CN112464241A - Code vulnerability scanning method, system, terminal and storage medium - Google Patents

Info

Publication number: CN112464241A
Application number: CN202011165036.7A
Authority: CN (China)
Prior art keywords: vulnerability, scanning, historical, information, code
Legal status: Withdrawn
Other languages: Chinese (zh)
Inventor: 赵凡
Current Assignee: Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee: Suzhou Inspur Intelligent Technology Co Ltd
Priority date: 2020-10-27
Filing date: 2020-10-27
Publication date: 2021-03-09

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The invention provides a code vulnerability scanning method, a system, a terminal and a storage medium, comprising the following steps: summarizing historical vulnerability IDs and corresponding vulnerability information from historical code scanning results to generate a vulnerability information table; extracting all vulnerability IDs from the current scanning result; judging whether the vulnerability ID has a matching historical vulnerability ID in a vulnerability information table: if yes, outputting the vulnerability information of the matching historical vulnerability ID; if not, analyzing the vulnerability corresponding to the vulnerability ID by using a scanning tool to acquire vulnerability information corresponding to the vulnerability ID. The invention reduces the workload of code scanning, improves the scanning efficiency and saves the inspection time.

Description

Code vulnerability scanning method, system, terminal and storage medium
Technical Field
The invention relates to the technical field of code development, in particular to a code vulnerability scanning method, a system, a terminal and a storage medium.
Background
In the internet era, technology iterates rapidly and each iteration is realised in code, so the quality and security of code receives ever more attention. For code bases with a very large number of lines, quality and security are hard to inspect by manual review alone, so a code scanning tool is used to perform a first-pass scan and thereby improve code quality and security.
Against this background, the prior art only compares code branches, screens out the changed branch and scans the changed branch code, but this method cannot locate the person responsible for a problem. The prior art also records IDs for vulnerabilities to ease later review, but for vulnerabilities that do not need to be repaired the code still has to be analysed at every scan to decide whether repair is needed. This makes code scanning repetitive and reduces scanning efficiency.
Disclosure of Invention
In view of the above-mentioned deficiencies of the prior art, the present invention provides a code vulnerability scanning method, system, terminal and storage medium to solve the above-mentioned technical problems.
In a first aspect, the present invention provides a code vulnerability scanning method, including:
summarizing historical vulnerability IDs and corresponding vulnerability information from historical code scanning results to generate a vulnerability information table;
extracting all vulnerability IDs from the current scanning result;
judging whether the vulnerability ID has a matching historical vulnerability ID in a vulnerability information table:
if yes, outputting the vulnerability information of the matching historical vulnerability ID;
if not, analyzing the vulnerability corresponding to the vulnerability ID by using a scanning tool to acquire vulnerability information corresponding to the vulnerability ID.
Further, summarizing the historical vulnerability IDs and the corresponding vulnerability information from the historical code scanning results includes:
extracting historical vulnerability IDs and the corresponding vulnerability interpretation, repair requirement, severity level and responsible person information from the scanning results of the past scans.
Further, the method further comprises:
marking each past scanning result with its scanning time and then storing the scanning results in a database;
judging, according to the code updating time, whether a scanning result for the latest version exists in the database:
if not, scanning the updated code by calling a scanning tool.
Further, the method further comprises:
saving the vulnerability information corresponding to the vulnerability IDs obtained by the current scan to the vulnerability information table.
In a second aspect, the present invention provides a code vulnerability scanning system, including:
the historical vulnerability summarizing unit is configured to summarize historical vulnerability IDs and corresponding vulnerability information from historical code scanning results to generate a vulnerability information table;
the ID extraction unit is configured to extract all vulnerability IDs from the current scanning result;
the ID matching unit is configured for judging whether the vulnerability ID has a matching historical vulnerability ID in the vulnerability information table;
the historical vulnerability output unit is configured for outputting vulnerability information of the matched historical vulnerability ID if the vulnerability ID has the matched historical vulnerability ID in the vulnerability information table;
the vulnerability analysis unit is configured to analyze the vulnerability corresponding to the vulnerability ID by using a scanning tool if the vulnerability ID does not have a matching historical vulnerability ID in the vulnerability information table, and to acquire vulnerability information corresponding to the vulnerability ID.
Further, the history vulnerability summarizing unit comprises:
the information summarizing module is configured to extract the historical vulnerability IDs and the corresponding vulnerability interpretation, repair requirement, severity level and responsible person information from the scanning results of the past scans.
Further, the system further comprises:
the result storage unit is configured to mark each scanning result with its scanning time and store it in a database;
the time checking unit is configured to judge, according to the code updating time, whether a scanning result for the latest version exists in the database;
the scanning execution unit is configured to invoke a scanning tool to scan the updated code if no scanning result for the latest version exists.
Further, the system further comprises:
the information storage unit is configured to store the vulnerability information corresponding to the vulnerability IDs acquired by the current scan into the vulnerability information table.
In a third aspect, a terminal is provided, including:
a processor and a memory, wherein
the memory is used for storing a computer program, and
the processor is used for calling and running the computer program from the memory so as to make the terminal execute the method of the above aspects.
In a fourth aspect, a computer storage medium is provided having stored therein instructions that, when executed on a computer, cause the computer to perform the method of the above aspects.
The beneficial effect of the invention is as follows:
according to the code vulnerability scanning method, system, terminal and storage medium, vulnerability information in historical scanning results is collected and vulnerability IDs are generated to identify the scanned vulnerabilities, so that in subsequent scans the vulnerabilities whose IDs already exist do not need to be analysed again and only the corresponding historical vulnerability information needs to be retrieved. The invention therefore reduces the workload of code scanning, improves scanning efficiency and saves inspection time.
In addition, the invention has reliable design principle, simple structure and very wide application prospect.
Drawings
In order to more clearly illustrate the embodiments or technical solutions in the prior art of the present invention, the drawings used in the description of the embodiments or prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained based on these drawings without creative efforts.
FIG. 1 is a schematic flow diagram of a method of one embodiment of the invention.
FIG. 2 is a schematic block diagram of a system of one embodiment of the present invention.
FIG. 3 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solution of the present invention, the technical solution in the embodiment of the present invention will be clearly and completely described below with reference to the drawings in the embodiment of the present invention, and it is obvious that the described embodiment is only a part of the embodiment of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
FIG. 1 is a schematic flow diagram of a method of one embodiment of the invention. The execution subject in FIG. 1 may be a code vulnerability scanning system.
As shown in FIG. 1, the method includes:
step 110, summarizing historical vulnerability IDs and corresponding vulnerability information from historical code scanning results to generate a vulnerability information table;
step 120, extracting all vulnerability IDs from the current scanning result;
step 130, judging whether the vulnerability ID has a matching historical vulnerability ID in the vulnerability information table:
step 140, if yes, outputting the vulnerability information of the matching historical vulnerability ID;
step 150, if not, analyzing the vulnerability corresponding to the vulnerability ID by using a scanning tool to acquire vulnerability information corresponding to the vulnerability ID.
Specifically, the code vulnerability scanning method includes:
and S1, summarizing the historical vulnerability ID and the corresponding vulnerability information from the historical code scanning result, and generating a vulnerability information table.
Firstly, whether the system meets the configuration requirement of scanning software installation is automatically identified according to the installation configuration file, and if the system meets the configuration requirement, the software package is installed in a specified directory.
From the first scanning, the ID is allocated to the loopholes found in the scanning result of each time, and the ID of each loophole is unique. And allocating an ID to the vulnerability in the first scanning result and analyzing vulnerability information, wherein the vulnerability information comprises vulnerability interpretation, restoration requirements (whether restoration is needed), severity level and accountant information. And if newly added bugs are found during subsequent scanning, still distributing the ID and analyzing the bug information. And summarizing all bugs with the bug IDs and related bug information to a bug information table.
And S2, extracting all vulnerability IDs from the current scanning result.
And identifying the date of the code to be scanned and the date (if any) of the code scanning in the Gitlab code warehouse, and if the date of the scanning result is before the date of the code, indicating that the latest version of the scanning result does not exist and the code needs to be scanned.
And calling a scanning tool to scan the codes, and extracting all vulnerability IDs from the scanning result.
S3, judging whether the vulnerability ID has a matching historical vulnerability ID in the vulnerability information table: if yes, outputting the vulnerability information of the matching historical vulnerability ID; if not, analyzing the vulnerability corresponding to the vulnerability ID by using a scanning tool to acquire vulnerability information corresponding to the vulnerability ID.
And judging whether each vulnerability ID extracted in the step S2 has a matching historical vulnerability ID in the vulnerability information table, and if a newly added vulnerability ID which does not have the matching historical vulnerability ID exists, analyzing the vulnerability corresponding to the newly added vulnerability ID to obtain vulnerability information of the newly added vulnerability ID.
And directly outputting the vulnerability information corresponding to the matching historical vulnerability ID for the vulnerability ID which is matched with the historical vulnerability ID in the vulnerability information table.
And summarizing the vulnerability information of the newly added vulnerability ID and the vulnerability information with the vulnerability ID matched with the historical vulnerability ID to obtain the scanning result.
And storing the vulnerability information of the newly added vulnerability ID into a vulnerability information table.
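The S1 to S3 procedure above as an added worked example in Python, not code from the patent: the vulnerability ID scheme (a hash over rule, file path and whitespace-normalised source line), the in-memory table standing in for the database, the analysis callback and the two scan reports are all assumptions or constructed data.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Finding:
    """One raw entry from a scanning tool's report (constructed format)."""
    rule: str       # the scanner's rule/check name
    path: str       # file the finding points at
    line_text: str  # the flagged source line

@dataclass
class VulnInfo:
    """Vulnerability interpretation, repair requirement, severity, responsible person."""
    interpretation: str
    needs_repair: bool
    severity: str
    owner: str

def vuln_id(f: Finding) -> str:
    """Stable, unique vulnerability ID (assumed scheme, not the patent's): hash of rule,
    path and whitespace-normalised source line, so the ID survives re-indentation."""
    normalised = " ".join(f.line_text.split())
    return hashlib.sha256(f"{f.rule}|{f.path}|{normalised}".encode()).hexdigest()[:16]

@dataclass
class ScanOutcome:
    """Merged result of one scan, with the IDs split by where their info came from."""
    info: Dict[str, VulnInfo]
    reused_ids: List[str]    # matched a historical ID, no analysis run
    analyzed_ids: List[str]  # new IDs that had to be analysed

@dataclass
class VulnTable:
    """Vulnerability information table (S1) plus scan-time log for the S2 freshness check."""
    entries: Dict[str, VulnInfo] = field(default_factory=dict)
    scan_times: List[datetime] = field(default_factory=list)

    def needs_rescan(self, code_updated: datetime) -> bool:
        """True when no stored scan result is at least as new as the code."""
        return not self.scan_times or max(self.scan_times) < code_updated

    def process_scan(self, findings: List[Finding],
                     analyze: Callable[[Finding], VulnInfo],
                     scan_time: datetime) -> ScanOutcome:
        """S2/S3: extract IDs, reuse history on a match, analyse only new IDs, merge, persist."""
        outcome = ScanOutcome(info={}, reused_ids=[], analyzed_ids=[])
        for f in findings:
            vid = vuln_id(f)
            if vid in outcome.info:
                continue                               # duplicate within this report
            if vid in self.entries:
                outcome.info[vid] = self.entries[vid]  # step 140: reuse history
                outcome.reused_ids.append(vid)
            else:
                info = analyze(f)                      # step 150: analyse the new ID
                outcome.info[vid] = info
                outcome.analyzed_ids.append(vid)
                self.entries[vid] = info               # save it to the table
        self.scan_times.append(scan_time)
        return outcome

# Constructed reports: scan 2 re-indents the secret line (same ID, reused) and adds one new finding.
SCAN_1 = [
    Finding("hardcoded-secret", "app/config.py", 'PASSWORD = "changeme"'),
    Finding("sql-injection", "app/db.py", 'cur.execute("SELECT * FROM t WHERE id=" + uid)'),
]
SCAN_2 = [
    Finding("hardcoded-secret", "app/config.py", '    PASSWORD  = "changeme"'),
    Finding("weak-hash", "app/auth.py", "digest = hashlib.md5(pw).hexdigest()"),
]

def run_demo() -> dict:
    """Two scans against one table: count analyses and exercise the freshness check."""
    table = VulnTable()
    calls: List[Finding] = []

    def analyze(f: Finding) -> VulnInfo:  # stand-in for the expensive per-finding analysis
        calls.append(f)
        return VulnInfo(f"{f.rule} in {f.path}", True, "high", "team-a")

    fresh_before = table.needs_rescan(datetime(2020, 10, 1))
    first = table.process_scan(SCAN_1, analyze, datetime(2020, 10, 1))
    second = table.process_scan(SCAN_2, analyze, datetime(2020, 10, 27))
    return {
        "first_analyzed": len(first.analyzed_ids),
        "second_reused": len(second.reused_ids),
        "second_analyzed": len(second.analyzed_ids),
        "total_analyses": len(calls),
        "rescan_before_any_scan": fresh_before,
        "rescan_old_code": table.needs_rescan(datetime(2020, 10, 20)),
        "rescan_new_code": table.needs_rescan(datetime(2020, 10, 28)),
    }
```

The second scan runs the analysis once instead of twice, because the re-indented secret still hashes to its historical ID; a scheme that keyed on the report's line number would miss that reuse.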
As shown in FIG. 2, the system 200 includes:
a historical vulnerability summarizing unit 210 configured to summarize historical vulnerability IDs and corresponding vulnerability information from historical code scanning results, and generate a vulnerability information table;
an ID extraction unit 220 configured to extract all vulnerability IDs from the current scanning result;
an ID matching unit 230 configured to determine whether the vulnerability ID has a matching historical vulnerability ID in the vulnerability information table;
a historical vulnerability output unit 240 configured to output the vulnerability information of the matching historical vulnerability ID if the vulnerability ID has a matching historical vulnerability ID in the vulnerability information table;
a vulnerability analysis unit 250 configured to analyze the vulnerability corresponding to the vulnerability ID by using a scanning tool to acquire vulnerability information corresponding to the vulnerability ID if the vulnerability ID does not have a matching historical vulnerability ID in the vulnerability information table.
Optionally, as an embodiment of the present invention, the history vulnerability summarizing unit includes:
the information summarizing module is configured to extract the historical vulnerability IDs and the corresponding vulnerability interpretation, repair requirement, severity level and responsible person information from the scanning results of the past scans.
Optionally, as an embodiment of the present invention, the system further includes:
the result storage unit is configured to mark each scanning result with its scanning time and store it in a database;
the time checking unit is configured to judge, according to the code updating time, whether a scanning result for the latest version exists in the database;
the scanning execution unit is configured to invoke a scanning tool to scan the updated code if no scanning result for the latest version exists.
Optionally, as an embodiment of the present invention, the system further includes:
the information storage unit is configured to store the vulnerability information corresponding to the vulnerability IDs acquired by the current scan into the vulnerability information table.
FIG. 3 is a schematic structural diagram of a terminal 300 according to an embodiment of the present invention, where the terminal 300 may be used to execute the code vulnerability scanning method according to the embodiment of the present invention.
The terminal 300 may include a processor 310, a memory 320 and a communication unit 330. The components communicate via one or more buses, and those skilled in the art will appreciate that the server architecture shown in the figure is not intended to be limiting: it may be a bus architecture or a star architecture, may combine more or fewer components than those shown, or may arrange the components differently.
The memory 320 may be used for storing instructions executed by the processor 310, and may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disk. The executable instructions in the memory 320, when executed by the processor 310, enable the terminal 300 to perform some or all of the steps of the method embodiments described above.
The processor 310 is the control center of the terminal: it connects the various parts of the whole terminal through various interfaces and lines, and performs the terminal's functions and/or processes data by running or executing the software programs and/or modules stored in the memory 320 and calling the data stored in the memory. The processor may consist of an integrated circuit (IC), for example a single packaged IC or several packaged ICs with the same or different functions connected together. For example, the processor 310 may include only a central processing unit (CPU). In the embodiment of the present invention, the CPU may have a single operation core or multiple operation cores.
The communication unit 330 is configured to establish a communication channel so that the terminal can communicate with other terminals, receiving user data sent by other terminals or sending user data to them.
The present invention also provides a computer storage medium, wherein the computer storage medium may store a program, and the program may include some or all of the steps in the embodiments provided by the present invention when executed. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
In summary, the vulnerability information in the historical scanning results is collected and vulnerability IDs are generated to identify the scanned vulnerabilities, so that in subsequent scans the vulnerabilities whose IDs already exist do not need to be analysed again and only the corresponding historical vulnerability information needs to be retrieved. The present invention therefore reduces the workload of code scanning, improves scanning efficiency and saves inspection time; for the technical effects achieved by this embodiment, reference may be made to the description above, which is not repeated here.
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be embodied in the form of a software product, where the computer software product is stored in a storage medium, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and the like, and the storage medium can store program codes, and includes instructions for enabling a computer terminal (which may be a personal computer, a server, or a second terminal, a network terminal, and the like) to perform all or part of the steps of the method in the embodiments of the present invention.
The same and similar parts in the various embodiments in this specification may be referred to each other. Especially, for the terminal embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and the relevant points can be referred to the description in the method embodiment.
In the embodiments provided in the present invention, it should be understood that the disclosed system and method can be implemented in other ways. For example, the above-described system embodiments are merely illustrative, and for example, the division of the units is only one logical functional division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, systems or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
Although the present invention has been described in detail with reference to the drawings in connection with the preferred embodiments, the present invention is not limited thereto. Various equivalent modifications or substitutions can be made to the embodiments of the present invention by those skilled in the art without departing from the spirit and scope of the present invention, and any changes or substitutions that a person skilled in the art can easily conceive within the technical scope of the present invention fall within its scope. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A code vulnerability scanning method is characterized by comprising the following steps:
summarizing historical vulnerability IDs and corresponding vulnerability information from historical code scanning results to generate a vulnerability information table;
extracting all vulnerability IDs from the current scanning result;
judging whether the vulnerability ID has a matching historical vulnerability ID in a vulnerability information table:
if yes, outputting the vulnerability information of the matching historical vulnerability ID;
if not, analyzing the vulnerability corresponding to the vulnerability ID by using a scanning tool to acquire vulnerability information corresponding to the vulnerability ID.
2. The method of claim 1, wherein aggregating historical vulnerability IDs and corresponding vulnerability information from historical code scans comprises:
extracting historical vulnerability IDs and the corresponding vulnerability interpretation, repair requirement, severity level and responsible person information from the scanning results of the past scans.
3. The method of claim 1, further comprising:
marking the scanning time of the scanning results of the previous times and then storing the scanning results in a database;
judging whether the scanning result of the latest version exists in the database according to the code updating time:
if not, the updated code is scanned by calling a scanning tool.
4. The method of claim 1, further comprising:
saving the vulnerability information corresponding to the vulnerability IDs obtained by the current scan to the vulnerability information table.
5. A code vulnerability scanning system, comprising:
the historical vulnerability summarizing unit is configured to summarize historical vulnerability IDs and corresponding vulnerability information from historical code scanning results to generate a vulnerability information table;
the ID extraction unit is configured to extract all vulnerability IDs from the current scanning result;
the ID matching unit is configured for judging whether the vulnerability ID has a matching historical vulnerability ID in the vulnerability information table;
the historical vulnerability output unit is configured for outputting vulnerability information of the matched historical vulnerability ID if the vulnerability ID has the matched historical vulnerability ID in the vulnerability information table;
the vulnerability analysis unit is configured to analyze the vulnerability corresponding to the vulnerability ID by using a scanning tool if the vulnerability ID does not have a matching historical vulnerability ID in the vulnerability information table, and to acquire vulnerability information corresponding to the vulnerability ID.
6. The system of claim 5, wherein the historical vulnerability summarizing unit comprises:
the information summarizing module is configured to extract the historical vulnerability IDs and the corresponding vulnerability interpretation, repair requirement, severity level and responsible person information from the scanning results of the past scans.
7. The system of claim 5, further comprising:
the result storage unit is configured to mark each scanning result with its scanning time and store it in a database;
the time checking unit is configured to judge, according to the code updating time, whether a scanning result for the latest version exists in the database;
the scanning execution unit is configured to invoke a scanning tool to scan the updated code if no scanning result for the latest version exists.
8. The system of claim 5, further comprising:
the information storage unit is configured to store the vulnerability information corresponding to the vulnerability IDs acquired by the current scan into the vulnerability information table.
9. A terminal, comprising:
a processor;
a memory for storing instructions for execution by the processor;
wherein the processor is configured to perform the method of any one of claims 1-4.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-4.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011165036.7A CN112464241A (en) 2020-10-27 2020-10-27 Code vulnerability scanning method, system, terminal and storage medium
Publications (1)

Publication Number Publication Date
CN112464241A true CN112464241A (en) 2021-03-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication (application publication date: 20210309)