CN114020634B - Evaluation method and system for autonomous controllability of software product - Google Patents


Info

Publication number
CN114020634B
CN114020634B
Authority
CN
China
Prior art keywords
autonomous
code
open source
information
vulnerability
Prior art date
Legal status
Active
Application number
CN202111333681.XA
Other languages
Chinese (zh)
Other versions
CN114020634A (en)
Inventor
金达
刘健
霍珊珊
张益�
董晶晶
张岩
刘润一
Current Assignee
CETC 15 Research Institute
Original Assignee
CETC 15 Research Institute
Application filed by CETC 15 Research Institute
Priority to CN202111333681.XA
Publication of CN114020634A
Application granted
Publication of CN114020634B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/36 Preventing errors by testing or debugging software
    • G06F 11/3668 Software testing
    • G06F 11/3672 Test management
    • G06F 11/3684 Test management for test design, e.g. generating new test cases
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/36 Preventing errors by testing or debugging software
    • G06F 11/3668 Software testing
    • G06F 11/3672 Test management
    • G06F 11/3688 Test management for test execution, e.g. scheduling of test suites


Abstract

The invention provides a method and a system for evaluating the autonomous controllability of a software product. The method comprises the steps of obtaining software code information; performing multi-level code traceability analysis on the software source code; calculating, from the open source code and autonomous code information, the autonomous file proportion, the autonomous code segment proportion, the open source file proportion and the open source code segment proportion as percentages, and obtaining an autonomous proportion Z by weighted calculation; performing security defect detection on the autonomous code and calculating a defect value IV of the autonomous code; processing the open source code information to calculate an open source code vulnerability value OV; and obtaining the autonomous controllability F of the software product by weighted calculation from the autonomous code proportion Z, the autonomous code defect value IV and the open source code vulnerability value OV. The method is a quantifiable evaluation method and reduces the influence of other factors on the judgment of autonomous controllability.

Description

Evaluation method and system for autonomous controllability of software product
Technical Field
The invention relates to the field of software security evaluation, in particular to an evaluation method and system for autonomous controllability of a software product.
Background
With the rapid development of the software industry, the software supply chain has become more complex and diversified, so that the autonomy and security of software products face great challenges. In particular, the use of open source software keeps increasing, so that most software today is assembled: it consists of source code developed independently by the enterprise together with open source software code.
Source code is the origin of software, and the autonomy and security of the source code are the basis for the autonomous controllability of software. Statistics indicate that there is 1 code defect per thousand lines of code. Open source software also commonly contains flaws and vulnerabilities, and sometimes even malicious code. In recent years, technology companies at home and abroad have frequently suffered attacks caused by source code vulnerabilities, and security threats are increasingly serious.
At present, software products developed by domestic enterprises commonly use a considerable amount of open source code, even open source code with known vulnerabilities, and carry huge security risks and hidden dangers, so that the autonomous controllability of domestic software is greatly compromised. In addition, the development cycle of domestic software is too short and is biased toward implementing functions and improving performance; not enough importance is attached to the security defects and vulnerabilities of the software, and the autonomous code developed in-house carries too much security risk, which seriously affects the controllability of domestic software.
Existing methods for evaluating the autonomous controllability of software fall into two main types. The first is an integrated evaluation method based on an autonomous controllability evaluation model: a quantified value is obtained by evaluating factors such as the technical level, intellectual property level, capital proportion in the enterprise's equity, staff proportion in the enterprise, enterprise qualifications, software documents and software compilation environment of the software development enterprise, and the weight of each factor is assigned according to expert opinion, from which the software autonomous controllability is calculated. This evaluation method has two problems: first, the evaluation result is strongly affected by the subjective experience of the expert; second, it pays too much attention to factors outside the software product itself and cannot give a method for detecting the autonomous code proportion of the software product, so its practical operability is weak.
The second type judges whether the software was developed autonomously from two angles: whether the software code is consistent with the software design description document, and whether the code contains parts not covered by the test cases. This method can only give a qualitative judgment on whether the software product was developed autonomously and cannot give a quantitative analysis of the degree of autonomous controllability. Another problem is that code being covered by test cases does not sufficiently prove that it was self-developed.
In addition, as network security threats become increasingly serious, the existing methods for evaluating software autonomous controllability have a major defect: the influence of software code defects and vulnerabilities on autonomous controllability is not fully considered. Therefore, a quantifiable evaluation method covering the autonomous proportion of the software code, code defects, security vulnerabilities and the like is urgently needed to solve the problem of evaluating the autonomous controllability of software products.
Disclosure of Invention
In order to solve the technical problems above, the invention provides an evaluation method and system for the autonomous controllability of a software product, which address the incomplete evaluation factors and the inaccurate measurement method and results of autonomous controllability evaluation in the prior art. The invention can automatically evaluate the degree of autonomy and the degree of security controllability of the software code, and realizes the evaluation of the autonomous controllability of the software product from three aspects: the autonomous proportion of the software code, autonomous code defects and open source code security vulnerabilities.
According to a first aspect of the present invention, there is provided a method of assessing the autonomous controllability of a software product, the method comprising the steps of:
Step 1: analyzing the software source code to obtain software code information, where the software code information comprises the software architecture, file dependency relationships, file types, file numbers and code fingerprint information;
Step 2: performing multi-level code traceability analysis on the software source code to identify open source code, open source files, autonomous code and autonomous files;
Step 3: according to the open source code and autonomous code information and the classification of files and code, obtaining the number of autonomous files, the number of open source files, the number of autonomous code segments and the number of open source code segments, and calculating the autonomous file proportion, autonomous code segment proportion, open source file proportion and open source code segment proportion as percentages. The autonomous proportion Z is then calculated by weighting according to the following formula:
Z = autonomous file proportion × C1 + autonomous code segment proportion × C2
where C1 is the weight value of the autonomous file proportion and C2 is the weight value of the autonomous code segment proportion;
performing security defect detection on the autonomous code, determining the defect condition of the autonomous code, obtaining the number of security defect items and the risk level of each security defect item, and then calculating the defect value IV of the autonomous code;
processing the open source code information, extracting the information useful for vulnerability comparison, eliminating information that is useless for, or interferes with, the subsequent vulnerability judgment, and normalizing the useful information to form open source code comparison information; comparing the open source code comparison information with the normalized vulnerability information of a vulnerability database to determine the open source code vulnerability condition, including the number of vulnerabilities and the vulnerability risk levels, and calculating the open source code vulnerability value OV;
the normalized vulnerability information is vulnerability information published by public vulnerability databases such as CNNVD (China national information security vulnerability database), CNVD (China national information security vulnerability sharing platform) and the foreign CVE (Common Vulnerabilities and Exposures), normalized into a uniform data format;
Step 4: obtaining the autonomous controllability F of the software product by weighted calculation from the autonomous code proportion Z, the autonomous code defect value IV and the open source code vulnerability value OV, grading the autonomous controllability of the software product according to the set grading conditions, and finally automatically generating a software product autonomous controllability evaluation report; the autonomous controllability F of the software product is calculated according to the following formula:
F = Z × W1 + IV × W2 + OV × W3
where W1 is the weight value of the autonomous proportion, W2 is the weight value of the autonomous code defect value and W3 is the weight value of the open source code vulnerability value.
The multi-level code traceability analysis comprises: based on the dependency relationships and the code fingerprint information, performing multi-level traceability analysis of files and code segments against an open source component information base, and identifying open source components and their versions. Through analysis and judgment of the degree of similarity with the open source components, files and code above a preset threshold are open source files and open source code, and files and code equal to or below the preset threshold are autonomous files and autonomous code.
Optionally, the security defect detection on the autonomous code includes detection of security defects such as buffer overflow, memory leak, array out-of-bounds access, use of uninitialized variables, dangerous functions, dead code, information leakage and improper permission management.
According to a second aspect of the present invention, there is provided an assessment system for autonomous controllability of a software product, the system comprising:
The system comprises a software source code composition analysis module, an open source component information base, a multi-level software traceability analysis module, an autonomous code proportion calculation module, an autonomous code security detection module, an open source code comparison information extraction module, a vulnerability database, a vulnerability comparison analysis engine and an automatic evaluation report generation module.
The software source code composition analysis module analyzes the software source code and obtains software code information, which comprises the software architecture, file dependency relationships, file types, file numbers and code fingerprint information;
the open source component information base integrates open source component information from home and abroad, including open source file names, file fingerprints, code fingerprints and source code;
the multi-level software traceability analysis module performs multi-level traceability analysis of files and code segments against the open source component information base, based on the dependency relationships and the code fingerprint information; through analysis and judgment of the degree of similarity with the open source components, files and code above a preset threshold are open source files and open source code, and files and code equal to or below the preset threshold are autonomous files and autonomous code, so that the open source code, open source files, autonomous code and autonomous files are identified;
the autonomous code proportion calculation module, according to the open source code and autonomous code information and the classification of files and code, obtains the number of autonomous files, the number of open source files, the number of autonomous code segments and the number of open source code segments, calculates the autonomous file proportion, autonomous code segment proportion, open source file proportion and open source code segment proportion as percentages, and calculates the autonomous proportion Z according to the following formula:
Z = autonomous file proportion × C1 + autonomous code segment proportion × C2
where C1 is the weight value of the autonomous file proportion and C2 is the weight value of the autonomous code segment proportion;
the autonomous code security detection module detects security defects such as buffer overflow, memory leak, array out-of-bounds access, use of uninitialized variables, dangerous functions, dead code, information leakage and improper permission management, obtaining the number of security defect items and the risk level of each security defect item; from the number of security defects and their risk levels it calculates the autonomous code defect value IV;
the open source code comparison information extraction module processes and analyzes the open source code information to extract the information useful for vulnerability comparison, eliminating information that is useless for, or interferes with, the subsequent vulnerability judgment, which improves the accuracy and efficiency of the vulnerability comparison; the useful information is normalized to form the open source code comparison information;
the vulnerability database integrates the vulnerability information of public vulnerability databases at home and abroad, including information such as the affected entities and the vulnerability description, and normalizes the vulnerability information from different sources to form normalized vulnerability information; the public vulnerability databases comprise CNNVD (China national information security vulnerability database), CNVD (China national information security vulnerability sharing platform) and the foreign CVE (Common Vulnerabilities and Exposures);
the vulnerability comparison analysis engine compares the open source code comparison information with the normalized vulnerability information provided by the vulnerability database to determine the vulnerability condition of the open source code, including the number of vulnerabilities and their risk levels; from the number of vulnerabilities and their risk levels it calculates the open source code vulnerability value OV;
the normalized vulnerability information is vulnerability information published by the public vulnerability databases above, normalized into a uniform data format;
the automatic evaluation report generation module obtains the autonomous controllability F of the software product by weighted calculation from the autonomous code proportion Z, the autonomous code defect value IV and the open source code vulnerability value OV; according to F it grades the autonomous controllability of the software product under the set grading conditions, and finally automatically generates the autonomous controllability evaluation report of the software product;
F = Z × W1 + IV × W2 + OV × W3
where W1 is the weight value of the autonomous proportion, W2 is the weight value of the autonomous code defect value and W3 is the weight value of the open source code vulnerability value.
According to a third aspect of the present invention, there is provided an assessment system for autonomous controllability of a software product, comprising:
A processor for executing a plurality of instructions;
A memory for storing a plurality of instructions;
the instructions are stored in the memory and are loaded and executed by the processor to perform the method for evaluating the autonomous controllability of a software product as described above.
According to a fourth aspect of the present invention, there is provided a computer-readable storage medium storing a plurality of instructions; the instructions are loaded and executed by a processor to perform the method for evaluating the autonomous controllability of a software product as described above.
In summary, the invention provides a method for evaluating the autonomous controllability of a software product which evaluates the degree of autonomy and the security controllability of the software product from three aspects, the autonomous proportion of the software code, autonomous code defects and open source code security vulnerabilities, and is a quantifiable evaluation method. The invention focuses on the autonomous controllability of the software product itself, reduces the influence of other factors on the autonomous controllability judgment, and in particular is the first to propose judging the autonomous controllability of a software product from the angles of code defects and security vulnerabilities, thereby fully reflecting the essential requirement that security is a part of autonomous controllability.
The evaluation system for the autonomous controllability of a software product provided by the invention is an automated system with automatic detection and evaluation functions for the autonomous controllability of software products; it significantly reduces the reliance on manual work in the detection and evaluation process, reduces subjective bias in the evaluation results, improves the efficiency and consistency of autonomous controllability evaluation, and greatly reduces the difficulty of evaluating the autonomous controllability of software products.
The foregoing is only an overview of the present invention; for a better understanding, the invention is described in detail below with reference to its preferred embodiments and the accompanying drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention, illustrate the invention and together with the description serve to explain the invention. In the drawings:
FIG. 1 is a flowchart of an evaluation method for the autonomous controllability of a software product according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an architecture of an evaluation system for autonomous controllability of a software product according to an embodiment of the present invention.
Detailed Description
First, the software product autonomous controllability evaluation method according to an embodiment of the present invention is described with reference to FIG. 1. The method includes the following steps:
Step 1: analyzing the software source code to obtain software code information, where the software code information comprises the software architecture, file dependency relationships, file types, file numbers and code fingerprint information;
Step 2: performing multi-level code traceability analysis on the software source code to identify open source code, open source files, autonomous code and autonomous files;
The multi-level code traceability analysis comprises: based on the dependency relationships and the code fingerprint information, performing multi-level traceability analysis of files, code segments and the like against an open source component information base, and identifying open source components and their versions. Through analysis and judgment of the degree of similarity with the open source components, files and code above a preset threshold are open source files and open source code, and files and code equal to or below the preset threshold are autonomous files and autonomous code;
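The traceability step above compares code fingerprints of files and code segments against an open source component information base and labels anything above a preset similarity threshold as open source. The Python below is an added illustration of that two-level classification; it is not code from the patent or from CETC 15 Research Institute. It assumes a C-like tokenizer, hashed 5-token shingles as the fingerprint, containment (the share of a sample's shingles that also occur in a component) as the similarity measure, blank-line-separated blocks as code segments, and a threshold of 0.8; the component base and the three files under review are constructed sample inputs.

```python
# Added example (not the patent's code): file- and segment-level code
# traceability against an open source component base by fingerprint similarity.
import hashlib
import re

K = 5             # tokens per shingle (assumed fingerprint granularity)
THRESHOLD = 0.8   # preset similarity threshold (assumed value)
_COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
_TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|[^\s\w]")


def tokenize(source: str) -> list[str]:
    """C-like tokenizer (assumed): drop comments and whitespace, keep identifiers,
    numbers and punctuation, so reformatting or re-commenting changes nothing."""
    return _TOKEN_RE.findall(_COMMENT_RE.sub(" ", source))


def fingerprint(source: str, k: int = K) -> set[str]:
    """Code fingerprint: the set of hashed k-token shingles of the source."""
    toks = tokenize(source)
    windows = [toks] if 0 < len(toks) <= k else [toks[i:i + k] for i in range(len(toks) - k + 1)]
    return {hashlib.sha256(" ".join(w).encode()).hexdigest()[:16] for w in windows}


def containment(sample: set[str], reference: set[str]) -> float:
    """Share of the sample's shingles that also occur in the reference."""
    return len(sample & reference) / len(sample) if sample else 0.0


def trace(source: str, base: dict[str, set[str]], threshold: float = THRESHOLD):
    """Classify one file or code segment: above the threshold it is open source
    (with the best-matching component and version), otherwise autonomous."""
    fp = fingerprint(source)
    best, best_sim = None, 0.0
    for name, ref in base.items():
        sim = containment(fp, ref)
        if sim > best_sim:
            best, best_sim = name, sim
    if best_sim > threshold:
        return "open_source", best, best_sim
    return "autonomous", None, best_sim


def segments(source: str) -> list[str]:
    """Code-segment level: blocks separated by blank lines (assumed boundary)."""
    return [s for s in re.split(r"\n\s*\n", source) if s.strip()]


def trace_multilevel(files: dict[str, str], base: dict[str, set[str]], threshold: float = THRESHOLD):
    """File level, then segment level; also returns the four counts that feed Z."""
    results, counts = {}, {"autonomous_files": 0, "open_source_files": 0,
                           "autonomous_segments": 0, "open_source_segments": 0}
    for path, src in files.items():
        label, comp, sim = trace(src, base, threshold)
        counts[f"{label}_files"] += 1
        seg_labels = [trace(seg, base, threshold)[0] for seg in segments(src)]
        for seg_label in seg_labels:
            counts[f"{seg_label}_segments"] += 1
        results[path] = {"file": label, "component": comp,
                         "similarity": round(sim, 3), "segments": seg_labels}
    return results, counts


# Constructed sample: one component in the base and three files under review.
LIBFOO_SRC = """int add(int a, int b) {
    return a + b;
}

int mul(int a, int b) {
    return a * b;
}
"""
COMPONENT_BASE = {"libfoo-1.2.0": fingerprint(LIBFOO_SRC)}
SAMPLE_FILES = {
    "copied.c": "/* vendored copy, comments do not matter */\n" + LIBFOO_SRC,
    "own.c": 'static void greet(const char *name) {\n    printf("hello %s", name);\n}\n',
    "mixed.c": """int add(int a, int b) {
    return a + b;
}

int clamp(int v, int lo, int hi) {
    if (v < lo) return lo;
    if (v > hi) return hi;
    return v;
}
""",
}

if __name__ == "__main__":
    results, counts = trace_multilevel(SAMPLE_FILES, COMPONENT_BASE)
    for path, r in results.items():
        print(path, r)
    print(counts)
```

The mixed file shows why the patent counts files and code segments separately: at file level its similarity to the component is well below the threshold, so it is an autonomous file, yet its first segment is a verbatim copy and is counted as an open source segment. Containment rather than Jaccard is used so that a small copied function inside a large component still scores 1.0; the threshold value is a tuning choice between missing rebranded copies and flagging common boilerplate.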
Step 3: according to the open source code and autonomous code information and the classification of files and code, obtaining the number of autonomous files, the number of open source files, the number of autonomous code segments and the number of open source code segments, and calculating the autonomous file proportion, autonomous code segment proportion, open source file proportion and open source code segment proportion as percentages. The autonomous proportion Z is then calculated by weighting according to the following formula:
Z = autonomous file proportion × C1 + autonomous code segment proportion × C2
where C1 is the weight value of the autonomous file proportion and C2 is the weight value of the autonomous code segment proportion; the invention provides an embodiment in which the weight values are assigned on the basis that autonomous files and autonomous code segments are equally important: C1 is 50 and C2 is 50;
Meanwhile, performing security defect detection on the autonomous code, determining the defect condition of the autonomous code, obtaining the number of security defect items and the risk level of each security defect item, and then calculating the defect value IV of the autonomous code;
the invention provides a specific embodiment for calculating the autonomous code defect value IV, in which the full score of IV is 100: if no security defect is found, IV is 100; for each low-risk defect found, 5 points are deducted, and so on, down to 0; for each medium-risk defect found, 10 points are deducted, and so on, down to 0; if a high-risk defect is found, IV is 0;
Optionally, the security defect detection on the autonomous code includes detection of security defect items such as buffer overflow, memory leak, array out-of-bounds access, use of uninitialized variables, dangerous functions, dead code, information leakage and improper permission management;
Meanwhile, processing the open source code information, extracting the information useful for vulnerability comparison, eliminating information that is useless for, or interferes with, the subsequent vulnerability judgment, and normalizing the useful information to form open source code comparison information; comparing the open source code comparison information with the normalized vulnerability information of a vulnerability database to determine the open source code vulnerability condition, including the number of vulnerabilities and the vulnerability risk levels, and calculating the open source code vulnerability value OV;
the invention provides a specific embodiment for calculating the open source code vulnerability value OV, in which the full score of OV is 100: if no vulnerability is found, OV is 100; for each low-risk vulnerability found, 5 points are deducted, and so on, down to 0; for each medium-risk vulnerability found, 10 points are deducted, and so on, down to 0; if a high-risk vulnerability is found, OV is 0;
the normalized vulnerability information is vulnerability information published by public vulnerability databases such as CNNVD (China national information security vulnerability database), CNVD (China national information security vulnerability sharing platform) and the foreign CVE (Common Vulnerabilities and Exposures), normalized into a uniform data format;
Step 4: obtaining the autonomous controllability F of the software product by weighted calculation from the autonomous code proportion Z, the autonomous code defect value IV and the open source code vulnerability value OV, grading the autonomous controllability of the software product according to the set grading conditions, and finally automatically generating a software product autonomous controllability evaluation report. The autonomous controllability F of the software product is calculated according to the following formula:
F = Z × W1 + IV × W2 + OV × W3
where W1 is the weight value of the autonomous proportion, W2 is the weight value of the autonomous code defect value and W3 is the weight value of the open source code vulnerability value; the invention provides an embodiment in which W1 is 50%, W2 is 25% and W3 is 25%. The weight values reflect different degrees of importance; in this embodiment they are set on the basis that the degree of autonomy and the degree of security of the software product are equally important, and that autonomous code security and open source code security are equally important.
The higher the autonomous controllability value F of the software product, the higher its autonomous controllability grade. The grading conditions are as follows: AAA grade: F ≥ 90; AA grade: 90 > F ≥ 80; A grade: 80 > F ≥ 70; B grade: 70 > F ≥ 60; C grade: 60 > F ≥ 50; D grade: F < 50.
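Steps 3 and 4 above describe normalizing vulnerability records from several public databases into one format, comparing the identified open source components against them, and then deriving IV, OV, Z, F and the grade. The Python below is an added worked example of that chain, not the patent's or the assignee's implementation. It assumes three constructed feed shapes (the field names are invented for the example and are not the real CNNVD, CNVD or CVE schemas), placeholder advisory identifiers, the deduction rules of the embodiment (5 points per low-risk finding, 10 per medium-risk finding, 0 on any high-risk finding), and reads C1 = C2 = 50 and W1/W2/W3 = 50/25/25 as percentages so that Z and F stay on a 0 to 100 scale. The traceability counts, defect list and identified component are constructed inputs.

```python
# Added example (not the patent's code): vulnerability normalization,
# comparison and the IV / OV / Z / F scoring of the embodiment above.
C1, C2 = 50, 50          # Z weights, read here as percentages (assumption)
W1, W2, W3 = 50, 25, 25  # F weights, likewise percentages
DEDUCTION = {"low": 5, "medium": 10}  # a high-risk finding zeroes the score


def parse_version(v: str) -> tuple[int, ...]:
    """'1.2.0' -> (1, 2, 0); tuples compare like version numbers."""
    return tuple(int(p) for p in v.strip().split("."))


def normalize_risk(raw) -> str:
    """Map a text label or CVSS-style score onto low / medium / high."""
    if isinstance(raw, (int, float)):
        return "high" if raw >= 7.0 else "medium" if raw >= 4.0 else "low"
    table = {"low": "low", "l": "low", "medium": "medium", "m": "medium",
             "high": "high", "h": "high"}
    return table[str(raw).strip().lower()]


def normalize_affected(spec: str) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Affected-version spec -> inclusive (low, high) range; assumed shapes: '1.0.0-1.1.9', '<=1.2.3', '1.2.0'."""
    spec = spec.strip()
    if spec.startswith("<="):
        return (0,), parse_version(spec[2:])
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return parse_version(lo), parse_version(hi)
    return parse_version(spec), parse_version(spec)


def normalize_record(source: str, rec: dict) -> dict:
    """One source-specific record -> uniform format; fields useless for comparison are not copied."""
    if source == "feed_a":
        vid, comp, ver, risk = rec["id"], rec["product"], rec["versions"], rec["severity"]
    elif source == "feed_b":
        ent = rec["affected_entity"]
        vid, comp, ver, risk = rec["advisory"], ent["name"], ent["range"], rec["cvss"]
    elif source == "feed_c":
        vid, comp, ver, risk = rec["ref"], rec["pkg"], rec["version"], rec["level"]
    else:
        raise ValueError(f"unknown feed {source}")
    lo, hi = normalize_affected(ver)
    return {"id": vid, "component": comp.strip().lower(), "lo": lo, "hi": hi,
            "risk": normalize_risk(risk)}


def match_vulnerabilities(components: list[tuple[str, str]], vuln_db: list[dict]) -> list[dict]:
    """Compare identified (name, version) components with the normalized DB."""
    hits = []
    for name, version in components:
        key, v = name.strip().lower(), parse_version(version)
        hits.extend(r for r in vuln_db if r["component"] == key and r["lo"] <= v <= r["hi"])
    return hits


def deduction_score(risks: list[str]) -> int:
    """Full score 100; -5 per low, -10 per medium, floor 0; any high gives 0 (IV and OV rule)."""
    if "high" in risks:
        return 0
    return max(0, 100 - sum(DEDUCTION[r] for r in risks))


def autonomous_proportion(counts: dict) -> float:
    """Z = autonomous file proportion x C1 + autonomous code segment proportion x C2."""
    files = counts["autonomous_files"] + counts["open_source_files"]
    segs = counts["autonomous_segments"] + counts["open_source_segments"]
    file_pct = 100.0 * counts["autonomous_files"] / files if files else 0.0
    seg_pct = 100.0 * counts["autonomous_segments"] / segs if segs else 0.0
    return file_pct * C1 / 100 + seg_pct * C2 / 100


def grade(f: float) -> str:
    """AAA: F >= 90; AA: 90 > F >= 80; A: 80 > F >= 70; B: >= 60; C: >= 50; D: < 50."""
    for label, floor in (("AAA", 90), ("AA", 80), ("A", 70), ("B", 60), ("C", 50)):
        if f >= floor:
            return label
    return "D"


def evaluate(counts: dict, defect_risks: list[str], components, raw_feeds: dict) -> dict:
    """Normalize the feeds, match components, then F = Z x W1 + IV x W2 + OV x W3."""
    vuln_db = [normalize_record(src, r) for src, recs in raw_feeds.items() for r in recs]
    hits = match_vulnerabilities(components, vuln_db)
    z = autonomous_proportion(counts)
    iv = deduction_score(defect_risks)
    ov = deduction_score([h["risk"] for h in hits])
    f = z * W1 / 100 + iv * W2 / 100 + ov * W3 / 100
    return {"Z": z, "IV": iv, "OV": ov, "F": f, "grade": grade(f),
            "matched": [h["id"] for h in hits]}


# Constructed inputs: three feeds of different shape with placeholder ids,
# traceability counts, autonomous-code findings and one identified component.
RAW_FEEDS = {
    "feed_a": [{"id": "EXAMPLE-A-0001", "product": "LibFoo", "versions": "1.0.0-1.1.9",
                "severity": "High"}],
    "feed_b": [{"advisory": "EXAMPLE-B-0002", "cvss": 5.3,
                "affected_entity": {"name": "libfoo", "range": "<=1.2.3"}},
               {"advisory": "EXAMPLE-B-0003", "cvss": 9.8,
                "affected_entity": {"name": "barlib", "range": "<=2.0.0"}}],
    "feed_c": [{"ref": "EXAMPLE-C-0004", "pkg": "LIBFOO", "version": "1.2.0", "level": "L"}],
}
COUNTS = {"autonomous_files": 2, "open_source_files": 1,
          "autonomous_segments": 2, "open_source_segments": 3}
DEFECTS = ["low", "medium"]         # risk levels of autonomous-code defects
COMPONENTS = [("libfoo", "1.2.0")]  # identified by the traceability step

if __name__ == "__main__":
    print(evaluate(COUNTS, DEFECTS, COMPONENTS, RAW_FEEDS))
```

With these inputs the high-risk record from feed_a does not apply because 1.2.0 lies outside its range, the medium and low records do, and the component lands at OV = 85; two autonomous-code defects give IV = 85, Z is about 53.3, F is about 69.2 and the grade is B. Note how the scoring rule makes a single high-risk finding dominate everything else, which is the intended behaviour of the embodiment but also means the version-range normalization has to be right, since a false match on an unaffected version zeroes a whole term of F.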
The invention further provides an evaluation system for the autonomous controllability of the software product, which is shown in fig. 2 and comprises a software source code composition analysis module, an open source component information base, a multi-level software traceability analysis module, an autonomous code proportion calculation module, an autonomous code security detection module, an open source code comparison information extraction module, a vulnerability database, a vulnerability comparison analysis engine and an evaluation report automatic generation module.
The software source code composition analysis module is used for analyzing the software source code and obtaining software code information, wherein the software code information comprises a software architecture, file dependency relations, file types, file numbers and code fingerprint information;
The open source component information base integrates various open source component information at home and abroad, including open source file names, file fingerprints, code fingerprints, source codes and the like;
The multi-level software traceability analysis module performs multi-level traceability analysis of files, code segments and the like with information in an open source component information base based on the dependency relationship and the code fingerprint information, and the files and codes higher than a preset threshold value are open source files and open source codes and the files and codes equal to or lower than the preset threshold value are autonomous files and autonomous codes through analysis and judgment of the similarity degree with the open source component, so that the open source codes, the open source files, the autonomous codes and the autonomous files are identified;
The autonomous code proportion calculation module calculates according to the open source codes and the autonomous code information and the file and code classification to respectively obtain the number of autonomous files, the number of open source files, the number of autonomous code segments and the number of open source code segments, calculates to obtain the percentage of autonomous file proportion, autonomous code segment proportion, open source file proportion and open source code segment proportion, and calculates to obtain an autonomous proportion Z according to the following formula:
z=autonomous file proportion×c1+autonomous code proportion×c2
Wherein, C1 is the weight value of the autonomous file proportion; c2 is the weight value of the autonomous code proportion; the invention provides an embodiment, wherein the weight value is given based on the condition that the autonomous file and the autonomous code segment are equally important, C1 is 50, and C2 is 50;
the autonomous code security detection module detects security defects such as buffer overflow, memory leakage, array out-of-range, uninitialized variable use, dangerous functions, dead codes, information leakage, improper authority management and the like, and obtains the number of security defect items and the risk level of each security defect item; according to the number of the safety defects and the risk level, calculating to obtain an autonomous code defect value IV;
the present invention provides an embodiment wherein the IV is divided fully into 100; no safety defect was found, IV was 100; finding a low risk defect, button 5, and so on, until button 0; a risk defect is found, button 10, and so on, until button 0; finding a high risk defect with IV of 0;
The open source code comparison information extraction module extracts the information useful for vulnerability comparison by processing and analyzing the open source code information, eliminates information that is useless or interfering for the subsequent vulnerability judgment, and so improves the accuracy and efficiency of the vulnerability comparison; the useful information is normalized to form the open source code comparison information;
The vulnerability database integrates the vulnerability information of public vulnerability databases at home and abroad, including information such as the affected entities and the vulnerability content description, and normalizes the vulnerability information from different sources to form normalized vulnerability information; the public vulnerability databases include the CNNVD China national information security vulnerability database, the CNVD national information security vulnerability sharing platform, the foreign CVE (Common Vulnerabilities and Exposures) list, and the like;
The vulnerability comparison analysis engine compares the open source code comparison information with the normalized vulnerability information provided by the vulnerability database to determine the vulnerability condition of the open source code, including the number of vulnerabilities and their risk levels; according to the number of vulnerabilities and their risk levels, the open source code vulnerability value OV is calculated.
The present invention provides an embodiment in which OV is scored out of 100: if no vulnerability is found, OV is 100; each low-risk vulnerability found deducts 5 points, and so on, until 0; each medium-risk vulnerability found deducts 10 points, and so on, until 0; if a high-risk vulnerability is found, OV is 0;
The normalized vulnerability information refers to the vulnerability information published by public vulnerability libraries such as the CNNVD China national information security vulnerability database, the CNVD China national information security vulnerability sharing platform, the foreign CVE (Common Vulnerabilities and Exposures) list and the like, after it has been normalized into a uniform data format.
The automatic evaluation report generation module obtains the autonomous controllability F of the software product by weighted calculation from the autonomous code proportion Z, the autonomous code defect value IV and the open source code vulnerability value OV; according to F, it classifies the autonomous controllability of the software product under the set autonomous controllability classification condition, and finally generates the software product autonomous controllability evaluation report automatically.
F = Z × W1 + IV × W2 + OV × W3
wherein W1 is the weight value of the autonomous proportion; W2 is the weight value of the autonomous code defect value; W3 is the weight value of the open source code vulnerability value. The present invention provides an embodiment in which W1 is 50%, W2 is 25% and W3 is 25%; the weight values are assigned according to the different degrees of importance, and in this embodiment they are assigned on the basis that the degree of autonomy and the degree of security of the software product are equally important, and that the security of the autonomous code and the security of the open source code are equally important.
The higher the autonomous controllability value F of the software product, the higher its autonomous controllability level. The autonomous controllability classification condition is specifically as follows: AAA level: F ≥ 90; AA level: 90 > F ≥ 80; A level: 80 > F ≥ 70; B level: 70 > F ≥ 60; C level: 60 > F ≥ 50; D level: 50 > F.
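The scoring and grading rules above (the autonomous proportion Z, the deduction rules for IV and OV, the weighted F and the AAA to D classification), as an added example that is not part of the patent. It assumes the proportions are expressed in percent and the embodiment's weights (C1 = C2 = 50, W1/W2/W3 = 50%/25%/25%) are read as fractions so that Z and F stay on a 0 to 100 scale; the sample counts and findings are constructed.

```python
# Added example implementing the scoring and grading rules of the description
# (not the patent's own code). Proportions are in percent and all weights are
# read as fractions, so Z and F stay on a 0..100 scale (an assumption about
# the patent's units).
C1, C2 = 0.50, 0.50            # weights of autonomous file / code segment proportion
W1, W2, W3 = 0.50, 0.25, 0.25  # weights of Z, IV and OV
DEDUCTION = {"low": 5, "medium": 10}  # points per finding; "high" zeroes the score


def autonomous_proportion(auto_files, os_files, auto_segs, os_segs):
    """Z = autonomous file proportion × C1 + autonomous code segment proportion × C2."""
    total_files, total_segs = auto_files + os_files, auto_segs + os_segs
    file_pct = 100.0 * auto_files / total_files if total_files else 0.0
    seg_pct = 100.0 * auto_segs / total_segs if total_segs else 0.0
    return file_pct * C1 + seg_pct * C2


def deduction_score(risk_levels):
    """Shared rule for IV (autonomous code defects) and OV (open source code
    vulnerabilities): start from 100, deduct 5 per low-risk and 10 per
    medium-risk finding down to a floor of 0; any high-risk finding gives 0."""
    score = 100
    for level in risk_levels:
        level = level.lower()
        if level == "high":
            return 0
        if level not in DEDUCTION:
            raise ValueError(f"unknown risk level: {level!r}")
        score -= DEDUCTION[level]
    return max(score, 0)


def controllability(Z, IV, OV):
    """F = Z × W1 + IV × W2 + OV × W3."""
    return Z * W1 + IV * W2 + OV * W3


def grade(F):
    """Classification condition: AAA for F >= 90 down to D for F < 50."""
    for threshold, level in ((90, "AAA"), (80, "AA"), (70, "A"), (60, "B"), (50, "C")):
        if F >= threshold:
            return level
    return "D"


def evaluate(counts, defect_levels, vuln_levels):
    """Whole pipeline from the traceability counts and the two findings lists
    to the fields of the evaluation report."""
    Z = autonomous_proportion(**counts)
    IV = deduction_score(defect_levels)
    OV = deduction_score(vuln_levels)
    F = controllability(Z, IV, OV)
    return {"Z": Z, "IV": IV, "OV": OV, "F": F, "grade": grade(F)}


# Constructed sample: 30 of 40 files and 400 of 500 code segments are
# autonomous; the autonomous code has two low- and one medium-risk defect and
# the open source code one low-risk vulnerability.
SAMPLE_COUNTS = {"auto_files": 30, "os_files": 10, "auto_segs": 400, "os_segs": 100}
SAMPLE_DEFECTS = ["low", "low", "medium"]
SAMPLE_VULNS = ["low"]

if __name__ == "__main__":
    # Z = 77.5, IV = 80, OV = 95, F = 82.5, grade AA for the sample above
    print(evaluate(SAMPLE_COUNTS, SAMPLE_DEFECTS, SAMPLE_VULNS))
```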
The embodiment of the invention further provides an evaluation system for the autonomous controllability of a software product, comprising:
A processor for executing a plurality of instructions;
A memory for storing a plurality of instructions;
the instructions are stored by the memory and are loaded and executed by the processor to implement the software product autonomous controllability evaluation method described above.
The embodiment of the invention further provides a computer readable storage medium, wherein a plurality of instructions are stored in the storage medium; the instructions are used for loading and executing the software product autonomous controllability evaluation method by the processor.
It should be noted that, without conflict, the embodiments of the present invention and features of the embodiments may be combined with each other.
In the several embodiments provided in the present invention, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the elements is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in hardware plus software functional units.
The integrated units implemented in the form of software functional units described above may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium, and includes several instructions for making a computer device (which may be a personal computer, a physical machine Server, or a network cloud Server, etc., and need to install a Windows or Windows Server or Linux operating system) execute part of the steps of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The above description is only of the preferred embodiments of the present invention, and is not intended to limit the present invention in any way, but any simple modification, equivalent variation and modification made to the above embodiments according to the technical substance of the present invention still fall within the scope of the technical solution of the present invention.

Claims (6)

1. A method for evaluating the autonomous controllability of a software product, the method comprising the steps of:
Step 1, analyzing a software source code to obtain software code information, wherein the software code information comprises a software architecture, a file dependency relationship, a file type, a file number and code fingerprint information;
Step 2, performing multi-level code traceability analysis on the software source code to identify open source code, open source files, autonomous code and autonomous files;
Step 3, calculating, from the open source and autonomous code information and the file and code classification, the number of autonomous files, the number of open source files, the number of autonomous code segments and the number of open source code segments, and deriving the percentages of autonomous file proportion, autonomous code segment proportion, open source file proportion and open source code segment proportion; the autonomous proportion Z is calculated by weighting according to the following formula:
Z = autonomous file proportion × C1 + autonomous code segment proportion × C2
wherein C1 is the weight value of the autonomous file proportion and C2 is the weight value of the autonomous code segment proportion;
Performing security defect detection on the autonomous code, determining the defect condition of the autonomous code, obtaining the number of security defect items and the risk level of each security defect item, and then calculating a defect value IV of the autonomous code;
Processing the open source code information, extracting useful information for vulnerability comparison, eliminating useless information or interference information judged by subsequent vulnerabilities, and carrying out normalization processing on the useful information to form open source code comparison information; comparing the open source code comparison information with normalized vulnerability information of a vulnerability database to determine open source code vulnerability conditions including vulnerability quantity and vulnerability risk level, and calculating an open source code vulnerability value OV;
Normalizing the vulnerability information refers to normalizing the vulnerability information published by the public vulnerability library to form vulnerability information with uniform data format;
Step 4, obtaining the autonomous controllability F of the software product by weighted calculation from the autonomous code proportion Z, the autonomous code defect value IV and the open source code vulnerability value OV, classifying the autonomous controllability of the software product according to the set autonomous controllability class classification condition, and finally automatically generating a software product autonomous controllability evaluation report; the software product autonomous controllability F is calculated according to the following formula:
F = Z × W1 + IV × W2 + OV × W3
Wherein W1 is an autonomous proportional weight value; w2 is the weight value of the autonomous code defect value; w3 is the weight value of the open source code vulnerability value.
2. The method of claim 1, wherein the multi-level code traceability analysis comprises: based on the dependency relationships and the code fingerprint information, carrying out multi-level traceability analysis of files and code segments against an open source component information base, and identifying the open source components and their versions; through analysis and judgment of the degree of similarity to the open source components, files and code whose similarity is higher than a preset threshold value are determined to be open source files and open source code, and files and code whose similarity is equal to or lower than the preset threshold value are autonomous files and autonomous code.
3. The method of claim 1, wherein the security defect detection of the autonomous code comprises: performing security defect detection for buffer overflow, memory leaks, array out-of-bounds access, use of uninitialized variables, dangerous functions, dead code, information leakage and improper permission management.
4. A system for evaluating the autonomous controllability of a software product, characterized by comprising a software source code composition analysis module, an open source component information base, a multi-level software traceability analysis module, an autonomous code proportion calculation module, an autonomous code security detection module, an open source code comparison information extraction module, a vulnerability database, a vulnerability comparison analysis engine and an automatic evaluation report generation module;
The software source code composition analysis module is used for analyzing the software source code and obtaining software code information, wherein the software code information comprises a software architecture, file dependency relations, file types, file numbers and code fingerprint information;
the open source component information base integrates various open source component information at home and abroad, including open source file names, file fingerprints, code fingerprints and source codes;
The multi-level software traceability analysis module performs multi-level traceability analysis of files and code segments against the information in the open source component information base, based on the dependency relationships and the code fingerprint information; through analysis and judgment of the degree of similarity to the open source components, files and code whose similarity is higher than a preset threshold value are classified as open source files and open source code, and files and code whose similarity is equal to or lower than the preset threshold value are classified as autonomous files and autonomous code, so that the open source code, open source files, autonomous code and autonomous files are identified;
The autonomous code proportion calculation module calculates, from the open source and autonomous code information and the file and code classification, the number of autonomous files, the number of open source files, the number of autonomous code segments and the number of open source code segments, derives the percentages of autonomous file proportion, autonomous code segment proportion, open source file proportion and open source code segment proportion, and calculates the autonomous proportion Z according to the following formula:
Z = autonomous file proportion × C1 + autonomous code proportion × C2
wherein C1 is the weight value of the autonomous file proportion and C2 is the weight value of the autonomous code proportion;
the autonomous code security detection module performs security defect detection for buffer overflow, memory leaks, array out-of-bounds access, use of uninitialized variables, dangerous functions, dead code, information leakage and improper permission management, to obtain the number of security defect items and the risk level of each security defect item; according to the number of security defects and their risk levels, the autonomous code defect value IV is calculated;
The open source code comparison information extraction module extracts useful information for vulnerability comparison by processing and analyzing the open source code information, eliminates subsequent vulnerability judgment useless information or interference information, and improves accuracy and high efficiency of vulnerability comparison; normalizing the useful information to form open source code comparison information;
The vulnerability database integrates vulnerability information of the public vulnerability database, and comprises affected entities and vulnerability content description information, and the vulnerability information of different sources is normalized to form normalized vulnerability information;
The vulnerability comparison analysis engine compares the open source code comparison information with the normalized vulnerability information provided by the vulnerability database to determine the vulnerability condition of the open source code, including the number of vulnerabilities and their risk levels; according to the number of vulnerabilities and their risk levels, the open source code vulnerability value OV is calculated;
Normalizing the vulnerability information refers to normalizing the vulnerability information published by the public vulnerability library to form vulnerability information with uniform data format;
The automatic evaluation report generation module obtains the autonomous controllability F of the software product through weighted calculation according to the autonomous code proportion Z, the autonomous code defect value IV and the open source code vulnerability value OV; according to the autonomous controllability F of the software product, classifying the autonomous controllability of the software product according to a set autonomous controllability classifying condition, and finally automatically generating an autonomous controllability evaluation report of the software product;
F = Z × W1 + IV × W2 + OV × W3
Wherein W1 is an autonomous proportional weight value; w2 is the weight value of the autonomous code defect value; w3 is the weight value of the open source code vulnerability value.
5. An evaluation system for autonomous controllability of a software product, comprising:
A processor for executing a plurality of instructions;
A memory for storing a plurality of instructions;
wherein the plurality of instructions are for storage by the memory and loading and executing by the processor the method of any of claims 1-3.
6. A computer-readable storage medium having stored therein a plurality of instructions; the plurality of instructions for loading and executing the method of any of claims 1-3 by a processor.
CN202111333681.XA 2021-11-11 2021-11-11 Evaluation method and system for autonomous controllability of software product Active CN114020634B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111333681.XA CN114020634B (en) 2021-11-11 2021-11-11 Evaluation method and system for autonomous controllability of software product

Publications (2)

Publication Number Publication Date
CN114020634A CN114020634A (en) 2022-02-08
CN114020634B true CN114020634B (en) 2024-05-24

Family

ID=80063646

Country Status (1)

Country Link
CN (1) CN114020634B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101751388B1 (en) * 2016-07-05 2017-06-27 (주)엔키소프트 Big data analytics based Web Crawling System and The Method for searching and collecting open source vulnerability analysis target
WO2017214364A1 (en) * 2016-06-08 2017-12-14 Veracode, Inc. Systems and methods for flaw attribution and correlation
CN108763928A (en) * 2018-05-03 2018-11-06 北京邮电大学 A kind of open source software leak analysis method, apparatus and storage medium
CN108804326A (en) * 2018-06-12 2018-11-13 上海新炬网络技术有限公司 A kind of software code automatic testing method
CN109918294A (en) * 2019-01-29 2019-06-21 刘建鹏 A kind of autonomous controllability detection method of mixed source software and system
CN111651344A (en) * 2019-12-12 2020-09-11 中国电子科技集团公司第二十八研究所 Software defect detection rule grading and combination strategy method for large-scale complex information system
CN113177001A (en) * 2021-05-24 2021-07-27 深圳前海微众银行股份有限公司 Vulnerability detection method and device for open source component
CN113434870A (en) * 2021-07-14 2021-09-24 中国电子科技网络信息安全有限公司 Vulnerability detection method, device, equipment and medium based on software dependence analysis

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11138317B2 (en) * 2017-07-14 2021-10-05 Accenture Global Solutions Limited System and method for locating and correcting vulnerabilities in a target computer system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Information security technology - Security audit specification for open source code. 2019, full text. *
Software vulnerability risk evaluation algorithm based on the Sigmoid function; 王帆; 洪流; 顾欣; Journal of Information Security Research; 2018-11-05 (11); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20240423
Address after: 100083 No. 211 middle Fourth Ring Road, Haidian District, Beijing
Applicant after: NO.15 INSTITUTE OF CHINA ELECTRONICS TECHNOLOGY Group Corp.
Country or region after: China
Address before: 100083 No. 211 middle Fourth Ring Road, Haidian District, Beijing
Applicant before: NO.15 INSTITUTE OF CHINA ELECTRONICS TECHNOLOGY Group Corp.
Country or region before: China
Applicant before: CETC (Beijing) information evaluation and Certification Co.,Ltd.
GR01 Patent grant