CN112115473A - Method for security detection of Java open source assembly - Google Patents


Info

Publication number
CN112115473A
Authority
CN
China
Prior art keywords
open source
security
maven
file
source component
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010968713.2A
Other languages
Chinese (zh)
Inventor
廖雷
李书红
林正勇
龙长春
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Changhong Electric Co Ltd
Original Assignee
Sichuan Changhong Electric Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
2020-09-15
Publication date
2020-12-22
Application filed by Sichuan Changhong Electric Co Ltd
Priority to CN202010968713.2A
Publication of CN112115473A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/561 Virus type analysis
    • G06F21/562 Static detection
    • G06F21/565 Static detection by checking file integrity
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security


Abstract

The invention discloses a method for security detection of Java open source components. A private repository is built with Maven, each open source component stored in it is marked with a security risk level, and the marked components are stored as first open source components. A system project file is uploaded, and a maven dependency-package information extraction plug-in configured in the project's maven pom file analyses the project file to obtain the list of second open source components on which the project depends. For each second open source component, the corresponding third open source component is found among the first open source components, and the second and third components are compared to generate a security report. The open source component library is thus defined, the open source components are marked for security along four security dimensions, the open source components referenced by the uploaded system project file are checked, the components carrying security risks are found, and the security of the system project file is improved.

Description

Method for security detection of Java open source assembly
Technical Field
The invention relates to the technical field of network security, in particular to a method for security detection of a Java open source component.
Background
With the continuing spread of informatization in society, computer software systems become ever more complex, software functions grow, and source code grows ever larger, so that the correctness of a program is hard to guarantee. The large number of defects introduced during software development is one of the main sources of software vulnerabilities. An attacker can use such vulnerabilities to bypass the software's security authentication, attack and intrude into the information system, obtain system user privileges illegitimately, and carry out a series of illegal operations and malicious attacks.
In the internet wave, more and more internet companies are steadily strengthening their software development and raising the technical content of their products. In the process, many open source components and open source software are used and further developed, so security detection of these open source components and open source software is urgently needed, yet no method for detecting them exists in the prior art.
Disclosure of Invention
The invention aims to provide a method for security detection of a Java open source component, which solves the problem that the prior art offers no security detection method for open source components.
The invention solves this problem through the following technical scheme:
a method for Java open source component security detection, comprising:
step S100: building a private repository with Maven, marking a security risk level on each open source component stored in the private repository, and storing the component as a first open source component;
step S200: uploading a system project file, and analysing it with a maven dependency-package information extraction plug-in configured in the project's maven pom file, to obtain the list of second open source components on which the project file depends;
step S300: finding, among the first open source components, the third open source component corresponding to each second open source component, and comparing the second open source component with the third open source component to generate a security report.
Step S200 specifically includes:
step S210: establishing a baseline for the maven code project file to be detected;
step S220: extracting the source code corresponding to the baseline version from the source code library;
step S230: compiling the source code project file and downloading the dependency packages on which the project file depends;
step S240: configuring the maven dependency-package information extraction plug-in in the project's maven pom file, executing the corresponding maven command, and generating the maven dependency package information data file of the current project file.
Step S300 specifically includes:
step S310: uploading the maven dependency package information data file;
step S320: querying the maven open source dependency package security database, comparing the maven dependency package information entry by entry, and generating a security report.
The security risk level in step S100 is marked along three dimensions: authorization license verification, virus/Trojan detection and security vulnerability detection;
the authorization license verification method comprises: obtaining the authorization license information of the open source component and classifying the security risk according to that license information;
the virus/Trojan detection method comprises: performing virus/Trojan detection on the open source component through an integrated existing virus/Trojan detection interface;
the security vulnerability detection method comprises: performing vulnerability detection on the open source component through an integrated existing security vulnerability scanning software interface.
Before step S300 generates the security report, tamper-proof verification of the file is also performed and its result is added to the security report; the tamper-proof verification method is: matching the MD5, SHA1 and SHA256 values of the second open source component against those of the third open source component respectively, and determining the file tampering risk level.
The private repository also stores open source software, and security detection of open source software is performed in the same way as for open source components.
Compared with the prior art, the invention has the following advantages and beneficial effects:
the invention defines a complete open source component library and open source software library, marks the security of open source components and software along four security dimensions (authorization license (License) verification, virus/Trojan detection, file tamper-proof verification and security vulnerability detection), and checks the open source components and software referenced by uploaded system project files, so as to find those carrying security risks, provide remediation suggestions, and improve the security of the system project files.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
The present invention will be described in further detail with reference to examples, but the embodiments of the present invention are not limited thereto.
Example 1:
referring to fig. 1, a method for security detection of a Java open source component includes:
step S100: building a private repository with Maven, marking a security risk level on each open source component stored in the private repository, and storing the component as a first open source component;
step S200: uploading a system project file, and analysing it with a maven dependency-package information extraction plug-in configured in the project's maven pom file, to obtain the list of second open source components on which the project file depends; step S200 specifically includes:
step S210: a configuration manager establishes a baseline for the maven code project file to be detected;
step S220: a developer extracts the source code corresponding to the baseline version from the source code library on site;
step S230: a developer compiles the source code project file and downloads the dependency packages on which the project file depends to the local machine;
step S240: a developer configures the maven dependency-package information extraction plug-in in the project's maven pom file, executes the corresponding maven command, and generates the maven dependency package information data file of the current project file.
The plug-in coordinates and configuration are as follows:
configuring the plug-in:
[Plug-in configuration for the pom file; shown in the original as an image, Figure BDA0002683285940000041]
acquiring coordinates:
mvn com.changhong.cloud:osc-sd-maven-plugin:1.0.0:detect \
  -Ddetect.projectCode=codeXXX -Ddetect.projectName=nameXXX \
  -Ddetect.email=somebody@changhong.com \
  -Ddetect.serviceUrl=http://oscsd.changhong.io/v1
The security inspector copies the maven dependency package information data file from the development unit. The command to extract the Java component information is as follows:
Windows system
./osc-sd-tool_windows_amd64.exe
Linux system
./osc-sd-tool_linux_amd64
macOS system
./osc-sd-tool_darwin_amd64
The security inspector then uploads the maven dependency package information data file.
The background program queries the maven open source dependency package security database, compares the maven dependency package information entry by entry, and generates a security report. The background executes the security detection task:
mvn com.changhong.cloud:osc-sd-maven-plugin:1.0.0:detect
mvn com.changhong.cloud:osc-sd-maven-plugin:1.0.0:detect \
  -Ddetect.projectCode=codeXXX -Ddetect.projectName=nameXXX \
  -Ddetect.email=somebody@changhong.com \
  -Ddetect.serviceUrl=http://oscsd.changhong.io/v1
The security inspector then feeds the security report back to the developer.
Example 2:
Furthermore, the security risk level in step S100 is marked along three dimensions: authorization license verification, virus/Trojan detection and security vulnerability detection;
the authorization license (License) verification method comprises: obtaining the authorization license information of the open source component and classifying the security risk according to that license information;
the risk classification is as follows:
MIT - low risk - the program developer retains the original author's license information in the modified source code;
Apache 1.0 - medium risk - the open source component or open source software uses the Apache 1.0 license, and the developer does not retain the original author's license information in the modified source code;
Apache 2.0 - low risk - the open source component or open source software uses the Apache 2.0 license, and the developer does not retain the original author's license information in the modified source code;
other license agreements - medium risk - the open source component uses another license, and the developer does not retain the original author's license information in the modified source code.
The virus/Trojan detection method comprises: performing virus/Trojan detection on the open source component through an integrated existing virus/Trojan detection interface;
the risk classification is as follows:
virus present - high risk;
suspected virus - medium risk;
no virus - no risk.
The security vulnerability detection method comprises: performing vulnerability detection on the open source component through an integrated existing security vulnerability scanning software interface.
The risk classification is as follows:
fatal security vulnerability - fatal risk;
severe security vulnerability - high risk;
high-risk security vulnerability - high risk;
medium-risk security vulnerability - medium risk;
low-risk security vulnerability - low risk.
Before step S300 generates the security report, tamper-proof verification of the file is also performed and its result is added to the security report; the tamper-proof verification method is: matching the MD5, SHA1 and SHA256 values of the second open source component against those of the third open source component respectively, and determining the file tampering risk level.
The risk classification is as follows:
MD5 value matches - no risk;
MD5 value does not match - high risk;
SHA1 value matches - no risk;
SHA1 value does not match - high risk;
SHA256 value matches - no risk;
SHA256 value does not match - high risk.
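The comparison of steps S310/S320 together with the four marking dimensions of Example 2, as an added example that is not the patent's or Sichuan Changhong's code. It assumes a dependency data file in the `groupId:artifactId:type:version:scope` form that `mvn dependency:list` prints, takes the worst dimension as a component's overall level (the patent does not say how levels combine), and treats a dependency absent from the private repository as high risk; all coordinates, bytes and marks are constructed.

```python
"""Security check of uploaded dependencies against a private repository whose
components carry license, virus/Trojan, vulnerability and hash marks.
Added example modelled on CN112115473A; all data below is constructed."""
import hashlib
from dataclasses import dataclass

# Ordered from best to worst; the patent lists the levels but not how the
# dimensions combine, so this example takes the worst level (assumption).
LEVELS = ["no risk", "low risk", "medium risk", "high risk", "fatal risk"]
LICENSE_RISK = {"MIT": "low risk", "Apache-1.0": "medium risk",
                "Apache-2.0": "low risk"}          # any other license: medium risk
VIRUS_RISK = {"virus": "high risk", "suspected": "medium risk", "none": "no risk"}
VULN_RISK = {"fatal": "fatal risk", "severe": "high risk", "high": "high risk",
             "medium": "medium risk", "low": "low risk", "none": "no risk"}


@dataclass
class FirstComponent:
    """An open source component stored in the private repository with its marks."""
    license_id: str
    virus: str
    vuln: str
    md5: str
    sha1: str
    sha256: str


def digests(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of an artifact, the three values the patent matches."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def mark_component(data: bytes, license_id: str, virus: str, vuln: str) -> FirstComponent:
    """Step S100: mark an artifact in the private repository and record its hashes."""
    return FirstComponent(license_id, virus, vuln, **digests(data))


def parse_dependency_list(text: str) -> list:
    """Step S310: read a data file in the groupId:artifactId:type:version[:scope]
    form that `mvn dependency:list` prints; returns groupId:artifactId:version keys."""
    keys = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4:            # header lines have fewer fields and are skipped
            keys.append(f"{parts[0]}:{parts[1]}:{parts[3]}")
    return keys


def check_component(key: str, first_db: dict, jar_bytes: bytes) -> dict:
    """Step S320 for one second component: find its third component and compare."""
    third = first_db.get(key)
    if third is None:   # no third component exists, so it cannot be cleared (assumption)
        return {"component": key, "overall": "high risk", "note": "not in private repository"}
    actual = digests(jar_bytes)
    dims = {"license": LICENSE_RISK.get(third.license_id, "medium risk"),
            "virus": VIRUS_RISK[third.virus],
            "vulnerability": VULN_RISK[third.vuln]}
    for alg in ("md5", "sha1", "sha256"):   # tamper-proof verification
        dims[f"tamper_{alg}"] = "no risk" if actual[alg] == getattr(third, alg) else "high risk"
    overall = max(dims.values(), key=LEVELS.index)
    return {"component": key, "overall": overall, **dims}


def security_report(dep_file: str, first_db: dict, jars: dict) -> list:
    """Run the check for every second component in the uploaded data file."""
    return [check_component(k, first_db, jars.get(k, b"")) for k in parse_dependency_list(dep_file)]


# Constructed sample data: two components held in the private repository, the
# second of which arrives with one byte appended, plus one unknown dependency.
WIDGET_JAR = b"PK\x03\x04 constructed bytes standing in for widget-core-1.0.0.jar"
LIB_JAR = b"PK\x03\x04 constructed bytes standing in for tainted-lib-2.3.4.jar"
FIRST_DB = {
    "org.example:widget-core:1.0.0": mark_component(WIDGET_JAR, "Apache-2.0", "none", "none"),
    "org.example:tainted-lib:2.3.4": mark_component(LIB_JAR, "MIT", "suspected", "medium"),
}
DEP_FILE = """The following files have been resolved:
   org.example:widget-core:jar:1.0.0:compile
   org.example:tainted-lib:jar:2.3.4:compile
   com.example:internal-util:jar:1.2.0:compile
"""
UPLOADED_JARS = {"org.example:widget-core:1.0.0": WIDGET_JAR,
                 "org.example:tainted-lib:2.3.4": LIB_JAR + b"\x00"}

if __name__ == "__main__":
    for row in security_report(DEP_FILE, FIRST_DB, UPLOADED_JARS):
        print(row)
```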
Although the present invention has been described herein with reference to the illustrated embodiments thereof, which are intended to be preferred embodiments of the present invention, it is to be understood that the invention is not limited thereto, and that numerous other modifications and embodiments can be devised by those skilled in the art that will fall within the spirit and scope of the principles of this disclosure.

Claims (5)

1. A method for security detection of a Java open source component, comprising:
step S100: building a private repository with Maven, marking a security risk level on each open source component stored in the private repository, and storing the component as a first open source component;
step S200: uploading a system project file, and analysing it with a maven dependency-package information extraction plug-in configured in the project's maven pom file, to obtain the list of second open source components on which the project file depends;
step S300: finding, among the first open source components, the third open source component corresponding to each second open source component, and comparing the second open source component with the third open source component to generate a security report.
2. The method for security detection of a Java open source component according to claim 1, wherein step S200 specifically includes:
step S210: establishing a baseline for the maven code project file to be detected;
step S220: extracting the source code corresponding to the baseline version from the source code library;
step S230: compiling the source code project file and downloading the dependency packages on which the project file depends;
step S240: configuring the maven dependency-package information extraction plug-in in the project's maven pom file, executing the corresponding maven command, and generating the maven dependency package information data file of the current project file.
3. The method for security detection of a Java open source component according to claim 2, wherein step S300 specifically includes:
step S310: uploading the maven dependency package information data file;
step S320: querying the maven open source dependency package security database, comparing the maven dependency package information entry by entry, and generating a security report.
4. The method for security detection of a Java open source component according to claim 1, wherein the security risk level in step S100 is marked along three dimensions: authorization license verification, virus/Trojan detection and security vulnerability detection;
the authorization license verification method comprises: obtaining the authorization license information of the open source component and classifying the security risk according to that license information;
the virus/Trojan detection method comprises: performing virus/Trojan detection on the open source component through an integrated existing virus/Trojan detection interface;
the security vulnerability detection method comprises: performing vulnerability detection on the open source component through an integrated existing security vulnerability scanning software interface.
5. The method for security detection of a Java open source component according to claim 4, wherein before step S300 generates the security report, tamper-proof verification of the file is also performed and its result is added to the security report, the tamper-proof verification method comprising: matching the MD5, SHA1 and SHA256 values of the second open source component against those of the third open source component respectively, and determining the file tampering risk level.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010968713.2A CN112115473A (en) 2020-09-15 2020-09-15 Method for security detection of Java open source assembly


Publications (1)

Publication Number Publication Date
CN112115473A true CN112115473A (en) 2020-12-22

Family

ID=73803101


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113343223A (en) * 2021-06-30 2021-09-03 China Merchants Financial Technology Co Ltd Jar package safety monitoring method and device, computer equipment and storage medium
CN113343222A (en) * 2021-06-30 2021-09-03 China Merchants Financial Technology Co Ltd Java project engineering safety verification method and device, computer equipment and storage medium
CN114647854A (en) * 2022-03-01 2022-06-21 Shenzhen Open Source Internet Security Technology Co Ltd Component security detection method and device, firewall and component downloading system
CN115357898A (en) * 2022-07-08 2022-11-18 Shenzhen Open Source Internet Security Technology Co Ltd Dependency analysis method, device and medium for JAVA component

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108293048A (en) * 2015-11-25 2018-07-17 Sonatype Inc The method and system of software hazard for control software exploitation
CN108763928A (en) * 2018-05-03 2018-11-06 Beijing University of Posts and Telecommunications A kind of open source software leak analysis method, apparatus and storage medium
CN110543767A (en) * 2019-08-10 2019-12-06 Suzhou Inspur Intelligent Technology Co Ltd automatic monitoring method and system for open source component vulnerability
CN110618931A (en) * 2019-08-14 2019-12-27 Chongqing Financial Assets Exchange Co Ltd Dependency relationship detection method and device, computer equipment and readable storage medium
CN110909363A (en) * 2019-11-25 2020-03-24 China Life Insurance Co Ltd Software third-party component vulnerability emergency response system and method based on big data
CN111309713A (en) * 2020-05-14 2020-06-19 Shenzhen Open Source Internet Security Technology Co Ltd Method and device for generating Maven open source software library and storage medium
CN111625839A (en) * 2020-05-29 2020-09-04 Shenzhen Qianhai WeBank Co Ltd Third-party component vulnerability detection method, device, equipment and computer storage medium


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
测试开发KEVIN: "Code dependency package security vulnerability detection tool: Dependency", 《HTTPS://WWW.JIANSHU.COM/P/3618761F9BC6》 *



Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 2020-12-22)