Disclosure of Invention
In order to solve the above technical problems, the invention provides a method and a system for evaluating the autonomous controllability of a software product, which address the problems in the prior art that the factors considered in the evaluation are incomplete and that the measurement method and results for the autonomous controllability of software are inaccurate. The invention can automatically evaluate the degree of autonomy and the degree of secure controllability of software code, and realizes the evaluation of the autonomous controllability of a software product from three aspects: the autonomous proportion of the software code, defects in the autonomous code, and security vulnerabilities in the open source code.
According to a first aspect of the present invention, there is provided a method of assessing the autonomous controllability of a software product, the method comprising the steps of:
Step 1, analyzing the software source code to obtain software code information, wherein the software code information comprises the software architecture, file dependency relationships, file types, the number of files and code fingerprint information;
Step 2, performing multi-level code traceability analysis on the software source code to identify open source code, open source files, autonomous code and autonomous files;
Step 3, according to the open source code and autonomous code information and the classification of files and code, calculating respectively the number of autonomous files, the number of open source files, the number of autonomous code segments and the number of open source code segments, and calculating therefrom the percentages for the autonomous file proportion, the autonomous code segment proportion, the open source file proportion and the open source code segment proportion. The autonomous proportion Z is then calculated by weighting according to the following formula:
Z = autonomous file proportion × C1 + autonomous code segment proportion × C2
wherein C1 is the weight value of the autonomous file proportion and C2 is the weight value of the autonomous code segment proportion;
Performing security defect detection on the autonomous code, determining the defect condition of the autonomous code, obtaining the number of security defect items and the risk level of each security defect item, and then calculating a defect value IV of the autonomous code;
Processing the open source code information, extracting the information useful for vulnerability comparison, eliminating information that is useless for or interferes with the subsequent vulnerability judgment, and normalizing the useful information to form open source code comparison information; comparing the open source code comparison information with the normalized vulnerability information of a vulnerability database to determine the vulnerability condition of the open source code, including the number of vulnerabilities and the risk level of each vulnerability, and calculating an open source code vulnerability value OV;
the normalized vulnerability information is vulnerability information obtained by normalizing the vulnerability information published by public vulnerability databases such as the CNNVD (China National Vulnerability Database of Information Security), the CNVD (China National Vulnerability Database) and the foreign CVE (Common Vulnerabilities and Exposures) list, so as to form vulnerability information with a uniform data format;
Step 4, obtaining the autonomous controllability F of the software product by weighted calculation from the autonomous code proportion Z, the autonomous code defect value IV and the open source code vulnerability value OV, classifying the autonomous controllability of the software product according to a set autonomous controllability class classification condition, and finally automatically generating a software product autonomous controllability evaluation report; the autonomous controllability F of the software product is calculated according to the following formula:
F = Z × W1 + IV × W2 + OV × W3
wherein W1 is the weight value of the autonomous proportion, W2 is the weight value of the autonomous code defect value, and W3 is the weight value of the open source code vulnerability value.
The multi-level code traceability analysis comprises: based on the dependency relationship and the code fingerprint information, performing multi-level traceability analysis of files and code segments against an open source component information base, and identifying open source components and their versions. By analysing and judging the degree of similarity with the open source component, files and code whose similarity is higher than a preset threshold are open source files and open source code, and files and code whose similarity is equal to or lower than the preset threshold are autonomous files and autonomous code.
Optionally, the security defect detection on the autonomous code comprises detecting security defects such as buffer overflow, memory leak, array out-of-bounds access, use of uninitialized variables, dangerous functions, dead code, information leakage and improper privilege management.
According to a second aspect of the present invention, there is provided an assessment system for autonomous controllability of a software product, the system comprising:
The software product autonomous controllability evaluation system comprises a software source code composition analysis module, an open source component information base, a multi-level software traceability analysis module, an autonomous code proportion calculation module, an autonomous code security detection module, an open source code comparison information extraction module, a vulnerability base, a vulnerability comparison analysis engine and an evaluation report automatic generation module.
The software source code composition analysis module is used for analyzing the software source code and obtaining software code information, wherein the software code information comprises a software architecture, file dependency relations, file types, file numbers and code fingerprint information;
the open source component information base integrates various open source component information at home and abroad, including open source file names, file fingerprints, code fingerprints and source codes;
The multi-level software traceability analysis module, based on the dependency relationship and the code fingerprint information, performs multi-level traceability analysis of files and code segments against the information in the open source component information base; by analysing and judging the degree of similarity with the open source component, files and code whose similarity is higher than a preset threshold are open source files and open source code, and files and code whose similarity is equal to or lower than the preset threshold are autonomous files and autonomous code, whereby the open source code, open source files, autonomous code and autonomous files are identified;
The autonomous code proportion calculation module calculates, according to the open source code and autonomous code information and the classification of files and code, the number of autonomous files, the number of open source files, the number of autonomous code segments and the number of open source code segments respectively, calculates the percentages for the autonomous file proportion, the autonomous code segment proportion, the open source file proportion and the open source code segment proportion, and calculates the autonomous proportion Z according to the following formula:
Z = autonomous file proportion × C1 + autonomous code segment proportion × C2
wherein C1 is the weight value of the autonomous file proportion and C2 is the weight value of the autonomous code segment proportion;
the autonomous code security detection module performs security defect detection for buffer overflow, memory leak, array out-of-bounds access, use of uninitialized variables, dangerous functions, dead code, information leakage and improper privilege management, obtaining the number of security defect items and the risk level of each security defect item; according to the number of security defects and their risk levels, an autonomous code defect value IV is calculated;
The open source code comparison information extraction module extracts the information useful for vulnerability comparison by processing and analysing the open source code information, and eliminates information that is useless for or interferes with the subsequent vulnerability judgment, which improves the accuracy and efficiency of the vulnerability comparison; the useful information is normalized to form the open source code comparison information;
The vulnerability database integrates the vulnerability information of public vulnerability databases at home and abroad, comprising information such as the affected entities and the vulnerability description, and normalizes the vulnerability information from the different sources to form normalized vulnerability information; the public vulnerability databases comprise the CNNVD (China National Vulnerability Database of Information Security), the CNVD (China National Vulnerability Database) and the foreign CVE (Common Vulnerabilities and Exposures) list;
The vulnerability comparison analysis engine compares the open source code comparison information with the normalized vulnerability information provided by the vulnerability database to determine the vulnerability condition of the open source code, including the number of vulnerabilities and the risk level of each vulnerability; according to the number of vulnerabilities and their risk levels, an open source code vulnerability value OV is calculated;
the normalized vulnerability information is vulnerability information obtained by normalizing the vulnerability information published by public vulnerability databases such as the CNNVD (China National Vulnerability Database of Information Security), the CNVD (China National Vulnerability Database) and the foreign CVE (Common Vulnerabilities and Exposures) list, so as to form vulnerability information with a uniform data format;
The automatic evaluation report generation module obtains the autonomous controllability F of the software product through weighted calculation according to the autonomous code proportion Z, the autonomous code defect value IV and the open source code vulnerability value OV; according to the autonomous controllability F of the software product, classifying the autonomous controllability of the software product according to a set autonomous controllability classifying condition, and finally automatically generating an autonomous controllability evaluation report of the software product;
F = Z × W1 + IV × W2 + OV × W3
wherein W1 is the weight value of the autonomous proportion, W2 is the weight value of the autonomous code defect value, and W3 is the weight value of the open source code vulnerability value.
According to a third aspect of the present invention, there is provided an assessment system for autonomous controllability of a software product, comprising:
A processor for executing a plurality of instructions;
A memory for storing a plurality of instructions;
the instructions are stored by the memory, and are loaded by the processor and execute the method for evaluating the autonomous controllability of the software product as described above.
According to a fourth aspect of the present invention, there is provided a computer-readable storage medium having stored therein a plurality of instructions; the instructions are used for loading and executing the method for evaluating the autonomous controllability of the software product by the processor.
According to the above scheme, the invention provides a method for evaluating the autonomous controllability of a software product, which evaluates the degree of autonomy and the secure controllability of the software product from three aspects, namely the autonomous proportion of the software code, defects in the autonomous code and security vulnerabilities in the open source code, and is a quantifiable evaluation method. The invention focuses on the autonomous controllability of the software product itself, reduces the influence of other factors on the autonomous controllability judgment, and in particular is the first to propose judging the autonomous controllability of a software product from the perspectives of code defects and security vulnerabilities, thereby fully reflecting the essential requirement that security be autonomous and controllable.
The evaluation system for the autonomous controllability of a software product provided by the invention is an automated evaluation system with automatic detection and evaluation functions for the autonomous controllability of a software product; it markedly reduces the dependence of the detection and evaluation process on manual work, reduces subjective human deviation in the evaluation result, improves the efficiency and the consistency of results of the autonomous controllability evaluation, and greatly reduces the difficulty of evaluating the autonomous controllability of a software product.
The foregoing description is only an overview of the technical solution of the present invention; in order to provide a better understanding of the technical means of the present invention, it is described below with reference to the preferred embodiments of the present invention and the accompanying drawings.
Detailed Description
First, a software product autonomous controllability evaluation method according to an embodiment of the present invention is described with reference to fig. 1, where the method includes the following steps:
Step 1, analyzing the software source code to obtain software code information, wherein the software code information comprises the software architecture, file dependency relationships, file types, the number of files and code fingerprint information;
Step 2, performing multi-level code traceability analysis on the software source code to identify open source code, open source files, autonomous code and autonomous files;
The multi-level code traceability analysis comprises: based on the dependency relationship and the code fingerprint information, performing multi-level traceability analysis of files, code segments and the like against an open source component information base, and identifying open source components and their versions. By analysing and judging the degree of similarity with the open source component, files and code whose similarity is higher than a preset threshold are open source files and open source code, and files and code whose similarity is equal to or lower than the preset threshold are autonomous files and autonomous code;
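The following is an added worked example of the traceability analysis of Step 2; it is not part of the patent, and its function names (normalize_lines, code_fingerprints, Component, trace_file, trace_product), the window size K, the 70% threshold and the sample sources are all assumptions of this example. Code fingerprints are taken as SHA-256 hashes of windows of three normalized lines; a file is classed as open source when the share of its windows found in the best-matching component exceeds the threshold, and each window is then classed individually as an open source or autonomous code segment, which yields the four counts Step 3 needs:

```python
import hashlib
import re
from dataclasses import dataclass

# Assumption of this example: a code segment is a window of K consecutive normalized lines.
K = 3


def normalize_lines(source: str) -> list:
    """Drop comments and blank lines and collapse whitespace, so that
    reformatting or added comments do not hide a copied file."""
    lines = []
    for raw in source.splitlines():
        text = re.sub(r"//.*", "", raw)
        text = re.sub(r"\s+", " ", text).strip()
        if text:
            lines.append(text)
    return lines


def code_fingerprints(source: str) -> list:
    """Code fingerprint information (Step 1): SHA-256 of each window of K
    consecutive normalized lines, one fingerprint per code segment."""
    lines = normalize_lines(source)
    if not lines:
        return []
    if len(lines) < K:
        return [hashlib.sha256("\n".join(lines).encode()).hexdigest()]
    return [hashlib.sha256("\n".join(lines[i:i + K]).encode()).hexdigest()
            for i in range(len(lines) - K + 1)]


@dataclass
class Component:
    """One entry of the open source component information base."""
    name: str
    version: str
    fingerprints: set


def build_component(name: str, version: str, source: str) -> Component:
    return Component(name, version, set(code_fingerprints(source)))


def file_similarity(fps: list, comp: Component) -> float:
    """Percentage of the file's segments that also occur in the component."""
    if not fps:
        return 0.0
    return 100.0 * sum(1 for fp in fps if fp in comp.fingerprints) / len(fps)


def trace_file(source: str, components: list, threshold: float = 70.0) -> dict:
    """Two-level traceability for one file. File level: similarity to the
    best-matching component strictly above the threshold classes the whole
    file as open source and names component and version. Segment level:
    every window found in any component is an open source segment."""
    fps = code_fingerprints(source)
    best, best_score = None, 0.0
    for comp in components:
        score = file_similarity(fps, comp)
        if score > best_score:
            best, best_score = comp, score
    is_open = best_score > threshold
    known = set().union(*(c.fingerprints for c in components))
    open_segments = sum(1 for fp in fps if fp in known)
    return {
        "file_class": "open_source" if is_open else "autonomous",
        "component": f"{best.name}@{best.version}" if is_open else None,
        "similarity": round(best_score, 1),
        "open_source_segments": open_segments,
        "autonomous_segments": len(fps) - open_segments,
    }


def trace_product(files: dict, components: list, threshold: float = 70.0) -> dict:
    """Trace every file and total the counts that Step 3 needs."""
    totals = {"autonomous_files": 0, "open_source_files": 0,
              "autonomous_segments": 0, "open_source_segments": 0, "per_file": {}}
    for path, source in files.items():
        result = trace_file(source, components, threshold)
        totals["per_file"][path] = result
        totals[result["file_class"] + "_files"] += 1
        totals["autonomous_segments"] += result["autonomous_segments"]
        totals["open_source_segments"] += result["open_source_segments"]
    return totals


# Constructed sample data (not a real component): a one-entry information base
# and three product files.
LIBFOO_SRC = """
int add(int a, int b) {
    return a + b;
}
int sub(int a, int b) {
    return a - b;
}
"""
COMPONENTS = [build_component("libfoo", "1.2.0", LIBFOO_SRC)]
PRODUCT_FILES = {
    # vendored copy of libfoo: comments and indentation changed, code identical
    "vendor/foo.c": """
// vendored copy of libfoo, reformatted
int add(int a, int b) {
        return a + b;   // sum
}
int sub(int a, int b) {
    return a - b;
}
""",
    # entirely self-written
    "src/greet.c": """
void greet(const char *name) {
    puts(name);
}
""",
    # one function copied from libfoo, the rest self-written
    "src/math.c": """
int add(int a, int b) {
    return a + b;
}
int square(int x) {
    return x * x;
}
""",
}
```

Running trace_product(PRODUCT_FILES, COMPONENTS) classes vendor/foo.c as an open source file of libfoo@1.2.0 (similarity 100.0), src/greet.c and src/math.c as autonomous files (similarity 0.0 and 25.0), and totals 5 open source and 4 autonomous code segments; the containment measure is chosen rather than a symmetric one so that a file that embeds a whole component plus its own code is still traced to that component.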
Step 3, according to the open source code and autonomous code information and the classification of files and code, calculating respectively the number of autonomous files, the number of open source files, the number of autonomous code segments and the number of open source code segments, and calculating therefrom the percentages for the autonomous file proportion, the autonomous code segment proportion, the open source file proportion and the open source code segment proportion. The autonomous proportion Z is then calculated by weighting according to the following formula:
Z = autonomous file proportion × C1 + autonomous code segment proportion × C2
wherein C1 is the weight value of the autonomous file proportion and C2 is the weight value of the autonomous code segment proportion; the invention provides an embodiment in which the weight values are assigned on the basis that the autonomous files and the autonomous code segments are equally important, C1 being 50 and C2 being 50;
Meanwhile, performing security defect detection on the autonomous code, determining the defect condition of the autonomous code, obtaining the number of security defect items and the risk level of each security defect item, and then calculating the defect value IV of the autonomous code;
the invention provides a specific embodiment for calculating the autonomous code defect value IV, in which IV has a full score of 100: if no security defect is found, IV is 100; for each low-risk defect found, 5 points are deducted, and so on, down to 0; for each medium-risk defect found, 10 points are deducted, and so on, down to 0; if a high-risk defect is found, IV is 0;
Optionally, the security defect detection on the autonomous code comprises detecting security defect items such as buffer overflow, memory leak, array out-of-bounds access, use of uninitialized variables, dangerous functions, dead code, information leakage and improper privilege management;
Meanwhile, processing the open source code information, extracting the information useful for vulnerability comparison, eliminating information that is useless for or interferes with the subsequent vulnerability judgment, and normalizing the useful information to form open source code comparison information; comparing the open source code comparison information with the normalized vulnerability information of a vulnerability database to determine the vulnerability condition of the open source code, including the number of vulnerabilities and the risk level of each vulnerability, and calculating an open source code vulnerability value OV;
The invention provides a specific embodiment for calculating the open source code vulnerability value OV, in which OV has a full score of 100: if no vulnerability is found, OV is 100; for each low-risk vulnerability found, 5 points are deducted, and so on, down to 0; for each medium-risk vulnerability found, 10 points are deducted, and so on, down to 0; if a high-risk vulnerability is found, OV is 0;
the normalized vulnerability information is vulnerability information obtained by normalizing the vulnerability information published by public vulnerability databases such as the CNNVD (China National Vulnerability Database of Information Security), the CNVD (China National Vulnerability Database) and the foreign CVE (Common Vulnerabilities and Exposures) list, so as to form vulnerability information with a uniform data format;
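Added example (not from the patent) of forming the open source code comparison information and the normalized vulnerability information and comparing the two: records in two different source formats, one CVE/NVD-like and one CNNVD-like, are normalized into a uniform record that keeps only the component name, the affected version range and the risk level, while descriptions and other free text are discarded as interference, and the open source components identified by traceability are then compared against that uniform record. The function names, the field names of the two source formats, the severity mapping (CRITICAL folded into high) and every record and identifier are constructed placeholders of this example, not real advisories:

```python
import re
from dataclasses import dataclass

# Assumed uniform risk levels of the normalized format; mapping source-specific
# labels (CNNVD Chinese grades, CVE/CVSS qualitative ratings) onto them is this
# example's own choice, with CRITICAL folded into high.
SEVERITY = {"低危": "low", "中危": "medium", "高危": "high", "超危": "high",
            "LOW": "low", "MEDIUM": "medium", "HIGH": "high", "CRITICAL": "high"}


def parse_version(text: str) -> tuple:
    """Dotted version string to a comparable tuple of integers."""
    return tuple(int(p) for p in text.strip().split("."))


def norm_component(name: str) -> str:
    """Component names are compared case-insensitively and without whitespace."""
    return re.sub(r"\s+", "", name).lower()


@dataclass(frozen=True)
class NormalizedVuln:
    """Uniform record: only the fields the comparison needs are kept."""
    vuln_id: str
    component: str
    lo: tuple          # lower bound of affected versions, None = unbounded
    lo_inc: bool
    hi: tuple          # upper bound, None = unbounded
    hi_inc: bool
    severity: str

    def affects(self, version: tuple) -> bool:
        if self.lo is not None and (version < self.lo or (version == self.lo and not self.lo_inc)):
            return False
        if self.hi is not None and (version > self.hi or (version == self.hi and not self.hi_inc)):
            return False
        return True


def from_cve_like(rec: dict) -> NormalizedVuln:
    """CVE/NVD-style record: explicit start (inclusive) / end (exclusive) fields."""
    lo = parse_version(rec["versionStartIncluding"]) if rec.get("versionStartIncluding") else None
    hi = parse_version(rec["versionEndExcluding"]) if rec.get("versionEndExcluding") else None
    return NormalizedVuln(rec["id"], norm_component(rec["product"]),
                          lo, True, hi, False, SEVERITY[rec["baseSeverity"].upper()])


def from_cnnvd_like(rec: dict) -> NormalizedVuln:
    """CNNVD-style record: one affected-version string with comparison operators."""
    lo = hi = None
    lo_inc = hi_inc = True
    for part in rec["affected_versions"].split(","):
        m = re.match(r"(>=|<=|>|<)\s*([\d.]+)", part.strip())
        if not m:
            continue  # "*" or an empty constraint: no bound on that side
        op, ver = m.group(1), parse_version(m.group(2))
        if op.startswith(">"):
            lo, lo_inc = ver, op == ">="
        else:
            hi, hi_inc = ver, op == "<="
    return NormalizedVuln(rec["cnnvd_id"], norm_component(rec["affected_entity"]),
                          lo, lo_inc, hi, hi_inc, SEVERITY[rec["hazard_level"]])


def compare(components: list, vuln_db: list) -> list:
    """Compare each open source component (name, version) against every normalized
    record; returns matches as (component name, vulnerability id, risk level)."""
    matches = []
    for comp in components:
        name, version = norm_component(comp["name"]), parse_version(comp["version"])
        for v in vuln_db:
            if v.component == name and v.affects(version):
                matches.append((comp["name"], v.vuln_id, v.severity))
    return matches


def count_by_level(matches: list) -> dict:
    """Number of vulnerabilities per risk level, the input to the OV calculation."""
    counts = {"low": 0, "medium": 0, "high": 0}
    for _, _, sev in matches:
        counts[sev] += 1
    return counts


# Constructed records with placeholder identifiers (not real advisories).
RAW_CVE_LIKE = [
    {"id": "CVE-EXAMPLE-1", "product": "libfoo", "versionStartIncluding": "1.0.0",
     "versionEndExcluding": "1.3.0", "baseSeverity": "MEDIUM",
     "description": "free text that plays no part in the comparison"},
    {"id": "CVE-EXAMPLE-2", "product": "libfoo", "versionStartIncluding": "2.0.0",
     "versionEndExcluding": "2.1.0", "baseSeverity": "HIGH", "description": "..."},
    {"id": "CVE-EXAMPLE-3", "product": "LibFoo", "versionStartIncluding": "1.2.0",
     "versionEndExcluding": "1.2.1", "baseSeverity": "Low", "description": "..."},
]
RAW_CNNVD_LIKE = [
    {"cnnvd_id": "CNNVD-EXAMPLE-4", "affected_entity": "Bar Lib",
     "affected_versions": ">=3.4.0,<=3.4.1", "hazard_level": "高危"},
    {"cnnvd_id": "CNNVD-EXAMPLE-5", "affected_entity": "bazlib",
     "affected_versions": "*", "hazard_level": "低危"},
]
VULN_DB = [from_cve_like(r) for r in RAW_CVE_LIKE] + [from_cnnvd_like(r) for r in RAW_CNNVD_LIKE]

# Open source code comparison information as the traceability step would yield it (constructed).
OPEN_SOURCE_COMPONENTS = [{"name": "libfoo", "version": "1.2.0"},
                          {"name": "barlib", "version": "3.4.1"}]
```

compare(OPEN_SOURCE_COMPONENTS, VULN_DB) yields one medium-risk and one low-risk match for libfoo 1.2.0 and one high-risk match for barlib 3.4.1; the inclusive upper bound of the CNNVD-like range and the exclusive upper bound of the CVE-like range are handled separately, since mixing the two is a common source of false positives and misses in this kind of comparison.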
Step 4, obtaining the autonomous controllability F of the software product by weighted calculation from the autonomous code proportion Z, the autonomous code defect value IV and the open source code vulnerability value OV, grading the autonomous controllability of the software product according to the set autonomous controllability grading condition, and finally automatically generating a software product autonomous controllability evaluation report. The autonomous controllability F of the software product is calculated according to the following formula:
F = Z × W1 + IV × W2 + OV × W3
wherein W1 is the weight value of the autonomous proportion, W2 is the weight value of the autonomous code defect value, and W3 is the weight value of the open source code vulnerability value; the invention provides an embodiment in which W1 is 50%, W2 is 25% and W3 is 25%; the weight values are assigned according to the different degrees of importance, and in this embodiment of the invention they are assigned on the basis that the degree of autonomy and the degree of security of the software product are equally important, and that the security of the autonomous code and the security of the open source code are equally important.
The higher the autonomous controllability value F of the software product, the higher its autonomous controllability class. The autonomous controllability class classification condition is specifically as follows: class AAA: F ≥ 90; class AA: 90 > F ≥ 80; class A: 80 > F ≥ 70; class B: 70 > F ≥ 60; class C: 60 > F ≥ 50; class D: F < 50.
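Added example (not from the patent) carrying Steps 3 and 4 through with the weights of the embodiment (C1 = C2 = 50, W1 = 50%, W2 = W3 = 25%), the deduction rules for IV and OV and the class boundaries given above. The function names and the input counts are constructed for this example; the two cases evaluate the same product once with no open source vulnerabilities and once with one high-risk open source vulnerability, which shows how a single high-risk item in open source code moves the product down the classes regardless of how much of the code is autonomous:

```python
# Weights of the embodiment: C1 = C2 = 50 (percent), W1 = 50%, W2 = W3 = 25%.
C1, C2 = 50, 50
W1, W2, W3 = 0.50, 0.25, 0.25
DEDUCTION = {"low": 5, "medium": 10}   # a high-risk item sets the score to 0 outright


def autonomous_proportion(auto_files, open_files, auto_segments, open_segments, c1=C1, c2=C2):
    """Z = autonomous file proportion x C1 + autonomous code segment proportion x C2,
    with proportions and weights both expressed in percent."""
    total_files = auto_files + open_files
    total_segments = auto_segments + open_segments
    file_pct = 100.0 * auto_files / total_files if total_files else 0.0
    seg_pct = 100.0 * auto_segments / total_segments if total_segments else 0.0
    return file_pct * c1 / 100 + seg_pct * c2 / 100


def deduction_score(counts: dict) -> int:
    """IV and OV rule of the embodiment: full score 100; 5 off per low-risk item,
    10 off per medium-risk item, never below 0; any high-risk item gives 0."""
    if counts.get("high", 0) > 0:
        return 0
    score = 100 - DEDUCTION["low"] * counts.get("low", 0) \
                - DEDUCTION["medium"] * counts.get("medium", 0)
    return max(score, 0)


def controllability(z, iv, ov, w1=W1, w2=W2, w3=W3):
    """F = Z x W1 + IV x W2 + OV x W3."""
    return z * w1 + iv * w2 + ov * w3


def grade(f) -> str:
    """Class boundaries of the embodiment (lower bounds inclusive)."""
    for level, floor in (("AAA", 90), ("AA", 80), ("A", 70), ("B", 60), ("C", 50)):
        if f >= floor:
            return level
    return "D"


def evaluate(trace_counts: dict, auto_defects: dict, open_vulns: dict) -> dict:
    """Steps 3 and 4 end to end; returns the figures an evaluation report would carry."""
    z = autonomous_proportion(trace_counts["autonomous_files"], trace_counts["open_source_files"],
                              trace_counts["autonomous_segments"], trace_counts["open_source_segments"])
    iv = deduction_score(auto_defects)
    ov = deduction_score(open_vulns)
    f = controllability(z, iv, ov)
    return {"Z": round(z, 2), "IV": iv, "OV": ov, "F": round(f, 2), "grade": grade(f)}


# Constructed inputs: counts from traceability, plus defect and vulnerability
# tallies per risk level for the autonomous and the open source code.
TRACE_COUNTS = {"autonomous_files": 2, "open_source_files": 1,
                "autonomous_segments": 4, "open_source_segments": 5}
CASE_CLEAN_DEPS = evaluate(TRACE_COUNTS, {"low": 2}, {})
CASE_HIGH_RISK_DEP = evaluate(TRACE_COUNTS, {"low": 2}, {"low": 1, "medium": 1, "high": 1})
```

With these inputs Z is 55.56; the first case gives IV 90, OV 100, F 75.28 and class A, the second case gives the same Z and IV but OV 0, F 50.28 and class C.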
The invention further provides an evaluation system for the autonomous controllability of the software product, which is shown in fig. 2 and comprises a software source code composition analysis module, an open source component information base, a multi-level software traceability analysis module, an autonomous code proportion calculation module, an autonomous code security detection module, an open source code comparison information extraction module, a vulnerability database, a vulnerability comparison analysis engine and an evaluation report automatic generation module.
The software source code composition analysis module is used for analyzing the software source code and obtaining software code information, wherein the software code information comprises a software architecture, file dependency relations, file types, file numbers and code fingerprint information;
The open source component information base integrates various open source component information at home and abroad, including open source file names, file fingerprints, code fingerprints, source codes and the like;
The multi-level software traceability analysis module, based on the dependency relationship and the code fingerprint information, performs multi-level traceability analysis of files, code segments and the like against the information in the open source component information base; by analysing and judging the degree of similarity with the open source component, files and code whose similarity is higher than a preset threshold are open source files and open source code, and files and code whose similarity is equal to or lower than the preset threshold are autonomous files and autonomous code, whereby the open source code, open source files, autonomous code and autonomous files are identified;
The autonomous code proportion calculation module calculates, according to the open source code and autonomous code information and the classification of files and code, the number of autonomous files, the number of open source files, the number of autonomous code segments and the number of open source code segments respectively, calculates the percentages for the autonomous file proportion, the autonomous code segment proportion, the open source file proportion and the open source code segment proportion, and calculates the autonomous proportion Z according to the following formula:
Z = autonomous file proportion × C1 + autonomous code segment proportion × C2
wherein C1 is the weight value of the autonomous file proportion and C2 is the weight value of the autonomous code segment proportion; the invention provides an embodiment in which the weight values are assigned on the basis that the autonomous files and the autonomous code segments are equally important, C1 being 50 and C2 being 50;
the autonomous code security detection module detects security defects such as buffer overflow, memory leak, array out-of-bounds access, use of uninitialized variables, dangerous functions, dead code, information leakage and improper privilege management, and obtains the number of security defect items and the risk level of each security defect item; according to the number of security defects and their risk levels, an autonomous code defect value IV is calculated;
the invention provides an embodiment in which IV has a full score of 100: if no security defect is found, IV is 100; for each low-risk defect found, 5 points are deducted, and so on, down to 0; for each medium-risk defect found, 10 points are deducted, and so on, down to 0; if a high-risk defect is found, IV is 0;
The open source code comparison information extraction module extracts the information useful for vulnerability comparison by processing and analysing the open source code information, and eliminates information that is useless for or interferes with the subsequent vulnerability judgment, which improves the accuracy and efficiency of the vulnerability comparison; the useful information is normalized to form the open source code comparison information;
The vulnerability database integrates the vulnerability information of public vulnerability databases at home and abroad, comprising information such as the affected entities and the vulnerability description, and normalizes the vulnerability information from the different sources to form normalized vulnerability information; the public vulnerability databases comprise the CNNVD (China National Vulnerability Database of Information Security), the CNVD (China National Vulnerability Database), the foreign CVE (Common Vulnerabilities and Exposures) list and the like;
The vulnerability comparison analysis engine compares the open source code comparison information with normalized vulnerability information provided by a vulnerability database to determine vulnerability conditions of the open source code, including vulnerability quantity and vulnerability risk level; and according to the vulnerability quantity and the risk level, calculating to obtain an open source code vulnerability value OV.
The invention provides an embodiment in which OV has a full score of 100: if no vulnerability is found, OV is 100; for each low-risk vulnerability found, 5 points are deducted, and so on, down to 0; for each medium-risk vulnerability found, 10 points are deducted, and so on, down to 0; if a high-risk vulnerability is found, OV is 0;
The normalized vulnerability information refers to vulnerability information obtained by normalizing the vulnerability information published by public vulnerability databases such as the CNNVD (China National Vulnerability Database of Information Security), the CNVD (China National Vulnerability Database) and the foreign CVE (Common Vulnerabilities and Exposures) list, so as to form vulnerability information with a uniform data format.
The automatic evaluation report generation module obtains the autonomous controllability F of the software product through weighted calculation according to the autonomous code proportion Z, the autonomous code defect value IV and the open source code vulnerability value OV; and according to the autonomous controllability F of the software product, classifying the autonomous controllability of the software product according to a set autonomous controllability classifying condition, and finally automatically generating a software product autonomous controllability evaluation report.
F = Z × W1 + IV × W2 + OV × W3
wherein W1 is the weight value of the autonomous proportion, W2 is the weight value of the autonomous code defect value, and W3 is the weight value of the open source code vulnerability value. The invention provides an embodiment in which W1 is 50%, W2 is 25% and W3 is 25%; the weight values are assigned according to the different degrees of importance, and in this embodiment of the invention they are assigned on the basis that the degree of autonomy and the degree of security of the software product are equally important, and that the security of the autonomous code and the security of the open source code are equally important.
The higher the autonomous controllability value F of the software product, the higher its autonomous controllability class. The autonomous controllability class classification condition is specifically as follows: class AAA: F ≥ 90; class AA: 90 > F ≥ 80; class A: 80 > F ≥ 70; class B: 70 > F ≥ 60; class C: 60 > F ≥ 50; class D: F < 50.
The embodiment of the invention further provides an evaluation system for the autonomous controllability of a software product, comprising:
A processor for executing a plurality of instructions;
A memory for storing a plurality of instructions;
the instructions are stored by the memory, and loaded and executed by the processor, so as to implement the software product autonomous controllability evaluation method as described above.
The embodiment of the invention further provides a computer readable storage medium, wherein a plurality of instructions are stored in the storage medium; the instructions are used for loading and executing the software product autonomous controllability evaluation method by the processor.
It should be noted that, without conflict, the embodiments of the present invention and features of the embodiments may be combined with each other.
In the several embodiments provided in the present invention, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the elements is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in hardware plus software functional units.
The integrated units implemented in the form of software functional units described above may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium, and includes several instructions for making a computer device (which may be a personal computer, a physical machine Server, or a network cloud Server, etc., and need to install a Windows or Windows Server or Linux operating system) execute part of the steps of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The above description is only of the preferred embodiments of the present invention, and is not intended to limit the present invention in any way, but any simple modification, equivalent variation and modification made to the above embodiments according to the technical substance of the present invention still fall within the scope of the technical solution of the present invention.