CN111625272A - Automatic source code auditing and developing method - Google Patents

Automatic source code auditing and developing method

Info

Publication number
CN111625272A
Authority
CN
China
Prior art keywords
code
local
source code
vulnerability
audit
Prior art date
Legal status
Pending
Application number
CN202010514596.2A
Other languages
Chinese (zh)
Inventor
曹亮
刘魁
吴腾达
肖辉
Current Assignee
Chengdu University of Information Technology
Original Assignee
Chengdu University of Information Technology
Priority date
2020-06-08
Filing date
2020-06-08
Publication date
2020-09-04
Application filed by Chengdu University of Information Technology

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/70 Software maintenance or management
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3604 Software analysis for verifying properties of programs

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method for automated source-code auditing during development, comprising the following steps: S1, collecting error-code data from the network; S2, analysing the error data and storing it in a database; S3, constructing a local code index; S4, comparing the network error data with the local code index; S5, starting a computation engine to analyse the comparison result; S6, indicating a modification scheme for the local error code; and S7, setting vulnerability priority. Because problem-code samples at source-code level are continuously collected from all code-hosting repositories on the network, vulnerability samples become known as soon as they appear, the local source code can be modified accordingly, and the vulnerability is prevented from occurring. The method removes the need, in traditional auditing tools, to redefine the rules every time a new vulnerability is added, and so reduces maintenance cost.

Description

Automatic source code auditing and developing method
Technical Field
The invention relates to the field of computers, and in particular to a method for automated source-code auditing during development.
Background
At present, source-code vulnerability scanning and auditing technology relies on abstract-syntax-tree analysis: known error-code vulnerabilities are manually written up as "rules", and every time a new source-code-level vulnerability is found the rules and plug-ins must be redefined and a new version released.
In computer science, an abstract syntax tree (AST), or simply syntax tree, is an abstract representation of the syntactic structure of source code. It represents the syntax of the programming language as a tree in which each node stands for a construct in the source code. The syntax is "abstract" in that it does not record every detail of the concrete syntax: for example, grouping brackets are implicit in the structure of the tree and do not appear as nodes, whereas a conditional statement such as if-condition-then can be represented by a node with two branches.
Such auditing technology forces users to update versions frequently, which is inconvenient; in the end developers overlook source-code-level vulnerabilities, and the developed software carries source-code-level security risks.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a method for automated source-code auditing during development, built on existing design patterns.
The aim of the invention is achieved by the following technical scheme. A method for automated source-code auditing during development comprises the following steps:
S1, collecting error-code data from the network;
S2, analysing the error data and storing it in a database;
S3, constructing a local code index;
S4, comparing the network error data with the local code index;
S5, starting a computation engine to analyse the comparison result;
S6, indicating a modification scheme for the local error code;
and S7, setting vulnerability priority.
Step S1 specifically comprises: collecting data from all public code repositories, including but not limited to GitHub and Gitee (码云, "code cloud").
Step S2 comprises the following sub-steps:
S201, classifying the error data;
S202, storing the classified error data in the database;
wherein step S201 further comprises the following sub-steps, executed in no particular order:
A. classifying by the language of the network problem code;
B. classifying by the problem level of the network problem code;
C. classifying by the solution of the network problem code.
Step S3 specifically comprises: generating an index library from the source-code files in the local code repository according to syntax, paragraph and service level.
Step S4 comprises the following sub-steps:
S401, retrieving the network problem code from the database;
S402, parsing the network problem code into an abstract syntax tree;
and S403, searching the local code index library with the abstract syntax tree to find local code with high similarity to the network problem code.
Step S5 specifically comprises: taking the comparison result of S4 and computing and analysing the detection result, so as to indicate the detailed address of the code vulnerability and the address of the network problem.
Step S6 specifically comprises: looking up, in the error sample, a solution for the computed code-vulnerability address, so that the developer can modify the local code.
Step S7 specifically comprises: setting the priority of the monitored code vulnerabilities; when a code vulnerability appears multiple times in the local code repository its priority is raised, so that lower-priority code vulnerabilities can be ignored in the next detection and detection time is saved.
The beneficial effects of the invention are:
(1) problem-code samples at source-code level are continuously collected from all code-hosting repositories on the network, so that vulnerability samples become known as soon as they appear, the local source code can be modified, and the vulnerability is prevented from occurring;
(2) the invention removes the need, in traditional auditing tools, to redefine the rules every time a new vulnerability is added, and so reduces maintenance cost.
Drawings
FIG. 1 is a block diagram of the process flow of the present invention.
Detailed Description
In order to more clearly understand the technical features, objects and effects of the present invention, the embodiments of the present invention will be described with reference to the accompanying drawings, but the scope of the present invention is not limited to the following.
As shown in Fig. 1, the invention provides a method for automated source-code auditing during development, comprising the following steps:
S1, collecting error-code data from the network;
S2, analysing the error data and storing it in a database;
S3, constructing a local code index;
S4, comparing the network error data with the local code index;
S5, starting a computation engine to analyse the comparison result;
S6, indicating a modification scheme for the local error code;
and S7, setting vulnerability priority.
Preferably, collecting the network error-code data in S1 requires that the data of all public code repositories be collected comprehensively, for example GitHub and Gitee (码云, "code cloud").
Preferably, analysing the error data and storing it in a database in S2 mainly comprises the following steps:
S201, classifying by the language of the network problem code;
S202, classifying by the problem level of the network problem code;
S203, classifying by the solution of the network problem code.
Preferably, the classification in S201 mainly determines how the code is handled, since the language processing and the source-code auditing approach differ from language to language.
Preferably, the classification in S202 mainly determines the order of remediation, since problems are preferably fixed according to their level.
Preferably, the classification in S203 mainly records whether the problem code has a solution.
Constructing the local code index in S3 comprises: generating an index library from the source-code files in the local code repository according to syntax, paragraph and service level.
Comparing the network error data with the local code index in S4 comprises the following main steps:
S401, generating the index library for the local code;
S402, retrieving the network problem code from the database;
S403, parsing the network problem code into an abstract syntax tree;
S404, searching the local code index library with the abstract syntax tree.
In S5 the computation engine is started to analyse the comparison result: it computes the detection result from the comparison result of S4 and indicates the detailed address of the code vulnerability and the address of the network problem.
Indicating the modification scheme for the local error code in S6 comprises: indicating the computed detailed address of the error code and finding a solution in the error sample, so that the developer can modify the local code.
Setting the vulnerability priority in S7 comprises: when a vulnerability is confirmed and appears multiple times in the local code repository, raising the priority of that code vulnerability, so that source-code vulnerabilities of lower priority can be ignored in the next detection and detection time is saved.
Example:
The method for automated source-code auditing during development comprises the following steps:
S1, comprehensively collecting the data of all public code repositories, for example GitHub and Gitee (码云, "code cloud").
S2, storing the results obtained in S1 in a local database, classified by language, problem level and solution.
S3, generating an index library from the source-code files in the local code repository according to syntax, paragraph and service level.
S4, parsing the network problem code into an abstract syntax tree and searching the index library generated from the local code repository.
S5, using the computation engine to process the analysis result obtained in S4 and indicate the detailed address of the code vulnerability and the address of the network problem.
S6, indicating the computed detailed address of the error code and finding a solution in the error sample, so that the developer can modify the local code.
S7, when a vulnerability is confirmed and appears many times in the local code repository, raising the priority of that code vulnerability.
The foregoing is illustrative of the preferred embodiments of this invention; it is to be understood that the invention is not limited to the precise form disclosed herein, and that various other combinations, modifications and environments may be resorted to within the scope of the concept disclosed herein, whether as described above or as apparent to those skilled in the relevant art. Modifications and variations may be effected by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (8)

