CN115543838A - Code scanning rule processing method and device, storage medium and electronic equipment - Google Patents


Info

Publication number: CN115543838A
Authority: CN (China)
Prior art keywords: plug, deployed, rule, scanning, target
Legal status: Pending
Application number: CN202211311469.8A
Other languages: Chinese (zh)
Inventors: 欧建斌, 李学优, 何韶兴
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F11/00 Error detection; Error correction; Monitoring
            • G06F11/36 Preventing errors by testing or debugging software
              • G06F11/3604 Software analysis for verifying properties of programs
                • G06F11/3616 Software analysis for verifying properties of programs using software metrics
              • G06F11/3668 Software testing
                • G06F11/3672 Test management
                  • G06F11/3688 Test management for test execution, e.g. scheduling of test suites
          • G06F8/00 Arrangements for software engineering
            • G06F8/40 Transformation of program code
              • G06F8/41 Compilation
                • G06F8/44 Encoding
                  • G06F8/443 Optimisation
                    • G06F8/4434 Reducing the memory space required by the program code
                      • G06F8/4435 Detection or removal of dead or redundant code
                  • G06F8/447 Target code generation
            • G06F8/60 Software deployment


Abstract

The invention discloses a method and a device for processing a code scanning rule, a storage medium and electronic equipment, and relates to the technical field of information security. The method comprises the following steps: acquiring the plug-in source code of a plug-in to be deployed from a source code server, and compiling the plug-in source code to obtain a plug-in package of the plug-in to be deployed; analyzing the plug-in package to obtain a plug-in package analysis file, and performing a normative check on the plug-in package analysis file through a rule server; performing anomaly detection on a plurality of scanning rules in the plug-in package analysis file to obtain a plug-in anomaly detection result, and rejecting anomalous rules in the plug-in source code according to the plug-in anomaly detection result to obtain the target plug-in source code; and recompiling the target plug-in source code to obtain the target plug-in, and deploying the target plug-in to the target server. The invention solves the technical problem in the related technology that, when plug-ins containing a large number of scanning rules are deployed to a server through a plurality of manual operation steps, repeated rules cannot be found in time and plug-in conflicts are generated after the plug-ins are deployed.

Description

Code scanning rule processing method and device, storage medium and electronic equipment
Technical Field
The invention relates to the technical field of information security, in particular to a method and a device for processing a code scanning rule, a storage medium and electronic equipment.
Background
A user customizes a development rule on the basis of SonarQube (a code scanning tool) and packages the rule into a plug-in that is deployed to a SonarQube server for scanning. If the scanning rule covers a plurality of applications, code languages and code styles, a plurality of people need to take part in developing the rule together to form a personalized scanning rule. Scanning rule deployment in the related technology has the following problems:
(I) When the existing scheme deploys the rules, multiple steps have to be performed manually; automatic packaging cannot be achieved, errors are prone to occur, and efficiency is low.
(II) If the plug-in deployment involves a very large number of code scanning rules, rules are easily repeated, which causes unpredictable plug-in conflicts after the plug-ins are deployed.
(III) If a problem is found only after the scanning rule plug-in has been deployed, it cannot be solved quickly; because the related technology requires manual deployment, the problem is also solved manually, so the cost of solving it is high.
(IV) The scanning rules cannot be managed uniformly and the state of the rules cannot be known accurately, which makes the scanning rule plug-in difficult to deploy.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the invention provides a method and a device for processing a code scanning rule, a storage medium and electronic equipment, which at least solve the technical problem that plug-in conflicts are generated after plug-in deployment because repeated rules cannot be found in time when plug-ins containing a large number of scanning rules are deployed to a server through multiple steps of manual operation in the related technology.
According to an aspect of the embodiments of the present invention, there is provided a method for processing a code scanning rule, including: acquiring the plug-in source code of a plug-in to be deployed from a source code server, and compiling the plug-in source code to obtain a plug-in package of the plug-in to be deployed, wherein the plug-in to be deployed is used for scanning defects and vulnerabilities of a program code, and the plug-in comprises a plurality of scanning rules for scanning the program code; analyzing the plug-in package to obtain a plug-in package analysis file, and performing a normative check on the plug-in package analysis file through a rule server; under the condition that the plug-in package analysis file passes the normative check, performing anomaly detection on a plurality of scanning rules in the plug-in package analysis file to obtain a plug-in anomaly detection result, and eliminating anomalous rules in the plug-in source code according to the plug-in anomaly detection result to obtain the target plug-in source code; and recompiling the target plug-in source code to obtain a target plug-in, and deploying the target plug-in to a target server.
Further, after obtaining the plug-in source code of the plug-in to be deployed from the source code server and compiling the plug-in source code to obtain the plug-in package of the plug-in to be deployed, the method further includes: determining the number of the plug-ins to be deployed in the plug-in package; and under the condition that a plurality of plug-ins to be deployed exist in the plug-ins to be deployed, analyzing the file according to the plug-in package, and performing conflict check on the plurality of plug-ins to be deployed.
Further, when a plurality of plug-ins to be deployed exist in the plug-ins to be deployed, performing a conflict check on the plurality of plug-ins to be deployed according to the plug-in package analysis file includes: according to the plug-in package analysis file, detecting repeated plug-ins and repeated scanning rules in the plug-ins to be deployed; under the condition that repeated plug-ins exist in the plurality of plug-ins to be deployed, rejecting the repeated plug-ins to be deployed according to the plug-in submission time of the repeated plug-ins; and under the condition that a repeated scanning rule exists in the plurality of plug-ins to be deployed, carrying out invalidation processing on the repeated scanning rule code corresponding to the repeated scanning rule according to the submission time of the plug-in to be deployed to which the repeated scanning rule belongs.
Further, the normative check of the plug-in package analysis file through a rule server includes: reading a plug-in specification convention in the rule server and maintaining record information for maintaining the plug-in to be deployed; performing first normative check on the plug-in package analysis file according to the plug-in specification convention, and determining whether a scanning rule in the plug-in to be deployed conforms to the plug-in specification convention to obtain a first normative check result; performing second normative check on the plug-in package analysis file according to a first rule list in the maintenance record information to obtain a second normative check result, wherein the first rule list is used for recording scanning rule data of the plug-ins which are successfully deployed in the target server; and determining whether the plug-in package analysis file passes the normative check or not according to the first normative check result and the second normative check result.
Further, performing a second normative check on the plug-in package analysis file according to the first rule list in the maintenance record information, including: comparing a second rule list of the plug-in package analysis file with the first rule list, determining a newly added rule of the second rule list compared with the first rule list, and recording the newly added rule in the rule server, wherein the newly added rule is the newly added rule of the plug-in to be deployed compared with a plug-in version successfully deployed on the target server on the plug-in to be deployed; judging whether the name of the newly added rule exists in other deployed plug-ins or not according to the rule server; and under the condition that the name of the newly added rule exists in other deployed plug-ins, recording the newly added rule with repeated names in the rule server, and sending notification information to a target object.
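The conflict check (repeated plug-ins and repeated rules, resolved by submission time) and the second normative check (new rules compared with the rule server's list of deployed rules, with name clashes reported) described above, as an added example that is not part of the patent or any ICBC code. The manifests, the deployed rule list and the tie-break choices (the newest submission of a repeated plug-in wins; a repeated rule stays with the earliest-submitted plug-in) are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class PluginManifest:
    """Attributes read from a parsed plug-in package (constructed stand-in for the
    plug-in package analysis file); `rules` holds the plug-in's rule keys."""
    plugin_key: str
    version: str
    submitted_at: datetime
    rules: tuple


# "First rule list" held by the rule server: rule keys of plug-ins already deployed
# on the target server (constructed sample data).
DEPLOYED_RULES = {
    "java-custom": {"NoSystemExit", "NoHardcodedPassword"},
    "py-custom": {"NoEvalCall"},
}

# A deployment batch: the same plug-in submitted twice, plus a second plug-in that
# repeats a rule key (constructed sample data).
SAMPLE_BATCH = (
    PluginManifest("java-custom", "1.1.0", datetime(2022, 10, 1),
                   ("NoSystemExit", "NoHardcodedPassword", "NoEvalCall")),
    PluginManifest("java-custom", "1.0.0", datetime(2022, 9, 1), ("NoSystemExit",)),
    PluginManifest("js-custom", "0.1.0", datetime(2022, 10, 5),
                   ("NoEvalCall", "NoDocumentWrite")),
)


def dedupe_plugins(manifests):
    """Conflict check, part 1: when one plug-in key appears several times, keep the
    most recently submitted copy (assumption) and reject the others."""
    latest, rejected = {}, []
    for m in manifests:
        cur = latest.get(m.plugin_key)
        if cur is None:
            latest[m.plugin_key] = m
        elif m.submitted_at > cur.submitted_at:
            rejected.append(cur)
            latest[m.plugin_key] = m
        else:
            rejected.append(m)
    return list(latest.values()), rejected


def invalidate_duplicate_rules(manifests):
    """Conflict check, part 2: a rule key repeated across plug-ins of the batch stays
    active only in the earliest-submitted plug-in (assumption); later copies are
    invalidated, i.e. dropped from that plug-in's rule list."""
    owner, invalidated, kept = {}, [], []
    for m in sorted(manifests, key=lambda x: x.submitted_at):
        active = []
        for r in m.rules:
            if r in owner:
                invalidated.append((m.plugin_key, r, owner[r]))
            else:
                owner[r] = m.plugin_key
                active.append(r)
        kept.append(PluginManifest(m.plugin_key, m.version, m.submitted_at, tuple(active)))
    return kept, invalidated


def second_normative_check(manifest, deployed_rules):
    """Compare the plug-in's rule list (second list) with the deployed rules (first
    list): return the newly added rules and, for each, the other deployed plug-ins
    that already use that rule name."""
    previous = deployed_rules.get(manifest.plugin_key, set())
    new_rules = [r for r in manifest.rules if r not in previous]
    clashes = [(r, other) for r in new_rules
               for other, other_rules in deployed_rules.items()
               if other != manifest.plugin_key and r in other_rules]
    return new_rules, clashes


def run_rule_server_checks(batch=SAMPLE_BATCH, deployed_rules=DEPLOYED_RULES):
    """Full check of one batch; `notifications` are the messages that would be sent
    to the target object for rule names that clash with other deployed plug-ins."""
    unique, rejected = dedupe_plugins(batch)
    cleaned, invalidated = invalidate_duplicate_rules(unique)
    new_rules, notifications = {}, []
    for m in cleaned:
        added, clashes = second_normative_check(m, deployed_rules)
        new_rules[m.plugin_key] = added
        notifications += [f"{m.plugin_key}: rule '{r}' already exists in deployed "
                          f"plug-in '{other}'" for r, other in clashes]
    return {
        "rejected_plugins": [(m.plugin_key, m.version) for m in rejected],
        "invalidated_rules": invalidated,
        "new_rules": new_rules,
        "notifications": notifications,
    }


if __name__ == "__main__":
    for key, value in run_rule_server_checks().items():
        print(key, value)
```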
Further, performing anomaly detection on the plurality of scanning rules in the plug-in package analysis file to obtain a plug-in anomaly detection result, including: reading a target program type path in a second rule list of the plug-in package analysis file; searching a unit test script in the plug-in package analysis file according to the target program type path, wherein the unit test script is used for performing unit test on the scanning rule in the plug-in to be deployed; performing unit test on the scanning rule in the plug-in package analysis file according to a positive test case and a negative test case in the unit test script to obtain a first anomaly detection result; code scanning is carried out on the plug-in source codes of the plug-in package analysis file, and code anomaly detection is carried out on the scanning rules in the plug-ins to be deployed to obtain a second anomaly detection result; and obtaining a plug-in abnormity detection result according to the first abnormity detection result and the second abnormity detection result.
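The unit-test part of the anomaly detection described above (each scanning rule run against the positive and negative cases of its unit test script, with failing rules rejected from the target plug-in), as an added example that is not part of the patent or any ICBC code. A real SonarQube rule is a Java class; here each rule is modelled as a regular expression over a code snippet, and the rules and test cases are constructed for the example. The second, code-scan based detection result is not modelled.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRule:
    """A scanning rule from the plug-in package analysis file together with the
    positive and negative cases of its unit test script (constructed stand-in)."""
    key: str
    pattern: str
    positives: tuple  # snippets the rule must flag
    negatives: tuple  # snippets the rule must leave alone


SAMPLE_RULES = (
    ScanRule("NoSystemExit", r"\bSystem\.exit\s*\(",
             positives=("System.exit(1);",),
             negatives=("process.exit(1);", "// System exit handled elsewhere")),
    ScanRule("NoHardcodedPassword", r'password\s*=\s*"[^"]+"',
             positives=('String password = "hunter2";',),
             negatives=('String password = readSecret();',)),
    # Anomalous on purpose: the pattern is too broad and flags ordinary identifiers.
    ScanRule("NoEvalCall", r"eval",
             positives=("eval(userInput)",),
             negatives=("boolean medieval = true;",)),
    # Anomalous on purpose: the pattern is not a valid regular expression.
    ScanRule("NoUnclosedGroup", r"(foo",
             positives=("foo",), negatives=()),
)


def unit_test_rule(rule):
    """Run the rule's positive and negative cases; return the list of failures
    (empty means the rule passed). A rule that cannot even be loaded is recorded
    as a failure instead of aborting the whole batch."""
    try:
        compiled = re.compile(rule.pattern)
    except re.error as exc:
        return [f"rule does not load: {exc}"]
    failures = []
    for snippet in rule.positives:
        if compiled.search(snippet) is None:
            failures.append(f"positive case not flagged: {snippet!r}")
    for snippet in rule.negatives:
        if compiled.search(snippet) is not None:
            failures.append(f"negative case flagged: {snippet!r}")
    return failures


def detect_anomalous_rules(rules):
    """First anomaly detection result: rule key -> failures, for failing rules only."""
    result = {}
    for rule in rules:
        failures = unit_test_rule(rule)
        if failures:
            result[rule.key] = failures
    return result


def build_target_rules(rules):
    """Reject anomalous rules; return (rules kept for the target plug-in, report)."""
    anomalous = detect_anomalous_rules(rules)
    kept = [r for r in rules if r.key not in anomalous]
    return kept, anomalous


if __name__ == "__main__":
    kept, report = build_target_rules(SAMPLE_RULES)
    print("kept:", [r.key for r in kept])
    for key, failures in report.items():
        print("rejected", key, failures)
```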
Further, before deploying the target plug-in to the target server, the method includes: deploying the target plug-in to a test server in a test environment, and acquiring a first test item and a second test item for testing the target plug-in, wherein the first test item is used for performing regression testing on the target plug-in, the second test item is used for performing performance pressure testing on the target plug-in, and a test code segment in a unit test script is added in the first test item; performing regression testing on the target plug-in through the first testing project; and performing performance pressure test on the test server by adopting an asynchronous triggering mode through the second test item.
Further, after the target plug-in is deployed to the target server, the method further comprises: recording the abnormal condition of the target server in the process of scanning the program code through the target plug-in; counting the abnormal probability according to the abnormal condition, and judging whether the abnormal probability reaches a preset abnormal probability threshold value; and under the condition that the abnormal probability reaches the preset abnormal probability threshold value, performing offline processing on the target plug-in the target server, and sending notification information to a target object.
According to another aspect of the embodiments of the present invention, there is also provided a device for processing a code scanning rule, including: a compiling unit, used for acquiring the plug-in source code of a plug-in to be deployed from a source code server and compiling the plug-in source code to obtain a plug-in package of the plug-in to be deployed, wherein the plug-in to be deployed is used for scanning defects and vulnerabilities of a program code, and the plug-in comprises a plurality of scanning rules for scanning the program code; a first processing unit, used for analyzing the plug-in package to obtain a plug-in package analysis file and performing a normative check on the plug-in package analysis file through a rule server; a second processing unit, used for carrying out anomaly detection on a plurality of scanning rules in the plug-in package analysis file under the condition that the plug-in package analysis file passes the normative check to obtain a plug-in anomaly detection result, and eliminating the anomalous rules in the plug-in source code according to the plug-in anomaly detection result to obtain the target plug-in source code; and a third processing unit, used for recompiling the target plug-in source code to obtain the target plug-in and deploying the target plug-in to the target server.
Further, the processing apparatus for code scanning rules further includes a determining unit, configured to determine the number of the plug-ins to be deployed in the plug-in package after obtaining the plug-in source code of the plug-ins to be deployed from the source code server and compiling the plug-in source code to obtain the plug-in package of the plug-ins to be deployed; and the checking unit is used for performing conflict checking on the plurality of plug-ins to be deployed according to the plug-in package analysis file under the condition that the plurality of plug-ins to be deployed exist in the plug-ins to be deployed.
Further, the checking unit includes: a detection subunit, used for detecting repeated plug-ins and repeated scanning rules in the plug-ins to be deployed according to the plug-in package analysis file; a removing subunit, used for removing the repeated plug-ins to be deployed according to the plug-in submission time of the repeated plug-ins under the condition that repeated plug-ins exist in the plurality of plug-ins to be deployed; and a first processing subunit, configured to, when a repeated scanning rule exists in the plurality of plug-ins to be deployed, perform invalidation processing on the repeated scanning rule code corresponding to the repeated scanning rule according to the submission time of the plug-in to be deployed to which the repeated scanning rule belongs.
Further, the first processing unit includes: the first reading subunit is used for reading the plug-in specification convention in the rule server and maintaining the maintenance record information of the plug-in to be deployed; the second processing subunit is configured to perform a first normative check on the plug-in package analysis file according to the plug-in specification convention, determine whether a scanning rule in the plug-in to be deployed conforms to the plug-in specification convention, and obtain a first normative check result; a third processing subunit, configured to perform a second normative check on the plug-in package analysis file according to the first rule list in the maintenance record information, to obtain a second normative check result, where the first rule list is used to record scan rule data of a plug-in that has been successfully deployed in the target server; and the determining subunit is used for determining whether the plug-in package analysis file passes the normative check or not according to the first normative check result and the second normative check result.
Further, the third processing subunit includes: the determining module is used for comparing a second rule list of the plug-in package analysis file with the first rule list, determining a newly added rule of the second rule list compared with the first rule list, and recording the newly added rule in the rule server, wherein the newly added rule is the newly added rule of the plug-in to be deployed compared with a plug-in version successfully deployed on the target server on the plug-in to be deployed; the judging module is used for judging whether the name of the newly added rule exists in other deployed plug-ins or not according to the rule server; and the processing module is used for recording the newly added rule with repeated naming in the rule server and sending notification information to the target object under the condition that the naming of the newly added rule exists in other deployed plug-ins.
Further, the second processing unit includes: the second reading subunit is used for reading a target program type path in a second rule list of the plug-in package analysis file; a searching subunit, configured to search, according to the target program class path, a unit test script in the plug-in package analysis file, where the unit test script is used to perform a unit test on a scanning rule in the plug-in to be deployed; the test subunit is used for carrying out unit test on the scanning rule in the plug-in package analysis file according to the positive test case and the negative test case in the unit test script to obtain a first abnormal detection result; the scanning subunit is used for performing code scanning on the plug-in source codes of the plug-in package analysis file and performing code anomaly detection on the scanning rules in the plug-in to be deployed to obtain a second anomaly detection result; and the fourth processing subunit is configured to obtain a plug-in anomaly detection result according to the first anomaly detection result and the second anomaly detection result.
Further, the processing device of the code scanning rule further comprises: the system comprises a deployment unit and a test unit, wherein the deployment unit is used for deploying the target plug-in to a test server in a test environment before deploying the target plug-in to the target server, and acquiring a first test item and a second test item for testing the target plug-in, the first test item is used for performing regression testing on the target plug-in, the second test item is used for performing performance pressure testing on the target plug-in, and a test code segment in a unit test script is added in the first test item; the first testing unit is used for performing regression testing on the target plug-in through the first testing item; and the second testing unit is used for performing performance pressure testing on the testing server in an asynchronous triggering mode through the second testing item.
Further, the processing device of the code scanning rule further comprises: the recording unit is used for recording the abnormal condition of the target server in the scanning process of the program code through the target plug-in after the target plug-in is deployed to the target server; the fourth processing unit is used for counting the abnormal probability according to the abnormal condition and judging whether the abnormal probability reaches a preset abnormal probability threshold value or not; and the fifth processing unit is used for performing offline processing on the target plug-in the target server and sending notification information to a target object under the condition that the abnormal probability reaches the preset abnormal probability threshold.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, including: a processor; and a memory for storing executable instructions for the processor; wherein the processor is configured to perform the method of processing the code scanning rule of any one of the above via execution of executable instructions.
According to another aspect of the embodiments of the present invention, there is further provided a computer-readable storage medium, where a computer program is stored, and when the computer program runs, an apparatus in which the computer-readable storage medium is located is controlled to execute the processing method of the code scanning rule in any one of the above.
The method comprises the steps of obtaining the plug-in source code of a plug-in to be deployed from a source code server and compiling the plug-in source code to obtain a plug-in package of the plug-in to be deployed, wherein the plug-in to be deployed is used for scanning defects and vulnerabilities of program code, and the plug-in comprises a plurality of scanning rules for scanning the program code; analyzing the plug-in package to obtain a plug-in package analysis file, and performing a normative check on the plug-in package analysis file through a rule server; under the condition that the plug-in package analysis file passes the normative check, carrying out anomaly detection on a plurality of scanning rules in the plug-in package analysis file to obtain a plug-in anomaly detection result, and rejecting the anomalous rules in the plug-in source code according to the plug-in anomaly detection result to obtain the target plug-in source code; and recompiling the target plug-in source code to obtain the target plug-in, and deploying the target plug-in to a target server. This solves the technical problem in the related technology that, when plug-ins containing a large number of scanning rules are deployed to a server through multiple manual operation steps, repeated rules cannot be found in time and plug-in conflicts are generated after the plug-ins are deployed.
In the invention, the plug-in source code of the plug-in to be deployed, acquired from the source code server, is compiled and analyzed to obtain the plug-in package analysis file, the file is checked by the rule server, and only the target plug-in that passes the normative check and the anomaly detection is deployed to the target server. This avoids deploying the plug-in by manually performing a plurality of deployment steps, which makes problems in the plug-in hard to detect, and achieves the technical effects of improving both the plug-in deployment efficiency and the efficiency of detecting plug-in problems.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention and do not constitute a limitation of the invention. In the drawings:
FIG. 1 is a flow diagram of an alternative method of processing code scanning rules in accordance with an embodiment of the present invention;
FIG. 2 is a schematic diagram of an alternative plugin specification convention for code scanning rules, according to an embodiment of the present invention;
FIG. 3 is a flowchart one of an alternative code scanning rule packing deployment according to an embodiment of the present invention;
FIG. 4 is a flowchart II of an alternative code scanning rule packing deployment according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of an alternative code scanning rule processing apparatus according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of an alternative electronic device according to an embodiment of the invention.
Detailed Description
In order to make those skilled in the art better understand the technical solutions of the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For convenience of description, some terms related to the present invention will be described below.
Code scanning: in software engineering, a scanning tool is used to scan the program source code of a software project to find potential problems existing in the code, such as security vulnerabilities or non-standard coding; the scanned object may be uncompiled source code or object code compiled from the source code.
It should be noted that the method and the apparatus for processing the code scanning rule in the present disclosure may be used in the field of information security technology to scan codes and check for problems existing in the codes, and may also be used in any field other than the field of information security technology to scan codes and check for problems existing in the codes, and the application field of the processing of the code scanning rule in the present disclosure is not limited.
It should be noted that relevant information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for presentation, analyzed data, etc.) referred to in the present disclosure are information and data that are authorized by the user or sufficiently authorized by various parties. For example, an interface is provided between the system and the relevant user or organization, before obtaining the relevant information, an obtaining request needs to be sent to the user or organization through the interface, and after receiving the consent information fed back by the user or organization, the relevant information is obtained.
The invention can be applied to various software products, control systems and program codes of clients (including but not limited to mobile clients, PCs and the like) of various financial institutions, which are schematically illustrated by taking the software products as examples, and can ensure the stable operation of software programs for realizing the service contents (including but not limited to the service functions of transferring accounts, managing money, fund, paying fees, checking accounts, advertising, recommending and the like) of the financial institutions by scanning the program codes of the software products installed on the mobile clients.
The invention is further illustrated below with reference to examples.
Example one
In accordance with an embodiment of the present invention, an alternative embodiment of a method of processing code scanning rules is provided. It should be noted that the steps illustrated in the flowchart of the figure may be performed in a computer system, such as by a set of computer-executable instructions, and that, although a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different from that illustrated herein.
Fig. 1 is a flowchart of an alternative processing method of a code scanning rule according to an embodiment of the present invention, as shown in fig. 1, the method includes the following steps:
Step S101, obtaining the plug-in source code of a plug-in to be deployed from a source code server, and compiling the plug-in source code to obtain a plug-in package of the plug-in to be deployed, wherein the plug-in to be deployed is used for scanning defects and bugs of a program code, and the plug-in comprises a plurality of scanning rules for scanning the program code.
In this embodiment, in order to improve the efficiency of compiling and packaging the scanning rule source code, automatic packaging can be realized through the build script of a pipeline: the source code is packaged into plug-ins to be deployed on a target server, the task flow is started on demand, manual packaging and deployment by plug-in developers is replaced, and a single plug-in can also be checked. The plug-in source code can be downloaded from the source code server according to the version repository information of the plug-in project, with a full download the first time and incremental downloads afterwards. The version repository information of each plug-in can be registered and stored before the plug-in is developed, and the plug-in source code of the plug-in to be deployed is then downloaded from the source code server.
Step S102: parse the plug-in package to obtain a plug-in package analysis file, and perform a normative check on the plug-in package analysis file through the rule server.
The content of the plug-in package is parsed to obtain the plug-in package analysis file, and the internal attributes of the plug-in are read from it. The internal attributes can include the unique plug-in identifier, plug-in name, plug-in version, the SonarQube version supported by the plug-in, the plug-in developer, the plug-in entry class, the JDK (Java Development Kit) version the build depends on, and the like. Based on these attributes, a normative check is performed on the content of the analysis file against the plug-in specification convention recorded in the rule server, to determine whether the content meets the convention. The plug-in specification convention can include conventions on format, naming, IDs and the like for code scanning plug-ins, rule bases and rule information. When the check finds that a scanning rule or plug-in does not meet the convention, this is registered and notification information is sent.
Step S103: when the plug-in package analysis file passes the normative check, perform anomaly detection on the plurality of scanning rules in the plug-in package analysis file to obtain a plug-in anomaly detection result, and remove the anomalous rules from the plug-in source code according to the plug-in anomaly detection result to obtain the target plug-in source code.
When the plug-in package analysis file passes the normative check, anomaly detection can be performed on the plurality of scanning rules in it. The anomaly detection can be a detection process carried out through unit testing, anomalous code scanning and the like, and the anomalous rules in the plug-in source code of the plug-in to be deployed can be removed according to the plug-in anomaly detection result, so that the target plug-in source code is obtained.
Step S104: recompile the target plug-in source code to obtain the target plug-in, and deploy the target plug-in to the target server.
The target server may be a server on which scanning rule plug-ins are deployed. After the anomalous rules are removed from the plug-in source code of the plug-in to be deployed, the resulting target plug-in source code can be recompiled to obtain the target plug-in, and the target plug-in is deployed to the target server.
Through the above steps, the plug-in source code of the plug-in to be deployed is obtained from the source code server, compiled and parsed, the resulting plug-in package analysis file is checked by the rule server, and only target plug-ins that pass the normative check and the anomaly detection are deployed to the target server. This solves the problems in the related art that deploying plug-ins containing a large number of scanning rules through several manual steps makes plug-in problems hard to check, that duplicate rules cannot be found in time, and that plug-in conflicts arise after deployment, and achieves the technical effects of improving plug-in deployment efficiency and plug-in problem detection efficiency.
To avoid plug-in conflicts when a plurality of plug-ins are deployed at the same time, the method further comprises, after obtaining the plug-in source code of the plug-ins to be deployed from the source code server and compiling it to obtain the plug-in package of the plug-ins to be deployed: determining the number of plug-ins to be deployed in the plug-in package; and, when there are a plurality of plug-ins to be deployed, performing a conflict check on the plurality of plug-ins to be deployed according to the plug-in package analysis file.
The conflict check may be used to check whether there are duplicate plug-ins among the plurality of plug-ins to be deployed, and whether there are duplicate scanning rules between different plug-ins to be deployed.
When a plurality of plug-ins to be deployed are deployed to the target server at the same time, that is, when the plug-ins to be deployed include a plurality of plug-ins, there may be conflicts between different plug-ins or between rules in different plug-ins, so a check in advance is necessary. The naming convention for the plug-ins and rules may be agreed before the rules are developed. Each plug-in to be deployed is classified by programming language, and one plug-in contains rules for only one code language. When there are a plurality of plug-ins to be deployed, the acquired plug-in source code can include the source code repository information of the plurality of plug-ins; the repositories of the plug-ins are downloaded in full the first time and incrementally thereafter.
During compilation of the plug-in source code, a plurality of processes can be started to compile each plug-in's source code in parallel and to perform unit testing and code scanning. After the compiled target program is packaged into a plug-in package, the plug-in package is read and parsed to obtain the plug-in package analysis file, and the conflict check can then be performed on the plurality of plug-ins to be deployed, achieving the technical effect of improving the efficiency of finding plug-in problems during plug-in deployment.
To avoid duplicate plug-ins among the plurality of plug-ins and duplicate rules between plug-ins, in this embodiment the conflict check performed on the plurality of plug-ins to be deployed according to the plug-in package analysis file is further defined as follows: detect duplicate plug-ins and duplicate scanning rules among the plug-ins to be deployed according to the plug-in package analysis file; when duplicate plug-ins exist among the plurality of plug-ins to be deployed, reject the duplicate plug-in according to the submission time of the duplicate plug-ins; and when duplicate scanning rules exist among the plurality of plug-ins to be deployed, invalidate the scanning rule code corresponding to the duplicate scanning rules according to the submission time of the plug-ins to be deployed to which the duplicate scanning rules belong.
In this embodiment, after the compiled target program is packaged into a plug-in package, the plug-in package is read and parsed to obtain the plug-in package analysis file, and the conflict check can be performed on the plurality of plug-ins to be deployed to check whether any plug-in ID is repeated. If plug-in IDs (identification numbers) are repeated, the plug-in submitted later can be removed according to the submission times of the plug-ins, and the removal is recorded in the rule server. If duplicate rules exist between two plug-ins to be deployed, the implementation program files of the two rules or the submission times of the plug-ins can be compared, and the duplicate scanning rule code in the later-submitted plug-in is invalidated, or the implementation file of the duplicate scanning rule in the later-submitted plug-in is commented out; the modified plug-in source code can then be recompiled into a plug-in package. While modifying the files, the identified conflict can be noted in a comment, and the modified content is committed and pushed to the git (distributed version control system) plug-in repository, so that subsequent developers can see the plug-in's conflict situation more clearly, achieving the technical effect of reducing the conflict rate of plug-ins deployed to the target server.
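The conflict check described above, as an added example that is not part of the patent: a batch of plug-ins is reduced to the plug-in ID, submission time and rule list read from each package analysis file; a repeated ID keeps the earliest submission, a repeated rule key keeps the copy in the earlier-submitted plug-in, and the later implementation file is commented out with a note. The data shapes and sample batch are constructed for the example.

```python
"""Conflict check across a batch of plug-ins to be deployed.

Added example, not the patent's code. Each plug-in is reduced to the attributes
read from its package analysis file: plug-in ID, submission time (ISO 8601 text,
so string order is time order) and its rule list (rule key -> implementation file).
"""
from dataclasses import dataclass, field


@dataclass
class PluginInfo:
    plugin_id: str
    submit_time: str          # e.g. "2022-10-01T09:00:00"
    rules: dict               # rule key -> implementation class file


@dataclass
class ConflictReport:
    rejected_plugins: list = field(default_factory=list)   # (plugin_id, submit_time)
    invalidated_rules: list = field(default_factory=list)  # (plugin_id, rule_key, kept_in)


def check_conflicts(plugins):
    """Return (surviving plug-ins, report).

    A repeated plug-in ID keeps the earliest-submitted copy and rejects the later
    ones; a rule key present in two surviving plug-ins keeps the copy in the
    earlier-submitted plug-in and invalidates the later one. Both decisions are
    recorded so the rule server can store them and the owner can be notified.
    """
    report = ConflictReport()
    by_id = {}
    for p in sorted(plugins, key=lambda p: p.submit_time):
        if p.plugin_id in by_id:
            report.rejected_plugins.append((p.plugin_id, p.submit_time))
        else:
            by_id[p.plugin_id] = p

    owner = {}       # rule key -> plug-in ID that keeps it
    survivors = []
    for p in sorted(by_id.values(), key=lambda p: p.submit_time):
        kept = {}
        for key, impl in p.rules.items():
            if key in owner:
                report.invalidated_rules.append((p.plugin_id, key, owner[key]))
            else:
                owner[key] = p.plugin_id
                kept[key] = impl
        survivors.append(PluginInfo(p.plugin_id, p.submit_time, kept))
    return survivors, report


def annotate_invalidated(java_source, rule_key, kept_in):
    """Comment out a duplicated rule's implementation file, leaving a note that
    explains the conflict for later developers reading the git history."""
    note = f"// RULE INVALIDATED: '{rule_key}' duplicates a rule kept in plug-in '{kept_in}'"
    body = "\n".join("// " + line for line in java_source.splitlines())
    return note + "\n" + body + "\n"


def sample_batch():
    """Constructed batch: two copies of 'java-custom' plus a plug-in whose
    rule key clashes with one of them."""
    return [
        PluginInfo("java-custom", "2022-10-01T09:00:00",
                   {"java:ClassNameCheck": "ClassNameCheckRule.java",
                    "java:MagicNumberCheck": "MagicNumberCheckRule.java"}),
        PluginInfo("java-custom", "2022-10-02T11:00:00",
                   {"java:ClassNameCheck": "ClassNameCheckRule.java"}),
        PluginInfo("java-legacy", "2022-09-30T08:00:00",
                   {"java:MagicNumberCheck": "MagicNumberRule.java",
                    "java:LongMethodCheck": "LongMethodRule.java"}),
    ]


if __name__ == "__main__":
    survivors, report = check_conflicts(sample_batch())
    for p in survivors:
        print(p.plugin_id, sorted(p.rules))
    print("rejected:", report.rejected_plugins)
    print("invalidated:", report.invalidated_rules)
```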
In order to avoid the situation that the plug-ins in the plug-ins to be deployed do not meet the specification, in this embodiment, the following contents are further defined for performing the normative check on the plug-in package analysis file through the rule server: reading a plug-in specification convention in a rule server and maintenance record information for maintaining a plug-in to be deployed; performing first normative check on the plug-in package analysis file according to the plug-in specification convention, and determining whether a scanning rule in the plug-in to be deployed meets the plug-in specification convention to obtain a first normative check result; performing second normative check on the plug-in package analysis file according to a first rule list in the maintenance record information to obtain a second normative check result, wherein the first rule list is used for recording scanning rule data of the plug-ins which are successfully deployed in the target server; and determining whether the plug-in package analysis file passes the normative check or not according to the first normative check result and the second normative check result.
In this embodiment, in order to implement uniform management rule development, a git source code version management platform may be used to perform source code control, each developer uses a git source code version library when developing plug-ins, and each plug-in may correspond to one version library and open a source on the git platform. And the information such as the code scanning plug-in, the rule base, the rule information and the like is subjected to specification agreement, and the specification agreement can be registered in the rule server and maintained in the rule server.
The above-mentioned normative check may include a first normative check and a second normative check, where the first normative check may be used to check whether the plug-in complies with a plug-in specification convention, fig. 2 is a schematic diagram of a plug-in specification convention of an optional code scanning rule according to an embodiment of the present invention, the plug-in specification convention is as shown in fig. 2, whether a version of the plug-in to be deployed in the target server has been successfully deployed or has been successfully deployed in a higher version, and the second normative check may be used to check whether there are new scan rules and whether there is duplication of names of the new scan rules compared with a plug-in to be deployed in a previous version of the plug-in to be deployed.
The first normative check is that after the content of the plug-in package is analyzed to obtain a plug-in package analysis file, the internal attributes of the plug-in package analysis file are read, the internal attributes of the plug-in package can contain information such as a plug-in unique identifier, a plug-in name, a plug-in version, a SonarQube version supported by the plug-in, a plug-in developer, a plug-in entry class, a compiling dependency JDK version and the like, whether the plug-in specification convention is met or not is determined according to comparison between the internal attributes of the plug-in package and the plug-in specification convention, and the stored plug-in information can be read from the rule server and compared. Checking whether the plug-in ID is consistent with the medium (the plug-in ID of the deployed plug-in version), judging whether the plug-in version of the plug-in to be deployed is successfully deployed or not, if the plug-in version of the plug-in to be deployed is successfully deployed and the deployed version is higher than the current version, recording that the plug-in to be deployed is the updated version, and recording the updated version to a rule server to inform a plug-in person in charge.
The second normative check may check the plugin package analysis file according to the scanning rule data of the plugin which has been successfully deployed in the first rule list in the maintenance record information, check whether a new scanning rule exists compared with the plugin which has been deployed in the previous version of the plugin to be deployed, and check whether the naming of the new scanning rule is repeated.
According to the first normative inspection result and the second normative inspection result, whether the plug-in package analysis file passes through normative inspection or not is determined, the plug-in package is prevented from being manually disposed to be inspected, the inspection efficiency is low, the accuracy is poor, and the technical effects of improving the inspection efficiency and the accuracy of the plug-in package normative inspection are achieved.
In order to improve the accuracy of the checking result of the normative check on the plugin to be deployed, in this embodiment, the following contents are further defined to perform a second normative check on the plugin package analysis file according to the first rule list in the maintenance record information: comparing a second rule list of the plug-in package analysis file with a first rule list, determining a newly added rule of the second rule list compared with the first rule list, and recording the newly added rule in a rule server, wherein the newly added rule is the newly added rule of the plug-in to be deployed compared with a plug-in version successfully deployed on a target server on the plug-in to be deployed; judging whether the name of the newly added rule exists in other deployed plug-ins or not according to the rule server; and under the condition that the name of the newly added rule exists in other deployed plug-ins, recording the newly added rule with repeated names in the rule server, and sending notification information to the target object.
In this embodiment, a rule list (corresponding to the second rule list) in the plugin to be deployed may be searched according to the plugin entry class read from the plugin package parsing file, the rule list of the current plugin to be deployed and the rule list read from the rule server (corresponding to the first rule list) are compared, the rule list when the current plugin to be deployed is successfully deployed last time (last version) is compared (corresponding to the first rule list), and a newly added rule added in the version of the current plugin to be deployed is identified. And checking whether the name of the newly added rule in the current plug-in to be deployed exists in other plug-ins or not according to the data of other plug-ins already deployed recorded in the rule service, and if so, recording the name into the rule server and sending notification information to the target object. And the plug-in responsible person is informed, so that the technical effect of improving the accuracy of checking the plug-in problem of the plug-in to be deployed is realized.
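The first and second normative checks described above, as an added example that is not the patent's code: the first check compares the package's internal attributes with an assumed naming convention (the convention of fig. 2 is not reproduced; the ID and rule-name patterns here are hypothetical) and with the recorded deployed version of the same plug-in, and the second check derives the newly added rules from the first rule list and looks their names up in every other deployed plug-in. The rule server is modelled as a dict of constructed records.

```python
"""First and second normative checks of a plug-in package analysis file against
the rule server's records. Added example, not the patent's code.

Assumed convention (hypothetical; fig. 2 is not reproduced here): the plug-in ID
is '<language>-<name>' in lower case and a rule name is UpperCamelCase ending
in 'Check'. The rule server is modelled as a dict of successfully deployed plug-ins.
"""
import re

PLUGIN_ID_RE = re.compile(r"^[a-z]+-[a-z0-9]+$")
RULE_NAME_RE = re.compile(r"^[A-Z][A-Za-z0-9]*Check$")


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def first_normative_check(analysis, deployed):
    """Compare the package's internal attributes with the convention and with the
    recorded deployed version of the same plug-in ID.

    Returns (violations, version_state) where version_state is one of
    'new', 'already_deployed', 'deployed_version_higher' or 'upgrade'.
    """
    violations = []
    pid = analysis["id"]
    if not PLUGIN_ID_RE.match(pid):
        violations.append(("plugin_id", pid))
    for name in analysis["rules"]:
        if not RULE_NAME_RE.match(name):
            violations.append(("rule_name", name))
    for attr in ("name", "version", "sonar_version", "entry_class", "jdk_version"):
        if not analysis.get(attr):
            violations.append(("missing_attribute", attr))

    record = deployed.get(pid)
    if record is None:
        state = "new"
    else:
        current, recorded = parse_version(analysis["version"]), parse_version(record["version"])
        if current == recorded:
            state = "already_deployed"
        elif current < recorded:
            state = "deployed_version_higher"   # recorded in the rule server, owner notified
        else:
            state = "upgrade"
    return violations, state


def second_normative_check(analysis, deployed):
    """Identify rules new in this version (second rule list minus first rule list)
    and look their names up in every other deployed plug-in.

    Returns (new_rules, collisions) with collisions as (rule_name, other_plugin_id).
    """
    pid = analysis["id"]
    first_list = set(deployed.get(pid, {}).get("rules", []))
    new_rules = [r for r in analysis["rules"] if r not in first_list]
    collisions = [(r, other) for r in new_rules
                  for other, rec in deployed.items()
                  if other != pid and r in rec["rules"]]
    return new_rules, collisions


def normative_check(analysis, deployed):
    """Combine both checks into the overall normative check result."""
    violations, state = first_normative_check(analysis, deployed)
    new_rules, collisions = second_normative_check(analysis, deployed)
    return {
        "passed": not violations and not collisions,
        "notify_owner": state == "deployed_version_higher" or bool(collisions),
        "violations": violations,
        "version_state": state,
        "new_rules": new_rules,       # to be recorded in the rule server
        "collisions": collisions,     # duplicated names, recorded and notified
    }


# Constructed rule server records and a constructed package analysis file.
DEPLOYED = {
    "java-custom": {"version": "1.2.0", "rules": ["ClassNameCheck", "MagicNumberCheck"]},
    "java-security": {"version": "2.0.1", "rules": ["HardcodedSecretCheck"]},
}
ANALYSIS = {
    "id": "java-custom", "name": "Custom Java rules", "version": "1.3.0",
    "sonar_version": "9.9", "entry_class": "com.example.CustomPlugin", "jdk_version": "11",
    "rules": ["ClassNameCheck", "MagicNumberCheck", "HardcodedSecretCheck", "LongMethodCheck"],
}

if __name__ == "__main__":
    print(normative_check(ANALYSIS, DEPLOYED))
```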
To avoid anomalous plug-ins and anomalous rules within a plug-in, in this embodiment, performing anomaly detection on the plurality of scanning rules in the plug-in package analysis file to obtain the plug-in anomaly detection result further includes the following steps: read the target program class path in the second rule list of the plug-in package analysis file; search for a unit test script in the plug-in package analysis file according to the target program class path, wherein the unit test script is used for unit testing the scanning rules in the plug-in to be deployed; unit test the scanning rules in the plug-in package analysis file according to the positive test cases and negative test cases in the unit test script, to obtain a first anomaly detection result; perform code scanning on the plug-in source code of the plug-in package analysis file and code anomaly detection on the scanning rules in the plug-in to be deployed, to obtain a second anomaly detection result; and obtain the plug-in anomaly detection result according to the first and second anomaly detection results.
The anomaly detection may be a detection process carried out through unit testing, anomalous code scanning and the like; based on the plug-in anomaly detection result, anomalous rules in the plug-in source code of the plug-in to be deployed can be eliminated.
Unit testing: the implementation program class path (corresponding to the target program class path) is read from the rule list of the plug-in to be deployed, and the unit test script of each scanning rule is located according to the conventions of a Maven (Project Object Model) project (the implementation class is src/main/ClassNameCheckRule.java and the test class is src/test/ClassNameCheckRuleTest.java). Verification is then performed against the positive and negative example code segments of the unit test script (corresponding to the positive and negative test cases): it is checked whether a problem is reported as expected in the case that violates the scanning rule, and whether an example (test case) that does not violate the scanning rule produces a false alarm, to obtain the first anomaly detection result. It should be noted that if no test script corresponding to a scanning rule can be found, or the test script does not pass when run, this may be recorded in the rule server and the person in charge of the plug-in rule notified.
Code anomaly detection: code scanning is performed on the plug-in source code of the plug-in to be deployed, that is, code inspection of the scanning rules' source code; if high-risk problems exist, they are registered in the rule server and the person in charge of the plug-in is notified, and the second anomaly detection result is obtained through this code anomaly detection.
The plug-in anomaly detection result is obtained according to the first and second anomaly detection results, achieving the technical effect of finding plug-in anomalies in time during the processing of the plug-in to be deployed.
To reduce the anomaly rate of plug-ins after deployment, in this embodiment, before the target plug-in is deployed to the target server, the following is further included: deploy the target plug-in to a test server in a test environment, and obtain a first test project and a second test project for testing the target plug-in, wherein the first test project is used for regression testing of the target plug-in, the second test project is used for performance stress testing of the target plug-in, and the test code segments of the unit test scripts are added to the first test project; perform regression testing of the target plug-in through the first test project; and perform performance stress testing on the test server through the second test project in an asynchronously triggered manner.
In this embodiment, before the target plug-in is deployed to the target server, the compiled target plug-in is packaged and deployed to a SonarQube server in the test environment (corresponding to the test server above), and the SonarQube service is restarted so that the target plug-in takes effect.
For regression testing, entity files can be generated automatically from the positive and negative test case code segments of the unit tests of the scanning rules and added to the project to be scanned (corresponding to the first test project), to facilitate regression testing and better simulate the code scanning process. A rule set is generated for the rules newly created or modified in the version of the target plug-in being deployed, the rule set is created by calling the server, and the project to be tested, which contains the positive and negative example program code for the rules under test, is scanned and pushed to the SonarQube server of the test environment through the SonarQube client using the created rule set. Whether the scanning results for the positive and negative examples (the positive and negative test cases in the first test project) meet expectations is then judged. If a scanning result does not meet expectations, it is recorded in the rule server and the corresponding person in charge of the plug-in is notified, giving the regression test result.
Stress testing: a prepared large-scale code project (corresponding to the second test project) is scanned using the scanning rules in the target plug-in. Because the stress test takes longer, it is triggered asynchronously so that the subsequent flow is not blocked during scanning; if the total time exceeds 1 hour, the rule administrator can investigate the cause.
After verification in the test environment passes, each tested plug-in to be deployed can be deployed to the server in the production environment (that is, the target server); the server is restarted and its state is checked to be normal. In the production environment, a task can be pushed to the server through the client to verify whether the scanning result for the code to be scanned is normal. If the verification fails, the rule administrator is notified for handling.
Testing the target plug-in in the test environment achieves the technical effect of reducing the anomaly rate of the plug-in once deployed on the target server.
To handle the case in which the scanning results of the plug-in become inaccurate after the target plug-in has been deployed to the target server, in this embodiment the following is further included: record the anomalous conditions of the target server while the program code is scanned through the target plug-in; compute an anomaly probability from the anomalous conditions and judge whether it reaches a preset anomaly probability threshold; and when the anomaly probability reaches the preset threshold, take the target plug-in in the target server offline and send notification information to the target object.
The anomalous conditions may include missed reports and false reports during scanning of the program code; the missed-report condition may be the number of problems missed while scanning the program code, and the false-report condition may be the number of problems falsely reported while scanning the program code.
After the target plug-in is deployed to the target server, that is, to the actual production environment, the state of a rule can be updated by collecting anomalous conditions of the rule such as false reports and missed reports. While the target server runs, users handle the problems it reports, and if a reported problem is a false report, or a problem was missed, the user can mark the state of that rule's problem in the SonarQube server (that is, the target server). A problem marked as a false or missed report is then confirmed by review of the rule administrator. If confirmed, the system records the collected missed-report or false-report example, automatically generates the corresponding test script and adds it to the test cases of the corresponding plug-in project; in subsequent packaging and deployment, the automatically added test script must pass before the flow can continue.
The false reports and missed reports of scanning according to a scanning rule can be counted, and the false-report rate and missed-report rate of the scanning rule (corresponding to the anomaly probability) can be calculated. The false-report rate can be the ratio of the number of problems falsely reported by the scanning rule to the number of problems scanned, and the missed-report rate the ratio of the problems missed by the scanning rule to the problems scanned; if the false-report rate or the missed-report rate exceeds five per thousand, the rule is automatically taken offline.
In the actual production environment, rule state updates can be performed on the deployed target plug-in, and normally two triggering conditions can be included: first, when a plug-in developer commits code, the single plug-in currently being developed is checked, packaged and deployed to the test server; second, a rule administrator triggers the check, packaging and deployment flow for the full set of plug-ins.
If the false-report rate or the missed-report rate becomes unqualified, for example the false-report rate exceeds a preset false-report rate threshold and/or the missed-report rate exceeds a preset missed-report rate threshold, the repackaging and deployment flow of the plug-in can be triggered automatically, the rule is automatically taken offline, and the person in charge of the plug-in is notified to handle it.
When a plug-in or a scanning rule in a plug-in has a problem, the plug-in information and rule information can be recorded and the rule state and plug-in state changed in the rule server. If notification is required, the person in charge can be marked as needing notification; the problems of the plug-in and its rules are assembled into a mail, the relevant information is sent to the person in charge of the plug-in, and the notification state is set once notification has succeeded.
Plug-in information may include, but is not limited to: plug-in name, plug-in version, plug-in effective time, plug-in update time, loader, plug-in state, whether the person in charge is to be notified, and the like.
Rule information may include, but is not limited to: plug-in name, plug-in programming language, rule base, rule name, rule effective time, rule update time, person in charge, and rule state.
Plug-in state may include, but is not limited to: compilation failed, deployed, plug-in conflict (which may include the specific name of the conflicting plug-in), and the like.
Rule state may include, but is not limited to: no test script, unit test script not passing, conflict with another plug-in's rule, high-risk problems exceeding the threshold, high false-report rate, and unit test script not passing.
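The rate calculation and automatic offlining described above, as an added example that is not the patent's code: production feedback is tallied per rule, the false-report and missed-report rates are computed as the embodiment defines them (ratios to the problems the rule scanned), and a rule exceeding five per thousand is taken offline and its state set. The feedback records and their tags are constructed for the example.

```python
"""Rule state update from production scan feedback: false-report rate, missed-report
rate and automatic offlining. Added example, not the patent's code.

Constructed feedback: each record is (rule key, tag). Problems the rule reported
are tagged 'confirmed' or 'false_report'; problems the rule should have reported
but did not are tagged 'missed_report' after the administrator's review.
"""
from collections import defaultdict

OFFLINE_THRESHOLD = 5 / 1000   # five per thousand, as stated in the embodiment


def rule_rates(records):
    """Return rule key -> {'scanned', 'false_rate', 'miss_rate'}.

    false_rate = falsely reported problems / problems the rule scanned (reported);
    miss_rate  = missed problems / problems the rule scanned. A rule with no
    scanned problems gets None for both rates (insufficient data)."""
    counts = defaultdict(lambda: {"scanned": 0, "false": 0, "missed": 0})
    for rule, tag in records:
        c = counts[rule]
        if tag == "missed_report":
            c["missed"] += 1
        else:
            c["scanned"] += 1
            if tag == "false_report":
                c["false"] += 1
    rates = {}
    for rule, c in counts.items():
        scanned = c["scanned"]
        rates[rule] = {
            "scanned": scanned,
            "false_rate": c["false"] / scanned if scanned else None,
            "miss_rate": c["missed"] / scanned if scanned else None,
        }
    return rates


def update_rule_states(records, states, threshold=OFFLINE_THRESHOLD):
    """Apply the threshold to every rule, mutating `states` (rule key -> state).

    Returns the sorted list of (rule key, reason) taken offline; each one also
    triggers the repackage-and-deploy flow and a notification to the plug-in owner."""
    offline = []
    for rule, r in rule_rates(records).items():
        if r["false_rate"] is None:
            continue                      # no scanned problems yet, nothing to judge
        if r["false_rate"] > threshold:
            states[rule] = "high false-report rate"
            offline.append((rule, "false_rate"))
        elif r["miss_rate"] > threshold:
            states[rule] = "high missed-report rate"
            offline.append((rule, "miss_rate"))
    return sorted(offline)


def sample_records():
    """Constructed production feedback for three rules."""
    recs = []
    recs += [("java-custom:ClassNameCheck", "confirmed")] * 1992 + \
            [("java-custom:ClassNameCheck", "false_report")] * 8      # 8/2000 = 0.004, stays
    recs += [("java-custom:MagicNumberCheck", "confirmed")] * 994 + \
            [("java-custom:MagicNumberCheck", "false_report")] * 6    # 6/1000 = 0.006, offline
    recs += [("java-custom:LongMethodCheck", "confirmed")] * 400 + \
            [("java-custom:LongMethodCheck", "missed_report")] * 3    # 3/400 = 0.0075, offline
    return recs


if __name__ == "__main__":
    states = {}
    print(update_rule_states(sample_records(), states))
    print(states)
```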
This embodiment may also include an automatic build module, a rule management module, a plug-in and rule check module, human roles, and a specification convention to implement the processing method of the code scanning rule of this embodiment; each is described below.
1. Automatic build module. It consists of a Jenkins (an open source software project) scheduling server and execution machines, and is used to configure automatic build and deployment tasks. Based on Jenkins pipeline scripts, the entire flow of automatically packaging and deploying plug-ins is chained together. It also includes linkage of Jenkins with other systems, for example custom hooks managed through git source control, so that tasks are run under specific conditions.
2. Rule management module. It is used to collect scanning result information, record the state of rules, record the state at packaging time when a rule is packaged, and manage the available rules to prevent plug-in or rule conflicts. It also reminds the person in charge according to the state of the plug-in or rule.
3. Plug-in and rule check module. A plug-in is the carrier of scanning rules: scanning rules are compiled and then packaged into a plug-in package. The basis of this embodiment is to test and scan the code scanning rules so that problems are found in advance. The check module inspects the entire plug-in deployment flow for problems. The scanning rule source code is packaged into plug-ins, the rules are deployed to a SonarQube server (corresponding to the target server), code is scanned using the scanning rules in the plug-ins, a report of the scanning result is generated and uploaded to the server, and the rule scanning result is analyzed and displayed.
4. Human roles. 1) Rule administrator: manages the life cycle of the scanning rules and configures the related automatic build tasks. 2) Plug-in developer: develops code scanning rules. 3) Application developer: scans application code using the code scanning rules.
5. Specification convention. To manage rule development uniformly, a git source code version management platform is used for source control: developers use git repositories when developing plug-ins, each plug-in corresponds to one repository, and it is open-sourced on the git platform. Specification conventions are made for the code scanning plug-ins, rule bases, rule information and the like.
It should be noted that, during packaging, testing and deployment, plug-in and rule information may be recorded, and if handling is required the corresponding person in charge is notified in time. Before the plug-in to be deployed is deployed to the actual production environment, if it has problems the plug-in deployment flow can be stopped and the plug-in administrator notified; if some rules of the plug-in have problems, the problematic rules can be removed from the plug-in rule list, the flow returns to the compilation step, the related implementation classes are removed from the compilation list, and the plug-in is recompiled.
Fig. 3 is a first flowchart of alternative code scanning rule packaging and deployment according to an embodiment of the present invention; the test process of a single plug-in is shown in fig. 2. During deployment of a plug-in to be deployed, if a problem is found, notification information may be sent to the corresponding server to notify the corresponding administrator. Fig. 4 is a second flowchart of alternative code scanning rule packaging and deployment according to an embodiment of the present invention; the flow of testing and deploying a plurality of plug-ins is shown in fig. 4. In figs. 3 and 4, "plugin" denotes a plug-in program.
Through this embodiment, the problem that automatic packaging and one-click release could not be achieved is solved, and release deployment can be completed without manually performing a plurality of deployment steps. Rule checks on plug-ins can be preset through the developed plug-in specification, preventing conflicts in advance; plug-ins can also be checked during packaging and deployment, preventing problems after the plug-in goes into production. During release of plug-ins to be deployed, problematic plug-ins and the relevant rules can be quickly separated out and the usable plug-ins redeployed. If the whole plug-in deployment flow has a problem, it can quickly return to a normal usable state without manual handling. When a problem occurs during deployment, the corresponding person in charge is notified to repair it in time, so problems can be solved quickly. By managing plug-ins and scanning rules uniformly, the states of plug-ins and scanning rules can be known in real time in the server. The online rules can be adjusted dynamically according to the false-report and missed-report conditions of the rules.
Example two
The embodiment of the present application also provides a processing apparatus for the code scanning rule; each implementation unit in the apparatus corresponds to an implementation step of the first embodiment.
Fig. 5 is a schematic diagram of an alternative code scanning rule processing apparatus according to an embodiment of the present invention, as shown in fig. 5, including: a compiling unit 51, a first processing unit 52, a second processing unit 53, a third processing unit 54.
Specifically, the compiling unit 51 is configured to obtain the plug-in source code of a plug-in to be deployed from a source code server and compile it to obtain a plug-in package of the plug-in to be deployed, where the plug-in to be deployed is used for scanning program code for defects and vulnerabilities and includes a plurality of scanning rules for scanning the program code;
the first processing unit 52 is configured to parse the plug-in package to obtain a plug-in package analysis file and perform a normative check on the plug-in package analysis file through the rule server;
the second processing unit 53 is configured to, when the plug-in package analysis file passes the normative check, perform anomaly detection on the plurality of scanning rules in the plug-in package analysis file to obtain a plug-in anomaly detection result, and remove the abnormal rules from the plug-in source code according to that result to obtain the target plug-in source code;
and the third processing unit 54 is configured to recompile the target plug-in source code to obtain the target plug-in and deploy the target plug-in to the target server.
In the processing apparatus for a code scanning rule provided in the second embodiment of the present application, the compiling unit 51 obtains the plug-in source code of the plug-in to be deployed from the source code server and compiles it to obtain the plug-in package of the plug-in to be deployed, where the plug-in to be deployed is used to scan program code for defects and vulnerabilities and includes a plurality of scanning rules for that purpose; the first processing unit 52 parses the plug-in package to obtain a plug-in package analysis file and performs a normative check on it through the rule server; the second processing unit 53, when the analysis file passes the normative check, performs anomaly detection on the plurality of scanning rules in the analysis file to obtain a plug-in anomaly detection result and removes the abnormal rules from the plug-in source code according to that result to obtain the target plug-in source code; and the third processing unit 54 recompiles the target plug-in source code to obtain the target plug-in and deploys it to the target server. In this embodiment, the plug-in source code of the plug-in to be deployed is obtained from the source code server, compiled and parsed, the resulting analysis file is checked through the rule server, and only a target plug-in that passes both the normative check and the anomaly detection is deployed to the target server. This avoids deploying plug-ins through a series of manual steps, under which plug-in problems are hard to detect, and improves both plug-in deployment efficiency and plug-in problem detection efficiency.
Optionally, in the processing apparatus for a code scanning rule provided in the second embodiment of the present application, the processing apparatus further includes a determining unit, configured to determine the number of plug-ins to be deployed in the plug-in package after the plug-in source code has been obtained from the source code server and compiled into the plug-in package; and a checking unit, configured to, when there are a plurality of plug-ins to be deployed, perform a conflict check on the plug-ins according to the plug-in package analysis file of each plug-in to be deployed.
Optionally, in the processing apparatus for code scanning rules provided in the second embodiment of the present application, the checking unit includes: a detection subunit, configured to detect repeated plug-ins and repeated scanning rules among the plug-ins to be deployed according to the plug-in package analysis file of each plug-in to be deployed; a removing subunit, configured to, when repeated plug-ins exist among the plurality of plug-ins to be deployed, remove the repeated plug-ins according to their plug-in submission times; and a first processing subunit, configured to, when a repeated scanning rule exists among the plurality of plug-ins to be deployed, invalidate the scanning rule code corresponding to the repeated scanning rule according to the submission time of the plug-in to be deployed to which the repeated scanning rule belongs.
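The conflict check performed by the checking unit, written out as an added example (this is not code from the patent or from ICBC). Package contents, submission times, rule keys and class names are constructed, and the tie-break policy that the most recently submitted plug-in wins both for repeated plug-ins and for repeated rules is an assumption, since the text only says submission time decides:

```python
"""Added example (not the patent's code): conflict check over a batch of plug-in
packages. Package contents, submission times and the "latest submission wins"
policy are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class PluginPackage:
    plugin_id: str
    submitted_at: datetime
    rules: dict                                  # rule key -> implementation class
    disabled: set = field(default_factory=set)   # rule keys whose code was invalidated


def dedupe_plugins(packages):
    """Keep one package per plugin_id. Assumed policy: the latest submission wins."""
    latest = {}
    for pkg in packages:
        current = latest.get(pkg.plugin_id)
        if current is None or pkg.submitted_at > current.submitted_at:
            latest[pkg.plugin_id] = pkg
    return list(latest.values())


def invalidate_duplicate_rules(packages):
    """For a rule key present in several remaining plug-ins, keep the copy in the
    most recently submitted plug-in and mark the others disabled so their rule code
    is not compiled into the target plug-in. Returns {rule key: (winner, [losers])}."""
    owners = {}
    for pkg in packages:
        for key in pkg.rules:
            owners.setdefault(key, []).append(pkg)
    conflicts = {}
    for key, pkgs in owners.items():
        if len(pkgs) < 2:
            continue
        winner = max(pkgs, key=lambda p: p.submitted_at)
        losers = [p for p in pkgs if p is not winner]
        for p in losers:
            p.disabled.add(key)
        conflicts[key] = (winner.plugin_id, [p.plugin_id for p in losers])
    return conflicts


def conflict_check(packages):
    """Full check: drop repeated plug-ins, then invalidate repeated scanning rules."""
    kept = dedupe_plugins(packages)
    conflicts = invalidate_duplicate_rules(kept)
    return kept, conflicts


def active_rules(pkg):
    """Rules that remain in the compile list after invalidation."""
    return {k: v for k, v in pkg.rules.items() if k not in pkg.disabled}


# Constructed batch: one plug-in submitted twice, another sharing a rule key with it.
BATCH = [
    PluginPackage("java-security", datetime(2022, 10, 20),
                  {"weak-hash-md5": "com.example.WeakHashCheck",
                   "sql-concat": "com.example.SqlConcatCheck"}),
    PluginPackage("python-security", datetime(2022, 10, 22),
                  {"weak-hash-md5": "com.example.PyWeakHashCheck",
                   "subprocess-shell": "com.example.SubprocessShellCheck"}),
    PluginPackage("java-security", datetime(2022, 10, 24),
                  {"weak-hash-md5": "com.example.WeakHashCheck",
                   "sql-concat": "com.example.SqlConcatCheck",
                   "hardcoded-password": "com.example.HardcodedPasswordCheck"}),
]

if __name__ == "__main__":
    kept, conflicts = conflict_check(BATCH)
    for pkg in kept:
        print(pkg.plugin_id, pkg.submitted_at.date(), sorted(active_rules(pkg)))
    print(conflicts)
```

Disabling the losing copy of a rule rather than deleting the whole plug-in keeps the rest of that plug-in deployable, which is what the text means by invalidating only the repeated scanning rule code; the `conflicts` map is what a rule server would record so the owner of the losing plug-in can be notified.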
Optionally, in the processing apparatus for code scanning rules provided in the second embodiment of the present application, the first processing unit 52 includes: a first reading subunit, configured to read the plug-in specification convention in the rule server and the maintenance record information kept for the plug-in to be deployed; a second processing subunit, configured to perform a first normative check on the plug-in package analysis file according to the plug-in specification convention, determining whether the scanning rules in the plug-in to be deployed satisfy the plug-in specification convention, to obtain a first normative check result; a third processing subunit, configured to perform a second normative check on the plug-in package analysis file according to a first rule list in the maintenance record information to obtain a second normative check result, where the first rule list records the scanning rule data of plug-ins that have been successfully deployed on the target server; and a determining subunit, configured to determine whether the plug-in package analysis file passes the normative check according to the first normative check result and the second normative check result.
Optionally, in the processing apparatus for code scanning rules provided in the second embodiment of the present application, the third processing subunit includes: a determining module, configured to compare a second rule list of the plug-in package analysis file with the first rule list, determine the rules newly added in the second rule list relative to the first rule list, and record the newly added rules in the rule server, where a newly added rule is a rule of the plug-in to be deployed that is not present in the version of that plug-in already successfully deployed on the target server; a judging module, configured to judge, through the rule server, whether the name of a newly added rule already exists in other deployed plug-ins; and a processing module, configured to, when the name of the newly added rule exists in other deployed plug-ins, record the newly added rule with the repeated name in the rule server and send notification information to the target object.
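The two normative checks of the first processing unit, written out as an added example (not code from the patent or from ICBC). The plug-in specification convention (key naming, allowed severities, required fields), the rule server's maintenance records and every rule key and class name are constructed assumptions; so is the decision that a repeated rule name fails the check rather than only being recorded and reported, which the text leaves open:

```python
"""Added example (not the patent's code): the first and second normative checks run
through the rule server. The specification convention, the deployed-rule records and
the rule is all constructed; failing on a name collision is an assumption."""
import re
from dataclasses import dataclass

KEY_RE = re.compile(r"^[a-z][a-z0-9-]{2,63}$")      # assumed rule key naming convention
SEVERITIES = {"info", "minor", "major", "critical", "blocker"}


@dataclass(frozen=True)
class RuleSpec:
    key: str
    severity: str
    impl_class: str
    description: str = ""


def spec_convention_check(rules):
    """First normative check: each scanning rule must satisfy the plug-in
    specification. Returns a list of (rule key, problem)."""
    problems = []
    for r in rules:
        if not KEY_RE.match(r.key):
            problems.append((r.key, "key violates naming convention"))
        if r.severity not in SEVERITIES:
            problems.append((r.key, f"unknown severity {r.severity!r}"))
        if not r.impl_class:
            problems.append((r.key, "missing implementation class"))
        if not r.description.strip():
            problems.append((r.key, "missing description"))
    return problems


def rule_list_check(plugin_id, candidate_rules, deployed):
    """Second normative check against the maintenance records. `deployed` maps each
    successfully deployed plug-in to its rule keys (the first rule list); the
    candidate's keys form the second rule list. Returns
    (newly added rule keys, {new key: other deployed plug-ins already using it})."""
    previous = deployed.get(plugin_id, set())
    new_rules = [r.key for r in candidate_rules if r.key not in previous]
    collisions = {}
    for key in new_rules:
        others = sorted(pid for pid, keys in deployed.items()
                        if pid != plugin_id and key in keys)
        if others:
            collisions[key] = others
    return new_rules, collisions


def normative_check(plugin_id, candidate_rules, deployed):
    """Combine both results. A collision is recorded and reported and (assumed here)
    blocks the plug-in until the rule is renamed."""
    spec_problems = spec_convention_check(candidate_rules)
    new_rules, collisions = rule_list_check(plugin_id, candidate_rules, deployed)
    notifications = [
        f"{plugin_id}: new rule {key!r} duplicates a rule name in {', '.join(pids)}"
        for key, pids in collisions.items()
    ]
    return {
        "passed": not spec_problems and not collisions,
        "spec_problems": spec_problems,
        "new_rules": new_rules,
        "collisions": collisions,
        "notifications": notifications,
    }


# Constructed rule server records: rule keys of plug-ins already on the target server.
DEPLOYED = {
    "java-security": {"weak-hash-md5", "sql-concat"},
    "python-security": {"subprocess-shell", "hardcoded-password"},
}

# Constructed candidate: a new version of java-security with two added rules.
CANDIDATE = [
    RuleSpec("weak-hash-md5", "critical", "com.example.WeakHashCheck", "Use of MD5"),
    RuleSpec("sql-concat", "major", "com.example.SqlConcatCheck", "SQL built by concatenation"),
    RuleSpec("hardcoded-password", "blocker", "com.example.HardcodedPasswordCheck", "Hard-coded secret"),
    RuleSpec("XXE_Check", "urgent", "", "External entity expansion enabled"),
]

if __name__ == "__main__":
    result = normative_check("java-security", CANDIDATE, DEPLOYED)
    for line in result["notifications"]:
        print("notify:", line)
    print(result["passed"], result["spec_problems"], result["new_rules"])
```

Only rules absent from the previously deployed version of the same plug-in are treated as newly added, so a rule that was already live under this plug-in's own name is never reported as colliding with itself; the collision search deliberately skips the candidate's own plugin_id for the same reason.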
Optionally, in the processing apparatus for code scanning rules provided in the second embodiment of the present application, the second processing unit 53 includes: a second reading subunit, configured to read the target program type path in the second rule list of the plug-in package analysis file; a searching subunit, configured to search for a unit test script in the plug-in package analysis file according to the target program type path, where the unit test script is used to unit-test the scanning rules in the plug-in to be deployed; a test subunit, configured to unit-test the scanning rules in the plug-in package analysis file according to the positive test cases and negative test cases in the unit test script to obtain a first anomaly detection result; a scanning subunit, configured to perform code scanning on the plug-in source code of the plug-in package analysis file and perform code anomaly detection on the scanning rules in the plug-in to be deployed to obtain a second anomaly detection result; and a fourth processing subunit, configured to obtain the plug-in anomaly detection result according to the first anomaly detection result and the second anomaly detection result.
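The anomaly detection of the second processing unit, followed by the removal of abnormal rules from the rule list and compile list that the third processing unit's recompilation relies on, written out as an added example (not code from the patent or from ICBC). Each scanning rule's detection logic is stood in for by a regular expression, the unit test scripts with their positive and negative cases are constructed, and all rule keys and implementation class names are assumptions:

```python
"""Added example (not the patent's code): anomaly detection for scanning rules using
positive and negative unit-test cases plus a scan of the rule implementation, then
kicking abnormal rules off the rule list and compile list before recompilation.
Rule logic is stood in for by regexes; rules, tests and class names are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRule:
    key: str          # rule key as listed in the plug-in package's rule list
    impl_class: str   # implementation class entered in the compile list
    pattern: str      # constructed stand-in for the rule's detection logic


@dataclass(frozen=True)
class RuleTest:
    rule_key: str
    positive: tuple   # snippets the rule must report
    negative: tuple   # snippets the rule must not report


def scan_rule_code(rule):
    """Second anomaly check: code scanning of the rule implementation itself. Here that
    is compiling the constructed regex; a compile error marks the rule abnormal."""
    try:
        re.compile(rule.pattern)
    except re.error as exc:
        return f"implementation error: {exc}"
    return None


def unit_test_rule(rule, test):
    """First anomaly check: every positive case must be reported (else a missed
    report) and every negative case must stay silent (else a false report)."""
    if test is None:
        return "no unit test script found on the rule's class path"
    matcher = re.compile(rule.pattern)
    missed = [s for s in test.positive if not matcher.search(s)]
    false = [s for s in test.negative if matcher.search(s)]
    if missed:
        return f"missed report on {len(missed)} positive case(s)"
    if false:
        return f"false report on {len(false)} negative case(s)"
    return None


def detect_anomalies(rules, tests):
    """Plug-in anomaly detection result: {rule key: reason} for every abnormal rule.
    The implementation scan runs first so a broken rule is never executed."""
    tests_by_key = {t.rule_key: t for t in tests}
    result = {}
    for rule in rules:
        reason = scan_rule_code(rule) or unit_test_rule(rule, tests_by_key.get(rule.key))
        if reason:
            result[rule.key] = reason
    return result


def build_target_source(rules, anomalies):
    """Kick abnormal rules off the rule list and their classes off the compile list;
    what remains is the target plug-in source to be recompiled."""
    kept = [r for r in rules if r.key not in anomalies]
    return [r.key for r in kept], [r.impl_class for r in kept]


# Constructed plug-in: four rules, one with a sloppy pattern and one with a broken one.
RULES = (
    ScanRule("hardcoded-password", "com.example.HardcodedPasswordCheck",
             r"password\s*=\s*[\"'][^\"']+[\"']"),
    ScanRule("weak-hash-md5", "com.example.WeakHashCheck",
             r"hashlib\.md5\(|MessageDigest\.getInstance\(\s*\"MD5\"\s*\)"),
    ScanRule("sql-concat", "com.example.SqlConcatCheck",
             r"SELECT .* \+ "),          # only covers SELECT, so it misses DELETE
    ScanRule("bad-regex", "com.example.BrokenCheck", r"(unclosed"),
)
TESTS = (
    RuleTest("hardcoded-password",
             positive=('password = "hunter2"',),
             negative=('password = os.environ["DB_PASS"]',)),
    RuleTest("weak-hash-md5",
             positive=("h = hashlib.md5(data)", 'MessageDigest.getInstance("MD5")'),
             negative=("h = hashlib.sha256(data)",)),
    RuleTest("sql-concat",
             positive=('q = "SELECT * FROM t WHERE id=" + user_id',
                       "q = 'DELETE FROM t WHERE id=' + user_id"),
             negative=('q = "SELECT * FROM t WHERE id=?"',)),
)

if __name__ == "__main__":
    anomalies = detect_anomalies(RULES, TESTS)
    rule_list, compile_list = build_target_source(RULES, anomalies)
    for key, reason in anomalies.items():
        print(f"kicked {key}: {reason}")
    print("rule list:", rule_list)
    print("compile list:", compile_list)
```

A rule is kept only when it reports every positive case and stays silent on every negative case; a rule with no unit test script at all is treated as abnormal rather than waved through, since an untested detection rule is exactly the kind that produces false or missed reports once it is in production.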
Optionally, in the processing apparatus for code scanning rules provided in the second embodiment of the present application, the processing apparatus further includes: a deployment unit, configured to deploy the target plug-in to a test server in a test environment before it is deployed to the target server, and to obtain a first test item and a second test item for testing the target plug-in, where the first test item performs regression testing on the target plug-in, the second test item performs performance stress testing on the target plug-in, and the test code segments of the unit test script are added to the first test item; a first testing unit, configured to perform regression testing on the target plug-in through the first test item; and a second testing unit, configured to perform performance stress testing on the test server through the second test item in an asynchronously triggered manner.
Optionally, in the processing apparatus for code scanning rules provided in the second embodiment of the present application, the processing apparatus further includes: a recording unit, configured to record abnormal conditions of the target server while the program code is scanned through the target plug-in after the target plug-in has been deployed to the target server; a fourth processing unit, configured to compute an anomaly probability from the abnormal conditions and judge whether it reaches a preset anomaly probability threshold; and a fifth processing unit, configured to, when the anomaly probability reaches the preset threshold, take the target plug-in on the target server offline and send notification information to the target object.
The processing apparatus for the code scanning rule may further include a processor and a memory, where the compiling unit 51, the first processing unit 52, the second processing unit 53, the third processing unit 54, and the like are stored in the memory as program units, and the processor executes the program units stored in the memory to implement corresponding functions.
The processor includes one or more kernels, each of which calls the corresponding program unit from the memory. By adjusting the kernel parameters, the plug-in source code of the plug-in to be deployed is obtained from the source code server, compiled and parsed; the resulting plug-in package analysis file is checked through the rule server; and the target plug-in that passes the normative check and the anomaly detection is deployed to the target server. This avoids deploying plug-ins through a series of manual steps, under which plug-in problems are hard to detect, and improves plug-in deployment efficiency and plug-in problem detection efficiency.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, including: a processor; and a memory for storing executable instructions for the processor; wherein the processor is configured to perform the method of processing the code scanning rule of any one of the above via execution of executable instructions.
According to another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium, in which a computer program is stored, and when the computer program runs, the apparatus where the computer-readable storage medium is located is controlled to execute the processing method of the code scanning rule of any one of the above.
Fig. 6 is a schematic diagram of an electronic device according to an embodiment of the present invention. As shown in fig. 6, the embodiment provides an electronic device 60 including a processor, a memory, and a program stored in the memory and runnable on the processor; when the processor executes the program, it implements the processing method of any one of the above-mentioned code scanning rules.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis, and reference may be made to the related description of other embodiments for parts that are not described in detail in a certain embodiment.
In the embodiments provided in the present application, it should be understood that the disclosed technical content can be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units may be a logical division, and in actual implementation, there may be another division, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make various modifications and improvements without departing from the principle of the present invention, and these modifications and improvements should also be regarded as falling within the protection scope of the present invention.

Claims (11)

1. A method for processing code scanning rules, comprising:
obtaining plug-in source code of a plug-in to be deployed from a source code server and compiling the plug-in source code to obtain a plug-in package of the plug-in to be deployed, wherein the plug-in to be deployed is used for scanning defects and vulnerabilities of program code, and the plug-in comprises a plurality of scanning rules for scanning the program code;
analyzing the plug-in package to obtain a plug-in package analysis file, and performing normative check on the plug-in package analysis file through a rule server;
performing anomaly detection on the plurality of scanning rules in the plug-in package analysis file under the condition that the plug-in package analysis file passes the normative check to obtain a plug-in anomaly detection result, and removing abnormal rules from the plug-in source code according to the plug-in anomaly detection result to obtain target plug-in source code;
and recompiling the source code of the target plug-in to obtain a target plug-in, and deploying the target plug-in to a target server.
2. The processing method according to claim 1, wherein after obtaining plug-in source codes of plug-ins to be deployed from a source code server and compiling the plug-in source codes to obtain a plug-in package of the plug-ins to be deployed, the method further comprises:
determining the number of the plug-ins to be deployed in the plug-in package;
and under the condition that a plurality of plug-ins to be deployed exist in the plug-ins to be deployed, analyzing the file according to the plug-in package, and performing conflict check on the plurality of plug-ins to be deployed.
3. The processing method according to claim 2, wherein when there are a plurality of plug-ins to be deployed in the plug-ins to be deployed, performing conflict check on the plurality of plug-ins to be deployed according to the plug-in package parsing file includes:
according to the plug-in package analysis file, detecting repeated plug-ins and repeated scanning rules in the plug-ins to be deployed;
under the condition that the repeated plug-ins exist in the plurality of plug-ins to be deployed, rejecting the repeated plug-ins to be deployed according to the plug-in submission time of the repeated plug-ins;
and under the condition that a repeated scanning rule exists in the plurality of plugins to be deployed, carrying out invalidation processing on repeated scanning rule codes corresponding to the repeated scanning rule according to the submission time of the plugins to be deployed to which the repeated scanning rule belongs.
4. The processing method according to claim 1, wherein the normative checking of the plug-in package parsing file by the rule server comprises:
reading a plug-in specification convention in the rule server and maintaining record information for maintaining the plug-in to be deployed;
performing first normative check on the plug-in package analysis file according to the plug-in specification convention, and determining whether a scanning rule in the plug-in to be deployed meets the plug-in specification convention to obtain a first normative check result;
performing second normative check on the plug-in package analysis file according to a first rule list in the maintenance record information to obtain a second normative check result, wherein the first rule list is used for recording scanning rule data of the plug-ins which are successfully deployed in the target server;
and determining whether the plug-in package analysis file passes the normative check or not according to the first normative check result and the second normative check result.
5. The processing method according to claim 4, wherein performing a second normative check on the plug-in package parsing file according to the first rule list in the maintenance record information comprises:
comparing a second rule list of the plug-in package analysis file with the first rule list, determining a newly added rule of the second rule list compared with the first rule list, and recording the newly added rule in the rule server, wherein the newly added rule is the newly added rule of the plug-in to be deployed compared with a plug-in version successfully deployed on the target server on the plug-in to be deployed;
judging whether the name of the newly added rule exists in other deployed plug-ins or not according to the rule server;
and under the condition that the name of the newly added rule exists in other deployed plug-ins, recording the newly added rule with repeated names in the rule server, and sending notification information to a target object.
6. The processing method according to claim 1, wherein performing anomaly detection on the plurality of scanning rules in the plug-in package analysis file to obtain a plug-in anomaly detection result comprises:
reading a target program type path in a second rule list of the plug-in package analysis file;
searching for a unit test script in the plug-in package analysis file according to the target program type path, wherein the unit test script is used for performing unit tests on the scanning rules in the plug-in to be deployed;
performing unit tests on the scanning rules in the plug-in package analysis file according to positive test cases and negative test cases in the unit test script to obtain a first anomaly detection result;
performing code scanning on the plug-in source code of the plug-in package analysis file and performing code anomaly detection on the scanning rules in the plug-in to be deployed to obtain a second anomaly detection result;
and obtaining the plug-in anomaly detection result according to the first anomaly detection result and the second anomaly detection result.
7. The processing method according to claim 1, wherein before deploying the target plug-in to the target server, the method further comprises:
deploying the target plug-in to a test server of a test environment, and acquiring a first test item and a second test item for testing the target plug-in, wherein the first test item is used for performing regression testing on the target plug-in, the second test item is used for performing performance pressure testing on the target plug-in, and a test code segment in a unit test script is added in the first test item;
performing regression testing on the target plug-in through the first testing project;
and performing performance pressure test on the test server by adopting an asynchronous triggering mode through the second test item.
8. The processing method according to claim 7, wherein after deploying the target plug-in to the target server, the method further comprises:
recording the abnormal condition of the target server in the process of scanning the program code through the target plug-in;
counting the abnormal probability according to the abnormal condition, and judging whether the abnormal probability reaches a preset abnormal probability threshold value;
and under the condition that the abnormal probability reaches the preset abnormal probability threshold value, performing offline processing on the target plug-in the target server, and sending notification information to a target object.
9. An apparatus for processing code scanning rules, comprising:
a compiling unit, configured to obtain plug-in source code of a plug-in to be deployed from a source code server and compile the plug-in source code to obtain a plug-in package of the plug-in to be deployed, wherein the plug-in to be deployed is used for scanning defects and vulnerabilities of program code, and the plug-in comprises a plurality of scanning rules for scanning the program code;
the first processing unit is used for analyzing the plug-in package to obtain a plug-in package analysis file, and performing normative check on the plug-in package analysis file through a rule server;
a second processing unit, configured to perform anomaly detection on the plurality of scanning rules in the plug-in package analysis file under the condition that the plug-in package analysis file passes the normative check to obtain a plug-in anomaly detection result, and to remove abnormal rules from the plug-in source code according to the plug-in anomaly detection result to obtain target plug-in source code;
and the third processing unit is used for recompiling the source code of the target plug-in to obtain the target plug-in and deploying the target plug-in to the target server.
10. A computer-readable storage medium, wherein a computer program is stored in the computer-readable storage medium, and when the computer program runs, the apparatus where the computer-readable storage medium is located is controlled to execute the processing method of the code scanning rule according to any one of claims 1 to 8.
11. An electronic device comprising one or more processors and memory storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of processing code scanning rules of any of claims 1-8.
CN202211311469.8A 2022-10-25 2022-10-25 Code scanning rule processing method and device, storage medium and electronic equipment Pending CN115543838A (en)


Publications (1)

Publication Number Publication Date
CN115543838A true CN115543838A (en) 2022-12-30

Family

ID=84719516



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination