CN112560048A - Code security scanning method, code security scanning system and storage medium - Google Patents


Info

Publication number
CN112560048A
Authority
CN
China
Prior art keywords
vulnerability
code
processed
processing
code security
Prior art date
Legal status
Granted
Application number
CN202011528489.1A
Other languages
Chinese (zh)
Other versions
CN112560048B (en)
Inventor
赵铭
林圳杰
严志华
Current Assignee
China Southern Power Grid Digital Platform Technology Guangdong Co ltd
Original Assignee
Shenzhen Digital Power Grid Research Institute of China Southern Power Grid Co Ltd
Priority date
Filing date
Publication date
Application filed by Shenzhen Digital Power Grid Research Institute of China Southern Power Grid Co Ltd
Priority to CN202011528489.1A
Publication of CN112560048A
Application granted
Publication of CN112560048B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/30 Computing systems specially adapted for manufacturing


Abstract

A code security scanning method, a code security scanning system and a storage medium are provided. The code security scanning method comprises the following steps: constructing a vulnerability processing priority table according to an existing vulnerability database and the vulnerability hazard degree; detecting whether a third-party package has been uploaded to an Artifactory end; scanning the third-party package for code vulnerabilities to be processed through a code security detection tool, and acquiring the corresponding names of the code vulnerabilities to be processed; and processing the code vulnerabilities to be processed according to the vulnerability processing priority table and the names of the code vulnerabilities to be processed. Because the method establishes a vulnerability processing priority table, the hazard degrees of the different code vulnerabilities to be processed are known, and the code vulnerabilities with a high hazard degree can be processed first. The third-party package uploaded to the Artifactory end is actively scanned by the code security detection tool, so the presence of a vulnerability is detected quickly at the source and further spread of the harm is avoided.

Description

Code security scanning method, code security scanning system and storage medium
Technical Field
The invention belongs to the field of information technology, and particularly relates to a code security scanning method, a code security scanning system and a storage medium.
Background
Code security scanning is one of the more frequently mentioned software application security solutions of recent years. Code security scanning refers to checking code for security vulnerabilities according to specific rules, through which security vulnerabilities existing in the code can be discovered.
At present, the method for handling code security vulnerabilities mainly consists of manually analyzing the scan results and then manually repairing them. If vulnerabilities are repaired directly, the impact of the different vulnerabilities is not well understood, and the vulnerabilities can only be checked and handled in the order in which they were discovered, so some critical vulnerabilities are not handled first and the damage spreads further.
Disclosure of Invention
The present invention is directed to solving at least one of the problems of the prior art. Therefore, the invention provides a code security scanning method capable of processing code vulnerabilities according to their different degrees of harm. The invention also provides a code security scanning system and a storage medium storing computer-executable instructions for the code security scanning method.
The code security scanning method according to the embodiment of the first aspect of the invention comprises the following steps:
constructing a vulnerability processing priority table according to the existing vulnerability database and the vulnerability hazard degree;
detecting whether a third-party package has been uploaded to the Artifactory end;
scanning the third-party package for code vulnerabilities to be processed through a code security detection tool, and acquiring the corresponding names of the code vulnerabilities to be processed;
and processing the code vulnerabilities to be processed according to the vulnerability processing priority table and the names of the code vulnerabilities to be processed.
The code security scanning method provided by the embodiment of the invention has at least the following technical effects: the vulnerability processing priority table is established from the existing vulnerability database and the vulnerability hazard degree, so that after the code security detection tool has scanned the code vulnerabilities to be processed, the hazard degree of each is known and those with a high hazard degree can be processed first. The third-party package uploaded to the Artifactory end is actively scanned by the code security detection tool, so the presence of a vulnerability is detected quickly at the source and further spread of the harm is avoided.
According to some embodiments of the invention, the code security detection tool employs a JFrog XRAY component.
According to some embodiments of the present invention, the vulnerability processing priority table includes a plurality of in-library vulnerability names and a plurality of priority processing levels corresponding to the plurality of in-library vulnerability names; the priority processing levels are respectively: high-risk vulnerabilities, general vulnerabilities and minor vulnerabilities.
According to some embodiments of the present invention, processing the plurality of code vulnerabilities to be processed according to the vulnerability processing priority table and the names of the code vulnerabilities to be processed includes the following steps:
scanning the vulnerability processing priority table according to the names of the code vulnerabilities to be processed, and acquiring the plurality of in-library vulnerability names corresponding to those names;
acquiring the priority processing levels corresponding to the plurality of in-library vulnerability names, and generating a vulnerability to-be-processed file information table;
and transmitting the vulnerability to-be-processed file information table to a vulnerability processing end.
According to some embodiments of the present invention, the code security scanning method further includes the following steps:
constructing a notification address table according to the correspondence between product names and the information of the technical responsible persons;
acquiring the source of the third-party package through the JFrog XRAY component, and acquiring the problem product information from that source;
and scanning the notification address table for a product name consistent with the problem product information; if one is found, acquiring the information of the technical responsible person and notifying the corresponding vulnerability processing end according to that information.
According to some embodiments of the present invention, the code security scanning method further includes the following steps:
and scanning the notification address table for a product name consistent with the problem product information; if none is found, creating a new entry in the notification address table and notifying a vulnerability comprehensive processing end.
A code security scanning system according to an embodiment of the second aspect of the present invention includes:
a database, which holds a vulnerability database and a vulnerability processing priority table constructed according to the vulnerability database and the vulnerability hazard degree;
a code security detection tool, which detects the code vulnerabilities to be processed in the third-party package uploaded to the Artifactory end and acquires the corresponding names of the code vulnerabilities to be processed;
and a vulnerability processing module, which processes the code vulnerabilities to be processed according to the vulnerability processing priority table and the names of the code vulnerabilities to be processed.
The code security scanning system provided by the embodiment of the invention has at least the following technical effects: the vulnerability processing priority table is established from the existing vulnerability database and the vulnerability hazard degree, so that after the code security detection tool has scanned the code vulnerabilities to be processed, the hazard degree of each is known and those with a high hazard degree can be processed first. The third-party package uploaded to the Artifactory end is actively scanned by the code security detection tool, so the presence of a vulnerability is detected quickly at the source and further spread of the harm is avoided.
According to some embodiments of the invention, the code security detection tool employs a JFrog XRAY component.
According to some embodiments of the present invention, the code security scanning system further includes a source tracing unit and a vulnerability notification unit; a notification address table is built in the database according to the correspondence between product names and the information of the technical responsible persons; the source tracing unit acquires the source of the third-party package through the JFrog XRAY component and acquires the problem product information from that source; and the vulnerability notification unit scans the notification address table for a product name consistent with the problem product information and notifies the corresponding vulnerability processing end according to the corresponding technical responsible person information.
The computer-readable storage medium according to the third aspect of the invention stores computer-executable instructions for causing a computer to perform the code security scanning method of the above aspect.
The computer-readable storage medium according to the embodiment of the invention has at least the following advantages: storage and transfer of computer-executable instructions may be facilitated by a storage medium.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
The above and additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a simplified flow diagram of a code security scanning method according to an embodiment of the present invention;
fig. 2 is a block diagram of a code security scanning system according to an embodiment of the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the accompanying drawings are illustrative only for the purpose of explaining the present invention, and are not to be construed as limiting the present invention.
In the description of the present invention, if there are first, second, third, fourth, etc. described only for the purpose of distinguishing technical features, they are not to be interpreted as indicating or implying relative importance or implying number of indicated technical features or implying precedence of indicated technical features.
In the description of the present invention, unless otherwise explicitly defined, terms such as arrangement, connection and the like should be broadly construed, and those skilled in the art can reasonably determine the specific meanings of the above terms in the present invention in combination with the detailed contents of the technical solutions.
A code security scanning method according to an embodiment of the first aspect of the invention is described below with reference to fig. 1 to 2.
The code security scanning method provided by the embodiment of the invention comprises the following steps:
constructing a vulnerability processing priority table according to the existing vulnerability database and the vulnerability hazard degree;
detecting whether a third-party package has been uploaded to the Artifactory end;
scanning the third-party package for code vulnerabilities to be processed through a code security detection tool, and acquiring the corresponding names of the code vulnerabilities to be processed;
and processing the code vulnerabilities to be processed according to the vulnerability processing priority table and the names of the code vulnerabilities to be processed.
The vulnerability database is generally the NVD (National Vulnerability Database); many code security detection tools on the market ship with this database, and it lists publicly known third-party packages that contain vulnerabilities. However, the impact of a vulnerability on a specific product cannot be known from the vulnerability database alone, so here the vulnerabilities are ranked according to the degree of harm each causes to the product, and a corresponding vulnerability processing priority table is finally constructed. The vulnerability processing priority table is convenient for subsequent scanning and use, and can be modified directly when different products are detected.
In order to discover vulnerabilities early and so reduce the harm they cause, when a third-party package is uploaded to the Artifactory end, the third-party package is scanned by the code security detection tool to find out whether it contains vulnerabilities.
The code security detection tool scans the third-party package for code vulnerabilities to be processed and so learns their names; matching these names against the vulnerability processing priority table gives the processing order of all the code vulnerabilities found, which are then transmitted to the vulnerability processing end for processing in that order. When no code vulnerability to be processed is found by the scan, the detection result is marked directly on the third-party package; when a single code vulnerability to be processed is detected, the vulnerability processing priority table need not be consulted and the vulnerability is sent directly to the vulnerability processing end for processing.
According to the code security scanning method provided by the embodiment of the invention, the vulnerability processing priority table is established from the existing vulnerability database and the vulnerability hazard degree, so that after the code security detection tool has scanned the code vulnerabilities to be processed, the hazard degree of each is known and those with a high hazard degree can be processed first. The third-party package uploaded to the Artifactory end is actively scanned by the code security detection tool, so the presence of a vulnerability is detected quickly at the source and further spread of the harm is avoided.
In some embodiments of the invention, the code security detection tool employs the JFrog XRAY component. The JFrog XRAY component works together with the Artifactory end: any third-party package (e.g. struts2.3.5.jar) uploaded to the Artifactory end is subjected to vulnerability scanning by the JFrog XRAY component. Once the JFrog XRAY component obtains the uploaded third-party package, it compares the sha1/sha256 digest of the third-party package with the sha1/sha256 digests in the vulnerability database; if a match is found, the package is indicated as carrying a vulnerability risk. The JFrog XRAY component supports data providers such as WhiteSource, Aqua and BlackDuck.
The JFrog XRAY component is different from any other binary analysis product. Each unpacked component is examined separately for potential vulnerabilities and policy violations and mapped and merged into an Xray platform generic component graph representing the entire organizational software structure. This allows the user to obtain maximum visibility into software dependent items and to truly understand the impact of each problem discovered.
In some embodiments of the invention, the vulnerability processing priority table comprises a plurality of in-library vulnerability names and a plurality of priority processing levels corresponding to the plurality of in-library vulnerability names; the priority processing levels are respectively: high-risk vulnerabilities, general vulnerabilities and minor vulnerabilities. For a given product, different vulnerabilities cause problems of different severity, so the priorities of the in-library vulnerabilities need to be ranked, so that a dedicated person can be assigned to handle a high-risk vulnerability as soon as it is found and further spread of the damage is avoided.
In some embodiments of the present invention, processing the plurality of code vulnerabilities to be processed according to the vulnerability processing priority table and the names of the code vulnerabilities to be processed includes the following steps:
scanning the vulnerability processing priority table according to the plurality of names of the code vulnerabilities to be processed, and acquiring the plurality of in-library vulnerability names corresponding to those names;
acquiring the priority processing levels corresponding to the plurality of in-library vulnerability names, and generating a vulnerability to-be-processed file information table;
and transmitting the vulnerability to-be-processed file information table to a vulnerability processing end.
After the names of the code vulnerabilities to be processed are obtained, the corresponding priority processing level of each vulnerability is known as soon as the same in-library vulnerability name is matched in the vulnerability processing priority table. Once all vulnerabilities have been ranked by priority, a corresponding vulnerability to-be-processed file information table is generated, which comprises the names of the code vulnerabilities to be processed and their corresponding priority processing levels. Therefore, after the vulnerability processing end receives the vulnerability to-be-processed file information table, processing can start from the vulnerability with the highest risk degree.
In some embodiments of the present invention, the code security scanning method further includes the following steps:
constructing a notification address table according to the correspondence between product names and the information of the technical responsible persons;
acquiring the source of the third-party package through the JFrog XRAY component, and acquiring the problem product information from that source;
and scanning the notification address table for a product name consistent with the problem product information; if one is found, acquiring the information of the technical responsible person and notifying the corresponding vulnerability processing end according to that information.
In practical engineering, one platform does not serve only one product; several products may be developed on the same platform at the same time. Therefore, after a code vulnerability to be processed is found, the source of the third-party package must be obtained first, and the information of the technical responsible person is then found from that source, so that the corresponding technical responsible person can be informed to carry out the vulnerability processing.
In order to locate the specific technical responsible person quickly, a notification address table is constructed in which each product name is recorded together with the information of its technical responsible person; then only the problem product information of the affected product needs to be known, the product name in the notification address table can be matched quickly, and the technical responsible person is identified. There are many ways to notify the vulnerability processing end where the technical responsible person is located; the most common are mail notifications and Web Hook notifications.
In some embodiments of the present invention, the code security scanning method further includes the following steps:
and scanning the notification address table for a product name consistent with the problem product information; if none is found, creating a new entry in the notification address table and notifying the vulnerability comprehensive processing end.
In practical engineering, the information may not have been consolidated in advance, so the notification address table may lack the corresponding product name; in that case a new entry is created separately for the product in the notification address table, and the vulnerability comprehensive processing end is notified to carry out comprehensive processing. The specific source is typically determined afterwards, and the complete entry is then filled in for subsequent use.
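The flow described above (digest comparison of the uploaded package against the vulnerability database, matching the scanned names to the priority table to build the to-be-processed file information table, and routing the notification either to the technical responsible person or to the comprehensive processing end), as an added Python example that is not the patent's or JFrog's code. All package bytes, vulnerability names, products and addresses are constructed placeholders, and treating names absent from the priority table as "unclassified" is an assumption of the example.

```python
"""Added example (not the patent's own code): toy version of the described
scanning pipeline. Every name, digest, product and address is constructed."""
from __future__ import annotations

import hashlib

# The three priority processing levels named in the description, most urgent first.
HIGH_RISK = "high risk vulnerability"
GENERAL = "general vulnerability"
MINOR = "minor vulnerability"
LEVEL_ORDER = {HIGH_RISK: 0, GENERAL: 1, MINOR: 2}

# Constructed stand-in for an uploaded third-party package and for the
# vulnerability database record that lists it. The database is keyed by the
# package's sha1/sha256 digests; each value lists the in-library vulnerability
# names the package is known to carry.
KNOWN_BAD_PACKAGE = b"constructed bytes standing in for a vulnerable jar"
KNOWN_BAD_NAMES = ["EXAMPLE-VULN-1", "EXAMPLE-VULN-2", "EXAMPLE-VULN-3"]
VULN_DB = {
    "sha256": {hashlib.sha256(KNOWN_BAD_PACKAGE).hexdigest(): KNOWN_BAD_NAMES},
    "sha1": {hashlib.sha1(KNOWN_BAD_PACKAGE).hexdigest(): KNOWN_BAD_NAMES},
}

# Vulnerability processing priority table for one product:
# in-library vulnerability name -> priority processing level (constructed).
PRIORITY_TABLE = {
    "EXAMPLE-VULN-1": MINOR,
    "EXAMPLE-VULN-2": HIGH_RISK,
    "EXAMPLE-VULN-3": GENERAL,
}

# Notification address table: product name -> technical responsible person (constructed).
ADDRESS_TABLE = {
    "billing-service": {"owner": "Alice (constructed)", "mail": "alice@example.invalid"},
}
COMPREHENSIVE_END = "vulnerability comprehensive processing end"


def identify_package(data: bytes) -> list[str]:
    """Digest comparison as the description outlines it: hash the uploaded
    package and look the digest up in the vulnerability database. sha256 is
    tried first, sha1 as a fallback for records that only carry the older digest."""
    for algo in ("sha256", "sha1"):
        digest = hashlib.new(algo, data).hexdigest()
        names = VULN_DB[algo].get(digest)
        if names:
            return list(names)
    return []


def build_file_info_table(found_names: list[str], priority_table: dict) -> list[dict]:
    """Match the scanned names against the priority table and emit the
    vulnerability to-be-processed file information table, ordered so the
    processing end starts with the highest-risk entry. Names missing from
    the table are labelled "unclassified" and sorted last (assumption)."""
    rows = [{"name": n, "level": priority_table.get(n, "unclassified")} for n in found_names]
    rows.sort(key=lambda r: LEVEL_ORDER.get(r["level"], len(LEVEL_ORDER)))
    return rows


def route_notification(product_name: str, address_table: dict) -> dict:
    """Look the problem product up in the notification address table.
    Known product: notify its technical responsible person by mail.
    Unknown product: create a placeholder entry to be completed later and
    notify the comprehensive processing end instead."""
    entry = address_table.get(product_name)
    if entry is not None:
        return {"target": entry["owner"], "channel": "mail", "address": entry["mail"]}
    address_table[product_name] = {"owner": None, "mail": None}  # filled in once the source is known
    return {"target": COMPREHENSIVE_END, "channel": "webhook", "address": None}


def scan_upload(package: bytes, product_name: str) -> dict:
    """Handle one upload event: identify the package, rank its vulnerabilities,
    and decide who is notified. A clean package is only marked as scanned."""
    names = identify_package(package)
    if not names:
        return {"status": "scanned-clean", "table": [], "notify": None}
    return {
        "status": "vulnerable",
        "table": build_file_info_table(names, PRIORITY_TABLE),
        "notify": route_notification(product_name, ADDRESS_TABLE),
    }


if __name__ == "__main__":
    print(scan_upload(KNOWN_BAD_PACKAGE, "billing-service"))
    print(scan_upload(b"constructed clean package", "unknown-product"))
```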
The code security scanning system comprises a database, a code security detection tool and a vulnerability processing module.
a database, which holds a vulnerability database and a vulnerability processing priority table constructed according to the vulnerability database and the vulnerability hazard degree;
a code security detection tool, which detects the code vulnerabilities to be processed in the third-party package uploaded to the Artifactory end and acquires the corresponding names of the code vulnerabilities to be processed;
and a vulnerability processing module, which processes the code vulnerabilities to be processed according to the vulnerability processing priority table and the names of the code vulnerabilities to be processed.
The vulnerability database is generally the NVD (National Vulnerability Database); many code security detection tools on the market ship with this database, and it lists publicly known third-party packages that contain vulnerabilities. However, the impact of a vulnerability on the product cannot be known from the vulnerability database alone, so the vulnerabilities are ranked according to the degree of harm each causes to the product, and a corresponding vulnerability processing priority table is finally generated. The vulnerability processing priority table is convenient for subsequent scanning and use, and can be modified conveniently when different products are detected.
The code security detection tool scans out the code vulnerabilities to be processed in the third-party package and so learns their names; the vulnerability processing module then matches these names against the vulnerability processing priority table, which gives the processing order of all the code vulnerabilities found, and transmits them to the vulnerability processing end for processing in that order. When no code vulnerability to be processed is found by the scan, the detection result is marked directly on the third-party package; when a single code vulnerability to be processed is detected, the vulnerability processing priority table need not be consulted and the vulnerability is sent directly to the vulnerability processing end for processing.
According to the code security scanning system provided by the embodiment of the invention, the vulnerability processing priority table is established from the existing vulnerability database and the vulnerability hazard degree, so that after the code security detection tool has scanned the code vulnerabilities to be processed, the hazard degree of each is known and those with a high hazard degree can be processed first. The third-party package uploaded to the Artifactory end is actively scanned by the code security detection tool, so the presence of a vulnerability is detected quickly at the source and further spread of the harm is avoided.
In some embodiments of the invention, the code security detection tool employs a JFrog XRAY component. The JFrog XRAY component works with JFrog Artifactory: any third-party package (e.g. struts2.3.5.jar) uploaded to Artifactory is scanned for vulnerabilities by XRAY. Once the JFrog XRAY component obtains the uploaded third-party package, it compares the sha1/sha256 digest of the third-party package with the sha1/sha256 digests in the vulnerability database; if a match is found, the package is indicated as being at vulnerability risk. The JFrog XRAY component supports data providers such as WhiteSource, Aqua and BlackDuck.
The JFrog XRAY component is different from any other binary analysis product. Each unpacked component is examined separately for potential vulnerabilities and policy violations and mapped and merged into an Xray platform generic component graph representing the entire organizational software structure. This allows the user to obtain maximum visibility into software dependent items and to truly understand the impact of each problem discovered.
In some embodiments of the present invention, the code security scanning system further includes a source tracing unit and a vulnerability notification unit; a notification address table is built in the database according to the correspondence between product names and the information of the technical responsible persons; the source tracing unit acquires the source of the third-party package through the JFrog XRAY component and acquires the problem product information from that source; and the vulnerability notification unit scans the notification address table for a product name consistent with the problem product information and notifies the corresponding vulnerability processing end according to the corresponding technical responsible person information.
In practical engineering, one platform does not serve only one product; several products may be developed on the same platform at the same time. Therefore, after a code vulnerability to be processed is found, the source of the third-party package must be obtained first, and the information of the technical responsible person is then found from that source, so that the corresponding technical responsible person can be informed to carry out the vulnerability processing.
In order to locate the specific technical responsible person quickly, a notification address table is constructed in which each product name is recorded together with the information of its technical responsible person; then only the problem product information of the affected product needs to be known, the product name in the notification address table can be matched quickly, and the technical responsible person is identified. There are many ways to notify the vulnerability processing end where the technical responsible person is located; the most common are mail notifications and Web Hook notifications.
According to the third aspect of the invention, the computer-readable storage medium stores computer-executable instructions for causing a computer to execute the code security scanning method.
Computer-readable storage media according to embodiments of the present invention may facilitate storage and transfer of computer-executable instructions by the storage media.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an illustrative embodiment," "an example," "a specific example," or "some examples" or the like mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although the embodiments of the present invention have been described in detail with reference to the accompanying drawings, the present invention is not limited to the embodiments, and those skilled in the art will understand that: various changes, modifications, substitutions and alterations can be made to the embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.

Claims (10)

1. A code security scanning method, comprising the steps of:
constructing a vulnerability processing priority table according to the existing vulnerability database and the vulnerability hazard degree;
detecting whether a third-party package has been uploaded to the Artifactory end;
scanning the code vulnerabilities to be processed in the third-party package with a code security detection tool, and acquiring the corresponding names of the code vulnerabilities to be processed;
and processing the code vulnerabilities to be processed according to the vulnerability processing priority table and the names of the code vulnerabilities to be processed.
2. The code security scanning method according to claim 1, wherein the code security detection tool employs the JFrog XRAY component.
3. The code security scanning method according to claim 2, wherein the vulnerability processing priority table includes a plurality of in-repository vulnerability names and a plurality of priority processing levels corresponding to the plurality of in-repository vulnerability names; the priority processing levels are respectively: high risk vulnerabilities, general vulnerabilities, minor vulnerabilities.
4. The code security scanning method according to claim 3, wherein processing the plurality of code vulnerabilities to be processed according to the vulnerability processing priority table and the names of the code vulnerabilities to be processed comprises the following steps:
scanning the vulnerability processing priority table according to the names of the code vulnerabilities to be processed, and acquiring the plurality of in-repository vulnerability names corresponding to the names of the code vulnerabilities to be processed;
acquiring the priority processing levels corresponding to the plurality of in-repository vulnerability names, and generating a vulnerability to-be-processed file information table;
and transmitting the vulnerability to-be-processed file information table to a vulnerability processing end.
5. The code security scanning method of claim 2, further comprising the steps of:
constructing a notification address table according to the correspondence between the product name and the information of the technical responsible person;
acquiring the source of the third-party package through the JFrog XRAY component, and acquiring problem product information from the source;
and scanning the notification address table for a product name consistent with the problem product information; if one is found, acquiring the information of the technical responsible person, and notifying the corresponding vulnerability handling end according to the information of the technical responsible person.
6. The code security scanning method of claim 5, further comprising the steps of:
scanning the notification address table for a product name consistent with the problem product information; if none is found, creating a new entry in the notification address table, and notifying a vulnerability comprehensive processing end.
7. A code security scanning system, comprising:
a database, in which a vulnerability database and a vulnerability processing priority table constructed according to the vulnerability database and the vulnerability hazard degree are provided;
a code security detection tool, used for detecting the code vulnerabilities to be processed in the third-party package uploaded to the Artifactory end and acquiring the corresponding names of the code vulnerabilities to be processed;
and a vulnerability processing module, used for processing the code vulnerabilities to be processed according to the vulnerability processing priority table and the names of the code vulnerabilities to be processed.
8. The code security scanning system of claim 7, wherein the code security detection tool employs the JFrog XRAY component.
9. The code security scanning system of claim 8, further comprising a source tracing unit and a vulnerability notification unit; a notification address table is built in the database according to the correspondence between the product name and the information of the technical responsible person; the source tracing unit is used for acquiring the source of the third-party package through the JFrog XRAY component and acquiring problem product information from the source; and the vulnerability notification unit is used for scanning the notification address table for a product name consistent with the problem product information and notifying the corresponding vulnerability processing end according to the corresponding technical responsible person information.
10. A computer-readable storage medium, wherein the computer-readable storage medium stores computer-executable instructions for causing a computer to perform the code security scanning method as claimed in any one of claims 1 to 6.
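The triage and routing steps described in the notification passage above and in claims 1, 4, 5 and 6, as an added example that is not the patent's own code: findings are looked up in a priority table, sorted by processing level, grouped by product and addressed to the product's technical responsible person, with the claim 6 fallback (new entry plus notification of the comprehensive processing end) for products missing from the address table. The tables, the finding tuples and the addresses are constructed sample data; in a real deployment they would come from the vulnerability database and from JFrog Xray scan results, and delivery by mail or Web Hook is left out.

```python
from collections import defaultdict

# Vulnerability processing priority table (claim 3): constructed sample rows
# keyed by in-repository vulnerability name. Names are placeholders, not real CVEs.
PRIORITY_TABLE = {
    "CVE-EXAMPLE-0001": "high risk",
    "CVE-EXAMPLE-0002": "general",
    "CVE-EXAMPLE-0003": "minor",
}
# Notification address table (claim 5): product name -> technical responsible person.
ADDRESS_TABLE = {"billing-service": "alice@example.invalid"}
COMPREHENSIVE_HANDLER = "security-team@example.invalid"  # claim 6 fallback address
LEVEL_ORDER = {"high risk": 0, "general": 1, "minor": 2, "unclassified": 3}

def build_pending_table(findings):
    """Claim 4: look each finding up in the priority table and attach its level.
    A name missing from the table is kept and flagged, never silently dropped."""
    rows = [{"product": product, "package": package, "vulnerability": name,
             "level": PRIORITY_TABLE.get(name, "unclassified")}
            for product, package, name in findings]
    return sorted(rows, key=lambda r: LEVEL_ORDER[r["level"]])

def route_notifications(pending, address_table):
    """Claims 5 and 6: group rows by product and address them to the product's
    technical responsible person; a product with no usable entry gets a new
    (empty) entry and its rows go to the comprehensive processing end instead."""
    by_product = defaultdict(list)
    for row in pending:
        by_product[row["product"]].append(row)
    deliveries = defaultdict(list)
    for product, rows in by_product.items():
        owner = address_table.get(product)
        if owner is None:
            address_table.setdefault(product, None)  # new entry awaiting an owner
            owner = COMPREHENSIVE_HANDLER
        deliveries[owner].extend(rows)
    return dict(deliveries)

# Constructed scan findings: (product, third-party package, vulnerability name).
SAMPLE_FINDINGS = [
    ("billing-service", "libfoo-1.2.jar", "CVE-EXAMPLE-0003"),
    ("billing-service", "libbar-0.9.jar", "CVE-EXAMPLE-0001"),
    ("new-product", "libbaz-2.0.jar", "CVE-EXAMPLE-0002"),
    ("new-product", "libqux-3.1.jar", "CVE-NOT-IN-TABLE"),
]

if __name__ == "__main__":
    pending = build_pending_table(SAMPLE_FINDINGS)
    for dest, rows in route_notifications(pending, dict(ADDRESS_TABLE)).items():
        print(dest, [(r["vulnerability"], r["level"]) for r in rows])
```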

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011528489.1A CN112560048B (en) 2020-12-22 2020-12-22 Code security scanning method, code security scanning system and storage medium
Publications (2)

Publication Number Publication Date
CN112560048A true CN112560048A (en) 2021-03-26
CN112560048B CN112560048B (en) 2024-01-30

Family

ID=75031317
Country Status (1)

Country Link
CN (1) CN112560048B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022247199A1 (en) * 2021-05-24 2022-12-01 深圳前海微众银行股份有限公司 Vulnerability detection method and apparatus for open-source component
Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106598842A (en) * 2016-11-10 2017-04-26 乐视控股(北京)有限公司 Code detection method and device and electronic equipment
CN107392031A (en) * 2017-08-04 2017-11-24 杭州安恒信息技术有限公司 The scan method and device of leak
US20190114435A1 (en) * 2017-10-13 2019-04-18 2509757 Ontario Inc. Security risk identification in a secure software lifecycle
US10706156B2 (en) * 2017-10-13 2020-07-07 1230604 BC Ltd. Security risk identification in a secure software lifecycle
US20200120126A1 (en) * 2018-10-15 2020-04-16 International Business Machines Corporation Prioritizing vulnerability scan results
CN109871696A (en) * 2018-12-29 2019-06-11 重庆城市管理职业学院 A kind of automatic collection and vulnerability scanning system and method, computer of vulnerability information
CN110110527A (en) * 2019-05-10 2019-08-09 重庆八戒电子商务有限公司 A kind of discovery method of loophole component, discovery device, computer installation and storage medium
CN110781078A (en) * 2019-09-29 2020-02-11 苏州浪潮智能科技有限公司 Code vulnerability processing method and device
CN111625839A (en) * 2020-05-29 2020-09-04 深圳前海微众银行股份有限公司 Third-party component vulnerability detection method, device, equipment and computer storage medium
Also Published As

Publication number Publication date
CN112560048B (en) 2024-01-30
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 518000 building 501, 502, 601, 602, building D, wisdom Plaza, Qiaoxiang Road, Gaofa community, Shahe street, Nanshan District, Shenzhen City, Guangdong Province

Patentee after: China Southern Power Grid Digital Platform Technology (Guangdong) Co.,Ltd.

Address before: 518000 building 501, 502, 601, 602, building D, wisdom Plaza, Qiaoxiang Road, Gaofa community, Shahe street, Nanshan District, Shenzhen City, Guangdong Province

Patentee before: China Southern Power Grid Shenzhen Digital Power Grid Research Institute Co.,Ltd.