CN113535577B - Application testing method and device based on knowledge graph, electronic equipment and medium - Google Patents


Info

Publication number: CN113535577B
Authority: CN (China)
Prior art keywords: information, test script, attribute, application, vulnerability
Legal status: Active
Application number: CN202110847050.3A
Other languages: Chinese (zh)
Other versions: CN113535577A
Inventors: 赵鑫, 祝萍, 刘赫德, 王贵智
Current Assignee: Industrial and Commercial Bank of China Ltd ICBC; ICBC Technology Co Ltd
Original Assignee: Industrial and Commercial Bank of China Ltd ICBC; ICBC Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3688 Test management for test execution, e.g. scheduling of test suites

Abstract

The present disclosure provides a knowledge-graph-based application testing method, an application testing apparatus, an electronic device, a computer-readable storage medium, and a computer program. The knowledge-graph-based application testing method and apparatus can be used in the technical field of finance. The knowledge-graph-based application testing method is executed on the electronic device and comprises the following steps: acquiring feature information of an application; acquiring vulnerability information corresponding to the feature information; acquiring a test script; constructing a knowledge graph from the feature information, the vulnerability information and the test script, wherein the knowledge graph comprises a first attribute between the feature information and the vulnerability information and a second attribute between the vulnerability information and the test script; selecting a valid test script for the application according to the first attribute and the second attribute; executing the valid test script; and outputting the execution result.

Description

Application testing method and device based on knowledge graph, electronic equipment and medium
Technical Field
The present disclosure relates to the field of financial technologies, and more particularly, to a method and apparatus for testing an application based on a knowledge graph, an electronic device, a computer-readable storage medium, and a computer program product.
Background
As the technology has developed, automatic collection and scanning methods have been introduced throughout the security testing process to improve the efficiency of information collection and judgment. At the same time, a script library is established for the vulnerabilities that arise under different conditions, and the corresponding scripts can be selected to complete the test according to the vulnerabilities encountered, which improves the efficiency and level of security testing.
Disclosure of Invention
In view of the above, the present disclosure provides a knowledge graph-based application testing method, an application testing apparatus, an electronic device, a computer-readable storage medium, and a computer program product, which can improve testing quality and testing efficiency and have a high degree of automation.
One aspect of the present disclosure provides a knowledge-graph-based application testing method, which is executed on an electronic device and includes: acquiring feature information of an application; acquiring vulnerability information corresponding to the feature information; acquiring a test script; constructing a knowledge graph from the feature information, the vulnerability information and the test script, wherein the knowledge graph comprises a first attribute between the feature information and the vulnerability information and a second attribute between the vulnerability information and the test script; selecting a valid test script for the application according to the first attribute and the second attribute; executing the valid test script; and outputting the execution result.
According to the knowledge-graph-based application testing method, the vulnerability information is linked to the feature information through the first attribute and the test script is linked to the vulnerability information through the second attribute, so that the knowledge graph is established. Through the knowledge graph, the valid test script for the application under test can be obtained accurately, which improves testing quality and testing efficiency; at the same time, the dependence on testing personnel is reduced, labor is saved, and the probability of human error is lowered. In addition, once the application address is input, the whole test process can be completed, so the degree of automation is high.
In some embodiments, obtaining a test script comprises obtaining a test script with a mark, and selecting a valid test script for the application according to the first attribute and the second attribute further comprises: for a piece of vulnerability information that has a second attribute with a plurality of valid test scripts, eliminating the inefficient scripts among those valid test scripts according to the mark.
In some embodiments, the mark includes a number of executions and a quality, and the inefficient scripts are the valid test scripts that have been executed relatively few times and are of low quality.
In some embodiments, the constructing a knowledge graph from the feature information, the vulnerability information, and the test script comprises: respectively establishing entities of the characteristic information, the vulnerability information and the test script; establishing a first vector edge from the first entity to a second entity by taking the characteristic information as the first entity and the vulnerability information as the second entity, wherein the first vector edge has a first attribute; and establishing a second vector edge from the second entity to a third entity by taking the test script as the third entity, wherein the second vector edge has a second attribute.
In some embodiments, the first attribute is a correspondence between the vulnerability information and the feature information.
In some embodiments, the second attribute is a correspondence between the test script and the vulnerability information.
In some embodiments, there are m pieces of feature information, n pieces of vulnerability information and t test scripts, where m, n and t are integers greater than or equal to 1, and selecting a valid test script for the application according to the first attribute and the second attribute includes: taking one piece of feature information as a starting point, and acquiring all the vulnerability information connected to that feature information by a first vector edge; from all the vulnerability information connected to the feature information by a first vector edge, acquiring all the test scripts connected to that vulnerability information by a second vector edge, these test scripts being the feature test scripts of that feature information; repeating these steps until all m pieces of feature information have been used as starting points and their feature test scripts obtained; and taking the union of the feature test scripts corresponding to each piece of feature information to obtain the valid test scripts for the application.
In some embodiments, the obtaining the feature information of the application includes: at least one of framework information, a programming language, carrier framework information, and a carrier server of the application is obtained.
In some embodiments, executing the valid test script further comprises storing the execution result.
Another aspect of the present disclosure provides a knowledge-graph-based application testing apparatus, comprising: a first acquisition module for acquiring the feature information of the application; a second acquisition module for acquiring vulnerability information corresponding to the feature information; a third acquisition module for acquiring the test script with the mark; a graph building module for constructing a knowledge graph from the feature information, the vulnerability information and the test script, wherein the knowledge graph comprises a first attribute between the feature information and the vulnerability information and a second attribute between the vulnerability information and the test script; a script selection module for selecting a valid test script for the application according to the first attribute and the second attribute; a script execution module for executing the valid test script; and a result output module for outputting the execution result.
Another aspect of the present disclosure provides an electronic device comprising one or more processors and one or more memories, wherein the memories are used for storing executable instructions, which when executed by the processors, implement the method as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions which, when executed, implement the method as described above.
Another aspect of the disclosure provides a computer program product comprising computer executable instructions for implementing the method as described above when executed.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of the embodiments of the present disclosure with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates an exemplary system architecture to which the methods, apparatus, according to embodiments of the disclosure, may be applied;
FIG. 2 schematically illustrates a flow diagram of a knowledge-graph based application testing method in accordance with an embodiment of the present disclosure;
FIG. 3 schematically shows a flow diagram for obtaining feature information of an application according to an embodiment of the disclosure;
FIG. 4 schematically illustrates a diagram of a knowledge graph constructed from feature information, vulnerability information and test scripts according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow diagram for building a knowledge-graph from feature information, vulnerability information and test scripts in accordance with an embodiment of the present disclosure;
FIG. 6 schematically illustrates a flow diagram for selecting a valid test script for an application based on a first attribute and a second attribute, according to an embodiment of the present disclosure;
FIG. 7 schematically illustrates a flow diagram for obtaining a test script according to an embodiment of the present disclosure;
FIG. 8 schematically illustrates a block diagram of a knowledge-graph based application testing apparatus according to an embodiment of the present disclosure;
FIG. 9 schematically illustrates a block diagram of a knowledge-graph based application testing apparatus according to another embodiment of the present disclosure;
FIG. 10 schematically shows a block diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure. In the technical scheme of the disclosure, the acquisition, storage and use of the personal information of the users involved all comply with the relevant laws and regulations, necessary security measures are taken, and public order and good customs are not violated.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
Where a convention analogous to "at least one of A, B or C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.). The terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, features defined as "first" or "second" may explicitly or implicitly include one or more of the described features.
As the technology has developed, automatic collection and scanning methods have been introduced throughout the security testing process to improve the efficiency of information collection and judgment. At the same time, a script library is established for the vulnerabilities that arise under different conditions, and the corresponding scripts can be selected to complete the test according to the vulnerabilities encountered, which improves the efficiency and level of security testing.
In the related technical scheme, the information collection and analysis at each stage are processed automatically, so efficiency is improved. However, the test scripts are not managed effectively: when the script library contains a large number of scripts of differing levels and a Web application presents a different combination of vulnerabilities, hundreds of test scripts may be selected, or different scripts may need to be written for each vulnerability combination. In addition, although each stage is automated, a tester is still required to analyze and develop the key nodes in the test flow, which depends heavily on the skill level of the security tester; the test cost is therefore high, and the test quality is difficult to guarantee.
Embodiments of the present disclosure provide a knowledge-graph-based application testing method, an application testing apparatus, an electronic device, a computer-readable storage medium, and a computer program product. The knowledge-graph-based application testing method can be executed on the electronic device and comprises the following steps: acquiring feature information of an application; acquiring vulnerability information corresponding to the feature information; acquiring a test script; constructing a knowledge graph from the feature information, the vulnerability information and the test script, wherein the knowledge graph comprises a first attribute between the feature information and the vulnerability information and a second attribute between the vulnerability information and the test script; selecting a valid test script for the application according to the first attribute and the second attribute; executing the valid test script; and outputting the execution result.
It should be noted that the application testing method, the application testing apparatus, the electronic device, the computer-readable storage medium, and the computer program product based on the knowledge graph according to the present disclosure may be used in the financial field, and may also be used in any field other than the financial field, and the field of the present disclosure is not limited herein.
Fig. 1 schematically illustrates an exemplary system architecture 100 to which a knowledge-graph based application testing method, application testing apparatus, electronic device, computer-readable storage medium, and computer program product may be applied, according to embodiments of the present disclosure. It should be noted that fig. 1 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, the system architecture 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104 and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have installed thereon various communication client applications, such as shopping-like applications, web browser applications, search-like applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (for example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and perform other processing on the received data such as the user request, and feed back a processing result (e.g., a webpage, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that the application testing method based on knowledge graph provided by the embodiment of the present disclosure may be generally executed by the server 105. Accordingly, the application testing device provided by the embodiment of the present disclosure may be generally disposed in the server 105. The application testing method based on knowledge-graph provided by the embodiments of the present disclosure may also be performed by a server or a cluster of servers different from the server 105 and capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the application testing apparatus provided in the embodiment of the present disclosure may also be disposed in a server or a server cluster different from the server 105 and capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The knowledge-graph-based application testing method according to the embodiment of the present disclosure will be described in detail with reference to fig. 2 to 7 based on the scenario described in fig. 1.
FIG. 2 schematically illustrates a flow diagram of a knowledge-graph based application testing method that may be performed on an electronic device, in accordance with an embodiment of the present disclosure.
As shown in fig. 2, the application testing method based on the knowledge-graph of the embodiment includes operations S210 to S270.
In operation S210, feature information of an application is obtained, where the application may include, but is not limited to, a Web application (Web App), a Native App (Native App), or a Hybrid App (Hybrid App), and the Web application is taken as an example for illustration herein, but is not to be construed as a limitation of the present disclosure. As one practical way, as shown in fig. 3, the operation S210 of acquiring the feature information of the application includes an operation S211 of: at least one of framework information, a programming language, carrier framework information, and a carrier server of the application is obtained. Taking a web application as an example, the characteristic information of the application may be understood as at least one of frame information of the application, a programming language, web frame information on which the application is based, and a web server.
In operation S220, vulnerability information corresponding to the feature information is acquired. It can be understood that one piece of feature information may have one corresponding piece of vulnerability information or several (for example two, three or four), and some feature information may have no corresponding vulnerability information at all. If a vulnerability is exploited by an attacker, the security of the application may be threatened; for example, if a vulnerability corresponding to the architecture information of an online banking application is exploited, customers' assets may be harmed. A vulnerability may also by itself prevent the application from being used normally.
In operation S230, a test script is obtained, where in the test process, the test script may be used to find vulnerability information, so as to prompt the testing personnel and the developer about vulnerability information in the feature information, so that the developer may repair the vulnerability in time.
In operation S240, as shown in fig. 4, a knowledge graph is constructed according to the feature information, the vulnerability information and the test script, wherein the knowledge graph includes a first attribute between the feature information and the vulnerability information and a second attribute between the vulnerability information and the test script.
As one practical way, as shown in fig. 5, the operation S240 of constructing the knowledge graph according to the feature information, the vulnerability information and the test script includes operations S241 to S243.
In operation S241, entities of the feature information, the vulnerability information, and the test script are respectively established.
In operation S242, a first vector edge from the first entity to the second entity is established with the feature information as the first entity and the vulnerability information as the second entity, and the first vector edge has a first attribute.
In operation S243, with the test script as the third entity, a second vector edge from the second entity to the third entity is established, where the second vector edge has the second attribute.
Specifically, the first attribute is a corresponding relationship between the vulnerability information and the characteristic information. The second attribute is the corresponding relation between the test script and the vulnerability information. Therefore, the connection relation between the characteristic information and the vulnerability information can be established through the first vector edge with the first attribute, so that the characteristic information and the vulnerability information corresponding to the characteristic information can have a visual connection relation in the knowledge graph; the vulnerability information and the test script can be connected through the second vector edge with the second attribute, so that the vulnerability information and the test script corresponding to the vulnerability information can have an intuitive connection relation in the knowledge graph.
In operation S250, a valid test script for the application is selected according to the first attribute and the second attribute. As a possible implementation manner, as shown in fig. 6, operation S250 selects an effective test script for an application according to the first attribute and the second attribute, including operation S251 to operation S254.
In operation S251, all vulnerability information connected to a first vector edge of one piece of feature information is obtained using the one piece of feature information as a starting point.
In operation S252, from all the vulnerability information connected to the feature information by a first vector edge, all the test scripts connected to that vulnerability information by a second vector edge are obtained; these test scripts are the feature test scripts of that feature information.
In operation S253, the above steps are repeated until all m pieces of feature information have been used as starting points and their feature test scripts obtained.
In operation S254, the feature test scripts corresponding to each piece of feature information are merged to obtain the valid test scripts for the application.
Therefore, the selection of the valid test script for the application according to the first attribute and the second attribute can be conveniently realized through operations S251 to S254.
In operation S260, a valid test script is executed.
In operation S270, the execution result is output.
Taking a specific web application as an example, and referring to fig. 4, the application may be an online banking App of a bank, and the feature information of the online banking App includes a web page framework (specifically, the React framework), a web page server (specifically, an Nginx server), an application framework (specifically, the Spring framework), and an application programming language (specifically, the Java language).
Taking the React framework as a starting point, the vulnerability information corresponding to the React framework is found through the first attribute, namely the correspondence between vulnerability information and feature information; the vulnerability information corresponding to the React framework may specifically be an XSS vulnerability. The test script corresponding to the XSS vulnerability is then found through the second attribute, namely the correspondence between test script and vulnerability information; the test script corresponding to the XSS vulnerability may specifically be EXP1. Therefore, EXP1 is taken as the feature test script of the React framework.
Taking the Nginx server as a starting point, the vulnerability information corresponding to the Nginx server is found through the first attribute; the vulnerability information corresponding to the Nginx server may be a CVE1 vulnerability. The test scripts corresponding to the CVE1 vulnerability are then found through the second attribute; the test scripts corresponding to the CVE1 vulnerability may be EXP2 and EXP3. Therefore, EXP2 and EXP3 are taken as the feature test scripts of the Nginx server.
Taking the Spring framework as a starting point, the vulnerability information corresponding to the Spring framework is found through the first attribute; the vulnerability information corresponding to the Spring framework may be a CVExxx vulnerability and a SQL injection vulnerability. Through the second attribute, the test script corresponding to the CVExxx vulnerability is found, which may be EXP4; the test script corresponding to the SQL injection vulnerability is also found, which may be EXP5. Thus, EXP4 and EXP5 are taken as the feature test scripts of the Spring framework.
Taking the Java language as a starting point, the vulnerability information corresponding to the Java language is found through the first attribute; the vulnerability information corresponding to the Java language may be a SQL injection vulnerability. The test script corresponding to the SQL injection vulnerability is then found through the second attribute, and it may be EXP5. Therefore, EXP5 is taken as the feature test script of the Java language.
In summary, the feature test script EXP1 corresponding to the React framework, the feature test scripts EXP2 and EXP3 corresponding to the Nginx server, the feature test scripts EXP4 and EXP5 corresponding to the Spring framework, and the feature test script EXP5 corresponding to the Java language are merged to obtain the valid test scripts for the online banking App: EXP1, EXP2, EXP3, EXP4 and EXP5.
Thus, EXP1, EXP2, EXP3, EXP4 and EXP5 can be executed, and the execution result can then be obtained and output.
According to the knowledge-graph-based application testing method, the vulnerability information is connected to the feature information through the first attribute and the test script is connected to the vulnerability information through the second attribute, so that the knowledge graph is established. Through the knowledge graph, the valid test script for the application under test can be obtained accurately, which improves testing quality and testing efficiency; at the same time, the dependence on testing personnel is reduced, labor is saved, and the probability of human error is lowered. In addition, once the application address is input, the method can complete the whole test process, so the degree of automation is high.
FIG. 7 schematically shows a flow diagram for obtaining a test script according to an embodiment of the disclosure.
The acquiring of the test script in operation S230 includes operation S231.
In operation S231, a test script with a flag is acquired.
As shown in fig. 2, after operation S250 selects the valid test script for the application according to the first attribute and the second attribute, the method further includes operation S280: according to the marks, eliminating inefficient scripts from the multiple valid test scripts that have the second attribute with one piece of vulnerability information. As some specific examples, the marks may include the number of executions and the quality, and the inefficient scripts are valid test scripts that are executed relatively few times and have low quality.
Continuing with the internet banking App and referring to fig. 4, the valid test scripts for the vulnerability information CVE1 may be EXP2 and EXP3. The mark of EXP2 records 3 executions and low quality, and the mark of EXP3 records 5 executions and high quality. Comparing the two marks, EXP2 has been executed fewer times than EXP3, and EXP2 is a low-quality script while EXP3 is a high-quality script, so EXP2 is determined to be an inefficient script relative to EXP3; EXP2 is therefore eliminated and only EXP3 is kept as the valid test script for CVE1. Eliminating inefficient scripts improves both test efficiency and test quality while the test is still completed smoothly.
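The selection in operation S250 and the elimination in operation S280 described above, written out as an added Python example that is not part of the patent: feature test scripts are gathered per starting point, their union forms the valid set, and a script is eliminated only when another script for the same vulnerability has both more executions and higher quality. The framework name "framework_A", the vulnerability names other than CVE1 and SQL injection, and all marks except those the page gives for EXP2 and EXP3 are constructed placeholders.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Mark:
    """Mark carried by a test script (operation S231): execution count and quality."""
    executions: int
    high_quality: bool


@dataclass
class KnowledgeGraph:
    """Feature -> vulnerability edges (first attribute), vulnerability -> script
    edges (second attribute), and the mark of every script entity."""
    first_attribute: dict[str, set[str]] = field(default_factory=dict)
    second_attribute: dict[str, set[str]] = field(default_factory=dict)
    marks: dict[str, Mark] = field(default_factory=dict)

    def add_first_attribute(self, feature: str, vuln: str) -> None:
        """Vector edge from a feature entity to a vulnerability entity."""
        self.first_attribute.setdefault(feature, set()).add(vuln)

    def add_second_attribute(self, vuln: str, script: str, mark: Mark) -> None:
        """Vector edge from a vulnerability entity to a test-script entity."""
        self.second_attribute.setdefault(vuln, set()).add(script)
        self.marks[script] = mark

    def feature_test_scripts(self, feature: str) -> set[str]:
        """One starting point of operation S250: follow the first attribute to
        every vulnerability, then the second attribute to every script."""
        scripts: set[str] = set()
        for vuln in self.first_attribute.get(feature, ()):
            scripts |= self.second_attribute.get(vuln, set())
        return scripts

    def valid_test_scripts(self, features: list[str]) -> set[str]:
        """Union of the feature test scripts of all m pieces of feature information."""
        valid: set[str] = set()
        for feature in features:
            valid |= self.feature_test_scripts(feature)
        return valid

    def eliminate_inefficient(self, valid: set[str]) -> set[str]:
        """Operation S280: among the valid scripts sharing one vulnerability,
        drop a script only if another script for that vulnerability has both
        more executions and higher quality. A script that is merely run less
        often, or merely low quality, is kept, so no vulnerability loses all
        of its scripts."""
        rejected: set[str] = set()
        for candidates in self.second_attribute.values():
            group = [s for s in candidates if s in valid]
            for a in group:
                ma = self.marks[a]
                for b in group:
                    mb = self.marks[b]
                    if (a != b and ma.executions < mb.executions
                            and not ma.high_quality and mb.high_quality):
                        rejected.add(a)
                        break
        return valid - rejected


# Constructed sample graph following the internet banking App walk-through.
EXAMPLE_FEATURES = ["framework_A", "Nginx", "Spring", "Java"]


def build_example_graph() -> KnowledgeGraph:
    kg = KnowledgeGraph()
    kg.add_first_attribute("framework_A", "VULN_FRAMEWORK_A")  # placeholder
    kg.add_first_attribute("Nginx", "CVE1")
    kg.add_first_attribute("Spring", "VULN_SPRING")            # placeholder
    kg.add_first_attribute("Java", "SQL injection")
    kg.add_second_attribute("VULN_FRAMEWORK_A", "EXP1", Mark(4, True))
    kg.add_second_attribute("CVE1", "EXP2", Mark(3, False))    # marks from the page
    kg.add_second_attribute("CVE1", "EXP3", Mark(5, True))     # marks from the page
    kg.add_second_attribute("VULN_SPRING", "EXP4", Mark(2, True))
    kg.add_second_attribute("VULN_SPRING", "EXP5", Mark(6, True))
    kg.add_second_attribute("SQL injection", "EXP5", Mark(6, True))
    return kg


def select_scripts(kg: KnowledgeGraph, features: list[str]) -> set[str]:
    """Operations S250 and S280 together: the scripts handed to execution."""
    return kg.eliminate_inefficient(kg.valid_test_scripts(features))


if __name__ == "__main__":
    graph = build_example_graph()
    print(sorted(graph.valid_test_scripts(EXAMPLE_FEATURES)))  # EXP1..EXP5
    print(sorted(select_scripts(graph, EXAMPLE_FEATURES)))     # EXP2 eliminated
```

EXP4 is run less often than EXP5 but is high quality, so it survives; only EXP2, which is both less executed and low quality, is eliminated.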
According to some embodiments of the present disclosure, as shown in fig. 2, after the operation S260 executes the valid test script, the method further includes an operation S290: and storing the execution result. Thus, the stored execution results can be used as empirical data for later review and learning.
Based on the application testing method based on the knowledge graph, the present disclosure also provides an application testing device 10 based on the knowledge graph. The knowledge-graph based application testing device 10 will be described in detail below with reference to fig. 8.
FIG. 8 schematically shows a block diagram of the knowledge-graph based application testing device 10 according to an embodiment of the present disclosure.
The knowledge graph-based application testing device 10 comprises a first acquisition module 1, a second acquisition module 2, a third acquisition module 3, a graph construction module 4, a script selection module 5, a script execution module 6 and a result output module 7.
The first obtaining module 1 is configured to perform operation S210: acquiring the feature information of the application. The first obtaining module 1 may obtain the feature information of the application from the mobile terminal on which the application is installed, from the server side of the application, or from both the mobile terminal and the server side.
The second obtaining module 2 is configured to perform operation S220: acquiring the vulnerability information corresponding to the feature information. The vulnerability information corresponding to the feature information may be stored on the mobile terminal or the server side, and the second obtaining module 2 may obtain it from whichever of them stores it. The vulnerability information may also be available on a website, in which case the second obtaining module 2 may search for it on the website and download it.
The third obtaining module 3 is configured to perform operation S230: and acquiring the test script with the mark. The test script can be a test script uploaded to a script library of the mobile terminal and/or the server terminal by a tester.
The map building module 4 performs operation S240: and constructing a knowledge graph according to the feature information, the vulnerability information and the test script, wherein the knowledge graph comprises a first attribute between the feature information and the vulnerability information and a second attribute between the vulnerability information and the test script.
The script selecting module 5 performs operation S250: and selecting an effective test script aiming at the application according to the first attribute and the second attribute.
The script execution module 6 is configured to execute operation S260: a valid test script is executed.
The result output module 7 is configured to perform operation S270: and outputting an execution result.
Since the application testing device 10 based on the knowledge graph is configured based on the application testing method, the beneficial effects of the application testing device 10 based on the knowledge graph are the same as those of the application testing method based on the knowledge graph, and are not described herein again.
In addition, according to the embodiment of the present disclosure, any multiple modules of the first obtaining module 1, the second obtaining module 2, the third obtaining module 3, the map building module 4, the script selecting module 5, the script executing module 6, and the result outputting module 7 may be combined into one module to be implemented, or any one module thereof may be split into multiple modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of other modules and implemented in one module.
According to the embodiment of the present disclosure, at least one of the first obtaining module 1, the second obtaining module 2, the third obtaining module 3, the graph constructing module 4, the script selecting module 5, the script executing module 6 and the result outputting module 7 may be at least partially implemented as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware such as any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementation manners of software, hardware and firmware, or implemented by a suitable combination of any several of them.
Alternatively, at least one of the first obtaining module 1, the second obtaining module 2, the third obtaining module 3, the graph building module 4, the script selecting module 5, the script executing module 6 and the result outputting module 7 may be at least partially implemented as a computer program module, which may perform a corresponding function when the computer program module is executed.
The knowledge-graph based application testing device 20 according to an embodiment of the present disclosure is described in detail below with reference to fig. 9. It is to be understood that the following description is illustrative only and is not intended to be in any way limiting of the present disclosure.
The main functional modules of the knowledge-graph-based application testing device 20 include a WEB application information collection module 21, a vulnerability management module 22, an EXP script management module 23, a knowledge-graph construction module 24, a script execution module 25 and a test result display module 26.
The WEB application information collection module 21 obtains the application fingerprint information of the application through a scanner, according to the WEB address provided for the WEB application, and stores the application fingerprint information in the database. Application fingerprint information typically includes: Web framework information, programming language, Web server, and the various other frameworks in use.
The vulnerability management module 22 is used to store vulnerability information collected through various channels.
The EXP script management module 23 is configured to store, add and modify EXP scripts and to record the specific vulnerability and execution count of each script. The quality of a script can also be marked manually by a tester through this module.
The knowledge graph construction module 24 is based on knowledge graph technology: it stores the application fingerprint information, the vulnerability information and the EXP scripts in a graph database and establishes the graph relations between them. The relations are established from the relationship between application fingerprint information and vulnerability information, and from the past effect of the EXP scripts when security testers used them. Once the relations among the three are established, newly obtained application fingerprint information can be analysed through the knowledge graph, so that the most suitable EXP test scripts are screened out and submitted to the script execution module 25 for execution.
The knowledge graph construction module 24 mainly comprises two functions. One part is relation extraction and representation: the application fingerprint information, the vulnerability information and the EXP scripts are stored as entities, and the relation graph is constructed from relations such as the conditions under which a vulnerability occurs and which script tests which vulnerability.
The other part is correlation analysis: the fingerprint information, the vulnerability information and the EXP scripts are evaluated, and n EXP scripts are selected for execution according to judgment rules (attributes and the like).
The script execution module 25 is responsible for obtaining the script list from the knowledge graph construction module 24, executing the scripts in sequence, and storing the results in the system. All script execution results are displayed through the test result display module 26, as a reference for testers when writing reports and planning subsequent tests.
FIG. 10 schematically illustrates a block diagram of an electronic device adapted to implement a knowledge-graph based application testing method in accordance with an embodiment of the present disclosure.
As shown in fig. 10, an electronic apparatus 900 according to an embodiment of the present disclosure includes a processor 901 which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM) 902 or a program loaded from a storage portion 908 into a Random Access Memory (RAM) 903. Processor 901 may comprise, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 901 may also include on-board memory for caching purposes. The processor 901 may comprise a single processing unit or a plurality of processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 903, various programs and data necessary for the operation of the electronic apparatus 900 are stored. The processor 901, the ROM 902, and the RAM 903 are connected to each other through a bus 904. The processor 901 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 902 and/or the RAM 903. Note that the programs may also be stored in one or more memories other than the ROM 902 and the RAM 903. The processor 901 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 900 may also include an input/output (I/O) interface 905, which is also connected to the bus 904. The electronic device 900 may also include one or more of the following components connected to the I/O interface 905: an input portion 906 including a keyboard, a mouse, and the like; an output section 907 including components such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 908 including a hard disk and the like; and a communication section 909 including a network interface card such as a LAN card, a modem, or the like. The communication section 909 performs communication processing via a network such as the internet. A drive 910 is also connected to the I/O interface 905 as necessary. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 910 as necessary, so that a computer program read out from it is installed into the storage section 908 as necessary.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 902 and/or RAM 903 described above and/or one or more memories other than the ROM 902 and RAM 903.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method illustrated in the flow chart. The program code is for causing a computer system to perform the methods of the embodiments of the disclosure when the computer program product is run on the computer system.
The computer program performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure when executed by the processor 901. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed in the form of a signal on a network medium, and downloaded and installed through the communication section 909 and/or installed from the removable medium 911. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 909, and/or installed from the removable medium 911. The computer program, when executed by the processor 901, performs the above-described functions defined in the system of the embodiment of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In accordance with embodiments of the present disclosure, program code for executing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, these computer programs may be implemented using high level procedural and/or object oriented programming languages, and/or assembly/machine languages. The programming language includes, but is not limited to, programming languages such as Java, C++, Python, the "C" language, or the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (8)

1. A knowledge-graph-based application testing method, performed on an electronic device, comprising:
acquiring characteristic information of an application, wherein the characteristic information of the application comprises at least one of framework information, programming language, carrier framework information and carrier server of the application;
acquiring vulnerability information corresponding to the characteristic information;
acquiring a test script, wherein the acquiring of the test script comprises acquiring the test script with a mark;
constructing a knowledge graph according to the feature information, the vulnerability information and the test script, wherein the knowledge graph comprises a first attribute between the feature information and the vulnerability information and a second attribute between the vulnerability information and the test script, the first attribute is the corresponding relation between the vulnerability information and the feature information, and the second attribute is the corresponding relation between the test script and the vulnerability information;
selecting an effective test script aiming at the application according to the first attribute and the second attribute;
according to the mark, eliminating a plurality of inefficient scripts in the effective test scripts which have the second attribute with the vulnerability information and are used for one vulnerability information;
executing the valid test script; and
and outputting an execution result.
2. The knowledge-graph-based application testing method of claim 1, wherein the indicia comprise a number of executions and a quality, and the inefficient scripts comprise the valid test scripts that are executed a relatively small number of times and have a low quality.
3. The method for application testing based on a knowledge-graph of claim 1, wherein the constructing a knowledge-graph from the feature information, the vulnerability information and the test script comprises:
respectively establishing entities of the characteristic information, the vulnerability information and the test script;
establishing a first vector edge from the first entity to a second entity by taking the characteristic information as the first entity and the vulnerability information as the second entity, wherein the first vector edge has a first attribute; and
and establishing a second vector edge from the second entity to a third entity by taking the test script as the third entity, wherein the second vector edge has a second attribute.
4. The application testing method based on the knowledge-graph according to claim 1, wherein the number of the feature information is m, the number of the vulnerability information is n, the number of the test scripts is t, m, n and t are integers greater than or equal to 1, and selecting the effective test script for the application according to the first attribute and the second attribute comprises:
taking one piece of feature information as a starting point, and acquiring all the vulnerability information connected with the feature information by a first vector edge;
according to all the vulnerability information connected with the characteristic information with a first vector side, all the test scripts connected with all the vulnerability information with a second vector side are obtained, and all the test scripts connected with all the vulnerability information with a second vector side are characteristic test scripts;
repeating the steps until m pieces of feature information are used as starting points to obtain the feature test script; and
and solving and collecting the characteristic test scripts corresponding to each piece of characteristic information to obtain an effective test script aiming at the application.
5. The knowledge-graph-based application testing method of claim 1, wherein executing the valid test script further comprises: and storing the execution result.
6. A knowledge-graph-based application testing apparatus, comprising:
the system comprises a first acquisition module, a second acquisition module and a third acquisition module, wherein the first acquisition module is used for acquiring the characteristic information of an application, and the characteristic information of the application comprises at least one of framework information, programming language, carrier framework information and carrier server of the application;
the second acquisition module is used for acquiring vulnerability information corresponding to the characteristic information;
the third acquisition module is used for acquiring the test script with the mark, wherein the acquisition of the test script comprises the acquisition of the test script with the mark;
a knowledge graph construction module for constructing a knowledge graph according to the characteristic information, the vulnerability information and the test script, wherein the knowledge graph comprises a first attribute between the characteristic information and the vulnerability information and a second attribute between the vulnerability information and the test script, the first attribute being the corresponding relation between the vulnerability information and the characteristic information, and the second attribute being the corresponding relation between the test script and the vulnerability information;
the script selection module selects an effective test script aiming at the application according to the first attribute and the second attribute;
according to the mark, eliminating a plurality of inefficient scripts in the effective test scripts which have the second attribute with the vulnerability information and are used for one vulnerability information;
a script execution module for executing the valid test script; and
and the result output module is used for outputting an execution result.
7. An electronic device, comprising:
one or more processors;
one or more memories for storing executable instructions that, when executed by the processor, implement the method of any of claims 1-5.
8. A computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, implement a method according to any one of claims 1 to 5.
CN202110847050.3A 2021-07-26 2021-07-26 Application testing method and device based on knowledge graph, electronic equipment and medium Active CN113535577B (en)

Publications (2)

Publication Number Publication Date
CN113535577A CN113535577A (en) 2021-10-22
CN113535577B true CN113535577B (en) 2022-07-19





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant