CN112906007A - Open source software vulnerability management and control method and device - Google Patents


Publication number
CN112906007A
Authority
CN
China
Prior art keywords
source software
vulnerability
open source
open
software vulnerability
Legal status (assumed, not a legal conclusion)
Pending
Application number
CN202110177893.7A
Other languages
Chinese (zh)
Inventor
蔡兵克
张泳
刘伟
刁水带
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202110177893.7A
Publication of CN112906007A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/65 Updates

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Stored Programmes (AREA)

Abstract

The invention belongs to the technical field of information security and provides an open source software vulnerability management and control method and device. The method comprises the following steps: acquiring characteristic values corresponding to all code files in the system; traversing the characteristic values in an open source software vulnerability database to generate a traversal result; and managing and controlling the open source software vulnerabilities in the system according to the traversal result. The invention overcomes the defects of the traditional methods for handling open source software vulnerabilities. By comparing the fingerprints of the open source software used by the enterprise with the fingerprints of vulnerable software in the open source software vulnerability database, the influence range of the current vulnerability is determined; propagation of the vulnerable open source software is automatically and effectively prevented according to the solution provided by the vulnerability database; and vulnerabilities in the production environment are repaired automatically, so that vulnerabilities are found in time, isolated in time and upgraded automatically.

Description

Open source software vulnerability management and control method and device
Technical Field
The application relates to the technical field of information security, in particular to a method and a device for managing and controlling vulnerabilities of open source software.
Background
With the explosive growth in the use of open source software by the financial industry and internet enterprises, large enterprises usually pay attention to the availability and functionality of open source software when introducing it and neglect vulnerability management and control. The rapid development of the internet has brought a great amount of open source software with it, but once a vulnerability is disclosed the enterprise has no effective means to determine which vulnerabilities exist in the open source software it uses, which of them have an impact, how to obtain the vulnerability information as soon as possible while blocking the spread of the vulnerability, and how to remedy vulnerable open source software that is already in production. This is currently the most important problem faced by most internet enterprises using open source software, and one that urgently needs to be solved.
In the prior art, open source software vulnerabilities are managed by learning of the vulnerability risk through the CNNVD (the national information security vulnerability database), which publishes whether a repair scheme, emergency mitigation measures and other such information exist. The enterprise needs to subscribe to this information, and once a vulnerability in open source software is disclosed (for example, the Fastjson vulnerability in 2019), the enterprise starts to organize and comb through the applications currently deployed in production that use the vulnerable open source software, and then organizes emergency production patching according to the repair scheme published by the CNNVD.
This method has the following defects, which seriously affect vulnerability repair efficiency: first, there is a certain delay in receiving the information released by the CNNVD; second, combing through which applications in the production environment use the open source software is very time-consuming; and third, there is a further delay between fixing the vulnerability and patching production. Together these three delays create a very long window during which the vulnerability can be exploited, and in severe cases they can lead to huge potential safety hazards and property losses.
Disclosure of Invention
The invention belongs to the technical field of information security. It overcomes the shortcomings of internet enterprises in the financial, communication and other fields in managing and controlling open source software vulnerabilities, as well as the low efficiency and long implementation period of traditional means, and provides an efficient, safe, intelligent and autonomous vulnerability management, control and treatment scheme and device.
In order to solve the technical problems, the invention provides the following technical scheme:
acquiring characteristic values corresponding to all code files in the system;
traversing the characteristic values in an open source software vulnerability database to generate a traversal result;
and managing and controlling the open source software bugs in the system according to the traversal result.
In an embodiment, the obtaining characteristic values corresponding to all code files in the system includes:
acquiring the code files according to the current code base, the branch of the current code base, the original baseline of the current code base and the current baseline of the current code base;
and calculating the MD5 value corresponding to the code file.
In an embodiment, the managing and controlling the open-source software vulnerability in the system according to the traversal result includes:
if the traversal result is that the MD5 value corresponds to an open-source software vulnerability in the open-source software vulnerability database, upgrading the open source software vulnerability.
In one embodiment, upgrading the open source software vulnerability includes:
determining an application service node and a deployment node directory corresponding to the open source software vulnerability;
and respectively upgrading the open source software vulnerabilities of the application service nodes and the open source software vulnerabilities of the deployment node directory.
In a second aspect, the present invention provides an open source software vulnerability management and control apparatus, including:
an MD5 value acquisition unit, which is used for acquiring the characteristic values corresponding to all code files in the system;
the traversal result generating unit is used for traversing the characteristic values in the open-source software vulnerability database to generate a traversal result;
and the vulnerability control unit is used for controlling the open source software vulnerability in the system according to the traversal result.
In one embodiment, the MD5 value obtaining unit includes:
the code file acquisition module is used for acquiring the code files according to the current code base, the branches of the current code base, the original baseline of the current code base and the current baseline of the current code base;
and the MD5 value calculating module is used for calculating the MD5 value corresponding to the code file.
In an embodiment, the vulnerability management and control unit is specifically configured to upgrade the open-source software vulnerability.
In one embodiment, the vulnerability management unit includes:
the node determining module is used for determining an application service node and a deployment node directory corresponding to the open source software vulnerability;
and the vulnerability upgrading module is used for respectively upgrading the open source software vulnerability of the application service node and the open source software vulnerability of the deployment node directory.
In a third aspect, the present invention provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the steps of the open source software vulnerability management and control method when executing the program.
In a fourth aspect, the present invention provides a computer readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the steps of the open source software vulnerability management and control method.
As can be seen from the above description, the embodiments of the present invention provide a method and an apparatus for managing and controlling vulnerabilities of open source software: first, feature values corresponding to all code files in a system are obtained; the feature values are then traversed in the open-source software vulnerability database to generate a traversal result; and finally the open source software vulnerabilities in the system are managed and controlled according to the traversal result. The invention overcomes the defects of the traditional methods for handling open source software vulnerabilities in the industry. Using fingerprint code comparison, it compares the fingerprints of the open source software used by the enterprise with the fingerprints of vulnerable software in the open source software vulnerability database to determine the influence range of the current vulnerability, automatically and effectively prevents the propagation of the vulnerable open source software according to the solution provided by the vulnerability database, and at the same time repairs vulnerabilities in the production environment automatically, so that vulnerabilities are found in time, isolated in time and upgraded automatically.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a schematic flow chart illustrating a vulnerability management and control method of open source software according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating step 100 according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating step 300 according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating step 301 according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating a method for managing and controlling vulnerabilities of open source software in an exemplary application of the present invention;
FIG. 6 is a schematic structural diagram of an open source software vulnerability management and control apparatus according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of the MD5 value obtaining unit 10 according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of the vulnerability management and control unit 30 according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of an electronic device according to an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the present invention provides a specific implementation manner of an open source software vulnerability management and control method, which is shown in fig. 1 and specifically includes the following contents:
step 100: and acquiring characteristic values corresponding to all code files in the system.
Open-source software refers to software whose source code is available to the public, and whose use, modification and distribution are not restricted by its license. Open source software is developed by programmers distributed throughout the world, and may be developed by colleges, government agencies, contractors, associations and commercial companies. The opening of source code is a people-oriented mode of innovation, characterized by open and shared innovation, brought about by the network revolution that followed the development of information technology. Thanks to friendly licenses and an open collaborative development model, the amount of open source software has grown exponentially, and the use of and dependence on it across industries, particularly the internet technology industry, has become ever more prominent.
It can be understood that the code files in step 100 correspond one-to-one with their characteristic values. A mapping between the code files in the system (there are generally many) and their characteristic values may be established first, after which each code file in the system can be located accurately and quickly through the mapping.
Step 200: traversing the characteristic values in an open source software vulnerability database to generate a traversal result;
It is understood that a vulnerability is a flaw in the hardware, software or protocol implementation of a computer information system or network, or in its security policy, that may allow an attacker to access or damage the system without authorization. Therefore, once a vulnerability is discovered, protective measures should be taken accordingly, a patch applied, or an upgrade performed.
In step 200, the open-source software vulnerability database may be the national information security vulnerability database (CNNVD), which publishes in real time information on vulnerabilities affecting system security on the internet together with the corresponding solutions. Specifically, the fingerprint of the vulnerable software in the vulnerability database is compared with the fingerprints of the enterprise's production deployment to define the scope affected by the vulnerability.
step 300: managing and controlling open source software bugs in the system according to the traversal result;
specifically, when the traversal result indicates that the corresponding characteristic value exists in the open-source software vulnerability database, the corresponding vulnerability exists in the system, and the system needs to be upgraded, otherwise, the system is considered to be safe at this time and does not need to be processed.
As can be seen from the above description, an embodiment of the present invention provides a method for managing and controlling vulnerabilities of open source software: first, feature values corresponding to all code files in a system are obtained; the feature values are then traversed in the open-source software vulnerability database to generate a traversal result; and finally the open source software vulnerabilities in the system are managed and controlled according to the traversal result. The invention overcomes the defects of the traditional methods for handling open source software vulnerabilities in the industry. Using fingerprint code comparison, it compares the fingerprints of the open source software used by the enterprise with the fingerprints of vulnerable software in the open source software vulnerability database to determine the influence range of the current vulnerability, automatically and effectively prevents the propagation of the vulnerable open source software according to the solution provided by the vulnerability database, and at the same time repairs vulnerabilities in the production environment automatically, so that vulnerabilities are found in time, isolated in time and upgraded automatically.
In one embodiment, referring to fig. 2, step 100 further comprises:
step 101: acquiring the code files according to the current code base, the branch of the current code base, the original baseline of the current code base and the current baseline of the current code base;
Specifically, all code files involved in the current baseline are obtained from the current code base, the code branch used by the current build, the original baseline of that branch for the current build, and the code files involved in the current baseline of that branch for the current build.
Step 102: calculating an MD5 value corresponding to the code file;
It is understood that the MD5 value is the characteristic value of step 100. MD5 (Message-Digest Algorithm 5) is one of the hash algorithms widely used by computers to ensure the integrity and consistency of transmitted information and to provide integrity protection for it. The basic principle of MD5 is to condense the input data into a 128-bit binary value, the message digest. MD5 can generate a unique "software fingerprint" for any file, and if anyone changes the file in any way, its MD5 value, i.e. the corresponding "software fingerprint", changes as well.
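The following is an added example, not code from the patent or from ICBC, of steps 100 to 300 as described above: it walks a code tree, maps every code file to the hash of its contents (steps 101 and 102), looks each fingerprint up in a vulnerability database (step 200) and reports whether the system needs upgrading (step 300). The directory layout, the artifact bytes, the database record and the identifier VULN-EXAMPLE-1 are all constructed for the example. The patent uses MD5, and MD5 is adequate for an exact-match lookup against known-bad artifacts, but it is not collision resistant, so the hash algorithm is a parameter and SHA-256 can be used where both the database and the scanner agree on it.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample artifacts: these bytes stand in for the contents of a
# vulnerable and a fixed build of a library; they are not a real jar.
VULNERABLE_JAR = b"constructed bytes of example-lib 1.0 (vulnerable)"
FIXED_JAR = b"constructed bytes of example-lib 1.1 (fixed)"


def fingerprint_file(path, algorithm="md5"):
    """Step 102: hash a file's contents in chunks and return the hex digest.

    MD5 (the patent's choice) is fine for an exact-match lookup of known-bad
    artifacts but is not collision resistant; pass "sha256" where possible.
    """
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint_tree(root, suffixes=(".jar", ".java", ".class"), algorithm="md5"):
    """Steps 100-102: map every code file under root (relative path) to its fingerprint."""
    root = Path(root)
    mapping = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            mapping[path.relative_to(root).as_posix()] = fingerprint_file(path, algorithm)
    return mapping


def traverse(mapping, vuln_db):
    """Step 200: look up each fingerprint in the vulnerability database."""
    return {rel: vuln_db[fp] for rel, fp in mapping.items() if fp in vuln_db}


def control(mapping, vuln_db):
    """Step 300: any hit means the system carries the vulnerability and must be upgraded."""
    hits = traverse(mapping, vuln_db)
    return {"needs_upgrade": bool(hits), "affected": hits}


def build_vuln_db(algorithm="md5"):
    """Constructed vulnerability database keyed by the fingerprint of the vulnerable artifact.

    A real deployment would synchronize these records from a feed such as CNNVD.
    """
    return {
        hashlib.new(algorithm, VULNERABLE_JAR).hexdigest(): {
            "id": "VULN-EXAMPLE-1",  # placeholder identifier, not a real CNNVD/CVE id
            "component": "example-lib",
            "version": "1.0",
            "fixed_version": "1.1",
        }
    }


def demo(include_vulnerable=True, algorithm="md5"):
    """Write a small constructed code tree to a temp dir and run steps 100-300 over it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "lib").mkdir()
        (root / "src").mkdir()
        (root / "src" / "Main.java").write_text("class Main {}\n")
        (root / "lib" / "example-lib-1.1.jar").write_bytes(FIXED_JAR)
        if include_vulnerable:
            (root / "lib" / "example-lib-1.0.jar").write_bytes(VULNERABLE_JAR)
        (root / "README.txt").write_text("not a code file, skipped by the scan\n")
        mapping = fingerprint_tree(root, algorithm=algorithm)
        result = control(mapping, build_vuln_db(algorithm))
        result["scanned"] = sorted(mapping)
        return result


if __name__ == "__main__":
    print(demo())
```

Because the mapping is keyed by relative path and the database by digest, the same scan can be replayed against a refreshed database without re-hashing the tree, which is what makes the "notify the build tool when new vulnerability information arrives" flow cheap.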
In one embodiment, referring to fig. 3, step 300 further comprises:
step 301: if the traversal result is that the MD5 value corresponds to an open-source software vulnerability in the open-source software vulnerability database, upgrading the open source software vulnerability.
Specifically, after the information about the vulnerability is provided to the user for a decision, the user decides on the vulnerability information and the recommended upgrade version provided. Once the user decides to upgrade the version, the product is rebuilt according to the recommended version selected by the user. When the product is rebuilt, the fingerprint codes calculated for this build are sent back to the vulnerability analysis tool for analysis, and if the vulnerability analysis tool reports that no vulnerability information exists for this build, the build succeeds.
In one embodiment, referring to fig. 4, step 301 further comprises:
step 3011: determining an application service node and a deployment node directory corresponding to the open source software vulnerability;
step 3012: respectively upgrading the open source software vulnerabilities of the application service nodes and the open source software vulnerabilities of the deployment node directory.
In steps 3011 and 3012, the product is first deployed for verification on a server in the prepared re-installation verification environment, according to the deployment definition file in the current product (the deployment definition file defines information such as the application service node on which the current product is to be deployed and the corresponding application deployment node directory). The re-installation verification environment restarts the service and executes the automated verification script according to the deployment strategy; if the restart succeeds and the automated script verification passes, the automatic vulnerability fix can be deployed to production.
As can be seen from the above description, the embodiment of the present invention provides an open-source software vulnerability management and control method that, without manual intervention, connects to an open-source software vulnerability database (for example, the CNNVD information security vulnerability database), determines the scope affected by a vulnerability by comparing the fingerprints of vulnerable software in the database with the fingerprints of the enterprise's production deployment, blocks products that contain the vulnerability at the build source so that the vulnerability does not propagate, and repairs the vulnerability to ensure production safety.
To further illustrate the solution, the present invention also provides a specific application example of the open-source software vulnerability management and control method, taking CNNVD as an example; see FIG. 5.
S1: interface calls are made with the CNNVD.
The newly issued vulnerability information can be synchronized back to the local database of the device in real time through a security vulnerability information interface externally provided by the CNNVD;
s2: and fingerprint code matching is carried out on the vulnerability information open source software.
S3: and comparing the vulnerability information.
Specifically, when new vulnerability information is received, the fingerprint code matching of vulnerability information open source software is carried out in a prefabricated product management information center; meanwhile, notifying the construction tool of vulnerability information; and the construction tool compares the vulnerability information in the device library during construction, if the vulnerability information exists, the construction is stopped at the moment, and the information with the vulnerability is prevented from being constructed into a formal delivery product, so that the vulnerability software is prevented from being spread automatically.
Further, the build tool performs the version artifact build by obtaining the current code base, the code branch used by the current build, the original baseline of the code branch when built, and the current baseline of the code branch when built. After acquiring the base lines of the version library, the branches, the start codes and the end codes, the construction tool downloads all information such as source codes, jar files and the like between the start and the end of the current branch to a disk of a compiler to which the construction tool belongs. Then, the building tool starts an independent thread to traverse aiming at the files under the specified disk directory on the current compiler, compiles the files into byte code files for Java codes, and simultaneously calculates the MD5 value of the files, and particularly calculates the MD5 value of jar files. And after the MD5 values of all files constructed at the time are calculated, the MD5 values are sent back to the vulnerability analysis tool for the vulnerability analysis tool to carry out comparison analysis in the vulnerability library.
And if the construction tool finds that the MD5 exists in the vulnerability information base after performing comparative analysis on the MD5 transmitted by the current construction, notifying the construction tool. And after receiving the notification of the vulnerability analysis tool, the construction tool terminates the current construction task and notifies a user of the vulnerability risk file in the current construction file by the message. In order to avoid further propagation and diffusion of the vulnerability, a user is asked to decide whether to automatically upgrade the vulnerability. The construction task is terminated, and the way of further spreading of the vulnerability is also blocked from the root.
S4: after the vulnerability information fingerprint code is successfully matched with the product management center, screening out all application information related to the vulnerability;
s5: checking an application test environment using the vulnerability open source software, and if the vulnerability open source software is used, removing Maven according to a solution provided by CNNVD to obtain a vulnerability upgrade repair version;
specifically, after the construction tool provides the information that the vulnerability exists in the current construction to the user for decision making, the user can make a decision for the vulnerability information and the upgrade recommendation version provided by the construction tool. After the user decides to upgrade the version, the building tool can actively rebuild the product according to the recommended version selected by the user. And when the building tool is built again, the fingerprint code constructed and calculated at this time is sent back to the vulnerability analysis tool again for analysis, and if the vulnerability analysis tool feeds back vulnerability information which does not exist in the current building, the building is successful. The construction tool deploys the product on a server in a formulated repackage verification environment for verification according to a deployment definition file (the deployment definition file: information such as an application service node defining the current product to be deployed and a corresponding application deployment node directory) in the current product. And restarting and executing the automatic script verification according to the deployment strategy by the repacking verification environment, wherein the restarting is successful and the automatic script verification is passed. The automatic bug fixing can be deployed for production. The version product which is verified by reinstalling can be distinguished from the production environment by parameters, the deployment definition file is executed by the construction tool, automatic deployment and verification are completed in production, and the automatic upgrading function is completed.
S6: informing a construction tool to reconstruct the version package and deploying the new version in a verification environment;
s7: and the reinstallation verification component performs reinstallation verification.
If the reinstallation verification is passed, the version is automatically released to the production; polling other applications related to the current vulnerability, and performing vulnerability repair and upgrade one by one; and after the polling is finished, notifying the vulnerability influence range, the influence function and the repair result to each application in the form of an email.
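The following is an added example, not code from the patent or from ICBC, of the control flow in S1 to S7 as a single pipeline: a constructed vulnerability feed is indexed by fingerprint (S1), each application's build is gated against it (S3), a gated build is rebuilt with the recommended version and re-checked (S5, S6), and the rebuilt product is deployed to every node and directory named in a deployment definition and verified before release (S7), with the other affected applications polled in turn. The fingerprints are placeholder strings rather than real digests, and the feed records, application names, node names, directories and the identifier VULN-EXAMPLE-1 are all constructed; the verification script is modelled as a callable so that a failing verification can be exercised too.

```python
from dataclasses import dataclass

# Constructed stand-in for records synced from a vulnerability feed (S1).
# Fingerprints are placeholder strings, not real digests; the id is a placeholder.
FEED = [
    {"id": "VULN-EXAMPLE-1", "component": "example-lib", "version": "1.0",
     "fingerprint": "fp-example-lib-1.0",
     "fixed_version": "1.1", "fixed_fingerprint": "fp-example-lib-1.1"},
]


def sync_feed(records):
    """S1: index the feed records in the local database by fingerprint."""
    return {r["fingerprint"]: r for r in records}


@dataclass
class Build:
    app: str
    artifacts: dict  # relative path -> fingerprint of that file


def gate_build(build, vuln_db):
    """S3: compare the build's fingerprints with the database; terminate on any hit."""
    risky = {p: vuln_db[fp] for p, fp in build.artifacts.items() if fp in vuln_db}
    return {"status": "TERMINATED" if risky else "OK", "risky": risky}


def rebuild_with_fix(build, risky):
    """S5/S6: rebuild with the recommended version, replacing each vulnerable artifact."""
    new_artifacts = {}
    for path, fp in build.artifacts.items():
        if path in risky:
            rec = risky[path]
            # Rename the artifact to the fixed version and take the fixed fingerprint.
            new_artifacts[path.replace(rec["version"], rec["fixed_version"])] = rec["fixed_fingerprint"]
        else:
            new_artifacts[path] = fp
    return Build(build.app, new_artifacts)


def verify_deployment(build, deployment_definition, run_script):
    """S7: deploy to each service node / directory of the definition and run the script."""
    results = []
    for node in deployment_definition["nodes"]:
        passed = run_script(build, node)
        results.append({"node": node["service_node"], "dir": node["deploy_dir"], "passed": passed})
    return all(r["passed"] for r in results), results


def remediate(applications, vuln_db, run_script):
    """Poll every application: gate -> rebuild -> re-check -> verify -> release (or not)."""
    report = []
    for app in applications:
        build, deploy_def = app["build"], app["deployment_definition"]
        first = gate_build(build, vuln_db)
        if first["status"] == "OK":
            report.append({"app": build.app, "outcome": "not affected"})
            continue
        fixed = rebuild_with_fix(build, first["risky"])
        if gate_build(fixed, vuln_db)["status"] != "OK":
            report.append({"app": build.app, "outcome": "rebuild still vulnerable"})
            continue
        passed, details = verify_deployment(fixed, deploy_def, run_script)
        report.append({
            "app": build.app,
            "outcome": "released" if passed else "verification failed, not released",
            "affected_files": sorted(first["risky"]),
            "fixed_build": sorted(fixed.artifacts),
            "verification": details,
        })
    return report


def demo(script_passes=True):
    """Constructed run over two applications: one ships the vulnerable artifact, one does not."""
    vuln_db = sync_feed(FEED)
    deploy_def = {"nodes": [  # constructed deployment definition file contents
        {"service_node": "app-node-01", "deploy_dir": "/opt/apps/order-service"},
        {"service_node": "app-node-02", "deploy_dir": "/opt/apps/order-service"},
    ]}
    apps = [
        {"build": Build("order-service", {"lib/example-lib-1.0.jar": "fp-example-lib-1.0",
                                          "lib/other-lib-2.3.jar": "fp-other-lib-2.3"}),
         "deployment_definition": deploy_def},
        {"build": Build("report-service", {"lib/other-lib-2.3.jar": "fp-other-lib-2.3"}),
         "deployment_definition": deploy_def},
    ]
    return remediate(apps, vuln_db, lambda build, node: script_passes)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The rebuilt product is gated a second time before it goes anywhere near the verification environment, which is the check that turns "rebuild with the recommended version" into evidence rather than an assumption; and a failed verification on any single node leaves the product unreleased, which is the property the "high safety" point below relies on.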
From the above description, the embodiment of the present invention provides an open source software vulnerability management and control method that overcomes the shortcomings of internet enterprises in the financial, communication and other fields in managing open source software vulnerabilities, as well as the low efficiency and long implementation period of traditional means, and provides an efficient, safe, intelligent and autonomous vulnerability management and treatment method. The method supports all enterprise applications non-invasively, changes the traditional after-the-fact treatment strategy into a preventive control scheme, and effectively avoids the economic losses and potential safety hazards that vulnerable code causes for enterprises. The beneficial effects are as follows:
1. Simple operation: once the tool is deployed the whole process runs automatically without manual intervention, and the device identifies vulnerabilities automatically after they are exposed.
2. High efficiency: compared with handling vulnerabilities manually, the tool updates vulnerable files automatically without manual intervention, and patching of reorganized versions is avoided.
3. High timeliness: the device is connected to the CNNVD and triggers vulnerability repair work as soon as a vulnerability is exposed.
4. High degree of intelligence: after a vulnerability is exposed, the propagation and spread of the vulnerable open source software is isolated automatically and immediately, stopping the spread at its source.
5. High safety: during automatic vulnerability repair the device triggers the re-installation verification component to verify the upgraded application service in a simulated test environment, and deploys to production automatically only after verification passes, avoiding the risk that the production environment fails to work after the upgrade and has to be rolled back.
Based on the same inventive concept, the embodiment of the present application further provides an open source software vulnerability management and control apparatus, which may be used to implement the method described in the above embodiment, such as the following embodiments. Because the principle of solving the problem of the open-source software vulnerability management and control device is similar to that of the open-source software vulnerability management and control method, the implementation of the open-source software vulnerability management and control device can be referred to the implementation of the open-source software vulnerability management and control method, and repeated parts are not repeated. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. While the system described in the embodiments below is preferably implemented in software, implementations in hardware, or a combination of software and hardware are also possible and contemplated.
An embodiment of the present invention provides a specific implementation manner of an open-source software vulnerability management and control apparatus capable of implementing an open-source software vulnerability management and control method, and referring to fig. 6, the open-source software vulnerability management and control apparatus specifically includes the following contents:
an MD5 value obtaining unit 10, configured to obtain feature values corresponding to all code files in the system;
the traversal result generating unit 20 is configured to traverse the feature values in the open-source software vulnerability database to generate a traversal result;
and the vulnerability management and control unit 30 is used for managing and controlling the open-source software vulnerability in the system according to the traversal result.
In one embodiment, referring to fig. 7, the MD5 value obtaining unit 10 includes:
a code file obtaining module 101, configured to obtain the code file according to the current codebase, the branch of the current codebase, the original baseline of the current codebase, and the current baseline of the current codebase;
and the MD5 value calculating module 102 is used for calculating the MD5 value corresponding to the code file.
In an embodiment, the vulnerability management and control unit is specifically configured to upgrade the open-source software vulnerability.
In an embodiment, referring to fig. 8, the vulnerability management unit 30 includes:
a node determining module 301, configured to determine an application service node and a deployment node directory corresponding to the open-source software vulnerability;
the vulnerability updating module 302 is configured to update an open-source software vulnerability of an application service node and an open-source software vulnerability of a deployment node directory, respectively.
As can be seen from the above description, an embodiment of the present invention provides an open source software vulnerability management and control apparatus, which first obtains feature values corresponding to all code files in a system; then traverses the feature values in the open-source software vulnerability database to generate a traversal result; and finally manages and controls the open source software vulnerabilities in the system according to the traversal result. The invention overcomes the defects of the traditional industry approach to open source software vulnerabilities: it compares the fingerprint of the vulnerable software, the fingerprints of the open source software used by the enterprise and the fingerprints in the open source software vulnerability database, using the open source software fingerprint code comparison mode, to determine the scope affected by the current vulnerability; it automatically and effectively prevents the propagation of the vulnerable open source software according to the solution provided by the open source software vulnerability database; and it repairs the vulnerability in the production environment automatically, so that vulnerabilities are found in time, isolated in time and upgraded automatically.
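The three steps of the apparatus above (units 10, 20 and 30) worked through in Python as an added illustration; this is not code from the patent or from the applicant. It assumes a vulnerability database keyed by the MD5 feature value and an inventory mapping each code file to the application service nodes and deployment directories that carry it; the file contents, component names, node names and the advisory id are all constructed placeholders.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    """One record of the open source software vulnerability database (constructed shape)."""
    component: str
    vulnerable_version: str
    fixed_version: str
    advisory_id: str  # placeholder; a real feed would carry e.g. a CNNVD identifier

def md5_of_file(path, chunk=1 << 16):
    """Feature value of one code file: MD5 over its bytes, read in chunks.
    MD5 is only a lookup key into the database here, not an integrity check."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def fingerprint_tree(root, extensions=(".jar", ".py", ".js")):
    """Step 100: map every code file under root (path relative to root) to its MD5."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(extensions):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                out[rel] = md5_of_file(path)
    return out

def traverse(fingerprints, vuln_db):
    """Step 200: look each feature value up; the traversal result is the list of hits.
    Only a byte-identical copy matches: a recompiled or locally patched build is missed."""
    return [(rel, digest, vuln_db[digest])
            for rel, digest in sorted(fingerprints.items()) if digest in vuln_db]

def plan_upgrades(hits, deployments):
    """Step 300: resolve the application service nodes and deployment directories
    carrying each hit and emit one upgrade action per location."""
    actions = []
    for rel, _digest, adv in hits:
        for node, deploy_dir in deployments.get(rel, []):
            actions.append({"node": node, "directory": deploy_dir,
                            "component": adv.component,
                            "from": adv.vulnerable_version, "to": adv.fixed_version})
    return actions

def demo():
    """Build a constructed code tree and database, then run the three steps."""
    vulnerable_blob = b"// constructed stand-in for a vulnerable library build\n"
    clean_blob = b"// constructed stand-in for an unaffected file\n"
    vuln_db = {hashlib.md5(vulnerable_blob).hexdigest():
               Advisory("example-lib", "1.2.3", "1.2.4", "ADVISORY-PLACEHOLDER-0001")}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        with open(os.path.join(root, "lib", "example-lib-1.2.3.jar"), "wb") as f:
            f.write(vulnerable_blob)
        with open(os.path.join(root, "app.js"), "wb") as f:
            f.write(clean_blob)
        fingerprints = fingerprint_tree(root)
    hits = traverse(fingerprints, vuln_db)
    # Constructed deployment inventory: which service nodes carry the file, and where.
    deployments = {"lib/example-lib-1.2.3.jar": [("svc-node-01", "/opt/app/lib"),
                                                  ("svc-node-02", "/opt/app/lib")]}
    return fingerprints, hits, plan_upgrades(hits, deployments)
```

Calling `demo()` returns the fingerprints, the traversal result (one hit on the constructed jar, none on the clean file) and one upgrade action per node and directory that carries it.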
An embodiment of the present application further provides a specific implementation manner of an electronic device, which is capable of implementing all steps in the open-source software vulnerability management and control method in the foregoing embodiment, and referring to fig. 9, the electronic device specifically includes the following contents:
a processor 1201, a memory 1202, a communication interface 1203, and a bus 1204;
the processor 1201, the memory 1202 and the communication interface 1203 complete communication with each other through the bus 1204; the communication interface 1203 is used for implementing information transmission between related devices such as server-side devices and client-side devices;
the processor 1201 is configured to call a computer program in the memory 1202, and when the processor executes the computer program, all steps in the open-source software vulnerability management and control method in the foregoing embodiment are implemented, for example, when the processor executes the computer program, the following steps are implemented:
step 100: acquiring characteristic values corresponding to all code files in the system;
step 200: traversing the characteristic values in an open source software vulnerability database to generate a traversal result;
step 300: and managing and controlling the open source software bugs in the system according to the traversal result.
An embodiment of the present application further provides a computer-readable storage medium capable of implementing all the steps in the open-source software vulnerability management and control method in the foregoing embodiment, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program implements all the steps of the open-source software vulnerability management and control method in the foregoing embodiment, for example, when the processor executes the computer program, the processor implements the following steps:
step 100: acquiring characteristic values corresponding to all code files in the system;
step 200: traversing the characteristic values in an open source software vulnerability database to generate a traversal result;
step 300: and managing and controlling the open source software bugs in the system according to the traversal result.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the hardware + program class embodiment, since it is substantially similar to the method embodiment, the description is simple, and the relevant points can be referred to the partial description of the method embodiment.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Although the present application provides method steps as in an embodiment or a flowchart, more or fewer steps may be included based on conventional or non-inventive labor. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When an actual apparatus or client product executes, it may execute sequentially or in parallel (e.g., in the context of parallel processors or multi-threaded processing) according to the embodiments or methods shown in the figures.
For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, in implementing the embodiments of the present description, the functions of each module may be implemented in one or more software and/or hardware, or a module implementing the same function may be implemented by a combination of multiple sub-modules or sub-units, and the like. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer readable program code, the same functionality can be implemented by logically programming method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may therefore be considered as a hardware component, and the means included therein for performing the various functions may also be considered as a structure within the hardware component. Or even means for performing the functions may be regarded as being both a software module for performing the method and a structure within a hardware component.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
The embodiments of this specification may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The described embodiments may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment. In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of an embodiment of the specification. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
The above description is only an example of the embodiments of the present disclosure, and is not intended to limit the embodiments of the present disclosure. Various modifications and variations to the embodiments described herein will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the embodiments of the present specification should be included in the scope of the claims of the embodiments of the present specification.

Claims (10)

1. A method for managing and controlling open-source software bugs is characterized by comprising the following steps:
acquiring characteristic values corresponding to all code files in the system;
traversing the characteristic values in an open source software vulnerability database to generate a traversal result;
and managing and controlling the open source software bugs in the system according to the traversal result.
2. The method for managing and controlling the vulnerability of the open source software according to claim 1, wherein the obtaining the feature values corresponding to all the code files in the system comprises:
acquiring the code file according to the current codebase, the branch of the current codebase, the original baseline of the current codebase and the current baseline of the current codebase;
and calculating the MD5 value corresponding to the code file.
3. The method for managing and controlling the open-source software vulnerability of claim 2, wherein the managing and controlling the open-source software vulnerability in the system according to the traversal result comprises:
if the traversal result is that an open-source software vulnerability corresponding to the MD5 value exists in the open-source software vulnerability database, upgrading the open-source software vulnerability.
4. The method for managing and controlling the open-source software vulnerability of claim 3, wherein upgrading the open-source software vulnerability comprises:
determining an application service node and a deployment node directory corresponding to the open source software vulnerability;
and respectively upgrading the open source software vulnerabilities of the application service node and the open source software vulnerabilities of the deployment node directory.
5. An open source software vulnerability management and control apparatus, characterized in that it comprises:
an MD5 value acquisition unit, which is used for acquiring the characteristic values corresponding to all code files in the system;
the traversal result generating unit is used for traversing the characteristic values in the open-source software vulnerability database to generate a traversal result;
and the vulnerability management and control unit is used for managing and controlling the open source software vulnerabilities in the system according to the traversal result.
6. The open source software vulnerability management apparatus of claim 5, wherein the MD5 value obtaining unit comprises:
the code file acquisition module is used for acquiring the code file according to the current codebase, the branches of the current codebase, the original baseline of the current codebase and the current baseline of the current codebase;
and the MD5 value calculating module is used for calculating the MD5 value corresponding to the code file.
7. The open-source software vulnerability management and control apparatus of claim 6, wherein the vulnerability management and control unit is specifically configured to upgrade the open-source software vulnerability.
8. The open source software vulnerability management apparatus of claim 5, wherein the vulnerability management unit comprises:
the node determining module is used for determining an application service node and a deployment node directory corresponding to the open source software vulnerability;
and the vulnerability upgrading module is used for respectively upgrading the open source software vulnerability of the application service node and the open source software vulnerability of the deployment node directory.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the open source software vulnerability management method of any one of claims 1 to 4 when executing the program.
10. A computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the open source software vulnerability management method of any of claims 1 to 4.
CN202110177893.7A 2021-02-09 2021-02-09 Open source software vulnerability management and control method and device Pending CN112906007A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110177893.7A CN112906007A (en) 2021-02-09 2021-02-09 Open source software vulnerability management and control method and device

Publications (1)

Publication Number Publication Date
CN112906007A true CN112906007A (en) 2021-06-04

Family

ID=76123070

Country Status (1)

Country Link
CN (1) CN112906007A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023072002A1 (en) * 2021-10-31 2023-05-04 Huawei Technologies Co., Ltd. (华为技术有限公司) Security detection method and apparatus for open source component package

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104573525A (en) * 2014-12-19 2015-04-29 706th Institute, Second Academy of China Aerospace Science and Industry Corporation (中国航天科工集团第二研究院七〇六所) Special information service software vulnerability fixing system based on white lists
CN106446691A (en) * 2016-11-24 2017-02-22 Telecommunication Research Institute of the Ministry of Industry and Information Technology (工业和信息化部电信研究院) Method and device for detecting integrated or customized open source project bugs in software
CN107977576A (en) * 2016-10-21 2018-05-01 Beijing Institute of Computer Technology and Application (北京计算机技术及应用研究所) Fingerprint-based host vulnerability location and method
CN108763928A (en) * 2018-05-03 2018-11-06 Beijing University of Posts and Telecommunications (北京邮电大学) Open source software vulnerability analysis method, apparatus and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
杜涛 (Du Tao): "Design of an Android Software Vulnerability Detection Method Based on Feature Matching" (基于特征匹配的Android软件漏洞检测方法设计), Journal of Jinzhong University (晋中学院学报), no. 03 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination