CN113536316B - Method and device for detecting component dependency information - Google Patents

Method and device for detecting component dependency information

Info

Publication number: CN113536316B
Application number: CN202110672570.5A
Authority: CN (China)
Other versions: CN113536316A (en)
Other languages: Chinese (zh)
Prior art keywords: dependency information, dependency, component, information, original
Legal status: Active
Inventors: 洪二稳, 万振华, 王颉, 李华, 董燕, 汪杰
Current assignee: Seczone Technology Co Ltd
Original assignee: Seczone Technology Co Ltd
Events: application filed by Seczone Technology Co Ltd; priority to CN202110672570.5A; publication of CN113536316A; application granted; publication of CN113536316B; legal status active

Classifications

    • G06F21/577 Assessing vulnerabilities and evaluating computer system security (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/57 Certifying or maintaining trusted computer platforms)
    • G06F16/90344 Query processing by using string matching techniques (under G06F16/00 Information retrieval; database structures therefor; file system structures therefor; G06F16/90 Details of database functions independent of the retrieved data types; G06F16/903 Querying; G06F16/90335 Query processing)
    • G06F8/71 Version control; configuration management (under G06F8/00 Arrangements for software engineering; G06F8/70 Software maintenance or management)
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management (under Y02D Climate change mitigation technologies in information and communication technologies)


Abstract

The application provides a method and a device for detecting component dependency information. The method comprises the following steps: parsing a preset file with a regular expression to obtain original dependency information, where the original dependency information is the inter-component dependency relationship recorded in the preset file; acquiring real dependency information through the index of the data structure of the preset file, where the real dependency information is the inter-component dependency relationship that the index of the data structure of the preset file points to; and checking the original dependency information against the real dependency information and correcting it according to the comparison result. Because the real dependency information is acquired at the data-structure level through the index of the data structure, it can be used to correct the dependency information in the preset file, changing the overall state of the information. Detection with the technical scheme of the application is therefore more comprehensive and, at the same time, more accurate and less prone to false detection.

Description

Method and device for detecting component dependency information
Technical Field
The present application relates to the field of information detection technologies, and in particular to a method and an apparatus for detecting component dependency information.
Background
In recent years, shortening the development cycle has become an important demand in software development, and achieving it requires introducing third-party components.
With growing awareness of software security, whether a third-party component is secure or has known problems is receiving more and more attention. In the conventional component detection method, components are checked by comparing their hash values against a library of known dangerous components, and if at least one target hash value matches, the detected component is determined to be problematic.
However, comparing hash values with the component versions in the known dangerous component library easily misses components that differ only in some fields. The reason is that most components are open source; in actual service development the code may be reused after secondary processing, and as soon as the content of the original component changes slightly, the hash value of the original component changes with it. If the original component is then analysed directly with a regular expression, missed detections or false detections of the component are likely.
Disclosure of Invention
The technical problem to be solved by the application is that the component detection methods provided in the prior art have low detection comprehensiveness and accuracy.
To solve this technical problem, the application adopts the following technical scheme: a method of detecting component dependency information, comprising:
parsing the preset file with a regular expression to obtain original dependency information; the original dependency information includes the inter-component dependency relationship recorded in the preset file;
acquiring real dependency information through the index of the data structure of the preset file; the real dependency information includes the inter-component dependency relationship that the index of the data structure of the preset file points to;
according to the identification of the components shared by the original dependency information and the real dependency information, applying the real dependency information to compare the inter-component dependency relationship in the original dependency information;
and according to the comparison result, applying the real dependency information to correct the inter-component dependency relationship in the original dependency information.
Acquiring the real dependency information through the index of the data structure of the preset file includes:
parsing, according to the index of the data structure of the preset file, with the package-management dependency relationship regular expression, and generating the real dependency information.
Specifically, parsing the preset file with the regular expression to obtain the original dependency information includes:
parsing the content of the preset file with a regular expression and extracting the dependency relationship to be detected;
and extracting, according to the dependency relationship to be detected, the identification parameters and the parameters to be corrected in the preset file. The component names in the preset file belong to the original dependency information and are the identification of the components shared by the original dependency information and the real dependency information; the parameter to be corrected is the inter-component dependency relationship in the original dependency information.
Further, the identification of the shared component includes the component name, and the inter-component dependency relationship includes the component version; applying the real dependency information to compare the inter-component dependency relationship in the original dependency information includes:
traversing the components of the project in which the preset file is located, and collecting the component names and component versions in the preset file;
and matching the component names in the preset file with the component names in the real dependency information, then comparing the component versions.
Applying the real dependency information to correct the inter-component dependency relationship in the original dependency information includes:
obtaining the component names in the real dependency information whose comparison is consistent;
using those component names to obtain the version information of the components in the real dependency information;
and replacing the component version information in the original dependency information with the component version information in the real dependency information.
Further, after parsing the preset file with the regular expression to obtain the original dependency information, the method further includes:
removing invalid characters from the original dependency information.
Specifically, parsing the preset file with the regular expression includes:
obtaining a gemspec file from a Ruby project and taking the gemspec file as the preset file;
parsing the preset file with the regular expression to obtain the original dependency information then specifically includes:
parsing the gemspec file with a regular expression to acquire the dependency relationship in the gemspec file; the dependency relationship in the gemspec file includes the component identification in the Ruby project and the dependency information among the components; the component identification in the Ruby project is the identification of the components shared by the original dependency information and the real dependency information.
In the foregoing, the index of the data structure of the preset file is the directory in which the preset file is located, and parsing with the package-management dependency relationship regular expression according to the index of the data structure of the preset file to generate the real dependency information includes: in the directory in which the preset file is located, parsing with the package-management dependency relationship regular expression to acquire the real dependency information.
Further, the method further comprises: applying the corrected original dependency information to detect vulnerabilities in the third-party components.
A second aspect of the present application provides a device for detecting component dependency information, including:
a first parsing module, configured to parse the preset file with a regular expression to obtain original dependency information, the original dependency information including the inter-component dependency relationship recorded in the preset file;
a second parsing module, configured to acquire real dependency information through the index of the data structure of the preset file, the real dependency information including the inter-component dependency relationship in the index direction of the data structure in which the preset file is located;
a comparison module, configured to apply the real dependency information to compare the original dependency information according to the identification of the components shared by the original dependency information and the real dependency information;
and a correction module, configured to apply the real dependency information to correct the original dependency information.
The advantage of the method is that the real dependency information is acquired at the data-structure level through the index of the data structure, so that it can be used to correct the dependency information in the preset file and change the overall state of the information. When the technical scheme of the application is used for vulnerability detection, component detection is more comprehensive and the comparison is complete; at the same time, component detection accuracy is high and false detection is unlikely.
Drawings
The specific construction of the present application is described in detail below with reference to the accompanying drawings.
FIG. 1 is a flowchart of a method for detecting component dependency information according to a first embodiment of the present application;
FIG. 2 is a flowchart of acquiring original dependency information according to a second embodiment of the present application;
FIG. 3 is a flowchart of comparing original dependency information according to a third embodiment of the present application;
FIG. 4 is a flowchart of correcting original dependency information according to a fourth embodiment of the present application;
FIG. 5 is a schematic program module diagram of a device for detecting component dependency information according to a fifth embodiment of the present application.
Detailed Description
To describe the technical content, structural features, objects and effects of the present application in detail, the following description is given in connection with the embodiments and the accompanying drawings.
Referring to FIG. 1, which is a flowchart of a method for detecting component dependency information according to a first embodiment of the present application. The first aspect of the present application introduces a method for detecting component dependency information and discusses it in a certain order of operation; the execution order may also be multithreaded, parallel, or any other order of execution. The method comprises the following steps:
step S101, parsing a preset file with a regular expression to acquire original dependency information; the original dependency information includes the inter-component dependency relationship recorded in the preset file;
step S102, acquiring real dependency information through the index of the data structure of the preset file; the real dependency information includes the inter-component dependency relationship that the index of the data structure of the preset file points to;
step S103, according to the identification of the components shared by the original dependency information and the real dependency information, applying the real dependency information to check the original dependency information;
and step S104, according to the comparison result, applying the real dependency information to correct the inter-component dependency relationship in the original dependency information.
In this embodiment, because the data structure recorded in the preset file is easily confused under the influence of secondary development and similar project activity, the component information is prone to errors; correspondingly, the index of the file must undergo a definite, explicit change so that the project in which the component is located keeps running normally. On this basis, on one hand the file is parsed with a regular expression to obtain the original dependency information, as in conventional vulnerability detection; on the other hand, through the index of the data structure, the real dependency information is acquired at the data-structure level so that it can be used for correction. Hence, detection with the technical scheme of the application is more comprehensive, and at the same time component detection accuracy is high and false detection is unlikely.
The project above is built from its components by compiling a constructed program. The process of parsing the preset file may be: each component in the program is invoked in turn to compile and generate a corresponding compiled file, each compiled file is checked, and when every compiled file passes the check, packaging is performed to obtain the installation package corresponding to the software. Checking a compiled file means, for example, checking whether the output format after running the compiled file is wrong, or whether preset error data is output.
The original dependency information and the real dependency information each have their own scope and include information such as component names and component versions under the dependency relationship. They can take many forms, such as hash values or other character strings, and together form the dependency system of the whole system.
The index mentioned above is a storage-engine structure for quickly finding records; it can improve the performance of the project, and the larger the amount of data in the table, the more important its influence on performance becomes. It is mainly aimed at developers and applications.
Referring to FIG. 2, which is a flowchart of acquiring original dependency information according to a second embodiment of the present application. In step S101, parsing the preset file with the regular expression to obtain the original dependency information includes:
step S201, parsing the content of the preset file with a regular expression and extracting the dependency relationship to be detected;
step S202, extracting, according to the dependency relationship to be detected, the identification parameters and the parameters to be corrected in the preset file; the component names in the preset file belong to the original dependency information and are the identification of the components shared by the original dependency information and the real dependency information; the parameter to be corrected is the inter-component dependency relationship in the original dependency information.
Unlike conventional vulnerability detection approaches, which only select identification parameters, the scheme deliberately separates identification parameters from parameters to be corrected, for analysing and correcting the original dependencies. The identification parameter may be a component name, a sequence number or other key bytes, and any of these can serve as the identification parameter as long as it has no specific reference relationship. The parameters to be corrected generally refer to parameters that may change, for example data such as component version information.
Optionally, when vulnerability detection is performed on a Ruby project, the original dependency information can be obtained directly with a built-in preset rule. For example, the gemspec file may be parsed directly with a regular expression (.add\w_dependency) derived from the data dependency.
A regular expression is a logical formula for operating on character strings: a "regular string" is formed from a number of predefined specific characters and combinations of them, and this "regular string" expresses a filtering logic for character strings.
Optionally, in step S101, parsing the preset file with the regular expression to obtain the original dependency information further includes: removing invalid characters from the original dependency information.
In conventional development the preset file serves mainly as a developer's annotation file. Certain open-source components may be used during the development of a project, and such components are often completed independently by many developers, each with different ideas and habits, so certain invalid characters may appear in the file; the invalid characters can be removed with [% </[ \ ] - () { } > = "', ] in the regular expression.
Invalid characters differ between projects and coding specifications; they mainly refer to characters that the current software cannot process or recognise, and a character that is valid under one specification may become invalid under another. For example, data of a variable type defined in a Java project belongs to the invalid characters in a Ruby project.
In this embodiment, invalid characters are removed, so that the detection effect of the method is more accurate and its applicability wider. It should be noted that, although invalid characters can be removed with an ordinary regular expression alone, the prior art has no related idea of correcting version information, and so this needs to be emphasised.
It should be appreciated that Ruby is a completely object-oriented language whose variables are untyped, and thus, relative to languages such as C and C#, its development cycle is shorter. For this reason too, after a large number of open-source components are introduced in the development of a Ruby project, the security of the project should be emphasised further. In one specific embodiment, therefore:
before step S101 (parsing a preset file with a regular expression to acquire original dependency information), the method includes: obtaining a gemspec file from a Ruby project and taking the gemspec file as the preset file;
in step S101, parsing the preset file with the regular expression to obtain the original dependency information includes:
parsing the gemspec file with a regular expression to acquire the dependency relationship in the gemspec file; the dependency relationship in the gemspec file includes the component identification in the Ruby project and the dependency information among the components; the component identification in the Ruby project is the identification of the components shared by the original dependency information and the real dependency information.
In an embodiment, the file suffix obtained directly from the Ruby project is gemspec. The gemspec file is the file used by the gem package manager to build a Ruby project; it stores the basic project information and the component information. However, after secondary development, the data within the gemspec file may not have been altered, and therefore it needs to be detected and analysed.
As described above, the gemspec file, also called the developer's package attribute file, stores basic information such as author, annotations, example usage, license, dependencies and so on, usually in a simple plain-text format.
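As an added example (not code from the patent or from Seczone), the following Ruby script carries out steps S201 and S202 on a gemspec: it scans the file with a regular expression for the dependency declarations, takes the component name as the identification parameter and the version requirement as the parameter to be corrected, and strips the invalid characters listed above from the component name. The gemspec text and the component names in it are constructed for the example. The regular expression is deliberately broader than the (.add\w_dependency) pattern quoted in the text, since it also matches the add_runtime_dependency and add_development_dependency forms, and the decision to strip invalid characters from the name only (so that the version operator survives for the later comparison) is this example's own choice.

```ruby
# Added example, not the patent's code: obtain the "original dependency
# information" from a gemspec with regular expressions (steps S201/S202),
# then remove invalid characters.

# Constructed gemspec text (component names are invented for the example).
SAMPLE_GEMSPEC = <<~'GEMSPEC'
  Gem::Specification.new do |s|
    s.name    = "demo_app"
    s.version = "0.3.1"
    s.add_dependency "httpbase", "~> 2.2"
    s.add_runtime_dependency("xmlkit", ">= 1.13.0")
    s.add_development_dependency 'specrunner', '~> 3.11'
    s.add_dependency "jsonlite"   # no version requirement recorded
  end
GEMSPEC

# Dependency declaration, broader than the page's (.add\w_dependency) pattern:
#   group 1: "runtime" / "development" / nil (plain add_dependency)
#   group 2: component name  (the identification parameter)
#   group 3: remainder of the line holding the version requirement
#            (the parameter to be corrected)
DEPENDENCY_RE = /\.add_(?:(runtime|development)_)?dependency\s*\(?\s*['"]([^'"]+)['"](.*)$/

# Operator and version number inside the remainder, e.g. "~> 2.2" or ">= 1.13.0".
REQUIREMENT_RE = /([~><=!]*)\s*(\d+(?:\.\d+)*(?:\.[A-Za-z]\w*)?)/

# Our rendering of the invalid-character list given in the text:
# [% </[ \ ] - () { } > = "', ]  (the hyphen is escaped so it is literal).
INVALID_CHARS_RE = /[%<\/\[\]\\\-(){}>="', ]/

def strip_invalid(str)
  str.gsub(INVALID_CHARS_RE, "")
end

# Returns { name => { kind:, operator:, version: } }. The version operator is
# kept (it is needed to compare requirements later), so invalid characters are
# stripped from the name only.
def parse_gemspec(text)
  text.each_line.with_object({}) do |line, deps|
    m = DEPENDENCY_RE.match(line) or next
    req = REQUIREMENT_RE.match(m[3])
    deps[strip_invalid(m[2])] = {
      kind: m[1] || "runtime",
      operator: req ? (req[1].empty? ? "=" : req[1]) : nil,
      version: req && req[2]
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  parse_gemspec(SAMPLE_GEMSPEC).each do |name, d|
    puts format("%-12s %-12s %s %s", name, d[:kind], d[:operator], d[:version])
  end
end
```

Running the script prints one line per declared component with its kind, operator and version; a declaration without a version requirement (the `jsonlite` line) yields nil for both, which is exactly the case the later correction step has to fill from the real dependency information.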
As described above, the index of the data structure of the preset file can take various forms, such as a directory structure or a hyperlink. In this embodiment, a directory structure is used as the index of the data structure.
Step S102, acquiring the real dependency information through the index of the data structure of the preset file, includes: parsing, according to the index of the data structure of the preset file, with the package-management dependency relationship regular expression, and generating the real dependency information.
In this embodiment, a gem package is managed that contains the basic information of the package. When a project is run, the address or name of a component is required to call or reuse its data, and research and practice have shown that the real dependency relationship can be obtained more accurately from the package information in the gem package.
The index of the data structure of the preset file is the directory in which the preset file is located; in that directory, the package-management dependency relationship regular expression is applied for parsing, so that the real dependency information is obtained. When a Ruby project is detected and analysed, the gem-specific command (gem dependency) can be executed in the directory of the gemspec file and its output then parsed, so that the real dependency information in the gem package is analysed directly. It should be noted that the gem-specific command is mainly intended for development and is not used for data correction.
Further, the component identification and the corresponding dependency information are obtained from the dependency relationship in the gem package. In this embodiment, to ensure a better vulnerability detection effect, the dependency relationship is constructed using the identifier of the shared component, so that the overall dependency relationship can be displayed better and checked conveniently by the developer. The identification of the shared component includes the component name, and the inter-component dependency relationship includes the component version.
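As an added example (again not the patent's or Seczone's code), this Ruby script performs step S102 the way the text describes it: it runs the gem-specific command in the directory of the gemspec file and parses the output with a regular expression into the real dependency information, keyed by the shared identifier (the component name). The sample output is constructed; it assumes the output layout of `gem dependency` as a "Gem name-version" header followed by one indented "name (requirement[, development])" line per dependency, and the component names in it are invented. The function that actually runs the command assumes `gem` is on the PATH and is not exercised by the embedded sample.

```ruby
# Added example, not the patent's code: obtain the "real dependency
# information" (step S102) by running the gem-specific command in the
# directory of the gemspec file and parsing its output.
require "open3"

# Constructed sample of `gem dependency` output (invented component names).
# Assumed format: a "Gem <name>-<version>" header, then one indented
# "<name> (<requirement>[, development])" line per dependency; records are
# separated by a blank line.
SAMPLE_GEM_DEPENDENCY_OUTPUT = <<~OUT
  Gem demo_app-0.3.1
    httpbase (~> 2.2.4)
    xmlkit (>= 1.13.6)
    specrunner (~> 3.11, development)
    jsonlite (>= 0)

  Gem httpbase-2.2.4
OUT

# "Gem spec-runner-3.12.0": the name may itself contain hyphens, so the
# version is the part after the last hyphen that is followed by a digit.
GEM_HEADER_RE = /\AGem (\S+)-(\d[\w.]*)\z/
# "  xmlkit (>= 1.13.6)" or "  specrunner (~> 3.11, development)"
GEM_DEP_RE = /\A\s+(\S+) \((.+?)(?:, (\w+))?\)\z/

# Returns { gem_name => { version:, dependencies: { dep_name => { requirement:, kind: } } } }
def parse_gem_dependency(output)
  gems = {}
  current = nil
  output.each_line(chomp: true) do |line|
    if (h = GEM_HEADER_RE.match(line))
      current = { version: h[2], dependencies: {} }
      gems[h[1]] = current
    elsif current && (d = GEM_DEP_RE.match(line))
      current[:dependencies][d[1]] = { requirement: d[2], kind: d[3] || "runtime" }
    end
  end
  gems
end

# Runs `gem dependency` in the directory holding the gemspec (the "index of
# the data structure" of this embodiment) and parses the result. Assumes the
# gem command is on PATH; raises if it fails.
def real_dependency_information(gemspec_dir)
  out, status = Open3.capture2("gem", "dependency", chdir: gemspec_dir)
  raise "gem dependency failed in #{gemspec_dir}" unless status.success?
  parse_gem_dependency(out)
end

if __FILE__ == $PROGRAM_NAME
  parse_gem_dependency(SAMPLE_GEM_DEPENDENCY_OUTPUT).each do |name, g|
    puts "#{name} #{g[:version]}"
    g[:dependencies].each { |dep, d| puts "  #{dep} #{d[:requirement]} (#{d[:kind]})" }
  end
end
```

The parser keeps the development/runtime kind that the command reports, because a development-only dependency never ships with the project and a vulnerability check may want to weight it differently from a runtime one.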
Further, referring to FIG. 3, which is a flowchart of comparing original dependency information according to a third embodiment of the present application.
Step S103, comparing the inter-component dependency relationship in the original dependency information with the real dependency information, includes:
step S301, traversing the components of the project in which the preset file is located, and collecting the component names and component versions in the preset file;
Traversing the components of the project in which the preset file is located means detecting each component in turn along the original dependency relationship of the components, mainly checking the value of the identification parameter. Collecting the identification parameters may be periodic, and the period may be set according to the customer's needs so that they are updated regularly. In this embodiment, the name of the component in the preset file is used as the identification parameter.
step S302, after the component names in the preset file have been matched with the component names in the real dependency information, comparing the component versions.
In this embodiment, to detect vulnerabilities more comprehensively and accurately, the components are traversed, the identification parameters are collected, data matching is then performed with the identification parameters, and after the original dependency information has been analysed and judged, the real dependency information is used for correction.
Specifically, referring to FIG. 4, which is a flowchart of correcting original dependency information according to a fourth embodiment of the present application. In step S104, applying the real dependency information to correct the inter-component dependency relationship in the original dependency information includes:
step S401, obtaining the component names in the real dependency information whose comparison is consistent;
step S402, using those component names to obtain the version information of the components in the real dependency information;
step S403, replacing the component version information in the original dependency information with the component version information in the real dependency information.
In this embodiment, to reduce operational difficulty and avoid problems caused by referencing new parameters, after data matching with the component name as the identification parameter, the component version information from the real dependency information is applied directly to replace the version information in the parameter to be corrected. It should be noted that in Ruby project development the development cycle is short, versions are updated relatively quickly, version information is easily overlooked and manual modification is difficult, so the technical scheme of this embodiment is particularly suitable for dependency information detection of Ruby projects.
Further, the method further comprises: applying the corrected original dependency information to detect vulnerabilities in the third-party components.
It should be appreciated that most vulnerability detection technologies obtain dependency information directly from the preset file by means of a regular expression, and the method is therefore compatible with conventional technology. In this embodiment, the emphasis is that the method is particularly suitable for vulnerability detection of third-party components and can achieve a better detection effect.
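As an added example (not the patent's or Seczone's code), the Ruby script below carries steps S301/S302 and S401-S403 through to the vulnerability check on the corrected information. It matches the two dependency sets on the shared identifier (the component name), compares the versions, replaces the recorded version with the real one for every matched name, and then checks each dependency against an advisory table. The original and real dependency sets, the component names and the advisory table (with placeholder identifiers, not real advisories) are all constructed for the example; the use of RubyGems' `Gem::Requirement` for range matching and the conservative choice of testing the version stated in a requirement against the affected range are this example's own.

```ruby
# Added example, not the patent's code: compare (S301/S302), correct
# (S401-S403) and then run a vulnerability check on the corrected result.
require "rubygems"   # Gem::Version and Gem::Requirement for version comparison

# Constructed inputs (invented component names): name => version requirement.
# ORIGINAL is what the gemspec still records after secondary development;
# REAL is what the package manager actually resolves.
ORIGINAL = {
  "httpbase"   => "~> 2.2",
  "xmlkit"     => ">= 1.13.0",
  "specrunner" => "~> 3.11",
  "oldutil"    => "= 0.1.0",    # recorded, but no longer resolved
}.freeze
REAL = {
  "httpbase"   => "~> 2.2.4",
  "xmlkit"     => ">= 1.13.6",
  "specrunner" => "~> 3.11",
  "jsonlite"   => ">= 0",       # resolved, but never recorded
}.freeze

# S301/S302: the component name is the identification parameter, the version
# requirement the parameter to be corrected.
def compare_dependencies(original, real)
  result = { consistent: [], mismatched: [], only_original: [], only_real: [] }
  original.each do |name, version|
    if !real.key?(name)         then result[:only_original] << name
    elsif real[name] == version then result[:consistent] << name
    else                             result[:mismatched] << name
    end
  end
  result[:only_real] = real.keys - original.keys
  result
end

# S401-S403: every name that also appears in the real dependency information
# takes the real version; unmatched names keep what was recorded.
def correct_dependencies(original, real)
  original.each_with_object({}) do |(name, version), corrected|
    corrected[name] = real.fetch(name, version)
  end
end

# Constructed advisory table with placeholder identifiers (not real
# advisories): each entry names the affected version range of a component.
ADVISORIES = [
  { id: "ADVISORY-PLACEHOLDER-1", name: "httpbase", affected: "< 2.2.4" },
  { id: "ADVISORY-PLACEHOLDER-2", name: "xmlkit",   affected: "< 1.13.6" },
].freeze

# The version number stated in a requirement ("~> 2.2" -> 2.2). For the
# operators used here it is the lowest version the requirement admits, so
# testing it against the affected range is a conservative check.
def stated_version(requirement)
  Gem::Version.new(requirement[/\d[\w.]*/] || "0")
end

# Returns the advisory ids whose affected range still admits the stated
# version of the corresponding dependency.
def flag_vulnerable(deps, advisories = ADVISORIES)
  advisories.select do |adv|
    req = deps[adv[:name]]
    req && Gem::Requirement.new(adv[:affected]).satisfied_by?(stated_version(req))
  end.map { |adv| adv[:id] }
end

if __FILE__ == $PROGRAM_NAME
  p compare_dependencies(ORIGINAL, REAL)
  corrected = correct_dependencies(ORIGINAL, REAL)
  puts "before correction: #{flag_vulnerable(ORIGINAL).inspect}"
  puts "after correction:  #{flag_vulnerable(corrected).inspect}"
end
```

On the constructed inputs the uncorrected gemspec versions trip both advisories, while the corrected versions trip neither: the stale requirements in the preset file would have produced two false detections that the real dependency information removes, which is the effect the embodiment claims. Names present only on one side (`oldutil`, `jsonlite`) are reported separately rather than silently dropped, so a reviewer can see what the gemspec and the package manager disagree about.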
Referring to fig. 5, fig. 5 is a schematic program module diagram of a device for detecting component dependent information according to a fifth embodiment of the application. A second aspect of the present application provides a device for detecting component-dependent information, including:
the first parsing module 100 is configured to parse the preset file by applying the regular expression to obtain original dependency information; the original dependency information comprises the dependency relationship among components in the preset file record;
the second parsing module 200 is configured to obtain real dependency information through an index of a data structure of the preset file; the real dependency information comprises dependency relations among components in index directions of a data structure where the preset file is located;
a comparison module 300, configured to apply the real dependency information to compare the original dependency information according to the identifier of the shared component of the original dependency information and the real dependency information;
and the correction module 400 is used for applying the real dependency information to correct the original dependency information.
Specifically, the second parsing module 200 is further configured to parse with the package manager's dependency relationship regular expression according to the index of the data structure of the preset file, and to generate the real dependency information.
The comparison module 300 is specifically configured to parse the content of the preset file with a regular expression and extract the dependency relationship to be detected;
it is further configured to extract the component names and the parameters to be corrected from the preset file according to the dependency relationship to be detected; the component names in the preset file belong to the original dependency information and are the identifiers of the components shared by the original dependency information and the real dependency information; the parameters to be corrected are the inter-component dependency relationships in the original dependency information.
The first parsing module 100 is specifically configured to traverse the components of the project where the preset file is located, and to collect the names and versions of the components in the preset file;
it is further configured to match the component names in the preset file with the component names in the real dependency information, and then compare the component versions.
The correction module 400 is specifically configured to:
obtain the component names in the real dependency information that matched in the comparison;
use those matched component names to obtain the version information of the components in the real dependency information;
and replace the component version information in the original dependency information with the component version information from the real dependency information.
Further, the first parsing module 100 is also configured to remove invalid characters from the original dependency information.
The first parsing module 100 is specifically configured to obtain a gemspec file from a Ruby project;
and to parse the gemspec file to obtain the component identifiers and the corresponding dependency information of the Ruby project.
Further, the apparatus comprises a vulnerability detection module 500, which applies the corrected original dependency information to detect vulnerabilities in third-party components.
The device of this embodiment may also be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative: the division into modules is only a logical functional division, and an actual implementation may divide it differently; for example, multiple modules or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections via interfaces, devices or modules, which may be electrical, mechanical or of other forms.
The functional modules in the embodiments of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module. The integrated modules may be implemented in hardware or in software functional modules.
The integrated modules, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of it, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
In order to achieve the above embodiments, the embodiments of the present application further provide an electronic device. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smartphones, wearable devices, and other similar computing devices.
The foregoing description is only illustrative of the present application and is not intended to limit the scope of the application, and all equivalent structures or equivalent processes or direct or indirect application in other related technical fields are included in the scope of the present application.

Claims (9)

1. A method for detecting component dependency information, comprising:
parsing the preset file with a regular expression to obtain original dependency information; the original dependency information includes the dependency relationships among components as recorded in the preset file;
acquiring real dependency information through the index of the data structure of the preset file; the real dependency information includes the dependency relationships among components to which the index of the data structure of the preset file points;
according to the identifiers of the components shared by the original dependency information and the real dependency information, applying the real dependency information to compare the inter-component dependency relationships in the original dependency information;
according to the comparison result, applying the real dependency information to correct the inter-component dependency relationships in the original dependency information;
wherein parsing the preset file with the regular expression to obtain the original dependency information includes:
parsing the content of the preset file with a regular expression and extracting the dependency relationship to be detected;
extracting the component names and the parameters to be corrected from the preset file according to the dependency relationship to be detected; the component names in the preset file belong to the original dependency information and are the identifiers of the components shared by the original dependency information and the real dependency information; the parameters to be corrected are the inter-component dependency relationships in the original dependency information.
2. The method for detecting component dependency information according to claim 1, wherein acquiring the real dependency information through the index of the data structure of the preset file includes:
parsing with the package manager's dependency relationship regular expression according to the index of the data structure of the preset file, and generating the real dependency information.
3. The method for detecting component dependency information according to claim 1, wherein the identifier of the shared component comprises the component name, and the inter-component dependency relationship comprises the component version; applying the real dependency information to compare the inter-component dependency relationships in the original dependency information includes:
traversing the components of the project where the preset file is located, and collecting the names and versions of the components in the preset file;
matching the component names in the preset file with the component names in the real dependency information, and then comparing the component versions.
4. The method for detecting component dependency information according to claim 3, wherein applying the real dependency information to correct the inter-component dependency relationships in the original dependency information according to the comparison result comprises:
obtaining the component names in the real dependency information that matched in the comparison;
using those matched component names to obtain the version information of the components in the real dependency information;
replacing the component version information in the original dependency information with the component version information from the real dependency information.
5. The method for detecting component dependency information according to claim 1, wherein after parsing the preset file with the regular expression to obtain the original dependency information, the method further includes:
removing invalid characters from the original dependency information.
6. The method for detecting component dependency information according to claim 1, wherein before parsing the preset file with the regular expression to obtain the original dependency information, the method includes:
obtaining a gemspec file from a Ruby project, and taking the gemspec file as the preset file;
and parsing the preset file with the regular expression to obtain the original dependency information specifically comprises:
parsing the gemspec file with a regular expression to acquire the dependency relationships in the gemspec file; the dependency relationships in the gemspec file include the component identifiers in the Ruby project and the dependency information among the components; the component identifiers in the Ruby project are the identifiers of the components shared by the original dependency information and the real dependency information.
7. The method for detecting component dependency information according to claim 2, wherein the index of the data structure of the preset file is the directory where the preset file is located, and parsing with the package manager's dependency relationship regular expression according to the index of the data structure of the preset file to generate the real dependency information includes:
parsing with the package manager's dependency relationship regular expression under the directory where the preset file is located, to acquire the real dependency information.
8. The method for detecting component dependency information according to any one of claims 1 to 7, further comprising:
applying the corrected original dependency information to detect vulnerabilities in third-party components.
9. A device for detecting component dependency information, comprising:
a first parsing module, configured to parse the content of the preset file with a regular expression and extract the dependency relationship to be detected, and to extract the component names and the parameters to be corrected from the preset file according to the dependency relationship to be detected; the component names in the preset file belong to the original dependency information and are the identifiers of the components shared by the original dependency information and the real dependency information; the parameters to be corrected are the inter-component dependency relationships in the original dependency information; the original dependency information comprises the dependency relationships among components as recorded in the preset file;
a second parsing module, configured to acquire real dependency information through the index of the data structure of the preset file; the real dependency information comprises the dependency relationships among components to which the index of the data structure containing the preset file points;
a comparison module, configured to compare the original dependency information with the real dependency information according to the identifiers of the components shared by the original dependency information and the real dependency information;
and a correction module, configured to correct the original dependency information using the real dependency information.
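The procedure of claims 1 to 8 and of the module description above, as an added example in Ruby that is not code from the patent or its applicant. Everything below is constructed for illustration: the gemspec and lock file contents, the two regular expressions (the patent does not disclose its own), and the advisory table. One assumption is not stated on the page: that the "real" dependency information is read from the Gemfile.lock that bundler writes in the directory containing the gemspec, which is how the "index of the data structure" of claim 7 is interpreted here.

```ruby
# Added example, not code from the patent or its applicant: the detection flow
# of claims 1 to 8 applied to a Ruby project. Assumption not on the page: the
# "real" dependency information comes from the Gemfile.lock next to the gemspec.

# Constructed gemspec content, standing in for the "preset file".
SAMPLE_GEMSPEC = <<~'GEMSPEC'
  Gem::Specification.new do |s|
    s.name    = "sample_app"
    s.version = "1.0.0"
    s.add_dependency "rack", "~> 2.2"
    s.add_runtime_dependency 'nokogiri', '>= 1.10', '< 2'
    s.add_development_dependency("rspec")
    s.add_development_dependency "yard", "~> 0.9"
  end
GEMSPEC

# Constructed Gemfile.lock content from the same directory: the package
# manager's resolved versions, i.e. the "real" dependency information.
SAMPLE_LOCK = <<~'LOCK'
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.13.10)
        racc (~> 1.4)
      racc (1.6.2)
      rack (2.2.6)
      rspec (3.12.0)
  DEPENDENCIES
    nokogiri
    rack
    rspec
LOCK

# add_*_dependency calls in a gemspec: group 2 is the component name, group 3
# the raw, still-quoted list of version constraints that follows it.
GEMSPEC_DEP_RE = /add_(?:runtime_|development_)?dependency\s*\(?\s*(['"])([^'"]+)\1((?:\s*,\s*['"][^'"]*['"])*)/

# Resolved entries under "specs:" in Gemfile.lock. Exactly four leading spaces
# selects top-level gems; transitive entries sit deeper and carry constraints.
LOCK_SPEC_RE = /^ {4}(\S+) \(([^)]+)\)\s*$/

# Drop characters that carry no meaning in a version constraint; nil if empty.
def strip_invalid_chars(value)
  cleaned = value.to_s.gsub(/['"()]/, "").gsub(/\s+/, " ").gsub(/\s*,\s*/, ", ").strip
  cleaned = cleaned.sub(/\A,\s*/, "").sub(/\s*,\z/, "")
  cleaned.empty? ? nil : cleaned
end

# Step 1: original dependency information as the project author wrote it;
# values are constraint strings such as "~> 2.2", or nil when none was given.
def parse_gemspec(text)
  text.scan(GEMSPEC_DEP_RE).each_with_object({}) do |(_quote, name, raw), deps|
    deps[name] = strip_invalid_chars(raw)
  end
end

# Step 2: real dependency information from the package manager's lock file.
def parse_lockfile(text)
  text.scan(LOCK_SPEC_RE).to_h
end

# Step 3: compare on the shared identifier (component name); for each component
# present in both sets, report both versions and whether they agree.
def compare_dependencies(original, real)
  (original.keys & real.keys).map do |name|
    { name: name, original: original[name], real: real[name],
      consistent: original[name] == real[name] }
  end
end

# Step 4: replace the version of every shared component with the resolved one;
# components absent from the lock file are kept as written.
def correct_dependencies(original, real)
  original.map { |name, version| [name, real.fetch(name, version)] }.to_h
end

# Constructed placeholder advisory table (component => affected versions), not
# real advisory data; real tooling would load this from a vulnerability database.
PLACEHOLDER_ADVISORIES = { "rack" => "< 2.2.7", "nokogiri" => "< 1.13.10" }.freeze

# Step 5: vulnerability detection on third-party components. A constraint such
# as "~> 2.2" is not a version and cannot be matched against an affected range,
# so only the corrected information yields findings.
def detect_vulnerable(deps, advisories = PLACEHOLDER_ADVISORIES)
  deps.select do |name, version|
    next false unless version && advisories.key?(name) && Gem::Version.correct?(version)
    Gem::Requirement.new(advisories[name]).satisfied_by?(Gem::Version.new(version))
  end.keys
end

if __FILE__ == $PROGRAM_NAME
  original  = parse_gemspec(SAMPLE_GEMSPEC)
  corrected = correct_dependencies(original, parse_lockfile(SAMPLE_LOCK))
  puts "corrected: #{corrected.inspect}"
  puts "findings before correction: #{detect_vulnerable(original).inspect}"
  puts "findings after correction:  #{detect_vulnerable(corrected).inspect}"
end
```

Running the file prints no findings for the uncorrected information and one for the corrected information, which is the point of the correction step: the version matching that vulnerability detection relies on needs the resolved versions from the package manager, not the constraint strings an author typed into the gemspec. The `yard` entry, absent from the lock file, is carried through unchanged, as claim 4 prescribes for names that do not match.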
CN202110672570.5A 2021-06-17 2021-06-17 Method and device for detecting component dependency information Active CN113536316B (en)

Publications (2)

Publication Number Publication Date
CN113536316A CN113536316A (en) 2021-10-22
CN113536316B true CN113536316B (en) 2023-08-11

Family

ID=78125076

Country Status (1)

Country Link
CN (1) CN113536316B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant