CN113111353B - Container mirror library security evaluation system and method based on dependency relationship - Google Patents


Info

Publication number
CN113111353B
Authority
CN
China
Prior art keywords
mirror image
detection
container
container mirror
image detection
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110394595.3A
Other languages
Chinese (zh)
Other versions
CN113111353A (en)
Inventor
陈力波
夏懿航
李嘉琦
姜开达
王轶骏
薛质
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Jiaotong University
Original Assignee
Shanghai Jiaotong University
Application filed by Shanghai Jiaotong University
Priority to CN202110394595.3A
Publication of CN113111353A
Application granted
Publication of CN113111353B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/572 Secure firmware programming, e.g. of basic input output system [BIOS]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Processing Or Creating Images (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a system and a method for evaluating the security of a container image repository based on dependency relationships. The system comprises a management node and a detection node that exchange data in order to work cooperatively. The management node builds the container image dependency tree for the container repository, keeps the tree updated, and issues container image detection tasks. The detection node receives an issued container image detection task, which performs a complete security scan of the container image; if a security risk exists in the container image, a sub-image detection task is issued to a detection node. The sub-image detection task issued by the detection node looks up all sub-images of the container image in the container image dependency tree and checks whether the file carrying the security risk has been repaired in those sub-images. The method helps to evaluate the scope of a vulnerability's influence, to detect security risks in container images, and to analyse the security of the images in a container image repository at scale.

Description

Container mirror library security evaluation system and method based on dependency relationship
Technical Field
The invention relates to the technical field of security evaluation of container image repositories, in particular to a system and a method for the security evaluation of a container image repository based on dependency relationships.
Background
Virtual-environment deployment and software execution based on container technology bring great convenience, and the build-once, deploy-many-times model has led to ever-increasing user demand. Large vendors such as Docker, Red Hat and Google have each set up official repositories holding massive numbers of container images. At the same time, security problems in the container ecosystem keep arising. Once insecure images enter a repository, the many complex dependency relationships among images mean that a user can freely build a new instance that may depend on an insecure image. How to quickly evaluate the scope of influence of such an image within the repository is therefore an urgent problem, especially at the initial outbreak of a high-risk security vulnerability: evaluating the affected range quickly and accurately wins response time for preventing security incidents.
Chinese patent publication No. CN108958890A discloses a container image detection method, device and electronic equipment. The method comprises: statically scanning the container image to be detected to obtain the software features to be matched from its software feature set; comparing those features with the software vulnerability features stored in a preset software vulnerability database; if a software vulnerability feature matching the features to be matched exists in the vulnerability library, determining the test case set corresponding to that vulnerability feature; executing the test cases of that set against the software corresponding to the matched features to detect whether a software vulnerability exists; and, when a software vulnerability exists, determining that the container image under test is abnormal. That patent therefore detects the container image under test by checking whether the software corresponding to the features to be matched has a software vulnerability.
Current evaluation methods typically require running a detection tool against every image in the repository.
In view of the above prior art, the inventor considers that such methods consume a large amount of time downloading each image for local evaluation, so it is difficult to complete a security evaluation of a large container image repository in a short time when a security vulnerability breaks out.
Disclosure of Invention
In view of the defects of the prior art, the invention aims to provide a system and a method for evaluating the security of a container image repository based on dependency relationships.
The dependency-based container image repository security evaluation system comprises a management node and a detection node, which cooperate with each other by exchanging data;
the management node: builds the container image dependency tree for the container repository, keeps the tree updated, and issues container image detection tasks;
the detection node: receives an issued container image detection task, which performs a complete security scan of the container image and obtains and sends an image detection result; if a security risk exists in the container image, a sub-image detection task is issued to a detection node; the sub-image detection task issued by a detection node looks up all sub-images of the container image in the container image dependency tree, checks whether the file carrying the security risk has been repaired in those sub-images, and obtains and sends an image detection result.
Preferably, the management node comprises a relationship module, a task management module and a data processing module, wherein:
the relationship module: merges the container image relationships of the container image repository into a container image dependency tree according to a dependency generation algorithm, and updates the tree in real time when container images change;
the task management module: checks the security of the container image repository at regular intervals, and distributes container image detection tasks to the detection nodes layer by layer over the container image dependency tree;
the data processing module: receives the image detection results returned by the detection nodes and stores them.
Preferably, the detection node comprises a communication module and a detection module, wherein:
the communication module: receives container image detection tasks issued by the management node and sub-image detection tasks issued by detection nodes;
the detection module: runs the container image detection task, which performs a complete security scan of the container image, or the sub-image detection task, which checks whether a security risk exists in the sub-image, and obtains an image detection result;
and the communication module transmits the image detection result back to the management node in real time.
Preferably, the container image detection task, the sub-image detection task and the image detection result are all transmitted by a distributed task scheduling technology: the container image detection task from the management node to a detection node, the sub-image detection task from a detection node to a detection node, and the image detection result from a detection node back to the management node.
Preferably, the management node collects all image detection results. These comprise container image detection results, obtained by a container image detection task performing a complete security scan of a container image, and sub-image detection results, obtained by a sub-image detection task checking whether a security risk exists in a sub-image. After receiving a container image detection result and a sub-image detection result, the management node merges them with the detection results it already holds.
The invention also provides a dependency-based container image repository security evaluation method, comprising the following steps:
a management step: building the container image dependency tree for the container repository, keeping the tree updated, and issuing container image detection tasks;
a detection step: receiving an issued container image detection task, which performs a complete security scan of the container image and obtains and sends an image detection result; if the container image has a security risk, issuing a sub-image detection task, which looks up all sub-images of the container image in the container image dependency tree, checks whether the file carrying the security risk has been repaired in each sub-image, and obtains and sends an image detection result.
Preferably, the management step comprises:
a relationship step: merging the container image relationships of the container image repository into a container image dependency tree according to a dependency generation algorithm, and updating the tree in real time when container images change;
a task management step: checking the security of the container image repository at regular intervals, and distributing container image detection tasks to the detection nodes layer by layer over the container image dependency tree;
a data processing step: receiving the image detection results returned by the detection nodes and storing them.
Preferably, the detection step comprises:
a communication step: receiving container image detection tasks issued by the management node and sub-image detection tasks issued by detection nodes;
an image detection step: running the container image detection task, which performs a complete security scan of the container image, or the sub-image detection task, which checks whether a security risk exists in the sub-image, and obtaining an image detection result;
a result sending step: sending the image detection result.
Preferably, the container image detection task, the sub-image detection task and the image detection result are all transmitted by a distributed task scheduling technology.
Preferably, the management node collects all image detection results. These comprise container image detection results, obtained by a container image detection task performing a complete security scan of a container image, and sub-image detection results, obtained by a sub-image detection task checking whether a security risk exists in a sub-image. After receiving a container image detection result and a sub-image detection result, the management node merges them with the detection results it already holds.
Compared with the prior art, the invention has the following beneficial effects:
1. The invention can analyse the security of the images in a container image repository at scale. The management node first builds the image dependency tree of the container image repository; through this tree, the images each container image depends on and its sub-images can be located precisely, which makes it possible to evaluate the scope of a vulnerability's influence. After receiving an image detection task, a detection node first determines the type of the task and then applies a different detection method to each type: an image security detection task detects the security risks present in an image, while a sub-image security detection task evaluates the scope of influence of a particular image's security risk. Finally, the detection node returns the detection result to the management node, which merges the detection results;
2. A detection node that receives a sub-image detection task does not need to scan all sub-images completely; it only needs to check whether the file that caused the security risk still exists in the container image and whether the part that caused the risk has been repaired in the new version of the file.
Drawings
Other features, objects and advantages of the invention will become more apparent from the following detailed description of non-limiting embodiments, read with reference to the drawings:
FIG. 1 is a system block diagram of an embodiment of the present invention;
FIG. 2 is a flow chart of an embodiment of the present invention.
Detailed Description
The present invention will be described in detail with reference to specific examples. The following examples will assist those skilled in the art in further understanding the invention, but are not intended to limit the invention in any way. It should be noted that it would be obvious to those skilled in the art that various changes and modifications can be made without departing from the spirit of the invention. All falling within the scope of the present invention.
The embodiment of the invention discloses a dependency-based container image repository security evaluation system comprising a management node and a detection node, which exchange data over the message channel of a distributed task scheduling technology in order to work cooperatively, as shown in fig. 1 and fig. 2. The distributed task scheduling technology used is the Gearman distributed task scheduling framework. The management node builds the container image dependency tree and issues container image detection tasks layer by layer according to that tree; the detection node runs the issued container image detection tasks and creates a sub-image detection task for each image found to carry a security risk. Task scheduling and data communication between the management node and the detection nodes are implemented with the Gearman distributed task scheduling framework.
The number of management nodes and detection nodes in the system is not limited; in this embodiment there is one management node and several detection nodes. The detection nodes are generally located on different hosts, while the management node may run alone on its own host or share a host with one of the detection nodes.
The management node: and completing the construction of a container mirror image dependency tree in the container warehouse and the updating of the container mirror image dependency tree, and issuing a container mirror image detection task through a distributed task scheduling technology. The management node comprises a relation module, a task management module and a data processing module.
A relationship module: and merging the container mirror image relations in the container mirror library into a container mirror image dependency relation tree according to a dependency relation generation algorithm, and updating the container mirror image dependency relation tree in real time when the container mirror images are changed. The task management module: checking the security of the container mirror image library at regular time, and distributing container mirror image detection tasks to detection nodes layer by layer to the container mirror image dependency tree through a distributed task scheduling technology; and traversing the container mirror image dependency relation tree by the management node in a breadth-first mode, and respectively sending a container mirror image detection task to the detection node for each node container mirror image.
A data processing module: and receiving the mirror image detection result returned by the detection node through a distributed task scheduling technology, and storing the mirror image detection result.
The detection node: receives an issued container image detection task through the distributed task scheduling technology. The container image detection task performs a complete security scan of the container image; if the container image has a security risk, the detection node creates a sub-image detection task and issues it to a detection node through the distributed task scheduling technology. The sub-image detection task issued by a detection node identifies the file that causes the container image's security risk, looks up all sub-images of that container image in the container image dependency tree, and quickly checks whether the risky file has been repaired in those sub-images, giving an image detection result. The sub-images of a container image are the child nodes of the node carrying the security risk. A detection node that receives a sub-image detection task does not need to scan all sub-images completely; it only needs to check whether the file that caused the security risk still exists in the container image and whether the part that caused the risk has been repaired in the new version of the file.
The detection node comprises a communication module and a detection module. The communication module: receives container image detection tasks issued by the management node and sub-image detection tasks issued by detection nodes through the distributed task scheduling technology. The detection module: runs the container image detection task, which performs a complete security scan of the container image, or the sub-image detection task, which checks whether a security risk exists in the sub-image, and obtains an image detection result. The communication module transmits the image detection result back to the data processing module in real time through the distributed task scheduling technology.
The image detection results comprise container image detection results, obtained by a container image detection task performing a complete security scan of a container image, and sub-image detection results, obtained by a sub-image detection task checking whether a security risk exists in a sub-image. After receiving a container image detection result and a sub-image detection result, the data processing module merges them with the detection results the management node already holds.
The management node builds the dependency relationships of the container images in the container image repository. The container images are stored in a tree structure, which shows the dependencies among them clearly: the parent node of any node can be regarded as the image the current node depends on. The detection nodes then perform security detection layer by layer over the container image dependency tree, starting from the root node. When a container image with a security risk is located, a sub-image detection task is sent to a new detection node, which quickly scans the child nodes of that container image's node in the dependency tree to see whether the file has been repaired, and returns the scan result to the management node. Finally, the management node collects the image detection results.
The detection node returns the detection result to the management node, which merges the detection results. If several different security risks exist in the same image, the management node merges them under that image and displays the sub-images affected by each security risk.
The embodiment of the invention also discloses a dependency-based container image repository security evaluation method, comprising the following steps, as shown in figures 1 and 2:
a relation step: s1: the management node judges whether the container mirror dependency tree exists, if so, the step goes to S2, and if not, the step goes to S3. S2: acquiring the mirror image change occurring so far after the container mirror image dependency relationship tree is updated last time, including the modification and deletion of the container mirror image, updating the changed container mirror image relationship to the container mirror image dependency relationship tree by using a dependency relationship generation algorithm, and entering S4. S3: a container mirror dependency tree is built using a dependency generation algorithm, and S4 is entered.
The dependency generation algorithm builds the dependency tree from the hash values of the container images' layers:
Let A, B and C be three images whose layers are a(1), …, a(x), b(1), …, b(y) and c(1), …, c(z) respectively, where image A has x layers in total, image B has y layers and image C has z layers, a(1) is the first layer of A, a(2) its second layer and a(x) its x-th layer, b(1), b(2) and b(y) are the first, second and y-th layers of B, and c(1) and c(z) are the first and z-th layers of C. If a(1) = b(1), a(2) = b(2), …, a(x) = b(x), then image B depends on image A, and B is a child node of A in the container image dependency tree. If a(1) ≠ c(1), there is no dependency between image A and image C, and they lie on two different branches of the container image dependency tree.
In practice, the structure produced by the dependency generation algorithm is generally not a single tree but a forest of several trees. Container software usually reserves an empty image, and that reserved empty node is chosen as the root node of the container image dependency tree.
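The following Python is an added example, not code from the patent or from the inventors' prototype system. It builds the dependency forest described above from each image's ordered list of layer digests: image B becomes a child of image A when A's layers are, in order, a prefix of B's layers, and images that share no prefix image hang off the reserved empty root. The image names and digests are constructed placeholders, the empty root is assumed to be named `scratch`, and choosing the longest matching prefix as the parent (so that an intermediate image sits between a base image and the images built on it) is an assumption about how the rule is applied when several images qualify. The breadth-first order it returns is the layer-by-layer order in which the task management module later issues detection tasks, and `apply_changes` shows step S2 as a rebuild after modifications and deletions.

```python
from collections import deque

# Constructed sample repository: image name -> ordered list of layer digests.
# Digests are placeholders, not real sha256 values. "scratch" is the reserved
# empty image that the description uses as the root of the forest.
SAMPLE_IMAGES = {
    "scratch": [],
    "base": ["sha256:L1"],
    "base-tools": ["sha256:L1", "sha256:L2"],
    "app-v1": ["sha256:L1", "sha256:L2", "sha256:L3"],
    "app-v2": ["sha256:L1", "sha256:L2", "sha256:L4"],
    "other": ["sha256:L9"],   # a(1) != first layer of base: separate branch
}


def is_layer_prefix(short, long):
    """a(1)==b(1), ..., a(x)==b(x) with x < y: every layer of the shorter image is,
    in order, a leading layer of the longer one. Equal lists are not a dependency."""
    return len(short) < len(long) and long[: len(short)] == short


def build_dependency_forest(images, root="scratch"):
    """Return (parent, children) for the dependency forest.
    Image B is made a child of image A when A's layers are a prefix of B's. If
    several images qualify, the one with the most layers is chosen (assumption:
    keeps intermediate images between base and leaf instead of flattening them).
    Images with no prefix image hang directly off the empty root."""
    parent = {}
    children = {name: [] for name in images}
    children.setdefault(root, [])
    for name, layers in images.items():
        if name == root:
            continue
        candidates = [other for other, other_layers in images.items()
                      if other not in (name, root) and is_layer_prefix(other_layers, layers)]
        par = max(candidates, key=lambda n: len(images[n])) if candidates else root
        parent[name] = par
        children[par].append(name)
    return parent, children


def breadth_first_order(children, root="scratch"):
    """Order in which the task management module issues detection tasks:
    layer by layer from the root (step S5)."""
    order, queue = [], deque([root])
    while queue:
        node = queue.popleft()
        order.append(node)
        queue.extend(children[node])
    return order


def descendants(children, node):
    """All images in the subtree below `node`: the scope that a vulnerability in
    `node` can influence (steps S6 and S9 walk this subtree)."""
    return breadth_first_order(children, node)[1:]


def apply_changes(images, modified=None, deleted=()):
    """Step S2: refresh the forest after images were modified or deleted since the
    last update. Rebuilding from the full digest lists is the simplest correct
    approach; an incremental update of only the changed nodes is not shown."""
    updated = dict(images)
    updated.update(modified or {})
    for name in deleted:
        updated.pop(name, None)
    return build_dependency_forest(updated)


if __name__ == "__main__":
    parent, children = build_dependency_forest(SAMPLE_IMAGES)
    print(parent)
    print(breadth_first_order(children))
```

Two tags of the same image have identical digest lists and therefore become siblings rather than parent and child; a registry that stores many tags per repository should deduplicate by manifest digest before building the forest.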
And a task management step: s4: and the management node judges whether the security evaluation needs to be carried out on the full-container mirror image library or the evaluation needs to be carried out on the influence range of a specific bug. Performing security evaluation on the full container mirror image library, and entering S5; and evaluating the influence range of a specific vulnerability, and entering S6. S5: and the management node reads the mirror image nodes layer by layer from the root node of the container mirror image dependency relationship tree, distributes a container mirror image detection task to the detection node and enters S7. S6: and the management node distributes the container mirror image detection tasks from the mirror image root node to be evaluated downwards layer by layer, specifies that the detection is carried out only by using a detection mode aiming at the vulnerability, and enters S7.
Communication step: s7: and the detection node receives the container mirror image detection task, judges whether the task is the container mirror image detection task, if so, the step S8 is carried out, and if not, the step S9 is carried out.
A detection step: s8: and detecting the safety of the container mirror image, recording a file generating the potential safety hazard if the potential safety hazard of the container mirror image is detected, creating a sub-mirror image safety detection task aiming at the container mirror image, and distributing the sub-mirror image safety detection task to an idle detection node to obtain a container mirror image detection result.
To improve detection efficiency, an image detection task no longer examines the contents of files already contained in the parent-node image on the container image dependency tree, since those contents were already covered by the earlier image detection task for the parent.
First data processing step: receive the container image detection result returned by the detection node, and store it.
A detection step: s9: and searching child nodes of the current mirror image on the container mirror image dependency tree, namely child mirrors of the container. And checking whether the file causing the potential safety hazard is repaired in the sub-mirror image to obtain a sub-mirror image detection result.
To improve detection efficiency, if the file with the security risk cannot be found in a sub-image, this indicates that the file was not modified in that sub-image, that is, the security risk is repaired.
Second data processing step: receive the sub-image detection result returned by the detection node, and store it.
S10: and the data processing module in the management node merges the mirror image detection results, and displays the mirror images with potential safety hazards and the sub-mirror images influenced by the potential safety hazards.
The image detection results returned by the detection nodes are transmitted in JSON format, and the management node stores the collected JSON results in a NoSQL database in a suitable manner.
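The following Python is an added example covering steps S4 to S10 and the JSON result format; it is not the patent's own code. One `evaluate` call plays the management node (breadth-first issue of image detection tasks, whole-repository mode from `scratch` or single-vulnerability mode from a chosen image) and the two detection-node task types: a full scan that looks only at files in the image's own layers (the optimisation of skipping files already present in the parent), and a sub-image check that reports whether the risky file was replaced by a fixed version, by a still-vulnerable version, or left untouched. In-process deques stand in for the Gearman task queues; the tree, the file-to-hash maps and the vulnerability feature entries are constructed placeholders; the `only` filter used for S6 and the propagation of the sub-image check to the children of a sub-image that left the file unmodified are both my assumptions, not steps the description states.

```python
import json
from collections import deque

# Constructed repository (placeholder hashes, not real digests). Each image maps
# only the files its OWN layers add or replace; files inherited unchanged from
# the parent are not listed. The dependency tree is taken as already built.
CHILDREN = {"scratch": ["base"], "base": ["app-v1", "app-v2", "app-v3"],
            "app-v1": ["app-v1-slim"], "app-v2": [], "app-v3": [], "app-v1-slim": []}
OWN_FILES = {
    "scratch": {},
    "base": {"/lib/libz.so": "h-libz-old", "/usr/bin/tool": "h-tool-old"},
    "app-v1": {"/app/main": "h-main-1"},                                # inherits both files
    "app-v2": {"/lib/libz.so": "h-libz-new", "/app/main": "h-main-2"},  # rebuilt with fixed libz
    "app-v3": {"/lib/libz.so": "h-libz-older"},                         # swapped in another bad libz
    "app-v1-slim": {"/app/config": "h-cfg"},                            # inherits from app-v1
}
# Constructed vulnerability features: file path -> vulnerable / fixed content hashes.
VULN_DB = {
    "/lib/libz.so": {"id": "VULN-EXAMPLE-1", "vulnerable": {"h-libz-old", "h-libz-older"},
                     "fixed": {"h-libz-new"}},
    "/usr/bin/tool": {"id": "VULN-EXAMPLE-2", "vulnerable": {"h-tool-old"},
                      "fixed": {"h-tool-new"}},
}


def full_scan(image, only=None):
    """Container image detection task (S8). Only files in this image's own layers
    are examined: anything already present in the parent was covered when the
    parent's task ran. `only` restricts the scan to one vulnerability id (S6)."""
    findings = []
    for path, digest in OWN_FILES[image].items():
        feat = VULN_DB.get(path)
        if feat and digest in feat["vulnerable"] and (only is None or feat["id"] == only):
            findings.append({"id": feat["id"], "file": path})
    return findings


def sub_image_check(child, path):
    """Sub-image detection task (S9): is the file that caused the risk present in
    the sub-image's own layers, and if so is it a fixed version?"""
    digest = OWN_FILES[child].get(path)
    if digest is None:
        return "unmodified"            # sub-image's layers do not touch the file
    return "repaired" if digest in VULN_DB[path]["fixed"] else "still_vulnerable"


def evaluate(start="scratch", only=None):
    """Management node: issue image detection tasks layer by layer from `start`
    (S5 for the whole repository, S6 from a specific image for one vulnerability),
    then drain the task queues and merge results per image and per risk (S10).
    Two deques stand in for the Gearman queues between the nodes (assumption)."""
    image_tasks, sub_tasks = deque(), deque()
    frontier = deque([start])
    while frontier:                              # breadth-first over the tree
        img = frontier.popleft()
        image_tasks.append(img)
        frontier.extend(CHILDREN[img])

    results = {}                                 # image -> risk id -> file + sub-image statuses
    while image_tasks or sub_tasks:
        if image_tasks:                          # detection node: container image task
            img = image_tasks.popleft()
            for f in full_scan(img, only):
                results.setdefault(img, {})[f["id"]] = {"file": f["file"], "sub_images": {}}
                sub_tasks.append((img, img, f))  # (origin image, node whose children to check, finding)
        else:                                    # detection node: sub-image task
            origin, node, f = sub_tasks.popleft()
            for child in CHILDREN[node]:
                status = sub_image_check(child, f["file"])
                results[origin][f["id"]]["sub_images"][child] = status
                if status == "unmodified":       # assumption: keep walking down the untouched branch
                    sub_tasks.append((origin, child, f))
    return results


def to_json(results):
    """Wire and storage format: results travel and are stored as JSON (S10)."""
    return json.dumps(results, sort_keys=True)


if __name__ == "__main__":
    print(to_json(evaluate()))
```

Running the whole-repository mode reports `base` with both risks and `app-v3` with its own copy of the first one; the per-risk sub-image map is exactly the "sub-images affected by each security risk" display the description calls for, and the single-vulnerability mode from `base` with `only="VULN-EXAMPLE-1"` narrows the report to that risk.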
The method comprises the steps of analyzing the content of the mirror image through a hierarchical analysis means, establishing the dependency relationship between the mirror image and the existing mirror image in the process of downloading the mirror image on line, and only downloading a new added layer to efficiently establish a global dependency graph, so that when the dangerous mirror image with security holes is found, other affected mirror images can be quickly and accurately evaluated according to the dependency relationship, and the full-scale evaluation of a container mirror image library is realized. Finally, the inventor realizes a prototype system based on the method, can iterate the dependency graph on line and timely respond to the evaluation requirement.
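Steps S8 to S10 above, and the dependency-tree scan the claims describe, as an added Python illustration that is not the inventors' prototype: images are modelled as ordered layer-digest lists, and the file contents, the longest-shared-prefix parent rule and the detection rule are constructed assumptions. Each image is scanned only in the layers it adds over its parent; a flagged file is then traced through the descendants to see which rewrite it in their own layers and which inherit it unchanged.

```python
from collections import defaultdict

# Constructed sample: image name -> ordered layer digests (bottom to top).
IMAGES = {
    "base": ["l1"],
    "python": ["l1", "l2"],
    "app": ["l1", "l2", "l3"],
    "app-fixed": ["l1", "l2", "l3", "l4"],
    "tool": ["l1", "l5"],
}
# Constructed sample: layer digest -> {file path: content fingerprint}.
LAYERS = {
    "l1": {"/etc/os-release": "ok"},
    "l2": {"/usr/lib/libssl.so": "vulnerable-build"},
    "l3": {"/app/main.py": "ok"},
    "l4": {"/usr/lib/libssl.so": "patched-build"},
    "l5": {"/usr/bin/tool": "ok"},
}
# Constructed detection rule: path -> fingerprint of a known-vulnerable file.
BAD = {"/usr/lib/libssl.so": "vulnerable-build"}

def build_dependency_tree(images):
    """Parent = image whose layers are the longest proper prefix of ours; roots get None."""
    parent = {}
    for name, layers in images.items():
        cands = [o for o, ol in images.items()
                 if o != name and len(ol) < len(layers) and layers[:len(ol)] == ol]
        parent[name] = max(cands, key=lambda o: len(images[o]), default=None)
    return parent
def own_layers(name, images, parent):
    """Layers added on top of the parent; only these are scanned (step S8)."""
    p = parent[name]
    return images[name][len(images[p]):] if p else images[name]
def scan_image(name, images, parent, layers, bad):
    """Full scan restricted to the image's own layers; returns flagged paths."""
    return [path for d in own_layers(name, images, parent)
            for path, fp in layers[d].items() if bad.get(path) == fp]
def check_descendants(name, path, images, parent, layers):
    """Step S9: for each descendant, True if it rewrites the flagged file in its
    own layers (a candidate repair), False if it inherits the file unchanged."""
    kids = defaultdict(list)
    for c, p in parent.items():
        if p: kids[p].append(c)
    result, stack = {}, list(kids[name])
    while stack:
        c = stack.pop()
        result[c] = any(path in layers[d] for d in own_layers(c, images, parent))
        stack.extend(kids[c])
    return result
def evaluate(images=IMAGES, layers=LAYERS, bad=BAD):
    """Step S10: merge findings per (image, file) with the affected descendants."""
    parent = build_dependency_tree(images)
    return {(n, path): check_descendants(n, path, images, parent, layers)
            for n in images for path in scan_image(n, images, parent, layers, bad)}
```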
It is well known to those skilled in the art that, in addition to implementing the system and its devices, modules and units provided by the present invention purely as computer-readable program code, the same functions can be implemented in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like by logically programming the method steps. Therefore, the system and its devices, modules and units provided by the present invention can be regarded as a hardware component, and the devices, modules and units it contains for implementing the various functions can likewise be regarded as structures within the hardware component; the devices, modules and units for implementing the various functions can also be regarded as both software modules implementing the method and structures within the hardware component.
The foregoing description has described specific embodiments of the present invention. It is to be understood that the present invention is not limited to the specific embodiments described above, and that various changes or modifications may be made by those skilled in the art within the scope of the appended claims without departing from the spirit of the invention. The embodiments and the features of the embodiments of the present application may be combined with each other arbitrarily where no conflict arises.

Claims (5)

1. A dependency-based container image library security evaluation system, characterized by comprising a management node and a plurality of detection nodes, wherein the management node and the detection nodes cooperate with each other through data exchange;
the management node: builds the container image dependency tree of the container repository, updates the container image dependency tree, and issues container image detection tasks;
the detection node: receives a container image detection task issued by the management node, wherein the container image detection task performs complete security detection of a container image to obtain and send an image detection result; if a security risk exists in the container image, a child-image detection task is issued to a detection node; for a child-image detection task issued by a detection node, all child images of the container image are looked up in the container image dependency tree and it is detected whether the file with the security risk has been repaired in the child images, obtaining and sending an image detection result;
the management node comprises a relationship module, a task management module and a data processing module;
the relationship module: merges the container image relationships in the container image library into a container image dependency tree according to a dependency-relationship generation algorithm, and updates the container image dependency tree in real time when the container images change;
the task management module: checks the security of the container image library at regular intervals, and distributes container image detection tasks to the detection nodes layer by layer over the container image dependency tree;
the data processing module: receives the image detection results returned by the detection nodes and stores them;
the management node collects all image detection results, which comprise container image detection results and child-image detection results; the container image detection results are obtained by container image detection tasks performing complete security detection of container images, and the child-image detection results are obtained by child-image detection tasks detecting whether security risks exist in the child images; after receiving a container image detection result and a child-image detection result, the management node merges them with the detection results it already holds;
the container image detection tasks, the child-image detection tasks and the image detection results are transmitted by a distributed task scheduling technique: container image detection tasks from the management node to the detection nodes, child-image detection tasks from detection node to detection node, and image detection results from the detection nodes to the management node.
2. The dependency-based container image library security evaluation system according to claim 1, wherein the detection node comprises a communication module and a detection module, wherein:
the communication module: receives container image detection tasks issued by the management node and child-image detection tasks issued by detection nodes;
the detection module: executes the container image detection task, which performs complete security detection of the container image, or the child-image detection task, which detects whether security risks exist in the child image, and obtains the image detection result;
and the communication module transmits the image detection result back to the management node in real time.
3. A dependency-based container image library security evaluation method, applied to the dependency-based container image library security evaluation system of any one of claims 1 to 2, comprising the following steps:
a management step: building the container image dependency tree of the container repository, updating the container image dependency tree, and issuing container image detection tasks;
a detection step: receiving an issued container image detection task, the container image detection task performing complete security detection of a container image to obtain and send an image detection result; if a security risk exists in the container image, issuing a child-image detection task, the child-image detection task looking up all child images of the container image in the container image dependency tree and detecting whether the file with the security risk has been repaired in the child images, obtaining and sending an image detection result;
the management step comprises the following steps:
a relationship step: merging the container image relationships in the container image library into a container image dependency tree according to a dependency-relationship generation algorithm, and updating the container image dependency tree in real time when the container images change;
a task management step: checking the security of the container image library at regular intervals, and distributing container image detection tasks to the detection nodes layer by layer over the container image dependency tree;
a data processing step: receiving the image detection results returned by the detection nodes and storing them;
the management node collects all image detection results, which comprise container image detection results and child-image detection results; the container image detection results are obtained by container image detection tasks performing complete security detection of container images, and the child-image detection results are obtained by child-image detection tasks detecting whether security risks exist in the child images; after receiving a container image detection result and a child-image detection result, the management node merges them with the detection results it already holds.
4. The dependency-based container image library security evaluation method according to claim 3, wherein the detection step comprises the following steps:
a communication step: receiving container image detection tasks issued by the management node and child-image detection tasks issued by detection nodes;
an image detection step: executing the container image detection task, which performs complete security detection of the container image, or the child-image detection task, which detects whether security risks exist in the child image, and obtaining the image detection result;
and a result sending step: sending the image detection result.
5. The dependency-based container image library security evaluation method according to claim 3, wherein the container image detection tasks, the child-image detection tasks and the image detection results are all transmitted by a distributed task scheduling technique.
CN202110394595.3A 2021-04-13 2021-04-13 Container mirror library security evaluation system and method based on dependency relationship Active CN113111353B (en)
Publications (2)

Publication Number Publication Date
CN113111353A CN113111353A (en) 2021-07-13
CN113111353B true CN113111353B (en) 2022-06-28
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant