CN106372511A - Source code detection system and method - Google Patents
- Publication number: CN106372511A (application CN201610720993.9A)
- Authority: CN (China)
- Prior art keywords: source code, detection, detected, compiler, rule
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING
  - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities; G06F21/577—Assessing vulnerabilities and evaluating computer system security
  - G06F11/00—Error detection; Error correction; Monitoring; G06F11/36—Preventing errors by testing or debugging software; G06F11/3668—Software testing; G06F11/3672—Test management; G06F11/3688—Test management for test execution, e.g. scheduling of test suites
  - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms; G06F2221/033—Test or assess software
Abstract
The invention discloses a source code detection system and method. The system comprises: an interface unit for receiving source code to be detected and a detection type; a source code security management unit that identifies the source code to be detected to determine its programming language and compiler version, and sends a detection request including the detection type to a defect knowledge base; the defect knowledge base, which stores multiple rule bases and sends at least one of them to a detection unit according to the detection type; an integrated compiler that compiles the source code to be detected according to its programming language and compiler version to obtain compilation information; and the detection unit, which detects the compilation information according to the at least one rule base to determine a detection result, wherein each rule base is associated with a detection policy.
Description
Technical field
The present invention relates to the field of source code detection, and more particularly to a source code detection system and method.
Background technology
With the rapid development of network technology and its applications, information system security faces unprecedented challenges. Networking and interconnection have become the direction in which software and information systems develop. Interconnecting an information system with the Internet or other networks increases the probability that the system is attacked, and the security threats it faces grow accordingly. On the other hand, as the business applications built on information systems become richer and software and information systems become ever more complex, more and more potential security hazards hide inside information systems, and they are generally difficult to find and eliminate.
In recent years, numerous security incidents have exposed the severity of the current information security situation. Relying only on traditional security mechanisms is increasingly inadequate for ensuring information security. Software code is the infrastructure component on which system information is built, and security vulnerabilities and undocumented functions (back doors) in software code are the root cause of frequent security incidents. Ignoring the security of the software code itself and relying solely on perimeter protection, after-the-fact repair and similar methods treats the symptoms rather than the cause, and inevitably achieves little for much effort. Only by ensuring the security of the software code itself through management and technical means, supplemented by various security protection measures, can the current security problems be solved at their root.
However, current source code detection tools are all integrated into development tools, and the detection means, detection types and granularity of the source code detection tool provided by each development tool differ. That is, to perform a particular source code detection, the user must write the source code using the corresponding development tool. On the one hand, this is inconvenient for writing source code: for example, the user is accustomed to the original development tool but has to use an unfamiliar one in order to carry out source code detection. On the other hand, when the user wishes to apply multiple detection means, detection types and granularities to the source code, the source code has to be moved between different development tools. In this case the user must purchase various development tools, and the detection results obtained are multiple independent results, one from each development tool. Multiple independent results lack consistency and cannot reflect the true state of the source code.
Summary of the invention
To solve the above problems, the present invention provides a source code detection system, the system including:
an interface unit for receiving source code to be detected and a detection type;
a source code security management unit that identifies the source code to be detected to determine its programming language and compiler version, and sends a detection request including the detection type to a defect knowledge base;
a defect knowledge base for storing multiple rule bases and sending at least one of the multiple rule bases to a detection unit according to the detection type, wherein each rule base is associated with a detection policy;
an integrated compiler that compiles the source code to be detected according to its programming language and compiler version to obtain compilation information; and
a detection unit that detects the compilation information according to the at least one rule base to determine a detection result.
Preferably, the integrated compiler includes at least one of: a C/C++ compiler, a Java/JSP compiler, a C# compiler, a Python compiler and a PHP compiler.
Preferably, the multiple rule bases are: a defect detection rule base, a compliance detection rule base and an open-source component detection rule base.
Preferably, the defect detection rule base includes at least one of: a common weakness list, a security risk list and a programming error list.
Preferably, the compliance detection rule base includes at least one of: the CERT (Computer Emergency Response Team) secure coding standards and the MISRA (Motor Industry Software Reliability Association) C/C++ safe coding specification.
Preferably, the open-source component detection rule base includes open-source component information collected through search engines and/or big-data networks.
Preferably, the detection unit includes at least one of: a C/C++ detector, a Java/JSP detector, a C# detector, a Python detector, a PHP detector and a provenance detector.
Preferably, the source code security management unit analyses the detection result to determine whether additional detection is needed, and if not, generates a detection report from the detection result.
Preferably, the source code security management unit analyses the detection result to determine whether additional detection is needed, and if so, sends the detection result, the source code to be detected and the detection type through the interface unit to a defect management system for additional detection.
Preferably, the system also updates the defect knowledge base in an offline or online manner.
According to another aspect of the invention, a source code detection method is provided, the method including:
receiving source code to be detected and a detection type;
identifying the source code to be detected to determine its programming language and compiler version;
sending a detection request including the detection type to a defect knowledge base storing multiple rule bases, so as to obtain at least one rule base from the multiple rule bases according to the detection type, wherein each rule base is associated with a detection policy;
compiling the source code to be detected according to its programming language and compiler version to obtain compilation information; and
detecting the compilation information according to the at least one rule base to determine a detection result.
Preferably, the compiler includes at least one of: a C/C++ compiler, a Java/JSP compiler, a C# compiler, a Python compiler and a PHP compiler.
Preferably, the multiple rule bases are: a defect detection rule base, a compliance detection rule base and an open-source component detection rule base.
Preferably, the defect detection rule base includes at least one of: a common weakness list, a security risk list and a programming error list.
Preferably, the compliance detection rule base includes at least one of: the CERT (Computer Emergency Response Team) secure coding standards and the MISRA (Motor Industry Software Reliability Association) C/C++ safe coding specification.
Preferably, the open-source component detection rule base includes open-source component information collected through search engines and/or big-data networks.
Preferably, the method also includes analysing the detection result to determine whether additional detection is needed, and if not, generating a detection report from the detection result.
Preferably, the method also includes analysing the detection result to determine whether additional detection is needed, and if so, sending the detection result, the source code to be detected and the detection type to a defect management system for additional detection.
Preferably, the method also includes updating the defect knowledge base in an offline or online manner.
Brief description of the drawings
The illustrative embodiments of the present invention can be more fully understood by reference to the following drawings:
Fig. 1 is a schematic structural diagram of the source code detection system according to a preferred embodiment of the present invention;
Fig. 2 is a schematic structural diagram of the interface unit according to a preferred embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the integrated compiler according to a preferred embodiment of the present invention;
Fig. 4 is a schematic structural diagram of the detection unit according to a preferred embodiment of the present invention; and
Fig. 5 is a flow chart of the source code detection method according to a preferred embodiment of the present invention.
Detailed description
Illustrative embodiments of the present invention are now introduced with reference to the accompanying drawings. The invention can, however, be implemented in many different forms and is not limited to the embodiments described herein; these embodiments are provided so that the disclosure is thorough and complete and fully conveys the scope of the invention to those of ordinary skill in the art. The terms used in the illustrative embodiments shown in the drawings do not limit the invention. In the drawings, identical units/elements use identical reference numerals.
Unless otherwise stated, the terms (including scientific and technical terms) used herein have the meanings commonly understood by those of ordinary skill in the art. It will further be understood that terms defined in commonly used dictionaries should be understood to have meanings consistent with their context in the related art, and are not to be construed in an idealised or overly formal sense.
Fig. 1 is a schematic structural diagram of the source code detection system 100 according to a preferred embodiment of the present invention. Source code detection system 100 addresses source code security requirements. On the basis of high-accuracy security vulnerability analysis and provenance detection of source code, it can also integrate seamlessly with source code version management systems (for example the version control system SVN or the distributed version control system Git) and defect management systems (for example the defect tracking system Bugzilla or other bug-tracking systems), achieving visualised management of source code security at minimal cost and substantially improving software security quality. Source code detection system 100 uses static analysis: the software source code to be detected is compiled automatically in the corresponding compilation environment, and then data-flow analysis, symbolic execution, precise memory modelling and other techniques analyse and check the program's syntax, structure, processes, interfaces and so on to determine the security of the source code.
The source code analysis and detection policies of source code detection system 100 come from many years of accumulated security experience and are compatible with authoritative international source code security standards and specifications, including the Common Weakness Enumeration (CWE), the Open Web Application Security Project (OWASP), the CERT (Computer Emergency Response Team) secure programming standards and the MISRA (Motor Industry Software Reliability Association) C/C++ safe coding specification. Source code detection system 100 supports 13 major categories of detection policy, such as code injection, cross-site scripting, input validation, API misuse, password management, resource management errors, configuration errors, poor implementation, exception handling, code smells, code quality and dangerous functions, comprising more than 600 groups of detection policies, so as to ensure that the source code security detection results are accurate and authoritative.
As shown in Fig. 1, source code detection system 100 includes: an interface unit 101, a source code security management unit 102, a defect knowledge base 103, an integrated compiler 104 and a detection unit 105. Preferably, interface unit 101 implements the information exchange between source code detection system 100 and external devices or systems. For example, interface unit 101 can receive the source code to be detected and the detection type from a code source. The source code to be detected may be written in any of various programming languages, for example C, C++, Java, JSP, C#, Python and PHP. Those of ordinary skill in the art will appreciate that the invention is not limited to detecting the above languages; any known programming language can be detected. The detection type distinguishes which detection projects are to be carried out on the source code to be detected, for example defect detection, compliance detection and/or open-source component detection. Preferably, the detection project may be any one, any two or all of defect detection, compliance detection and open-source component detection. The detection type can represent the detection project using a code or in any other way; for example, codes can represent these 7 kinds of detection project as follows: code 1 means the detection project is defect detection, code 2 compliance detection, code 3 open-source component detection, code 4 defect detection and compliance detection, code 5 defect detection and open-source component detection, code 6 compliance detection and open-source component detection, and code 7 defect detection, compliance detection and open-source component detection. In addition, when source code detection system 100 analyses the detection result and determines that additional detection is needed, interface unit 101 sends the detection result to the defect management system. And when the user wishes to re-check the source code to be detected, interface unit 101 sends the detection result to a third-party detection system. Generally, the defect management system integrates the detection result of source code detection system 100 with its own detection results. The detection result may include bug information. In addition, source code detection system 100 receives the bug information fed back by the defect management system in order to provide customised development services. A third-party detection system generally uses the detection result as a reference or object of comparison and detects the source code to be detected independently according to its own detection logic. Interface unit 101 implements docking with third-party detection tools, that is, the function of driving a third-party detection system to complete a detection task and receiving its detection result. In addition, source code detection system 100 can also obtain, through interface unit 101, the detection result that a third-party detection system produced for the source code to be detected.
Preferably, source code security management unit 102 is the hub of source code detection system 100. Source code security management unit 102 provides the human-computer interaction interface, is responsible for receiving user instructions, obtains the software source code to be detected from outside and stores it, issues work orders to modules such as the integrated compiler, the defect knowledge base and the detection unit, and receives their feedback results. Through the interactive interface of source code security management unit 102 the user can perform user management, role management, detection project management, source code management, common task management, planned task management, statistical analysis and other operations.
Preferably, source code security management unit 102 identifies the source code to be detected to determine its programming language and compiler version. Generally, before the source code to be detected is compiled, information about it must be obtained; the programming language and compiler version of the source code are necessary information for compiling it. For example, after the source code to be detected is identified, it is determined whether the source code is C, C++, Java, JSP, C#, Python or PHP. Only after the programming language and compiler version have been determined can the source code be compiled correctly. In addition, source code security management unit 102 can also identify other information about the source code to be detected, such as the number of lines of code. Preferably, source code security management unit 102 sends a detection request including the detection type to the defect knowledge base, to indicate to the knowledge base which rule bases are needed for this source code detection.
In addition, source code security management unit 102 also analyses the detection result determined by the detection unit to decide whether additional detection is needed. If additional detection is not needed, a detection report is generated from the detection result; if it is needed, the detection result, the source code to be detected and the detection type are sent through the interface unit to the defect management system for additional detection. The defect management system can detect the source code to be detected according to the detection result, the source code to be detected and the detection type, and may provide a targeted policy according to the detection result.
For example, additional detection may be triggered when the number of defects in the detection result determined by the detection unit is far below the average. Generally, the defect density of an ordinary software engineer's code is 50 to 250 defects/KLOC (defects per thousand lines of source code). Because mature software companies have strict software development quality management mechanisms and multiple testing stages, their defect rates are much lower: the defect density of an ordinary software development company is 4 to 40 defects/KLOC, and that of a high-level software company is 2 to 4 defects/KLOC. At present, the average defect density of domestic software is 6 defects/KLOC. For different users, when the defects per thousand lines of source code are significantly lower than the industry average, source code security management unit 102 can trigger additional detection. For example, if the detection result shows that the source code of an ordinary software development company has fewer than 0.1 defects per thousand lines, additional detection may be triggered.
Preferably, defect knowledge base 103 is a database storing the source code detection policies. Defect knowledge base 103 stores multiple rule bases, including a defect detection rule base, a compliance detection rule base and an open-source component detection rule base. The kinds of defect that defect knowledge base 103 can detect include buffer overflow, SQL injection, cross-site scripting, code quality, dangerous functions and so on, in 13 major categories and more than 600 groups, and the detectable open-source component rule base reaches 600,000 entries.
Preferably, the defect detection rule base comes from many years of accumulated source code security experience and is compatible with authoritative international source code security standards and specifications, for example the following 3 international standards or specifications. The Common Weakness Enumeration (CWE) is a second security vulnerability dictionary from MITRE after CVE; CWE provides programmers and security practitioners with a coherent library of software weakness types, and aims to let people better understand software weaknesses and to create automated tools capable of identifying, repairing and preventing such weaknesses. The OWASP Top 10, the ten most critical web application security risks, is one of the most important OWASP projects; it not only summarises the ten most likely, most common and most dangerous security risks of web applications, but also includes suggestions on how to eliminate them. The CWE/SANS Top 25 Most Dangerous Programming Errors is a joint achievement of the SANS Institute, MITRE and many top software security experts in the United States and Europe; the CWE/SANS Top 25 helps programmers write more secure code and helps users judge whether software is secure.
Preferably, the compliance detection rule base supports the code compliance detection rules of mainstream international standards, including the CERT (Computer Emergency Response Team) secure programming standards and the MISRA (Motor Industry Software Reliability Association) C/C++ safe coding specification. The Source Code Analysis Laboratory created by CERT provides conformance testing of software systems against the CERT secure coding standards, covering the CERT Oracle Secure Coding Standard for Java, the CERT C Secure Coding Standard, the CERT C++ Secure Coding Standard and the CERT Perl Secure Coding Standard. The MISRA C/C++ safe coding specification is a development standard proposed by MISRA for the C and C++ languages, intended to promote the safety and portability of embedded systems.
Preferably, the open-source component detection rule base includes open-source component information collected through search engines and/or big-data networks. The known vulnerabilities and licence agreements of open-source components bring risk to software; some developers, for convenience, directly reference open-source components from the Internet when coding, and these components often already contain vulnerabilities, which reduces the overall security of the developed software. Therefore, the present invention builds an open-source component detection rule base on top of existing search-engine crawlers, so that the provenance detector (discussed in detail below) can load this rule base and detect whether open-source components are referenced in the source code. Further, it determines whether the open-source components used have software licensing problems, helping the user avoid the legal risk of open-source components. At the same time, the present invention can also check which security vulnerabilities exist in the open-source components referenced by the software, thereby minimising the security risk introduced by open-source code and solving the problem that conventional source code detection techniques cannot perform provenance detection.
Preferably, defect knowledge base 103 sends at least one of the multiple rule bases to the detection unit according to the detection type, wherein each rule base is associated with a detection policy. As described above, the detection type can represent the detection project using a code or in any other way. For example, when the detection type code is 1, defect knowledge base 103 sends the defect detection rule base to detection unit 105; when the code is 2, it sends the compliance detection rule base to detection unit 105; when the code is 3, it sends the open-source component detection rule base to detection unit 105; when the code is 4, it sends the defect detection rule base and the compliance detection rule base to detection unit 105; when the code is 5, it sends the defect detection rule base and the open-source component detection rule base to detection unit 105; when the code is 6, it sends the compliance detection rule base and the open-source component detection rule base to detection unit 105; and when the code is 7, it sends the defect detection rule base, the compliance detection rule base and the open-source component detection rule base to detection unit 105. Preferably, each rule base is associated with a detection policy: the defect detection rule base with the defect detection policy, the compliance detection rule base with the compliance detection policy, and the open-source component detection rule base with the open-source component detection policy.
Preferably, defect knowledge base 103 can be updated periodically or aperiodically. A periodic update may be, for example, daily, weekly or monthly. An aperiodic update typically takes place when the content of any rule base in defect knowledge base 103 changes. In addition, defect knowledge base 103 is generally updated in an online or offline manner.
Preferably, integrated compiler 104 according to the programming language of described source code to be detected and compiler version to institute
State source code to be detected to be compiled, to obtain compiling information.Integrated compiler 104 is used for providing for main programming language
The source code of the programming languages such as translation and compiling environment, for example, c, c++, java, jsp, c#, python provides translation and compiling environment, so that
Corresponding source code can complete compiling to generate compiling information.During compiling, integrated compiler 104 can produce letter
The information such as number call relation, control stream information, variable Alias information, pointer information, data dependence relation and interface.Then, collect
Become compiler 104 can these information unification collect after pass to corresponding programming language detecting and alarm and carry out safety detection.Excellent
Selection of land, integrated compiler 104 includes c/c++ compiler, java/jsp compiler, c# compiler, python compiler and php
Compiler etc..
Preferably, integrated compiler 104 is compiled the compiling obtaining using c/c++ compiler to c/c++ source code
Information;Using java/jsp compiler, java/jsp source code is compiled with the compiling information obtaining;Using c# compiler
C# source code is compiled with the compiling information to obtain;Using python compiler, python source code is compiled obtaining
The compiling information obtaining;And using php compiler, php compiler source code is compiled with the compiling information obtaining.
Preferably, the detector unit 105 detects the compiling information according to the at least one rule base to determine a detection result. The detector unit 105 includes a c/c++ detector, a java/jsp detector, a c# detector, a python detector, a php detector, a provenance detector (the source-tracing detector) and the like. Each detector receives the compiling information of the corresponding programming language from the integrated compiler and detects the source code in combination with the at least one rule base provided by the defect knowledge base (each rule base corresponds to a detection policy). The detector unit 105 feeds the detection result back to the source code security managing unit 102. Preferably, the detection result can include bug information, defect type, defect start position, defect end position and similar information.
Specifically, the detector unit 105 receives the compiling information of c/c++ source code from the integrated compiler 104 and passes it to the c/c++ detector, which detects according to the loaded c/c++ detection policies and produces an analysis result. The detector unit 105 receives the compiling information of java/jsp/html/xml source code from the integrated compiler 104 and passes it to the java/jsp detector, which detects according to the loaded java/jsp/html/xml detection policies and produces an analysis result. The detector unit 105 receives the compiling information of c#/aspx source code from the integrated compiler 104 and passes it to the c#/aspx detector, which detects according to the loaded c# detection policies and produces an analysis result. The detector unit 105 receives the compiling information of python source code from the integrated compiler 104 and passes it to the python detector, which detects according to the loaded python detection policies and produces an analysis result. And the detector unit 105 receives the compiling information of php source code from the integrated compiler 104 and passes it to the php detector, which detects according to the loaded php detection policies and produces an analysis result.
Fig. 2 is a structural diagram of the interface unit 200 according to a preferred embodiment of the present invention. The interface unit 200 implements the information exchange between the source code detecting system and external devices or systems. For example, the interface unit 200 is responsible for docking with external code sources, external code version management systems, defect management systems, third-party systems and the like, so as to read the source code to be detected from code repositories such as svn and git and send it to the source code security managing unit for detection. Furthermore, the interface unit 200 can transfer the bug information of the source code sent by the source code security managing unit to a defect management system such as bugzilla, and at the same time receive the bug information fed back by the defect management system and forward it back to the source code security managing unit. In order to provide a customized development service, the interface unit 200 docks with third-party detection tools, driving a third-party detection engine to complete a detection task and receiving its detection result. That is, the interface unit 200 docks with the general interfaces exposed by external systems such as the code repositories svn and git and bugzilla, to read source code and exchange bug information; and through customized development it docks with the interfaces of third-party detection engines, to issue detection tasks and receive detection results.
As shown in Fig. 2, the interface unit 200 includes a code source interface 201, a defect management system interface 202 and a third-party detecting system interface 203. The code source interface 201 communicates with a code source 204; the code source can be any type of device, such as an external code repository (svn, git), a user terminal or a personal computer. The code source interface 201 can receive the source code to be detected and a detection type from the code source 204. The source code to be detected can be code written in any kind of programming language, for example c, c++, java, jsp, c#, python and php. The detection type distinguishes which detection projects are to be carried out on the source code to be detected, for example defect detection, compliance detection and/or open-source component detection. Preferably, the detection project can be any one, any two or all of defect detection, compliance detection and open-source component detection.
The defect management system interface 202 communicates with a defect management system 205, which is, for example, bugzilla. When the source code detecting system has analyzed the detection result and determined that additional detection is required, the defect management system interface 202 sends the detection result to the defect management system 205. Generally, the defect management system 205 integrates the detection result of the source code detecting system with its own detection results. The detection result can include bug information. In addition, the source code detecting system receives the bug information fed back by the defect management system 205, in order to provide a customized development service and to better manage software source code defects.
The third-party detecting system interface 203 communicates with a third-party detecting system 206. The third-party detecting system interface 203 is a non-standard interface, developed individually according to user requirements. The third-party detecting system interface 203 is responsible for issuing detection commands to the third-party detecting system 206 and for receiving the detection results of third-party detection tools. For users who have already purchased tools such as fortify sca, checkmarx and coverity scan, the present invention, by providing the third-party detecting system interface 203, can drive these three tools to re-check the source code and report their detection results in a unified way, which both complements and refines the source code detection result and protects the user's original investment. The third-party detecting system 206 generally uses the detection result as a reference or comparison object and performs independent detection of the source code to be detected according to its own detection logic. In addition, the source code detecting system can also obtain, through the third-party detecting system interface 203, the detection result that the third-party detecting system 206 produced for the source code to be detected.
The interface unit 200 is the basis on which the SDL management function is realized. Through the interface unit 200, developers can integrate source code security detection into the development and testing process, helping the user to complete source code security detection automatically to the greatest extent, thereby reducing the cost of source code detection.
Fig. 3 is a structural diagram of the integrated compiler 300 according to a preferred embodiment of the present invention. The integrated compiler 300 compiles the source code to be detected according to its programming language and compiler version, to obtain compiling information. The integrated compiler 300 provides a compilation environment for the main programming languages; for example, it provides compilation environments for source code written in c, c++, java, jsp, c#, python and similar languages, so that the corresponding source code can be compiled to generate compiling information. During compilation, the integrated compiler 300 produces information such as function call relations, control flow information, variable alias information, pointer information, data dependence relations and interfaces. The integrated compiler 300 then collects this information and passes it to the detection engine for the corresponding programming language for security detection.
As shown in Fig. 3, the integrated compiler 300 includes a c/c++ compiler 301, a java/jsp compiler 302, a c# compiler 303, a python compiler 304 and a php compiler 305. Preferably, the c/c++ compiler 301 compiles c/c++ source code to obtain compiling information; the java/jsp compiler 302 compiles java/jsp source code to obtain compiling information; the c# compiler 303 compiles c# source code to obtain compiling information; the python compiler 304 compiles python source code to obtain compiling information; and the php compiler 305 compiles php source code to obtain compiling information.
After the five compilers in the integrated compiler 300 have compiled the source code of their respective programming languages according to the programming language and compiler version of the source code to be detected, they transmit the compiling information produced to the detector for the corresponding programming language for detection. Static source code detection techniques generally work in one of two ways: direct syntactic analysis, or analysis after the source code has been compiled. Preferably, the present invention is illustrated using the second way as an example, but the idea of the present invention also applies to the first. Preferably, the present invention analyses the executable paths of the program after compiling the source code, which avoids the false reports caused by infeasible paths; at the same time, the function call relations, control flow information, variable alias information, pointer information, data dependence relations, interface information and so on produced by compilation allow a source code analysis tool that works in this way to give better detection results. However, creating a compilation environment by hand is not a simple matter; the integrated compiler 300 of the present invention can automatically create the compilation environment for the source code to be detected, fully transparently to the user, which greatly improves the efficiency of source code detection while guaranteeing detection accuracy.
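The "compiling information" the text lists (call relations, interfaces, data dependence) is what a compiler front end produces after parsing. The following is an added example, not the patent's integrated compiler: for python, one of the languages the integrated compiler covers, the standard-library `ast` module is used as the front end to extract function call relations, interfaces (function signatures) and a coarse read/write relation from a constructed source file, and the call relation is then used the way a detector would use it, to find every function from which a given callee is reachable. The sample source and the `os.system` sink chosen for the query are constructed for the example.

```python
"""Extract compiling information (call relations, interfaces, reads/writes)
from python source with the ast module. Added example; the sample source
below is constructed and is only parsed, never executed."""
import ast

SAMPLE = '''
def read_config(path):
    with open(path) as fh:
        return fh.read()

def run(cmd, path):
    cfg = read_config(path)
    full = cmd + " " + cfg
    os.system(full)

def main():
    run("ls", "cfg.txt")
'''


def callee_name(func):
    """Dotted name of a call target, e.g. 'os.system'; '<dynamic>' if computed."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return callee_name(func.value) + "." + func.attr
    return "<dynamic>"


class CompileInfo(ast.NodeVisitor):
    """Collects the per-function facts a detector would consume."""

    def __init__(self):
        self.calls = []        # (caller, callee, line): the function call relation
        self.interfaces = {}   # function -> list of parameter names
        self.reads = {}        # function -> names read (coarse data dependence)
        self.writes = {}       # function -> names assigned
        self._current = "<module>"

    def visit_FunctionDef(self, node):
        self.interfaces[node.name] = [a.arg for a in node.args.args]
        self.reads.setdefault(node.name, set())
        self.writes.setdefault(node.name, set())
        saved, self._current = self._current, node.name
        self.generic_visit(node)
        self._current = saved

    def visit_Call(self, node):
        self.calls.append((self._current, callee_name(node.func), node.lineno))
        self.generic_visit(node)

    def visit_Name(self, node):
        table = self.writes if isinstance(node.ctx, ast.Store) else self.reads
        table.setdefault(self._current, set()).add(node.id)


def compile_info(source):
    """Parse the source and return the compiling information as plain data."""
    v = CompileInfo()
    v.visit(ast.parse(source))
    return {"calls": v.calls, "interfaces": v.interfaces,
            "reads": v.reads, "writes": v.writes}


def transitive_callers(info, callee):
    """All functions from which `callee` is reachable through the call relation;
    a detector uses this to see which code paths lead to a dangerous sink."""
    reverse = {}
    for caller, target, _ in info["calls"]:
        reverse.setdefault(target, set()).add(caller)
    seen, work = set(), [callee]
    while work:
        target = work.pop()
        for caller in reverse.get(target, ()):
            if caller not in seen:
                seen.add(caller)
                work.append(caller)
    return seen


if __name__ == "__main__":
    info = compile_info(SAMPLE)
    print(info["calls"])
    print("reaches os.system:", transitive_callers(info, "os.system"))
```

The read/write sets are deliberately coarse (names only, no ordering); a real data-dependence relation would be built on the control flow graph, which is what the flow-sensitive analyses later in the description rely on.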
Fig. 4 is a structural diagram of the detector unit 400 according to a preferred embodiment of the present invention. The detector unit 400 detects the compiling information according to the at least one rule base to determine the detection result. The detector unit 400 includes a c/c++ detector 401, a java/jsp detector 402, a c# detector 403, a python detector 404, a php detector 405 and a provenance detector 406. Each detector receives the compiling information of the corresponding programming language from the integrated compiler and detects the source code in combination with the at least one rule base provided by the defect knowledge base (each rule base corresponds to a detection policy). The detector unit 400 feeds the detection result back to the source code security managing unit. Preferably, the detection result can include bug information, defect type, defect start position, defect end position and similar information.
Specifically, the detector unit 400 receives the compiling information of c/c++ source code from the integrated compiler and passes it to the c/c++ detector 401, which detects according to the loaded c/c++ detection policies and produces an analysis result. The detector unit 400 receives the compiling information of java/jsp/html/xml source code from the integrated compiler and passes it to the java/jsp detector 402, which detects according to the loaded java/jsp/html/xml detection policies and produces an analysis result. The detector unit 400 receives the compiling information of c#/aspx source code from the integrated compiler and passes it to the c#/aspx detector 403, which detects according to the loaded c# detection policies and produces an analysis result. The detector unit 400 receives the compiling information of python source code from the integrated compiler and passes it to the python detector 404, which detects according to the loaded python detection policies and produces an analysis result. And the detector unit 400 receives the compiling information of php source code from the integrated compiler and passes it to the php detector 405, which detects according to the loaded php detection policies and produces an analysis result.
Preferably, the detector unit 400 adopts static source code analysis techniques such as data-flow analysis, symbolic execution and precise memory modeling, which greatly improve detection accuracy while guaranteeing the efficiency of source code security detection. Data-flow analysis is a technique for obtaining data-flow information from a program without running it. The data-flow information is ultimately passed to the detector unit for further defect analysis. In acquiring data-flow information, the precision of the analysis is what matters most. The detector unit of the present invention increases the precision of the analysis mainly in three respects: flow-insensitive, flow-sensitive and path-sensitive analysis. For example, a flow-insensitive analysis gives the overall data-flow information of a function; a flow-sensitive analysis gives the information corresponding to each point on the control flow graph; and a path-sensitive analysis may provide multiple pieces of information for each point on the control flow graph, because reaching the same program point along different paths may produce different state information, and the path-sensitive analysis retains these different pieces of information.
Preferably, the purpose of symbolic execution is to reduce the false-alarm rate of detection. Simulated symbolic execution is introduced in the detector unit of the present invention to ignore defects present in unreachable code paths of the program. Simulated symbolic execution assumes that all program inputs are symbolic values and executes the program symbolically along each of its paths. At each program branch it records the constraints the program places on variables, solves these constraints at the same time, and judges whether the path is executable, so that non-executable paths can be pruned. The advantage of this approach is that it detects all paths of the program as far as possible, while avoiding the false reports brought by infeasible paths.
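The two preceding paragraphs (the three sensitivities of data-flow analysis, and symbolic execution pruning infeasible paths) are easiest to compare on one program. The block below is an added example, not the patent's analysis engine: it runs a flow-insensitive, a flow-sensitive and a path-sensitive null-dereference check over a toy intermediate representation, where the path-sensitive check carries a path condition for each branch variable and prunes an arm that contradicts it, which is the symbolic-execution idea in miniature. The IR, its statement forms and the three sample functions are constructed for the example.

```python
"""Flow-insensitive, flow-sensitive and path-sensitive null-dereference checks
on a toy IR. Added example; the IR and samples are constructed.

A function body is a list of statements:
    ("assign", var, value)                    value is "null" or "obj"
    ("deref", var)                            dereference of var
    ("branch", cond, then_block, else_block)  cond is a symbolic boolean input
    ("return",)
"""


def flow_insensitive(block):
    """One value set per variable for the whole function; statement order is ignored."""
    values, derefs = {}, []

    def collect(stmts):
        for s in stmts:
            if s[0] == "assign":
                values.setdefault(s[1], set()).add(s[2])
            elif s[0] == "deref":
                derefs.append(s[1])
            elif s[0] == "branch":
                collect(s[2])
                collect(s[3])

    collect(block)
    return sorted({v for v in derefs if "null" in values.get(v, set())})


def flow_sensitive(block):
    """A value set per variable at each program point. Both arms of a branch are
    analysed and their states merged at the join, which loses the correlation
    between the arm taken and the values it produced."""
    reports = []

    def walk(stmts, state):
        for s in stmts:
            if s[0] == "assign":
                state = {**state, s[1]: {s[2]}}
            elif s[0] == "deref":
                if "null" in state.get(s[1], set()):
                    reports.append(s[1])
            elif s[0] == "return":
                return None  # nothing flows past a return
            elif s[0] == "branch":
                arms = [a for a in (walk(s[2], dict(state)), walk(s[3], dict(state)))
                        if a is not None]
                if not arms:
                    return None
                names = {v for a in arms for v in a}
                state = {v: set().union(*[a.get(v, set()) for a in arms]) for v in names}
        return state

    walk(block, {})
    return sorted(set(reports))


def path_sensitive(block):
    """Each path is explored separately with its path condition (the decision
    taken on every branch variable so far). An arm that contradicts the path
    condition is infeasible and is pruned, as symbolic execution does."""
    reports = []

    def walk(stmts, state, pc):
        for i, s in enumerate(stmts):
            if s[0] == "assign":
                state = {**state, s[1]: s[2]}
            elif s[0] == "deref":
                if state.get(s[1]) == "null":
                    reports.append((s[1], dict(pc)))
            elif s[0] == "return":
                return
            elif s[0] == "branch":
                for arm, taken in ((s[2], True), (s[3], False)):
                    if pc.get(s[1], taken) != taken:
                        continue  # contradicts an earlier decision on this condition
                    walk(arm + stmts[i + 1:], state, {**pc, s[1]: taken})
                return  # the rest of the block was handled per arm

    walk(block, {}, {})
    return reports


# Constructed sample 1: p is reassigned before the dereference. Only the
# order-blind flow-insensitive analysis reports it.
REASSIGNED = [("assign", "p", "null"), ("assign", "p", "obj"), ("deref", "p")]

# Constructed sample 2: p is null exactly when c is true, and the function
# returns before the dereference exactly when c is true. The dereference is
# safe, but only the path-sensitive analysis sees the correlation.
CORRELATED = [
    ("branch", "c", [("assign", "p", "null")], [("assign", "p", "obj")]),
    ("branch", "c", [("return",)], []),
    ("deref", "p"),
]

# Constructed sample 3: a genuine null dereference on the c == True path.
REAL_BUG = [
    ("branch", "c", [("assign", "p", "null")], [("assign", "p", "obj")]),
    ("deref", "p"),
]
```

The path-sensitive checker enumerates paths, so on real programs it needs the bound on path count and the constraint solver that the description alludes to; here the constraints are single booleans and are solved by a dictionary lookup.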
Traditional static analysis techniques cannot analyze memory very precisely, so the detector unit of the present invention adopts a precise memory modeling technique that can accurately simulate pointer arithmetic and multi-level pointer dereference and distinguish the different elements of an array and the different fields of a structure in memory. By modeling memory, the value of a pointer expression can be analysed precisely, and the different offsets within the same pointed-to object can be distinguished, so that detection involving pointers is more accurate. Pointers are very common in source code; using pointers is fast and saves memory, but improper use of pointers can also create potential safety hazards, for example a null pointer dereference may cause a system crash. Therefore, accurate simulation of pointers can effectively detect pointer-related security problems in source code.
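To make the memory-modeling claim concrete, here is an added example (not the patent's technique) of a toy element-sensitive memory model: memory is a set of named objects made of cells, a pointer is the pair (object, offset), cells may hold pointers so multi-level dereference works, and a classifier reports whether a chain of dereferences is safe, hits NULL, leaves the object, or dereferences a non-pointer. A deliberately element-insensitive summary of the same object is included to show the false report that model would produce. All objects, names and values are constructed.

```python
"""Toy element-/field-sensitive memory model for pointer checks. Added
example; objects and values below are constructed."""

NULL = ("<null>", 0)  # a pointer into a reserved, never-allocated object


class NullDereference(Exception):
    pass


class OutOfBounds(Exception):
    pass


class NotAPointer(Exception):
    pass


class Memory:
    def __init__(self):
        self.objects = {}

    def alloc(self, name, cells):
        """An array or struct: one cell per element/field, with initial values."""
        self.objects[name] = list(cells)
        return (name, 0)

    def add(self, ptr, k):
        """p + k: same object, new offset; bounds are checked at access time."""
        obj, off = self._as_pointer(ptr)
        return (obj, off + k)

    def load(self, ptr):
        """*p: the value of exactly one cell, not a summary of the whole object."""
        cells, off = self._cell(ptr)
        return cells[off]

    def store(self, ptr, value):
        cells, off = self._cell(ptr)
        cells[off] = value

    def _as_pointer(self, ptr):
        if not (isinstance(ptr, tuple) and len(ptr) == 2):
            raise NotAPointer(repr(ptr))
        return ptr

    def _cell(self, ptr):
        obj, off = self._as_pointer(ptr)
        if obj == NULL[0]:
            raise NullDereference(f"offset {off} from NULL")
        cells = self.objects[obj]
        if not 0 <= off < len(cells):
            raise OutOfBounds(f"{obj}[{off}] outside 0..{len(cells) - 1}")
        return cells, off


def classify(mem, ptr, levels):
    """Outcome of applying `levels` dereferences to ptr."""
    try:
        for _ in range(levels):
            ptr = mem.load(ptr)
        return "ok"
    except NullDereference:
        return "null-deref"
    except OutOfBounds:
        return "out-of-bounds"
    except NotAPointer:
        return "not-a-pointer"


def may_be_null_insensitive(mem, ptr):
    """What an element-insensitive model sees: one value set for the whole
    object, so a NULL stored in any element taints every element."""
    obj, _ = ptr
    return NULL in set(mem.objects[obj])


def demo():
    mem = Memory()
    node = mem.alloc("node", [42, NULL])        # struct { int val; struct node *next; }
    arr = mem.alloc("arr", [NULL, node, node])   # struct node *arr[3]
    pp = mem.alloc("pp", [mem.add(arr, 1)])      # struct node **pp = &arr[1]
    return {
        "arr[1]->val": classify(mem, mem.add(arr, 1), 2),   # arr[1] -> node -> 42
        "arr[0]->val": classify(mem, arr, 2),               # arr[0] is NULL
        "(*pp)->val": classify(mem, pp, 3),                 # pp -> &arr[1] -> node -> 42
        "arr[3]": classify(mem, mem.add(arr, 3), 1),        # one past the end
        "node->val->x": classify(mem, node, 2),             # node[0] is an int
        "insensitive arr[1] may be NULL": may_be_null_insensitive(mem, mem.add(arr, 1)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:32} {outcome}")
```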
Preferably, the provenance detector 406 detects the open-source components used in the source code to be detected according to the open-source component detection rule base. The present invention builds the open-source component detection rule base on the basis of existing search-engine crawlers, so that the provenance detector 406, by loading this rule base, can detect whether the source code references open-source components. It further determines whether the open-source components used have software license authorization problems, thereby helping the user to avoid the legal risks of open-source components. At the same time, the present invention can also check which security vulnerabilities exist in the open-source components referenced by the software, thereby reducing to the greatest extent the security risks introduced by open-source code and solving the problem that conventional source code detection techniques cannot perform provenance detection.
The provenance detector 406 traverses the module information of the source code to be detected and compares it with the open-source component detection rule base of the defect knowledge base; if a specific open-source component is matched, the information about this component and the security vulnerabilities known for it are fed back to the source code security managing unit. The provenance detector 406 relies on the Internet: through search engines and big-data techniques it can ensure that the open-source component information obtained is as extensive and complete as possible. With this large open-source component rule base, enterprises can find out in time which open-source components exist in their software and which security risks they carry.
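The comparison the provenance detector performs, module information against a component rule base, looks like the following added example (not the patent's provenance detector). The rule base is a constructed table of components with their license and the version ranges affected by known vulnerabilities; the module information is a constructed dependency list; the license policy, the component names and the `VULN-SAMPLE-*` identifiers are placeholders and not real data. Each match is reported with its kind, so the three concerns in the text (use of an open-source component, license risk, known vulnerabilities) stay distinguishable in the result.

```python
"""Open-source component provenance check against a component rule base.
Added example; every component, version, license and vulnerability id below
is constructed."""


def parse_version(v):
    """Dotted numeric versions only (assumption of this example)."""
    return tuple(int(x) for x in v.split("."))


def in_range(version, lo, hi):
    """True when lo <= version < hi; None means unbounded on that side."""
    ver = parse_version(version)
    return ((lo is None or parse_version(lo) <= ver) and
            (hi is None or ver < parse_version(hi)))


# Constructed rule base: component -> license and affected version ranges.
RULE_BASE = {
    "libalpha": {"license": "Apache-2.0",
                 "vulns": [{"id": "VULN-SAMPLE-1", "affected": ("1.0", "1.4"),
                            "severity": "high"}]},
    "libbeta":  {"license": "GPL-3.0", "vulns": []},
    "libgamma": {"license": "MIT",
                 "vulns": [{"id": "VULN-SAMPLE-2", "affected": ("0.9", None),
                            "severity": "medium"}]},
}

# Constructed license policy: licenses that need review before the code ships.
REVIEW_LICENSES = {"GPL-3.0", "AGPL-3.0"}

# Constructed module information: (component, version, where it is declared).
MODULES = [
    ("libalpha", "1.2.0", "pom.xml:14"),
    ("libalpha", "1.5.1", "pom.xml:20"),
    ("libbeta", "2.0", "requirements.txt:3"),
    ("libdelta", "0.1", "requirements.txt:4"),   # not in the rule base
    ("libgamma", "1.0.0", "package.json:9"),
]


def trace_components(modules, rule_base=RULE_BASE, review=REVIEW_LICENSES):
    """Match each declared module against the rule base and report findings."""
    findings = []
    for name, version, where in modules:
        base = {"component": name, "version": version, "where": where}
        rule = rule_base.get(name)
        if rule is None:
            # Unknown provenance is itself worth reporting: nothing is known
            # about the component's license or vulnerabilities.
            findings.append({**base, "kind": "unknown-component"})
            continue
        if rule["license"] in review:
            findings.append({**base, "kind": "license-review",
                             "license": rule["license"]})
        for vuln in rule["vulns"]:
            lo, hi = vuln["affected"]
            if in_range(version, lo, hi):
                findings.append({**base, "kind": "known-vulnerability",
                                 "id": vuln["id"], "severity": vuln["severity"]})
    return findings


def summarize(findings):
    """Count findings per kind, for the report the managing unit generates."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in trace_components(MODULES):
        print(f)
    print(summarize(trace_components(MODULES)))
```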
Fig. 5 is a flow chart of the source code detection method 500 according to a preferred embodiment of the present invention. The source code detection method 500 addresses source code security requirements: on the basis of high-accuracy security vulnerability analysis and provenance detection of source code, it can also exchange information with source code version management systems (for example the version control system svn and the distributed version control system git) and defect management systems (for example the defect tracking system bugzilla), realizing visual management of source code security at minimum cost and substantially improving software security quality. The source code detection method 500 uses static source code analysis: the software source code to be detected is automatically compiled in the corresponding compilation environment, and then data-flow analysis, symbolic execution, precise memory modeling and other techniques are used to analyze and check the grammar, structure, procedures, interfaces and so on of the source code program, in order to determine its security. The source code detection method 500 supports 13 major categories, such as code injection, cross-site scripting, input validation, api misuse, password management, resource management errors, configuration errors, poor implementation, exception handling, code smells, code quality and dangerous functions, with more than 600 sets of detection policies, thereby ensuring the accuracy and authority of the source code security detection results.
As shown in Fig. 5, the source code detection method 500 starts at step 501. In step 501, the source code to be detected and a detection type are received. The source code to be detected can be code written in any kind of programming language, for example c, c++, java, jsp, c#, python and php. The detection type distinguishes which detection projects are to be carried out on the source code to be detected, for example defect detection, compliance detection and/or open-source component detection. Preferably, the detection project can be any one, any two or all of defect detection, compliance detection and open-source component detection. In step 502, the source code to be detected is identified to determine its programming language and compiler version. Generally, before the source code to be detected is compiled, information related to the source code needs to be obtained. The programming language and compiler version of the source code are necessary information for compiling it. For example, after identifying the source code to be detected, it is determined whether the source code is c, c++, java, jsp, c#, python or php. The source code can be compiled correctly only after its programming language and compiler version have been determined. In addition, the source code detection method 500 can also identify other information about the source code to be detected, such as the number of lines of code. Preferably, the source code detection method 500 includes the detection type in the detection request sent to the defect knowledge base, to indicate to the defect knowledge base which rule bases are needed for this source code detection.
Preferably, in step 503, a detection request including the detection type is sent to the defect knowledge base that stores multiple rule bases, so that at least one rule base is obtained from the multiple rule bases according to the detection type. The defect knowledge base is the database that stores the source code detection policies. The defect knowledge base 103 stores multiple rule bases, including a defect detection rule base, a compliance detection rule base and an open-source component detection rule base. As described above, the detection type can represent the detection project by a code or in any other way. For example, when the code of the detection type is 1, the defect detection rule base is obtained; when the code is 2, the compliance detection rule base is obtained; when the code is 3, the open-source component detection rule base is obtained; when the code is 4, the defect detection rule base and the compliance detection rule base are obtained; when the code is 5, the defect detection rule base and the open-source component detection rule base are obtained; when the code is 6, the compliance detection rule base and the open-source component detection rule base are obtained; and when the code is 7, the defect detection rule base, the compliance detection rule base and the open-source component detection rule base are all obtained.
Preferably, each rule base is associated with one kind of detection policy: the defect detection rule base is associated with the defect detection policy, the compliance detection rule base with the compliance detection policy, and the open-source component detection rule base with the open-source component detection policy.
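Steps 503 and 505 together (detection request with a type code, rule bases bound to policies, detectors producing results with bug information, defect type and start/end positions) can be shown end to end. The following is an added example and not the patent's implementation: the type-code table is exactly the one given in the text, since codes 1 to 7 there are an enumeration rather than a bit mask; the compiling information, the banned-function list, the known-component list and the finding format are constructed; positions are line-based. Strategies for all three rule bases are included, the open-source one only as a name match, so that every code in the table runs.

```python
"""Detection request -> rule bases -> detection policies -> results.
Added example; the compiling information and the rule contents are constructed."""

DEFECT, COMPLIANCE, OPEN_SOURCE = "defect", "compliance", "open_source"

# Detection-type codes as enumerated in the description (not a bit mask:
# 3 is open-source alone, 4 is defect + compliance).
DETECTION_TYPES = {
    1: (DEFECT,), 2: (COMPLIANCE,), 3: (OPEN_SOURCE,),
    4: (DEFECT, COMPLIANCE), 5: (DEFECT, OPEN_SOURCE),
    6: (COMPLIANCE, OPEN_SOURCE), 7: (DEFECT, COMPLIANCE, OPEN_SOURCE),
}

# Constructed compiling information for one file, in the shape a compiler
# front end would hand to the detector unit.
COMPILING_INFO = {
    "file": "src/net.c",
    "calls": [                      # function call relation: (caller, callee, line)
        ("handle_request", "strcpy", 42),
        ("handle_request", "parse_len", 45),
        ("main", "gets", 80),
    ],
    "pointer_info": [               # (function, pointer, deref line, null-checked?)
        ("handle_request", "buf", 43, False),
        ("parse_len", "hdr", 61, True),
    ],
    "modules": ["libalpha", "internal_util"],
}

BANNED_FUNCTIONS = {"strcpy": "unbounded copy", "gets": "unbounded read",
                    "sprintf": "unbounded format"}          # constructed compliance rule
KNOWN_COMPONENTS = {"libalpha", "libbeta"}                  # constructed component rule


def finding(info, defect_type, bug_info, start, end):
    """Result record in the shape the description lists: bug information,
    defect type, defect start position and defect end position."""
    return {"defect_type": defect_type, "bug_info": bug_info,
            "start": (info["file"], start), "end": (info["file"], end)}


def defect_policy(info):
    """Defect rule: a pointer dereferenced without a preceding null check."""
    return [finding(info, "null-pointer-dereference",
                    f"{ptr} dereferenced in {fn} without a null check", line, line)
            for fn, ptr, line, checked in info["pointer_info"] if not checked]


def compliance_policy(info):
    """Compliance rule: calls to functions banned by the coding standard."""
    return [finding(info, "banned-function",
                    f"{caller} calls {callee} ({BANNED_FUNCTIONS[callee]})", line, line)
            for caller, callee, line in info["calls"] if callee in BANNED_FUNCTIONS]


def open_source_policy(info):
    """Open-source rule: referenced modules that are known components."""
    return [finding(info, "open-source-component", f"uses {m}", 0, 0)
            for m in info["modules"] if m in KNOWN_COMPONENTS]


class DefectKnowledgeBase:
    """Stores the rule bases; each rule base is bound to exactly one policy."""

    def __init__(self, policies):
        self.policies = policies      # rule-base name -> policy callable

    def rule_bases_for(self, detection_type):
        if not is_valid_detection_type(detection_type):
            raise ValueError(f"unknown detection type code {detection_type!r}")
        return [(name, self.policies[name]) for name in DETECTION_TYPES[detection_type]]


def is_valid_detection_type(code):
    return code in DETECTION_TYPES


class DetectorUnit:
    def run(self, info, rule_bases):
        """Apply every selected rule base's policy and tag results with its name."""
        results = []
        for name, policy in rule_bases:
            results.extend({"rule_base": name, **f} for f in policy(info))
        return results


def detect(info, detection_type):
    kb = DefectKnowledgeBase({DEFECT: defect_policy, COMPLIANCE: compliance_policy,
                              OPEN_SOURCE: open_source_policy})
    return DetectorUnit().run(info, kb.rule_bases_for(detection_type))


if __name__ == "__main__":
    for r in detect(COMPILING_INFO, 7):
        print(r["rule_base"], r["defect_type"], r["start"], r["bug_info"])
```

Keeping the code table explicit rather than deriving it arithmetically matters here: a reader who assumed a bit mask would send code 3 expecting defect plus compliance and silently get only the open-source rule base.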
Preferably, in step 504, the source code to be detected is compiled according to its programming language and compiler version, to obtain compiling information. Preferably, c/c++ source code is compiled with the c/c++ compiler to obtain compiling information; java/jsp source code is compiled with the java/jsp compiler to obtain compiling information; c# source code is compiled with the c# compiler to obtain compiling information; python source code is compiled with the python compiler to obtain compiling information; and php source code is compiled with the php compiler to obtain compiling information.
Preferably, in step 505, the compiling information is detected according to the at least one rule base to determine the detection result. Preferably, the source code detection method 500 receives the compiling information of c/c++ source code and detects it according to the loaded c/c++ detection policies, producing an analysis result; receives the compiling information of java/jsp/html/xml source code and detects it according to the loaded java/jsp/html/xml detection policies, producing an analysis result; receives the compiling information of c#/aspx source code and detects it according to the loaded c# detection policies, producing an analysis result; receives the compiling information of python source code and detects it according to the loaded python detection policies, producing an analysis result; and receives the compiling information of php source code and detects it according to the loaded php detection policies, producing an analysis result. Preferably, the defect knowledge base loads the open-source component detection policy directly into the provenance detector, and the provenance detector analyses which open-source components exist in the source code and which security vulnerabilities these open-source components carry.
Preferably, the source code detection method 500 feeds the analysis result produced back to the source code security managing unit for review, statistical analysis and report generation. The source code detection method 500 uploads the bug information that needs to be submitted to the bugzilla defect management system to the external system interface, and at the same time receives the feedback information of the defect management system. The external system interface exchanges the submitted defect information with defect management systems such as bugzilla: it transmits the bug information and receives the defect management system's feedback and update information. Through the customized development service and the external system interface, the source code detection method 500 can dock with third-party detection engines (such as fortify sca and checkmarx) to issue detection tasks and collect detection results. The source code detection method 500 can update the defect knowledge base periodically or aperiodically through the source code security managing unit. The update is performed offline or online: the source code security managing unit parses the obtained upgrade package and stores it in the defect knowledge base.
The present invention has been described with reference to a small number of embodiments. However, as is known to those skilled in the art, embodiments other than the ones disclosed above equally fall within the scope of the present invention, as defined by the appended patent claims.
Normally, all terms used in the claims are to be interpreted according to their usual meaning in the technical field, unless explicitly defined otherwise herein. Every reference to "a/an/the [device, component, etc.]" is to be interpreted openly as at least one instance of the device, component, etc., unless expressly specified otherwise. The steps of any method disclosed herein need not be performed in the exact order disclosed, unless explicitly stated otherwise.
Claims (10)
1. A source code detecting system, the system including:
an interface unit, for receiving source code to be detected and a detection type;
a source code security managing unit, for identifying the source code to be detected to determine the programming language and compiler version of the source code to be detected, and for sending a detection request including the detection type to a defect knowledge base;
the defect knowledge base, for storing multiple rule bases and sending at least one of the multiple rule bases to a detector unit according to the detection type, wherein each rule base is associated with one kind of detection policy;
an integrated compiler, for compiling the source code to be detected according to the programming language and compiler version of the source code to be detected, to obtain compiling information; and
the detector unit, for detecting the compiling information according to the at least one rule base to determine a detection result.
2. The system according to claim 1, wherein the integrated compiler includes at least one of the following: a c/c++ compiler, a java/jsp compiler, a c# compiler, a python compiler and a php compiler.
3. The system according to claim 1, wherein the multiple rule bases are: a defect detection rule base, a compliance detection rule base and an open-source component detection rule base.
4. The system according to claim 3, wherein the defect detection rule base includes at least one of the following: a common defect list, a potential safety hazard list and a programming error list.
5. The system according to claim 3, wherein the compliance detection rule base includes at least one of the following: the cert (computer security emergency response team) secure coding standard and the misra (automotive industry software reliability association) c/c++ secure coding standard.
6. A source code detection method, the method including:
receiving source code to be detected and a detection type;
identifying the source code to be detected to determine the programming language and compiler version of the source code to be detected;
sending a detection request including the detection type to a defect knowledge base that stores multiple rule bases, so as to obtain at least one rule base from the multiple rule bases according to the detection type, wherein each rule base is associated with one kind of detection policy;
compiling the source code to be detected according to the programming language and compiler version of the source code to be detected, to obtain compiling information; and
detecting the compiling information according to the at least one rule base to determine a detection result.
7. The method according to claim 6, wherein the compiler includes at least one of the following: a c/c++ compiler, a java/jsp compiler, a c# compiler, a python compiler and a php compiler.
8. The method according to claim 6, wherein the multiple rule bases are: a defect detection rule base, a compliance detection rule base and an open-source component detection rule base.
9. The method according to claim 8, wherein the defect detection rule base includes at least one of the following: a common defect list, a potential safety hazard list and a programming error list.
10. The method according to claim 8, wherein the compliance detection rule base includes at least one of the following: the cert (computer security emergency response team) secure coding standard and the misra (automotive industry software reliability association) c/c++ secure coding standard.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610720993.9A CN106372511A (en) | 2016-08-24 | 2016-08-24 | Source code detection system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106372511A true CN106372511A (en) | 2017-02-01 |
Family
ID=57879207
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610720993.9A Pending CN106372511A (en) | 2016-08-24 | 2016-08-24 | Source code detection system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106372511A (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107992724A (en) * | 2017-12-14 | 2018-05-04 | 四川大学 | A kind of software security reinforcement means |
CN108334335A (en) * | 2018-04-04 | 2018-07-27 | 北京顶象技术有限公司 | A kind of software source code version determines method and device |
CN108710564A (en) * | 2017-09-15 | 2018-10-26 | 苏州棱镜七彩信息科技有限公司 | Source code comprehensive evaluating platform based on big data |
CN108898018A (en) * | 2018-07-23 | 2018-11-27 | 南方电网科学研究院有限责任公司 | A kind of program code safety detection method, equipment and readable storage medium storing program for executing |
CN109542769A (en) * | 2018-10-25 | 2019-03-29 | 武汉精立电子技术有限公司 | A kind of automated testing method of continuous integrating |
CN109828780A (en) * | 2018-12-28 | 2019-05-31 | 北京奇安信科技有限公司 | A kind of recognition methods of open source software and device |
CN109857630A (en) * | 2017-11-30 | 2019-06-07 | 阿里巴巴集团控股有限公司 | Code detection method, system and equipment |
CN109977022A (en) * | 2019-04-03 | 2019-07-05 | 网易(杭州)网络有限公司 | Inspection method, device, system and the storage medium of game resource |
CN111104335A (en) * | 2019-12-25 | 2020-05-05 | 清华大学 | C language defect detection method and device based on multi-level analysis |
CN114816558A (en) * | 2022-03-07 | 2022-07-29 | 深圳开源互联网安全技术有限公司 | Script injection method and device and computer readable storage medium |
WO2022222499A1 (en) * | 2021-04-24 | 2022-10-27 | 华为云计算技术有限公司 | Code processing method, and system, cluster, medium and program product |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101017458A (en) * | 2007-03-02 | 2007-08-15 | 北京邮电大学 | Software safety code analyzer based on static analysis of source code and testing method therefor |
WO2014048194A1 (en) * | 2012-09-29 | 2014-04-03 | 中兴通讯股份有限公司 | Android malicious application program detection method, system and device |
CN103713998A (en) * | 2013-11-07 | 2014-04-09 | 北京安码科技有限公司 | Extensible online static code defect analytical method |
CN105068925A (en) * | 2015-07-29 | 2015-11-18 | 北京理工大学 | Software security flaw discovering system |
- 2016-08-24 CN CN201610720993.9A patent/CN106372511A/en active Pending
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108710564A (en) * | 2017-09-15 | 2018-10-26 | 苏州棱镜七彩信息科技有限公司 | Source code comprehensive evaluating platform based on big data |
CN109857630B (en) * | 2017-11-30 | 2022-08-02 | 阿里巴巴集团控股有限公司 | Code detection method, system and equipment |
CN109857630A (en) * | 2017-11-30 | 2019-06-07 | 阿里巴巴集团控股有限公司 | Code detection method, system and equipment |
CN107992724A (en) * | 2017-12-14 | 2018-05-04 | 四川大学 | A kind of software security reinforcement means |
CN108334335B (en) * | 2018-04-04 | 2021-06-08 | 北京顶象技术有限公司 | Method and device for determining software source code version |
CN108334335A (en) * | 2018-04-04 | 2018-07-27 | 北京顶象技术有限公司 | A kind of software source code version determines method and device |
CN108898018A (en) * | 2018-07-23 | 2018-11-27 | 南方电网科学研究院有限责任公司 | A kind of program code safety detection method, equipment and readable storage medium storing program for executing |
CN109542769A (en) * | 2018-10-25 | 2019-03-29 | 武汉精立电子技术有限公司 | A kind of automated testing method of continuous integrating |
CN109828780A (en) * | 2018-12-28 | 2019-05-31 | 北京奇安信科技有限公司 | A kind of recognition methods of open source software and device |
CN109828780B (en) * | 2018-12-28 | 2022-09-16 | 奇安信科技集团股份有限公司 | Open source software identification method and device |
CN109977022A (en) * | 2019-04-03 | 2019-07-05 | 网易(杭州)网络有限公司 | Inspection method, device, system and the storage medium of game resource |
CN111104335A (en) * | 2019-12-25 | 2020-05-05 | 清华大学 | C language defect detection method and device based on multi-level analysis |
CN111104335B (en) * | 2019-12-25 | 2021-08-24 | 清华大学 | C language defect detection method and device based on multi-level analysis |
WO2022222499A1 (en) * | 2021-04-24 | 2022-10-27 | 华为云计算技术有限公司 | Code processing method, and system, cluster, medium and program product |
CN114816558A (en) * | 2022-03-07 | 2022-07-29 | 深圳开源互联网安全技术有限公司 | Script injection method and device and computer readable storage medium |
CN114816558B (en) * | 2022-03-07 | 2023-06-30 | 深圳市九州安域科技有限公司 | Script injection method, equipment and computer readable storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106354632B (en) | A kind of source code detection system and method based on Static Analysis Technology | |
CN106372511A (en) | Source code detection system and method | |
Jackson | A direct path to dependable software | |
EP1019818B1 (en) | Automated validation and verification of computer software | |
CN106295343B (en) | A kind of source code distributed detection system and method based on serializing intermediate representation | |
Fraser et al. | Sound empirical evidence in software testing | |
CN105787367B (en) | A kind of the patch safety detecting method and system of software upgrading | |
CN102141956A (en) | Method and system for managing response of security flaw during development | |
CN104021084A (en) | Method and device for detecting defects of Java source codes | |
CN108804326B (en) | Automatic software code detection method | |
Hejderup et al. | Can we trust tests to automate dependency updates? a case study of java projects | |
Tang et al. | Chatgpt vs sbst: A comparative assessment of unit test suite generation | |
CN104156311B (en) | A kind of embedded type C language target code level unit test method based on CPU emulator | |
Barbosa et al. | Enforcing exception handling policies with a domain-specific language | |
CN103294596A (en) | Early warning method for contract-type software fault based on program invariants | |
Pernsteiner et al. | Investigating safety of a radiotherapy machine using system models with pluggable checkers | |
Thomas et al. | A study of interactive code annotation for access control vulnerabilities | |
CN115659335A (en) | Block chain intelligent contract vulnerability detection method and device based on mixed fuzzy test | |
Bahaei et al. | A case study for risk assessment in AR-equipped socio-technical systems | |
Koyya et al. | Feedback for Programming Assignments Using Software‐Metrics and Reference Code | |
CN104572470B (en) | A kind of integer overflow fault detection method based on transformation relation | |
Kundu et al. | A UML model-based approach to detect infeasible paths | |
Barnes | Experiences in the industrial use of formal methods | |
Gleirscher et al. | Qualification of proof assistants, checkers, and generators: Where are we and what next? | |
Rajaram et al. | Taxonomy‐based testing and validation of a new defect classification for health software |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20170201 |