TWI805514B - Traceability system and its method - Google Patents
Traceability system and its method
- Publication number: TWI805514B (application TW111140032A)
- Authority: TW (Taiwan)
- Prior art keywords: container image, server, file, image file, container
Abstract
A traceability system comprises: a first container image registry; and a server that accesses the first container image registry and is communicatively connected to a second container image registry; wherein the server receives a first container image from the second container image registry and performs a security check on the first container image to generate security confirmation data; wherein the server generates a second container image based on the first container image and the security confirmation data, and stores the second container image in the first container image registry; wherein the second container image comprises the first container image and a first hidden-code image file, and the first hidden-code image file comprises first string data.
Description
The present invention relates to a traceability system and method, and in particular to a traceability system and method that can ensure that every container image (image, or container image file) stored and/or used inside the system is a container image that has already met information security requirements.
With conventional container image technology, users can download the container images they need from different container image registries and modify or adjust their contents as required. For an enterprise, however, if it cannot ensure that every container image downloaded by its employees is a safe and reliable one, its information security may suffer serious harm. In view of this, a traceability system and method is needed that can ensure that every container image stored and/or used inside the system has met information security requirements.
To solve the above problem, one concept of the present invention is to provide a traceability system and method that can ensure that every container image stored and/or used inside the system is a container image that has met information security requirements.
Based on the above concept, the present invention provides a traceability system comprising: a first container image registry; and a server that accesses the first container image registry and is communicatively connected to a second container image registry; wherein the server receives a first container image from the second container image registry and performs a security check on the first container image to generate security confirmation data; wherein the server generates a second container image based on the first container image and the security confirmation data, and stores the second container image in the first container image registry; wherein the second container image comprises the first container image and a first hidden-code image file, and the first hidden-code image file comprises first string data.
In a preferred embodiment of the present invention, the server converts the first container image into a first container image source file; wherein the server causes the first container image source file to include the first hidden-code image file, and converts the first container image source file together with the first hidden-code image file into the second container image.
In a preferred embodiment of the present invention, the first container image registry stores path record data, and the path record data indicates a specific path; wherein the server, based on the path record data, associates the first hidden-code image file with the specific path in the first container image source file.
In a preferred embodiment of the present invention, the server receives a verification command and, based on the verification command, converts the second container image into a second container image source file; wherein the server obtains the first hidden-code image file from the second container image source file and obtains the first string data from the first hidden-code image file; wherein the server generates first verification success data based on the first string data matching security string data.
In a preferred embodiment of the present invention, the first container image registry stores path record data, and the path record data indicates a specific path; wherein the server, based on the path record data, obtains the first hidden-code image file from the specific path in the second container image source file.
In a preferred embodiment of the present invention, the first container image registry stores path record data, and the path record data indicates a specific path; wherein the traceability system further comprises a computer device that accesses the first container image registry and is communicatively connected to the server, the computer device transmitting a third container image to the server; wherein the server converts the third container image into a third container image source file and, based on the third container image source file and the path record data, decides whether to store the third container image in the first container image registry.
In a preferred embodiment of the present invention, the server obtains a second hidden-code image file from the specific path of the third container image source file and obtains second string data from the second hidden-code image file; wherein the server stores the third container image in the first container image registry based on the second string data matching security string data.
In a preferred embodiment of the present invention, the server decides not to store the third container image in the first container image registry based on the specific path in the third container image source file not having a second hidden-code image file.
In a preferred embodiment of the present invention, the server obtains a second hidden-code image file from the specific path of the third container image source file and obtains second string data from the second hidden-code image file; wherein the server decides not to store the third container image in the first container image registry based on the second string data not matching security string data.
According to the purpose of the present invention, a traceability system is further provided, comprising: a first container image registry storing path record data, the path record data indicating a specific path; a server accessing the first container image registry; and a computer device accessing the first container image registry and communicatively connected to the server, the computer device transmitting a third container image to the server; wherein the server converts the third container image into a third container image source file and, based on the third container image source file and the path record data, decides whether to store the third container image in the first container image registry.
In a preferred embodiment of the present invention, the server obtains a second hidden-code image file from the specific path of the third container image source file and obtains second string data from the second hidden-code image file; wherein the server stores the third container image in the first container image registry based on the second string data matching security string data.
In a preferred embodiment of the present invention, the server decides not to store the third container image in the first container image registry based on the specific path in the third container image source file not having a second hidden-code image file.
In a preferred embodiment of the present invention, the server obtains a second hidden-code image file from the specific path of the third container image source file and obtains second string data from the second hidden-code image file; wherein the server decides not to store the third container image in the first container image registry based on the second string data not matching security string data.
According to the purpose of the present invention, a traceability method is further provided, applied to a traceability system comprising a first container image registry and a server, the server accessing the first container image registry and being communicatively connected to a second container image registry; the traceability method comprises the following steps: receiving, by the server, a first container image from the second container image registry; performing, by the server, a security check on the first container image to generate security confirmation data; generating, by the server, a second container image based on the first container image and the security confirmation data; and storing, by the server, the second container image in the first container image registry; wherein the second container image comprises the first container image and a first hidden-code image file, and the first hidden-code image file comprises first string data.
In a preferred embodiment of the present invention, the traceability method further comprises the following steps: converting, by the server, the first container image into a first container image source file; causing, by the server, the first container image source file to include the first hidden-code image file; and converting, by the server, the first container image source file together with the first hidden-code image file into the second container image.
In a preferred embodiment of the present invention, the first container image registry stores path record data, and the path record data indicates a specific path; wherein the traceability method further comprises the following step: associating, by the server and based on the path record data, the first hidden-code image file with the specific path in the first container image source file.
In a preferred embodiment of the present invention, the traceability method further comprises the following steps: receiving, by the server, a verification command, and converting, by the server and based on the verification command, the second container image into a second container image source file; obtaining, by the server, the first hidden-code image file from the second container image source file and the first string data from the first hidden-code image file; and generating, by the server, first verification success data based on the first string data matching security string data.
In a preferred embodiment of the present invention, the first container image registry stores path record data, and the path record data indicates a specific path; wherein the server, based on the path record data, obtains the first hidden-code image file from the specific path in the second container image source file.
In a preferred embodiment of the present invention, the traceability system comprises a computer device that accesses the first container image registry and is communicatively connected to the server; wherein the first container image registry stores path record data, and the path record data indicates a specific path; wherein the traceability method further comprises the following steps: transmitting, by the computer device, a third container image to the server; converting, by the server, the third container image into a third container image source file; and deciding, by the server and based on the third container image source file and the path record data, whether to store the third container image in the first container image registry.
In a preferred embodiment of the present invention, the traceability method further comprises the following steps: obtaining, by the server, a second hidden-code image file from the specific path of the third container image source file; obtaining, by the server, second string data from the second hidden-code image file; and storing, by the server, the third container image in the first container image registry based on the second string data matching security string data.
In a preferred embodiment of the present invention, the traceability method further comprises the following step: deciding, by the server, not to store the third container image in the first container image registry based on the specific path in the third container image source file not having a second hidden-code image file.
In a preferred embodiment of the present invention, the traceability method further comprises the following steps: obtaining, by the server, a second hidden-code image file from the specific path of the third container image source file; obtaining, by the server, second string data from the second hidden-code image file; and deciding, by the server, not to store the third container image in the first container image registry based on the second string data not matching security string data.
According to the purpose of the present invention, a traceability method is further provided, applied to a traceability system comprising a first container image registry, a server and a computer device, the server accessing the first container image registry, the computer device accessing the first container image registry and being communicatively connected to the server; wherein the first container image registry stores path record data, and the path record data indicates a specific path; the traceability method comprises the following steps: transmitting, by the computer device, a third container image to the server; converting, by the server, the third container image into a third container image source file; and deciding, by the server and based on the third container image source file and the path record data, whether to store the third container image in the first container image registry.
In a preferred embodiment of the present invention, the traceability method further comprises the following steps: obtaining, by the server, a second hidden-code image file from the specific path of the third container image source file; obtaining, by the server, second string data from the second hidden-code image file; and storing, by the server, the third container image in the first container image registry based on the second string data matching security string data.
In a preferred embodiment of the present invention, the traceability method further comprises the following step: deciding, by the server, not to store the third container image in the first container image registry based on the specific path in the third container image source file not having a second hidden-code image file.
In a preferred embodiment of the present invention, the traceability method further comprises the following steps: obtaining, by the server, a second hidden-code image file from the specific path of the third container image source file; obtaining, by the server, second string data from the second hidden-code image file; and deciding, by the server, not to store the third container image in the first container image registry based on the second string data not matching security string data.
The foregoing and other aspects of the present invention will become clearer from the following detailed description of non-limiting specific embodiments, read with reference to the accompanying drawings.
Please refer to Figure 1, which illustrates the system architecture of one specific embodiment of the traceability system according to the present invention. In the embodiment shown in Figure 1, the traceability system 100 comprises a first container image registry 110 (a container image registry may also be called a registry) and a server 120. The server 120 can access the first container image registry 110, and the server 120 is communicatively connected to a second container image registry 910. In one embodiment, the traceability system 100 further comprises a computer device 130, which can access the first container image registry 110 and is communicatively connected to the server 120. In one embodiment, the traceability system 100 of the present invention comprises one or more processors, and implements the first container image registry 110 and/or the server 120 and/or the computer device 130 through hardware and software operating together. For example, the server 120 can transmit, receive and process various data, files or commands through hardware and software working together; the computer device 130 can likewise transmit, receive and process various data, files or commands; and the first container image registry 110 can transmit, receive and store various data, files or commands. In different embodiments, the computer device 130 may be a server, a computer, a laptop, a mobile device or the like, without limitation. It should be understood that, as required, the computer device 130 may also be the server 120.
In the embodiment shown in Figure 1, the server 120 can receive a first container image (a container image may be called an image, or a container image file) from the second container image registry 910. The server 120 can perform a security check on the first container image to generate security confirmation data, which is associated with the first container image. Preferably, the security confirmation data indicates that the first container image meets information security requirements. The server 120 can generate a second container image based on the first container image and the security confirmation data, and store the second container image in the first container image registry 110. The second container image comprises the first container image and a first hidden-code image file, and the first hidden-code image file comprises first string data. Preferably, the first string data indicates that the second container image meets information security requirements. Once this flow is complete, the second container image stored in the first container image registry 110 can be downloaded and/or used by users (for example, a user can retrieve and use the second container image from the first container image registry 110 via the computer device 130, or via the server 120).
It should be understood that the traceability system 100 may, as required, have its server 120 use source-code scanning technology (or another technology suitable for confirming compliance with information security requirements) to perform the security check on the first container image. In one embodiment, when the server 120 performs the security check, if the server 120 can confirm that the first container image was downloaded from an official website that meets information security requirements, or that the download source of the first container image is a third-party website that meets information security requirements and provides guaranteed official source code, the server 120 generates the corresponding security confirmation data.
It should be understood that when the server 120 performs a security check on a particular container image and finds that it does not meet information security requirements, the server 120 does not generate security confirmation data for that container image and does not store it in the first container image registry 110. In this way, every container image stored in the first container image registry 110 is guaranteed to have passed the security check and to meet information security requirements. In one embodiment, when the server 120 performs the security check on a particular container image and finds that it does not meet information security requirements, the server 120 generates alert data for that container image and, based on the container image and the alert data, decides not to store it in the first container image registry 110. The alert data is associated with that container image and indicates that it does not meet information security requirements.
In one embodiment, after the server 120 performs the security check on the first container image and generates the security confirmation data, the server 120 can convert the first container image into a first container image source file (a container image source file may be called a docker file). Next, the server 120 can cause the first container image source file to include the first hidden-code image file, and convert the first container image source file together with the first hidden-code image file into the second container image. The second container image thus comprises the first container image and the first hidden-code image file. Preferably, the first container image registry 110 stores path record data that indicates a specific path. Based on the path record data, the server 120 can associate the first hidden-code image file with the specific path in the first container image source file. Specifically, based on the path record data, the server 120 can cause the first hidden-code image file to be included in (or stored at) the specific path in the first container image source file.
In one embodiment, the server 120 receives a verification command and, based on it, converts the second container image into a second container image source file. The server 120 can then obtain the first hidden-code image file from the second container image source file and obtain the first string data from the first hidden-code image file. The server 120 can then generate first verification success data based on the first string data matching security string data. Preferably, the server 120 can receive the verification command at a fixed interval (that is, at every such interval the server 120 verifies whether each container image in the first container image registry 110 passes the security check and meets information security requirements). Preferably, the server 120 can receive the verification command at a specific point in time (that is, at that point in time the server 120 verifies whether each container image in the first container image registry 110 passes the security check and meets information security requirements). Preferably, the first container image registry 110 stores path record data that indicates a specific path, and the server 120 can obtain the first hidden-code image file from the specific path in the second container image source file based on the path record data. In one embodiment, the first string data matching security string data means that the string content indicated (or recorded) by the first string data is equal to the string content indicated (or recorded) by the security string data. In another embodiment, it means that the string content indicated (or recorded) by the first string data matches the string content indicated (or recorded) by the security string data. Preferably, the content of the security string data can be set as required.
In one embodiment, the first container image registry 110 stores path record data that indicates a specific path. The traceability system 100 further comprises a computer device 130, which can transmit a third container image to the server 120. The server 120 can convert the third container image into a third container image source file and, based on the third container image source file and the path record data, decide whether to store the third container image in the first container image registry 110. Preferably, the server 120 can obtain a second hidden-code image file from the specific path of the third container image source file, and obtain second string data from the second hidden-code image file. If the second string data matches the security string data, the server 120 stores the third container image in the first container image registry 110 on that basis; if it does not match, the server 120 decides on that basis not to store the third container image in the first container image registry 110. Preferably, the server 120 can decide not to store the third container image in the first container image registry 110 based on the specific path in the third container image source file not having a second hidden-code image file.
In this way, when a user attempts to store a third container image in the first container image registry 110 via the computer device 130, the server 120 can judge whether the third container image may be stored in the first container image registry 110 by whether the third container image contains a second hidden-code image file and whether the second string data in that file matches the security string data. This ensures that every container image stored in the first container image registry 110 has passed the security check and meets information security requirements. Preferably, in the traceability system 100, users can only download and use container images stored in the first container image registry 110. If a user separately downloads an external container image elsewhere, that external image cannot be stored in the first container image registry 110. This ensures that every container image used in the traceability system 100 has passed the security check and meets information security requirements.
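The import flow (security check, then stamping the image with a hidden-code marker at the recorded path), the periodic verification command, and the push-admission decision described above, worked as one added example. This is not the patent's code or any product's implementation. It assumes that a container image can be modelled as a name, the registry it came from, and a map of file paths to bytes (standing in for the image source file the server extracts); that the hidden-code image file is a small PNG carrying its string data in a tEXt chunk; and that the path record data (`/etc/trace/marker.png`), the security string (`trace-approved-v1`) and the trusted-origin allow-list standing in for the patent's unspecified security check are constructed values. None of these formats or values come from the page.

```python
"""Added example (not the patent's own code): a toy model of the traceability
server's import, verification and push-admission flows.

Assumptions, none of which come from the page:
- a container image is a name, the registry it was pulled from, and a dict of
  file paths to bytes (standing in for the image source file the server extracts);
- the hidden-code image file is a minimal PNG carrying its string data in a
  tEXt chunk under the keyword "Comment";
- the path record data, security string and trusted-origin list are constructed.
"""
import hmac
import struct
import zlib
from dataclasses import dataclass, field

PATH_RECORD = "/etc/trace/marker.png"       # constructed "path record data"
SECURITY_STRING = "trace-approved-v1"       # constructed "security string data"
TRUSTED_ORIGINS = {"registry.example.com"}  # constructed allow-list for the check
_SIG = b"\x89PNG\r\n\x1a\n"
_KEYWORD = b"Comment"


@dataclass
class ContainerImage:
    name: str
    origin: str                                 # registry the image came from
    files: dict = field(default_factory=dict)   # path -> bytes


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_hidden_code_image(text: str) -> bytes:
    """Build a valid 1x1 grayscale PNG whose tEXt chunk carries `text`."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + 1 pixel
    return (_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", _KEYWORD + b"\x00" + text.encode("latin-1"))
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def extract_string_data(png: bytes):
    """Walk the chunks and return the marker text, or None if absent or corrupt."""
    if not png.startswith(_SIG):
        return None
    pos = len(_SIG)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        end = pos + 12 + length
        if end > len(png):
            return None                      # truncated chunk
        ctype, data = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[end - 4:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            return None                      # CRC mismatch: treat as no marker
        if ctype == b"tEXt" and data.startswith(_KEYWORD + b"\x00"):
            return data[len(_KEYWORD) + 1:].decode("latin-1")
        pos = end
    return None


def security_check(image: ContainerImage) -> dict:
    """Stand-in for the patent's unspecified scan: here, a trusted-origin check.
    Returns security confirmation data on success, alert data otherwise."""
    status = "confirmed" if image.origin in TRUSTED_ORIGINS else "alert"
    return {"image": image.name, "origin": image.origin, "status": status}


def import_image(first_image: ContainerImage, registry: dict) -> dict:
    """Figure 1 flow: check the external image, then store a second image that
    carries the hidden-code marker at PATH_RECORD. Failed checks store nothing."""
    result = security_check(first_image)
    if result["status"] != "confirmed":
        return result
    files = dict(first_image.files)
    files[PATH_RECORD] = make_hidden_code_image(SECURITY_STRING)
    registry[first_image.name] = ContainerImage(first_image.name, "internal", files)
    return result


def verify_image(image: ContainerImage) -> bool:
    """Verification command: marker present at PATH_RECORD and its string matches."""
    marker = image.files.get(PATH_RECORD)
    found = extract_string_data(marker) if marker is not None else None
    if found is None:
        return False
    return hmac.compare_digest(found.encode(), SECURITY_STRING.encode())


def admit_push(third_image: ContainerImage, registry: dict) -> str:
    """Figure 2 flow: a pushed image is stored only if verify_image accepts it."""
    if verify_image(third_image):
        registry[third_image.name] = third_image
        return "stored"
    return "rejected"


def verify_registry(registry: dict) -> dict:
    """Periodic verification over every image held in the internal registry."""
    return {name: verify_image(img) for name, img in registry.items()}
```

The three rejection cases the patent lists (no marker at the recorded path, a marker whose string does not match, and an external image that never passed the check) all fall out of `verify_image` and `security_check`; a PNG whose tEXt chunk was altered without its CRC is likewise treated as having no marker. The string comparison uses `hmac.compare_digest` so that a mismatch does not leak how many leading characters agreed, and the security string is held only by the server, which is what makes the marker a statement by the server rather than by whoever pushed the image.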
Please refer to Figure 2, which illustrates the system architecture of one specific embodiment of the traceability system according to the present invention. In the embodiment shown in Figure 2, the traceability system 200 comprises a first container image registry 210 (a container image registry may also be called a registry), a server 220 and a computer device 230. The server 220 can access the first container image registry 210, the computer device 230 can access the first container image registry 210, and the computer device 230 is communicatively connected to the server 220. In one embodiment, the traceability system 200 of the present invention comprises one or more processors, and implements the first container image registry 210 and/or the server 220 and/or the computer device 230 through hardware and software operating together. For example, the server 220 can transmit, receive and process various data, files or commands through hardware and software working together; the computer device 230 can likewise transmit, receive and process various data, files or commands; and the first container image registry 210 can transmit, receive and store various data, files or commands. In different embodiments, the computer device 230 may be a server, a computer, a laptop, a mobile device or the like, without limitation. It should be understood that, as required, the computer device 230 may also be the server 220.
In the embodiment shown in Figure 2, the first container image registry 210 stores path record data that indicates a specific path. The computer device 230 can transmit a third container image to the server 220; the server 220 can convert the third container image into a third container image source file and, based on the third container image source file and the path record data, decide whether to store the third container image in the first container image registry 210. Preferably, the server 220 can obtain a second hidden-code image file from the specific path of the third container image source file, and obtain second string data from the second hidden-code image file. If the second string data matches the security string data, the server 220 stores the third container image in the first container image registry 210 on that basis; if it does not match, the server 220 decides on that basis not to store the third container image in the first container image registry 210. Preferably, the server 220 can decide not to store the third container image in the first container image registry 210 based on the specific path in the third container image source file not having a second hidden-code image file.
In this way, when a user attempts to store a third container image in the first container image registry 210 via the computer device 230, the server 220 can judge whether the third container image may be stored in the first container image registry 210 by whether the third container image contains a second hidden-code image file and whether the second string data in that file matches the security string data. This ensures that every container image stored in the first container image registry 210 has passed the security check and meets information security requirements. Preferably, in the traceability system 200, users can only download and use container images stored in the first container image registry 210. If a user separately downloads an external container image elsewhere, that external image cannot be stored in the first container image registry 210. This ensures that every container image used in the traceability system 200 has passed the security check and meets information security requirements.
Please refer to Figure 3, which illustrates a flowchart of one specific embodiment of the traceability system according to the present invention. In the embodiment shown in Figure 3, the traceability method 300 can be applied to a traceability system comprising a first container image registry and a server, the server accessing the first container image registry and being communicatively connected to a second container image registry. The traceability method 300 begins with step 310, in which the server receives a first container image from the second container image registry. Next, in step 320, the server performs a security check on the first container image to generate security confirmation data. Next, in step 330, the server generates a second container image based on the first container image and the security confirmation data. Next, in step 340, the server stores the second container image in the first container image registry. The second container image comprises the first container image and a first hidden-code image file, and the first hidden-code image file comprises first string data. In one embodiment, the traceability method 300 further comprises the following steps in order to generate the second container image: converting, by the server, the first container image into a first container image source file; causing, by the server, the first container image source file to include the first hidden-code image file; and converting, by the server, the first container image source file together with the first hidden-code image file into the second container image.
In one embodiment, the first container image registry stores path record data that indicates a specific path. The traceability method 300 further comprises the following step: associating, by the server and based on the path record data, the first hidden-code image file with the specific path in the first container image source file. In one embodiment, the traceability method 300 further comprises the following steps: receiving, by the server, a verification command; converting, by the server and based on the verification command, the second container image into a second container image source file; obtaining, by the server, the first hidden-code image file from the second container image source file and the first string data from the first hidden-code image file; and generating, by the server, first verification success data based on the first string data matching security string data. In one embodiment, the first container image registry stores path record data that indicates a specific path, and the server obtains the first hidden-code image file from the specific path in the second container image source file based on the path record data.
In one embodiment, the traceability system comprises a computer device that accesses the first container image registry and is communicatively connected to the server. The first container image registry stores path record data that indicates a specific path. The traceability method 300 further comprises the following steps: transmitting, by the computer device, a third container image to the server; converting, by the server, the third container image into a third container image source file; and deciding, by the server and based on the third container image source file and the path record data, whether to store the third container image in the first container image registry.
In one embodiment, the traceability method 300 further comprises the following steps: obtaining, by the server, a second hidden-code image file from the specific path of the third container image source file; obtaining, by the server, second string data from the second hidden-code image file; and storing, by the server, the third container image in the first container image registry based on the second string data matching security string data. In one embodiment, the traceability method 300 further comprises the following step: deciding, by the server, not to store the third container image in the first container image registry based on the specific path in the third container image source file not having a second hidden-code image file. In one embodiment, the traceability method 300 further comprises the following steps: obtaining, by the server, a second hidden-code image file from the specific path of the third container image source file; obtaining, by the server, second string data from the second hidden-code image file; and deciding, by the server, not to store the third container image in the first container image registry based on the second string data not matching security string data.
Please refer to Figure 4, which illustrates a flowchart of one specific embodiment of the traceability system according to the present invention. In the embodiment shown in Figure 4, the traceability method 400 can be applied to a traceability system comprising a first container image registry, a server and a computer device, the server accessing the first container image registry, the computer device accessing the first container image registry and being communicatively connected to the server. The first container image registry stores path record data that indicates a specific path. The traceability method 400 begins with step 410, in which the computer device transmits a third container image to the server. Next, in step 420, the server converts the third container image into a third container image source file. Next, in step 430, the server decides, based on the third container image source file and the path record data, whether to store the third container image in the first container image registry.
In one embodiment, the traceability method 400 further comprises the following steps: obtaining, by the server, a second hidden-code image file from the specific path of the third container image source file; obtaining, by the server, second string data from the second hidden-code image file; and storing, by the server, the third container image in the first container image registry based on the second string data matching security string data. In one embodiment, the traceability method 400 further comprises the following step: deciding, by the server, not to store the third container image in the first container image registry based on the specific path in the third container image source file not having a second hidden-code image file. In one embodiment, the traceability method 400 further comprises the following steps: obtaining, by the server, a second hidden-code image file from the specific path of the third container image source file; obtaining, by the server, second string data from the second hidden-code image file; and deciding, by the server, not to store the third container image in the first container image registry based on the second string data not matching security string data.
The traceability system and method of the present invention have thus been described by the above description and drawings. It should be understood, however, that the specific embodiments of the present invention are for illustration only; various changes can be made without departing from the scope and spirit of the claims, and all such changes fall within the patent scope of the present invention. Therefore, the specific embodiments described in this specification are not intended to limit the present invention, whose true scope and spirit are disclosed in the following claims.
100: traceability system
110: first container image registry
120: server
130: computer device
200: traceability system
210: first container image registry
220: server
230: computer device
300: traceability method
310~340: steps
400: traceability method
410~430: steps
910: second container image registry
Figure 1 is a system architecture diagram of one specific embodiment of the traceability system of the present invention.
Figure 2 is a system architecture diagram of one specific embodiment of the traceability system of the present invention.
Figure 3 is a flowchart of one specific embodiment of the traceability method of the present invention.
Figure 4 is a flowchart of one specific embodiment of the traceability method of the present invention.
Claims (26)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW111140032A TWI805514B (en) | 2022-10-21 | 2022-10-21 | Traceability system and its method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW111140032A TWI805514B (en) | 2022-10-21 | 2022-10-21 | Traceability system and its method |
Publications (2)
Publication Number | Publication Date |
---|---|
TWI805514B true TWI805514B (en) | 2023-06-11 |
TW202418128A TW202418128A (en) | 2024-05-01 |
Family
ID=87803046
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW111140032A TWI805514B (en) | 2022-10-21 | 2022-10-21 | Traceability system and its method |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI805514B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20210208916A1 (en) * | 2020-01-03 | 2021-07-08 | International Business Machines Corporation | Images deployment system across multiple architectures |
TWI733490B (en) * | 2020-06-11 | 2021-07-11 | 中華電信股份有限公司 | System for detecting image file security and method thereof |
US20220108023A1 (en) * | 2020-10-06 | 2022-04-07 | Foundation Of Soongsil University-Industry Cooperation | Docker image vulnerability inspection device and method for performing docker file analysis |
Legal events
- 2022-10-21: TW application TW111140032A, patent TWI805514B, active