the context and the type of the vulnerability and the type of the code file into the false positive detection model, the method further includes:
if the detection result indicates that the vulnerability information is a false positive, storing the vulnerability information in the false positive library.
In yet another possible design of the first aspect, the vulnerability information includes the identifier of the vulnerability, the identifier of the service system, the code file corresponding to the vulnerability, and the position of the vulnerability in the code file.
In yet another possible design of the first aspect, before performing vulnerability detection on the code in the service system through SAST, the method further includes:
extracting features of the sample vulnerability corresponding to each sample code file among a plurality of sample code files, and obtaining, for each sample vulnerability, the identifier of the sample vulnerability, the context of the sample vulnerability, the type of the sample vulnerability and the type of the sample code file, wherein the sample vulnerabilities include false positive vulnerabilities and non-false-positive vulnerabilities;
and performing model training on the identifier, the context and the type of each sample vulnerability and the type of its sample code file to obtain the false positive detection model.
In yet another possible design of the first aspect, performing vulnerability detection on the code in the service system through SAST to obtain vulnerability information includes:
obtaining a code scanning request, wherein the code scanning request is used to scan the code in the service system and determine vulnerabilities in the code;
executing the code scanning request, and performing vulnerability detection on the code in the service system through SAST to obtain the vulnerability information.
In a second aspect, an embodiment of the present application provides a vulnerability detection apparatus, including:
a detection module, configured to perform vulnerability detection on the code in a service system through SAST and obtain vulnerability information, wherein the vulnerability information indicates the identifier of a vulnerability and the position of the vulnerability in a code file;
a determining module, configured to determine the context of the vulnerability and the identifier of the vulnerability in the code file from the vulnerability information if the vulnerability information does not match any false positive information stored in a false positive library, wherein the false positive information is vulnerability information of historically detected false positives;
an input module, configured to input the identifier, the context and the type of the vulnerability and the type of the code file into a false positive detection model and obtain the detection result output by the model, wherein the detection result indicates whether the vulnerability is a false positive, and the false positive detection model is obtained by model training on the identifier, the context and the type of each sample vulnerability and the type of the corresponding sample code file.
In one possible design of the second aspect, the determining module is further configured to:
if the vulnerability information matches any false positive information stored in the false positive library, determine the vulnerability information to be false positive vulnerability information.
In another possible design of the second aspect, after the identifier, the context and the type of the vulnerability and the type of the code file have been input into the false positive detection model, the apparatus further includes:
a storage module, configured to store the vulnerability information in the false positive library if the detection result indicates that the vulnerability information is a false positive.
In yet another possible design of the second aspect, the vulnerability information includes the identifier of the vulnerability, the identifier of the service system, the code file corresponding to the vulnerability, and the position of the vulnerability in the code file.
In yet another possible design of the second aspect, before performing vulnerability detection on the code in the service system through SAST and obtaining vulnerability information, the apparatus further includes:
an extraction module, configured to extract features of the sample vulnerability corresponding to each sample code file among a plurality of sample code files and obtain the identifier of the sample vulnerability, the context of the sample vulnerability, the type of the sample vulnerability and the type of the sample code file, wherein the sample vulnerabilities include false positive vulnerabilities and non-false-positive vulnerabilities;
and a training module, configured to perform model training on the identifier, the context and the type of each sample vulnerability and the type of its sample code file to obtain the false positive detection model.
In a further possible design of the second aspect, the detection module is specifically configured to:
obtain a code scanning request, wherein the code scanning request is used to scan the code in the service system and determine vulnerabilities in the code;
execute the code scanning request, and perform vulnerability detection on the code in the service system through SAST to obtain the vulnerability information.
In a third aspect, an embodiment of this application provides an electronic device, including a processor, a memory, and computer program instructions stored in the memory and executable on the processor; when the processor executes the computer program instructions, it implements the method provided by the first aspect and each of its possible designs.
In a fourth aspect, an embodiment of this application provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, carry out the method provided by the first aspect and each of its possible designs.
In a fifth aspect, an embodiment of this application provides a computer program product comprising a computer program which, when executed by a processor, implements the method provided by the first aspect and each of its possible designs.
According to the vulnerability detection method, device, equipment, medium and program product of this application, an electronic device performs vulnerability detection on the code in a service system through SAST to obtain vulnerability information; if the vulnerability information does not match any false positive information stored in a false positive library, the context of the vulnerability in the code file is determined from the vulnerability information, and the identifier of the vulnerability, the context of the vulnerability, the type of the vulnerability and the type of the code file are input into a false positive detection model to obtain the detection result output by that model. In this scheme, after vulnerability information has been obtained by performing vulnerability detection on the code in the service system through SAST, the vulnerability information is compared with the false positive information stored in the false positive library; when it does not match, the vulnerability information is checked by a false positive detection model obtained in advance to judge whether the vulnerability is a false positive. This replaces the manual review step of the existing process, effectively saves labor cost, and improves processing efficiency and accuracy.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic flow chart of a first embodiment of a vulnerability detection method provided in an embodiment of the present application;
fig. 2 is a schematic flow chart of a second embodiment of a vulnerability detection method provided in the embodiment of the present application;
fig. 3 is a schematic flow chart of a third embodiment of a vulnerability detection method provided in an embodiment of the present application;
fig. 4 is a schematic structural diagram of a first embodiment of a vulnerability detection apparatus provided in an embodiment of the present application;
fig. 5 is a schematic structural diagram of a second embodiment of a vulnerability detection apparatus provided in an embodiment of the present application;
fig. 6 is a schematic structural diagram of a third embodiment of a vulnerability detection apparatus provided in an embodiment of the present application;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Specific embodiments thereof have been shown by way of example in the drawings and will herein be described in more detail. These drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but to illustrate the concepts of the present application to those skilled in the art by reference to specific embodiments.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
In the technical solution of this application, the collection, storage, use, processing, transmission, provision and disclosure of related information such as financial data or user data comply with the relevant laws and regulations and do not violate public order and good morals.
Before describing the embodiments of the present application, an application background of the embodiments of the present application will be explained first:
With the development of internet technology, network security risk has increased rapidly, and vulnerabilities have become a main factor affecting software security. By some counts, nearly 75% of hacking attacks currently originate from code vulnerabilities. How to detect security vulnerabilities in code is therefore a current challenge.
As business grows and teams expand, the software scale and the call chains of a service system become increasingly complex. Without a good code detection mechanism, relying on functional verification alone, team technical debt grows, development departments often spend a great deal of time and effort discovering and fixing code defects, and ultimately the iteration progress of the service system is dragged down and serious security problems may even result.
Currently, code security quality control based on SAST is an important means of discovering and fixing code vulnerabilities early. SAST scans code without running it (in its static state), based on a set of predetermined rules that define the coding errors in source code to be evaluated and handled, in order to identify common security vulnerabilities in code such as Structured Query Language (SQL) injection, input validation flaws and stack buffer overflows.
However, it is difficult to implement SAST as a tool with both high throughput and high accuracy; a balance has to be struck between run time and algorithm accuracy. In SAST tool design the detection flow is simplified and trimmed, which sacrifices detection precision and yields a high false positive rate.
To address the high SAST false positive rate, the prior art mainly has the development department of the service system analyze the scan result after each scan task finishes and mark each vulnerability as to-be-fixed or not (false positive). At the same time, a dedicated auditor is assigned to each project group, and after the development department has marked the vulnerabilities, the auditor reviews the vulnerabilities marked as false positives once more.
However, the prior art has the following problems:
(1) In a large enterprise there are often many independent development departments and thousands of physical subsystems, and the number of vulnerabilities to be managed reaches tens of millions or even hundreds of millions. Having auditors review the detected vulnerabilities one by one requires a great deal of labor, and processing efficiency is low.
(2) Because the service system iterates functionally, the code has to be scanned on every code change to discover potential security hazards in time. This process often produces the same false positives repeatedly, and the development department has to analyze the same false positive again and again, wasting a great deal of time and affecting normal development of the service system and rapid iteration of projects. With a large number of physical subsystems being scanned at the same time, the review requests an auditor receives each day are also massive and contain many false positive vulnerabilities that have already been reviewed before.
(3) When different auditors review vulnerabilities against inconsistent review standards, review accuracy cannot be guaranteed, which creates security risk for the service system.
In summary, the manual review process in the prior art has high labor cost, low accuracy and low efficiency.
Based on these technical problems, the technical concept of this application is as follows: after vulnerability detection based on SAST has been performed on the code in the service system, whether the vulnerability information is a false positive is detected by a false positive detection model trained in advance, so as to judge which vulnerability information obtained through SAST is genuine and which is a false positive. The false positive detection model replaces the manual review process of the prior art, thereby solving the problems of high labor cost, low accuracy and low efficiency of that process. The false positive detection model is obtained by model training on the identifier of each sample vulnerability, the context of the sample vulnerability, the type of the sample vulnerability and the type of the sample code file.
The following describes the technical scheme of the present application in detail through specific embodiments.
It should be noted that the following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments.
Fig. 1 is a schematic flow chart of a first embodiment of a vulnerability detection method provided in an embodiment of the present application. As shown in fig. 1, the vulnerability detection method is applied to an electronic device, which may be a terminal device or a server, and the vulnerability detection method may include the following steps:
S101, performing vulnerability detection on the code in a service system through SAST, and obtaining vulnerability information.
In this step: because the false positive rate of SAST code detection in the prior art is high, the vulnerabilities found by SAST are reviewed again manually, which has high labor cost and low accuracy and efficiency. In the embodiment of this application, whether a vulnerability found by SAST is a false positive is judged by a false positive detection model, which replaces the manual review process and so reduces labor cost. The false positive detection model also has self-learning capability and, compared with manual processing, can effectively ensure processing efficiency and accuracy. Therefore, before judging whether a vulnerability found by SAST is a false positive, vulnerability detection first has to be performed on the code in the service system through SAST to obtain vulnerability information, which indicates the identifier of the vulnerability and the position of the vulnerability in the code file.
Optionally, the vulnerability information includes the identifier of the vulnerability, the identifier of the service system, the code file corresponding to the vulnerability, and the position of the vulnerability in the code file.
Optionally, vulnerability detection through SAST may be performed on the code of one service system or on the code of several service systems; the number of service systems is not limited in the embodiment of this application.
Optionally, all of the code in the service system or only part of it may be subjected to vulnerability detection through SAST; which code is detected may be decided according to actual conditions and is not specifically limited in the embodiment of this application.
As an illustration, assume that service system 1 contains code file 1, code file 1 contains 10 lines of code, and line 5 contains vulnerability 1. Performing vulnerability detection through SAST on the code in each code file of service system 1 yields vulnerability information comprising: vulnerability 1, code file 1, service system 1, line 5 of code file 1.
In one possible implementation, the vulnerability detection method provided by this application may be applied in an enterprise's security test center: a project group of the enterprise initiates vulnerability detection on the code of one of the enterprise's service systems with the security test center, and the security test center performs vulnerability detection on that code in response. Specifically, S101 may be implemented by the following steps (a) and (b):
Step (a), obtaining a code scanning request.
The code scanning request is used to scan the code in the service system and determine vulnerabilities in the code.
Optionally, the code scanning request may instruct scanning of a number of code files in the service system, such as code file 1, code file 2 and code file 3; it may instruct scanning of the code files under a certain storage path of the service system, such as the code files on the C drive; it may instruct scanning of code files of a certain type in the service system, such as the Java code files; or it may instruct scanning of the code files of a project in the service system, such as the code files corresponding to project XX. It should be understood that the code files to be scanned as indicated by the code scanning request may be defined according to actual requirements, which is not specifically limited in this application.
Optionally, the code scanning request may be a request that a first electronic device of the project group sends to a second electronic device of the security test center in response to an operation by a member of the project group, or a request generated when a member of the security test center clicks on an operation interface of the second electronic device and that device responds to the click.
Step (b), executing the code scanning request, and performing vulnerability detection on the code in the service system through SAST to obtain the vulnerability information.
S102, if the vulnerability information does not match any false positive information stored in the false positive library, determining the context of the vulnerability in the code file from the vulnerability information.
In this step: in the prior art, the code has to be scanned whenever it changes, so the same false positive vulnerability is found every time SAST scans the code, and the subsequent process of judging whether the vulnerability is a false positive is repeated after every scan, which consumes a great deal of processing time and lowers processing efficiency. The false positive library is deployed in advance and may be a database deployed inside the service system or a separate database deployed outside it; it stores false positive information, i.e. vulnerability information of historically detected false positives. After vulnerability detection through SAST has produced vulnerability information for the code in the service system, the vulnerability information can be compared with the false positive information in the false positive library. If any false positive information in the library matches the vulnerability information, the vulnerability information has already been judged to be a false positive historically, the subsequent steps need not be executed, and processing time is saved; otherwise, whether the vulnerability information is a false positive has not yet been judged, and the subsequent judgment process has to be executed.
In one possible implementation, the false positive library may store false positive information of multiple service systems. The false positive library may include multiple false positive sub-libraries, each of which stores the false positive information of one corresponding service system. Each false positive sub-library also has a hash map (hashMap) set that stores the identifier of each piece of false positive information in the sub-library; the identifier of a piece of false positive information is generated from the identifier of its vulnerability, the identifier of the service system, the code file corresponding to the vulnerability and the position of the vulnerability in the code file.
In this implementation, after the vulnerability information has been obtained, its identifier can be generated in the same way from the identifier of the vulnerability, the identifier of the service system, the code file corresponding to the vulnerability and the position of the vulnerability in the code file. Comparing the identifier of the vulnerability information with the identifiers of the false positive information in the hashMap set of the corresponding false positive sub-library then decides whether false positive information matching the vulnerability information exists.
The storage table of the false positive library may be represented, for example, by Table 1.
Table 1
Column name   Column type   Remarks
id            Int(11)       Vulnerability id
module_id     Int(11)       Service system id
false_id      Varchar(64)   Identifier of the false positive information
The storage table shown in Table 1 stores the vulnerability ids, the service system ids and the identifiers of the corresponding false positive information. It should be understood that, in practical application, the storage table of the false positive library may take other forms and store other contents, as determined by practical conditions, which is not particularly limited in the embodiment of this application.
In this implementation, the identifiers of the individual pieces of false positive information form a whitelist in the false positive library. A false positive vulnerability in the service system only has to be marked once in the whitelist; thereafter it is filtered out by the whitelist, and the vulnerability information it generates in later scans no longer has to be checked by the false positive detection model, which effectively improves processing efficiency and saves processing time.
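As an added example (not code from the patent or its applicant), the following Python implements the false positive library just described: one sub-library per service system, each holding the identifiers of its known false positives in a set that stands in for the hashMap set, with the identifier derived from the four fields the text names. Hashing those fields with SHA-256, the class and function names, and the sample values are all assumptions of this example.

```python
"""Added example: a false positive library keyed by a hash of
(vulnerability id, service system id, code file, position)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnInfo:
    vuln_id: str     # identifier of the vulnerability reported by the SAST rule
    system_id: str   # identifier of the service system
    code_file: str   # code file the vulnerability is in
    line: int        # position of the vulnerability in the code file


def false_positive_key(info: VulnInfo) -> str:
    """Identifier of a (false positive) record, built from all four fields.
    SHA-256 is an assumption; the patent only says the identifier is generated
    from these fields. The unit separator keeps distinct tuples from colliding
    by concatenation (e.g. file "a1" line 2 versus file "a" line 12)."""
    material = "\x1f".join([info.vuln_id, info.system_id, info.code_file, str(info.line)])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


class FalsePositiveLibrary:
    """One sub-library (a set of keys) per service system."""

    def __init__(self) -> None:
        self._sub_libraries: dict[str, set[str]] = {}

    def add(self, info: VulnInfo) -> str:
        """Record a confirmed false positive (when seeding the library, or when
        the detection model later reports one) and return its key."""
        key = false_positive_key(info)
        self._sub_libraries.setdefault(info.system_id, set()).add(key)
        return key

    def contains(self, info: VulnInfo) -> bool:
        """Look up only in the sub-library of the finding's own service system."""
        return false_positive_key(info) in self._sub_libraries.get(info.system_id, set())


def triage(library: FalsePositiveLibrary, findings):
    """Split SAST findings into known false positives (filtered without further
    checking) and findings that still have to go to the detection model."""
    known, to_model = [], []
    for finding in findings:
        (known if library.contains(finding) else to_model).append(finding)
    return known, to_model


if __name__ == "__main__":
    lib = FalsePositiveLibrary()
    # Constructed sample matching the text's illustration: vulnerability 1 at
    # line 5 of code file 1 in service system 1, previously reviewed as a false positive.
    lib.add(VulnInfo("vulnerability 1", "service system 1", "code file 1", 5))
    scan = [VulnInfo("vulnerability 1", "service system 1", "code file 1", 5),
            VulnInfo("vulnerability 1", "service system 1", "code file 1", 9)]
    known, to_model = triage(lib, scan)
    print(len(known), "filtered,", len(to_model), "sent to the model")
```

Because the key covers the file and line as well as the rule and system, the same rule firing on a different line (or the same file in another service system) is not filtered and still reaches the model; a false positive the model later confirms is added with the same `add` call, which is the storage step the text describes.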
If the vulnerability information does not match any false positive information stored in the false positive library, whether it is a false positive has to be judged by the false positive detection model. The inputs of that model are the identifier of the vulnerability, the context of the vulnerability, the type of the vulnerability and the type of the code file, so the context of the vulnerability and the identifier of the vulnerability in the code file have to be determined from the vulnerability information.
Specifically, the identifier of the vulnerability is extracted from the vulnerability information, the vulnerable code is located in the code file from the position indicated by the vulnerability information, and the code above and below the vulnerable code in the code file that is associated with it is determined to be the context of the vulnerability.
Optionally, if the vulnerability information matches any false positive information stored in the false positive library, the vulnerability information is determined to be false positive vulnerability information and needs no further checking, which effectively saves processing time and improves processing efficiency.
S103, inputting the identification, the context and the type of the vulnerability and the type of the code file into a false alarm detection model, and obtaining a detection result output by the false alarm detection model.
In this step, when the vulnerability information is inconsistent with every false alarm information stored in the false alarm library, whether the vulnerability information is a false alarm still has to be verified. The identifier of the vulnerability corresponding to the vulnerability information, the context of the vulnerability, the type of the vulnerability and the type of the code file are therefore input into the false alarm detection model, which outputs a detection result indicating whether the vulnerability is a false alarm.
Optionally, the SAST includes a plurality of scanning rules, each scanning rule being used to scan for one type of vulnerability. That is, the type of the vulnerability here corresponds to the scanning rule that reported the vulnerability.
The type of the code file may be C++, Java or Python, or another type, as defined according to the actual situation; the embodiment of the present application does not limit this.
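How the four model inputs can be assembled from a finding, as an added example written for this page (not the patent's code). The window-based notion of "associated" code, the comment-stripping heuristic, the extension table and the sample Java file with its rule name and finding id are all assumptions; the text only says the context is the code above and below the vulnerable code that is associated with it, the type is the scanning rule, and the file type is the language.

```python
import os
from typing import Dict

# Extension to code file type; which languages are recognised is an assumption.
EXTENSION_TO_FILE_TYPE = {
    ".cpp": "c++", ".cc": "c++", ".cxx": "c++", ".h": "c++", ".hpp": "c++",
    ".java": "java",
    ".py": "python",
}

COMMENT_PREFIXES = ("//", "/*", "*/", "#")   # heuristic: comment-only lines


def file_type_of(code_file: str) -> str:
    """Map a code file name to the 'type of the code file' model input."""
    ext = os.path.splitext(code_file)[1].lower()
    return EXTENSION_TO_FILE_TYPE.get(ext, "other")


def _is_code(line: str) -> bool:
    stripped = line.strip()
    return bool(stripped) and not stripped.startswith(COMMENT_PREFIXES)


def extract_context(code_text: str, line: int, window: int = 3) -> Dict[str, str]:
    """Return the vulnerable line and the code lines associated with it.

    `line` is 1-based. Association is approximated as the nearest `window`
    code-bearing lines above and below (blank and comment-only lines are
    skipped); the patent does not say how association is decided.
    """
    window = max(1, window)
    lines = code_text.splitlines()
    if not 1 <= line <= len(lines):
        raise ValueError(f"line {line} is outside a file of {len(lines)} lines")
    above = [l for l in lines[: line - 1] if _is_code(l)][-window:]
    below = [l for l in lines[line:] if _is_code(l)][:window]
    return {
        "above": "\n".join(above),
        "vulnerable": lines[line - 1],
        "below": "\n".join(below),
    }


def build_model_input(vuln_id: str, rule: str, code_file: str, line: int,
                      code_text: str) -> Dict[str, str]:
    """Assemble the four inputs of the false alarm detection model."""
    ctx = extract_context(code_text, line)
    parts = (ctx["above"], ctx["vulnerable"], ctx["below"])
    return {
        "identifier": vuln_id,
        "context": "\n".join(p for p in parts if p),
        "type": rule,                          # the scanning rule that reported the vulnerability
        "file_type": file_type_of(code_file),
    }


# Constructed sample code file (not from the patent): a SAST rule would report
# line 10, where a query string built by concatenation reaches executeQuery.
SAMPLE_JAVA = """package demo;

import java.sql.*;

public class UserDao {
    // look up a user by name
    public User find(Connection c, String name) throws SQLException {
        String sql = "SELECT * FROM users WHERE name = '" + name + "'";
        Statement st = c.createStatement();
        ResultSet rs = st.executeQuery(sql);
        return map(rs);
    }
}
"""


def demo_features() -> Dict[str, str]:
    """Model input for the constructed finding above (id and rule name are made up)."""
    return build_model_input("SAST-4711", "SQL_INJECTION", "src/demo/UserDao.java", 10, SAMPLE_JAVA)


if __name__ == "__main__":
    for key, value in demo_features().items():
        print(f"{key}:\n{value}\n")
```

The comment line inside the sample is dropped from the context on purpose: a model that learns from comment text rather than from code is easy to mislead, so the context should carry the statements around the finding and nothing else.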
The false alarm detection model is obtained by model training according to the identification of each sample vulnerability, the context of the sample vulnerability, the type of the sample vulnerability and the type of the sample code file.
It should be understood that the training process of the false alarm detection model may refer to the content of the embodiment shown in fig. 2, which is not described herein.
Optionally, if the detection result indicates that the vulnerability information is a false positive, the vulnerability information is stored in the false positive library, so that vulnerability information produced by future scans of the service system's code can be compared against it, saving the time of re-detecting whether that vulnerability is a false positive.
According to the vulnerability detection method provided by the embodiment of the application, the electronic device performs vulnerability detection on the code of the service system through SAST and obtains vulnerability information; if the vulnerability information is inconsistent with every false alarm information stored in the false alarm library, the context of the vulnerability in the code file is determined from the vulnerability information, and the identification, context and type of the vulnerability together with the type of the code file are input into the false alarm detection model to obtain its detection result. In this technical scheme, after vulnerability information is acquired by SAST detection of the service system's code, it is compared with the false alarm information stored in the false alarm library, and when it is inconsistent it is passed to the previously acquired false alarm detection model to judge whether the vulnerability is a false alarm. This replaces the manual checking step of the existing process, effectively saving labor cost, improving processing efficiency, accuracy and the vulnerability recognition rate, shortening the research and development cycle, improving the correctness and stability of the code, and reducing the security risk of the service system.
Optionally, before performing bug detection on the codes in the service system through the SAST, a false alarm detection model needs to be acquired, so that whether the bug detected by the SAST is false alarm or not is determined by the false alarm detection model.
It should be understood that the false alarm detection model may be obtained in advance from another data storage device or may be trained in advance by the electronic device itself; the method of obtaining the false alarm detection model is not specifically limited in this application.
Fig. 2 is a schematic flow chart of a second embodiment of a vulnerability detection method provided in an embodiment of the present application. As shown in fig. 2, the vulnerability detection method may include the following steps:
S201, extracting features of the sample vulnerability corresponding to each sample code file in the plurality of sample code files, and obtaining, for each sample vulnerability, the identification of the sample vulnerability, the context of the sample vulnerability, the type of the sample vulnerability and the type of the sample code file.
In this step, the sample code files may be code files detected in history, and the sample vulnerabilities are the vulnerabilities obtained by scanning those sample code files with the SAST in history, where the sample vulnerabilities include false alarm vulnerabilities and non-false alarm vulnerabilities. False alarm vulnerabilities are the vulnerabilities wrongly reported when the SAST scans normal code, and non-false alarm vulnerabilities are the vulnerabilities obtained when the SAST scans code that actually contains the vulnerability.
It should be understood that the context and type of the sample vulnerability and the type of the sample code file may be explained with reference to the context and type of the vulnerability and the type of the code file in the embodiment shown in fig. 1, which is not described in detail herein.
S202, performing model training according to the identification, the context and the type of each sample vulnerability and the type of the sample code file to obtain a false alarm detection model.
In the training process, the identification, the context and the type of each sample vulnerability and the type of the sample code file form the training set required by model training, and whether the sample vulnerability is a false alarm vulnerability or a non-false alarm vulnerability is the label corresponding to each training sample. Model training is performed on this training set, thereby obtaining the false alarm detection model.
In the above embodiment, the code files historically scanned by the SAST are taken as the sample files, the vulnerabilities they produced are taken as the sample vulnerabilities, and model training is performed according to the identification, the context and the type of each sample vulnerability and the type of the sample code file, so that the trained false alarm detection model is able to identify whether a vulnerability is a false alarm. This reduces the subsequent manual processing and its labor cost, and improves the accuracy and efficiency of the subsequent processing.
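The training step S201-S202 carried through with a concrete model, as an added example written for this page. The patent does not say what kind of model is trained; a multinomial naive Bayes classifier over tokens of the four features is used here purely as a stand-in, and the historical samples, their identifiers and labels are constructed for the example. Nothing in this block is the patent's own code.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class SampleVuln:
    """One sample: the four model features plus the reviewer's label (None when unknown)."""
    identifier: str            # identification of the sample vulnerability
    context: str               # context of the sample vulnerability
    vuln_type: str             # type (scanning rule) of the sample vulnerability
    file_type: str             # type of the sample code file
    false_alarm: Optional[bool] = None   # True when reviewers marked it a false alarm


_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def tokenize(s: SampleVuln) -> List[str]:
    """Turn the four features into a bag of tokens for a naive Bayes model."""
    toks = [f"id={s.identifier}", f"type={s.vuln_type}", f"file={s.file_type}",
            f"pair={s.vuln_type}|{s.file_type}"]
    toks += [f"ctx={t.lower()}" for t in _IDENT.findall(s.context)]
    return toks


class FalseAlarmModel:
    """Multinomial naive Bayes with Laplace smoothing over the tokens above."""

    def __init__(self) -> None:
        self.class_counts: Counter = Counter()
        self.token_counts: Dict[bool, Counter] = {True: Counter(), False: Counter()}
        self.vocab: set = set()

    def train(self, samples: Iterable[SampleVuln]) -> "FalseAlarmModel":
        """Count tokens per label; may be called again later with newly reviewed samples."""
        for s in samples:
            if s.false_alarm is None:
                raise ValueError(f"sample {s.identifier} has no label")
            self.class_counts[s.false_alarm] += 1
            for t in tokenize(s):
                self.token_counts[s.false_alarm][t] += 1
                self.vocab.add(t)
        if self.class_counts[True] == 0 or self.class_counts[False] == 0:
            raise ValueError("training set needs both false alarm and non-false alarm samples")
        return self

    def log_scores(self, s: SampleVuln) -> Dict[bool, float]:
        """Log posterior (up to a constant) for each label."""
        n = sum(self.class_counts.values())
        scores = {}
        for label in (True, False):
            total = sum(self.token_counts[label].values())
            lp = math.log(self.class_counts[label] / n)
            for t in tokenize(s):
                if t not in self.vocab:        # never seen in training: no evidence either way
                    continue
                lp += math.log((self.token_counts[label][t] + 1) / (total + len(self.vocab)))
            scores[label] = lp
        return scores

    def is_false_alarm(self, s: SampleVuln) -> bool:
        scores = self.log_scores(s)
        return scores[True] > scores[False]


# Constructed history: reviewed SAST findings with their labels (not real data).
HISTORY = [
    SampleVuln("H-1", 'PreparedStatement ps = c.prepareStatement(sql); ps.setString(1, name); ResultSet rs = ps.executeQuery();', "SQL_INJECTION", "java", True),
    SampleVuln("H-2", 'String sql = "SELECT id FROM t WHERE k = ?"; PreparedStatement ps = c.prepareStatement(sql); ps.setInt(1, k);', "SQL_INJECTION", "java", True),
    SampleVuln("H-3", 'p = os.path.normpath(os.path.join(BASE, name)); if not p.startswith(BASE): raise ValueError; open(p)', "PATH_TRAVERSAL", "python", True),
    SampleVuln("H-4", 'String sql = "SELECT * FROM users WHERE name = \'" + name + "\'"; Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql);', "SQL_INJECTION", "java", False),
    SampleVuln("H-5", 'Statement st = c.createStatement(); st.execute("DELETE FROM t WHERE id = " + id);', "SQL_INJECTION", "java", False),
    SampleVuln("H-6", 'p = os.path.join(BASE, name); return open(p).read()', "PATH_TRAVERSAL", "python", False),
]


def train_from_history() -> FalseAlarmModel:
    return FalseAlarmModel().train(HISTORY)


def demo() -> Dict[str, bool]:
    """Two new, unreviewed findings scored by the trained model."""
    model = train_from_history()
    parameterised = SampleVuln("N-1", 'PreparedStatement ps = c.prepareStatement("SELECT * FROM a WHERE b = ?"); ps.setString(1, b); ps.executeQuery();', "SQL_INJECTION", "java")
    concatenated = SampleVuln("N-2", 'Statement st = c.createStatement(); ResultSet rs = st.executeQuery("SELECT * FROM a WHERE b = \'" + b + "\'");', "SQL_INJECTION", "java")
    return {"prepared_statement": model.is_false_alarm(parameterised),
            "string_concat": model.is_false_alarm(concatenated)}


if __name__ == "__main__":
    print(demo())
```

The label here is only ever what a reviewer decided, and the model learns which rule, language and surrounding tokens tend to accompany those decisions. Calling `train` again with newly reviewed findings is the retraining step of S312; a tie or an unseen vocabulary gives no evidence and the finding is not classified as a false alarm, so a finding is suppressed only with positive evidence.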
Based on the vulnerability detection method shown in any of the above embodiments, a concrete deployment of the method is described below by way of a specific example.
Fig. 3 is a schematic flow chart of a third embodiment of a vulnerability detection method provided in an embodiment of the present application. As shown in fig. 3, the vulnerability detection method may include the following steps:
S301, the first electronic device of the project group sends a code scanning request to the second electronic device of the security test center.
Correspondingly, the second electronic device receives the code scanning request.
S302, the second electronic equipment performs vulnerability detection on codes in the service system by using SAST according to the code scanning request to acquire vulnerability information.
S303, the second electronic equipment inquires the identifications of the false alarm information stored in the false alarm sub-library corresponding to the service system in the false alarm library.
S304, the second electronic device generates the identification of the vulnerability information from the content contained in the vulnerability information, and compares the identification of the vulnerability information with the identifications of the false alarm information stored in the false alarm sub-library. If they are consistent, the remaining steps are skipped; if they are inconsistent, the process proceeds to S305.
S305, the second electronic device inputs the identification, the context, the type and the type of the code file of the vulnerability into the false alarm detection model, and obtains a detection result output by the false alarm detection model.
S306, the second electronic device sends the vulnerability information and the detection result to the first electronic device.
Correspondingly, the first electronic device receives and displays the vulnerability information and the detection result.
S307, the first electronic device responds to the operation of the user and marks the vulnerability information, and the mark is used for explaining the detection result.
S308, the first electronic device sends the marked vulnerability information to the second electronic device.
Correspondingly, the second electronic device receives the marked vulnerability information.
S309, the second electronic device determines whether the vulnerability information is false report again in response to the operation of the user, if yes, then S310 is executed, and if not, S311 is executed.
S310, the second electronic device generates the identification of the vulnerability information, and stores the identification of the vulnerability information as the identification of the false alarm information into a corresponding false alarm sub-library in the false alarm library, and then S311 is executed.
S311, the second electronic device sends a rectifying instruction to the first electronic device, wherein the rectifying instruction is used for indicating relevant staff of the project group to rectify codes corresponding to the vulnerability information.
S312, the second electronic device generates a training set according to the vulnerability information, and trains the false alarm detection model based on the training set.
The following are device embodiments of the present application, which may be used to perform method embodiments of the present application. For details not disclosed in the device embodiments of the present application, please refer to the method embodiments of the present application.
Fig. 4 is a schematic structural diagram of a first embodiment of a vulnerability detection apparatus provided in an embodiment of the present application. As shown in fig. 4, the vulnerability detection apparatus 400 includes:
the detection module 401 is configured to perform vulnerability detection on a code in a service system by using static source code security scanning SAST, and obtain vulnerability information, where the vulnerability information is used to represent an identifier of a vulnerability and a location of the vulnerability in a code file.
The determining module 402 is configured to determine a context of the bug in the code file according to the bug information if the bug information is inconsistent with any false positive information stored in the false positive library, where the false positive information is the bug information detected in history.
The input module 403 is configured to input the identifier of the vulnerability, the context of the vulnerability, the type of the vulnerability and the type of the code file into a false alarm detection model, and to obtain a detection result output by the false alarm detection model, where the detection result is used to indicate whether the vulnerability is a false alarm, and the false alarm detection model is obtained by performing model training according to the identifier of each sample vulnerability, the context of the sample vulnerability, the type of the sample vulnerability, and the type of the sample code file in which the sample vulnerability is located.
In one possible design of the embodiment of the present application, the determining module 402 is further configured to:
if the vulnerability information is consistent with any false alarm information stored in the false alarm library, determine the vulnerability information to be false alarm vulnerability information.
The vulnerability detection device provided in the embodiment of the present application may be used to execute the vulnerability detection method in any of the above embodiments, and its implementation principle and technical effects are similar and are not described herein again.
Fig. 5 is a schematic structural diagram of a second embodiment of a vulnerability detection apparatus provided in an embodiment of the present application. As shown in fig. 5, for the stage after the identification of the vulnerability, the context of the vulnerability, the type of the vulnerability and the type of the code file have been input into the false alarm detection model and the detection result output by the false alarm detection model has been obtained, the vulnerability detection apparatus 400 further includes:
and the storage module 404 is configured to store the vulnerability information to the false alarm library if the detection result is used to indicate that the vulnerability information is false alarm.
In one possible design of the embodiment of the present application, the vulnerability information includes an identifier of the vulnerability, an identifier of the service system, a code file corresponding to the vulnerability, and a location of the vulnerability in the code file.
The vulnerability detection device provided in the embodiment of the present application may be used to execute the vulnerability detection method in any of the above embodiments, and its implementation principle and technical effects are similar and are not described herein again.
Fig. 6 is a schematic structural diagram of a third embodiment of a vulnerability detection apparatus provided in an embodiment of the present application. As shown in fig. 6, for the stage before vulnerability detection is performed on the code of the service system by SAST to obtain vulnerability information, the vulnerability detection apparatus 400 further includes:
the extracting module 405 is configured to perform feature extraction on a sample vulnerability corresponding to each sample code file in the plurality of sample code files, and obtain an identifier of the sample vulnerability corresponding to each sample vulnerability, a context of the sample vulnerability, a type of the sample vulnerability, and a type of the sample code file where the sample vulnerability is located.
The training module 406 is configured to perform model training according to the identifier of each sample vulnerability, the context of the sample vulnerability, the type of the sample vulnerability, and the type of the sample code file in which it is located, and to obtain a false alarm detection model.
In one possible design of the embodiment of the present application, the detection module 401 is specifically configured to:
acquire a code scanning request, wherein the code scanning request is used for scanning the code in the service system and determining the vulnerabilities in the code;
and perform vulnerability detection on the code in the service system according to the code scanning request to acquire the vulnerability information.
The vulnerability detection device provided in the embodiment of the present application may be used to execute the vulnerability detection method in any of the above embodiments, and its implementation principle and technical effects are similar and are not described herein again.
It should be noted that the division of the above apparatus into modules is merely a division of logical functions; the modules may be fully or partially integrated into one physical entity or may be physically separate. These modules may all be implemented as software invoked by a processing element, or entirely in hardware, or some modules as software invoked by a processing element and others in hardware. In addition, all or part of the modules may be integrated together or implemented independently. The processing element here may be an integrated circuit with signal processing capability. In implementation, each step of the above method, or each module above, may be carried out by an integrated logic circuit of the hardware in a processor element or by instructions in software form.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 7, the electronic device 700 may include a processor 701, a memory 702, and computer program instructions stored on the memory 702 and executable on the processor 701; when the processor 701 executes the computer program instructions, the vulnerability detection method provided by any of the previous embodiments is implemented.
Alternatively, the above-mentioned devices of the electronic apparatus 700 may be connected through a system bus.
The memory 702 may be a separate memory unit or may be a memory unit integrated into the processor. The number of processors is one or more.
Optionally, the electronic device 700 may also include interfaces to interact with other devices.
Such an interface may be a transceiver used for communicating with other computers, forming a communication interface.
It should be appreciated that the processor 701 may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the present application may be embodied directly in a hardware processor or in a combination of hardware and software modules within a processor.
The system bus may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, among others. The system bus may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one bold line is drawn in the figures, but this does not mean there is only one bus or only one type of bus. The memory may include random access memory (RAM) and may also include non-volatile memory (NVM), such as at least one disk memory.
All or part of the steps for implementing the method embodiments described above may be performed by hardware associated with program instructions. The foregoing program may be stored in a readable memory. The program, when executed, performs steps including the method embodiments described above; and the aforementioned memory (storage medium) includes: read-only memory (ROM), RAM, flash memory, hard disk, solid state disk, magnetic tape, floppy disk, optical disk (optical disc), and any combination thereof.
The electronic device provided in the embodiment of the present application may be used to execute the vulnerability detection method provided in any of the above method embodiments, and its implementation principle and technical effects are similar and are not described herein again.
The embodiment of the application provides a computer readable storage medium, wherein computer execution instructions are stored in the computer readable storage medium, and when the computer execution instructions run on a computer, the computer is caused to execute the vulnerability detection method.
The computer readable storage medium described above may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as static random access memory, electrically erasable programmable read-only memory, magnetic memory, flash memory, magnetic disk or optical disk. A readable storage medium can be any available medium that can be accessed by a general purpose or special purpose computer.
In the alternative, a readable storage medium is coupled to the processor such that the processor can read information from, and write information to, the readable storage medium. In the alternative, the readable storage medium may be integral to the processor. The processor and the readable storage medium may reside in an application specific integrated circuit (Application Specific Integrated Circuits, ASIC). The processor and the readable storage medium may reside as discrete components in a device.
Embodiments of the present application also provide a computer program product, where the computer program product includes a computer program, where the computer program is stored in a computer readable storage medium, and at least one processor may read the computer program from the computer readable storage medium, and the at least one processor may implement the above-mentioned vulnerability detection method when executing the computer program.
It is to be understood that the present application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (10)

1. A vulnerability detection method, comprising:
Performing vulnerability detection on codes in a service system through static source code security scanning SAST, and obtaining vulnerability information, wherein the vulnerability information is used for representing the identification of a vulnerability and the position of the vulnerability in a code file;
if the vulnerability information is inconsistent with any false alarm information stored in the false alarm library, determining the context of the vulnerability and the identity of the vulnerability in the code file according to the vulnerability information, wherein the false alarm information is the historically detected false alarm vulnerability information;
and inputting the identification, the context and the type of the vulnerability and the type of the code file into a false alarm detection model, and obtaining a detection result output by the false alarm detection model, wherein the detection result is used for indicating whether the vulnerability is false alarm or not, and the false alarm detection model is obtained by performing model training according to the identification, the context and the type of the sample vulnerability corresponding to each sample vulnerability and the type of the sample code file.
2. The method according to claim 1, wherein the method further comprises:
and if the vulnerability information is consistent with any false alarm information stored in the false alarm library, determining the vulnerability information as false alarm vulnerability information.
3. The method according to claim 1, wherein after the inputting of the identification, the context and the type of the vulnerability and the type of the code file into the false alarm detection model and the obtaining of the detection result output by the false alarm detection model, the method further comprises:
and if the detection result is used for indicating that the vulnerability information is false alarm, storing the vulnerability information into the false alarm library.
4. A method according to any of claims 1 to 3, wherein the vulnerability information comprises an identification of the vulnerability, an identification of the service system, a code file to which the vulnerability corresponds, and a location of the vulnerability in the code file.
5. A method according to any one of claims 1 to 3, wherein before the vulnerability detection is performed on the codes in the service system by the SAST to obtain vulnerability information, the method further comprises:
extracting characteristics of sample loopholes corresponding to each sample code file in a plurality of sample code files, and acquiring an identification of the sample loopholes, a context of the sample loopholes, a type of the sample loopholes and a type of the sample code files corresponding to each sample loophole, wherein the sample loopholes comprise false alarm loopholes and non-false alarm loopholes;
And performing model training according to the identification, the context and the type of the sample loopholes corresponding to each sample loophole and the type of the sample code file to obtain the false alarm detection model.
6. A method according to any one of claims 1 to 3, wherein the performing, by the SAST, vulnerability detection on the codes in the service system to obtain vulnerability information includes:
acquiring a code scanning request, wherein the code scanning request is used for scanning codes in the service system and determining loopholes in the codes;
executing the code scanning request, and performing vulnerability detection on codes in the service system through SAST to acquire the vulnerability information.
7. A vulnerability detection apparatus, comprising:
the detection module is used for carrying out vulnerability detection on codes in the service system through static source code security scanning SAST to obtain vulnerability information, wherein the vulnerability information is used for representing the identification of the vulnerability and the position of the vulnerability in a code file;
the determining module is used for determining the context of the vulnerability and the identification of the vulnerability in the code file according to the vulnerability information if the vulnerability information is inconsistent with any false alarm information stored in the false alarm library, wherein the false alarm information is the historically detected false alarm vulnerability information;
The input module is used for inputting the identification, the context and the type of the vulnerability and the type of the code file into a false alarm detection model, obtaining a detection result output by the false alarm detection model, wherein the detection result is used for indicating whether the vulnerability is false alarm or not, and the false alarm detection model is obtained by performing model training according to the identification, the context and the type of the sample vulnerability corresponding to each sample vulnerability and the type of the sample code file.
8. An electronic device, comprising: a processor, a memory and computer program instructions stored on the memory and executable on the processor, wherein the processor is configured to implement the vulnerability detection method of any one of claims 1 to 6 when executing the computer program instructions.
9. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are for implementing the vulnerability detection method of any one of claims 1 to 6.
10. A computer program product comprising a computer program for implementing the vulnerability detection method of any one of claims 1 to 6 when executed by a processor.
CN202310430639.2A 2023-04-19 2023-04-19 Vulnerability detection method, device, equipment, medium and program product Pending CN116415258A (en)


Publications (1)

Publication Number Publication Date
CN116415258A true CN116415258A (en) 2023-07-11

Family

ID=87056142



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination