CN115016831A - Dependent component information acquisition method and device and storage medium - Google Patents


Info

Publication number
CN115016831A
Authority
CN
China
Legal status
Pending
Application number
CN202210944206.4A
Other languages
Chinese (zh)
Inventor
张涛
宁戈
杜玉洁
周雅飞
Current Assignee
Beijing Anpro Information Technology Co ltd
Original Assignee
Beijing Anpro Information Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/70 Software maintenance or management

Abstract

The embodiments disclosed in this application provide a method, a device and a storage medium for acquiring dependent component information. The method obtains and analyzes the dependency configuration file of a target software project to obtain the direct dependency component information of the project; it then obtains, layer by layer, the dependency configuration files of the direct dependency components and the indirect dependency components (files that do not exist inside the target software project itself), or directly obtains the dependency tree lock file of the target software project; it then acquires the component information of all indirect dependency components, correspondingly, either from the dependency configuration files of the direct and indirect dependency components or from the direct dependency component information together with the dependency tree lock file, and displays the component information of the direct and indirect dependency components.

Description

Dependent component information acquisition method and device and storage medium
Technical Field
Embodiments disclosed herein relate generally to the field of software composition analysis / open source software security testing technology, and more particularly to a dependent component information acquisition method, device and storage medium.
Background
The use of open source components greatly improves software development efficiency. In particular, with the rise of the open source movement, a large number of open source projects have received wide attention and are widely applied. The components provided by open source projects generally have good performance, reliability and robustness. In software development practice, however, components provided by open source projects often lack effective review and management of security and similar concerns, which brings security risks and intellectual property risks to the software supply chain.
Moreover, the introduction of open source components is not the only threat to software supply chain security. The efficiency gains of component-based development come not only from the wide use of open source components, but also from the sensible reuse of self-developed components, the adoption of commercial third-party components (which are generally closed source) in software projects, and the open source components referenced in turn by those self-developed and commercial third-party components. The use of self-developed and commercial third-party components, and in particular their references to open source components, is clearly the root cause of the further complication of software supply chain security issues.
To thoroughly eliminate the potential security hazards and intellectual property compliance problems caused by the introduction of open source components, the information on the open source components introduced into a software project must be fully mastered. These include the open source components on which the software project depends directly and those on which it depends indirectly; the indirectly dependent open source components include not only the open source components that sit directly or indirectly below the directly dependent open source components, but also the self-developed components and commercial third-party components that sit directly or indirectly below them. In the software development process, developers usually obtain component information through a dependency query command and complete the analysis by hand; however, this approach depends excessively on manual querying, the dependent component information it outputs is not easy to read, and that output is often too terse and lacks important component-related information.
SCA/OSS (Software Composition Analysis / Open Source Software security testing technology) is a new open source governance technology that provides software component analysis capabilities and is expected to solve these problems. However, the software dependency component analysis function of existing SCA/OSS technology, which is based on a component dependency knowledge base, can only handle well the acquisition of component information for directly dependent official open source components and their corresponding indirect dependencies; it cannot cover the acquisition of component information for self-developed components and commercial third-party components (or even open source components from unofficial channels), and in particular it cannot handle the acquisition of information on the open source components referenced by self-developed and commercial third-party components. Even where some SCA/OSS technology is adopted to safeguard the software supply chain, there remains a gap in the coverage of dependent component information acquisition, and any missed point of security detection may cause a huge loss because of a high-risk vulnerability or a compliance problem hidden in a related dependent component.
Disclosure of Invention
According to the embodiments disclosed in this application, a method, an apparatus and a storage medium for obtaining dependent component information are provided. The dependency configuration file of a target software project is obtained and analyzed to obtain the direct dependency component information it contains; then the dependency configuration files of the direct dependency components and indirect dependency components (none of which exist inside the target software project) are obtained layer by layer, or the dependency tree lock file of the target software project is obtained; the component information of all indirect dependency components is then obtained, correspondingly, either from the dependency configuration files of the direct and indirect dependency components or from the direct dependency component information together with the dependency tree lock file; and the component information of the direct and indirect dependency components is displayed. This solves the problems that dependent component information in a software project is hard to obtain, that the process is complex, the operation difficult and the results wrong, and in particular the problem that the prior art has difficulty acquiring all dependent component information comprehensively and exhaustively.
In a first aspect of the present disclosure, a dependent component information acquisition method is provided. The method comprises the following steps: acquiring a dependency configuration file of a target software project; analyzing the dependency configuration file and acquiring the direct dependency component information of the target software project from it; according to the direct dependency component information, acquiring the dependency configuration file of each direct dependency component from a local repository, a private repository or an official public repository, then acquiring from that file the dependency configuration files of the components it references, and continuing layer by layer to acquire the dependency configuration files of the indirect dependency components of the target software project, or more directly acquiring the dependency tree lock file of the target software project; correspondingly acquiring the component information of all indirect dependency components of the target software project either from the dependency configuration files of the direct and indirect dependency components or from the direct dependency component information together with the dependency tree lock file; and displaying the component information of the direct and indirect dependency components.
In a second aspect of the present disclosure, a dependent component information acquisition apparatus is provided. The device includes: at least one processor, a memory coupled to the at least one processor, and a computer program stored in the memory; wherein the processor executes the computer program to implement the dependent component information obtaining method according to the first aspect.
In a third aspect of the disclosure, a computer-readable storage medium is provided. The medium has computer instructions related to the analysis of software components stored on it; when executed by a computer processor, these instructions implement the dependent component information acquisition method of the first aspect.
In a fourth aspect of the disclosure, a computer program product is provided. The program product includes a computer program that, when executed by a computer processor, is capable of implementing the dependent component information acquisition method recited in the first aspect.
It should be understood that the statements herein reciting aspects are not intended to limit the critical or essential features of the embodiments of the present disclosure, nor are they intended to limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of embodiments of the present disclosure will become more apparent upon consideration of the following detailed description, taken in conjunction with the accompanying drawings. In the drawings, like or similar reference characters designate like or similar elements, and wherein:
FIG. 1 illustrates a schematic diagram of a dependent component information acquisition process in some embodiments of the present disclosure;
FIG. 2 illustrates a block diagram of a computing device capable of implementing various embodiments of the present disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but rather are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the disclosure are for illustration purposes only and are not intended to limit the scope of the disclosure.
The term "include" and similar terms are to be understood as open-ended inclusions, i.e., "including but not limited to," in the description of the embodiments of the present disclosure. The term "based on" should be understood as "based at least in part on". The term "one embodiment" or "the embodiment" should be understood as "at least one embodiment". The terms "first," "second," and the like may refer to different or the same object. Other explicit and implicit definitions are also possible below.
The technical term "target software project" in the description of the embodiments of the present disclosure refers to any software project to be analyzed; a target software project is typically submitted for inspection and analysis in the form of a source code package; for target software projects that are not in the form of a software package, the source code package for detection and analysis may be exported specifically by an IDE environment plug-in conversion (e.g., compression).
The introduction of dependent components into a software project undoubtedly improves software development efficiency, but introducing components, especially open source components, inevitably causes software supply chain security problems. In the software development process, the introduction and management of open source components is supported by some relatively effective measures and related technical tools; for example, as mentioned above, developers grasp and manage the introduction of related components, particularly open source components, through the query command of the package manager. However, as large numbers of components are introduced and the software supply chain grows more complex through intricate component reference relationships (in particular, references to open source components from self-developed components, references across many levels, and the like), simple manual querying and manual management cannot support component management for medium and large software projects. The software component analysis function of existing SCA/OSS technology can only cover well the acquisition and management of part of a software project's dependent component information, mainly the information on open source components from official channels: by collecting official open source component information and the like, most component dependency knowledge bases can be made to cover the official-channel open source components relatively completely, while other component information cannot be handled. This obviously cannot meet the real requirement.
Therefore, according to an embodiment of the present disclosure, a dependent component information acquisition scheme is proposed. Instead of relying mainly on a component dependency knowledge base (which, realistically, can hardly cover all components) as existing SCA/OSS technology does when acquiring dependent component information, the scheme acquires the direct dependency component information by obtaining and analyzing the dependency configuration file of the target software project, then acquires, layer by layer, the dependency configuration files of the direct and indirect dependency components, or directly the dependency tree lock file of the target software project, then acquires the component information of all indirect dependency components correspondingly from those dependency configuration files or from the direct dependency component information together with the dependency tree lock file, and displays the component information of the direct and indirect dependency components. This solves the problems that dependent component information in a software project is hard to acquire, the process is complicated, the operation is not easy, the results are inaccurate, and so on. Compared with the prior art, the scheme does not need to import the target software package into different package managers one by one, the dependent component information in the target software project is extracted more easily, incomplete and inaccurate results caused by an outdated or insufficiently covering component dependency knowledge base are avoided, and in particular self-developed components, commercial third-party components and the like are covered in the results.
Embodiments of the present disclosure will be described below in detail with reference to the accompanying drawings. FIG. 1 illustrates a schematic diagram of a dependent component information acquisition process in some embodiments of the present disclosure. As shown in FIG. 1, a process 100 for obtaining dependent component information mainly includes: acquiring a dependency configuration file of a target software project (block 101); analyzing the dependency configuration file and acquiring the direct dependency component information of the target software project (block 102); acquiring the component information of all indirect dependency components of the target software project (block 103); and displaying the component information of the direct and indirect dependency components (block 104). At block 101, the dependency configuration file obtained is also commonly referred to as the package manager configuration file; the target software project is submitted for detection and analysis in the form of a source code package, or the source code package for detection and analysis is produced by the conversion (e.g. compression) of an IDE environment plug-in, so the source code package can be analyzed directly and the dependency configuration file obtained from it. In some of the foregoing embodiments, obtaining the dependency configuration file may include analyzing the source code package of the target software project against preset rules (such as matching the format and the file name of the package manager configuration file) to acquire the dependency configuration file in the source code package.
For software projects in a code repository, in some embodiments the code content tree structure of the target software project may also be obtained through an interface provided by the code repository, and the package manager configuration file, that is, the dependency configuration file, is then picked out by file name. At block 102, the component information of the directly dependent components in the dependency configuration file (i.e., the direct dependency component information of the dependency configuration file) may be obtained by extracting the text of the dependency declaration section of the dependency configuration file and matching it with regular expressions. At block 103, instead of obtaining the component information of indirectly dependent components by querying a component dependency knowledge base as existing SCA/OSS technology does (most component dependency knowledge bases lack the dependent component information of self-developed components and commercial third-party components, and any of the dependent component information mentioned above is hard to keep up to date), some embodiments obtain the dependency configuration file of each directly dependent component from a local, private or official public repository based on the direct dependency component information, then obtain from those files the information of the indirectly dependent components referenced below them, accordingly obtain the dependency configuration files of the current indirectly dependent components from the local, private or official public repository, and repeat these operations to obtain the remaining indirect dependency component information layer by layer, until a dependent component has no further downward dependency.
Some package managers also provide a dependency tree lock file mechanism for the software project, so some embodiments may also obtain the dependency tree lock file of the target software project directly (if such a mechanism exists) and obtain the component information of all indirectly dependent components of the target software project from it. Obtaining the dependency tree lock file of the target software project may specifically mean accessing the source code repository of the target software project and obtaining the lock file directly from it. When dependent component information is acquired from the dependency tree lock file, all component information of the indirectly dependent components can be acquired from the direct dependency component information together with the lock file, which ensures the accuracy and reliability of the result. At block 104, the obtained component information of the direct and indirect dependency components is presented; the displayed component information typically includes at least the component name.
In some embodiments, the directly dependent components acquired may include self-developed components and commercial third-party components. For such self-developed components and commercial third-party components, a component dependency knowledge base generally cannot cover the related component information, and keeping that information up to date is even more difficult.
Similarly, in some of the above embodiments, where a self-developed component or commercial third-party component is a direct dependency component, the corresponding indirect dependency components may also include self-developed components and commercial third-party components; that is, the indirect dependency components of a direct dependency component may include self-developed components and commercial third-party components, and the indirect dependency components referenced indirectly by an indirect dependency component may likewise include self-developed components and commercial third-party components (of course, an indirect dependency component referenced directly by a self-developed component or a commercial third-party component is, in practice, also a self-developed component or commercial third-party component).
In some embodiments, the target software project contains several (not fewer than two) dependency configuration files, i.e., at least two dependency configuration files are obtained at block 101, and their respective direct dependency component information and indirect dependency component information are obtained at blocks 102 and 103 respectively.
Various programming languages, such as Java, have advantages such as good interactivity and cross-platform robustness and are commonly used to develop business web applications. Because different programming languages were created at different times and target different scenarios, their subsequent development differs markedly, and different package managers have been developed according to their respective characteristics. Each programming language usually has a common package manager; some typical programming languages and their common package managers are, for example, Java (maven), Python (pip), C/C++ (conan), JavaScript (npm for the backend, bower for the frontend), Ruby (bundle), etc. Each package manager generally adopts a dependency management file (that is, a dependency configuration file) that it can recognize and use itself; for example, the dependency configuration file of maven is named pom.xml (here the file name means the complete file name). Therefore, in some of the above embodiments the dependency configuration files correspond to different package managers; correspondingly, at blocks 102 and 103, each package manager is simulated separately to analyze and obtain its direct dependency component information, the dependency configuration files of its indirect dependency components, and its indirect dependency component information; similarly, if the package manager supports a dependency tree lock file mechanism, the direct dependency component information and the project's dependency tree lock file can be obtained separately, and the indirect dependency component information is then obtained from the project's dependency tree lock file together with the corresponding direct dependency component information.
The above process is described in detail here using package managers and some of their dependency configuration files as examples. In this example, assume that the dependency configuration files obtained from the target software project include files named pom.xml and package.json; the direct dependency component information, the dependency configuration files of the indirect dependency components, and the indirect dependency component information corresponding to pom.xml and to package.json are obtained respectively. The component information acquisition process is further detailed below taking maven (pom.xml) as the example. Maven is a major project management tool for the automated build and dependency management of Java projects. Maven manages components through coordinates. Typical coordinate elements are the vendor name (groupId), the component name (artifactId) and the version number (version), and the repository site plus the coordinate triplet usually forms the URL for accessing the component and its associated information. For example, "https://repo1.maven.org/maven2/" is the address of maven's official public repository (the official public repository here includes a series of approved repositories, such as the official web repository and official mirror repositories, from which official components can be downloaded), "org/springframework" is the vendor name, "spring-beans" is the component name and "5.3.18" is the component version number, so the access link of the component spring-beans-5.3.18 is "https://repo1.maven.org/maven2/org/springframework/spring-beans/5.3.18/".
In the process of acquiring dependent component information, the component information of a directly or indirectly dependent component is acquired from the dependency configuration file (the component information at least comprises the vendor name, the component version number and the corresponding repository access address or path) and converted, according to that information, into an access link to the component information storage site; the download of the target component package is skipped (for the component spring-beans-5.3.18, the file spring-beans-5.3.18.jar) and only its dependency configuration file is acquired directly (for spring-beans-5.3.18, the file spring-beans-5.3.18.pom); the operation is repeated until no downward dependency exists, and the component information is acquired from the dependency configuration files obtained.
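The layer-by-layer POM walk of blocks 102 and 103, as described for maven above, written out as an added example (not the patent's own code and not a real Maven client): it parses the `<dependencies>` section with an XML parser rather than regular expressions, derives each component's repository path from its coordinates, fetches only the `.pom` file and never the `.jar`, and records every component's position in the dependency tree together with any component whose POM no repository could supply. The project POM, the repository contents and the `com.example` components are constructed; `spring-core` and `spring-jcl` are real artifact names but their POMs here are simplified stand-ins, and only the `org.springframework:spring-beans:5.3.18` coordinates and the repository site come from the page.

```python
"""Layer-by-layer dependency resolution from Maven POM files (added example)."""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Tuple

REPO_BASE = "https://repo1.maven.org/maven2/"   # official public repository site
Coord = Tuple[str, str, str]                     # (groupId, artifactId, version)


def pom_path(coord: Coord) -> str:
    """Relative path of a component's POM below a Maven repository root."""
    group, artifact, version = coord
    return f"{group.replace('.', '/')}/{artifact}/{version}/{artifact}-{version}.pom"


def _text(el: ET.Element, name: str, default: str = "") -> str:
    child = el.find(name)
    return child.text.strip() if child is not None and child.text else default


def parse_direct_dependencies(pom_xml: str) -> List[Coord]:
    """Block 102: the directly declared dependencies of one POM. Test, provided,
    system and optional entries are skipped (Maven does not pass them on
    transitively); ${property} versions are resolved against <properties>.
    Versions inherited from a parent POM or <dependencyManagement> stay empty."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():                          # drop the POM namespace prefix
        el.tag = el.tag.split("}", 1)[-1]
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    deps: List[Coord] = []
    for dep in root.findall("dependencies/dependency"):
        if _text(dep, "scope", "compile") in ("test", "provided", "system"):
            continue
        if _text(dep, "optional") == "true":
            continue
        version = _text(dep, "version")
        if version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1], version)
        deps.append((_text(dep, "groupId"), _text(dep, "artifactId"), version))
    return deps


def resolve(project_pom: str, fetch_pom: Callable[[str], Optional[str]]) -> Dict[str, object]:
    """Block 103: from the project's direct dependencies, fetch each component's
    own POM (never its jar) and descend until nothing depends further down.
    Returns each component's position in the dependency tree (artifactId path
    from the project; a component reached twice keeps its first position) and
    the components whose POM no repository could supply."""
    direct = parse_direct_dependencies(project_pom)
    positions: Dict[Coord, str] = {}
    unresolved: List[Coord] = []

    def walk(coord: Coord, path: str) -> None:
        if coord in positions:                      # shared dependency or cycle
            return
        positions[coord] = path
        pom = fetch_pom(pom_path(coord))
        if pom is None:                             # e.g. an unpublished private component
            unresolved.append(coord)
            return
        for child in parse_direct_dependencies(pom):
            walk(child, f"{path} > {child[1]}")

    for coord in direct:
        walk(coord, coord[1])
    return {"direct": direct, "positions": positions, "unresolved": unresolved}


# ---- constructed sample data: simplified POMs, not copied from any real artifact ----
def _pom(coord: Coord, deps=(), props=None) -> str:
    """Build a minimal POM document for the constructed sample repository."""
    g, a, v = coord
    prop_xml = "".join(f"<{k}>{val}</{k}>" for k, val in (props or {}).items())
    dep_xml = "".join(f"<dependency><groupId>{dg}</groupId><artifactId>{da}</artifactId>"
                      f"<version>{dv}</version><scope>{ds}</scope></dependency>"
                      for dg, da, dv, ds in deps)
    return (f'<project xmlns="http://maven.apache.org/POM/4.0.0"><groupId>{g}</groupId>'
            f"<artifactId>{a}</artifactId><version>{v}</version><properties>{prop_xml}"
            f"</properties><dependencies>{dep_xml}</dependencies></project>")


SPRING = "org.springframework"
SAMPLE_PROJECT_POM = _pom(("com.example", "target-app", "1.0"), props={"spring.version": "5.3.18"},
                          deps=[(SPRING, "spring-beans", "${spring.version}", "compile"),
                                ("com.example", "acme-util", "1.0", "compile"),  # private component
                                ("junit", "junit", "4.13.2", "test")])           # test-only, skipped
SAMPLE_REPOSITORY: Dict[str, str] = {   # POM path -> POM text; acme-core is absent on purpose
    pom_path((SPRING, "spring-beans", "5.3.18")): _pom((SPRING, "spring-beans", "5.3.18"),
                                                      [(SPRING, "spring-core", "5.3.18", "compile")]),
    pom_path((SPRING, "spring-core", "5.3.18")): _pom((SPRING, "spring-core", "5.3.18"),
                                                     [(SPRING, "spring-jcl", "5.3.18", "compile")]),
    pom_path((SPRING, "spring-jcl", "5.3.18")): _pom((SPRING, "spring-jcl", "5.3.18")),
    pom_path(("com.example", "acme-util", "1.0")): _pom(("com.example", "acme-util", "1.0"),
                                                       [("com.example", "acme-core", "1.0", "compile")]),
}


def demo() -> Dict[str, object]:
    """Resolve the constructed project against the constructed repository."""
    return resolve(SAMPLE_PROJECT_POM, SAMPLE_REPOSITORY.get)


if __name__ == "__main__":
    result = demo()
    for coord, position in result["positions"].items():
        print(f"{position:<40} {REPO_BASE}{pom_path(coord)}")
    print("unresolved:", result["unresolved"])
```

Components left in `unresolved` are exactly the gap the page describes: a self-developed or commercial component that no local, private or public repository can supply must be inventoried by another route rather than silently dropped.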
In some embodiments, the component information obtained, whether directly dependent on the component information or indirectly dependent on the component information, may include: component name, component version, component type, etc.
In some embodiments, obtaining the dependent component information may further include acquiring the component dependency tree of the target software project; in some of these embodiments, the dependency tree acquisition process may include recording the reference relationships among the direct dependency components and the indirect dependency components, and generating the component dependency tree of the target software project from those reference relationships and the component information of the direct and indirect dependency components.
In some embodiments, if a dependency tree lock mechanism exists, the dependency tree lock file of the target software project may also be traversed, and an accurate component dependency tree of the target software project is then output from the direct dependency component information and the traversal.
In some of the foregoing embodiments, the component information may include the position of any direct dependency component or indirect dependency component in the component dependency tree.
Some of the above embodiments may also display any of the direct dependency components or indirect dependency components in the component dependency tree.
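The lock-file variant of block 103 and the tree traversal just described, shown for npm as an added example (not the patent's own code): package.json supplies the direct dependencies and a constructed package-lock.json in the lockfileVersion 3 layout (a "packages" map keyed by install path) supplies every indirect component with its exact version, so no further configuration file has to be fetched. Each component's position in the dependency tree and its origin registry are recorded, dev-only packages are excluded unless requested, and a package.json entry the lock file lacks is reported as missing rather than guessed. The package names, versions and the internal registry URL are made up; registry.npmjs.org is the official npm registry.

```python
"""Component information and dependency tree from an npm lock file (added example)."""
import json
from typing import Dict, List, Optional

OFFICIAL_REGISTRY = "https://registry.npmjs.org/"   # official npm channel

# Constructed sample: package.json and package-lock.json (lockfileVersion 3) of a
# target project. Package names, versions and the internal registry are made up.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "target-app", "version": "1.0.0",
    "dependencies": {"left-pad-ish": "^1.0.0", "acme-sdk": "^2.0.0"},
    "devDependencies": {"mocha-ish": "^10.0.0"},
})
SAMPLE_LOCK = json.dumps({"name": "target-app", "lockfileVersion": 3, "packages": {
    "": {"dependencies": {"left-pad-ish": "^1.0.0", "acme-sdk": "^2.0.0"},
         "devDependencies": {"mocha-ish": "^10.0.0"}},
    "node_modules/left-pad-ish": {"version": "1.3.0", "dependencies": {"strip-ish": "^1.0.0"},
        "resolved": OFFICIAL_REGISTRY + "left-pad-ish/-/left-pad-ish-1.3.0.tgz"},
    "node_modules/strip-ish": {"version": "1.0.1",
        "resolved": OFFICIAL_REGISTRY + "strip-ish/-/strip-ish-1.0.1.tgz"},
    "node_modules/acme-sdk": {"version": "2.1.0", "dependencies": {"strip-ish": "^2.0.0"},
        "resolved": "https://npm.internal.example/acme-sdk/-/acme-sdk-2.1.0.tgz"},
    # acme-sdk needs another strip-ish major, so npm nests its own copy under it
    "node_modules/acme-sdk/node_modules/strip-ish": {"version": "2.0.0",
        "resolved": "https://npm.internal.example/strip-ish/-/strip-ish-2.0.0.tgz"},
    "node_modules/mocha-ish": {"version": "10.2.0", "dev": True,
        "resolved": OFFICIAL_REGISTRY + "mocha-ish/-/mocha-ish-10.2.0.tgz"},
}})


def locate(packages: Dict[str, dict], from_path: str, name: str) -> Optional[str]:
    """Node-style lookup: the nearest node_modules/<name> at or above from_path."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        cut = base.rfind("/node_modules/")          # climb one nesting level
        base = base[:cut] if cut >= 0 else ""


def build_tree(package_json: str, lock_json: str, include_dev: bool = False) -> Dict[str, object]:
    """Direct dependencies come from package.json, every indirect component and
    its exact version from the lock file. Each component is keyed by install
    path and carries its position in the dependency tree and whether it was
    resolved from the official registry. A name package.json declares but the
    lock file lacks is reported as missing: a stale lock file cannot be trusted
    for a complete inventory."""
    pkg = json.loads(package_json)
    packages = json.loads(lock_json)["packages"]
    direct = dict(pkg.get("dependencies", {}))
    if include_dev:
        direct.update(pkg.get("devDependencies", {}))
    components: Dict[str, dict] = {}
    missing: List[str] = []

    def walk(from_path: str, name: str, position: str) -> None:
        path = locate(packages, from_path, name)
        if path is None:
            missing.append(position)
            return
        if path in components:                      # shared dependency: keep first position
            return
        entry = packages[path]
        resolved = entry.get("resolved", "")
        components[path] = {
            "name": name, "version": entry.get("version"), "position": position,
            "resolved": resolved, "dev": bool(entry.get("dev", False)),
            "official": resolved.startswith(OFFICIAL_REGISTRY),
        }
        for child in entry.get("dependencies", {}):
            walk(path, child, f"{position} > {child}")

    for name in direct:
        walk("", name, name)
    return {"direct": sorted(direct), "components": components, "missing": missing}


def demo(include_dev: bool = False) -> Dict[str, object]:
    """Build the tree for the constructed project."""
    return build_tree(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK, include_dev)


if __name__ == "__main__":
    for path, info in demo()["components"].items():
        channel = "official" if info["official"] else "non-official"
        print(f"{info['position']:<26} {info['name']}@{info['version']}  [{channel}]  {path}")
```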
According to some embodiments of the present disclosure, a dependent component information acquisition apparatus is also provided; in particular, the apparatus may be a computing device. FIG. 2 illustrates a block diagram of a computing device 200 of the above-described embodiments, which may be used to implement some embodiments of the present disclosure. As shown in FIG. 2, the computing device 200 includes a Central Processing Unit (CPU) 201 capable of performing various appropriate operations and processes according to computer program instructions stored in a Read Only Memory (ROM) 202 or loaded from a storage unit 208 into a Random Access Memory (RAM) 203; the RAM 203 may also store the various program code and data required for the operation of the computing device 200. The CPU 201, ROM 202 and RAM 203 are connected to each other via a bus 204, and an input/output (I/O) interface 205 is also connected to the bus 204. Some components of the computing device 200 are accessed through the I/O interface 205, including: an input unit 206 such as a keyboard and mouse; an output unit 207 such as a display; a storage unit 208 such as a magnetic disk, an optical disk or a Solid State Disk (SSD); and a communication unit 209 such as a network card or modem. The communication unit 209 enables the computing device 200 to exchange information and data with other devices over a computer network. The CPU 201 is capable of executing the various methods and processes described in the above embodiments, such as the process 100. In some embodiments, the process 100 may be implemented as a computer software program embodied on a computer-readable medium such as the storage unit 208. In some embodiments, part or all of the computer program is loaded or installed into the computing device 200. When loaded into the RAM 203 and executed by the CPU 201, the computer program can perform some or all of the operations of the process 100.
The functions described above may all be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: a Field Programmable Gate Array (FPGA), an Application Specific Integrated Circuit (ASIC), an Application Specific Standard Product (ASSP), a System on a Chip (SOC), a Complex Programmable Logic Device (CPLD), and the like.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. This program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program code, when executed by the processor or controller, causes the functions/acts specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine, or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. Under certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limitations on the scope of the disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single implementation. Conversely, various features that are described in the context of a single implementation can also be implemented in multiple implementations separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims (10)

1. A dependent component information acquisition method, the method comprising:
acquiring a dependency configuration file of a target software project;
parsing the dependency configuration file to obtain the direct dependent component information recorded in it;
acquiring, according to the direct dependent component information, the dependency configuration file of each direct dependent component from a local repository, a private-server repository or an official public repository, and acquiring the dependency configuration files of the indirect dependent components of the target software project layer by layer according to those dependency configuration files; or directly acquiring a dependency tree lock file of the target software project;
acquiring component information of all indirect dependent components according to the dependency configuration files of the direct dependent components and the indirect dependent components, or according to the direct dependent component information and the dependency tree lock file;
and displaying the component information of the direct dependent components and the indirect dependent components.
2. The method of claim 1, wherein
the direct dependent components comprise self-developed components and commercial third-party components.
3. The method of claim 2, wherein
the indirect dependent components corresponding to a direct dependent component that is a self-developed component or a commercial third-party component comprise self-developed components and commercial third-party components.
4. The method of claim 1, wherein
if at least two dependency configuration files belonging to the target software project exist in the target software project, the direct dependent component information of each dependency configuration file is acquired separately, and the component information of the corresponding indirect dependent components is acquired separately for each.
5. The method of claim 4, wherein
the dependency configuration files respectively correspond to different package managers;
the indirect dependent component information is obtained by simulating the process by which the corresponding package manager obtains the dependency configuration files of the indirect dependent components,
or by acquiring the corresponding project dependency tree lock file and deriving the indirect dependent component information from that project dependency tree lock file and the corresponding direct dependent component information.
6. The method of claim 1, wherein
the component information includes: component name, component version, component type.
7. The method of claim 1, wherein
the acquisition of the dependent component information comprises the following step: acquiring a dependency tree of the components of the target software project;
the dependency tree acquisition process comprises: recording the reference relations among the direct dependent components and the indirect dependent components and generating a component dependency tree of the target software project according to those reference relations and the component information of the direct dependent components and the indirect dependent components,
or traversing the dependency tree lock file of the target software project and outputting the exact component dependency tree of the target software project according to the direct dependent component information and the traversal.
8. The method of claim 7, wherein
the component information comprises the position of each direct dependent component or indirect dependent component in the component dependency tree;
and/or the direct dependent components and indirect dependent components are displayed in the component dependency tree.
9. A dependent component information acquisition apparatus, characterized in that the apparatus comprises:
at least one processor, a memory coupled to the at least one processor, and a computer program stored in the memory;
wherein the processor executes the computer program so as to carry out the dependent component information acquisition method according to any one of claims 1 to 8.
10. A computer-readable storage medium, characterized in that
the medium has stored thereon computer instructions relating to the analysis of software components;
the computer instructions, when executed by a computer processor, carry out the dependent component information acquisition method of any one of claims 1 to 8.
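The lock-file branch of claims 1 and 7 (direct components from the manifest, indirect components and their reference relations from the lock file, component type as in claim 6, tree position as in claim 8), as an added example that is not the patent's or the applicant's code. It assumes a simplified lockfile keyed by `name@version` and a constructed `@acme/` scope convention to tell self-developed components from third-party ones; both are illustrative assumptions.

```python
# Added example (not the patent's code): the lock-file branch of claims 1 and 7.
# Assumed: a simplified lockfile keyed "name@version", and a constructed "@acme/"
# scope convention marking self-developed (in-house) components.
MANIFEST = {"dependencies": {"@acme/auth": "^1.2.0", "left-pad": "^1.3.0"}}
LOCKFILE = {  # constructed sample lock data
    "@acme/auth@1.2.3": {"deps": ["jsonwebtoken@8.5.1", "@acme/log@0.4.0"]},
    "@acme/log@0.4.0": {"deps": []},
    "jsonwebtoken@8.5.1": {"deps": ["lodash@4.17.21"]},
    "lodash@4.17.21": {"deps": []},
    "left-pad@1.3.0": {"deps": []},
}
IN_HOUSE_SCOPE = "@acme/"

def classify(name):
    """Component type (claim 6): self-developed vs. commercial third-party."""
    return "self-developed" if name.startswith(IN_HOUSE_SCOPE) else "third-party"

def resolve_direct(manifest, lockfile):
    """Map direct dependencies to locked 'name@version' keys; a direct dependency
    absent from the lockfile means manifest and lockfile are out of sync."""
    locked = {key.rsplit("@", 1)[0]: key for key in lockfile}
    missing = [n for n in manifest["dependencies"] if n not in locked]
    if missing:
        raise ValueError(f"direct dependencies not in lockfile: {missing}")
    return [locked[n] for n in manifest["dependencies"]]

def build_tree(manifest, lockfile):
    """Walk the lockfile from the direct components layer by layer, recording
    reference relations (edges) and each component's positions in the tree."""
    components, edges = {}, []
    def visit(key, path):
        if key in path:  # lockfiles can contain cycles; stop instead of looping
            return
        name, version = key.rsplit("@", 1)
        entry = components.setdefault(key, {"name": name, "version": version,
                  "type": classify(name), "direct": False, "positions": []})
        entry["direct"] = entry["direct"] or not path  # reached from the root
        entry["positions"].append(path + [key])
        for child in lockfile[key]["deps"]:  # KeyError here = inconsistent lock
            edges.append((key, child))
            visit(child, path + [key])
    for key in resolve_direct(manifest, lockfile):
        visit(key, [])
    return components, edges

def report(components):
    """Rows (name, version, type, direct/indirect, depth in tree), direct first."""
    rows = sorted(components.values(), key=lambda c: (not c["direct"], c["name"]))
    return [(c["name"], c["version"], c["type"], "direct" if c["direct"] else
             "indirect", min(len(p) for p in c["positions"]) - 1) for c in rows]
```

A component reachable along several paths keeps every path in `positions`, which is what lets a reviewer see which direct dependency pulled a flagged indirect component in.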

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210944206.4A CN115016831A (en) 2022-08-08 2022-08-08 Dependent component information acquisition method and device and storage medium

Publications (1)

Publication Number Publication Date
CN115016831A true CN115016831A (en) 2022-09-06

Family

ID=83066221

Country Status (1)

Country Link
CN (1) CN115016831A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115543410A (en) * 2022-11-29 2022-12-30 深圳开源互联网安全技术有限公司 Component dependency relationship analysis method, device and medium
CN117667080A (en) * 2023-12-15 2024-03-08 北京安普诺信息技术有限公司 Method, device, equipment and medium for determining SCA component dependency information

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107766036A (en) * 2017-10-13 2018-03-06 深圳市金证科技股份有限公司 A kind of construction method of module, construction device and terminal device
US20180373525A1 (en) * 2017-06-27 2018-12-27 Red Hat, Inc. Constructing build environments for software
CN112711438A (en) * 2021-01-13 2021-04-27 苏州棱镜七彩信息科技有限公司 Dependent component information extraction method, dependent component information extraction device, and computer-readable storage medium
CN113065137A (en) * 2021-03-31 2021-07-02 深圳开源互联网安全技术有限公司 Method for detecting vulnerability of source component in PHP project

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220906