CN111666203B - Positioning processing method and device of risk software, electronic equipment and storage medium - Google Patents
- Publication number: CN111666203B (application number CN202010305185.2A)
- Authority: CN (China)
- Prior art keywords
- software
- risk
- information
- identification information
- risk software
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F11/00—Error detection; Error correction; Monitoring
        - G06F11/36—Preventing errors by testing or debugging software
          - G06F11/3604—Software analysis for verifying properties of programs
      - G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
        - G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
          - G06F16/23—Updating
Abstract
The application discloses a positioning processing method and device for risk software, an electronic device and a storage medium, and relates to the field of software security. The specific implementation scheme is as follows: acquiring identification information of risk software; detecting whether the identification information of the risk software exists in a pre-established software information database; and, if it exists, acquiring from the software information database the position information, in the code base, of the risk software corresponding to that identification information. Compared with the manual positioning of risk software in the prior art, the technical scheme of the application positions the risk software rapidly and accurately, effectively shortens the positioning time and improves the positioning efficiency, allows the responsible personnel of the code base to handle the risk software accurately and in time, stops damage in time, effectively reduces the risk of the software in an enterprise's code base, and improves the security of the software in the enterprise's code base.
Description
Technical Field
The present application relates to computer technologies, in particular to the field of software security, and more particularly to a positioning processing method and device for risk software, an electronic device, and a storage medium.
Background
With the development of computer technology, software development in various industries based on computer technology has been increasing.
Many enterprises now reference open source community software in their software development. Software from the open source community also often carries the risk of having vulnerabilities or of being attacked, which tends to present a significant hazard to the enterprises that employ it.
Moreover, enterprises often have millions or even billions of lines of code, and when adopted open source software is found to be at risk, responsible personnel are required to manually search the code library for the position of the risk software in order to locate it so that it can be processed in time. However, this prior-art approach is very time consuming for locating the risk software in the code library and is very inefficient.
Disclosure of Invention
In order to solve the technical problems, the application provides a positioning processing method and device for risk software, electronic equipment and a storage medium.
According to a first aspect, there is provided a method for positioning risk software, including:
acquiring identification information of risk software;
detecting whether risk software corresponding to the identification information of the risk software exists in a pre-established software information database;
and if the risk software exists, acquiring the position information of the risk software in the code base, corresponding to the identification information of the risk software, from the software information database.
According to a second aspect, there is provided a positioning processing device of risk software, comprising:
the acquisition module is used for acquiring identification information of the risk software;
the detection module is used for detecting whether risk software corresponding to the identification information of the risk software exists in a pre-established software information database;
and the positioning module is used for acquiring the position information of the risk software corresponding to the identification information of the risk software in the code base from the software information database if the risk software exists.
According to a third aspect, there is provided an electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method as described above.
According to a fourth aspect, there is provided a non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the method as described above.
According to a fifth aspect, there is provided a computer program product comprising a computer program which, when executed by a processor, implements a method as described above.
According to the technology disclosed by the application, the position information of the risk software can be rapidly and accurately positioned, the positioning time of the risk software can be effectively shortened, the positioning efficiency of the risk software can be effectively improved, further, responsibility personnel of a code library can conveniently and accurately process the risk software in time, damage is timely stopped, the risk of the software in the code library of an enterprise can be effectively reduced, and the safety of the software of the code library of the enterprise is improved.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the disclosure, nor is it intended to be used to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following specification.
Drawings
The drawings are included to provide a better understanding of the present application and are not to be construed as limiting the application. Wherein:
FIG. 1 is a schematic diagram of a first embodiment according to the present application;
FIG. 2 is a schematic diagram of a second embodiment according to the present application;
FIG. 3 is a schematic diagram of a third embodiment according to the present application;
FIG. 4 is a schematic diagram of a fourth embodiment according to the present application;
FIG. 5 is a block diagram of an electronic device for implementing a positioning processing method for risk software according to an embodiment of the present application.
Detailed Description
Exemplary embodiments of the present application will now be described with reference to the accompanying drawings, in which various details of the embodiments of the present application are included to facilitate understanding, and are to be considered merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the application. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
FIG. 1 is a schematic diagram of a first embodiment according to the present application; as shown in fig. 1, the present embodiment provides a method for positioning risk software, which specifically includes the following steps:
S101, acquiring identification information of risk software;
S102, detecting whether the identification information of the risk software exists in a pre-established software information database; if so, executing step S103; otherwise, no processing is performed and the process ends.
S103, acquiring from the software information database the position information, in the code base, of the risk software corresponding to the identification information of the risk software.
The execution main body of the risk software positioning processing method of the embodiment may be a risk software positioning processing device, where the risk software positioning processing device may be an independent electronic entity, or may also be an application that adopts software integration, and may be capable of positioning risk software in a code library of an enterprise based on a pre-established software information database, so as to perform processing such as upgrading, bug repair or deleting on risk software in the code library of the enterprise in time, so as to ensure security of software in the code library of the enterprise.
The positioning processing device of the risk software in this embodiment may be disposed on a management system side of an enterprise, and correspondingly, the positioning processing device of the risk software may be disposed in each enterprise, so as to access a software information database of the enterprise, and when the risk software exists in a code base of the enterprise, the positioning of the risk software is performed timely and accurately.
In practical application, an open source code company can monitor its own software in real time, and when that software has vulnerabilities or risks such as frequent attacks, the company's software release platform can publish the names and version numbers of the software at risk and release corresponding upgraded versions to overcome the risk. Alternatively, some non-profit software organizations can monitor all open source software in the industry in real time; when they detect that a certain piece of software has vulnerabilities or is at risk of being frequently attacked, they can publish the name and version number of the risky software together with information such as the company, and can further provide solutions, such as the company's address from which the latest version of the software can be obtained for upgrading to overcome the risk. That is, in the present embodiment, the name and version number of the software together uniquely identify one piece of software.
The positioning processing device of the risk software can monitor the risk software information published by the software release platform of each open source code company or by the non-profit software organizations, and collect the name and version number of the risk software. This embodiment takes the case in which the identification information of the risk software includes its name and version number as an example; in practical application, other identification information, such as a unique ID generated from the name and version number of the risk software, may be used to identify the risk software, which is not described in detail here. It is then detected whether the pre-established software information database includes the name and version number of the risk software; if so, it is determined that the risk software corresponding to that name and version number exists in the code base of the corresponding enterprise, and the position information of the risk software in the code base is acquired from the software information database. That is, the software information database pre-established in this embodiment may record information on all the software of the enterprise, and the information for each piece of software includes at least its name, version number, and position information in the code library. For example, the position information of the software in the code base in this embodiment may be the start line of the software in the code base, or the range of lines of the code base it occupies.
According to the positioning processing method for risk software of this embodiment, identification information of the risk software is collected; it is detected whether that identification information exists in a pre-established software information database; and, if it exists, the position information, in the code base, of the risk software corresponding to that identification information is acquired from the software information database. Compared with the manual positioning of risk software in the prior art, the technical scheme of this embodiment positions the risk software rapidly and accurately, effectively shortens the positioning time and improves the positioning efficiency, allows the responsible personnel of the code base to handle the risk software accurately and in time, stops damage in time, effectively reduces the risk of the software in an enterprise's code base, and improves the security of the software in the enterprise's code base.
FIG. 2 is a schematic diagram of a second embodiment according to the present application; the method for positioning risk software according to the present embodiment further describes the technical solution of the present application in more detail on the basis of the technical solution of the embodiment shown in fig. 1. As shown in fig. 2, the method for positioning risk software of the present embodiment may specifically include the following steps:
S201, based on a software dependency management tool, acquiring identification information and position information of all software in a code library;
S202, establishing a software information database comprising the identification information and position information of all software in the code base;
S203, configuring the contact information of the responsible person for each piece of software in the software information database;
Similarly, the identification information of the software in the present embodiment may include the name and version number of the software. Steps S201 and S202 of this embodiment are an implementation of establishing the software information database according to the embodiment of the present application. The process of establishing the software information database can be performed offline and can be completed before the risk software is positioned. Step S203 is an optional part of establishing the software information database; in practical application, the software information database may omit the contact information of the responsible person. The contact information of this embodiment may include at least one of a phone number, an instant messaging account, a mailbox, and the like.
In practical application, each programming language has established software dependency management tools, such as Ant, Maven or Gradle for Java and GCC, Makefile or CMake for C++; other programming languages also have corresponding software dependency management tools, which are not described in detail here. The use of software in the enterprise's code library is recorded in the description file of the dependency management tool. The description file is a fixed file that records which software is used in the code base, such as Maven's description file pom.xml, in which the software used is written in a fixed format. For example, the software fastjson, if used, will be written explicitly in the pom.xml in the following format:
    <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>fastjson</artifactId>
        <version>1.2.51</version>
    </dependency>
Step S201, acquiring the identification information and position information of all software in the code library based on the software dependency management tool, may be carried out in either of the following two ways:
The first way is: the identification information and position information of all software in the code base are obtained from the description file of the dependency management tool. Again, this embodiment takes the name and version number of the software as the example of identification information. In particular implementations, a tool may be written that scans the description file of the software dependency management tool, such as Maven's pom.xml, for the name of the software used, its version number, the position information of the particular use, and so on. The implementation of this scanning tool differs per language because the description file of each programming language's software dependency management tool is different. Taking Java's Maven as an example, the tool may find all code libraries containing a pom.xml among all code libraries of a company, and scan every pom.xml file to obtain the names and version numbers of the software recorded in it.
However, in practical applications, the version number of some software may not be explicitly recorded in the pom.xml. In that case, the version number of the software needs to be acquired by scanning other files of the software dependency management tool.
The second way is: the identification information and position information of all software in the code library are obtained from the software dependency management tool by using commands provided by the dependency management tool. In practical application, each software dependency management tool can provide a command query service; for example, the Java software management tool Maven provides an mvn dependencies command with which the names, version numbers, position information and so on of the software used by the current code library can be found. In this way, all code libraries of the same enterprise are analyzed in turn, and the names, version numbers, position information and so on of all software in all code libraries of the enterprise can be obtained. Optionally, if the enterprise has a plurality of code libraries, the identity of the code library in which each piece of software is located may also be obtained.
Compared with the first implementation, obtaining the identification information and position information of all software in the code library through the commands provided by the dependency management tool is more comprehensive and accurate, avoids having to extract the information from the file, and is simpler to implement.
The software information database of the present embodiment may be implemented with a database such as MySQL or Elasticsearch.
It should be noted that, in this embodiment, after the software information database is established based on steps S201 to S203, the software information database may further be updated based on the software dependency management tool. Since new software code may be written into the enterprise's code library every day, the software information database can be updated every time new software code is written. Specifically, whether new software code has been written into the code library can be determined through the software dependency management tool, and once new software code is written, the software information database can be updated in time with the name, version number and position information of the newly written software, and optionally with the identity of the code library and the contact information of the responsible person.
In addition, alternatively, the software information database may be updated periodically in this embodiment, i.e. it is not updated in real time for newly written software code in the code library. The method is to detect, at a fixed time every day, whether newly written software code exists in the code base based on the software dependency management tool; the specific detection is the same as when the software information database was built in this embodiment, and the name, version number and position information of the newly written software, optionally together with the identity of the code library and the contact information of the responsible person, are used to update the software information database in time.
S204, acquiring identification information of risk software;
From this step on, the online positioning of the risk software starts.
S205, detecting whether the identification information of the risk software exists in the software information database; if so, executing step S206; otherwise, no processing is performed and the process ends.
S206, acquiring from the software information database the position information, in the code base, of the risk software corresponding to the identification information of the risk software;
S207, performing a risk alarm based on the identification information and position information of the risk software;
for example, this step may be implemented in at least one of the following ways:
(1) Based on the identification information and the position information of the risk software, sending out a voice alarm;
In this mode a voice alarm is used; for example, the voice alarm can be sent out directly through a microphone, and the voice alarm information must also carry the identification information of the risk software, such as its name and version number, and its position information.
(2) Based on the identification information and the position information of the risk software, popping up an alarm prompt on the current interface; and
This mode alarms by display; for example, an alarm message carrying the identification information and position information of the risk software can be popped up on the current interface of the positioning processing device of the risk software.
(3) Acquiring the contact information of the responsible person corresponding to the identification information of the risk software from the software information database; and sending an alarm prompt based on the identification information and position information of the risk software and the contact information of the responsible person, so as to notify the responsible person to process the risk software.
This mode alarms by notifying the responsible person; for example, the responsible person can be notified of the risk software by mail, by a security work order, or by an alarm prompt carrying the identification information and position information of the risk software sent over instant messaging, so that the responsible person processes the risk software immediately. In particular, to avoid further harm from the risk software, the risk software may be deleted or upgraded to repair the vulnerability.
S208, acquiring processing information of risk software;
s209, updating a software information database according to the processing information of the risk software.
In this embodiment, the processing information of the risk software may include deleting the risk software in the code library, or acquiring an upgrade version from a release platform of the risk software, and upgrading the risk software to make it secure.
Specifically, the positioning processing device of the risk software of this embodiment may detect the processing information of the risk software based on the software dependency management tool, by checking the description file of the software dependency management tool for the name of the risk software. If the name is present, it further checks whether the version number of the risk software in the description file is consistent with the version number in the software information database; if it is consistent, the software is still regarded as risk software, and an alarm can be sent again. If it is inconsistent, the risk software is determined to have been updated; the position information of the updated software is then acquired, and the version number and position information of the software with that name in the software information database are updated according to the version number and position information of the updated software, thereby updating the software information database. If the name of the risk software is absent from the description file of the software dependency management tool, the risk software is considered to have been deleted, and all information of the software with that name is correspondingly deleted from the software information database, thereby updating the software information database.
Or alternatively, the processing information of the risk software in the code library may also be detected by using commands provided by the software dependency management tool. After the risk software is updated or deleted, the software information database is updated in time, and the implementation process is similar to the above process and will not be repeated here.
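As an added example that is not the patent's own code, the following Python sketch implements the description-file scan of step S201, the database of S202, the risk lookup of S204 to S206 and the post-processing update of S208 and S209 for Maven pom.xml files; the two sample pom files, the code library names repo-a and repo-b, the upgrade version 1.2.99 and the owner contact field are constructed assumptions.

```python
"""Added example, not the patent's own code: the software information database
of S201-S203 built from Maven pom.xml description files, the risk lookup of
S204-S206 and the reconciliation after processing of S208-S209."""
import re
from dataclasses import dataclass
from typing import List, Optional

TAG = re.compile(r"<(groupId|artifactId|version)>\s*([^<]+?)\s*</\1>")

@dataclass
class SoftwareRecord:
    name: str               # "groupId:artifactId", the page's software name
    version: Optional[str]  # None when the pom does not state it explicitly
    repo: str               # identity of the code library
    start_line: int         # line of <dependency>: the position information
    end_line: int           # line of </dependency>
    owner: Optional[str] = None  # contact of the responsible person (S203)

def scan_pom(repo: str, text: str) -> List[SoftwareRecord]:
    """First way of S201: one record per <dependency> block with its line
    range. A dependency with no explicit <version> (e.g. inherited from a
    parent pom) is kept with version None rather than guessed."""
    records: List[SoftwareRecord] = []
    cur: Optional[dict] = None
    for no, line in enumerate(text.splitlines(), start=1):
        if "<dependency>" in line:
            cur = {"start": no}
        elif cur is not None:          # tags outside a block are ignored
            if m := TAG.search(line):
                cur[m.group(1)] = m.group(2)
            if "</dependency>" in line:
                records.append(SoftwareRecord(
                    f"{cur.get('groupId')}:{cur.get('artifactId')}",
                    cur.get("version"), repo, cur["start"], no))
                cur = None
    return records

def build_database(records: List[SoftwareRecord]) -> dict:
    """S202: index by (name, version); one software may be used in several
    code libraries, so each key maps to a list of positions."""
    db: dict = {}
    for rec in records:
        db.setdefault((rec.name, rec.version), []).append(rec)
    return db

def locate_risk_software(db: dict, name: str, version: str) -> List[SoftwareRecord]:
    """S204-S206: positions of a published risk identifier, [] if unused."""
    return list(db.get((name, version), []))

def reconcile(db: dict, name: str, version: str, repo: str,
              rescan: List[SoftwareRecord]) -> str:
    """S208-S209: re-scan the affected code library after the responsible
    person has acted. Same version still declared -> 'still_at_risk' (alarm
    again); other version -> 'upgraded' (store new version and position);
    name gone -> 'deleted' (drop the entry)."""
    key = (name, version)
    owner = next((r.owner for r in db.get(key, []) if r.repo == repo), None)
    others = [r for r in db.get(key, []) if r.repo != repo]  # other libraries
    present = [r for r in rescan if r.name == name]
    for r in present:
        r.owner = owner                 # keep the configured contact
    same = [r for r in present if r.version == version]
    if same:
        db[key] = others + same         # refresh positions, still at risk
        return "still_at_risk"
    if others:
        db[key] = others
    else:
        db.pop(key, None)
    if not present:
        return "deleted"
    for r in present:
        db.setdefault((r.name, r.version), []).append(r)
    return "upgraded"

# Constructed description files of two code libraries, repo-a and repo-b.
POM_A = """<project>
  <dependencies>
    <dependency>
      <groupId>com.alibaba</groupId>
      <artifactId>fastjson</artifactId>
      <version>1.2.51</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>util</artifactId>
    </dependency>
  </dependencies>
</project>
"""
POM_B = """<project>
  <artifactId>service-b</artifactId>
  <dependencies>
    <dependency>
      <groupId>com.alibaba</groupId>
      <artifactId>fastjson</artifactId>
      <version>1.2.51</version>
    </dependency>
  </dependencies>
</project>
"""
POM_B_UPGRADED = POM_B.replace("1.2.51", "1.2.99")  # constructed upgrade
```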
The positioning processing method for risk software of this embodiment can be applied to any enterprise or code hosting platform, for example to GitHub.
According to the positioning processing method for risk software of this embodiment, a software information database comprising the identification information and position information of all software in the code library is established in the manner described above. Whether that information is obtained from the description file of the dependency management tool or from the software dependency management tool through the commands it provides, the accuracy of the obtained identification information and position information of the software, and hence the accuracy of the software information database, can be effectively ensured, so that the accuracy of the subsequent positioning of risk software based on the software information database can be effectively improved.
Further, in this embodiment, the software information database may be updated based on the software dependency management tool, so that when the software in the code library is updated, the information in the software information database may be updated in time, so that the accuracy of the software information database may be effectively ensured, and further the accuracy of subsequent positioning of risk software based on the software information database may be effectively improved.
Further, in this embodiment, risk alarm may be performed based on identification information and location information of risk software, for example, at least one mode of voice alarm, pop-up interface alarm and notification of responsible people may be specifically adopted, so that the risk software in the code library may be handled in time, harm of the risk software is effectively reduced, and security of software in the code library is improved.
Further, in this embodiment, the software information database may be updated according to the processing information of the risk software, so that the accuracy of the software information database may be effectively ensured, and further the accuracy of subsequent positioning of the risk software based on the software information database may be effectively improved.
FIG. 3 is a schematic diagram of a third embodiment according to the present application; as shown in fig. 3, the present embodiment provides a positioning processing device 300 for risk software, including:
the collection module 301 is configured to collect identification information of risk software;
the detection module 302 is configured to detect whether risk software corresponding to identification information of risk software exists in a pre-established software information database;
and the positioning module 303 is configured to obtain, if the risk software exists, location information of the risk software in the code base, where the location information corresponds to the identification information of the risk software, from the software information database.
The positioning processing device 300 for risk software of the present embodiment uses the above modules to implement positioning processing for risk software; its implementation principle and technical effect are the same as those of the related method embodiments above, to whose description reference may be made for details, which are not repeated here.
FIG. 4 is a schematic diagram of a fourth embodiment according to the present application; as shown in fig. 4, the positioning processing device 300 for risk software of the present embodiment further describes the technical solution of the present application in more detail on the basis of the technical solution of the embodiment shown in fig. 3.
As shown in fig. 4, the positioning processing device 300 of risk software of the present embodiment further includes:
the establishing module 304 is configured to establish a software information database.
Further optionally, the establishing module 304 is configured to:
based on a software dependency management tool, acquiring identification information and position information of all software in a code base;
a software information database is established that includes identification information and location information for all software in the code library.
Further optionally, the establishing module 304 is configured to:
acquiring identification information and position information of all software in the code base from a description file of the software dependency management tool; or
acquiring identification information and location information of all software in the code library from the software dependency management tool by using commands provided by the software dependency management tool.
Further optionally, the establishing module 304 is configured to:
configuring contact modes of responsible persons of each piece of software in the software information database.
As a further alternative, as shown in fig. 4, the positioning processing device 300 of risk software of the present embodiment further includes:
an updating module 305 for updating the software information database based on the software dependency management tool.
As a further alternative, as shown in fig. 4, the positioning processing device 300 of risk software of the present embodiment further includes:
the alarm module 306 is used for performing risk alarm based on the identification information and the position information of the risk software.
Further optionally, the collection module 301 is further configured to obtain processing information of risk software;
the updating module 305 is further configured to update the software information database according to the processing information of the risk software.
Further optionally, the alarm module 306 is configured to:
based on the identification information and the position information of the risk software, sending out a voice alarm;
based on the identification information and the position information of the risk software, popping up an alarm prompt on the current interface; and/or
acquiring the contact information of the responsible person corresponding to the identification information of the risk software from the software information database, and sending an alarm prompt based on the identification information and the position information of the risk software and the contact mode of the responsible person, so as to inform the responsible person to process the risk software.
The positioning processing device 300 for risk software of the present embodiment implements the positioning processing for risk software by using the above modules. Its implementation principle and technical effect are the same as those of the related method embodiments above; reference may be made to the description of those embodiments for details, which are not repeated herein.
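The modules described above (establishing 304, collection 301, detection 302, positioning 303, alarm 306 and updating 305) as a small worked example. This is added illustration code, not the patent's own implementation; it assumes the dependency management tool is Maven and its description file is pom.xml (the patent names no specific tool), and the pom.xml fragment, advisory and contact entries are constructed.

```python
"""Software information database for locating risk software in a code base.

Added example (not from the patent). Assumption: the dependency description
file is a Maven pom.xml; the sample file, contacts and advisory are constructed.
"""
import re
from dataclasses import dataclass

# Constructed pom.xml standing in for the code base's dependency description file.
SAMPLE_POM = """<project>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>json-lib</artifactId>
      <version>2.3.1</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>http-core</artifactId>
      <version>4.4.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed contact modes of responsible persons, keyed by software name.
CONTACTS = {"org.example:json-lib": "sec-owner@example.invalid"}

_TAG = re.compile(r"<(groupId|artifactId|version)>\s*([^<]+?)\s*</\1>")


@dataclass
class SoftwareRecord:
    name: str           # identification information: groupId:artifactId
    version: str        # identification information: version number
    path: str           # position information: description file in the code base
    start_line: int     # position information: line of the opening <dependency>
    end_line: int       # position information: line of the closing </dependency>
    owner_contact: str  # configured contact mode of the responsible person


def build_database(path, pom_text, contacts):
    """Establishing module: scan the description file line by line so every
    dependency is stored with its identification and its code-line range."""
    db = {}
    start, fields = None, {}
    for lineno, line in enumerate(pom_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped == "<dependency>":
            start, fields = lineno, {}
        elif stripped == "</dependency>" and start is not None:
            name = f"{fields.get('groupId', '')}:{fields.get('artifactId', '')}"
            version = fields.get("version", "")
            db[(name, version)] = SoftwareRecord(
                name, version, path, start, lineno, contacts.get(name, ""))
            start = None
        elif start is not None:
            m = _TAG.search(stripped)
            if m:
                fields[m.group(1)] = m.group(2)
    return db


def locate_risk_software(db, name, version):
    """Detection + positioning modules: exact match on the identification
    information; None means the risk software is not present in this code base."""
    return db.get((name, version))


def build_alert(record):
    """Alarm module: alert text carrying identification, position and the
    responsible person's contact mode (payload for pop-up, voice or notification)."""
    return (f"RISK {record.name}@{record.version} at {record.path}:"
            f"{record.start_line}-{record.end_line}; notify {record.owner_contact}")


def apply_processing_info(db, name, old_version, new_version):
    """Updating module: once the responsible person has upgraded the software,
    the processing information replaces the stale identification entry."""
    record = db.pop((name, old_version), None)
    if record is None:
        return False
    record.version = new_version
    db[(name, new_version)] = record
    return True


if __name__ == "__main__":
    database = build_database("pom.xml", SAMPLE_POM, CONTACTS)
    # Constructed risk advisory: name and version collected from a publishing platform.
    hit = locate_risk_software(database, "org.example:json-lib", "2.3.1")
    if hit is not None:
        print(build_alert(hit))
        apply_processing_info(database, hit.name, hit.version, "2.4.0")
```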
According to an embodiment of the present application, the present application also provides an electronic device and a readable storage medium.
As shown in fig. 5, a block diagram of an electronic device implementing a positioning processing method of risk software according to an embodiment of the present application is shown. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing devices, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions are meant to be exemplary only, and are not meant to limit implementations of the applications described and/or claimed herein.
As shown in fig. 5, the electronic device includes: one or more processors 501, memory 502, and interfaces for connecting components, including high-speed interfaces and low-speed interfaces. The various components are interconnected using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions executed within the electronic device, including instructions stored in or on memory to display graphical information of the GUI on an external input/output device, such as a display device coupled to the interface. In other embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories. Also, multiple electronic devices may be connected, each providing a portion of the necessary operations (e.g., as a server array, a set of blade servers, or a multiprocessor system). One processor 501 is illustrated in fig. 5.
Memory 502 is a non-transitory computer readable storage medium provided by the present application. The memory stores instructions executable by the at least one processor to cause the at least one processor to execute the method for positioning risk software provided by the application. The non-transitory computer readable storage medium of the present application stores computer instructions for causing a computer to execute the risk software localization processing method provided by the present application.
The memory 502 is used as a non-transitory computer readable storage medium for storing non-transitory software programs, non-transitory computer executable programs, and modules, such as program instructions/modules (e.g., related modules shown in fig. 3 and fig. 4) corresponding to a positioning processing method of risk software in an embodiment of the present application. The processor 501 executes various functional applications of the server and data processing, i.e., implements the positioning processing method of the risk software in the above-described method embodiment, by running non-transitory software programs, instructions, and modules stored in the memory 502.
Memory 502 may include a storage program area that may store an operating system, at least one application program required for functionality, and a storage data area; the storage data area may store data created by the use of an electronic device implementing a positioning processing method of risk software, and the like. In addition, memory 502 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some embodiments, memory 502 optionally includes memory remotely located with respect to processor 501, which may be connected via a network to an electronic device implementing the location processing method of risk software. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The electronic device for implementing the positioning processing method of the risk software may further include: an input device 503 and an output device 504. The processor 501, memory 502, input devices 503 and output devices 504 may be connected by a bus or otherwise, for example in fig. 5.
The input device 503 may receive input numeric or character information and generate key signal inputs related to user settings and function controls of the electronic device implementing the location processing method of risk software; examples of such input devices include a touch screen, a keypad, a mouse, a track pad, a touch pad, a pointer stick, one or more mouse buttons, a track ball, a joystick, etc. The output devices 504 may include a display device, auxiliary lighting devices (e.g., LEDs), and haptic feedback devices (e.g., vibration motors), among others. The display device may include, but is not limited to, a Liquid Crystal Display (LCD), a Light Emitting Diode (LED) display, and a plasma display. In some implementations, the display device may be a touch screen.
Various implementations of the systems and techniques described here can be realized in digital electronic circuitry, integrated circuitry, application specific ASIC (application specific integrated circuit), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs, the one or more computer programs may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
These computing programs (also referred to as programs, software applications, or code) include machine instructions for a programmable processor, and may be implemented in a high-level procedural and/or object-oriented programming language, and/or in assembly/machine language. As used herein, the terms "machine-readable medium" and "computer-readable medium" refer to any computer program product, apparatus, and/or device (e.g., magnetic discs, optical disks, memory, programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), and the internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
According to the technical scheme of the embodiment of the application, the identification information of the risk software is acquired; whether the identification information of the risk software exists in a pre-established software information database is detected; and if the risk software exists, the position information of the risk software in the code base corresponding to the identification information of the risk software is acquired from the software information database. Compared with the manual positioning of risk software in the prior art, the technical scheme of the application can position risk software rapidly and accurately, effectively shorten the positioning time of the risk software, and effectively improve the positioning efficiency, so that the responsible persons of the code base can process the risk software accurately and in time, damage is prevented in time, the risk of the software in the code base of an enterprise is effectively reduced, and the safety of the software of the code base of the enterprise is improved.
According to the technical scheme of the embodiment of the application, the software information database comprising the identification information and the position information of all the software in the code library is established in the above manner. Whether the identification information and the position information of all the software in the code library are obtained from the description file of the dependency management tool or from the software dependency management tool by using the command provided by the dependency management tool, the accuracy of the obtained identification information and position information can be effectively ensured, so the accuracy of the software information database can be effectively ensured, and the accuracy of the subsequent risk software positioning based on the software information database can be effectively improved.
According to the technical scheme of the embodiment of the application, the software information database can be updated based on the software dependency management tool so as to ensure that the information in the software information database can be updated in time when the software in the code library is updated, thereby effectively ensuring the accuracy of the software information database and further effectively improving the accuracy of subsequent positioning of risk software based on the software information database.
According to the technical scheme of the embodiment of the application, the risk alarm can be performed based on the identification information and the position information of the risk software, for example, at least one mode of voice alarm, pop-up interface alarm and notification of responsible persons can be adopted, so that the risk software in the code library can be processed in time, the harm of the risk software is effectively reduced, and the safety of the software in the code library is improved.
According to the technical scheme of the embodiment of the application, the software information database can be updated according to the processing information of the risk software, so that the accuracy of the software information database can be effectively ensured, and the accuracy of subsequent positioning of the risk software based on the software information database can be effectively improved.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present application may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution disclosed in the present application can be achieved, and are not limited herein.
The above embodiments do not limit the scope of the present application. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present application should be included in the scope of the present application.
Claims (14)
1. The method for positioning and processing the risk software is characterized by being applied to a positioning and processing device of the risk software at the management system side of an enterprise and comprising the following steps:
acquiring identification information of risk software;
detecting whether risk software corresponding to the identification information of the risk software exists in a pre-established software information database;
if the risk software exists, acquiring the position information of the risk software in a code base, corresponding to the identification information of the risk software, from the software information database; the position information of the risk software in the code base comprises the position of the starting line of the risk software in the code base or the code line range of the risk software in the code base;
collecting identification information of risk software, including:
acquiring names and version numbers of risk software by monitoring risk software information published by a software publishing platform or a non-profit software organization of each open source code company;
before detecting whether risk software corresponding to the identification information of the risk software exists in a pre-established software information database, the method further comprises:
establishing the software information database; the software information database comprises identification information and position information of all the software and configured contact modes of responsible persons of the software.
2. The method of claim 1, wherein building the software information database comprises:
acquiring identification information and position information of all software in the code library based on a software dependency management tool;
and establishing the software information database comprising identification information and position information of all the software in the code base.
3. The method of claim 2, wherein obtaining identification information and location information for all software in the code library based on a software dependency management tool comprises:
acquiring identification information and position information of all software in the code library from the description file of the software dependency management tool; or
acquiring identification information and position information of all software in the code library from the software dependency management tool by using a command provided by the software dependency management tool.
4. The method of claim 2, wherein after establishing the software information database, the method further comprises:
the software information database is updated based on a software dependency management tool.
5. The method according to any one of claims 1 to 4, wherein after acquiring the location information of the risk software corresponding to the identification information of the risk software in the code library from the software information database, the method further comprises:
performing risk alarming based on the identification information and the position information of the risk software;
further, after performing risk alarm based on the identification information of the risk software and the location information, the method further includes:
acquiring processing information of the risk software;
and updating the software information database according to the processing information of the risk software.
6. The method of claim 5, wherein performing a risk alert based on the identification information of the risk software and the location information comprises:
based on the identification information and the position information of the risk software, sending out a voice alarm;
based on the identification information and the position information of the risk software, popping up an alarm prompt on a current interface; and/or
acquiring the contact information of the responsible person corresponding to the identification information of the risk software from the software information database, and sending an alarm prompt based on the identification information and the position information of the risk software and the contact mode of the responsible person, so as to inform the responsible person to process the risk software.
7. A positioning processing device for risk software, wherein the positioning processing device for risk software is located at the management system side of an enterprise and comprises:
the acquisition module is used for acquiring identification information of the risk software;
the detection module is used for detecting whether risk software corresponding to the identification information of the risk software exists in a pre-established software information database;
the positioning module is used for acquiring the position information of the risk software corresponding to the identification information of the risk software in the code base from the software information database if the risk software exists; the position information of the risk software in the code base comprises the position of the starting line of the risk software in the code base or the code line range of the risk software in the code base;
the collection module is used for acquiring names and version numbers of risk software by monitoring risk software information published by a software publishing platform or a non-profit software organization of each open source code company;
the apparatus further comprises:
the establishing module is used for establishing the software information database; the software information database comprises identification information and position information of all the software and configured contact modes of responsible persons of the software.
8. The apparatus of claim 7, wherein the establishing module is configured to:
acquiring identification information and position information of all software in the code library based on a software dependency management tool;
and establishing the software information database comprising identification information and position information of all the software in the code base.
9. The apparatus of claim 8, wherein the establishing module is configured to:
acquiring identification information and position information of all software in the code library from the description file of the software dependency management tool; or
acquiring identification information and position information of all software in the code library from the software dependency management tool by using a command provided by the software dependency management tool.
10. The apparatus according to any one of claims 7-9, wherein the apparatus further comprises:
and the updating module is used for updating the software information database based on the software dependency management tool.
11. The apparatus of claim 10, wherein the apparatus further comprises:
the alarm module is used for carrying out risk alarm based on the identification information and the position information of the risk software;
further, the acquisition module is further used for acquiring processing information of the risk software;
the updating module is further used for updating the software information database according to the processing information of the risk software.
12. The apparatus of claim 11, wherein the alarm module is configured to:
based on the identification information and the position information of the risk software, sending out a voice alarm;
based on the identification information and the position information of the risk software, popping up an alarm prompt on a current interface; and/or
acquiring the contact information of the responsible person corresponding to the identification information of the risk software from the software information database, and sending an alarm prompt based on the identification information and the position information of the risk software and the contact mode of the responsible person, so as to inform the responsible person to process the risk software.
13. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-6.
14. A non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the method of any one of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010305185.2A CN111666203B (en) | 2020-04-17 | 2020-04-17 | Positioning processing method and device of risk software, electronic equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111666203A CN111666203A (en) | 2020-09-15 |
CN111666203B true CN111666203B (en) | 2023-10-27 |
Family
ID=72382637
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010305185.2A Active CN111666203B (en) | 2020-04-17 | 2020-04-17 | Positioning processing method and device of risk software, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111666203B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113094711B (en) * | 2021-04-30 | 2023-05-16 | 云南电网有限责任公司 | Open source code detection method and system based on staged project development |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103473505A (en) * | 2012-06-06 | 2013-12-25 | 腾讯科技(深圳)有限公司 | Scanning prompt method and device for software vulnerabilities |
CN105164690A (en) * | 2013-07-12 | 2015-12-16 | 惠普发展公司,有限责任合伙企业 | Analyzing target software for security vulnerabilities |
CN106372463A (en) * | 2016-08-22 | 2017-02-01 | 北京深思数盾科技股份有限公司 | Middleware protection method, apparatus and system |
CN109753807A (en) * | 2019-01-09 | 2019-05-14 | 国家保密科技测评中心 | Safety detection method and device |
CN110232279A (en) * | 2019-06-06 | 2019-09-13 | 深圳前海微众银行股份有限公司 | A kind of leak detection method and device |
CN110909363A (en) * | 2019-11-25 | 2020-03-24 | 中国人寿保险股份有限公司 | Software third-party component vulnerability emergency response system and method based on big data |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10706156B2 (en) * | 2017-10-13 | 2020-07-07 | 1230604 BC Ltd. | Security risk identification in a secure software lifecycle |
US10733040B2 (en) * | 2018-02-01 | 2020-08-04 | Faro Technologies, Inc. | Individual bug fixed messages for software users |
Non-Patent Citations (5)
Title |
---|
[MAVEN] Maven series: detailed explanation of pom.xml tags; 千万之路刚开始; https://www.jianshu.com/p/242f2349eef1; pp. 1-8 * |
Empirical analysis of test visualization assistance for Java developers; 刘子聪; China Master's Theses Full-text Database (Information Science and Technology), No. 02; I138-915 * |
Towards agile security risk management in RE and beyond; Virginia N. L. Franqueira et al.; Workshop on Empirical Requirements Engineering (EmpiRE 2011); 33-36 * |
Application of joint R&D process analysis to a software project risk database; 李震阳; Software, No. 10; 139-141 * |
Research and implementation of key technologies for secure software development; 冯博; China Doctoral Dissertations Full-text Database (Information Science and Technology), No. 01; I138-19 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||