CN117742897B - Method for automatically repairing vulnerabilities based on a container image


Info

Publication number
CN117742897B
CN117742897B
Authority
CN
China
Prior art keywords
mirror image
container mirror
container
information
vulnerability
Legal status
Active
Application number
CN202410188066.1A
Other languages
Chinese (zh)
Other versions
CN117742897A (en)
Inventor
孙仕棚
魏怀灏
张颖
张瑞强
徐佳
田园
刘坤灵
张羽萱
刘晓东
周庭宇
张旸
冯文强
康达
黄杰培
郭秋逸
Current Assignee
Chengdu Yuanlai Yunzhi Technology Co ltd
State Grid Sichuan Electric Power Co Ltd
Original Assignee
Chengdu Yuanlai Yunzhi Technology Co ltd
State Grid Sichuan Electric Power Co Ltd
Application filed by Chengdu Yuanlai Yunzhi Technology Co ltd and State Grid Sichuan Electric Power Co Ltd
Priority to CN202410188066.1A
Publication of CN117742897A
Application granted
Publication of CN117742897B
Legal status: Active (current)
Anticipated expiration

Classifications

    • Y: General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests
    • Y02: Technologies or applications for mitigation or adaptation against climate change
    • Y02D: Climate change mitigation technologies in information and communication technologies [ICT], i.e. information and communication technologies aiming at the reduction of their own energy use
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to the field of computer technology and provides a method for automatically repairing vulnerabilities based on a container image. The running-environment feature information of the container image is used to judge whether the image is currently in a state of being called by a tenant terminal, so that vulnerability detection can be targeted separately at the called and the not-called cases. When the image is not in the called state, it is scanned on the basis of the container image usage log of the server terminal where it is currently stored, and its vulnerability information is determined. When the image is in the called state, the file write attribute information of the image is obtained from the task processing log of the tenant terminal where it is currently located, the image is scanned and its vulnerability information is determined, so that vulnerability detection of the image is achieved under different scenarios. Vulnerability repair is then performed on the basis of the file vulnerability status information of the image, achieving accurate and rapid vulnerability detection and repair of the container image.

Description

Method for automatically repairing vulnerabilities based on a container image
Technical Field
The invention relates to the field of computer technology, and in particular to a method for automatically repairing container image vulnerabilities.
Background
A container image is a file system obtained by packaging program code together with its running environment in a standardized way; it is a static resource and is stored on a corresponding server terminal. When an external tenant terminal needs to run the corresponding program code while processing a task, it calls the corresponding container image from the server terminal, which assists in completing the task. While stored on the server terminal or while being called by a tenant terminal, the container image may be intruded upon, so that, for example, program code in the image is lost. If the image continues to be called to process tasks after such a vulnerability has arisen, the accuracy and reliability of the tenant terminal's task processing cannot be guaranteed, and a potential data security hazard is created for both the server terminal and the tenant terminal. Accurate and rapid vulnerability detection and repair of container images is therefore required in order to improve their security and usability.
Disclosure of Invention
To address the shortcomings of the prior art, the invention provides a method for automatically repairing vulnerabilities based on a container image. The running-environment feature information of the container image is used to judge whether the image is in a state of being called by a tenant terminal, so that subsequent vulnerability detection can be targeted separately at the called and the not-called cases. When the image is not in the called state, it is scanned on the basis of the container image usage log of the server terminal where it is currently stored, and its vulnerability information is determined. When the image is in the called state, the file write attribute information of the image is obtained from the task processing log of the tenant terminal where it is currently located, the image is scanned and its vulnerability information is determined, so that vulnerability detection of the image is achieved under different scenarios. Vulnerability repair is then performed on the basis of the file vulnerability status information of the image, achieving accurate and rapid vulnerability detection and repair of the container image and improving its security and usability.
The method for automatically repairing container image vulnerabilities provided by the invention comprises the following steps:
Step S1: detect the running environment of a container image to obtain its running-environment feature information; based on that feature information, judge whether the container image is in a state of being called by a tenant terminal, and mark the image accordingly.
Step S2: when the container image is not in a state of being called by a tenant terminal, obtain the container image usage log of the server terminal where the image is currently stored; analyze the usage log to determine abnormal-use event feature information of the image over its usage history; based on that information, scan the image and determine its vulnerability information.
Step S3: when the container image is in a state of being called by a tenant terminal, obtain the task processing log of the tenant terminal where the image is currently located; analyze the task processing log to determine the file write attribute information of the image for the current work process; based on that information, scan the image and determine its vulnerability information.
Step S4: based on the vulnerability information of the container image, perform file identification on the image to obtain the corresponding file vulnerability status information; based on that status information, perform vulnerability repair on the image.
In one embodiment of the disclosure, in step S1, detecting the running environment of the container image to obtain its running-environment feature information comprises:
sampling the system files of the image's current running environment to obtain a plurality of system file data items; identifying the data editing state of each item to obtain its latest update time; if the latest update time falls within a preset time interval, determining the item to be valid system file data, and otherwise not; and identifying the data type of all valid system file data to obtain the necessary software type information of the running environment where the image is currently located, which is taken as the running-environment feature information.
In one embodiment of the disclosure, in step S1, judging on the basis of the running-environment feature information whether the container image is in a state of being called by a tenant terminal, and marking the image accordingly, comprises:
comparing the necessary software type information with the catalog of software required for operation of the server terminal that generated the container image; if the two are consistent, judging that the image is not in a state of being called by a tenant terminal, and if they are inconsistent, judging that it is; and then marking, so as to distinguish them, all container images that are not in the called state and all container images that are in the called state.
In one embodiment of the disclosure, in step S2, obtaining the container image usage log of the server terminal where the image is currently stored, when the image is not in a state of being called by a tenant terminal, comprises:
when the container image is not in the called state, searching the log storage space of the server terminal where the image is currently stored, using the identity information of the image as the key, to obtain the corresponding container image usage log.
In one embodiment of the disclosure, in step S2, analyzing the container image usage log to determine abnormal-use event feature information of the image over its usage history comprises:
analyzing the usage log to obtain the call duration interval of each call of the container image by a tenant terminal in its usage history; and if the length of a call duration interval exceeds a preset duration threshold, taking that interval as abnormal-use event occurrence time information of the image.
In one embodiment of the disclosure, in step S2, scanning the container image on the basis of the abnormal-use event feature information to determine its vulnerability information comprises:
based on the abnormal-use event occurrence time information, scanning those data parts of the container image that changed during the abnormal-use time intervals, and determining the vulnerability information of the image.
In one embodiment of the disclosure, in step S3, obtaining the task processing log of the tenant terminal where the container image is currently located when the image is in a state of being called by that tenant terminal, and analyzing the task processing log to determine the file write attribute information of the image for the current work process, comprises:
when the container image is in the called state, obtaining the running logs of all application programs belonging to the tenant terminal where the image is currently located; analyzing the running log of each application program to judge whether its run contains a container image call flow; and if it does, obtaining the task processing log in which that application program executes the container image call flow;
and analyzing all task processing logs so obtained to determine the storage interval position information of the files written into the container image during the current work process, which is taken as the file write attribute information.
In one embodiment of the disclosure, in step S3, scanning the container image on the basis of the file write attribute information to determine its vulnerability information comprises:
based on the storage interval position information, scanning the data stored in the corresponding storage intervals of the container image, and determining the vulnerability information of the image.
In one embodiment of the disclosure, in step S4, performing file identification on the container image on the basis of its vulnerability information to obtain the corresponding file vulnerability status information comprises:
determining, from the vulnerability information of the container image, all files in the image that contain a data vulnerability; and performing file identification on each such file to obtain the data vulnerability type information corresponding to that file.
In one embodiment of the disclosure, in step S4, performing vulnerability repair on the container image on the basis of the file vulnerability status information comprises:
based on the data vulnerability type information, calling the corresponding container plug-in and loading it into the container image to perform the vulnerability repair.
Compared with the prior art, the method for automatically repairing vulnerabilities based on a container image judges, from the running-environment feature information of the image, whether the image is in a state of being called by a tenant terminal, so that subsequent vulnerability detection can be targeted separately at the called and the not-called cases; when the image is not in the called state, it is scanned on the basis of the container image usage log of the server terminal where it is currently stored and its vulnerability information is determined; when the image is in the called state, its file write attribute information is obtained from the task processing log of the tenant terminal where it is currently located, the image is scanned and its vulnerability information is determined, so that vulnerability detection of the image is achieved under different scenarios; and vulnerability repair is performed on the basis of the file vulnerability status information of the image, achieving accurate and rapid vulnerability detection and repair of the container image and improving its security and usability.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
The technical scheme of the invention is further described in detail through the drawings and the embodiments.
Drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings required for the embodiments or for the description of the prior art are briefly introduced below. The drawings described below show only some embodiments of the invention; a person skilled in the art could obtain other drawings from them without inventive effort.
Fig. 1 is a schematic flow chart of the method for automatically repairing vulnerabilities based on a container image.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to Fig. 1, which is a flow chart of the method for automatically repairing vulnerabilities based on a container image according to an embodiment of the invention, the method comprises the following steps:
Step S1: detect the running environment of a container image to obtain its running-environment feature information; based on that feature information, judge whether the container image is in a state of being called by a tenant terminal, and mark the image accordingly.
Step S2: when the container image is not in a state of being called by a tenant terminal, obtain the container image usage log of the server terminal where the image is currently stored; analyze the usage log to determine abnormal-use event feature information of the image over its usage history; based on that information, scan the image and determine its vulnerability information.
Step S3: when the container image is in a state of being called by a tenant terminal, obtain the task processing log of the tenant terminal where the image is currently located; analyze the task processing log to determine the file write attribute information of the image for the current work process; based on that information, scan the image and determine its vulnerability information.
Step S4: based on the vulnerability information of the container image, perform file identification on the image to obtain the corresponding file vulnerability status information; based on that status information, perform vulnerability repair on the image.
The method judges, from the running-environment feature information of the container image, whether the image is in a state of being called by a tenant terminal, so that subsequent vulnerability detection can be targeted separately at the called and the not-called cases; when the image is not in the called state, it is scanned on the basis of the container image usage log of the server terminal where it is currently stored and its vulnerability information is determined; when the image is in the called state, its file write attribute information is obtained from the task processing log of the tenant terminal where it is currently located, the image is scanned and its vulnerability information is determined, so that vulnerability detection of the image is achieved under different scenarios; and vulnerability repair is performed on the basis of the file vulnerability status information of the image, achieving accurate and rapid vulnerability detection and repair of the container image and improving its security and usability.
Preferably, in the step S1, the running environment detection is performed on the container image to obtain the running environment feature information of the container image, including:
Sampling the system file of the current running environment of the container mirror image to obtain a plurality of system file data; carrying out data editing state identification on the system file data to obtain the latest updating time of the system file data; if the latest updating time is in the preset time interval, determining the system file data as effective system file data; otherwise, the system file data is not determined to be valid system file data; and then carrying out data type identification on all the valid system file data to obtain the necessary software type information of the running environment where the container mirror image is currently located, and taking the necessary software type information as the characteristic information of the running environment.
In the technical scheme, the system file in the current running environment of the container mirror image is sampled to obtain a plurality of system file data, and the system file data can represent the state type of the current running environment of the container mirror image. And carrying out data editing state identification on the system file data to obtain the latest updating time of the system file data, so that the timeliness of the system file data can be accurately identified. Comparing the latest updating time with a preset time interval, judging whether the system file data belongs to the effective system file data, so that the data type identification of the effective system file data can be ensured to be accurately carried out later, the necessary software type information of the current running environment of the container mirror image is obtained, and the accurate identification of the running environment of the container mirror image is realized.
Preferably, in the step S1, based on the running environment feature information, it is determined whether the container image is in a state called by the tenant terminal, so as to perform identification processing on the container image, including:
Comparing the necessary software type information with an operation necessary software catalog of a server terminal generating the container mirror image, and if the necessary software type information is consistent with the operation necessary software catalog of the server terminal generating the container mirror image, judging that the container mirror image is not in a state called by a tenant terminal; if the two images are inconsistent, judging that the container mirror image is in a state called by the tenant terminal; and then distinguishing and identifying all the container images which are not in the calling state of the tenant terminal and all the container images in the calling state of the tenant terminal.
In the above technical solution, the necessary software type information is compared with an operation necessary software directory of a server terminal generating the container mirror image, so as to realize software state comparison between an operation environment where the container mirror image is located and an operation environment which can be provided by the server terminal, thereby accurately judging whether the container mirror image is in a state called by a tenant terminal, and when the container mirror image is called by the tenant terminal (i.e., the container mirror image is located inside the tenant terminal), the necessary software type information is inconsistent with the operation necessary software directory of the server terminal generating the container mirror image; when the container mirror image is not called by the tenant terminal, the necessary software type information is consistent with the operation necessary software catalog of the server terminal generating the container mirror image, so that the operation environment where the container mirror image is located can be effectively and accurately distinguished and identified.
Preferably, in the step S2, when the container image is not in a state of being invoked by the tenant terminal, obtaining a container image usage log of the server terminal where the container image is currently located includes:
And when the container mirror image is not in the call state of the tenant terminal, searching the log storage space of the server terminal where the container mirror image is currently positioned based on the identity information of the container mirror image to obtain a corresponding container mirror image use log.
In the above technical solution, when the container mirror image is not in the invoked state of the tenant terminal, the log storage space of the server terminal where the container mirror image is currently located is searched with reference to the identity information of the container mirror image, so as to obtain a corresponding container mirror image use log, and thus, it can be ensured that the container mirror image use log accurately characterizes the container mirror image use accuracy.
Preferably, in the step S2, the analysis is performed on the usage log of the container image to determine abnormal usage event feature information of the container image during the history of use, including:
Analyzing the container mirror image use log to obtain a corresponding calling duration time interval when the container mirror image is called by the tenant terminal each time in the history use process; and if the time length of the calling duration time interval is greater than the preset time length threshold, taking the corresponding calling duration time interval as abnormal use event occurrence time information of the container mirror image in the history use process.
In the technical scheme, the container mirror image use log is analyzed to obtain a calling duration time interval corresponding to each time the container mirror image is called by the tenant terminal in the history use process, threshold value comparison is carried out on the calling duration time interval, the calling duration time interval with the time length being greater than the preset time length threshold value is used as abnormal use event occurrence time information of the container mirror image in the history use process, and accurate calibration of the abnormal event occurrence time information is achieved.
Preferably, in the step S2, based on the abnormal usage event feature information, the container image is scanned, and vulnerability information of the container image is determined, including:
Based on the abnormal use event occurrence time information, scanning the data part of the container mirror image, which corresponds to the change of the time interval of the abnormal use time, to determine the vulnerability information of the container mirror image.
According to the technical scheme, based on the abnormal use event occurrence time information, the data part of the container mirror image, which corresponds to the change of the time interval of the abnormal use time, is scanned, and the vulnerability information of the container mirror image is determined, so that the vulnerability problem generated by the container mirror image which is not called by the tenant terminal can be accurately identified.
Preferably, in the step S3, when the container image is in a state of being called by the tenant terminal, a task processing log of the tenant terminal where the container image is currently located is obtained; analyzing the task processing log to determine file writing attribute information of the container mirror image in the current working process, wherein the method comprises the following steps:
When the container mirror image is in a state of being called by the tenant terminal, acquiring running logs of all application programs subordinate to the tenant terminal where the container mirror image is currently located; analyzing the running log of each application program, and judging whether the application program contains a container mirror image calling flow in the running process; if so, acquiring a task processing log of the application program execution container mirror image calling flow;
And analyzing all the acquired task processing logs to obtain storage interval position information of the container mirror image for storing the written file in the current working process, and taking the storage interval position information as the written attribute information of the file.
In the technical scheme, when the container mirror image is in the invoked state of the tenant terminal, the running logs of all application programs subordinate to the tenant terminal where the container mirror image is currently located are obtained, the running logs are analyzed, whether the application program contains a container mirror image invoking flow or not in the running process is identified, so that the task processing logs where the application program executes the container mirror image invoking flow are accurately screened out, the storage interval position information of the writing file in the container mirror image in the current working process is accurately determined later, and the writing storage state of the file of the container mirror image is comprehensively identified.
Preferably, in the step S3, based on the file writing attribute information, scanning is performed on the container image to determine vulnerability information of the container image, including:
And based on the storage interval position information, scanning the data stored in the corresponding storage interval in the container mirror image, and determining vulnerability information of the container mirror image.
According to the technical scheme, based on the storage interval position information, the data stored in the storage interval corresponding to the inside of the container mirror image are scanned, and the vulnerability information of the container mirror image is determined, so that vulnerability problems generated by the container mirror image called by the tenant terminal can be accurately identified.
Preferably, in the step S4, file identification processing is performed on the container image based on the vulnerability information of the container image, so as to obtain corresponding file vulnerability status information, including:
Determining all files with data vulnerabilities in the container mirror image based on the vulnerability information of the container mirror image; and respectively carrying out file identification processing on all files with data vulnerabilities to obtain the data vulnerability type information corresponding to each file.
In this technical scheme, all files with data vulnerabilities in the container mirror image are determined based on the vulnerability information of the container mirror image, and file identification processing is then carried out on all files with data vulnerabilities to obtain the data vulnerability type information corresponding to each file, so that the file data vulnerability types of the container mirror image are accurately and comprehensively determined.
Preferably, in the step S4, based on the file vulnerability status information, vulnerability restoration processing is performed on the container image, including:
Based on the data vulnerability type information, a corresponding container plug-in is called, and the container plug-in is loaded in the container mirror image to carry out vulnerability restoration processing.
According to the technical scheme, based on the data vulnerability type information, the corresponding container plug-in is called, and the container plug-in is loaded in the container mirror image to carry out vulnerability restoration processing, so that the current vulnerability of the container mirror image can be timely and accurately restored, and the vulnerability restoration efficiency and reliability of the container mirror image are improved to the greatest extent.
According to this embodiment, the method for realizing automatic vulnerability restoration based on the container mirror image judges whether the container mirror image is in the invoked state of the tenant terminal based on the running environment characteristic information of the container mirror image, which facilitates subsequent targeted vulnerability detection for the invoked and non-invoked situations of the container mirror image. When the container mirror image is not in the called state, the container mirror image is scanned based on the container mirror image use log of the server terminal where the container mirror image is currently located, and the vulnerability information of the container mirror image is determined; when the container mirror image is in the called state, the file writing attribute information of the container mirror image is obtained based on the task processing log of the tenant terminal where the container mirror image is currently located, the container mirror image is scanned, and the vulnerability information of the container mirror image is determined, so that vulnerability detection of the container mirror image under different scenarios is realized. Vulnerability restoration is then performed based on the file vulnerability status information of the container mirror image, so that accurate and rapid vulnerability detection and restoration of the container mirror image are realized and the safety and usability of the container mirror image are improved.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also includes such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (7)

1. A method for realizing automatic repair of container mirror image vulnerabilities, characterized by comprising the following steps:
Step S1, detecting the running environment of a container mirror image to obtain the running environment characteristic information of the container mirror image, wherein the necessary software type information of the running environment of the container mirror image is used as the running environment characteristic information; judging whether the container mirror image is in a state called by the tenant terminal or not based on the running environment characteristic information, so as to perform identification processing on the container mirror image, wherein the identification processing comprises comparing the necessary software type information with the running necessary software catalog of the server terminal that generated the container mirror image, and judging that the container mirror image is not in the state called by the tenant terminal if the necessary software type information is consistent with the running necessary software catalog of the server terminal that generated the container mirror image; if the two are inconsistent, judging that the container mirror image is in the state called by the tenant terminal; then distinguishing and identifying all container mirror images which are not in the called state of the tenant terminal and all container mirror images which are in the called state of the tenant terminal;
Step S2, when the container mirror image is not in a state called by the tenant terminal, acquiring a container mirror image use log of a server terminal where the container mirror image is currently located; analyzing the use log of the container mirror image to determine abnormal use event characteristic information of the container mirror image in the history use process; scanning the container mirror image based on the abnormal use event characteristic information to determine vulnerability information of the container mirror image, wherein the vulnerability information of the container mirror image is determined by scanning a data part of the container mirror image, which corresponds to and is changed in a time interval when the abnormal use event occurs, based on the abnormal use event occurrence time information;
Step S3, when the container mirror image is in a state of being called by the tenant terminal, acquiring a task processing log of the tenant terminal where the container mirror image is currently located; analyzing the task processing log, and determining file writing attribute information of the container mirror image in the current working process, wherein storage interval position information of the container mirror image for storing the writing file in the current working process is used as the file writing attribute information; based on the file writing attribute information, scanning the container mirror image to determine vulnerability information of the container mirror image, including scanning data stored in a corresponding storage section in the container mirror image based on the storage section position information to determine vulnerability information of the container mirror image;
Step S4, carrying out file identification processing on the container mirror image based on the vulnerability information of the container mirror image to obtain corresponding file vulnerability state information; and performing vulnerability restoration processing on the container mirror image based on the file vulnerability status information.
2. The method for implementing automatic repair of container mirror image vulnerabilities according to claim 1, wherein the method comprises the following steps:
In the step S1, performing an operation environment detection on a container image to obtain operation environment feature information of the container image, including:
Sampling the system file of the current running environment of the container mirror image to obtain a plurality of system file data; carrying out data editing state identification on the system file data to obtain the latest updating time of the system file data; if the latest updating time is in the preset time interval, determining the system file data as effective system file data; otherwise, the system file data is not determined to be valid system file data; and then carrying out data type identification on all the valid system file data to obtain the necessary software type information of the current running environment of the container mirror image.
3. The method for implementing automatic repair of container mirror image vulnerabilities according to claim 1, wherein the method comprises the following steps:
In the step S2, when the container mirror image is not in the invoked state of the tenant terminal, obtaining the container mirror image usage log of the server terminal where the container mirror image is currently located, including:
And when the container mirror image is not in the called state of the tenant terminal, searching the log storage space of the server terminal where the container mirror image is currently located based on the identity information of the container mirror image to obtain the corresponding container mirror image use log.
4. The method for implementing automatic repair of container mirror image vulnerabilities according to claim 3, wherein:
In the step S2, the container image usage log is analyzed to determine abnormal usage event feature information of the container image in the history use process, including:
Analyzing the container mirror image use log to obtain a corresponding calling duration interval when the container mirror image is called by the tenant terminal each time in the history use process; and if the time length of the calling duration time interval is greater than a preset time length threshold, taking the corresponding calling duration time interval as abnormal use event occurrence time information of the container mirror image in the history use process.
5. The method for implementing automatic repair of container mirror image vulnerabilities according to claim 1, wherein the method comprises the following steps:
In the step S3, when the container mirror image is in the state of being called by the tenant terminal, the task processing log of the tenant terminal where the container mirror image is currently located is obtained; analyzing the task processing log to determine the file writing attribute information of the container mirror image in the current working process comprises the following steps:
When the container mirror image is in the state of being called by the tenant terminal, acquiring the running logs of all application programs subordinate to the tenant terminal where the container mirror image is currently located; analyzing the running log of each application program, and judging whether the application program contains a container mirror image call flow in its running process; if so, acquiring the task processing log in which the application program executes the container mirror image call flow;
And analyzing all the acquired task processing logs to obtain storage interval position information of the container mirror image for storing the written file in the current working process.
6. The method for implementing automatic repair of container mirror image vulnerabilities according to claim 1, wherein the method comprises the following steps:
In the step S4, file identification processing is performed on the container mirror image based on the vulnerability information of the container mirror image, so as to obtain corresponding file vulnerability status information, including:
Determining all files with data vulnerabilities in the container mirror image based on the vulnerability information of the container mirror image; and respectively carrying out file identification processing on all files with data vulnerabilities to obtain the data vulnerability type information corresponding to each file.
7. The method for implementing automatic repair of container mirror image vulnerabilities according to claim 6, wherein the method comprises the following steps:
In the step S4, performing vulnerability restoration processing on the container image based on the file vulnerability status information, including:
And based on the data vulnerability type information, a corresponding container plug-in is called, and the container plug-in is loaded in the container mirror image to carry out vulnerability restoration processing.
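The claim-1 pipeline end to end (S1 state judgement, S2 or S3 region selection, region-limited scan, S4 plug-in mapping) as an added Python walk-through; this is illustrative code written for this page, not the patent's own implementation, and the signatures, plug-in names, duration threshold, task-log format and image contents are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed scanner signatures (hypothetical): byte pattern -> vulnerability type.
SIGNATURES = {b"TELNET_ENABLED": "insecure-service", b"PASSWD_PLAIN": "plaintext-credential"}
# Constructed S4 mapping (hypothetical): vulnerability type -> repair plug-in to load.
REPAIR_PLUGINS = {"insecure-service": "disable-telnet-plugin",
                  "plaintext-credential": "secret-scrub-plugin"}
CALL_DURATION_THRESHOLD = 300  # seconds; claim 4's "preset duration threshold" (assumed value)

@dataclass
class Image:
    name: str
    required_software: set[str]   # S1 running-environment feature information
    data: bytes                   # flattened image contents (constructed)
    # (write_time, start, end): data ranges rewritten at a given time, used on the S2 path
    changes: list[tuple[int, int, int]] = field(default_factory=list)

def is_invoked(image: Image, server_catalog: list[str]) -> bool:
    """S1: invoked by a tenant when the required-software set differs from the server catalog."""
    return image.required_software != set(server_catalog)

def abnormal_intervals(usage_log, threshold=CALL_DURATION_THRESHOLD):
    """S2 / claim 4: call intervals (start, end) whose duration exceeds the threshold."""
    return [(s, e) for s, e in usage_log if e - s > threshold]

def regions_from_usage(image: Image, usage_log):
    """S2: scan only data ranges that were changed inside an abnormal call interval."""
    bad = abnormal_intervals(usage_log)
    return [(a, b) for t, a, b in image.changes if any(s <= t <= e for s, e in bad)]

def regions_from_tasks(task_logs: list[str]):
    """S3 / claim 5: storage intervals of files written in the current job, parsed
    from constructed 'WRITE <path> <start> <end>' task-log lines."""
    regions = []
    for log in task_logs:
        for line in log.splitlines():
            if line.startswith("WRITE "):
                _, _path, start, end = line.split()
                regions.append((int(start), int(end)))
    return regions

def scan(image: Image, regions) -> dict[tuple[int, int], str]:
    """Scan only the selected regions; returns {region: vulnerability type}."""
    found = {}
    for a, b in regions:
        for sig, vtype in SIGNATURES.items():
            if sig in image.data[a:b]:
                found[(a, b)] = vtype
    return found

def run_pipeline(image, server_catalog, usage_log, task_logs):
    """Claim 1 end to end: pick the S2 or S3 region source, scan, map findings to plug-ins."""
    regions = (regions_from_tasks(task_logs) if is_invoked(image, server_catalog)
               else regions_from_usage(image, usage_log))
    return {r: REPAIR_PLUGINS[v] for r, v in scan(image, regions).items()}

# Constructed sample: signatures planted at offsets 100 and 200 of a 300-byte image.
SAMPLE_IMAGE = Image("app:1.0", {"nginx", "openssl"},
                     b"\x00" * 100 + b"TELNET_ENABLED" + b"\x00" * 86 + b"PASSWD_PLAIN" + b"\x00" * 88,
                     changes=[(1000, 96, 120), (5000, 190, 220)])
SERVER_CATALOG = ["nginx", "openssl"]    # matches the image -> not invoked, S2 path
USAGE_LOG = [(900, 1500), (4900, 5000)]  # first call lasts 600 s (> threshold), second 100 s
TASK_LOGS = ["START job-7\nWRITE /etc/passwd 190 220\nDONE"]  # constructed tenant task log
```

With `SERVER_CATALOG` the image is not invoked, so only the range rewritten during the 600 s call is scanned; passing a catalog of `["nginx"]` flips the image to the invoked state and the scan is driven by the task-log write interval instead.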
CN202410188066.1A 2024-02-20 2024-02-20 Method for realizing automatic repair of vulnerability based on container mirror image Active CN117742897B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410188066.1A CN117742897B (en) 2024-02-20 2024-02-20 Method for realizing automatic repair of vulnerability based on container mirror image

Publications (2)

Publication Number Publication Date
CN117742897A (en) 2024-03-22
CN117742897B (en) 2024-04-26

Family

ID=90254900

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010244241A (en) * 2009-04-03 2010-10-28 Nec Corp Mirroring restoration device, method and program, and mirroring system
CN111625834A (en) * 2020-05-15 2020-09-04 深圳开源互联网安全技术有限公司 System and method for detecting vulnerability of Docker mirror image file
WO2021003982A1 (en) * 2019-07-05 2021-01-14 深圳壹账通智能科技有限公司 Service system vulnerability processing method and apparatus, computer device, and storage medium
CN114189349A (en) * 2021-10-19 2022-03-15 广东南方通信建设有限公司 Safety monitoring and early warning platform, safety monitoring and early warning method and storage medium
CN114205218A (en) * 2021-12-16 2022-03-18 杭州谐云科技有限公司 Method and system for diagnosing container network fault
CN116541198A (en) * 2023-05-06 2023-08-04 中国工商银行股份有限公司 Container repairing method and device, computer storage medium and electronic equipment
CN117421152A (en) * 2023-11-08 2024-01-19 中国工商银行股份有限公司 Container abnormality detection method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220329616A1 (en) * 2017-11-27 2022-10-13 Lacework, Inc. Using static analysis for vulnerability detection
TWI677804B (en) * 2017-11-29 2019-11-21 財團法人資訊工業策進會 Computer device and method of identifying whether container behavior thereof is abnormal

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Preeti Mishra et al.; Intrusion detection techniques in cloud environment: a survey; Journal of Network and Computer Applications; 2016-10-20; 18-47 *
陈仲磊 et al.; Research on intrusion detection technology based on system calls; 《网络安全技术与应用》 (Network Security Technology & Application); 2022-03-14 (No. 03); 1-6 *
饶志宏 et al.; Research concept and outlook on results of software and system vulnerability analysis and discovery technology; 《工程科学与技术》 (Advanced Engineering Sciences); 2018-01-19; Vol. 50 (No. 01); 9-21 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant