CN105278929A - Application program audit data processing method, device and system - Google Patents
Publication number: CN105278929A (application CN201410267652.1A). Authority: CN (China). Legal status: pending.
Prior art keywords: auditing result, source code, annotation, application program, annotation information.
Abstract
The invention discloses a data processing method, device and system for application program auditing. The method comprises the following steps: obtaining an original audit result by performing static auditing on the application program; obtaining preset annotation information that identifies false positives in the original audit result; annotating the source code of the application program corresponding to the original audit result with the preset annotation information; filtering out the audit results corresponding to source code that carries the preset annotation information, thereby obtaining a non-false-positive audit result; and outputting the non-false-positive audit result. The method, device and system solve the technical problem that the prior art cannot accurately filter false positives out of audit results, and so improve the accuracy with which false positives are filtered from audit results.
Description
Technical field
The present invention relates to the field of data processing, and in particular to a data processing method, device and system for application program auditing.
Background technology
Static auditing is a method of checking a program without running the application; type checking, code style checking, bug finding, security inspection and the like can all be realized by static auditing. Because static auditing relies on feature or pattern matching, it produces both false positives and false negatives. False positives appear in the static audit report, interfere with it and make it inconvenient to review, so the user experience of the static auditing system is poor. To improve the user experience, during operation of a static auditing system the contents of the audit result report that have been confirmed to be false positives are usually whitelisted so that they no longer appear in the audit report.
For false positives in a static audit report, the existing whitelist scheme performs string matching on the features of the audit result content and directly filters the audit results that match a feature, i.e. it determines that such an audit result is a false positive. For example, if the audit result content comprises a type, the source file it is located in and the specific code content, the whitelist rule likewise comprises a type, source file and code text, and only an audit result that satisfies the whitelist rule is filtered. This whitelist scheme, however, has considerable limitations. When the whitelist rule is set strictly, the rule no longer takes effect as soon as a variable name or method name in the audited code is modified; if the audited code has been obfuscated, the source file names and variable names change because of the obfuscation, and in that case the whitelist rule cannot be used to filter the false positive at all. When the whitelist rule is set loosely, some audit results that are not false positives may be filtered by mistake. The existing whitelist scheme therefore filters false positives inaccurately, which introduces potential security risks.
No effective solution has yet been proposed for the problem in the prior art that false positives in audit results are filtered inaccurately.
Summary of the invention
Embodiments of the present invention provide a data processing method, device and system for application program auditing, so as to at least solve the problem in the prior art that false positives in audit results are filtered inaccurately.
According to one aspect of the embodiments of the present invention, a data processing method for application program auditing is provided. The method comprises: obtaining an original audit result produced by static auditing of the application program; obtaining preset annotation information, wherein the preset annotation information is information that identifies the original audit result as a false positive; annotating the source code of the application program corresponding to the original audit result with the preset annotation information; filtering out the audit results corresponding to source code that carries the preset annotation information, so as to obtain a non-false-positive audit result; and outputting the non-false-positive audit result.
According to another aspect of the embodiments of the present invention, a data processing device for application program auditing is also provided. The device comprises: a first acquiring unit for obtaining the original audit result produced by static auditing of the application program; a second acquiring unit for obtaining preset annotation information, wherein the preset annotation information is information that identifies the original audit result as a false positive; an annotation unit for annotating the source code of the application program corresponding to the original audit result with the preset annotation information; a filtering unit for filtering out the audit results corresponding to source code that carries the preset annotation information, so as to obtain a non-false-positive audit result; and an output unit for outputting the non-false-positive audit result.
According to yet another aspect of the embodiments of the present invention, a data processing system for application program auditing is also provided. The system comprises: an annotation adding module for storing the preset annotation information and annotating the code of the application program corresponding to the original audit result with it; a static auditing system for performing static auditing on the annotated application program to obtain an audit result; and a false-positive filtering module for filtering out, from the audit result, the audit results corresponding to source code that carries the preset annotation information.
In the embodiments of the present invention, the original audit result produced by static auditing of the application program is obtained; preset annotation information, which identifies the original audit result as a false positive, is obtained; the source code of the application program corresponding to the original audit result is annotated with the preset annotation information; the audit results corresponding to source code carrying the preset annotation information are filtered out to obtain a non-false-positive audit result; and the non-false-positive audit result is output. Because the preset annotation information is only an annotation on the source code of the application program and not part of the application program itself, it is not modified even if the source code is obfuscated or a variable name or method name is changed, and it still identifies the audit results corresponding to the source code within the annotation's scope as false positives. Filtering the audit results that correspond to annotated source code thus does not depend on the application program itself. This solves the technical problem of inaccurate filtering of false positives from audit results in the prior art and achieves the technical effect of improving the filtering of false positives from audit results.
Accompanying drawing explanation
The accompanying drawings described herein are provided for a further understanding of the present invention and form a part of this application; the illustrative embodiments of the present invention and their description serve to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a structural block diagram of a computer;
Fig. 2 is a flowchart of the data processing method for application program auditing according to an embodiment of the present invention;
Fig. 3 is a block flow diagram of the data processing method for application program auditing according to an embodiment of the present invention;
Fig. 4 is a flowchart of obtaining the non-false-positive audit result in the data processing method for application program auditing according to an embodiment of the present invention;
Fig. 5 is a flowchart of judging the false positives in the secondary audit result in the data processing method for application program auditing according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of the data processing device for application program auditing according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of the filtering unit in the data processing device for application program auditing according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of the judging module in the data processing device for application program auditing according to an embodiment of the present invention;
Fig. 9 is a schematic diagram of the data processing system for application program auditing according to an embodiment of the present invention; and
Fig. 10 is a schematic diagram of a terminal device for implementing the data processing method for application program auditing in an embodiment of the present invention.
Embodiment
In order to enable those skilled in the art to better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be noted that the terms "first", "second" and the like in the description, claims and drawings of the present invention are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments of the invention described herein can be implemented in orders other than those illustrated or described here. Moreover, the terms "comprise" and "have" and any variants of them are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
Explanation of technical terms
Java: an object-oriented programming language in which cross-platform software can be written. Released in 1995, it ranks second in popularity among programming languages, behind only C. Especially since the release of the Android platform, Java has been widely used to write Android applications, and more and more developers use Java for program development.
Annotation: a form of syntactic metadata in the Java programming language, used to define custom annotation interfaces and to annotate Java source code.
SDK: Software Development Kit, a collection of development tools or development interfaces that developers establish for a specific software package, software framework or general-purpose function module in order to build application software.
Blacklist: a set of known malicious data. Data that matches a blacklist rule or is contained in the blacklist set is considered illegal and is refused by the application program.
Whitelist: a data set, or a set of data that satisfies certain features; data contained in the whitelist set is considered legal. For example, a Java code snippet that has been confirmed by development to carry no security risk is placed on the whitelist.
Static auditing: a method of checking an application program without running it; type checking, code style checking, bug finding, security inspection and the like can all be realized by static auditing. Because static auditing performs its checks by feature or pattern matching, it produces false positives and false negatives; false positives present interfering information to the reviewer of the static audit report and degrade the experience of the auditing system. During operation of the system, audit result content that has been confirmed to be a false positive is usually whitelisted so that it no longer appears in the audit report.
Because a blacklist approach chooses to reject or escape potentially dangerous input values, it rejects known malicious data but cannot exclude unknown malicious data, so blacklist rules are generally incomplete. A whitelist approach defines the feature pattern of known legal values, usually with regular expressions that keep the list rules clear; input data that matches the whitelist rule passes the check, and data that does not match is refused as illegal. In the operation of a system, whitelist rules are therefore more conducive to application security than blacklist rules.
Embodiment 1
According to an embodiment of the present invention, a data processing method for application program auditing is provided. The method can be executed by a computer or a similar computing device. Fig. 1 is a structural block diagram of such a computer. As shown in Fig. 1, the computer 100 comprises one or more processors 102 (only one is shown in the figure), a memory 104 and a transmission module 106. A person of ordinary skill in the art will appreciate that the structure shown in Fig. 1 is only illustrative and does not limit the structure of the electronic device described above. For example, the computer 100 may comprise more or fewer components than shown in Fig. 1, or may have a configuration different from that shown in Fig. 1.
The memory 104 can be used to store software programs and modules, such as the program instructions/modules corresponding to the data processing method and device for application program auditing in the embodiments of the present invention. By running the software programs and modules stored in the memory 104, the processor 102 performs various functional applications and data processing, i.e. implements the method and device described above. The memory 104 may comprise high-speed random access memory and may also comprise non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 104 may further comprise memory located remotely from the processor 102; such remote memory may be connected to the computer 100 through a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations thereof.
The transmission module 106 is used to receive or send data via a network. Specific examples of the network may include wired and wireless networks. In one example, the transmission module 106 comprises a network interface controller (NIC), which can be connected by a network cable to a router or other network equipment so as to communicate with the Internet. In another example, the transmission module 106 is an Ethernet module that communicates with the Internet over an Ethernet connection.
Fig. 2 is a flowchart of the data processing method for application program auditing according to an embodiment of the present invention. As shown in the figure, the method comprises:
Step S202: obtaining the original audit result produced by static auditing of the application program.
Static auditing of an application program may perform type checking, code style checking, bug finding, security inspection and the like on it, to ensure that the application program has no errors or security vulnerabilities in use. After the static audit, the original audit result is output. However, because static auditing detects the source code of the application program by feature or pattern matching, false positives may arise during the audit: source code that has no defect or vulnerability is identified as defective or vulnerable, so the original audit result that is output contains false positive content.
Step S204: obtaining preset annotation information, wherein the preset annotation information is information that identifies the original audit result as a false positive.
The preset annotation information includes the annotation's interface and form, for example the annotation name, the type of syntactic structure the annotation acts on (a class, a method, etc.) and the member variables the annotation must contain. The following example describes a custom class-level Java annotation, JgClassChecked, i.e. a class-level annotation for an application written in Java. Its annotation form is JgClassChecked, and the annotation must contain a description with four members: author, date, type and comment. Besides the class-level annotation definition, the SDK also defines a method-level annotation, whose form is JgMethodChecked.
The annotation form in the preset annotation information is as follows:
Step S206: annotating the source code of the application program corresponding to the original audit result with the preset annotation information.
If an original audit result is a false positive, the source code of the application program corresponding to that false positive is annotated, i.e. annotated with the preset annotation information. The source code of the application program then carries the preset annotation information, which identifies the annotated source code as safe code that should not be recorded in the original audit result; in other words, it establishes that the report on this code in the original audit result is a false positive.
Because the preset annotation information identifies the false positives in the original audit result, when the source code of the application program is annotated with it there is no need to annotate all of the safe source code in the application program; only the source code that was falsely reported needs to be annotated.
When an original audit result is determined to be a false positive, the source code of the application program corresponding to it is annotated. For example, for an application written in Java, the Annotation SDK is first imported and code annotations are added to the application's source code according to the annotation interface defined by the SDK. If the source file corresponding to a false positive in the original audit result is a1.java and the code at the false positive is located in method f1, a method-level whitelist annotation is added before method f1 in a1.java, with content such as JgMethodChecked(author=1, date="2014-05-22", type="https_check", comment="checked, is security"). The JgMethodChecked annotation acts at method level; method code annotated with JgMethodChecked is treated as whitelisted, i.e. the source code of the application program corresponding to that method-level annotation is filtered out of the audit result. Similarly, the JgClassChecked annotation can act at class level, and the class-level source code it acts on is likewise treated as whitelisted.
Step S208: filtering out the audit results corresponding to source code that carries the preset annotation information, so as to obtain the non-false-positive audit result.
After the source code carrying the preset annotation information has been determined to be safe code, the audit results corresponding to that source code are filtered out to obtain the non-false-positive audit result; that is, once these audit results have been filtered out, the non-false-positive audit result, compared with the original audit result, no longer contains the false positive content.
Step S210: outputting the non-false-positive audit result.
After the non-false-positive audit result is output, the source code of the application program corresponding to it is the source code that actually has problems, so the reviewer of the audit result is not disturbed by false positive content and only needs to repair the security threats or vulnerabilities in the source code corresponding to the non-false-positive audit result.
Through the above embodiment, after the original audit result is obtained, the source code of the application program corresponding to it is annotated to identify the audit results corresponding to the annotated source code as false positives; the audit results corresponding to source code carrying the preset annotation information are then filtered out to obtain the non-false-positive audit result, thereby achieving the goal of filtering out false positive audit results. Because the preset annotation information is only an annotation on the source code of the application program and not part of the application program itself, even if the source code is obfuscated or a variable name or method name is changed, the preset annotation information is not modified and still identifies the audit results corresponding to the source code within the annotation's scope as false positives; that is, filtering the audit results corresponding to annotated source code does not depend on the application program itself. In summary, the above embodiment solves the problem of inaccurate filtering of false positives from audit results in the prior art and improves the accuracy with which false positives are filtered from audit results.
Fig. 3 is a block flow diagram of the data processing method for application program auditing according to an embodiment of the present invention.
As shown in the figure, after the application program is audited by the static auditing system, the original audit result is output; the original audit result is then input to the application program annotation module, the annotated application program is submitted to the static auditing system a second time for checking, and a secondary audit result is output; after the false positives in the secondary audit result are filtered out, the non-false-positive audit result is output.
Filtering the false positives in the secondary audit result, i.e. filtering out the audit results corresponding to source code carrying the preset annotation information to obtain the non-false-positive audit result, comprises the following steps shown in Fig. 4:
Step S402: obtaining the source code of the annotated application program.
The application program annotated by the application program annotation module is submitted to the static auditing system to be audited again. If the package received by the static auditing system is the source code of the application program, the source code is audited directly; if the package received is an application package rather than source code, it is converted into application source code by unpacking, decompiling and similar means, so that the static auditing system can audit the source code of the application program.
Step S404: performing static auditing on the source code of the annotated application program to obtain the secondary audit result.
Static auditing is performed on the source code of the annotated application program. The method of auditing the source code again is the same as the method of the first static audit; the only difference is that the source code audited again carries the preset annotation information. The secondary audit result is obtained after this static audit.
Step S406: judging whether the source code of the application program corresponding to the secondary audit result contains the preset annotation information.
The source code of the application program corresponding to each audit result in the secondary audit result is obtained, and it is judged whether the source code corresponding to the secondary audit result contains the preset annotation information.
Step S408: if the source code of the application program corresponding to the secondary audit result contains the preset annotation information, filtering out the secondary audit results corresponding to the source code of the application program that contains the preset annotation information, and taking the audit results that remain after this filtering as the non-false-positive audit result.
For example, suppose an audit result in the secondary audit result is a1.java:L10:test("helloworld"), and the source code content corresponding to this audit result carries the preset annotation information JgMethodChecked(author=1, date="2014-05-22", type="https_check", comment="checked, is security"). The audit result a1.java:L10:test("helloworld") is then filtered out, so that after filtering the content "a1.java:L10:test("helloworld")" no longer appears in the secondary audit result. The audit result from which the audit target "a1.java:L10:test("helloworld")" has been filtered out is taken as the non-false-positive audit result.
Through the above embodiment, the source code corresponding to the false positive audit results is annotated, the annotated application program is statically audited again to obtain the secondary audit result, and the audit results in the secondary audit result that correspond to annotated source code are filtered out, yielding a non-false-positive audit result that contains no false positives. The false positives in the secondary audit result can be determined accurately from the content of the annotations, and the false positives in the audit result can still be judged accurately even if the audit conditions are modified for the second static audit. In particular, when the application program is fine-tuned and statically audited repeatedly, the annotations do not need to be added again each time, and adjustments to the application program do not modify the annotation information, so efficiency is improved while the accuracy of filtering false positives from the audit result is preserved.
Preferably, as shown in Fig. 3, annotating the source code of the application program corresponding to the original audit result with the preset annotation information comprises: obtaining the preset source code corresponding to the preset annotation information; searching for the source code of the application program that is identical to the preset source code; and annotating the source code of the application program that is found according to the preset annotation information corresponding to the preset source code.
In the application program annotation module shown in Fig. 3, the preset source code corresponding to the preset annotation information is obtained. For example, if the code for "display type" is safe code in the application and should not appear in the non-false-positive audit result, the preset source code corresponding to the preset annotation information is the source code of "display type"; the source code of "display type" is then searched for in the source code of the application program and annotated with the preset annotation information corresponding to that source code.
As shown in Fig. 3, after the secondary audit result is obtained, the false positives are filtered out, so judging which audit results are false positives is very important. The judgement of false positives in the secondary audit result is described below with reference to Fig. 5.
Preferably, judging whether the source code of the application program corresponding to the secondary audit result carries an annotation comprises:
Step S501: obtaining the secondary audit result, i.e. obtaining the content of one audit result. If the secondary audit result contains several audit results, any one of them is read; if it contains only one audit result, that one is read.
Step S502: parsing the source file name in the secondary audit result, i.e. obtaining the name of the source file in which the result is located. The source file name corresponding to the audit result obtained in step S501 is parsed; for example, if the audit result is a1.java:L10:test("helloworld"), the source file name in this audit result is a1.java.
Step S503: reading the source code in the application program corresponding to the source file name, i.e. reading the content of the source file. The source code of the application program corresponding to the source file name is read. The source code read is all of the code within the scope of the class or method that contains line 10 of the source file a1.java named in the audit result; test("helloworld") is one line of the application program's source code, which the audit result regards as code with a security threat or vulnerability. To judge accurately whether this line is a false positive, it must be checked whether the method or class containing this source code is annotated.
Step S504: judging whether the source code corresponding to the source file name contains the preset annotation information.
After the source code corresponding to the source file name is read, it is judged whether the source code read contains the preset annotation information. For example, the content of the preset annotation information is as follows:
JgMethodChecked(author=1, date="2014-05-22", type="https_check", comment="checked, is security"), or
JgClassChecked(author=1, date="2014-05-22", type="https_check", comment="checked, is security").
If the strings JgMethodChecked or JgClassChecked are found in the code read, the code read is determined to contain the preset annotation information.
Of course, if the application is written in another programming language, for example C, the preset annotation information may be a marker such as $abcdefg; in that case the code read is determined to contain the preset annotation information when $abcdefg is detected.
Step S505: if the source code corresponding to the source file name is judged to contain the preset annotation information, search that source code line by line for the preset annotation information. If the preset annotation information is found, determine that the source code of the application corresponding to the secondary audit result carries an annotation; if it is not found, determine that the source code of the application corresponding to the secondary audit result carries no annotation.
If the code read is judged to contain the preset annotation information, search it line by line for the annotation information, that is, perform steps S5051 to S505n shown in Fig. 5. If the preset annotation information is found in the code read, the code is determined to be annotated and the audit result corresponding to it is a false positive; if the preset annotation information is not found, the code is determined not to be annotated and the audit result corresponding to it is not a false positive.
The preset annotation information is searched line by line according to the following steps:
Step S5051: judge whether the current line of the source code corresponding to the source file name is a class definition head.
Step S5053: if the current line is a class definition head, judge whether the current line carries the preset annotation information.
Step S5055: if the current line carries the preset annotation information, mark all lines within the annotation scope of the class to which the class definition head belongs as annotated, and read the next line.
Judge whether the line read is a class definition head. If it is, judge whether the line holding the class definition head carries the preset annotation information, i.e. whether the current line carries the preset annotation information. If it does, the source code within the annotation scope of the class to which the class definition head belongs is determined to be safe code, i.e. no source code within that annotation scope should correspond to a secondary audit result; therefore, when a class definition head carries an annotation, all lines within the annotation scope of the class are marked, and a marked line represents an annotated line. For example, if the current line is the class definition head class c1 and contains the annotation JgClassChecked, entry into the code range governed by this annotation is marked with flag=1.
If the current line does not carry the preset annotation information, read the next line.
Further, after judging whether the current line of the source code corresponding to the source file name is a class definition head, the method also includes: if the current line is not a class definition head, judge whether the current line is a method definition head; and if the current line is judged not to be a method definition head, read the next line.
Within the scope of one class definition head several method definition heads may be present, so after judging that the current line is not a class definition head, judge whether it is a method definition head; if it is judged not to be a method definition head, perform step S5057, i.e. read the next line.
Since the source code of an application contains method definition heads in addition to class definition heads, for method definition heads the preset annotation information may be searched line by line according to the following steps:
Step S5052: judge whether the current line of the source code corresponding to the source file name is a method definition head.
Step S5054: if the current line is a method definition head, judge whether the current line carries the preset annotation information.
Step S5056: if the current line carries the preset annotation information, mark all lines within the annotation scope of the method to which the method definition head belongs as annotated, and read the next line.
Judge whether the line read is a method definition head. If it is, judge whether the line holding the method definition head carries the preset annotation information, i.e. whether the current line carries the preset annotation information. If it does, the source code within the annotation scope of the method to which the method definition head belongs is determined to be safe code, i.e. no source code within the annotation scope of that method should correspond to a secondary audit result; therefore, when a method definition head carries an annotation, all lines within the annotation scope of the method are marked, and a marked line represents an annotated line. For example, if the current line is the method definition head public void fun1 and contains the annotation JgMethodChecked, entry into the code range governed by this annotation is marked with flag=1. If the current line does not carry the preset annotation information, read the next line.
Preferably, in order to determine accurately whether the line of source code corresponding to the audit result carries an annotation, after the next line is read the method also includes the following steps:
Step S5058: judge whether the next line has been marked as annotated and whether the annotation scope has ended.
Judge whether the next line has been marked as annotated, for example whether it carries the mark flag=1, and whether the current line is still within the annotation scope.
If the current line is the end line of a method (the line whose '}' matches the '{' of the first line of the method definition, counting the '{' and '}' characters from the first line to the end line), and the method has been annotated with JgMethodChecked, mark that the code range governed by the current method's annotation has been left;
if the current line is the end line of a class (the line whose '}' matches the '{' of the first line of the class definition, counting the '{' and '}' characters from the first line to the end line), and the class has been annotated with JgClassChecked, mark that the code range governed by the current class's annotation has been left;
if the file has been read line by line to the end of file and the code line referred to by the audit result item is found not to lie within the scope of any preset annotation information, the source code corresponding to the current audit result has not been annotated, and the current audit result is output as a non-false-positive result.
Step S5059: if the next line has been marked as annotated and the annotation scope has not ended, judge whether this next line is the content recorded in the secondary audit result.
If the next line has been marked as annotated and is still within the annotation scope, judge whether this line is the content recorded in the secondary audit result. For example, if one of the entries in the secondary audit result is a1.java:L10:test("helloworld"), the source code is read from the first line of source file a1.java, and when the tenth line is reached it is judged to be the line recorded in the audit result. If the next line has not been marked as annotated and the annotation scope has ended, set flag=0 and read the next line.
Step S5060: if the next line is the content recorded in the secondary audit result, determine that the content recorded in the secondary audit result has been annotated; after the content recorded in the secondary audit result is determined to be annotated, filter out the secondary audit result.
If the next line read is judged to be the content recorded in the secondary audit result and lies within the annotation scope, i.e. has been marked as annotated, the audit result corresponding to this line is determined to be a false positive; if the line read is not the content recorded in the secondary audit result, continue reading the next line. After the content recorded in the secondary audit result is determined to be annotated, this secondary audit result is filtered out so that it does not appear in the non-false-positive audit result.
In the above embodiment, the source file is obtained using the source file name recorded in the secondary audit result and its content is read line by line; when a class definition head or method definition head carries the preset annotation information, all lines within the annotation scope of that class or method are marked as annotated. Thus, when the line recorded in the secondary audit result is found, if it has been marked as annotated, the secondary audit result corresponding to it is determined to be a false positive and is filtered out of the secondary audit result; if it has not been marked as annotated, the audit result is determined not to be a false positive and is output in the non-false-positive audit result. By judging line by line whether the source code carries an annotation, the above embodiment determines whether an audit result is a false positive; while searching for the line of source code corresponding to the audit result, every line within an annotation scope is marked, so even though the preset annotation information is not written on every source line, each line can still be told apart by its mark. Judging line by line avoids missed results and marking avoids misjudgment, so the above embodiment can accurately judge whether an audit result is a false positive and improves the accuracy of false-positive judgment.
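The line-by-line procedure of steps S5051 to S5060 (and the judge-module sub-modules 7051 to 7060 of Embodiment 2 below, which decompose the same procedure) can be followed in a small script. The following is an added illustration written for this page, not the patent's own implementation or SDK: the audit-result format file:Lnn:snippet, the marker names JgClassChecked and JgMethodChecked, the flag=1 marking and the '{'/'}' matching are taken from the description; the regular expressions used to recognise class and method definition heads, the handling of braces inside string literals and line comments, and the sample files a1.java and b1.java are assumptions constructed here.

```python
"""Added example: white-list filter for static-audit results (not the patent's code)."""
import re

# "Preset annotation information": marker names that identify an audited-and-cleared
# scope.  Another language could use another marker (the page mentions $abcdefg for C).
DEFAULT_MARKERS = ("JgClassChecked", "JgMethodChecked")

# Assumed helpers: blank out string/char literals and line comments so that braces
# inside them do not disturb the scope matching (block comments are not handled).
_STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])\'')
_LINE_COMMENT_RE = re.compile(r"//.*$")
# Heuristic regexes standing in for a real Java parser (steps S5051 / S5052).
_CLASS_HEAD_RE = re.compile(
    r"^\s*(?:@\w+(?:\([^)]*\))?\s*)*(?:(?:public|private|protected|static|final|abstract)\s+)*"
    r"(?:class|interface|enum)\s+\w+")
_METHOD_HEAD_RE = re.compile(
    r"^\s*(?:@\w+(?:\([^)]*\))?\s*)*"
    r"(?:(?:public|private|protected|static|final|synchronized|abstract)\s+)*"
    r"[\w<>\[\],.?\s]+\s+\w+\s*\([^)]*\)\s*(?:throws[\w.,\s]+)?\s*\{?\s*$")


def _normalize(line):
    return _LINE_COMMENT_RE.sub("", _STRING_RE.sub('""', line))


def has_marker(line, markers=DEFAULT_MARKERS):
    """Step S504 / S5053 / S5054: does the line carry the preset annotation information?"""
    return any(m in line for m in markers)


def is_definition_head(line):
    """Is this line a class definition head or a method definition head?"""
    return bool(_CLASS_HEAD_RE.match(line) or _METHOD_HEAD_RE.match(line))


def parse_audit_result(result):
    """Step S502: 'a1.java:L10:test("helloworld")' -> ('a1.java', 10, 'test("helloworld")')."""
    filename, line_tag, snippet = result.split(":", 2)
    if not line_tag.startswith("L"):
        raise ValueError("unexpected audit result format: %r" % result)
    return filename, int(line_tag[1:]), snippet


def is_line_annotated(source_lines, target_line, markers=DEFAULT_MARKERS):
    """Steps S5051-S5060: scan the file line by line; when an annotated class or method
    head is met, every line up to the matching '}' is inside the scope (flag=1).
    Returns True when target_line lies inside such a scope (a false positive)."""
    if not any(has_marker(l, markers) for l in source_lines):  # step S504: no marker at all
        return False
    flag = False    # inside an annotated scope (the page's flag=1)
    depth = 0       # '{' minus '}' counted from the annotated head line
    opened = False  # the scope's first '{' has been seen (it may be on the next line)
    for lineno, raw in enumerate(source_lines, start=1):
        line = _normalize(raw)
        if not flag and is_definition_head(line) and has_marker(line, markers):
            flag, depth, opened = True, 0, False
        if flag:
            if lineno == target_line:     # step S5059/S5060: the audited line is marked
                return True
            depth += line.count("{") - line.count("}")
            if depth > 0:
                opened = True
            elif opened:                  # step S5058: matching '}' reached, flag=0
                flag = False
    return False                          # end of file reached: not a false positive


def filter_false_positives(results, sources, markers=DEFAULT_MARKERS):
    """Filtering step: drop every secondary audit result whose line lies in an annotated
    scope; what remains is the non-false-positive audit result."""
    kept = []
    for result in results:
        filename, lineno, _snippet = parse_audit_result(result)
        lines = sources.get(filename)
        if lines is None or not is_line_annotated(lines, lineno, markers):
            kept.append(result)
    return kept


# Constructed sample sources (not from the page): a1.java clears one method only,
# b1.java clears a whole class and puts the opening brace on the line after the head.
SOURCES = {
    "a1.java": '''\
package demo;

public class A1 {
    @JgMethodChecked(author=1, date="2014-05-22", type="https_check", comment="checked, issecurity") public void fun1() {
        String s = "{ not a brace }";
        test("helloworld");
    }

    public void fun2() {
        test("helloworld");
    }
}
'''.splitlines(),
    "b1.java": '''\
@JgClassChecked(author=1, date="2014-05-22", type="https_check", comment="checked, issecurity") public class B1
{
    public void fun1() {
        test("helloworld");
    }
}
'''.splitlines(),
}

# Constructed secondary audit results in the page's file:Lnn:snippet form.
SECONDARY_RESULTS = [
    'a1.java:L6:test("helloworld")',   # inside annotated fun1 -> false positive
    'a1.java:L10:test("helloworld")',  # inside fun2, no annotation -> kept
    'b1.java:L4:test("helloworld")',   # inside annotated class B1 -> false positive
]

if __name__ == "__main__":
    print(filter_false_positives(SECONDARY_RESULTS, SOURCES))
```

Only the one entry in fun2 survives the filter. The scope end is detected purely by brace counting, as the description does, which is why literals and comments are blanked out first; a production implementation would use the language's parser to find definition heads and their extent rather than these regexes.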
It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions; but those skilled in the art should know that the present invention is not limited by the described order of actions, since according to the present invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
From the above description of the embodiments, those skilled in the art can clearly understand that the method of the above embodiments may be implemented by software plus the necessary general hardware platform, or of course by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, may in essence be embodied as a software product stored on a storage medium (such as ROM/RAM, magnetic disk or optical disc) and comprising instructions that cause a terminal device (which may be a mobile phone, computer, server, network device, etc.) to perform the method described in each embodiment of the present invention.
Embodiment 2
According to an embodiment of the present invention, a data processing device for application audit is further provided for performing the above data processing method for application audit.
Fig. 6 is a schematic diagram of the data processing device for application audit according to an embodiment of the present invention. As shown in the figure, the device comprises a first acquiring unit 60, a second acquiring unit 62, an annotation unit 64, a filtering unit 66 and an output unit 68.
The first acquiring unit 60 is used to obtain the original audit result of a static audit of the application.
A static audit of an application may include type checking, code style checking, bug searching, security examination and the like, to ensure that the application has no errors or security vulnerabilities in use. After the application is statically audited, the original audit result is output; but because static auditing detects the application's source code by feature or pattern matching, false positives may arise during the audit, i.e. source code without a defect or vulnerability is identified as defective or vulnerable, so the original audit result output contains false-positive content.
The second acquiring unit 62 is used to obtain the preset annotation information, which is information marking an original audit result as a false positive.
The preset annotation information includes the annotation's interface and form, for example the annotation name, the syntactic structure type the annotation acts on (class, method, etc.) and the member variables the annotation must contain. The following example describes a custom class-level Java annotation JgClassChecked, i.e. a class-level annotation for an application written in Java. Its annotation form is JgClassChecked, and the annotation must contain descriptions of four members: author, date, type and comment. Besides the class-level annotation definition, the SDK also defines a method-level annotation, whose form is JgMethodChecked.
The annotation forms in the preset annotation information are as follows:
The annotation unit 64 is used to annotate, with the preset annotation information, the source code of the application corresponding to the original audit result.
If an original audit result is a false positive, the source code of the application corresponding to that false-positive audit result is annotated, i.e. the source code of the application corresponding to the original audit result is annotated with the preset annotation information. The application's source code then carries the preset annotation information, which marks the annotated source code as safe code that should not be recorded in the original audit result; in other words, it establishes that this code was reported as a false positive in the original audit result.
Because the preset annotation information marks the false-positive information in the original audit result, when the application's source code is annotated with the preset annotation information it is not necessary to annotate all safe source code in the application; only the source code that was reported as a false positive needs to be annotated.
When an original audit result is determined to be a false positive, the source code of the application corresponding to that original audit result is annotated. For example, for an application written in Java, first introduce the AnnotationSDK, and add code annotations to the application's source code according to the annotation interface defined by the SDK. If the source file corresponding to a false-positive result in the original audit result is a1.java and the code of that false-positive result is located in method f1, add a method-level white-list annotation before method f1 of source file a1.java, with content such as JgMethodChecked(author=1, date="2014-05-22", type="https_check", comment="checked, issecurity"). The JgMethodChecked annotation acts at method level; the method code annotated by JgMethodChecked is treated as a white list, i.e. the application source code corresponding to the method-level annotation is filtered out of the audit result. Likewise, the JgClassChecked annotation can act at class level, and the class-level source code acted on by JgClassChecked is also treated as a white list.
The filtering unit 66 is used to filter out the audit results corresponding to source code carrying the preset annotation information, obtaining the non-false-positive audit result.
After the source code carrying the preset annotation information is determined to be safe code, the audit results corresponding to that source code are filtered out to obtain the non-false-positive audit result; that is, after these audit results are filtered out, the non-false-positive audit result, unlike the original audit result, contains no false-positive content.
The output unit 68 is used to output the non-false-positive audit result.
After the non-false-positive audit result is output, since the application source code corresponding to it is genuinely problematic code, reviewing the audit result is no longer disturbed by false-positive content, and only the security threats or vulnerabilities in the source code corresponding to the non-false-positive audit result need to be repaired.
Through the above embodiment, after the original audit result is obtained, the source code of the application corresponding to the original audit result is annotated, so that the audit results corresponding to the annotated source code are marked as false positives; filtering out the audit results corresponding to application source code carrying the preset annotation information yields the non-false-positive audit result and achieves the goal of filtering out false-positive audit results. Because the preset annotation information is only an annotation on the application's source code and not part of the application itself, even if the application's source code is obfuscated or a variable name or method name is changed, the preset annotation information is not modified and still marks the audit results corresponding to source code within its scope as false positives; in other words, filtering the audit results corresponding to source code carrying the preset annotation information does not depend on the application itself. In sum, the above embodiment solves the problem in the prior art that false-positive results cannot be filtered accurately from the audit result, and thereby improves the accuracy of filtering false-positive results from the audit result.
As shown in Fig. 3, after the application is audited by the static audit system the original audit result is output; the original audit result is then input to the application annotation module, the annotated application is submitted to the static audit system for a second check, the secondary audit result is output, and after the false positives in the secondary audit result are filtered out the non-false-positive audit result is output.
Filtering the false positives out of the secondary audit result means that the filtering unit 66 shown in Fig. 7 filters out the audit results corresponding to source code carrying the preset annotation information to obtain the non-false-positive audit result; the filtering unit 66 comprises a first acquisition module 662, an audit module 664, a judge module 666 and a filtering module 668.
The first acquisition module 662 is used to obtain the source code of the annotated application. The application annotated by the application annotation module is submitted to the static audit system for re-auditing. If the data packet received by the static audit system is the application's source code, the source code is audited directly; if it is an application package rather than source code, the package is converted into application source code by unpacking, decompiling and similar means, so that the static audit system can audit the application's source code.
The audit module 664 is used to statically audit the source code of the annotated application and obtain the secondary audit result.
The source code of the annotated application is statically audited; the method is the same as for the first static audit of the application's source code, except that the source code audited again is source code carrying the preset annotation information, and the secondary audit result is obtained after this static audit.
The judge module 666 is used to judge whether the source code of the application corresponding to the secondary audit result carries the preset annotation information.
The source code of the application corresponding to each entry of the secondary audit result is obtained, and it is judged whether the source code corresponding to the secondary audit result carries the preset annotation information.
The filtering module 668 is used, when the source code of the application corresponding to the secondary audit result carries the preset annotation information, to filter out the secondary audit results corresponding to application source code carrying the preset annotation information, and to take the audit result remaining after that filtering as the non-false-positive audit result.
For example, if an audit result in the secondary audit result is a1.java:L10:test("helloworld") and the source code corresponding to it carries the preset annotation information JgMethodChecked(author=1, date="2014-05-22", type="https_check", comment="checked, issecurity"), the audit result a1.java:L10:test("helloworld") is filtered out, so that after filtering the entry "a1.java:L10:test("helloworld")" no longer appears in the secondary audit result. The audit result from which the entry "a1.java:L10:test("helloworld")" has been removed is taken as the non-false-positive audit result.
Through the above embodiment, the source code corresponding to a false-positive audit result is annotated, the annotated application is statically audited again to obtain the secondary audit result, and the audit results in the secondary audit result that correspond to annotated source code are filtered out, giving a non-false-positive audit result that contains no false-positive results. The false positives in the secondary audit result can be determined accurately from the content of the annotation, and even if the audit conditions are modified for the second static audit, the false positives in the audit result can still be judged accurately. In particular, when the application is fine-tuned and statically audited repeatedly, annotations need not be added every time, and adjustments to the application do not modify the annotation information, so efficiency is improved while the accuracy of filtering false positives from the audit result is maintained.
Preferably, as shown in Fig. 3, the annotation unit comprises: a second acquisition module, for obtaining the default source code corresponding to the preset annotation information; a search module, for searching the application's source code for code identical to the default source code; and an annotation module, for annotating the application source code found with the preset annotation information corresponding to the default source code.
In the application annotation module shown in Fig. 3, the default source code corresponding to the preset annotation information is obtained. For example, code of a "display type" is safe code in the application and should not appear in the non-false-positive audit result, so the default source code corresponding to the preset annotation information is "display type" source code; the application's source code is then searched for "display type" code, which is annotated with the preset annotation information corresponding to that source code.
As shown in Fig. 3, after the secondary audit result is obtained the false-positive results are filtered out, so judging which audit result is a false positive is very important; the judgment of false positives in the secondary audit result is described below with reference to Fig. 8.
Preferably, the judge module comprises: an obtaining submodule 701, a parsing submodule 702, a reading submodule 703, a judging submodule 704 and a search submodule 705.
The obtaining submodule 701 is used to obtain the secondary audit result, i.e. read the content of one audit result. If the secondary audit result contains several entries, read any one of them; if it contains only one entry, read that one.
The parsing submodule 702 is used to parse the source file name in the secondary audit result, i.e. obtain the name of the source file the result refers to. The source file name corresponding to the audit result obtained in step S501 is parsed; for example, if the audit result is a1.java:L10:test("helloworld"), the source file name in this result is a1.java.
The reading submodule 703 is used to read the source code of the application corresponding to the source file name, i.e. read the content of that source file. The code read is all of the code within the class or method that contains line 10 of the source file a1.java named in the audit result; test("helloworld") is one line of the application's source code, which the audit result regards as code containing a security threat or vulnerability. To judge accurately whether this line is a false positive, one should check whether the method or class containing it has been annotated.
The judging submodule 704 is used to judge whether the source code corresponding to the source file name contains the preset annotation information.
After reading the source code corresponding to the source file name, judge whether the code read contains the preset annotation information. For example, the preset annotation information may read as follows:
JgMethodChecked(author=1, date="2014-05-22", type="https_check", comment="checked, issecurity"), or
JgClassChecked(author=1, date="2014-05-22", type="https_check", comment="checked, issecurity"),
If the strings JgMethodChecked or JgClassChecked are found in the code read, the code read is determined to contain the preset annotation information.
Of course, if the application is written in another programming language, for example C, the preset annotation information may be a marker such as $abcdefg; in that case the code read is determined to contain the preset annotation information when $abcdefg is detected.
The search submodule 705 is used, when the source code corresponding to the source file name is judged to contain the preset annotation information, to search that source code line by line for the preset annotation information. If the preset annotation information is found, it determines that the source code of the application corresponding to the secondary audit result carries an annotation; if it is not found, it determines that the source code of the application corresponding to the secondary audit result carries no annotation.
If the code read is judged to contain the preset annotation information, search it line by line for the annotation information, that is, perform steps S5051 to S505n shown in Fig. 5. If the preset annotation information is found in the code read, the code is determined to be annotated and the audit result corresponding to it is a false positive; if the preset annotation information is not found, the code is determined not to be annotated and the audit result corresponding to it is not a false positive.
The search submodule is used to search for the preset annotation information line by line; the search submodule 705 comprises:
a first judging sub-module 7051, for judging whether the current line of the source code corresponding to the source file name is a class definition head;
a second judging sub-module 7053, for judging, when the current line is a class definition head, whether the current line carries the preset annotation information;
a first marking sub-module 7055, for marking, when the current line carries the preset annotation information, all lines within the annotation scope of the class to which the class definition head belongs as annotated, and reading the next line.
Judge whether the line read is a class definition head. If it is, judge whether the line holding the class definition head carries the preset annotation information, i.e. whether the current line carries the preset annotation information. If it does, the source code within the annotation scope of the class to which the class definition head belongs is determined to be safe code, i.e. no source code within that annotation scope should correspond to a secondary audit result; therefore, when a class definition head carries an annotation, all lines within the annotation scope of the class are marked, and a marked line represents an annotated line. For example, if the current line is the class definition head class c1 and contains the annotation JgClassChecked, entry into the code range governed by this annotation is marked with flag=1.
If the current line does not carry the preset annotation information, read the next line.
Further, the device also comprises: a third judging sub-module, for judging, after it has been judged whether the current line of the source code corresponding to the source file name is a class definition head, whether the current line is a method definition head when it is not a class definition head; and a fourth judging sub-module, for reading the next line when the current line is judged not to be a method definition head.
Within the scope of one class definition head several method definition heads may be present, so after judging that the current line is not a class definition head, judge whether it is a method definition head; if it is judged not to be a method definition head, the reading sub-module 7057 reads the next line.
Since the source code of an application contains method definition heads in addition to class definition heads, for method definition heads the search submodule may search for the preset annotation information line by line using the following sub-modules; the search submodule further comprises:
a fifth judging sub-module 7052, for judging whether the current line of the source code corresponding to the source file name is a method definition head;
a sixth judging sub-module 7054, for judging, when the current line is a method definition head, whether the current line carries the preset annotation information;
a second marking sub-module 7056, for marking, when the current line carries the preset annotation information, all lines within the annotation scope of the method to which the method definition head belongs as annotated, and reading the next line.
Judge whether the line read is a method definition head. If it is, judge whether the line holding the method definition head carries the preset annotation information, i.e. whether the current line carries the preset annotation information. If it does, the source code within the annotation scope of the method to which the method definition head belongs is determined to be safe code, i.e. no source code within the annotation scope of that method should correspond to a secondary audit result; therefore, when a method definition head carries an annotation, all lines within the annotation scope of the method are marked, and a marked line represents an annotated line. For example, if the current line is the method definition head public void fun1 and contains the annotation JgMethodChecked, entry into the code range governed by this annotation is marked with flag=1. If the current line does not carry the preset annotation information, read the next line.
Preferably, in order to determine accurately whether the line of source code corresponding to an audit result carries an annotation, the searching sub-module comprises: a seventh judging sub-module 7058, an eighth judging sub-module 7059 and a determining sub-module 7060.
The seventh judging sub-module 7058 is for judging, after the next line has been read, whether that line has been marked as annotated and whether the annotation scope has ended.
It is judged whether the next line has been marked as annotated, for example whether it carries the mark flag=1, and whether the current line is still within the annotation scope.
If the current line is the end line of a method (the line at which the count of '}' characters, taken from the starting line of the method definition that holds the opening '{', matches the count of '{' characters) and the method carries the JgMethodChecked annotation, it is recorded that the code range governed by the current method's annotation has been exited;
If the current line is the end line of a class (the line at which the count of '}' characters, taken from the starting line of the class definition, matches the count of '{' characters) and the class carries the JgClassChecked annotation, it is recorded that the code range governed by the current class's annotation has been exited;
If the file has been read line by line to its end and the code line referred to by the audit result item was not found within the scope of any preset annotation information, the source code corresponding to the current audit result has not been annotated, and the current audit result is output as a non-false-positive result.
The eighth judging sub-module 7059 is for judging, when the next line has been marked as annotated and the annotation scope has not ended, whether the next line is content recorded in the second audit result.
If the next line has been marked as annotated and is still within the annotation scope, it is judged whether this line is content recorded in the second audit result. For example, if one of the entries in the second audit result is a1.java:L10:test("helloworld"), the source code is read from the first line of source file a1.java, and when the tenth line is reached that line is judged to be a line recorded in the audit result. If the next line has not been marked as annotated and the annotation scope has ended, flag=0 and the next line is read.
The determining sub-module 7060 is for determining, when the next line is content recorded in the second audit result, that the content recorded in the second audit result has been annotated, where after the content recorded in the second audit result is determined to have been annotated, that second audit result is filtered out.
If the next line read is content recorded in the second audit result and lies within the annotation scope, that is, it has been marked as annotated, the audit result corresponding to this line is determined to be a false positive; if the line read is not content recorded in the second audit result, reading continues with the next line. After the content recorded in the second audit result is determined to have been annotated, that second audit result is filtered out so that it does not appear in the non-false-positive audit result.
In the above embodiment, the source file name recorded in the second audit result is used to obtain the source file, and the content of the source file is read line by line. When a class definition head or method definition head carries preset annotation information, every line within the annotation scope governed by that class definition head or method definition head is marked as annotated. Thus, when a line recorded in the second audit result is reached, if it has been marked as annotated, the second audit result corresponding to that line is determined to be a false positive and is filtered out of the second audit result; if it has not been marked as annotated, the audit result is determined not to be a false positive and is output in the non-false-positive audit result. In the above embodiment, whether an audit result is a false positive is determined by judging, line by line, whether the source code carries an annotation: while the line of source code corresponding to the audit result is being searched for, every line of source code within an annotation scope is marked, so that even though the preset annotation information is not itself present on every source line, the mark tells whether each line of source code is annotated. Judging line by line avoids missed detections and marking avoids misjudgments, so the above embodiment can determine accurately whether an audit result is a false positive and improves the accuracy of false-positive determination.
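The line-by-line scan described in this embodiment (marking the lines inside an annotated class or method scope, matching '{' against '}' to find the end of the scope, and dropping second-audit-result entries whose file and line fall inside a marked scope) is shown below as an added worked example in Python. It is not code from the patent or from any product it describes. The annotation names JgClassChecked and JgMethodChecked and the entry format a1.java:L10:test("helloworld") are taken from the text; the Java head-line patterns, the sample source file, the sample audit entries, and the acceptance of an annotation on the line directly above the head (an extension of the text, which places it on the head line) are assumptions of the example.

```python
import re
from typing import Dict, List, Set

# Annotation names from the text: one class-level and one method-level marker.
CLASS_ANNOTATION = "JgClassChecked"
METHOD_ANNOTATION = "JgMethodChecked"

# Assumed Java head-line shapes: a method head carries its opening '{';
# either head may be preceded by annotations such as @JgClassChecked.
CLASS_HEAD = re.compile(
    r"^\s*(?:@\w+\s+)*(?:(?:public|private|protected|abstract|final|static)\s+)*class\s+\w+")
METHOD_HEAD = re.compile(
    r"^\s*(?:@\w+\s+)*(?:(?:public|private|protected|static|final|synchronized|abstract)\s+)*"
    r"[\w<>\[\],]+\s+\w+\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*$")

# Audit-result entry format used in the text: <file>:L<line>:<finding>
AUDIT_ENTRY = re.compile(r"^(?P<file>[^:]+):L(?P<line>\d+):(?P<finding>.*)$")

def _has_annotation(line: str, prev: str, annotation: str) -> bool:
    """The text checks the head line itself; accepting an annotation line
    directly above the head is an extension for the usual Java layout."""
    return annotation in line or (prev.strip().startswith("@") and annotation in prev)

def annotated_lines(source: str) -> Set[int]:
    """1-based numbers of the lines inside an annotated class or method scope
    (the lines the text marks with flag=1)."""
    marked: Set[int] = set()
    depth = 0                    # running count of '{' minus '}'
    open_scopes: List[int] = []  # depth at which each annotated scope began
    prev = ""
    for lineno, line in enumerate(source.splitlines(), start=1):
        is_class = CLASS_HEAD.match(line) is not None
        is_method = not is_class and METHOD_HEAD.match(line) is not None
        if is_class and _has_annotation(line, prev, CLASS_ANNOTATION):
            open_scopes.append(depth)       # enter a class annotation scope
        elif is_method and _has_annotation(line, prev, METHOD_ANNOTATION):
            open_scopes.append(depth)       # enter a method annotation scope
        if open_scopes:
            marked.add(lineno)              # flag = 1 for every line in scope
        # Character-count brace matching as in the text; braces inside string
        # literals or comments are not special-cased.
        depth += line.count("{") - line.count("}")
        if "}" in line:
            # The end line is the one whose '}' brings the depth back to the
            # level at which the scope started: leave that scope (flag = 0).
            while open_scopes and depth <= open_scopes[-1]:
                open_scopes.pop()
        prev = line
    return marked

def filter_false_positives(results: List[str], sources: Dict[str, str]) -> List[str]:
    """Drop second-audit-result entries whose file:line lies in an annotated
    scope; what remains is the non-false-positive audit result."""
    cache: Dict[str, Set[int]] = {}
    kept: List[str] = []
    for entry in results:
        m = AUDIT_ENTRY.match(entry)
        src = sources.get(m.group("file")) if m else None
        if src is None:
            kept.append(entry)   # unparseable or no source: cannot prove FP, keep it
            continue
        fname = m.group("file")
        if fname not in cache:
            cache[fname] = annotated_lines(src)
        if int(m.group("line")) not in cache[fname]:
            kept.append(entry)   # not in any annotation scope: keep it
    return kept

# Constructed sample source (not from the page); line 1 is the first line.
SAMPLE_SOURCE = """\
@JgClassChecked class c1 {
    public void fun1() {
        test("helloworld");
    }
}

class c2 {
    @JgMethodChecked
    public void fun1() {
        test("helloworld");
    }

    public void fun2() {
        test("helloworld");
    }
}
"""

# Constructed second audit result in the text's <file>:L<n>:<finding> format.
SAMPLE_RESULTS = [
    'a1.java:L3:test("helloworld")',   # inside annotated class c1 -> filtered
    'a1.java:L10:test("helloworld")',  # inside annotated c2.fun1  -> filtered
    'a1.java:L14:test("helloworld")',  # c2.fun2 is not annotated  -> kept
    'b1.java:L3:test("helloworld")',   # source not supplied       -> kept
]
```

Entries that cannot be parsed, or whose source file is not available, are kept rather than dropped: the method only removes a finding once the annotation around it has actually been located, which is the end-of-file rule of the text. Brace counting is by character count, as in the text, so a '{' or '}' inside a string literal or comment would shift the scope boundary; a tokenizer-based scan would be needed to rule that out.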
Embodiment 3
According to an embodiment of the present invention, a data processing system for application program audit is also provided. As shown in Figure 9, the data processing system for application program audit comprises:
An annotation adding module 802, for storing preset annotation information and annotating, by means of the preset annotation information, the code of the application program corresponding to the original audit result; a static audit system 804, for performing static audit on the annotated application program to obtain an audit result; and a false-positive filtering module 806, for filtering out of the audit result the audit results corresponding to source code carrying preset annotation information.
The code of the application program is annotated by the annotation adding module 802, the annotated application program is sent to the static audit system 804, the audit result is obtained after static audit by the static audit system, and the false-positive filtering module 806 is then used to filter the audit results corresponding to source code carrying preset annotation information, thereby obtaining the non-false-positive audit result that remains after the false-positive audit results have been filtered out.
With this system, source code annotated with preset annotation information is safe source code and should not appear in the static audit result, so by filtering out the audit results corresponding to source code carrying preset annotation information the non-false-positive audit result can be obtained without relying on the characters, attributes, classification or other properties of the application program itself. This solves the problem in the prior art that false positives are filtered out of audit results inaccurately, and improves the accuracy of audit result filtering.
Embodiment 4
According to an embodiment of the present invention, a terminal device for implementing the above data processing method for application program audit is also provided. As shown in Figure 10, the terminal device comprises: a memory 901, a processor 902, an input device 903 and an output device 904.
The original audit result produced by performing static audit on the application program is obtained through the input device 903.
Preset annotation information is stored in the memory 901, where the preset annotation information is information indicating that the original audit result is a false positive.
The processor 902 annotates, by means of the preset annotation information, the source code of the application program corresponding to the original audit result, and filters out the audit results corresponding to source code carrying preset annotation information to obtain the non-false-positive audit result.
The non-false-positive audit result is output through the output device 904.
The processor 902 may also filter out the audit results corresponding to source code carrying preset annotation information and obtain the non-false-positive audit result in the following manner: obtain the source code of the annotated application program; perform static audit on the source code of the annotated application program to obtain a second audit result; judge whether preset annotation information is present in the source code of the application program corresponding to the second audit result; and, if preset annotation information is present in the source code of the application program corresponding to the second audit result, filter out the second audit results corresponding to application program source code carrying preset annotation information, and take the audit result remaining after those second audit results are filtered out as the non-false-positive audit result. The non-false-positive audit result may be output through the output device 904.
Preferably, the processor 902 judges whether an annotation is present in the source code of the application program corresponding to the second audit result in the following manner: obtain the second audit result; parse the source file name in the second audit result; read the source code in the application program corresponding to the source file name; judge whether the source code corresponding to the source file name contains preset annotation information; if it is judged that the source code corresponding to the source file name contains preset annotation information, search for the preset annotation information line by line in the source code corresponding to the source file name, where if the preset annotation information is found it is determined that an annotation is present in the source code of the application program corresponding to the second audit result, and if it is not found it is determined that no annotation is present in the source code of the application program corresponding to the second audit result.
Preferably, the processor 902 searches for the preset annotation information line by line in the following manner: judge whether the current line in the source code corresponding to the source file name is a class definition head; if the current line is a class definition head, judge whether the current line carries preset annotation information; if the current line carries preset annotation information, mark every line within the annotation scope of the class to which the class definition head belongs as annotated, and read the next line.
Preferably, after judging whether the current line in the source code corresponding to the source file name is a class definition head, the processor 902 further performs the following steps: if the current line is not a class definition head, judge whether the current line is a method definition head; and if it is judged that the current line is not a method definition head, read the next line.
Preferably, the processor 902 searches for the preset annotation information line by line in the following manner: judge whether the current line in the source code corresponding to the source file name is a method definition head; if the current line is a method definition head, judge whether the current line carries preset annotation information; if the current line carries preset annotation information, mark every line within the annotation scope of the method to which the method definition head belongs as annotated, and read the next line.
Preferably, after reading the next line, the processor 902 may further perform the following steps: judge whether the next line has been marked as annotated and whether the annotation scope has ended; if the next line has been marked as annotated and the annotation scope has not ended, judge whether the next line is content recorded in the second audit result; if the next line is content recorded in the second audit result, determine that the content recorded in the second audit result has been annotated, where after the content recorded in the second audit result is determined to have been annotated, the second audit result is filtered out.
Preferably, the processor 902 annotates the source code of the application program corresponding to the original audit result in the following manner: obtain the preset source code corresponding to the preset annotation information; search for the source code of the application program that is identical to the preset source code; and to the application program found
Embodiment 5
Embodiments of the present invention also provide a storage medium. Optionally, in this embodiment, the above storage medium may be used to store the program code of the data processing method for application program audit of the embodiments of the present invention.
Optionally, in this embodiment, the storage medium is arranged to store program code for performing the following steps:
Step S1, obtaining the original audit result produced by performing static audit on the application program.
Step S2, obtaining preset annotation information, where the preset annotation information is information indicating that the original audit result is a false positive.
Step S3, annotating, by means of the preset annotation information, the source code of the application program corresponding to the original audit result.
Step S4, filtering out the audit results corresponding to source code carrying preset annotation information, to obtain the non-false-positive audit result.
Step S5, outputting the non-false-positive audit result.
Optionally, in this embodiment, the above storage medium may include, but is not limited to, a USB flash disk, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a portable hard drive, a magnetic disk, an optical disk, or any other medium capable of storing program code.
Optionally, in this embodiment, according to the program code stored in the storage medium, the processor obtains the source code of the annotated application program; performs static audit on the source code of the annotated application program to obtain a second audit result; judges whether preset annotation information is present in the source code of the application program corresponding to the second audit result; and, if preset annotation information is present in the source code of the application program corresponding to the second audit result, filters out the second audit results corresponding to application program source code carrying preset annotation information, and takes the audit result remaining after those second audit results are filtered out as the non-false-positive audit result.
Optionally, in this embodiment, according to the program code stored in the storage medium, the processor obtains the second audit result; parses the source file name in the second audit result; reads the source code in the application program corresponding to the source file name; judges whether the source code corresponding to the source file name contains preset annotation information; and, if it is judged that the source code corresponding to the source file name contains preset annotation information, searches for the preset annotation information line by line in the source code corresponding to the source file name, where if the preset annotation information is found it is determined that an annotation is present in the source code of the application program corresponding to the second audit result, and if it is not found it is determined that no annotation is present in the source code of the application program corresponding to the second audit result.
Optionally, for specific examples in this embodiment reference may be made to the examples described in embodiment 1 and embodiment 2 above, which are not repeated here.
The sequence numbers of the above embodiments of the present invention are for description only and do not represent the merits of the embodiments.
Optionally, in this embodiment, according to the program code stored in the storage medium, the processor judges whether the current line in the source code corresponding to the source file name is a class definition head; if the current line is a class definition head, judges whether the current line carries preset annotation information; and if the current line carries preset annotation information, marks every line within the annotation scope of the class to which the class definition head belongs as annotated, and reads the next line.
Optionally, in this embodiment, according to the program code stored in the storage medium, if the current line is not a class definition head the processor judges whether the current line is a method definition head; and if it is judged that the current line is not a method definition head, reads the next line.
Optionally, in this embodiment, according to the program code stored in the storage medium, the processor judges whether the current line in the source code corresponding to the source file name is a method definition head; if the current line is a method definition head, judges whether the current line carries preset annotation information; and if the current line carries preset annotation information, marks every line within the annotation scope of the method to which the method definition head belongs as annotated, and reads the next line.
Optionally, in this embodiment, according to the program code stored in the storage medium, the processor judges whether the next line has been marked as annotated and whether the annotation scope has ended; if the next line has been marked as annotated and the annotation scope has not ended, judges whether the next line is content recorded in the second audit result; and if the next line is content recorded in the second audit result, determines that the content recorded in the second audit result has been annotated, where after the content recorded in the second audit result is determined to have been annotated, the second audit result is filtered out.
Optionally, in this embodiment, according to the program code stored in the storage medium, the processor obtains the preset source code corresponding to the preset annotation information; searches for the source code of the application program that is identical to the preset source code; and annotates the found source code of the application program according to the preset annotation information corresponding to the preset source code.
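The annotation step of this embodiment (obtain the preset source code belonging to a preset annotation, locate identical code in the application program, and annotate the code found) is shown below as an added Python example; it is not code from the patent or from any product it describes. The preset table, the sample class, and the choice to write the annotation onto the head line of the enclosing method (following the text's example, where the head line public void fun1 itself carries JgMethodChecked) are assumptions of the example, as are the Java head-line patterns and the upward brace-balance search used to find the enclosing head.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Assumed Java head-line shapes (a method head carries its opening '{').
CLASS_HEAD = re.compile(
    r"^\s*(?:@\w+\s+)*(?:(?:public|private|protected|abstract|final|static)\s+)*class\s+\w+")
METHOD_HEAD = re.compile(
    r"^\s*(?:@\w+\s+)*(?:(?:public|private|protected|static|final|synchronized|abstract)\s+)*"
    r"[\w<>\[\],]+\s+\w+\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*$")

# Constructed (hypothetical) preset table: a snippet that has been reviewed and
# confirmed safe, mapped to the preset annotation that marks such code.
PRESET_ANNOTATIONS: Dict[str, str] = {
    'String s = "helloworld";\ntest(s);': "JgMethodChecked",
}

def _find_snippet(lines: List[str], snippet: List[str]) -> Iterator[int]:
    """Yield the 0-based index of every occurrence of the snippet; lines are
    compared with surrounding whitespace stripped so indentation is ignored."""
    norm = [ln.strip() for ln in lines]
    snip = [ln.strip() for ln in snippet]
    for i in range(len(norm) - len(snip) + 1):
        if norm[i:i + len(snip)] == snip:
            yield i

def _enclosing_head(lines: List[str], idx: int, head: "re.Pattern[str]") -> int:
    """Walk upward from idx tracking brace balance and return the index of the
    definition head whose block contains idx, or -1 if none is found."""
    balance = 0
    for j in range(idx - 1, -1, -1):
        balance += lines[j].count("}") - lines[j].count("{")
        if balance < 0:            # an unclosed '{' above us: idx is inside it
            if head.match(lines[j]):
                return j
            balance = 0            # some other block (if/for/...), keep climbing
    return -1

def annotate_source(source: str, presets: Dict[str, str]) -> Tuple[str, List[int]]:
    """Write each preset annotation onto the head line of the method (or class)
    enclosing every occurrence of its snippet. Returns the annotated source and
    the 1-based line numbers of the heads that were changed."""
    lines = source.splitlines()
    touched: List[int] = []
    for snippet, annotation in presets.items():
        head_re = CLASS_HEAD if annotation == "JgClassChecked" else METHOD_HEAD
        for idx in _find_snippet(lines, snippet.splitlines()):
            h = _enclosing_head(lines, idx, head_re)
            if h < 0 or annotation in lines[h]:
                continue               # no enclosing head, or already annotated
            body = lines[h].lstrip()
            indent = lines[h][: len(lines[h]) - len(body)]
            lines[h] = f"{indent}@{annotation} {body}"
            touched.append(h + 1)
    return "\n".join(lines) + "\n", sorted(set(touched))

# Constructed sample: fun1 contains the confirmed-safe snippet, fun2 does not.
SAMPLE_SOURCE_TO_ANNOTATE = """\
class c1 {
    public void fun1() {
        String s = "helloworld";
        test(s);
    }

    public void fun2(String s) {
        test(s);
    }
}
"""
```

Only the method whose body matches the whole preset snippet is annotated; fun2, which calls the same function with a caller-supplied argument, is left alone and its finding will still reach the non-false-positive audit result. Running the step twice is harmless, because a head that already carries the annotation is skipped.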
If the integrated units in the above embodiments are implemented in the form of software functional units and sold or used as independent products, they may be stored in the above computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, which includes several instructions for causing one or more computer devices (which may be personal computers, servers, network devices or the like) to perform all or part of the steps of the method described in each embodiment of the present invention.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related description of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in actual implementation: several units or components may be combined or integrated into another system, or some features may be ignored or not performed. Moreover, the mutual coupling, direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection between units or modules may be electrical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over several network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
The above are only preferred embodiments of the present invention. It should be pointed out that those skilled in the art can make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as within the scope of protection of the present invention.
Claims (17)
1. A data processing method for application program audit, characterized in that it comprises:
obtaining an original audit result produced by performing static audit on an application program;
obtaining preset annotation information, wherein the preset annotation information is information indicating that the original audit result is a false positive;
annotating, by means of the preset annotation information, source code of the application program corresponding to the original audit result;
filtering out audit results corresponding to source code carrying the preset annotation information, to obtain a non-false-positive audit result; and
outputting the non-false-positive audit result.
2. The method according to claim 1, characterized in that filtering out audit results corresponding to source code carrying the preset annotation information to obtain a non-false-positive audit result comprises:
obtaining the source code of the annotated application program;
performing static audit on the source code of the annotated application program to obtain a second audit result;
judging whether the preset annotation information is present in the source code of the application program corresponding to the second audit result; and
if the preset annotation information is present in the source code of the application program corresponding to the second audit result, filtering out second audit results corresponding to application program source code carrying the preset annotation information, and taking the audit result remaining after those second audit results are filtered out as the non-false-positive audit result.
3. The method according to claim 2, characterized in that judging whether an annotation is present in the source code of the application program corresponding to the second audit result comprises:
obtaining the second audit result;
parsing a source file name in the second audit result;
reading the source code in the application program corresponding to the source file name;
judging whether the source code corresponding to the source file name contains the preset annotation information;
if it is judged that the source code corresponding to the source file name contains the preset annotation information, searching for the preset annotation information line by line in the source code corresponding to the source file name,
wherein, if the preset annotation information is found, it is determined that an annotation is present in the source code of the application program corresponding to the second audit result, and if the preset annotation information is not found, it is determined that no annotation is present in the source code of the application program corresponding to the second audit result.
4. The method according to claim 3, characterized in that searching for the preset annotation information line by line comprises:
judging whether a current line in the source code corresponding to the source file name is a class definition head;
if the current line is the class definition head, judging whether the current line carries the preset annotation information;
if the current line carries the preset annotation information, marking every line within the annotation scope of the class to which the class definition head belongs as annotated, and reading the next line.
5. The method according to claim 4, characterized in that, after judging whether the current line in the source code corresponding to the source file name is a class definition head, the method further comprises:
if the current line is not the class definition head, judging whether the current line is a method definition head; and
if it is judged that the current line is not a method definition head, reading the next line.
6. The method according to claim 3, characterized in that searching for the preset annotation information line by line comprises:
judging whether a current line in the source code corresponding to the source file name is a method definition head;
if the current line is the method definition head, judging whether the current line carries the preset annotation information;
if the current line carries the preset annotation information, marking every line within the annotation scope of the method to which the method definition head belongs as annotated, and reading the next line.
7. The method according to any one of claims 4 to 6, characterized in that, after reading the next line, the method further comprises:
judging whether the next line has been marked as annotated and whether the annotation scope has ended;
if the next line has been marked as annotated and the annotation scope has not ended, judging whether the next line is content recorded in the second audit result;
if the next line is content recorded in the second audit result, determining that the content recorded in the second audit result has been annotated,
wherein, after the content recorded in the second audit result is determined to have been annotated, the second audit result is filtered out.
8. The method according to claim 1, characterized in that annotating, by means of the preset annotation information, the source code of the application program corresponding to the original audit result comprises:
obtaining preset source code corresponding to the preset annotation information;
searching for source code of the application program that is identical to the preset source code; and
annotating the found source code of the application program according to the preset annotation information corresponding to the preset source code.
9. A data processing device for application program audit, characterized in that it comprises:
a first acquiring unit, for obtaining an original audit result produced by performing static audit on an application program;
a second acquiring unit, for obtaining preset annotation information, wherein the preset annotation information is information indicating that the original audit result is a false positive;
an annotating unit, for annotating, by means of the preset annotation information, source code of the application program corresponding to the original audit result;
a filtering unit, for filtering out audit results corresponding to source code carrying the preset annotation information, to obtain a non-false-positive audit result; and
an output unit, for outputting the non-false-positive audit result.
10. The device according to claim 9, characterized in that the filtering unit comprises:
a first acquiring module, for obtaining the source code of the annotated application program;
an audit module, for performing static audit on the source code of the annotated application program to obtain a second audit result;
a judging module, for judging whether the preset annotation information is present in the source code of the application program corresponding to the second audit result; and
a filtering module, for filtering out, when the preset annotation information is present in the source code of the application program corresponding to the second audit result, second audit results corresponding to application program source code carrying the preset annotation information, and taking the audit result remaining after those second audit results are filtered out as the non-false-positive audit result.
11. The device according to claim 10, characterized in that the judging module comprises:
an acquiring sub-module, for obtaining the second audit result;
a parsing sub-module, for parsing a source file name in the second audit result;
a reading sub-module, for reading the source code in the application program corresponding to the source file name;
a judging sub-module, for judging whether the source code corresponding to the source file name contains the preset annotation information;
a searching sub-module, for searching for the preset annotation information line by line in the source code corresponding to the source file name when it is judged that the source code corresponding to the source file name contains the preset annotation information,
wherein, if the preset annotation information is found, it is determined that an annotation is present in the source code of the application program corresponding to the second audit result, and if the preset annotation information is not found, it is determined that no annotation is present in the source code of the application program corresponding to the second audit result.
12. The device according to claim 11, characterized in that the searching sub-module comprises:
a first judging sub-module, for judging whether a current line in the source code corresponding to the source file name is a class definition head;
a second judging sub-module, for judging, when the current line is the class definition head, whether the current line carries the preset annotation information;
a first marking sub-module, for marking, when the current line carries the preset annotation information, every line within the annotation scope of the class to which the class definition head belongs as annotated, and reading the next line.
13. The device according to claim 12, characterized in that the device further comprises:
a third judging sub-module, for judging, after it has been judged whether the current line in the source code corresponding to the source file name is a class definition head and when the current line is not the class definition head, whether the current line is a method definition head; and
a fourth judging sub-module, for reading the next line when it is judged that the current line is not a method definition head.
14. The device according to claim 11, characterized in that the searching sub-module comprises:
a fifth judging sub-module, for judging whether a current line in the source code corresponding to the source file name is a method definition head;
a sixth judging sub-module, for judging, when the current line is the method definition head, whether the current line carries the preset annotation information;
a second marking sub-module, for marking, when the current line carries the preset annotation information, every line within the annotation scope of the method to which the method definition head belongs as annotated, and reading the next line.
15. The device according to any one of claims 12 to 14, characterized in that the searching sub-module comprises:
a seventh judging sub-module, for judging, after the next line has been read, whether the next line has been marked as annotated and whether the annotation scope has ended;
an eighth judging sub-module, for judging, when the next line has been marked as annotated and the annotation scope has not ended, whether the next line is content recorded in the second audit result;
Determine sub-module, for when described next line content is the content recorded in described secondary auditing result, determine that the content recorded in described secondary auditing result is annotated,
Wherein, after the content determining to record in described secondary auditing result is annotated, secondary auditing result described in filtering.
16. devices according to claim 9, is characterized in that, described annotation unit comprises:
Second acquisition module, for obtaining default source code corresponding to described default annotation information;
Search module, for searching the source code of the described application program identical with described default source code; And
Annotations module, for annotating according to the default annotation information that described default source code is corresponding the source code of the application program found.
The data handling system of 17. 1 kinds of application program audits, is characterized in that, comprising:
Annotation adds module, for storing default annotation information, and is annotated by the code of described default annotation information to application program corresponding to original auditing result;
Static auditing system, for carrying out static auditing to the application program after annotation, obtains auditing result; And
False positive result filtering module, in filtering auditing result with the auditing result that the source code of described default annotation information is corresponding.
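The line-by-line scope marking of claims 11 to 15, as an added Python example that is not code from the patent: an annotated class or method definition head marks every line of its brace-delimited scope, and a finding whose recorded source line falls on a marked line is filtered from the report. The marker `@AuditFalsePositive`, the Java-like sample file and the findings are constructed for the example, and the claims' "device definition head" is taken to mean a method definition head.

```python
import re
# Constructed marker for the patent's "default annotation information" (head line or the line above it).
MARKER = "@AuditFalsePositive"
CLASS_HEAD = re.compile(r"^(public\s+|final\s+|abstract\s+)*class\s+\w+")
METHOD_HEAD = re.compile(r"^(public|private|protected)?\s*[\w<>\[\],\s]+\s\w+\s*\([^;]*$")
SAMPLE_SOURCE = """\
public class PayrollService {
    public void export(String sql) {
        stmt.executeQuery(sql);
    }
    // @AuditFalsePositive reviewed: key is a compile-time constant
    private String readConfig(String key) {
        return System.getProperty(key);
    }
}
// @AuditFalsePositive legacy module, scheduled for removal
class LegacyShim {
    String run(String sql) {
        return query(sql + filter);
    }
}
"""  # constructed Java-like source with two reviewed scopes
FINDINGS = [  # constructed audit findings: file name plus the recorded source line
    {"file": "PayrollService.java", "rule": "SQL_INJECTION", "content": "stmt.executeQuery(sql);"},
    {"file": "PayrollService.java", "rule": "PROPERTY_READ", "content": "return System.getProperty(key);"},
    {"file": "PayrollService.java", "rule": "SQL_INJECTION", "content": "return query(sql + filter);"},
]

def annotated_lines(lines: list[str]) -> set[int]:
    """1-based lines inside an annotated class/method scope, head included (brace-depth tracked)."""
    marked, scopes, depth, pending = set(), [], 0, False
    for no, line in enumerate(lines, 1):
        s = line.strip()
        is_head = bool(CLASS_HEAD.match(s) or METHOD_HEAD.match(s))
        if is_head and (pending or MARKER in s):
            scopes.append(depth)  # scope ends when depth falls back to this value
        if scopes:
            marked.add(no)
        depth += line.count("{") - line.count("}")
        if scopes and "}" in line and depth <= scopes[-1]:
            scopes.pop()
        pending = MARKER in s and not is_head  # marker on the line above a head
    return marked

def filter_findings(findings: list[dict], sources: dict[str, str]) -> list[dict]:
    """Keep only findings whose recorded line is outside every annotated scope of its file."""
    def is_annotated(f: dict) -> bool:
        lines = sources.get(f["file"], "").splitlines()
        return any(lines[n - 1].strip() == f["content"] for n in annotated_lines(lines))
    return [f for f in findings if not is_annotated(f)]
```

Brace counting ignores braces inside strings and comments, so a production filter would work on a parsed syntax tree rather than raw lines.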
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410267652.1A CN105278929A (en) | 2014-06-16 | 2014-06-16 | Application program audit data processing method, device and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105278929A true CN105278929A (en) | 2016-01-27 |
Family
ID=55147995
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101017458A (en) * | 2007-03-02 | 2007-08-15 | 北京邮电大学 | Software safety code analyzer based on static analysis of source code and testing method therefor |
CN102799520A (en) * | 2012-06-27 | 2012-11-28 | 清华大学 | Static checking method and device for source code pairing |
Non-Patent Citations (1)
Title |
---|
徐岩柏 (Xu Yanbai): "计算机软性中安全漏洞检测方法研究" (Research on security vulnerability detection methods in computer software), 《中国优秀硕士学位论文全文数据库》 (China Masters' Theses Full-text Database) * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106845171A (en) * | 2017-01-20 | 2017-06-13 | 暨南大学 | A kind of Android application codes protection mechanism discrimination method |
CN106845171B (en) * | 2017-01-20 | 2020-01-17 | 暨南大学 | Android application program code protection mechanism identification method |
US20210034496A1 (en) * | 2019-07-29 | 2021-02-04 | Ncr Corporation | Auditing-as-a-service |
US11531611B2 (en) * | 2019-07-29 | 2022-12-20 | Ncr Corporation | Auditing-as-a-service |
CN110968868A (en) * | 2019-11-20 | 2020-04-07 | 北京国舜科技股份有限公司 | Application security audit method and device, electronic equipment and storage medium |
CN111858378A (en) * | 2020-07-30 | 2020-10-30 | 重庆都会信息科技有限公司 | PHP code auditing system |
CN114327582A (en) * | 2021-12-27 | 2022-04-12 | 星环众志信息科技(南京)有限公司 | Code review data cleaning method, device, equipment and medium |
CN114327582B (en) * | 2021-12-27 | 2024-10-18 | 星环众志信息科技(南京)有限公司 | Method, device, equipment and medium for cleaning code review data |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20160127 |