1. A method for automated source-code auditing during development, characterised by comprising the following steps:
S1, collecting error-code data from the network;
S2, analysing the error data and storing it in a database;
S3, constructing a local code index;
S4, comparing the network error data with the local code index;
S5, starting a computation engine to analyse the comparison result;
S6, indicating a modification scheme for the local error code;
and S7, setting vulnerability priority.
2. The method for automated source-code auditing during development according to claim 1, wherein step S1 specifically comprises: collecting data from all public code repositories, including but not limited to GitHub and Gitee (码云, "code cloud").
3. The method for automated source-code auditing during development according to claim 1, wherein step S2 comprises the sub-steps of:
S201, classifying the error data;
S202, storing the classified error data in the database;
wherein step S201 further comprises the following sub-steps, executed in no particular order:
classifying by the language of the network problem code;
classifying by the problem level of the network problem code;
classifying by the solution of the network problem code.
4. The method for automated source-code auditing during development according to claim 1, wherein step S3 specifically comprises: generating an index library from the source-code files in the local code repository according to syntax, paragraph and service level.
5. The method for automated source-code auditing during development according to claim 1, wherein step S4 comprises the sub-steps of:
S401, retrieving the network problem code from the database;
S402, parsing the network problem code into an abstract syntax tree;
and S403, searching the local code index library with the abstract syntax tree to find local code with high similarity to the network problem code.
6. The method for automated source-code auditing during development according to claim 1, wherein step S5 specifically comprises: taking the comparison result of S4 and computing and analysing the detection result, so as to indicate the detailed address of the code vulnerability and the address of the network problem.
7. The method for automated source-code auditing during development according to claim 1, wherein step S6 specifically comprises: looking up, in the error sample, a solution for the computed code-vulnerability address, so that the developer can modify the local code.
8. The method for automated source-code auditing during development according to claim 1, wherein step S7 specifically comprises: setting the priority of the monitored code vulnerabilities; when a code vulnerability appears multiple times in the local code repository its priority is raised, so that lower-priority code vulnerabilities can be ignored in the next detection and detection time is saved.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010514596.2A CN111625272A (en) 2020-06-08 2020-06-08 Automatic source code auditing and developing method


Publications (1)

Publication Number Publication Date
CN111625272A true CN111625272A (en) 2020-09-04

Family

ID=72271349


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112100626A (en) * 2020-09-24 2020-12-18 成都信息工程大学 Development method for improving source code audit vulnerability hit rate

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140192675A1 (en) * 2013-01-07 2014-07-10 Verizon Patent And Licensing Inc. Method and apparatus for internet protocol (ip) logical wire security
CN104933368A (en) * 2014-03-21 2015-09-23 腾讯科技(深圳)有限公司 Network security vulnerability detection method and apparatus
CN108763928A (en) * 2018-05-03 2018-11-06 北京邮电大学 A kind of open source software leak analysis method, apparatus and storage medium
CN109697362A (en) * 2018-12-13 2019-04-30 西安四叶草信息技术有限公司 Network hole detection method and device
CN110460571A (en) * 2019-07-05 2019-11-15 深圳壹账通智能科技有限公司 Operation system loophole processing method, device, computer equipment and storage medium
CN111177731A (en) * 2019-12-26 2020-05-19 江苏深度空间信息科技有限公司 Software source code vulnerability detection method based on artificial neural network




Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 2020-09-04)