CN115758389A - Vulnerability processing result checking method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN115758389A
Authority
CN
China
Prior art keywords
vulnerability
result
bug
verification
scanning
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211542197.2A
Other languages
Chinese (zh)
Inventor
张睿轩
周芙蓉
阳骁尧
邹为
夏伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Construction Bank Corp
CCB Finetech Co Ltd
Original Assignee
China Construction Bank Corp
CCB Finetech Co Ltd

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a vulnerability processing result checking method and device, electronic equipment and a storage medium, and relates to the field of artificial intelligence. The method comprises the following steps: acquiring a vulnerability scanning result obtained by scanning the service code with a vulnerability scanning system; acquiring the vulnerability processing information that the operation and maintenance user obtains by processing the vulnerability scanning result; verifying the vulnerability processing information according to the vulnerability scanning result and the corresponding vulnerability processing information to obtain a vulnerability repair verification result; and, when the vulnerability repair verification result is a verification failure, sending repair information to the operation and maintenance user so that the operation and maintenance user reprocesses the vulnerability scanning result corresponding to the repair information. The technical scheme of the invention improves the efficiency of verifying the vulnerability processing result.

Description

Vulnerability processing result checking method and device, electronic equipment and storage medium
Technical Field
The embodiment of the invention relates to the field of artificial intelligence, in particular to a vulnerability processing result checking method and device, electronic equipment and a storage medium.
Background
Vulnerability scanning of code is particularly important for applications and systems.
The code is usually scanned by a vulnerability scanning system, which generates a vulnerability scanning result whenever it detects a security vulnerability. The operation and maintenance user then processes the vulnerability scanning result and produces corresponding vulnerability processing information. To ensure the security of the application and the system, this vulnerability processing information also needs to be verified.
At present, the verification of vulnerability processing information mainly depends on manual work. Manual verification, however, is labor intensive and inefficient.
Disclosure of Invention
The embodiment of the invention provides a method and a device for verifying a vulnerability processing result, electronic equipment and a storage medium, which realize the automation of the verification of the vulnerability processing result and improve the efficiency of the verification of the vulnerability processing result.
In a first aspect, an embodiment of the present invention provides a method for verifying a result of vulnerability processing, including:
acquiring a vulnerability scanning result obtained by scanning the service code with the vulnerability scanning system;
acquiring the vulnerability processing information that the operation and maintenance user obtains by processing the vulnerability scanning result, wherein the vulnerability processing information comprises a vulnerability processing state;
verifying the vulnerability processing information corresponding to the vulnerability scanning result according to the vulnerability scanning result and the corresponding vulnerability processing information to obtain a vulnerability repair verification result, wherein the verification includes at least one of normative verification, correctness verification and repair result verification; and
when the vulnerability repair verification result is a verification failure, sending repair information to the operation and maintenance user so that the operation and maintenance user reprocesses the vulnerability scanning result corresponding to the repair information.
In a second aspect, an embodiment of the present invention further provides a device for verifying a result of vulnerability processing, including:
a vulnerability scanning result acquisition module, used for acquiring a vulnerability scanning result obtained by scanning the service code with the vulnerability scanning system;
a vulnerability processing information acquisition module, used for acquiring the vulnerability processing information that the operation and maintenance user obtains by processing the vulnerability scanning result, wherein the vulnerability processing information comprises the result obtained after the vulnerability code is repaired and a vulnerability processing state;
a vulnerability processing information verification module, used for verifying the vulnerability processing information corresponding to the vulnerability scanning result according to the vulnerability scanning result and the corresponding vulnerability processing information to obtain a vulnerability repair verification result, wherein the verification includes at least one of normative verification, correctness verification and repair result verification; and
a repair information sending module, used for sending repair information to the operation and maintenance user when the vulnerability repair verification result is a verification failure, so that the operation and maintenance user reprocesses the vulnerability scanning result corresponding to the repair information.
In a third aspect, an embodiment of the present invention further provides an electronic device, including a memory, a processor, and a computer program that is stored in the memory and is executable on the processor, where the processor implements the vulnerability processing result verification method according to any one of the embodiments of the present invention when executing the computer program.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the vulnerability processing result verification method according to any of the embodiments of the present invention.
In a fifth aspect, an embodiment of the present invention further provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the computer program implements the vulnerability processing result verification method according to any of the embodiments of the present invention.
According to the technical scheme of the embodiment of the invention, a vulnerability scanning result obtained by scanning the service code with the vulnerability scanning system is acquired; the vulnerability processing information that the operation and maintenance user obtains by processing the vulnerability scanning result is acquired; the vulnerability processing information is verified according to the vulnerability scanning result and the corresponding vulnerability processing information to obtain a vulnerability repair verification result; and when the vulnerability repair verification result is a verification failure, repair information is sent to the operation and maintenance user so that the operation and maintenance user reprocesses the corresponding vulnerability scanning result. The verification of the vulnerability processing result is thereby automated and its efficiency is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a flowchart of a vulnerability processing result verification method according to an embodiment of the present invention;
Fig. 2 is a flowchart of a vulnerability processing result verification method according to an embodiment of the present invention;
Fig. 3 is a flowchart of a vulnerability processing result verification method according to an embodiment of the present invention;
Fig. 4 is a scene diagram of a vulnerability processing result verification method according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a vulnerability processing result verification apparatus according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an electronic device suitable for the vulnerability processing result verification method provided in the embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present invention, the terms "first", "second", and the like are used only for distinguishing the description, and are not construed as indicating or implying relative importance. In the technical scheme of the embodiment of the invention, the data acquisition, storage, use, processing and the like all conform to relevant regulations of national laws and regulations.
Fig. 1 is a flowchart of a vulnerability processing result verification method according to an embodiment of the present invention. The method can be executed by a vulnerability processing result verification device, which can be implemented in hardware and/or software and configured in electronic equipment that carries the vulnerability processing result verification function, in particular a client.
Referring to fig. 1, the vulnerability processing result verification method includes:
S110, acquiring a vulnerability scanning result obtained by scanning the service code with the vulnerability scanning system.
The service code may be code required for the service system to operate. And scanning the service codes through the vulnerability scanning system, detecting whether the service system has a vulnerability, and outputting a vulnerability scanning result if the vulnerability scanning system detects that the service system has the vulnerability. The vulnerability scanning result may be a result obtained after the vulnerability scanning system scans the service code. The vulnerability scanning result may include a vulnerability code and vulnerability information corresponding to the vulnerability code.
S120, acquiring the vulnerability processing information that the operation and maintenance user obtains by processing the vulnerability scanning result, wherein the vulnerability processing information comprises a vulnerability processing state.
After the vulnerability scanning result is obtained, the operation and maintenance user can process the vulnerability scanning result to obtain vulnerability processing information corresponding to the vulnerability scanning result. The vulnerability processing information may be information obtained by processing a vulnerability scanning result. Wherein the vulnerability processing information may include vulnerability processing status. For example, the vulnerability handling status may include a status type and a reason for the status type, etc.
S130, verifying the vulnerability processing information corresponding to the vulnerability scanning result according to the vulnerability scanning result and the corresponding vulnerability processing information to obtain a vulnerability repairing and verifying result; the verification includes at least one of: normative verification, correctness verification and repair result verification.
The vulnerability repair verification result indicates whether the vulnerability has been resolved.
Normative detection is used to detect whether the content of the vulnerability processing state meets the specification. Optionally, normative detection may cover the data format of the vulnerability processing state and/or its content; for example, it may detect whether the content of the vulnerability processing state conforms to a data specification. Specifically, the vulnerability processing state can be detected by a first verification submodel, which determines whether the vulnerability processing state is normative. Optionally, the verification model may comprise the first verification submodel; alternatively, the first verification submodel may be a model that performs normative detection independently.
Correctness detection may be used to detect whether the vulnerability processing state is correct. Illustratively, if the vulnerability processing state may take a state A and has been marked as state A, correctness detection actually detects whether the state is indeed state A. Specifically, the result of repairing the vulnerability code can be subjected to vulnerability detection by a second verification submodel to determine whether the vulnerability processing state is correct. Optionally, the verification model may comprise the second verification submodel; alternatively, the second verification submodel may be a model that performs correctness detection independently.
Repair result detection may be used to detect whether the problem code has been repaired. Specifically, vulnerability detection can be performed on the result of repairing the vulnerability code by a third verification submodel to determine whether the vulnerability code has been repaired. Optionally, the verification model may comprise the third verification submodel; alternatively, the third verification submodel may be a model that performs repair result detection independently.
By making the verification include at least one of normative verification, correctness verification and repair result verification, the vulnerability processing information is verified in a more targeted way, and the flexibility of the verification is improved.
And S140, when the bug fixing verification result is verification failure, sending repairing information to the operation and maintenance user so that the operation and maintenance user can process the bug scanning result corresponding to the repairing information.
The repair information may be information instructing that the vulnerability scanning result be reprocessed. The operation and maintenance user may be the operation and maintenance personnel who processed the vulnerability scanning result and generated the vulnerability processing information.
Specifically, if the vulnerability repair verification result is a verification failure, the repair information is sent to the operation and maintenance user who generated the vulnerability processing information. After receiving the repair information, the operation and maintenance user processes the vulnerability scanning result again and regenerates the vulnerability processing information, so that the vulnerability scanning result corresponding to the repair information is reprocessed.
According to the technical scheme of the embodiment of the invention, the vulnerability scanning result obtained by scanning the service code with the vulnerability scanning system is acquired; the vulnerability processing information that the operation and maintenance user obtains by processing the vulnerability scanning result is acquired, the vulnerability processing information comprising a vulnerability processing state; the vulnerability processing information is verified according to the vulnerability scanning result and the corresponding vulnerability processing information to obtain a vulnerability repair verification result, the verification including at least one of normative verification, correctness verification and repair result verification; and when the vulnerability repair verification result is a verification failure, repair information is sent to the operation and maintenance user so that the operation and maintenance user reprocesses the corresponding vulnerability scanning result. By verifying the vulnerability processing information automatically, the verification of the vulnerability processing result is automated, its efficiency is improved, and the security and stability of the system are ensured.
In an optional embodiment of the present invention, the verification includes normative verification, and verifying the vulnerability processing state includes: performing normative detection on the data format and the content of the vulnerability processing state.
The data format of the vulnerability processing state may be the format of each item of content of the vulnerability processing state. Optionally, the data format may include a data type and a content format. The content of the vulnerability processing state may include mandatory elements among the various items of content, and each mandatory element carries a corresponding attribute value.
For example, assume that the state types of the vulnerability processing state include state type X and state type Y, and that the content of the vulnerability processing state consists of a state type, a reason for the state type and a remark. The data format of the state type is numeric, and the data format of the reason and the remark is character. The mandatory elements in the content of the vulnerability processing state are the state type and the reason for the state type. The attribute values of the state type may include the value "1" and the value "2": if the state type is state type X, the content of the state type is the value "1"; if the state type is state type Y, the content of the state type is the value "2". The attribute values of the reason for the state type may include the vulnerability code, the processing information and the result of the vulnerability code after repair.
Normative detection of the data format of the vulnerability processing state may detect whether the data format of the state type is numeric and whether the data formats of the reason and the remark are character. If any other data format is detected, the normative detection of the data format of the vulnerability processing state fails.
Normative detection of the content of the vulnerability processing state may be used to detect whether the content lacks necessary items: whether the mandatory elements in each item of content are filled in, and whether the attribute values of the mandatory elements are filled in. If a mandatory element is not filled in, or is filled in but its corresponding attribute value is not, the content of the vulnerability processing state is determined to lack necessary content, and the normative detection of the vulnerability processing state fails.
By performing normative detection on both the data format and the content of the vulnerability processing state, the normativity of the vulnerability processing state in both respects is detected and ensured.
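The normative detection described above, written out as an added Python example (not the patent's code). It checks a dict-shaped state record against the specification the patent gives: numeric state type with value 1 (state type X) or 2 (state type Y), character reason and remark, state type and reason mandatory and each carrying an attribute value. The key names `state_type`, `reason` and `remark` and the record shape are assumptions made for this example.

```python
"""Normative check of a vulnerability processing state record.

Added example; not the patent's code. Key names and the dict record shape
are assumptions. The spec encoded here is the one the patent illustrates:
state_type is numeric (1 = state type X, 2 = state type Y), reason and
remark are character data, state_type and reason are mandatory, and every
mandatory element must carry a non-empty attribute value.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Attribute values the state type may take: 1 -> state type X, 2 -> state type Y.
STATE_TYPE_VALUES: Dict[int, str] = {1: "X", 2: "Y"}

# Mandatory elements of the state content; remark is optional.
MANDATORY_ELEMENTS = ("state_type", "reason")

# Required data format per item: numeric for the state type, character otherwise.
ELEMENT_FORMATS = {"state_type": int, "reason": str, "remark": str}


@dataclass
class NormativeResult:
    """Outcome of the normative check, with the reasons for a failure."""
    passed: bool
    format_errors: List[str] = field(default_factory=list)
    content_errors: List[str] = field(default_factory=list)


def _is_numeric(value: Any) -> bool:
    # bool is a subclass of int in Python; a flag is not a numeric state type.
    return isinstance(value, int) and not isinstance(value, bool)


def check_data_format(state: Dict[str, Any]) -> List[str]:
    """Data-format check: every filled-in item has the data type the spec requires."""
    errors: List[str] = []
    for key, expected in ELEMENT_FORMATS.items():
        if key not in state or state[key] is None:
            continue  # absence is a content question, handled in check_content
        value = state[key]
        ok = _is_numeric(value) if expected is int else isinstance(value, str)
        if not ok:
            wanted = "numeric" if expected is int else "character"
            errors.append(f"{key}: expected {wanted} data, got {type(value).__name__}")
    unknown = set(state) - set(ELEMENT_FORMATS)
    if unknown:
        errors.append(f"unexpected items: {sorted(unknown)}")
    return errors


def check_content(state: Dict[str, Any]) -> List[str]:
    """Content check: mandatory elements are filled in and carry an attribute value."""
    errors: List[str] = []
    for key in MANDATORY_ELEMENTS:
        if key not in state:
            errors.append(f"{key}: mandatory element not filled in")
        elif state[key] is None or state[key] == "":
            errors.append(f"{key}: mandatory element filled in but attribute value missing")
    st = state.get("state_type")
    if _is_numeric(st) and st not in STATE_TYPE_VALUES:
        errors.append(f"state_type: attribute value {st} is not one of {sorted(STATE_TYPE_VALUES)}")
    return errors


def normative_check(state: Dict[str, Any]) -> NormativeResult:
    """Run both checks; normative verification passes only if both pass."""
    fmt = check_data_format(state)
    content = check_content(state)
    return NormativeResult(passed=not fmt and not content,
                           format_errors=fmt, content_errors=content)


# Constructed sample records (not taken from the patent).
SAMPLES = {
    "valid_x": {"state_type": 1, "reason": "vulnerability code repaired", "remark": "ticket 42"},
    "format_bad": {"state_type": "1", "reason": "vulnerability code repaired"},
    "reason_missing": {"state_type": 2},
    "reason_empty": {"state_type": 2, "reason": ""},
    "type_out_of_range": {"state_type": 3, "reason": "globally filtered, false positive"},
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        result = normative_check(record)
        print(name, "PASS" if result.passed else "FAIL",
              result.format_errors + result.content_errors)
```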
In an optional embodiment of the present invention, the verification includes correctness verification, and verifying the vulnerability processing state includes: performing vulnerability detection on the false-positive problem code corresponding to a false-positive state in the vulnerability processing state, and determining whether the vulnerability scanning result corresponding to the false-positive problem code is a false-positive result.
The false-positive state may be a state indicating that the problem code in the vulnerability scanning result does not have a vulnerability; the state types of the vulnerability processing state include the false-positive state. The false-positive problem code may be the vulnerability code whose processing result is the false-positive state. The false-positive result may be a verification result confirming that the false-positive state is correct.
Specifically, the false-positive problem code corresponding to the false-positive state can be inspected for the characteristics of the vulnerability identified by the vulnerability scanning result. If those characteristics exist, the vulnerability detection result is that the vulnerability exists, and the vulnerability scanning result is not a false-positive result; if they do not exist, the vulnerability detection result is that the vulnerability does not exist, and the vulnerability scanning result is a false-positive result.
According to this scheme, vulnerability detection is performed on the false-positive problem code corresponding to the false-positive state in the vulnerability processing state, and whether the corresponding vulnerability scanning result is a false-positive result is determined. The correctness of the false-positive state is thereby verified, a second verification of the vulnerability processing information is realized, misjudgment of the false-positive state and omission of real vulnerabilities are avoided, and the accuracy of vulnerability processing is further improved.
In an optional embodiment of the present invention, performing vulnerability detection on the problem code corresponding to the false-positive state in the vulnerability processing state and determining whether the corresponding vulnerability scanning result is a false-positive result includes: acquiring the false-positive problem code and the false-positive context corresponding to the false-positive state in the vulnerability processing information; detecting whether the false-positive problem code and the false-positive context have the characteristics of the vulnerability scanning result corresponding to the false-positive problem code; if so, determining the vulnerability scanning result corresponding to the false-positive problem code to be a vulnerability detection result; and if not, determining the vulnerability scanning result of the false-positive problem code to be a false-positive result.
The false-positive context may be the context information of the false-positive problem code. The characteristics of the vulnerability scanning result may be the characteristics of the vulnerability identified by the vulnerability scanning result; if they exist, it is determined that the false-positive problem code does have a vulnerability. Optionally, the vulnerability scanning result may be characterized by a partial code segment of the problem code in the vulnerability scanning result. For example, the characteristics of the vulnerability scanning result may include: a close code segment in the finally block of the problem code corresponding to an Unreleased resource vulnerability, a global filtering code segment in the false-positive context corresponding to a Cross-Site Scripting vulnerability, or a character escaping code segment in the false-positive context of the Cross-Site Scripting vulnerability.
Specifically, the second verification submodel may be used to detect whether the characteristics of the vulnerability corresponding to the vulnerability scanning result exist in the false-positive problem code and the false-positive context. If they exist, the vulnerability scanning result of the false-positive problem code is determined not to be a false-positive result, which is to say that the false-positive problem code has a vulnerability; if they do not exist, the vulnerability scanning result of the false-positive problem code is determined to be a false-positive result, which is to say that the false-positive problem code does not have a vulnerability.
According to this scheme, acquiring the false-positive problem code together with the false-positive context corresponding to the false-positive state enlarges the range of code to be detected and improves the comprehensiveness of correctness detection. By detecting whether the false-positive problem code and the false-positive context have the characteristics of the vulnerability scanning result corresponding to the false-positive problem code, the vulnerability scanning result is determined to be a vulnerability detection result if they do and a false-positive result if they do not.
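A rule-based stand-in for the second verification submodel, as an added Python example (not the patent's code). It inspects a false-positive problem code together with its false-positive context for the code segments the patent lists as decision features: a close call in a finally block (Unreleased resource), and a global filter or character escaping (Cross-Site Scripting). The example assumes that when such a segment is present the characteristic of the reported vulnerability is absent, so the false-positive state is confirmed, and that when it is missing the finding is kept as a vulnerability detection result; the record fields, the regular expressions, the `manual_review` outcome for unknown types and the Java-style sample snippets are all constructed for this example.

```python
"""Correctness check of a false-positive state (rule-based stand-in for the
patent's second verification submodel). Added example, not the patent's code.

Assumption of this example: the listed code segments (close in finally,
global filter, escaping) refute the reported vulnerability, so their presence
confirms the false-positive state; their absence keeps the finding as a
vulnerability detection result. Field names, patterns and samples are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class FalsePositiveRecord:
    vuln_type: str      # vulnerability type named by the scanning result
    problem_code: str   # code segment the scanner flagged
    context: str        # surrounding code: the false-positive context


# finally { ... x.close( ... }  : the resource is released on every path.
_CLOSE_IN_FINALLY = re.compile(r"finally\s*\{[^}]*\.close\s*\(", re.S)
# A servlet filter mapped to every request, i.e. a global filter (constructed heuristic).
_GLOBAL_FILTER = re.compile(r'@WebFilter\s*\(\s*"?/\*"?\s*\)|urlPatterns\s*=\s*\{?\s*"/\*"', re.S)
# An explicit character-escaping call on the value before output (constructed heuristic).
_ESCAPE_CALL = re.compile(r"\b(escapeHtml4?|htmlEscape|encodeForHTML)\s*\(")


def _combined(rec: FalsePositiveRecord) -> str:
    # The patent widens the inspected range to problem code plus context.
    return rec.problem_code + "\n" + rec.context


def unreleased_resource_mitigated(rec: FalsePositiveRecord) -> bool:
    """True if a close call sits inside a finally block."""
    return bool(_CLOSE_IN_FINALLY.search(_combined(rec)))


def xss_mitigated(rec: FalsePositiveRecord) -> bool:
    """True if a global filter or an escaping call is present."""
    text = _combined(rec)
    return bool(_GLOBAL_FILTER.search(text) or _ESCAPE_CALL.search(text))


# One feature rule per vulnerability type the patent names.
FEATURE_CHECKS: Dict[str, Callable[[FalsePositiveRecord], bool]] = {
    "Unreleased resource": unreleased_resource_mitigated,
    "Cross-Site Scripting": xss_mitigated,
}


def correctness_check(rec: FalsePositiveRecord) -> str:
    """Return 'false_positive_result' when the mitigating segment is present,
    'vulnerability_detection_result' when it is missing, and 'manual_review'
    when no feature rule exists for the type (this example's own choice)."""
    check = FEATURE_CHECKS.get(rec.vuln_type)
    if check is None:
        return "manual_review"
    return "false_positive_result" if check(rec) else "vulnerability_detection_result"


# Constructed Java-style samples (not from the patent).
SAMPLE_RECORDS = {
    "stream_closed_in_finally": FalsePositiveRecord(
        "Unreleased resource",
        "FileInputStream in = new FileInputStream(path);",
        "try {\n  read(in);\n} finally {\n  if (in != null) in.close();\n}",
    ),
    "stream_never_closed": FalsePositiveRecord(
        "Unreleased resource",
        "FileInputStream in = new FileInputStream(path);",
        "read(in);\nreturn;",
    ),
    "xss_escaped": FalsePositiveRecord(
        "Cross-Site Scripting",
        "out.println(name);",
        'String name = escapeHtml4(request.getParameter("name"));',
    ),
    "xss_global_filter": FalsePositiveRecord(
        "Cross-Site Scripting",
        'out.println(request.getParameter("q"));',
        '@WebFilter("/*")\npublic class XssFilter implements Filter { /* ... */ }',
    ),
    "xss_raw": FalsePositiveRecord(
        "Cross-Site Scripting",
        'out.println(request.getParameter("q"));',
        "PrintWriter out = response.getWriter();",
    ),
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"{name}: {correctness_check(rec)}")
```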
In an optional embodiment of the present invention, the verifying the vulnerability processing information corresponding to the vulnerability scanning result according to the vulnerability scanning result and the corresponding vulnerability processing information to obtain a vulnerability repair verification result specifically includes: inputting the vulnerability scanning result and the corresponding vulnerability processing information into a pre-trained verification model to obtain a vulnerability repairing verification result; the verification model is obtained based on training of a training sample, and the training sample comprises a vulnerability scanning result of the sample code, vulnerability processing information corresponding to the vulnerability scanning result of the sample code and a vulnerability repairing verification result of the vulnerability scanning result of the sample code.
The verification model may include a linear regression model, a logistic regression model, a decision tree model, a perceptron model, a convolutional neural network model, or the like.
The verification model can be obtained by acquiring training samples, inputting them into an untrained model and training it. The training samples may include: the vulnerability scanning result of the sample code, the vulnerability processing information corresponding to the vulnerability scanning result of the sample code, and the vulnerability repair verification result of the vulnerability scanning result of the sample code. The sample code may be vulnerability code whose corresponding vulnerability processing information has been manually verified, and the vulnerability repair verification result of the sample code may be the result of that manual repair verification.
Specifically, when the vulnerability processing information is verified, the vulnerability scanning result and the corresponding vulnerability processing information can be input into a pre-trained verification model, and the verification model verifies the vulnerability processing information to obtain a vulnerability repairing verification result.
According to the method and the device, the vulnerability scanning result and the corresponding vulnerability processing information are input into the pre-trained verification model to obtain the vulnerability repairing verification result, and the vulnerability processing information corresponding to the vulnerability scanning result is directly verified through the verification model, so that the accuracy of the verification of the vulnerability processing result is improved, and the efficiency of the verification of the vulnerability processing result is further improved.
In an optional embodiment of the present invention, the bug scanning result and the corresponding bug processing information are input to a pre-trained verification model to obtain a bug fixing verification result, which is specifically as follows: acquiring the operation performance of a service system for operating a service code, and determining service operation constraint information of the service code; inputting the vulnerability scanning result, the corresponding vulnerability processing information and the service operation constraint information of the service code into a pre-trained verification model to obtain a vulnerability repairing verification result; the training samples also include business execution constraint information for the sample code.
The operational performance may be a performance parameter of the operation of the business system in which the business code is located. The service operation constraint information may be constraint condition information of the service system when the service code is operated.
The vulnerability scanning result of the sample code, vulnerability processing information corresponding to the vulnerability scanning result of the sample code, the vulnerability repairing and checking result of the sample code and the service operation constraint information of the sample code can be input into an untrained model, and the model is trained to obtain a checking model.
Specifically, when the vulnerability processing information is verified, the vulnerability scanning result, the vulnerability processing information corresponding to the vulnerability scanning result and the service operation constraint information of the service code can be input into a pre-trained verification model, and the verification model verifies the vulnerability processing information to obtain a vulnerability repairing verification result.
According to the scheme, the business operation constraint information of the business system is introduced, the business operation constraint information of the business system is also used as the input information of the verification model, the operation performance of the business system is considered, and the accuracy of the verification model for bug fixing verification is further improved.
In an optional embodiment of the invention, the method further comprises: when the bug fixing verification result is successful, acquiring a false alarm problem code corresponding to a false alarm state in a bug processing state; detecting the accuracy of the alternative vulnerability scanning software according to the false alarm problem codes; screening to obtain target vulnerability scanning software according to each accuracy detection result; and optimizing the vulnerability scanning system according to the information related to the target vulnerability scanning software and the information related to the false alarm problem codes.
The vulnerability scanning system can comprise a plurality of vulnerability scanning software. Vulnerability scanning software has limitations in the vulnerability scanning process, and false reports of vulnerability scanning results may be generated. Accuracy detection results may include accurate and inaccurate. The alternative vulnerability scanning software can be all software which can carry out vulnerability scanning in the vulnerability scanning system. The target vulnerability scanning software may be the vulnerability scanning software whose accuracy detection result for scanning the false positive problem code is accurate. The information associated with the target vulnerability scanning software may include identification information of the target vulnerability scanning software. The identification information of the target vulnerability scanning software can uniquely determine the target vulnerability scanning software. The information associated with the false positive problem code may include the false positive problem code and a false positive context.
Specifically, when the bug fixing verification result is successful verification, a false alarm problem code is obtained; the false alarm problem code can be detected through each alternative vulnerability scanning software, and the accuracy detection result of each alternative vulnerability scanning software is determined according to its detection result. If the detection result shows that no bug exists, the accuracy detection result of the alternative bug scanning software is accurate; if the detection result is that the vulnerability exists, the accuracy detection result of the alternative vulnerability scanning software is inaccurate. The alternative vulnerability scanning software whose accuracy detection result is accurate is determined as the target vulnerability scanning software. The mapping relation between the information related to the target vulnerability scanning software and the information related to the false alarm problem code can be established and stored in the vulnerability scanning system. When the vulnerability scanning system scans service code which is the same as or similar to the false alarm problem code, the vulnerability scanning system can automatically select the accurate vulnerability scanning software to scan the service code.
According to the scheme, when the bug fixing verification result is successful, the accuracy of the alternative bug scanning software is verified by utilizing the false alarm problem codes, the target bug scanning software is screened according to the accuracy verification result, the bug scanning system is optimized according to the information related to the target bug scanning software and the information related to the false alarm problem codes, the accuracy of the bug scanning system is improved by utilizing the false alarm problem codes corresponding to the bug fixing verification result, and the capability of the bug scanning system for resisting bugs is further improved.
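The following Python example is added here to illustrate the scanner-selection step above; it is not code from the patent or from its applicant. It assumes two constructed regex-based scanners standing in for the "alternative vulnerability scanning software", a constructed false-alarm code sample, and a fingerprint (string literals, whitespace and case normalised, then hashed) as the notion of "same or similar" service code; all of these are assumptions of the example.

```python
import hashlib
import re
from typing import Callable, Dict, List

# A scanner is modelled as a callable returning True when it reports a
# vulnerability in the given code. Both regex scanners below are constructed
# stand-ins for "alternative vulnerability scanning software"; they are not
# real products and their rules are deliberately simple.
Scanner = Callable[[str], bool]


def _scanner_naive(code: str) -> bool:
    # Flags any '+' on a line that carries a SQL keyword (prone to false alarms).
    return re.search(r"(SELECT|INSERT|UPDATE|DELETE)[^\n]*\+", code, re.I) is not None


def _scanner_aware(code: str) -> bool:
    # Only flags a '+' whose right-hand operand starts like an identifier,
    # i.e. concatenation of a non-literal value into the statement.
    return re.search(r"(SELECT|INSERT|UPDATE|DELETE)[^\n]*\+\s*[A-Za-z_]", code, re.I) is not None


SCANNERS: Dict[str, Scanner] = {"scanner-A": _scanner_naive, "scanner-B": _scanner_aware}

# Constructed false-alarm problem code: a literal-only concatenation that no
# external value can reach, marked as a false alarm by the O&M user and
# confirmed by the verification step.
FALSE_POSITIVE_CODE = 'query = "SELECT * FROM t WHERE id = " + "1"'
FALSE_POSITIVE_CONTEXT = "both operands are string literals; no user input reaches the query"


def fingerprint(code: str) -> str:
    """Fingerprint used to recognise 'same or similar' code: string-literal
    contents, whitespace and case are normalised away before hashing."""
    normalised = re.sub(r'"[^"]*"', '""', code)
    normalised = re.sub(r"\s+", "", normalised).lower()
    return hashlib.sha256(normalised.encode()).hexdigest()


def detect_accuracy(fp_code: str, scanners: Dict[str, Scanner]) -> Dict[str, bool]:
    """A scanner is 'accurate' for a confirmed false alarm iff it reports no
    vulnerability in that code."""
    return {name: not scan(fp_code) for name, scan in scanners.items()}


def select_target_scanners(fp_code: str, scanners: Dict[str, Scanner]) -> List[str]:
    """Screen the scanners whose accuracy detection result is 'accurate'."""
    return sorted(name for name, accurate in detect_accuracy(fp_code, scanners).items() if accurate)


def build_mapping(fp_code: str, fp_context: str, scanners: Dict[str, Scanner]) -> Dict[str, dict]:
    """Mapping stored in the scanning system: false-alarm fingerprint ->
    identifiers of the target scanners plus the false-alarm context."""
    return {fingerprint(fp_code): {"targets": select_target_scanners(fp_code, scanners),
                                   "false_positive_context": fp_context}}


def choose_scanner(code: str, mapping: Dict[str, dict], default: str) -> str:
    """Pick the scanner for new service code: a recorded target scanner when
    the code matches a known false-alarm fingerprint, otherwise the default."""
    entry = mapping.get(fingerprint(code))
    if entry and entry["targets"]:
        return entry["targets"][0]
    return default


if __name__ == "__main__":
    mapping = build_mapping(FALSE_POSITIVE_CODE, FALSE_POSITIVE_CONTEXT, SCANNERS)
    print(detect_accuracy(FALSE_POSITIVE_CODE, SCANNERS))
    print(choose_scanner('query = "SELECT name FROM users WHERE id = " + "7"', mapping, "scanner-A"))
```

The fingerprint is intentionally coarse: it only needs to match code whose shape equals the recorded false alarm, and a miss simply falls back to the default scanner rather than suppressing any finding.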
Fig. 2 is a flowchart of a vulnerability processing result verification method according to an embodiment of the present invention. On the basis of the foregoing embodiment, after obtaining the bug fix verification result, the present embodiment further adds: acquiring the operation performance of a service system for operating a service code, and determining service operation constraint information of the service code; acquiring a problem code corresponding to a vulnerability scanning result which fails to be verified; and when the problem codes corresponding to the vulnerability scanning results which fail to be verified meet the service operation constraint information, correcting the vulnerability repairing and verifying results of the vulnerability scanning results which fail to be verified into successful verification.
Referring to fig. 2, the vulnerability processing result verification method includes:
S210, acquiring a vulnerability scanning result obtained by scanning the vulnerability scanning system aiming at the service code.
S220, acquiring the vulnerability processing information obtained after the operation and maintenance user processes the vulnerability scanning result, wherein the vulnerability processing information comprises a vulnerability processing state.
S230, verifying the vulnerability processing information corresponding to the vulnerability scanning result according to the vulnerability scanning result and the corresponding vulnerability processing information to obtain a vulnerability repairing and verifying result; the verification includes at least one of: normative verification, correctness verification and repair result verification.
S240, when the bug fixing verification result is that the verification fails, sending repairing information to the operation and maintenance user so that the operation and maintenance user can process the bug scanning result corresponding to the repairing information.
S250, obtaining the operation performance of the service system for operating the service code, and determining the service operation constraint information of the service code.
The operational performance may be a performance parameter of the operation of the business system in which the business code is located. The service operation constraint information may be constraint condition information of the service system when the service code is operated. For example, the service operation constraint information may include information such as the occupied space of the service code and the operation speed of the service system. For example, the service operation constraint information may be that the occupied space of the service code is less than 100MB.
Specifically, the condition that the service system needs to meet in terms of operation performance can be judged according to the operation performance of the service system, and then the service operation constraint information is determined.
S260, acquiring a problem code corresponding to the vulnerability scanning result which fails to be verified.
The problem code may be a code obtained after the operation and maintenance user processes the vulnerability scanning result. Optionally, the problem codes may include false positive problem codes and repair problem codes.
Specifically, the code obtained after the operation and maintenance user processes the vulnerability scanning result which fails to be verified can be obtained as the problem code corresponding to that vulnerability scanning result.
S270, when the problem codes corresponding to the vulnerability scanning results which fail to be verified meet the business operation constraint information, correcting the vulnerability repairing and verifying results of the vulnerability scanning results which fail to be verified into successful verification.
Specifically, if the problem code corresponding to the bug scanning result which fails in the verification meets the service operation constraint information, the problem code can be understood to meet the requirements of the service system on the service code, and therefore, the bug fixing verification result of the bug scanning result which fails in the verification can be corrected to be successful in the verification.
Optionally, if the problem code is a false-positive problem code, and when the false-positive problem code corresponding to the vulnerability scanning result that fails to be verified meets the service operation constraint information, the false-positive problem code is considered to be a false positive indeed, the vulnerability code corresponding to the vulnerability scanning result does not have a vulnerability, and the verification failure is corrected to be verification success.
Optionally, if the problem code is a repair problem code, when the repair problem code corresponding to the bug scanning result that fails to be verified meets the service operation constraint information, the repair problem code is considered to be repaired according to the repair mode required by the service system, and it can be understood that the repair problem code has been completely repaired, so that the use requirement of the service system can be met, and the verification failure is corrected to be successful.
In an optional embodiment of the present invention, when the problem code corresponding to the successfully verified bug scanning result does not satisfy the service operation constraint information, the bug fixing verification result of the successfully verified bug scanning result is modified to be verification failure.
Specifically, if the problem code corresponding to the successfully verified bug scanning result does not meet the service operation constraint information, it can be understood that the problem code does not meet the requirements of the service system for the service code, and therefore, the bug fixing verification result of the successfully verified bug scanning result can be corrected to be verification failure.
Optionally, if the problem code is a false-positive problem code, when the false-positive problem code corresponding to the successfully verified bug scanning result does not satisfy the service operation constraint information, the false-positive problem code is not a false positive, it can be understood that the bug code corresponding to the bug scanning result has a bug, and the successful verification is corrected to be a verification failure.
Optionally, if the problem code is a repair problem code, when the repair problem code corresponding to the successfully verified bug scanning result does not satisfy the service operation constraint information, the repair problem code has not been repaired according to the repair mode required by the service system; it can be understood that the repair problem code has not been rectified and cannot meet the use requirement of the service system, and the bug fixing verification result of the successfully verified bug scanning result is modified to be verification failure.
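The following Python example is added to illustrate steps S250 to S270 and the two optional corrections described above; it is not code from the patent or its applicant. The 100MB bound on the occupied space of the service code is the page's own example; the throughput rule (the problem code must sustain at least 80% of the service system's measured baseline), the `kind` field distinguishing false-positive problem code from repair problem code, and the result strings are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class ServiceConstraints:
    """Service operation constraint information (constructed schema)."""
    max_code_size_mb: float      # occupied space of the service code must stay below this
    min_ops_per_second: float    # operation speed the service system requires


@dataclass(frozen=True)
class ProblemCode:
    """Problem code as handed back by the O&M user (constructed schema)."""
    kind: str                    # "false_positive" or "repair" (assumed labels)
    size_mb: float               # measured occupied space of the code
    ops_per_second: float        # measured operation speed with this code in place


def derive_constraints(operation_performance: dict) -> ServiceConstraints:
    """S250: derive constraint information from the service system's measured
    operation performance. 100MB is the page's example bound; the 80% of
    baseline throughput rule is an assumption of this example."""
    return ServiceConstraints(
        max_code_size_mb=100.0,
        min_ops_per_second=0.8 * operation_performance["baseline_ops_per_second"],
    )


def satisfies(code: ProblemCode, constraints: ServiceConstraints) -> bool:
    """Does the problem code meet the service operation constraint information?"""
    return (code.size_mb < constraints.max_code_size_mb
            and code.ops_per_second >= constraints.min_ops_per_second)


def recheck(result: str, code: ProblemCode, constraints: ServiceConstraints) -> Tuple[str, str]:
    """S270 and the optional reverse correction: re-examine a bug fixing
    verification result ("success" or "failure") against the constraints.
    Returns the corrected result and a short reason."""
    ok = satisfies(code, constraints)
    fp = code.kind == "false_positive"
    if result == "failure" and ok:
        # problem code meets the service system's requirements: failure -> success
        return "success", ("false positive confirmed" if fp
                           else "repair meets service requirements")
    if result == "success" and not ok:
        # problem code does not meet the requirements: success -> failure
        return "failure", ("not a false positive, vulnerability remains" if fp
                           else "repair does not meet service requirements")
    return result, "unchanged"


if __name__ == "__main__":
    constraints = derive_constraints({"baseline_ops_per_second": 1000.0})
    print(recheck("failure", ProblemCode("repair", 42.0, 950.0), constraints))
    print(recheck("success", ProblemCode("false_positive", 120.0, 950.0), constraints))
```

Keeping the reason string alongside the corrected result matters operationally: a verification result that flips from failure to success on constraint grounds should be auditable later, since the repair was accepted on performance criteria rather than on a direct re-scan.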
According to the technical scheme of the embodiment of the invention, the operation performance of the service system for operating the service code is obtained, and the service operation constraint information of the service code is determined; the problem code corresponding to the vulnerability scanning result which fails to be verified is obtained; and when that problem code meets the service operation constraint information, the vulnerability repairing verification result of the vulnerability scanning result which fails to be verified is corrected to be successful verification. By introducing the service operation constraint information and using it to recheck the vulnerability repairing verification result, the actual requirements of the service system on vulnerability processing are considered, the vulnerability processing result verification is more targeted, and the adaptability of the vulnerability processing result verification to the service system is improved.
In the present invention, reference may be made to the description of the foregoing embodiments for details not described in the embodiments.
Fig. 3 is a flowchart of a vulnerability processing result verification method according to an embodiment of the present invention. On the basis of the foregoing embodiment, this embodiment implements the verification as repair result verification and verifies the problem code corresponding to the bug scanning result, which is implemented as: acquiring a repair problem code corresponding to a rectification state in the vulnerability processing state; and detecting whether the repair problem code has been rectified.
Referring to fig. 3, the vulnerability processing result verification method includes:
S310, acquiring a vulnerability scanning result obtained by scanning the vulnerability scanning system aiming at the service code.
S320, acquiring the vulnerability processing information obtained after the operation and maintenance user processes the vulnerability scanning result, wherein the vulnerability processing information comprises a vulnerability processing state.
S330, acquiring a repair problem code corresponding to the rectification state in the bug processing state according to the bug scanning result and the corresponding bug processing information, and detecting whether the repair problem code is rectified to obtain a bug repair checking result; the verification comprises repairing result verification.
The rectification state can be used for representing that the problem code corresponding to the bug scanning result has a bug and that the problem code has been rectified. The repair problem code may be the result of processing the corresponding bug code in the rectification state.
Specifically, whether the repair problem code contains the characteristics of the bug corresponding to the bug scanning result can be detected. If the repair problem code contains the characteristics of the bug corresponding to the bug scanning result, the repair problem code still has the bug and has not been rectified; if the repair problem code does not contain the characteristics of the bug corresponding to the bug scanning result, the bug does not exist in the repair problem code, and the repair problem code has been rectified.
S340, when the bug fixing verification result is that the verification fails, sending repairing information to the operation and maintenance user so that the operation and maintenance user can process the bug scanning result corresponding to the repairing information.
According to the technical scheme of the embodiment of the invention, the repair problem code corresponding to the rectification state in the bug processing state is obtained and detected to determine whether the repair problem code has been rectified, so that the detection of the repair result of the repair problem code is realized and the detection efficiency of the bug processing information is improved.
In an optional embodiment of the present invention, detecting whether the repair problem code is modified is embodied as: acquiring a bug type of a repair problem code from a bug scanning result; inquiring target characteristics corresponding to the bug types of the repair problem codes in a bug database; and detecting whether target characteristics exist in the repair problem codes and the repair context, wherein the target characteristics comprise repair characteristics and/or vulnerability characteristics.
The vulnerability database is used for storing target characteristics of different vulnerability types. Specifically, the target characteristics corresponding to the vulnerability type in the vulnerability database can be queried according to the vulnerability type. Optionally, the vulnerability database may also be used as input information of the verification model or the third verification sub-model.
The repair context may be context information for repairing problem code. The target features may include fix features and/or vulnerability features. The repairing characteristics can be characteristics of codes obtained by repairing the bug codes, namely characteristics of repairing problem codes. The vulnerability characteristics may be characteristics of the existence of the vulnerability code.
Optionally, according to vulnerability information in the vulnerability scanning result, vulnerability characteristics corresponding to the repair problem codes are determined, the repair problem codes and the repair context are detected, whether vulnerability characteristics exist is judged, if yes, the repair problem codes are not modified, and the vulnerabilities are not repaired; if no bug features exist, the fix problem code is rectified.
Optionally, the repair characteristics corresponding to the repair problem codes may be determined according to the vulnerability information in the vulnerability scanning result and the corresponding vulnerability processing information. Detecting the repair problem codes and the repair context, judging whether repair characteristics exist or not, and if the repair characteristics exist, modifying the repair problem codes; if the repair characteristics do not exist, the repair problem code is not rectified, and the bug is not repaired.
Optionally, the vulnerability characteristics and the repair characteristics corresponding to the repair problem code may be determined according to the vulnerability information in the vulnerability scanning result and the corresponding vulnerability processing information. The repair problem code and the repair context are detected, and whether one of the vulnerability characteristics and the repair characteristics exists is judged. The judgment according to the vulnerability characteristics and the repair characteristics is the same as described above.
According to the scheme, the target characteristics are quickly queried through the vulnerability database, which increases the speed of detecting the repair result and further increases the efficiency of verifying the vulnerability processing information; whether target features exist in the repair problem code and the repair context is detected, the target features are embodied as repair features and/or bug features, and by detecting the repair features and/or bug features, whether the repair problem code has been rectified is detected, which further improves the efficiency of bug processing information verification.
In an optional embodiment of the present invention, after obtaining the bug fix verification result, the method further includes: when the bug fixing verification result is successful, acquiring the bug type, the bug code and the repair problem code corresponding to the rectification state in the bug processing state; in the vulnerability database, querying the repair characteristics and vulnerability characteristics of the vulnerability type corresponding to the rectification state; updating the vulnerability characteristics of the vulnerability type corresponding to the rectification state according to the vulnerability code corresponding to the rectification state; and updating the repair characteristics of the bug type corresponding to the rectification state according to the repair problem code corresponding to the rectification state.
The bug codes and the repair problem codes are results before and after processing the bug codes respectively.
Specifically, when the bug fix verification result is that verification is successful, it can be understood that the fix problem code has been modified. At this time, the bug type, bug code and repair problem code corresponding to the rectification state can be obtained. In the vulnerability database, the repair characteristics and vulnerability characteristics corresponding to the vulnerability type can be inquired according to the vulnerability type corresponding to the rectification state. And updating the vulnerability characteristics of the vulnerability type according to the characteristics of the vulnerability codes corresponding to the rectification state. And updating the repairing characteristics of the bug type according to the characteristics of the repairing problem codes corresponding to the correcting state, thereby realizing the updating of the bug database.
According to the scheme, after the bug fixing verification result is successful, the bug type, the bug code and the fixing problem code corresponding to the rectification state in the bug processing state are obtained; in a vulnerability database, inquiring the repair characteristics and vulnerability characteristics of the vulnerability type corresponding to the rectification state; updating the vulnerability characteristics of the vulnerability types corresponding to the rectification state according to the vulnerability codes corresponding to the rectification state; and updating the repair features of the bug types corresponding to the rectification state according to the repair problem codes corresponding to the rectification state, so that the bug database is updated, data in the bug database are increased, and the accuracy of detecting the target features according to the bug database is improved.
In an optional embodiment of the present invention, detecting whether target features exist in the repair problem code and the repair context further comprises: when the vulnerability type is empty, sending a rectification detection request to a manual processing module so that an operation and maintenance user can detect whether the repair problem code has been rectified; or calling a bug scanning system to carry out bug repairing scanning on the repair problem code to obtain a bug repairing scanning result, and detecting whether a bug exists in the repair problem code.
The vulnerability type being null can be understood as no corresponding vulnerability type being found in the vulnerability database. The operation and maintenance user can be an operation and maintenance person who performs rectification detection on the repair problem code. The vulnerability scanning system can be a system for detecting vulnerabilities in the business code and generating vulnerability scanning results. The bug repairing scanning result refers to the result obtained by detecting bugs in the repair problem code.
Specifically, when the vulnerability type is empty, a rectification detection request can be sent to the operation and maintenance user by using the manual processing module, and the operation and maintenance user detects the repair problem code; or a bug scanning system is called to scan the repair problem code to obtain a bug repairing scanning result. If the bug repairing scanning result indicates that no bug exists, the repair problem code has been rectified; if the bug repairing scanning result indicates that a bug exists, the repair problem code has not been rectified.
After the operation and maintenance user or the bug scanning system detects the repaired problem codes, if the bug repair verification result is verification success, the bug codes, the features corresponding to the bug codes, the repaired problem codes and the features corresponding to the repaired problem codes are added to a bug database.
According to the scheme, when the vulnerability type is empty, a rectification detection request is sent to the manual processing module so that an operation and maintenance user can detect whether the repair problem code has been rectified; or a bug scanning system is called to carry out bug repairing scanning on the repair problem code to obtain a bug repairing scanning result and detect whether a bug exists in the repair problem code. Through manual processing and the vulnerability scanning system, detection of the repair problem code is achieved even when the vulnerability type is empty, and the fault tolerance of the verification of vulnerability processing information is improved.
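The following Python example is added to illustrate the repair result verification described in the last several paragraphs: querying target features by vulnerability type, detecting vulnerability and repair features in the repair problem code and its repair context, the fallback when the vulnerability type is empty, and updating the vulnerability database after a successful verification. It is not code from the patent or its applicant. The database schema, the regex patterns under the three type names the page lists later (SQL injection, password management, cross-site scripting), the rule that a vulnerability feature outweighs a repair feature, and the diff-based feature extraction used for the update are all assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class FeatureEntry:
    """Target features stored per vulnerability type (constructed schema)."""
    vulnerability_features: List[str] = field(default_factory=list)  # regexes: bug still present
    repair_features: List[str] = field(default_factory=list)         # regexes: expected fix present


# Constructed vulnerability database. Type names follow the page; the
# patterns are illustrative, not the patent's.
VULN_DB: Dict[str, FeatureEntry] = {
    "sql_injection": FeatureEntry(
        vulnerability_features=[r'execute\(\s*"[^"]*"\s*\+', r'execute\(\s*f"'],
        repair_features=[r'execute\([^,]+,\s*\('],          # parameterised call
    ),
    "password_management": FeatureEntry(
        vulnerability_features=[r'password\s*=\s*"[^"]+"'],  # hard-coded secret
        repair_features=[r'os\.environ|getenv\('],
    ),
    "xss": FeatureEntry(
        vulnerability_features=[r'innerHTML\s*='],
        repair_features=[r'textContent\s*='],
    ),
}


def detect_rectified(repair_code: str, repair_context: str, vuln_type: Optional[str],
                     db: Dict[str, FeatureEntry],
                     scanner: Optional[Callable[[str], bool]] = None) -> str:
    """Return 'rectified', 'not_rectified' or 'manual_review'.

    Vulnerability features are checked before repair features, so code that
    carries both (a fix at one call site, the bug left at another) is still
    reported as not rectified (a design choice of this example)."""
    entry = db.get(vuln_type) if vuln_type else None
    if entry is None:
        # Vulnerability type empty: no target features to query. Fall back to
        # the scanning system when one is supplied, else to manual processing.
        if scanner is None:
            return "manual_review"
        return "not_rectified" if scanner(repair_code) else "rectified"
    text = repair_code + "\n" + repair_context
    if any(re.search(p, text) for p in entry.vulnerability_features):
        return "not_rectified"
    if any(re.search(p, text) for p in entry.repair_features):
        return "rectified"
    return "not_rectified"  # neither feature found: do not assume the fix landed


def update_db(db: Dict[str, FeatureEntry], vuln_type: str,
              vuln_code: str, repair_code: str) -> FeatureEntry:
    """After a successful verification, extend the type's features from the
    confirmed bug code and repair problem code. Constructed extraction: only
    lines that changed between the two versions become features, so shared
    boilerplate lines cannot later be mistaken for a bug or a fix."""
    entry = db.setdefault(vuln_type, FeatureEntry())
    before = {ln.strip() for ln in vuln_code.splitlines() if ln.strip()}
    after = {ln.strip() for ln in repair_code.splitlines() if ln.strip()}
    for line in sorted(before - after):
        pat = re.escape(line)
        if pat not in entry.vulnerability_features:
            entry.vulnerability_features.append(pat)
    for line in sorted(after - before):
        pat = re.escape(line)
        if pat not in entry.repair_features:
            entry.repair_features.append(pat)
    return entry


# Constructed sample input: the bug code and the O&M user's repair of it.
UNREPAIRED = 'cursor.execute("SELECT * FROM users WHERE id = " + user_id)'
REPAIRED = 'cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))'
CONTEXT = "def get_user(user_id):\n    conn = sqlite3.connect(DB_PATH)"

if __name__ == "__main__":
    print(detect_rectified(REPAIRED, CONTEXT, "sql_injection", VULN_DB))    # rectified
    print(detect_rectified(UNREPAIRED, CONTEXT, "sql_injection", VULN_DB))  # not_rectified
    print(detect_rectified(REPAIRED, CONTEXT, None, VULN_DB))               # manual_review
```

The same feature check, applied to the false-alarm problem code and its context with the vulnerability features only, is what the correctness verification's false-alarm subunits described later need, so a production implementation would share this routine between the two checks.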
In an optional embodiment of the present invention, querying, in a vulnerability database, a target feature corresponding to a vulnerability type of a fix problem code includes: acquiring service operation constraint information of a service code; and according to the business operation constraint information, inquiring target characteristics corresponding to the bug type of the repair problem code in a bug database.
Specifically, when the target feature corresponding to the bug type of the repair problem code is queried in the bug database, the service operation constraint information of the service code may be obtained, and the target feature corresponding to the bug type of the repair problem code queried in the bug database is further screened through the service operation constraint information, so as to obtain the target feature meeting the service operation constraint information.
According to the scheme, the service operation constraint information of the service codes is obtained, the target characteristics corresponding to the bug types of the repair problem codes are inquired in the bug database according to the service operation constraint information, the target characteristics corresponding to the bug types are further screened according to the service operation constraint information, the repair problem codes and the repair context are detected according to the screened target characteristics, and the efficiency of detection of the repair result is further improved.
Fig. 4 is a scene diagram of a vulnerability processing result verification method according to an embodiment of the present invention. Referring to fig. 4, the vulnerability processing result verification method includes:
Step I, obtaining a scanning result.
As shown in fig. 4, a vulnerability scanning result generated by the vulnerability scanning system is obtained.
Step II, identifying the auditing behavior and the auditing flow.
As shown in fig. 4, the audit behavior may include marking the vulnerability processing state of the vulnerability scanning result and generating the result after the vulnerability code is repaired. The audit flow may include the number of times the vulnerability scanning result has been audited.
Step III, learning and analyzing.
As shown in fig. 4, the vulnerability types in the false alarm state can be classified manually, and the characteristics of the vulnerability scanning results corresponding to those vulnerability types can be identified to analyze the false alarm state; the reasons for repeated flow audits can be analyzed manually, the normative problems of the bug processing state and the problem of repair problem code that has not been completely rectified are analyzed, the data formats and contents of the bug processing state which do not pass the normative detection are determined, and the bug characteristics of repair problem code that has not been completely rectified are determined; meanwhile, the repair characteristics of repair problem code that has been completely rectified are analyzed. The vulnerability scanning result and the corresponding vulnerability processing information are input into the model, the model is trained, and the model is corrected manually according to the repair verification result of the vulnerability processing information until the verification model is obtained through training.
Wherein, the vulnerability type may include: SQL (Structured Query Language) injection class, password management class, and cross-site scripting attack class.
Step IV, automatic auditing.
As shown in fig. 4, according to the trained verification model, the automatic audit of the vulnerability processing information in the above embodiment may be implemented.
According to the scheme, the repairing and checking results of the vulnerability processing information are analyzed and learned, so that the training of the checking model is realized, and the automatic auditing process of the vulnerability processing information is realized through the checking model.
In the present invention, reference may be made to the description of the foregoing embodiments for details not described in this embodiment.
Fig. 5 is a schematic structural diagram of a vulnerability processing result verification apparatus according to an embodiment of the present invention. The apparatus is applicable to verifying the vulnerability processing result without human intervention; it can execute the vulnerability processing result verification method, can be realized in hardware and/or software, and can be configured in electronic equipment, particularly in a client.
Referring to fig. 5, the apparatus for verifying the result of vulnerability processing includes: the vulnerability scanning result obtaining module 510, the vulnerability processing information obtaining module 520, the vulnerability processing information verification module 530 and the repairing information sending module 540. Wherein:
a vulnerability scanning result obtaining module 510, configured to obtain a vulnerability scanning result obtained by scanning the service code by the vulnerability scanning system;
the vulnerability processing information acquisition module 520 is configured to acquire the vulnerability processing information obtained after the operation and maintenance user processes the vulnerability scanning result, where the vulnerability processing information includes the result after vulnerability code repair and the vulnerability processing state;
the vulnerability processing information verification module 530 is configured to verify the vulnerability processing information corresponding to the vulnerability scanning result according to the vulnerability scanning result and the corresponding vulnerability processing information to obtain a vulnerability repairing verification result; the verification includes at least one of: normative verification, correctness verification and repair result verification;
and the repairing information sending module 540 is configured to send repairing information to the operation and maintenance user when the bug fixing verification result is verification failure, so that the operation and maintenance user processes the bug scanning result corresponding to the repairing information.
According to the technical scheme of the embodiment of the invention, the vulnerability scanning result obtained by scanning the service code by the vulnerability scanning system is obtained; the vulnerability processing information obtained after the operation and maintenance user processes the vulnerability scanning result is obtained, wherein the vulnerability processing information comprises a vulnerability processing state; the vulnerability processing information corresponding to the vulnerability scanning result is verified according to the vulnerability scanning result and the corresponding vulnerability processing information to obtain a vulnerability repairing verification result, and the verification comprises at least one of normative verification, correctness verification and repair result verification; and when the bug fixing verification result is verification failure, repairing information is sent to the operation and maintenance user so that the operation and maintenance user processes the bug scanning result corresponding to the repairing information. By automatically checking the vulnerability processing information, the automation of the vulnerability processing result checking is completed, the efficiency of the vulnerability processing result checking is improved, and the safety and the stability of the system are ensured.
In an optional embodiment of the present invention, after obtaining the bug fix verification result, the apparatus further includes: the operation performance acquisition module is used for acquiring the operation performance of a service system for operating the service codes and determining operation constraint information of the service codes; the problem code acquisition module is used for acquiring a problem code corresponding to a vulnerability scanning result which fails to be verified; and the bug fixing and checking result modifying module is used for modifying the bug fixing and checking result of the bug scanning result which fails to be checked into successful checking when the problem code corresponding to the bug scanning result which fails to be checked meets the service operation constraint information.
In an optional embodiment of the present invention, the checking includes a normative checking, and the vulnerability handling information checking module 530 includes: and the standardized detection unit is used for carrying out standardized detection on the data format and the content of the vulnerability processing state.
In an optional embodiment of the present invention, the verification includes correctness verification, and the vulnerability processing information verification module 530 includes: a false-positive result determination unit, configured to perform vulnerability detection on the false-positive problem code corresponding to the false-positive state in the vulnerability processing state, and determine whether the vulnerability scanning result corresponding to the false-positive problem code is a false-positive result.
In an optional embodiment of the invention, the false-positive result determination unit includes: a false-positive problem code acquisition subunit, configured to acquire the false-positive problem code and the false-positive context corresponding to the false-positive state in the vulnerability processing information; a false-positive problem code detection subunit, configured to detect whether the false-positive problem code and the false-positive context exhibit the features of the vulnerability scanning result corresponding to the false-positive problem code; a vulnerability detection result determination subunit, configured to determine, if they do, that the vulnerability scanning result corresponding to the false-positive problem code is a vulnerability detection result; and a false-positive result determination subunit, configured to determine, if they do not, that the vulnerability scanning result of the false-positive problem code is a false-positive result.
In an optional embodiment of the present invention, the verification includes repair result verification, and the vulnerability processing information verification module 530 includes: a repair problem code acquisition unit, configured to acquire the repair problem code corresponding to the rectification state in the vulnerability processing state; and a repair problem code detection unit, configured to detect whether the repair problem code has been rectified.
In an optional embodiment of the present invention, the repair problem code detection unit includes: a vulnerability type acquisition subunit, configured to acquire the vulnerability type of the repair problem code from the vulnerability scanning result; a target feature query subunit, configured to query a vulnerability database for the target features corresponding to the vulnerability type of the repair problem code; and a target feature detection subunit, configured to detect whether the target features exist in the repair problem code and the repair context, where the target features include repair features and/or vulnerability features.
In an optional embodiment of the present invention, after the target feature detection subunit obtains the bug fix verification result, the target feature detection subunit is further specifically configured to: when the bug fixing verification result is successful, acquiring a bug type, a bug code and a fixing problem code corresponding to the rectification state in the bug processing state; in a vulnerability database, inquiring the repair characteristics and vulnerability characteristics of the vulnerability type corresponding to the rectification state; updating the vulnerability characteristics of the vulnerability types corresponding to the rectification state according to the vulnerability codes corresponding to the rectification state; and updating the repair characteristics of the bug type corresponding to the rectification state according to the repair problem codes corresponding to the rectification state.
In an optional embodiment of the present invention, the target feature querying subunit is specifically configured to: acquiring service operation constraint information of a service code; and according to the business operation constraint information, inquiring target characteristics corresponding to the bug type of the repair problem code in a bug database.
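As an added illustration of the verification branches described for module 530 above (the normalization check of the processing state, the correctness check that re-detects a vulnerability in code claimed to be a false positive, the repair result check against repair and vulnerability features looked up by vulnerability type, the feature update after a verified repair, and the repair information returned on failure), the following Python is example code written for this page; it is not code from the patent or its applicant. The state names, the regex "features" in the vulnerability database and the sample findings are all constructed assumptions; a production system would derive its features from the real scanner's rule set rather than hand-written regexes.

```python
import re
from collections import namedtuple

# Processing states an ops user may assign (assumed names; the patent names only
# a false-positive state and a rectification state).
VALID_STATES = {"false_positive", "rectified", "pending"}

# Constructed vulnerability database: per vulnerability type, regexes for the
# vulnerable pattern (vulnerability features) and for an acceptable fix (repair
# features). Illustrative signatures, not a real scanner's rules.
VULN_DB = {
    "sql_injection": {
        "vuln_features": [r'execute\(\s*f["\']',            # f-string query
                          r'execute\([^,]*["\']\s*[%+]'],    # "..." % p or "..." + p
        "repair_features": [r'execute\([^,]*,\s*[(\[{]'],   # parameterised call
    },
    "weak_hash": {
        "vuln_features": [r'hashlib\.(md5|sha1)\('],
        "repair_features": [r'hashlib\.(sha256|sha512|sha3_256|blake2b)\('],
    },
}

ScanResult = namedtuple("ScanResult", "finding_id vuln_type problem_code")
# code: repaired line, or the line claimed to be a false positive; context: nearby lines
ProcessingInfo = namedtuple("ProcessingInfo", "finding_id state code context", defaults=("", ""))

def _any_match(patterns, *texts):
    return any(re.search(p, t) for p in patterns for t in texts)

def check_normalization(info):
    # Data format and content of the processing state must be well formed.
    if info.state not in VALID_STATES:
        return False, f"unknown processing state {info.state!r}"
    if info.state != "pending" and not info.code.strip():
        return False, f"no code supplied for state {info.state}"
    return True, "ok"

def check_correctness(scan, info):
    # A false-positive claim holds only if the vulnerability features are absent
    # from the flagged code and its context.
    if _any_match(VULN_DB[scan.vuln_type]["vuln_features"], info.code, info.context):
        return False, "vulnerability features still present; not a false positive"
    return True, "false positive confirmed"

def check_repair(scan, info):
    # A rectification claim holds only if the vulnerability features are gone
    # and a known repair feature is present in the repaired code or its context.
    feats = VULN_DB[scan.vuln_type]
    if _any_match(feats["vuln_features"], info.code, info.context):
        return False, "vulnerability features still present"
    if not _any_match(feats["repair_features"], info.code, info.context):
        return False, "no known repair feature found"
    return True, "repair confirmed"

def verify(scan, info):
    # Returns (ok, reason): the vulnerability repair verification result.
    ok, reason = check_normalization(info)
    if ok and info.state == "false_positive":
        ok, reason = check_correctness(scan, info)
    elif ok and info.state == "rectified":
        ok, reason = check_repair(scan, info)
    elif ok:
        ok, reason = False, "finding is still pending"
    return ok, reason

def update_vuln_db(scan, info, db=VULN_DB):
    # After a verified repair, learn the exact vulnerable and repaired lines as
    # extra features for that vulnerability type.
    entry = db[scan.vuln_type]
    for key, text in (("vuln_features", scan.problem_code), ("repair_features", info.code)):
        pat = re.escape(text.strip())
        if pat not in entry[key]:
            entry[key].append(pat)

def repair_notices(results):
    # Repair information returned to the ops user for every failed verification.
    return [f"{fid}: {reason}" for fid, (ok, reason) in results.items() if not ok]

# Constructed sample findings and the ops user's processing records.
SAMPLE_SCANS = {
    "F-1": ScanResult("F-1", "sql_injection", 'cur.execute("SELECT * FROM t WHERE id=%s" % uid)'),
    "F-2": ScanResult("F-2", "weak_hash", "digest = hashlib.md5(pw).hexdigest()"),
    "F-3": ScanResult("F-3", "weak_hash", "digest = hashlib.md5(data).hexdigest()"),
    "F-4": ScanResult("F-4", "sql_injection", "cur.execute(query)"),
    "F-5": ScanResult("F-5", "weak_hash", "digest = hashlib.sha1(blob).hexdigest()"),
}
SAMPLE_INFO = [
    ProcessingInfo("F-1", "rectified", 'cur.execute("SELECT * FROM t WHERE id=%s", (uid,))'),
    ProcessingInfo("F-2", "rectified", "digest = hashlib.md5(pw).hexdigest()  # TODO"),
    ProcessingInfo("F-3", "false_positive", "digest = hashlib.md5(data).hexdigest()",
                   "# checksum used only as a cache key"),
    ProcessingInfo("F-4", "false_positive", "cur.execute(query)", 'query = "SELECT 1"'),
    ProcessingInfo("F-5", "fp"),   # malformed state: fails the normalization check
]

def run_sample():
    results = {}
    for info in SAMPLE_INFO:
        scan = SAMPLE_SCANS[info.finding_id]
        results[info.finding_id] = verify(scan, info)
        if results[info.finding_id][0] and info.state == "rectified":
            update_vuln_db(scan, info)
    return results
```

Running `run_sample()` passes F-1 (parameterised query replaces string formatting) and F-4 (the flagged line carries none of the injection features), and fails F-2 (md5 still present), F-3 (an md5 call is still an md5 call, whatever the comment says, so the false-positive claim is rejected and the reviewer decides) and F-5 (malformed state); `repair_notices` collects the three failures for the ops user. Only a verified repair feeds `update_vuln_db`, so the feature set cannot be polluted by unverified claims.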
In an optional embodiment of the present invention, the vulnerability processing information verification module 530 includes: a verification model verification unit, configured to input the vulnerability scanning result and the corresponding vulnerability processing information into a pre-trained verification model to obtain the vulnerability repair verification result; the verification model is trained on training samples, each including a vulnerability scanning result of sample code, the vulnerability processing information corresponding to that vulnerability scanning result, and the vulnerability repair verification result of that vulnerability scanning result.
In an optional embodiment of the present invention, the verification model verification unit is specifically configured to: acquire the operation performance of the service system that runs the service code and determine service operation constraint information of the service code; and input the vulnerability scanning result, the corresponding vulnerability processing information and the service operation constraint information of the service code into the pre-trained verification model to obtain the vulnerability repair verification result; the training samples also include service operation constraint information of the sample code.
In an optional embodiment of the invention, the apparatus further comprises: the false alarm problem code acquisition module is used for acquiring a false alarm problem code corresponding to a false alarm state in the bug processing state when the bug fixing and checking result is that the checking is successful; the alternative vulnerability scanning software detection module is used for detecting the accuracy of alternative vulnerability scanning software according to the false alarm problem codes; the target vulnerability scanning software screening module is used for screening target vulnerability scanning software according to each accuracy detection result; and the vulnerability scanning system optimization module is used for optimizing the vulnerability scanning system according to the information related to the target vulnerability scanning software and the information related to the false alarm problem codes.
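The scanner screening step in the preceding paragraph, as an added Python example that is not part of the patent: candidate scanners are scored on findings whose status has already been settled by verification (confirmed vulnerabilities and confirmed false-positive problem codes), the candidate with the lowest false-positive rate that still meets a recall floor is selected, and the confirmed false-positive lines become a suppression list for the scanning system. The scanner names, the labelled lines and the recall threshold are constructed assumptions.

```python
from collections import namedtuple

# A line whose true status was settled by verification:
# is_vulnerable=True for a confirmed vulnerability, False for a confirmed false positive.
LabeledCode = namedtuple("LabeledCode", "code is_vulnerable")

# Constructed ground truth (from verified findings) and constructed outputs of
# three candidate scanners, each given as the set of labelled lines it flags.
LABELED = [
    LabeledCode("hashlib.md5(data)  # cache key", False),
    LabeledCode("hashlib.md5(password)", True),
    LabeledCode("cur.execute(q % uid)", True),
    LabeledCode("cur.execute(q, (uid,))", False),
    LabeledCode("eval('1 + 1')", False),
    LabeledCode("yaml.load(doc)", True),
]
CANDIDATES = {
    "scanner_a": {c.code for c in LABELED},                       # flags everything
    "scanner_b": {"hashlib.md5(password)", "cur.execute(q % uid)",
                  "yaml.load(doc)", "eval('1 + 1')"},
    "scanner_c": {"hashlib.md5(password)", "cur.execute(q % uid)"},
}

def accuracy(flagged, labeled):
    # Recall on confirmed vulnerabilities and false-positive rate on confirmed FPs.
    vulns = [c for c in labeled if c.is_vulnerable]
    fps = [c for c in labeled if not c.is_vulnerable]
    recall = sum(c.code in flagged for c in vulns) / len(vulns)
    fp_rate = sum(c.code in flagged for c in fps) / len(fps)
    return {"recall": recall, "fp_rate": fp_rate}

def screen_scanners(candidates, labeled, min_recall=0.9):
    # Pick the lowest false-positive rate among candidates that still detect at
    # least min_recall of the confirmed vulnerabilities; a scanner that is quiet
    # because it misses real findings is not an improvement, so None if none qualify.
    scores = {name: accuracy(flagged, labeled) for name, flagged in candidates.items()}
    eligible = [n for n, s in scores.items() if s["recall"] >= min_recall]
    if not eligible:
        return None, scores
    return min(eligible, key=lambda n: scores[n]["fp_rate"]), scores

def suppression_list(labeled):
    # Confirmed false-positive lines the selected scanner should stop reporting.
    return sorted(c.code for c in labeled if not c.is_vulnerable)
```

With the constructed data, `scanner_a` and `scanner_b` both keep full recall, so `scanner_b` wins on its lower false-positive rate; `scanner_c` has no false positives but misses a confirmed vulnerability and is only chosen if the recall floor is lowered.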
The vulnerability processing result verification device provided by the embodiment of the invention can execute the vulnerability processing result verification method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
For details not described in this embodiment, reference may be made to the description of the foregoing embodiments.
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. FIG. 6 illustrates a block diagram of an exemplary device suitable for use to implement embodiments of the present invention. The device shown in fig. 6 is only an example and should not bring any limitation to the function and the scope of use of the embodiments of the present invention.
As shown in FIG. 6, electronic device 12 is embodied in the form of a general purpose computing device. The components of electronic device 12 may include, but are not limited to: one or more processors or processing units 16, a system memory 28, and a bus 18 that couples various system components including the system memory 28 and the processing unit 16.
Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Electronic device 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by electronic device 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30 and/or cache memory (cache 32). The electronic device 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 6, and commonly referred to as a "hard drive"). Although not shown in FIG. 6, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 18 by one or more data media interfaces. System memory 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored, for example, in system memory 28, such program modules 42 including but not limited to an operating system, one or more application programs, other program modules, and program data, each of which or some combination of which may comprise an implementation of a network environment. Program modules 42 generally carry out the functions and/or methodologies of embodiments described herein.
Electronic device 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), with one or more devices that enable a user to interact with electronic device 12, and/or with any devices (e.g., network card, modem, etc.) that enable electronic device 12 to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface 22. Also, the electronic device 12 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet) via the network adapter 20. As shown, the network adapter 20 communicates with other modules of the electronic device 12 via the bus 18. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with electronic device 12, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, to name a few.
The processing unit 16 executes various functional applications and data processing by running a program stored in the system memory 28, for example, to implement the vulnerability processing result verification method provided by the embodiment of the present invention.
The embodiment of the present invention further provides a computer-readable storage medium, on which a computer program (or referred to as a computer-executable instruction) is stored, where the computer program is used to execute the vulnerability processing result verification method provided by the embodiment of the present invention when the computer program is executed by a processor.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for embodiments of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++, or a conventional procedural programming language such as the "C" language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The embodiment of the present invention further provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the method for verifying the result of vulnerability processing provided in any embodiment of the present invention is implemented.
The computer program code of the computer program product for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. Those skilled in the art will appreciate that the present invention is not limited to the particular embodiments described herein, and that various obvious changes, rearrangements and substitutions will now be apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (16)

1. A vulnerability processing result verification method is characterized by comprising the following steps:
acquiring a vulnerability scanning result obtained by scanning the service code by a vulnerability scanning system;
acquiring operation and maintenance users to process the vulnerability scanning result to obtain vulnerability processing information corresponding to the vulnerability scanning result, wherein the vulnerability processing information comprises a vulnerability processing state;
verifying the vulnerability processing information corresponding to the vulnerability scanning result according to the vulnerability scanning result and the corresponding vulnerability processing information to obtain a vulnerability repairing verification result; the verification includes at least one of: checking normalization, correctness and repair result;
and when the bug repairing verification result is verification failure, sending repairing information to the operation and maintenance user so that the operation and maintenance user processes the bug scanning result corresponding to the repairing information.
2. The method of claim 1, after obtaining the bug fix verification result, further comprising:
acquiring the operation performance of a service system for operating the service code, and determining service operation constraint information of the service code;
acquiring a problem code corresponding to a vulnerability scanning result which fails to be verified;
and when the problem code corresponding to the vulnerability scanning result which fails to be verified meets the service operation constraint information, correcting the vulnerability repairing and verifying result of the vulnerability scanning result which fails to be verified into verification success.
3. The method of claim 1, wherein the verifying comprises normative verifying, and wherein the verifying the vulnerability handling state comprises:
and carrying out standardized detection on the data format and the content of the vulnerability processing state.
4. The method of claim 1, wherein the checking comprises correctness checking, and wherein the checking the vulnerability handling status comprises:
and carrying out vulnerability detection on the false alarm problem codes corresponding to the false alarm state in the vulnerability processing state, and determining whether the vulnerability scanning result corresponding to the false alarm problem codes is the false alarm result.
5. The method of claim 4, wherein the performing vulnerability detection on the false positive problem codes corresponding to the false positive state in the vulnerability processing state to determine whether the vulnerability scanning result corresponding to the false positive problem codes is a false positive result comprises:
acquiring a false alarm problem code and a false alarm context corresponding to a false alarm state in the vulnerability processing information;
detecting whether the false-positive problem code and the false-positive context have the characteristics of a bug scanning result corresponding to the false-positive problem code;
if so, determining a vulnerability scanning result corresponding to the false alarm problem code as a vulnerability detection result;
and if not, determining that the vulnerability scanning result of the false alarm problem code is a false alarm result.
6. The method of claim 1, wherein the checking comprises checking the repair result, and checking the problem code corresponding to the bug scanning result comprises:
acquiring a repair problem code corresponding to the rectification state in the vulnerability processing state;
detecting whether the repair problem code is rectified.
7. The method of claim 6, wherein the detecting whether the fix-up problem code is rectified comprises:
acquiring the bug type of the repair problem code from the bug scanning result;
inquiring target characteristics corresponding to the bug types of the repair problem codes in a bug database;
and detecting whether target characteristics exist in the repair problem codes and the repair context, wherein the target characteristics comprise repair characteristics and/or vulnerability characteristics.
8. The method of claim 7, after obtaining the bug fix verification result, further comprising:
when the bug fixing verification result is successful, acquiring a bug type, a bug code and a fixing problem code corresponding to the rectification state in the bug processing state;
in the vulnerability database, inquiring the repair characteristics and vulnerability characteristics of the vulnerability type corresponding to the rectification state;
updating the vulnerability characteristics of the vulnerability types corresponding to the rectification state according to the vulnerability codes corresponding to the rectification state;
and updating the repair characteristics of the vulnerability types corresponding to the rectification state according to the repair problem codes corresponding to the rectification state.
9. The method of claim 7, wherein querying the vulnerability database for target features corresponding to the vulnerability type of the fix issue code comprises:
acquiring service operation constraint information of the service code;
and inquiring target characteristics corresponding to the bug types of the repair problem codes in a bug database according to the service operation constraint information.
10. The method according to claim 1, wherein the verifying vulnerability processing information corresponding to the vulnerability scanning result according to the vulnerability scanning result and the corresponding vulnerability processing information to obtain a vulnerability repair verification result comprises:
inputting the vulnerability scanning result and the corresponding vulnerability processing information into a pre-trained verification model to obtain a vulnerability repairing verification result; the verification model is obtained based on training of a training sample, and the training sample comprises a vulnerability scanning result of a sample code, vulnerability processing information corresponding to the vulnerability scanning result of the sample code and a vulnerability repairing verification result of the vulnerability scanning result of the sample code.
11. The method of claim 10, wherein the inputting the vulnerability scanning results and the corresponding vulnerability processing information into a pre-trained verification model to obtain vulnerability fix verification results comprises:
acquiring the operation performance of a service system for operating the service code, and determining service operation constraint information of the service code;
inputting the vulnerability scanning result, the corresponding vulnerability processing information and the service operation constraint information of the service code into a pre-trained verification model to obtain a vulnerability repairing verification result; the training sample also includes service operation constraint information of the sample code.
12. The method of claim 1, further comprising:
when the bug fixing verification result is successful, acquiring a false alarm problem code corresponding to a false alarm state in the bug processing state;
detecting the accuracy of the alternative vulnerability scanning software according to the false alarm problem codes;
screening to obtain target vulnerability scanning software according to each accuracy detection result;
and optimizing the vulnerability scanning system according to the information related to the target vulnerability scanning software and the information related to the false alarm problem codes.
13. A vulnerability processing result verification apparatus, comprising:
a vulnerability scanning result acquisition module, configured to acquire a vulnerability scanning result obtained by scanning the service code with a vulnerability scanning system;
a vulnerability processing information acquisition module, configured to acquire the processing of the vulnerability scanning result by an operation and maintenance user to obtain vulnerability processing information corresponding to the vulnerability scanning result;
a vulnerability processing information verification module, configured to verify the vulnerability processing information corresponding to the vulnerability scanning result according to the vulnerability scanning result and the corresponding vulnerability processing information to obtain a vulnerability repair verification result; the verification includes at least one of: normalization verification, correctness verification and repair result verification;
and the repair information sending module is used for sending repair information to the operation and maintenance user when the bug repair verification result is a verification failure, so that the operation and maintenance user processes the bug scanning result corresponding to the repair information.
14. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor when executing the computer program implements the vulnerability processing result verification method of any of claims 1-12.
15. A computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the vulnerability processing result verification method according to any of claims 1-12.
16. A computer program product comprising a computer program, wherein the computer program, when executed by a processor, implements the vulnerability processing result verification method of any of claims 1-12.
CN202211542197.2A 2022-12-02 2022-12-02 Vulnerability processing result checking method and device, electronic equipment and storage medium Pending CN115758389A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211542197.2A CN115758389A (en) 2022-12-02 2022-12-02 Vulnerability processing result checking method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115758389A true CN115758389A (en) 2023-03-07

Family

ID=85342915

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211542197.2A Pending CN115758389A (en) 2022-12-02 2022-12-02 Vulnerability processing result checking method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115758389A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117235744A (en) * 2023-11-14 2023-12-15 中关村科学城城市大脑股份有限公司 Source file online method, device, electronic equipment and computer readable medium
CN117235744B (en) * 2023-11-14 2024-02-02 中关村科学城城市大脑股份有限公司 Source file online method, device, electronic equipment and computer readable medium

Similar Documents

Publication Publication Date Title
CN111240994B (en) Vulnerability processing method and device, electronic equipment and readable storage medium
CN109684847B (en) Automatic repairing method, device, equipment and storage medium for script loopholes
CN111475370A (en) Operation and maintenance monitoring method, device and equipment based on data center and storage medium
CN111814203B (en) Method, device and equipment for processing environmental data and storage medium
CN113469857A (en) Data processing method and device, electronic equipment and storage medium
CN115758389A (en) Vulnerability processing result checking method and device, electronic equipment and storage medium
US11386499B2 (en) Car damage picture angle correction method, electronic device, and readable storage medium
CN110471912B (en) Employee attribute information verification method and device and terminal equipment
CN116383833A (en) Method and device for testing software program code, electronic equipment and storage medium
CN113992348B (en) Monitoring method and system of all-in-one machine
CN113254250B (en) Database server abnormal cause detection method, device, equipment and storage medium
CN113126955A (en) Random data generation method and device, intelligent terminal and storage medium
US7434132B2 (en) Method and system of configuring a software program
CN115658620B (en) Data authorization sharing method and system based on big data
CN110231921B (en) Log printing method, device, equipment and computer readable storage medium
CN115016929A (en) Data processing method, device, equipment and storage medium
CN114064489A (en) Automatic testing method, device, equipment and readable storage medium
US20240121234A1 (en) Ascertaining an Evaluation of a Data Set
CN115795488B (en) Code detection system and code detection method
CN115712662B (en) Method, system, device and medium for verifying house source information
CN116773746B (en) Data recording system and method of smoke component analyzer
CN116560819B (en) RPA-based batch automatic operation method, system, equipment and storage medium
US20230013470A1 (en) Autonomic detection and correction of artificial intelligence model drift
CN117238423A (en) Method, system, equipment and medium for uploading virus detection result
CN118132451A (en) Automatic test and error diagnosis system and method for computer operating system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination