CN111625272A - Automatic source code auditing and developing method - Google Patents
- Publication number
- CN111625272A (application CN202010514596.2A)
- Authority
- CN
- China
- Prior art keywords
- code
- local
- source code
- vulnerability
- audit
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G06F8/70: G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F8/00—Arrangements for software engineering > G06F8/70—Software maintenance or management
- G06F11/3604: G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F11/00—Error detection; Error correction; Monitoring > G06F11/36—Preventing errors by testing or debugging software > G06F11/3604—Software analysis for verifying properties of programs
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Quality & Reliability (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention discloses an automatic source code audit development method comprising the following steps: S1, acquiring network code error data; S2, analysing the error data and storing it in a database; S3, constructing a local code index; S4, comparing the network error data with the local code index; S5, starting a calculation engine to analyse the comparison result; S6, indicating a modification scheme for the local error code; and S7, setting vulnerability priority. The method continuously collects source-code-level problem code samples from all code hosting repositories reachable on the network, so that new vulnerability samples are known as soon as they appear, the local source code can be modified accordingly, and the vulnerability is prevented from occurring. It removes the need, present in traditional auditing tools, to redefine the rules every time a new vulnerability is published, and so reduces maintenance cost.
Description
Technical Field
The invention relates to the field of computers, in particular to a source code automatic auditing and developing method.
Background
Current source code vulnerability scanning and auditing technology relies on abstract syntax tree techniques and manually turns known erroneous code vulnerabilities into "rules"; each time a new source-code-level vulnerability is found, the rules must be redefined, the plug-ins must be rewritten, and a new version must be released.
In computer science, an abstract syntax tree (AST), or simply syntax tree, is an abstract representation of the syntactic structure of source code. It represents the syntactic structure of a programming language as a tree, each node of which stands for a construct in the source code. The syntax is "abstract" in that it does not represent every detail that appears in the concrete syntax. For example, grouping brackets are implicit in the structure of the tree and do not appear as nodes, whereas a conditional statement such as if-condition-then may be represented by a node with two branches.
This auditing technology forces users to update versions frequently, which is a considerable inconvenience; in the end developers miss source-code-level vulnerabilities, and the software they develop carries source-code-level security risks.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides an automatic source code audit development method based on the existing design pattern.
The invention is realized by the following technical scheme: an automatic source code audit development method comprising the following steps:
S1, acquiring network code error data;
S2, analysing the error data and storing it in a database;
S3, constructing a local code index;
S4, comparing the network error data with the local code index;
S5, starting a calculation engine to analyse the comparison result;
S6, indicating a modification scheme for the local error code;
S7, setting vulnerability priority.
Step S1 specifically comprises: obtaining the data of all public code repositories, including but not limited to GitHub and code cloud (Gitee).
Step S2 comprises the following sub-steps:
S201, classifying the error data information;
S202, storing the classified error data information in a database;
wherein step S201 further comprises the following sub-steps, executed in no particular order:
A. classifying by the language of the network problem code;
B. classifying by the problem level of the network problem code;
C. classifying by the solution of the network problem code.
Step S3 specifically comprises: generating an index library from the source code files in the local code repository, organized by syntax, paragraph and service level.
Step S4 comprises the following sub-steps:
S401, acquiring the network problem code from the database;
S402, parsing the network problem code into an abstract syntax tree;
S403, searching the local code index library with the abstract syntax tree to obtain the local code with high similarity to the network problem code.
Step S5 specifically comprises: taking the comparison result of S4, and computing and analysing the detection result so as to indicate the detailed address of the code vulnerability and the address of the network problem.
Step S6 specifically comprises: looking up, through the error sample, a solution for the computed detailed address of the code vulnerability, so that the developer can modify the local code.
Step S7 specifically comprises: setting the priority of the monitored code vulnerabilities; when a code vulnerability appears in the local code repository multiple times, its priority is raised, so that code vulnerabilities of lower priority can be ignored in the next detection pass and detection time is saved.
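The procedure of S3 through S7, which the detailed description and the example later on this page restate, as an added Python illustration that is not part of the patent: every function in the local repository is indexed by a fingerprint of its normalized abstract syntax tree, each problem-code sample is parsed and normalized the same way and looked up in the index, a hit yields the local address (file and line), the sample's network address and its recorded solution, and a sample's priority rises with each local occurrence so that a later pass can skip low-priority samples. Assumptions made here, none of them stated in the patent: indexing at function granularity, equality of normalized-AST hashes as the "high similarity" test, the `LEVEL_BASE` starting priorities, and the problem samples and local repository contents, which are constructed.

```python
import ast
import copy
import hashlib
from collections import defaultdict

# Constructed "network problem code" samples as they would sit in the S2 database,
# already classified by language, problem level and solution. Ids and origins are
# placeholders, not real repositories or commits.
PROBLEM_SAMPLES = [
    {"id": "sample-001", "origin": "example-host/repo-a/commit-1", "language": "python",
     "level": "high", "code": "def run(cmd):\n    os.system('ls ' + cmd)\n",
     "solution": "Call subprocess.run() with an argument list instead of building a shell string."},
    {"id": "sample-002", "origin": "example-host/repo-b/issue-7", "language": "python",
     "level": "medium", "code": "def load(data):\n    return yaml.load(data)\n",
     "solution": "Use yaml.safe_load()."},
]

# Constructed local repository as {path: source text}; two functions share the shape
# of sample-001 under different names and string literals.
LOCAL_REPO = {
    "app/handlers.py": "import os\ndef list_dir(user_arg):\n    os.system('cat ' + user_arg)\n"
                       "\ndef greet(name):\n    return 'hi ' + name\n",
    "app/tools.py": "import os\ndef cleanup(target):\n    os.system('du -s ' + target)\n",
}


class _Normalizer(ast.NodeTransformer):
    """Abstract away what differs between copies of one problem pattern (function and
    variable names, literal values); keep what characterises it (module-qualified call
    targets such as os.system and bare callees such as eval)."""
    def visit_FunctionDef(self, node):
        self.generic_visit(node)
        node.name = "_F"
        return node
    def visit_arg(self, node):
        return ast.arg(arg="_A", annotation=None, type_comment=None)
    def visit_Name(self, node):
        return ast.Name(id="_N", ctx=node.ctx)
    def visit_Constant(self, node):
        return ast.Constant(value=type(node.value).__name__, kind=None)
    def visit_Attribute(self, node):
        if isinstance(node.value, ast.Name):
            return node  # keep os.system / yaml.load unchanged
        self.generic_visit(node)
        return node
    def visit_Call(self, node):
        callee = node.func
        self.generic_visit(node)
        if isinstance(callee, ast.Name):
            node.func = callee  # restore a bare callee name such as eval or open
        return node


def fingerprint(func: ast.FunctionDef) -> str:
    """Similarity key of one function: hash of its normalized AST dump (assumed here
    to stand in for the patent's 'high similarity' test)."""
    norm = _Normalizer().visit(copy.deepcopy(func))
    return hashlib.sha256(ast.dump(norm).encode()).hexdigest()[:16]


def fingerprint_source(source: str) -> str:
    """Fingerprint of the first function defined in `source`."""
    func = next(n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef))
    return fingerprint(func)


def build_local_index(repo: dict) -> dict:
    """S3: index every local function as fingerprint -> [(path, line, name)]."""
    index = defaultdict(list)
    for path, source in repo.items():
        for node in ast.walk(ast.parse(source)):
            if isinstance(node, ast.FunctionDef):
                index[fingerprint(node)].append((path, node.lineno, node.name))
    return index


LEVEL_BASE = {"high": 2, "medium": 1, "low": 0}  # assumed starting priority per problem level


class Auditor:
    def __init__(self, samples, repo):
        self.samples = samples
        self.index = build_local_index(repo)
        # S7 state: a sample's priority grows each time it is found in the local repository.
        self.priority = {s["id"]: LEVEL_BASE.get(s["level"], 0) for s in samples}

    def run(self, min_priority=0):
        """S4 to S7: one detection pass; returns the findings and updates priorities."""
        findings = []
        for s in self.samples:
            if self.priority[s["id"]] < min_priority:
                continue  # S7: lower-priority samples are skipped to save detection time
            hits = self.index.get(fingerprint_source(s["code"]), [])  # S4: AST lookup in the index
            for path, line, name in hits:  # S5/S6: local address, network address, fix
                findings.append({"sample": s["id"], "local_address": f"{path}:{line} ({name})",
                                 "network_address": s["origin"], "solution": s["solution"]})
            self.priority[s["id"]] += len(hits)  # S7: repeated occurrences raise priority
        return findings


if __name__ == "__main__":
    auditor = Auditor(PROBLEM_SAMPLES, LOCAL_REPO)
    for finding in auditor.run():
        print(finding)
    print("priorities after this pass:", auditor.priority)
```

The normalizer decides what counts as "the same" problem: local names and literal values are erased, but the called API (`os.system`, `yaml.load`, a bare `eval`) is kept, so `json.load(x)` does not match a `yaml.load` sample. Exact-hash matching only finds functions with the same statement structure; a sample copied with an extra statement inserted would need subtree or token-level similarity instead, which is where the patent's "high similarity" threshold would come in.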
The beneficial effects of the invention are:
(1) the method continuously collects source-code-level problem code samples from all code hosting repositories reachable on the network, so that new vulnerability samples are known as soon as they appear, the local source code can be modified accordingly, and the vulnerability is prevented from occurring;
(2) the invention removes the need, present in traditional auditing tools, to redefine the rules every time a new vulnerability is published, and so reduces maintenance cost.
Drawings
FIG. 1 is a block diagram of the process flow of the present invention.
Detailed Description
In order to more clearly understand the technical features, objects and effects of the present invention, the embodiments of the present invention will be described with reference to the accompanying drawings, but the scope of the present invention is not limited to the following.
As shown in FIG. 1, the present invention provides an automatic source code audit development method comprising the following steps:
S1, acquiring network code error data;
S2, analysing the error data and storing it in a database;
S3, constructing a local code index;
S4, comparing the network error data with the local code index;
S5, starting a calculation engine to analyse the comparison result;
S6, indicating a modification scheme for the local error code;
S7, setting vulnerability priority.
Preferably, acquiring the network code error data in S1 requires comprehensively obtaining the data of all public code repositories, such as GitHub, code cloud (Gitee), etc.
Preferably, analysing the error data and storing it in the database in S2 mainly comprises the following steps:
S201, classifying by the language of the network problem code;
S202, classifying by the problem level of the network problem code;
S203, classifying by the solution of the network problem code.
Preferably, the classification in S201 mainly affects how the language is handled, since the source code auditing approach differs from language to language.
Preferably, the classification in S202 mainly affects the order of fixing, since problems are preferably fixed according to their problem level.
Preferably, the classification in S203 mainly affects whether the problem code has a known solution.
Constructing the local code index as described in S3 comprises: generating an index library from the source code files in the local code repository, organized by syntax, paragraph and service level.
Comparing the network error data with the local code index in S4 comprises the following main steps:
S401, generating the index library for the local code;
S402, obtaining the network problem code from the database;
S403, parsing the network problem code into an abstract syntax tree;
S404, searching the local code index library with the abstract syntax tree.
The calculation engine started in S5 analyses the comparison result: based on the comparison result of S4 it computes the detection result and indicates the detailed address of the code vulnerability and the address of the network problem.
The method of indicating a modification scheme for the local error code in S6 comprises: indicating the computed detailed address of the error code and finding a solution through the error sample, so that the developer can modify the local code.
The vulnerability priority of S7 comprises: when a vulnerability is actually detected and appears in the local code repository many times, the priority of that code vulnerability is raised, so that source code vulnerabilities of lower priority can be ignored in the next detection pass and detection time is saved.
Example:
The automatic source code audit development method comprises the following steps:
S1, comprehensively acquiring the data of all public code repositories, such as GitHub, code cloud (Gitee), etc.
S2, storing the results obtained in S1 in a local database, classified by language, problem level and solution.
S3, generating an index library from the source code files in the local code repository, organized by syntax, paragraph and service level.
S4, parsing the network problem code into an abstract syntax tree and searching the index library generated from the local code repository with it.
S5, using the calculation engine to compute the analysis result obtained in S4 and indicate the detailed address of the code vulnerability and the address of the network problem.
S6, indicating the computed detailed address of the error code and finding a solution through the error sample, so that the developer can modify the local code.
S7, when a vulnerability is actually detected and appears many times in the local code repository, raising the priority of that code vulnerability.
The foregoing is illustrative of the preferred embodiments of this invention, and it is to be understood that the invention is not limited to the precise form disclosed herein and that various other combinations, modifications, and environments may be resorted to, falling within the scope of the concept as disclosed herein, either as described above or as apparent to those skilled in the relevant art. And that modifications and variations may be effected by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (8)
1. An automatic source code audit development method, characterized by comprising the following steps:
S1, acquiring network code error data;
S2, analysing the error data and storing it in a database;
S3, constructing a local code index;
S4, comparing the network error data with the local code index;
S5, starting a calculation engine to analyse the comparison result;
S6, indicating a modification scheme for the local error code;
S7, setting vulnerability priority.
2. The automatic source code audit development method according to claim 1, wherein step S1 specifically comprises: obtaining the data of all public code repositories, including but not limited to GitHub and code cloud (Gitee).
3. The automatic source code audit development method according to claim 1, wherein step S2 comprises the sub-steps of:
S201, classifying the error data information;
S202, storing the classified error data information in a database;
wherein step S201 further comprises the following sub-steps, executed in no particular order:
classifying by the language of the network problem code;
classifying by the problem level of the network problem code;
classifying by the solution of the network problem code.
4. The automatic source code audit development method according to claim 1, wherein step S3 specifically comprises: generating an index library from the source code files in the local code repository, organized by syntax, paragraph and service level.
5. The automatic source code audit development method according to claim 1, wherein step S4 comprises the sub-steps of:
S401, acquiring the network problem code from the database;
S402, parsing the network problem code into an abstract syntax tree;
S403, searching the local code index library with the abstract syntax tree to obtain the local code with high similarity to the network problem code.
6. The automatic source code audit development method according to claim 1, wherein step S5 specifically comprises: taking the comparison result of S4, and computing and analysing the detection result so as to indicate the detailed address of the code vulnerability and the address of the network problem.
7. The automatic source code audit development method according to claim 1, wherein step S6 specifically comprises: looking up, through the error sample, a solution for the computed detailed address of the code vulnerability, so that the developer can modify the local code.
8. The automatic source code audit development method according to claim 1, wherein step S7 specifically comprises: setting the priority of the monitored code vulnerabilities; when a code vulnerability appears in the local code repository multiple times, its priority is raised, so that code vulnerabilities of lower priority can be ignored in the next detection pass and detection time is saved.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010514596.2A CN111625272A (en) | 2020-06-08 | 2020-06-08 | Automatic source code auditing and developing method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010514596.2A CN111625272A (en) | 2020-06-08 | 2020-06-08 | Automatic source code auditing and developing method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111625272A true CN111625272A (en) | 2020-09-04 |
Family
ID=72271349
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010514596.2A Pending CN111625272A (en) | 2020-06-08 | 2020-06-08 | Automatic source code auditing and developing method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111625272A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112100626A (en) * | 2020-09-24 | 2020-12-18 | 成都信息工程大学 | Development method for improving source code audit vulnerability hit rate |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140192675A1 (en) * | 2013-01-07 | 2014-07-10 | Verizon Patent And Licensing Inc. | Method and apparatus for internet protocol (ip) logical wire security |
CN104933368A (en) * | 2014-03-21 | 2015-09-23 | 腾讯科技(深圳)有限公司 | Network security vulnerability detection method and apparatus |
CN108763928A (en) * | 2018-05-03 | 2018-11-06 | 北京邮电大学 | A kind of open source software leak analysis method, apparatus and storage medium |
CN109697362A (en) * | 2018-12-13 | 2019-04-30 | 西安四叶草信息技术有限公司 | Network hole detection method and device |
CN110460571A (en) * | 2019-07-05 | 2019-11-15 | 深圳壹账通智能科技有限公司 | Operation system loophole processing method, device, computer equipment and storage medium |
CN111177731A (en) * | 2019-12-26 | 2020-05-19 | 江苏深度空间信息科技有限公司 | Software source code vulnerability detection method based on artificial neural network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20200904 |