CN116610583A - SCA tool maturity evaluation method, SCA tool maturity evaluation device, SCA tool maturity evaluation equipment, SCA tool maturity evaluation medium and SCA tool maturity evaluation product - Google Patents


Info

Publication number
CN116610583A
Authority
CN
China
Prior art keywords
evaluation
maturity
level
sca
target
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310648067.5A
Other languages
Chinese (zh)
Inventor
安辉
曾凯
耿少羽
邹晓鸥
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Industrial and Commercial Bank of China Ltd (ICBC)
Priority to CN202310648067.5A
Publication of CN116610583A
Legal status: Pending (current)

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00: Error detection; Error correction; Monitoring
    • G06F 11/36: Preventing errors by testing or debugging software
    • G06F 11/3668: Software testing


Abstract

The application relates to an SCA tool maturity evaluation method, apparatus, computer device, storage medium and computer program product. The method comprises the following steps: acquiring a plurality of evaluation indexes for the SCA tool, wherein each evaluation index comprises a plurality of sub-evaluation indexes, and the evaluation indexes are used for evaluating the detection capability of the SCA tool on software; dividing each sub-evaluation index into a first preset number of evaluation grades based on the detection capability corresponding to each sub-evaluation index; and detecting target software by using the SCA tool, determining the evaluation grade corresponding to each sub-evaluation index in the detection result, and scoring the maturity of the SCA tool based on the evaluation grades. According to the method provided by the application, whether the SCA tool currently used by an enterprise can meet the enterprise's software detection requirements can be determined from the maturity score of the SCA tool, and the evaluation indexes that do not meet the requirements can be identified from the grade corresponding to each sub-evaluation index, so that the enterprise is guided in updating the SCA tool.

Description

SCA tool maturity evaluation method, SCA tool maturity evaluation device, SCA tool maturity evaluation equipment, SCA tool maturity evaluation medium and SCA tool maturity evaluation product
Technical Field
The application relates to the technical field of software detection, in particular to an SCA tool maturity evaluation method, an SCA tool maturity evaluation device, SCA tool maturity evaluation computer equipment, an SCA tool maturity evaluation storage medium and an SCA tool maturity evaluation computer program product.
Background
An SCA tool (Software Composition Analysis tool) analyzes an application during the software development process to detect whether its open source components have known vulnerabilities and whether it contains commercial software or third-party products that require proper license authorization. The third-party open source components used in the software can thus be identified rapidly and accurately; potential security vulnerabilities and license information in the software are then identified through association analysis, the associated risk is judged comprehensively and remediation suggestions for the associated risk are given; finally, relying on the SBOM (software bill of materials) inventory capability, the enterprise can establish comprehensive and continuous security operation over its internal software assets.
Because there are many SCA tools, choosing which SCA tool a development team should use in order to consume open source software safely throughout the software development lifecycle is important. Currently the industry lacks a method for comparing and evaluating SCA tools, and cannot determine whether the SCA tool currently used by an enterprise meets the enterprise's software analysis requirements.
Disclosure of Invention
In view of the foregoing, there is a need for a method, apparatus, computer device, computer readable storage medium, and computer program product for evaluating the maturity of a SCA tool that can determine whether the SCA tool used by an enterprise can meet the needs of the enterprise for software analysis.
In a first aspect, the present application provides a method for evaluating the maturity of a SCA tool, the method comprising:
acquiring multiple evaluation indexes aiming at an SCA tool, wherein each evaluation index comprises multiple sub-evaluation indexes, and the evaluation indexes are used for evaluating the detection capability of the SCA tool to software, and comprise detection configuration, a detection range of open source software, detection accuracy of the open source software, early warning capability, integrated deployment capability and a detection range of an open source component information knowledge base;
dividing each sub-evaluation index into a first preset number of evaluation grades based on the detection capability corresponding to each sub-evaluation index;
and detecting target software by using the SCA tool, determining the evaluation grade corresponding to each sub-evaluation index in the detection result, and scoring the maturity of the SCA tool based on the evaluation grades.
In one embodiment, said scoring the maturity of the SCA tools based on said evaluation level comprises:
sequentially determining the first target index number of the sub-evaluation indexes corresponding to each evaluation level in the detection result according to the sequence from small to large of the detection capability corresponding to each evaluation level;
for each evaluation level, determining the sum of the first target index number of the evaluation level and the first target index number of all evaluation levels with detection capability smaller than the evaluation level as the second target index number of the evaluation level;
determining a reference index number of each evaluation level based on the total number of sub-evaluation indexes and the order;
and scoring the maturity of the SCA tool based on the second target index number and the reference index number.
In one embodiment, the determining the number of reference indicators for each rating level based on the total number of sub-rating indicators and the order includes:
determining the sequence number of each evaluation level;
and determining the product of the total number and the sequence number as the number of the reference indexes of the corresponding evaluation level.
In one embodiment, said scoring the maturity of the SCA tools based on said second target number of indicators and said reference number of indicators comprises:
Determining a maturity score corresponding to each evaluation level based on a ratio between the second target index number and the reference index number for each evaluation level;
judging whether the maturity scores corresponding to each evaluation level reach a preset score value in sequence according to the sequence, and determining the last evaluation level in the sequence among the evaluation levels with all the maturity scores reaching the preset score value as a target evaluation level;
and determining a maturity score of the SCA tool based on the target evaluation level and the maturity score of the target evaluation level.
In one embodiment, the determining the maturity score of the SCA tool based on the target rating level and the maturity score of the target rating level comprises:
and determining the sum of the maturity scores of the target evaluation grades, the maturity scores of the evaluation grades before the corresponding order of the target evaluation grades and the maturity scores of the second preset number of evaluation grades after the corresponding order of the target evaluation grades as the maturity score of the SCA tool.
In one embodiment, the determining the evaluation level corresponding to each sub-evaluation index in the detection result includes:
And comparing corresponding result data in the detection result with an evaluation range corresponding to each evaluation level aiming at each sub-evaluation index, and determining the evaluation level corresponding to the evaluation range as the evaluation level corresponding to the sub-evaluation index if the result data is matched with the evaluation range.
In a second aspect, the present application also provides an SCA tool maturity evaluation apparatus, the apparatus comprising:
the system comprises an acquisition module, a control module and a control module, wherein the acquisition module is used for acquiring various evaluation indexes aiming at an SCA tool, each evaluation index comprises various sub-evaluation indexes, the evaluation indexes are used for evaluating the detection capability of the SCA tool on software, and the evaluation indexes comprise detection configuration, the detection range of the open source software, the detection accuracy of the open source software, early warning capability, integrated deployment capability and the detection range of an open source component information knowledge base;
the dividing module is used for dividing each sub-evaluation index into a first preset number of evaluation grades based on the detection capability corresponding to each sub-evaluation index;
the detection module is used for detecting the target software by using the SCA tool, determining the evaluation grade corresponding to each sub-evaluation index in the detection result, and scoring the maturity of the SCA tool based on the evaluation grades.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor implementing the steps of the method of any of the embodiments described above when the computer program is executed by the processor.
In a fourth aspect, the present application also provides a computer-readable storage medium. A computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the method of any of the embodiments described above.
In a fifth aspect, the present application also provides a computer program product. A computer program product comprising a computer program which, when executed by a processor, implements the steps of the method of any of the embodiments described above.
The SCA tool maturity evaluation method, the SCA tool maturity evaluation device, the SCA tool maturity evaluation computer device, the SCA tool maturity evaluation storage medium and the SCA tool maturity evaluation computer program product acquire various evaluation indexes for the SCA tool, wherein each evaluation index comprises various sub-evaluation indexes, the evaluation indexes are used for evaluating the detection capability of the SCA tool on software, and the evaluation indexes comprise detection configuration, the detection range of the SCA tool on open source software, the detection accuracy of the SCA tool on open source software, early warning capability, integrated deployment capability and the detection range of the SCA tool on an open source component information knowledge base; divide each sub-evaluation index into a first preset number of evaluation grades based on the detection capability corresponding to each sub-evaluation index; and detect target software by using the SCA tool, determine the evaluation grade corresponding to each sub-evaluation index in the detection result, and score the maturity of the SCA tool based on the evaluation grades. According to the method provided by the application, whether the SCA tool currently used by an enterprise can meet the enterprise's software detection requirements can be determined from the maturity score of the SCA tool, and the evaluation indexes that do not meet the requirements can be identified from the grade corresponding to each sub-evaluation index, so that the enterprise is guided in updating the SCA tool.
Drawings
FIG. 1 is a flow diagram of a SCA tool maturity evaluation method according to one embodiment;
FIG. 2 is a flow chart of a method for determining the number of reference indicators in one embodiment;
FIG. 3 is a block diagram of the SCA tool maturity evaluation apparatus in one embodiment;
fig. 4 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
In one embodiment, as shown in fig. 1, a method for evaluating the maturity of an SCA tool is provided. The method is illustrated as applied to a terminal; it is understood that the method may also be applied to a server, or to a system including the terminal and the server, implemented through interaction between the terminal and the server. In this embodiment, the method includes the following steps:
S102, acquiring various evaluation indexes for the SCA tool, wherein each evaluation index comprises various sub-evaluation indexes, and the evaluation indexes are used for evaluating the detection capability of the SCA tool on software, and comprise detection configuration, the detection range of open source software, the detection accuracy of open source software, early warning capability, integrated deployment capability and the detection range of the open source component information knowledge base.
The open source component information knowledge base is used for storing an open source component, an open source code, an open source vulnerability, a permission protocol and a vulnerability restoration guide, wherein the vulnerability restoration guide is an online check positioning function provided by a vulnerability official and manufacturer, and the open source component information knowledge base can also store other data, and the application is not limited in particular.
The SCA tool maturity evaluation method provided by the application evaluates 4 kinds of security capability of the SCA tool: controllability, security, compliance and integrity. The capability characteristics of the 4 security capabilities are shown in table 1.
Table 1:
The 4 kinds of security capability can be refined into 6 kinds of evaluation indexes, and each kind of evaluation index comprises a plurality of sub-evaluation indexes. For example, the detection configuration may include the identification technology, identification mode, programming languages, identified package managers and identified licenses of the SCA tool; the detection range of open source software may include open source components, open source vulnerabilities, license protocols and security audit; the detection accuracy of open source software may include the open source component detection rate, open source component detection accuracy, code segment detection rate, vulnerability detection rate and license protocol detection rate; the early warning capability may include real-time early warning and policy early warning; the integrated deployment capability may include continuous integration and continuous deployment; and the detection range of the open source component information knowledge base may include the open source components, code segments, open source vulnerabilities and license protocols stored in the knowledge base, and the update frequency and update deployment of the knowledge base.
S104, dividing each sub-evaluation index into a first preset number of evaluation grades based on the detection capability corresponding to each sub-evaluation index.
The evaluation grade represents the level reached by the SCA tool on each sub-evaluation index. As shown in table 2, each sub-evaluation index may be divided into 3 grades, L1, L2 and L3, where the detection capability of each grade increases in turn from L1 to L3; the sub-evaluation indexes may also be divided in other ways, which the embodiments of the present application do not particularly limit.
Table 2:
S106, detecting target software by using the SCA tool, determining the evaluation grade corresponding to each sub-evaluation index in the detection result, and scoring the maturity of the SCA tool based on the evaluation grades.
After determining the evaluation grade corresponding to each sub-evaluation index in the detection result, the evaluation grades are sorted by the detection capability corresponding to each grade, the maturity score of each evaluation grade is determined from the sorting result and the evaluation grade corresponding to each sub-evaluation index, and the maturity score of the SCA tool is determined from the maturity scores of the evaluation grades.
In the SCA tool maturity evaluation method, a plurality of evaluation indexes for the SCA tool are obtained, each evaluation index comprises a plurality of sub-evaluation indexes, the evaluation indexes are used for evaluating the detection capability of the SCA tool on software, and the evaluation indexes comprise detection configuration, the detection range of open source software, the detection accuracy of open source software, early warning capability, integrated deployment capability and the detection range of the open source component information knowledge base; each sub-evaluation index is divided into a first preset number of evaluation grades based on the detection capability corresponding to each sub-evaluation index; and target software is detected by using the SCA tool, the evaluation grade corresponding to each sub-evaluation index in the detection result is determined, and the maturity of the SCA tool is scored based on the evaluation grades. According to the method provided by the application, whether the SCA tool currently used by an enterprise can meet the enterprise's software detection requirements can be determined from the maturity score of the SCA tool, and the evaluation indexes that do not meet the requirements can be identified from the grade corresponding to each sub-evaluation index, so that the enterprise is guided in updating the SCA tool.
In some embodiments, scoring the maturity of the SCA tools based on the rating level comprises: sequentially determining the first target index number of the sub-evaluation indexes corresponding to each evaluation level in the detection result according to the sequence from small to large of the detection capability corresponding to each evaluation level; for each evaluation level, determining the sum of the first target index number of the evaluation level and the first target index number of all the evaluation levels with detection capability smaller than the evaluation level as the second target index number of the evaluation level; determining the number of reference indexes of each evaluation level based on the total number and the sequence of the sub-evaluation indexes; the maturity of the SCA tools is scored based on the second target number of indicators and the reference number of indicators.
Wherein the total number of the sub-evaluation indexes refers to the number of all the sub-evaluation indexes included in all the evaluation indexes.
In the step, the maturity of the SCA tool is scored based on the second target index number and the reference index number, so that the detection capability of the SCA tool can be determined more accurately through the maturity scoring, and whether the SCA tool can meet the requirements of enterprises can be judged.
In some embodiments, as shown in fig. 2, determining the number of reference indicators for each rating level based on the total number and order of sub-rating indicators includes:
s202, determining the sequence number of each evaluation level.
The sequential numbers are sequentially given from small to large in order of detectability, and each evaluation level is sequentially given a sequential number from small to large in accordance with a preset rule, for example, sequential numbers of 1, 2, and 3 are sequentially given to the evaluation levels L1, L2, and L3.
S204, determining the product of the total number and the sequence number as the reference index number of the corresponding evaluation level.
Since the order numbers of the evaluation levels are determined in the order of the detection capability, the number of reference indices obtained in this step is also increasing with the increase in the order numbers of the evaluation levels.
In the step, the number of the reference indexes is determined based on the sequence numbers, so that the subsequent scoring of the maturity of the SCA tool can be facilitated.
In some embodiments, scoring the maturity of the SCA tools based on the second target index number and the baseline index number comprises: determining a maturity score corresponding to each evaluation level based on a ratio between the second target index number and the reference index number for each evaluation level; sequentially judging whether the maturity scores corresponding to each evaluation level reach a preset score value or not according to the sequence, and determining the last evaluation level in the sequence among the evaluation levels with all the maturity scores reaching the preset score value as a target evaluation level; the maturity score of the SCA tools is determined based on the target rating level and the maturity score of the target rating level.
For example, the total number of the sub-evaluation indexes is 24, the sequence numbers corresponding to the evaluation grades L1, L2 and L3 are sequentially 1, 2 and 3, the corresponding reference index numbers are sequentially 24, 48 and 72, and according to the detection result, the maturity scores corresponding to the L1 to L3 are sequentially 1.00, 0.73 and 0.54, and the preset score value is 1.00, so that the L1 is the target evaluation grade.
In the step, the maturity score of each evaluation level is determined firstly, and then the maturity score of the SCA tool is determined according to the maturity score of each evaluation level, so that the advantages and disadvantages of the SCA tool capability can be determined more accurately, and the subsequent leak detection and defect repair of the SCA tool are facilitated.
In some embodiments, determining the maturity score of the SCA tools based on the target rating level and the maturity score of the target rating level comprises: and determining the sum of the maturity scores of the target evaluation grades, the maturity scores of the evaluation grades before the corresponding order of the target evaluation grades and the maturity scores of the second preset number of evaluation grades after the corresponding order of the target evaluation grades as the maturity score of the SCA tool.
For example, the maturity scores corresponding to L1 to L3 are sequentially 1.00, 0.73 and 0.54, and the second preset number is 1, and the maturity score of the SCA tool is 1.73.
In the step, the maturity score of the SCA tool is determined according to the target evaluation level and the maturity scores of a plurality of evaluation levels before and after the target evaluation level, so that the capability judgment of the SCA tool is more accurate.
In some embodiments, determining the evaluation level corresponding to each seed evaluation index in the detection result includes: and comparing corresponding result data in the detection result with an evaluation range corresponding to each evaluation level aiming at each sub-evaluation index, and determining the evaluation level corresponding to the evaluation range as the evaluation level corresponding to the sub-evaluation index if the result data is matched with the evaluation range.
The evaluation ranges of each evaluation level corresponding to each sub-evaluation index are shown in tables 3 to 8.
Table 3:
table 4:
table 5:
table 6:
table 7:
table 8:
in the step, based on the matching relation between the result data and the evaluation range, the evaluation grade corresponding to the sub-evaluation index is determined, so that the determined evaluation grade is more accurate.
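The scoring procedure described above (first and second target index numbers, reference index numbers, per-level maturity scores, target evaluation level and final tool score), together with the matching of each sub-evaluation index's result data against its evaluation ranges, as an added Python example that is not part of the patent text. It assumes the reading under which the "first target index number" of a level is the count of sub-evaluation indexes whose detection result reaches at least that level; the constructed distribution of 13, 7 and 4 sub-indexes at L1, L2 and L3 reproduces the page's own figures (reference index numbers 24, 48 and 72; maturity scores 1.00, 0.73 and 0.54; a tool score of 1.73 with a preset score value of 1.00 and a second preset number of 1). The evaluation ranges for the detection-rate sub-index are constructed here and are not taken from tables 3 to 8.

```python
"""Added worked example of the SCA tool maturity scoring procedure (not patent code)."""

LEVELS = 3            # first preset number of evaluation grades: L1, L2, L3
PRESET_SCORE = 1.00   # preset score value a level must reach to count as achieved
SECOND_PRESET = 1     # levels after the target level whose scores are added in

# Constructed evaluation ranges (inclusive, in percent) for a detection-rate
# sub-evaluation index, one (low, high) pair per level L1..L3. Not from the page.
DETECTION_RATE_RANGES = [(60.0, 79.99), (80.0, 94.99), (95.0, 100.0)]


def level_for(result, ranges):
    """Compare result data with each level's evaluation range and return the
    matching level's sequence number (1-based), or 0 when no range matches."""
    for seq, (low, high) in enumerate(ranges, start=1):
        if low <= result <= high:
            return seq
    return 0


def first_target_counts(levels, n_levels=LEVELS):
    """First target index number per level: how many sub-evaluation indexes
    reach at least that level (an index at L3 also satisfies L1 and L2)."""
    return [sum(1 for lv in levels if lv >= k) for k in range(1, n_levels + 1)]


def second_target_counts(first):
    """Second target index number: the level's own first target count plus the
    first target counts of every level with smaller detection capability."""
    out, running = [], 0
    for count in first:
        running += count
        out.append(running)
    return out


def reference_counts(total, n_levels=LEVELS):
    """Reference index number: total sub-index count times the level's sequence number."""
    return [total * seq for seq in range(1, n_levels + 1)]


def level_scores(levels, n_levels=LEVELS):
    """Maturity score of each level: second target count / reference count, 2 decimals."""
    second = second_target_counts(first_target_counts(levels, n_levels))
    ref = reference_counts(len(levels), n_levels)
    return [round(s / r, 2) for s, r in zip(second, ref)]


def target_level(scores, preset=PRESET_SCORE):
    """Last level in sequence such that it and all earlier levels reach the preset
    score; 0 when even L1 falls short (a case the page does not spell out)."""
    target = 0
    for seq, score in enumerate(scores, start=1):
        if score < preset:
            break
        target = seq
    return target


def tool_score(scores, target, second_preset=SECOND_PRESET):
    """Sum of the target level's score, the scores of the levels before it and
    the scores of the next `second_preset` levels after it."""
    return round(sum(scores[:target + second_preset]), 2)


def evaluate(levels):
    """Run the whole procedure over the per-sub-index levels of one detection result."""
    scores = level_scores(levels)
    target = target_level(scores)
    return {"scores": scores, "target_level": target,
            "tool_score": tool_score(scores, target)}


# Constructed detection result: 24 sub-evaluation indexes, 13 at L1, 7 at L2, 4 at L3.
SAMPLE_LEVELS = [1] * 13 + [2] * 7 + [3] * 4

if __name__ == "__main__":
    print("detection rate 90% ->", f"L{level_for(90.0, DETECTION_RATE_RANGES)}")
    print(evaluate(SAMPLE_LEVELS))
```

Running the block prints the sample's level scores `[1.0, 0.73, 0.54]`, target level 1 and tool score 1.73. Because the reference count grows with the sequence number while the cumulative count only grows by the number of indexes that actually reach each higher level, a tool that saturates L1 but thins out at L2 and L3 gets a decreasing score curve, which is what lets the target level be read off against the preset score.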
It should be understood that, although the steps in the flowcharts related to the embodiments described above are sequentially shown as indicated by arrows, these steps are not necessarily sequentially performed in the order indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of steps or a plurality of stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of the steps or stages is not necessarily performed sequentially, but may be performed alternately or alternately with at least some of the other steps or stages.
In one embodiment, another SCA tool maturity evaluation method is provided. The method evaluates the capability item compliance of each SCA tool, identifies which evaluation index items of each security capability item are present and which are absent, and evaluates the overall maturity level of the tool, helping enterprises to quickly compare and position the SCA capability level, providing problem diagnosis and gap finding for the enterprise, and supporting subsequent targeted optimization. For each level of each capability requirement item, the capability evaluation level of that level can be reached only by meeting the requirements of that level and all evaluation index requirements of the lower levels, and so on. The method comprises the following steps:
(1) Capability item compliance calculation: the compliance of a capability requirement item at a maturity level is the number of index requirement items achieved divided by the total number of index requirement items of that level, retaining two decimal places; index requirement items that are not involved are removed before the calculation.
(2) Capability maturity level determination: based on the capability item compliance, the capability maturity level of the capability requirement item is determined from low to high starting at the L1 level; the finally determined capability maturity level and all lower levels must have a capability item compliance of 100%.
(3) Capability maturity score: the capability item compliance of the current level is taken as the integer part of the evaluation score, and the capability item compliance of the next level as the decimal part.
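Steps (1) to (3) of this second method, as an added Python example that is not part of the patent text. The capability requirement items and their per-level index requirement items are constructed; items marked as not involved are dropped before the division, as step (1) requires. Step (3) is followed literally: the current level's compliance (1.00 whenever some level has been reached) forms the integer part and the next level's compliance the decimal part, so the reached level is also reported separately; treating the no-level-reached case as integer part 0 with L1's compliance as the decimal part is an assumption the page does not state.

```python
"""Added worked example of the capability-item maturity method (not patent code)."""

# Constructed evaluation of four capability requirement items. For each level the
# list holds one entry per index requirement item: True = achieved,
# False = not achieved, None = not involved (removed from the calculation).
SAMPLE_ITEMS = {
    "controllability": {1: [True, True, True], 2: [True, True, None, False], 3: [False, False, True]},
    "security":        {1: [True, True], 2: [True, True, True], 3: [True, False, None]},
    "compliance":      {1: [True, False, True], 2: [False, False], 3: [False]},
    "integrity":       {1: [True, True], 2: [True], 3: [True, True]},
}


def compliance(results):
    """Capability item compliance of one level: achieved / applicable items,
    rounded to two decimal places. Items marked None are removed first."""
    applicable = [r for r in results if r is not None]
    if not applicable:
        raise ValueError("no applicable index requirement items at this level")
    return round(sum(1 for r in applicable if r) / len(applicable), 2)


def maturity_level(per_level):
    """Highest level, checked upward from L1, such that it and every lower level
    have 100% compliance; 0 when L1 itself is not fully met."""
    reached = 0
    for seq in sorted(per_level):
        if per_level[seq] < 1.0:
            break
        reached = seq
    return reached


def maturity_score(per_level, reached):
    """Literal reading of step (3): the current level's compliance is the integer
    part, the next level's compliance the decimal part. With no level reached the
    integer part is 0 and L1's compliance is the decimal part (assumption)."""
    current = per_level[reached] if reached else 0.0
    nxt = per_level.get(reached + 1, 0.0)   # no next level above the top level
    return round(int(current) + nxt, 2)


def evaluate_capability(levels_items):
    """Compliance per level, reached maturity level and score for one capability item."""
    per_level = {seq: compliance(items) for seq, items in levels_items.items()}
    reached = maturity_level(per_level)
    return {"compliance": per_level, "level": reached,
            "score": maturity_score(per_level, reached)}


def evaluate_all(items=SAMPLE_ITEMS):
    """Evaluate every capability requirement item of the constructed sample."""
    return {name: evaluate_capability(levels) for name, levels in items.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:16s} L{result['level']}  score {result['score']:.2f}  {result['compliance']}")
```

For the sample, controllability reaches L1 with score 1.67 (L2 compliance 0.67 after the not-involved item is removed), security reaches L2 with score 1.50, compliance reaches no level (L1 is only 0.67) and integrity reaches L3. Reporting the per-level compliance next to the score is what gives the enterprise the "which index items are missing" view the embodiment describes, rather than a single number.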
Based on the same inventive concept, the embodiment of the application also provides an SCA tool maturity evaluation device for realizing the SCA tool maturity evaluation method. The implementation scheme of the solution provided by the device is similar to the implementation scheme described in the method, so the specific limitation in the embodiments of the device for evaluating the maturity of one or more SCA tools provided below can be referred to the limitation of the method for evaluating the maturity of the SCA tools hereinabove, and will not be repeated here.
In one embodiment, as shown in fig. 3, there is provided an SCA tool maturity evaluation apparatus comprising: an acquisition module 301, a division module 302 and a detection module 303, wherein:
the acquiring module 301 is configured to acquire multiple evaluation indexes for the SCA tool, where each evaluation index includes multiple sub-evaluation indexes, and the evaluation indexes are used to evaluate the detection capability of the SCA tool for software, and the evaluation indexes include detection configuration, a detection range for open source software, a detection accuracy for open source software, an early warning capability, an integrated deployment capability, and a detection range for an open source component information knowledge base.
The dividing module 302 is configured to divide each sub-evaluation index into a first preset number of evaluation levels based on the detection capability corresponding to each sub-evaluation index.
The detection module 303 is configured to detect the target software by using the SCA tool, determine the evaluation level corresponding to each sub-evaluation index in the detection result, and score the maturity of the SCA tool based on the evaluation levels.
In some embodiments, detection module 303 includes:
and the first determining unit is used for sequentially determining the first target index number of the sub-evaluation indexes corresponding to each evaluation grade in the detection result according to the sequence from small to large of the detection capability corresponding to each evaluation grade.
A second determining unit configured to determine, for each evaluation level, a sum of a first target index number of the evaluation level and a first target index number of all evaluation levels having a detection capability smaller than the evaluation level as a second target index number of the evaluation level.
And a third determining unit for determining the number of reference indexes of each evaluation level based on the total number of sub-evaluation indexes and the order.
And the scoring unit is used for scoring the maturity of the SCA tool based on the second target index number and the reference index number.
In some embodiments, the third determining unit is further configured to: determining the sequence number of each evaluation level; and determining the product of the total number and the sequence number as the number of the reference indexes of the corresponding evaluation level.
In some embodiments, the scoring unit comprises:
and the first determining subunit is used for determining the maturity score corresponding to each evaluation grade based on the ratio between the second target index number and the reference index number of each evaluation grade.
And the judging subunit is used for sequentially judging whether the maturity scores corresponding to each evaluation level reach a preset score value according to the sequence, and determining the last evaluation level in the sequence among the evaluation levels with all the maturity scores reaching the preset score value as a target evaluation level.
And a second determination subunit configured to determine a maturity score of the SCA tool based on the target rating level and the maturity score of the target rating level.
In some embodiments, the second determining subunit is further configured to: and determining the sum of the maturity scores of the target evaluation grades, the maturity scores of the evaluation grades before the corresponding order of the target evaluation grades and the maturity scores of the second preset number of evaluation grades after the corresponding order of the target evaluation grades as the maturity score of the SCA tool.
In some embodiments, the detection module 303 is further configured to: and comparing corresponding result data in the detection result with an evaluation range corresponding to each evaluation level aiming at each sub-evaluation index, and determining the evaluation level corresponding to the evaluation range as the evaluation level corresponding to the sub-evaluation index if the result data is matched with the evaluation range.
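As an added, constructed illustration (not code from the patent, from ICBC, or from any SCA product), the following Python script walks the scoring procedure of the detection module end to end: it compares each sub-evaluation index's result data with the evaluation range of each level (the comparison in the paragraph above), counts the first and second target index numbers, builds the reference index numbers as total number times sequence number, scores each level, picks the target evaluation level and sums the tool's maturity score. The ten sub-evaluation indexes, their evaluation ranges, the detection result values, the level count (4), the preset score value (3/10) and the second preset number (1) are all assumptions chosen for the example; the patent names the six evaluation indexes but fixes none of these values. Where level 1 already misses the preset score value the text gives no rule, so the script returns a maturity score of 0 in that case as its own assumption.

```python
from fractions import Fraction
from itertools import accumulate
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed parameters; the text names them but fixes no values.
LEVEL_COUNT = 4                 # the "first preset number" of evaluation levels
PRESET_SCORE = Fraction(3, 10)  # the "preset score value" a level must reach
EXTRA_LEVELS = 1                # the "second preset number" of levels counted after the target

# Constructed sub-evaluation indexes under the six evaluation indexes named in the text.
# Three cut points define each level's evaluation range in ascending detection capability:
# level 1 is [-inf, c1), level 2 is [c1, c2), level 3 is [c2, c3), level 4 is [c3, +inf).
SUB_INDEX_CUTS: Dict[str, Tuple[float, float, float]] = {
    "config.package_managers_supported": (2, 5, 10),
    "config.scan_modes": (1, 2, 3),
    "oss_range.ecosystems_covered": (3, 6, 12),
    "oss_range.transitive_depth": (1, 3, 6),
    "oss_accuracy.component_recall_pct": (60, 80, 95),
    "oss_accuracy.component_precision_pct": (60, 80, 95),
    "early_warning.notification_channels": (1, 2, 4),
    "integration.ci_plugins": (1, 3, 6),
    "integration.api_coverage_pct": (30, 60, 90),
    "knowledge_base.component_entries_thousands": (50, 120, 200),
}

# Constructed detection result: the result data the SCA tool reported per sub-evaluation index.
DETECTION_RESULT: Dict[str, float] = {
    "config.package_managers_supported": 6,
    "config.scan_modes": 1,
    "oss_range.ecosystems_covered": 4,
    "oss_range.transitive_depth": 0,
    "oss_accuracy.component_recall_pct": 90,
    "oss_accuracy.component_precision_pct": 96,
    "early_warning.notification_channels": 1,
    "integration.ci_plugins": 2,
    "integration.api_coverage_pct": 20,
    "knowledge_base.component_entries_thousands": 40,
}

def evaluation_ranges(cuts: Sequence[float]) -> List[Tuple[float, float]]:
    """One [low, high) evaluation range per level, in ascending capability order."""
    bounds = [float("-inf"), *cuts, float("inf")]
    return list(zip(bounds, bounds[1:]))

def level_of(value: float, cuts: Sequence[float]) -> int:
    """Compare the result data with each level's range; return the 1-based level whose range matches."""
    for seq, (low, high) in enumerate(evaluation_ranges(cuts), start=1):
        if low <= value < high:
            return seq
    raise ValueError(f"result data {value!r} matches no evaluation range")

def first_target_numbers(levels: Dict[str, int], level_count: int) -> List[int]:
    """First target index number: how many sub-indexes were rated at each level (index 0 = level 1)."""
    counts = [0] * level_count
    for level in levels.values():
        counts[level - 1] += 1
    return counts

def second_target_numbers(first: Sequence[int]) -> List[int]:
    """Second target index number: the level's own count plus the counts of all lower levels."""
    return list(accumulate(first))

def reference_numbers(total: int, level_count: int) -> List[int]:
    """Reference index number: total number of sub-indexes times the level's sequence number."""
    return [total * seq for seq in range(1, level_count + 1)]

def level_scores(second: Sequence[int], reference: Sequence[int]) -> List[Fraction]:
    """Per-level maturity score: second target number divided by reference number, kept exact."""
    return [Fraction(s, r) for s, r in zip(second, reference)]

def target_level(scores: Sequence[Fraction], preset: Fraction) -> Optional[int]:
    """Judge the levels in order; the target level is the last one before any level misses the preset
    value. Returns None when level 1 already misses it (a case the text leaves undefined; assumed here)."""
    target = None
    for seq, score in enumerate(scores, start=1):
        if score < preset:
            break
        target = seq
    return target

def tool_maturity_score(scores: Sequence[Fraction], target: Optional[int], extra: int) -> Fraction:
    """Sum the target level's score, the scores of all levels before it, and of up to `extra` levels after it."""
    if target is None:
        return Fraction(0)  # assumption: no level qualifies, so the tool earns no maturity credit
    return sum(scores[: target + extra], Fraction(0))

def evaluate(result: Dict[str, float]) -> dict:
    """Run the full procedure on a detection result and return every intermediate quantity."""
    levels = {name: level_of(result[name], cuts) for name, cuts in SUB_INDEX_CUTS.items()}
    first = first_target_numbers(levels, LEVEL_COUNT)
    second = second_target_numbers(first)
    reference = reference_numbers(len(levels), LEVEL_COUNT)
    scores = level_scores(second, reference)
    target = target_level(scores, PRESET_SCORE)
    return {"levels": levels, "first": first, "second": second, "reference": reference,
            "scores": scores, "target_level": target,
            "maturity": tool_maturity_score(scores, target, EXTRA_LEVELS)}

if __name__ == "__main__":
    for key, value in evaluate(DETECTION_RESULT).items():
        print(f"{key}: {value}")
```

Exact fractions are used on purpose: a level whose score sits exactly on the preset value must count as reaching it, and a floating-point comparison can get that wrong. With the constructed numbers three sub-indexes land at level 1, four at level 2, two at level 3 and one at level 4, so the cumulative counts are 3, 7, 9 and 10 against reference numbers 10, 20, 30 and 40; levels 1 to 3 reach the preset value, level 4 does not, the target evaluation level is 3, and the tool's maturity score sums levels 1 to 3 plus the one extra level after the target.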
The modules in the SCA tool maturity evaluation apparatus described above may be implemented in whole or in part by software, by hardware, or by a combination of the two. The above modules may be embedded, in hardware form, in or independently of the processor of the computer device, or may be stored, in software form, in the memory of the computer device, so that the processor can call and execute the operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a terminal, and whose internal structure may be as shown in fig. 4. The computer device includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input device. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface, the display unit and the input device are connected to the system bus through the input/output interface. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for running the operating system and the computer program stored in the non-volatile storage medium. The input/output interface of the computer device is used to exchange information between the processor and external devices. The communication interface of the computer device is used for wired or wireless communication with an external terminal; the wireless mode can be implemented through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program, when executed by the processor, implements the SCA tool maturity evaluation method. The display unit of the computer device is used to present a visual image and can be a display screen, a projection device or a virtual reality imaging device. The display screen can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer device can be a touch layer covering the display screen, a key, a track ball or a touch pad arranged on the housing of the computer device, or an external keyboard, touch pad, mouse or the like.
It will be appreciated by persons skilled in the art that the architecture shown in fig. 4 is merely a block diagram of some of the architecture relevant to the present inventive arrangements and is not limiting as to the computer device to which the present inventive arrangements are applicable, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In one embodiment, a computer device is provided that includes a memory and a processor, the memory storing a computer program, and the processor, when executing the computer program, performing the following steps: acquiring multiple evaluation indexes for an SCA tool, where each evaluation index includes multiple sub-evaluation indexes, the evaluation indexes are used to evaluate the detection capability of the SCA tool for software, and the evaluation indexes include detection configuration, a detection range for open source software, a detection accuracy for open source software, an early warning capability, an integrated deployment capability, and a detection range for an open source component information knowledge base; dividing each sub-evaluation index into a first preset number of evaluation levels based on the detection capability corresponding to that sub-evaluation index; and detecting target software by using the SCA tool, determining the evaluation level corresponding to each sub-evaluation index in the detection result, and scoring the maturity of the SCA tool based on the evaluation levels.
In one embodiment, scoring the maturity of the SCA tool based on the evaluation levels, as implemented when the processor executes the computer program, includes: determining, in order from the smallest to the largest detection capability of the evaluation levels, the first target index number of each evaluation level, that is, the number of sub-evaluation indexes in the detection result corresponding to that evaluation level; for each evaluation level, determining the sum of the first target index number of that evaluation level and the first target index numbers of all evaluation levels whose detection capability is smaller than that of the evaluation level as the second target index number of the evaluation level; determining the reference index number of each evaluation level based on the total number of sub-evaluation indexes and the order; and scoring the maturity of the SCA tool based on the second target index numbers and the reference index numbers.
In one embodiment, determining the reference index number of each evaluation level based on the total number of sub-evaluation indexes and the order, as implemented when the processor executes the computer program, includes: determining the sequence number of each evaluation level in the order; and determining the product of the total number and the sequence number as the reference index number of the corresponding evaluation level.
In one embodiment, scoring the maturity of the SCA tool based on the second target index numbers and the reference index numbers, as implemented when the processor executes the computer program, includes: determining the maturity score corresponding to each evaluation level based on the ratio of the second target index number to the reference index number of that evaluation level; judging, level by level in the order, whether the maturity score corresponding to each evaluation level reaches a preset score value, and determining, among the evaluation levels whose maturity scores all reach the preset score value, the last evaluation level in the order as the target evaluation level; and determining the maturity score of the SCA tool based on the target evaluation level and the maturity score of the target evaluation level.
In one embodiment, determining the maturity score of the SCA tool based on the target evaluation level and the maturity score of the target evaluation level, as implemented when the processor executes the computer program, includes: determining, as the maturity score of the SCA tool, the sum of the maturity score of the target evaluation level, the maturity scores of the evaluation levels that precede the target evaluation level in the order, and the maturity scores of a second preset number of evaluation levels that follow the target evaluation level in the order.
In one embodiment, determining the evaluation level corresponding to each sub-evaluation index in the detection result, as implemented when the processor executes the computer program, includes: comparing, for each sub-evaluation index, the corresponding result data in the detection result with the evaluation range corresponding to each evaluation level, and, if the result data matches an evaluation range, determining the evaluation level corresponding to that evaluation range as the evaluation level corresponding to the sub-evaluation index.
In one embodiment, a computer readable storage medium is provided on which a computer program is stored, the computer program, when executed by a processor, performing the following steps: acquiring multiple evaluation indexes for an SCA tool, where each evaluation index includes multiple sub-evaluation indexes, the evaluation indexes are used to evaluate the detection capability of the SCA tool for software, and the evaluation indexes include detection configuration, a detection range for open source software, a detection accuracy for open source software, an early warning capability, an integrated deployment capability, and a detection range for an open source component information knowledge base; dividing each sub-evaluation index into a first preset number of evaluation levels based on the detection capability corresponding to that sub-evaluation index; and detecting target software by using the SCA tool, determining the evaluation level corresponding to each sub-evaluation index in the detection result, and scoring the maturity of the SCA tool based on the evaluation levels.
In one embodiment, scoring the maturity of the SCA tool based on the evaluation levels, as implemented when the computer program is executed by the processor, includes: determining, in order from the smallest to the largest detection capability of the evaluation levels, the first target index number of each evaluation level, that is, the number of sub-evaluation indexes in the detection result corresponding to that evaluation level; for each evaluation level, determining the sum of the first target index number of that evaluation level and the first target index numbers of all evaluation levels whose detection capability is smaller than that of the evaluation level as the second target index number of the evaluation level; determining the reference index number of each evaluation level based on the total number of sub-evaluation indexes and the order; and scoring the maturity of the SCA tool based on the second target index numbers and the reference index numbers.
In one embodiment, determining the reference index number of each evaluation level based on the total number of sub-evaluation indexes and the order, as implemented when the computer program is executed by the processor, includes: determining the sequence number of each evaluation level in the order; and determining the product of the total number and the sequence number as the reference index number of the corresponding evaluation level.
In one embodiment, scoring the maturity of the SCA tool based on the second target index numbers and the reference index numbers, as implemented when the computer program is executed by the processor, includes: determining the maturity score corresponding to each evaluation level based on the ratio of the second target index number to the reference index number of that evaluation level; judging, level by level in the order, whether the maturity score corresponding to each evaluation level reaches a preset score value, and determining, among the evaluation levels whose maturity scores all reach the preset score value, the last evaluation level in the order as the target evaluation level; and determining the maturity score of the SCA tool based on the target evaluation level and the maturity score of the target evaluation level.
In one embodiment, determining the maturity score of the SCA tool based on the target evaluation level and the maturity score of the target evaluation level, as implemented when the computer program is executed by the processor, includes: determining, as the maturity score of the SCA tool, the sum of the maturity score of the target evaluation level, the maturity scores of the evaluation levels that precede the target evaluation level in the order, and the maturity scores of a second preset number of evaluation levels that follow the target evaluation level in the order.
In one embodiment, determining the evaluation level corresponding to each sub-evaluation index in the detection result, as implemented when the computer program is executed by the processor, includes: comparing, for each sub-evaluation index, the corresponding result data in the detection result with the evaluation range corresponding to each evaluation level, and, if the result data matches an evaluation range, determining the evaluation level corresponding to that evaluation range as the evaluation level corresponding to the sub-evaluation index.
In one embodiment, a computer program product is provided that includes a computer program, the computer program, when executed by a processor, performing the following steps: acquiring multiple evaluation indexes for an SCA tool, where each evaluation index includes multiple sub-evaluation indexes, the evaluation indexes are used to evaluate the detection capability of the SCA tool for software, and the evaluation indexes include detection configuration, a detection range for open source software, a detection accuracy for open source software, an early warning capability, an integrated deployment capability, and a detection range for an open source component information knowledge base; dividing each sub-evaluation index into a first preset number of evaluation levels based on the detection capability corresponding to that sub-evaluation index; and detecting target software by using the SCA tool, determining the evaluation level corresponding to each sub-evaluation index in the detection result, and scoring the maturity of the SCA tool based on the evaluation levels.
In one embodiment, scoring the maturity of the SCA tool based on the evaluation levels, as implemented when the computer program is executed by the processor, includes: determining, in order from the smallest to the largest detection capability of the evaluation levels, the first target index number of each evaluation level, that is, the number of sub-evaluation indexes in the detection result corresponding to that evaluation level; for each evaluation level, determining the sum of the first target index number of that evaluation level and the first target index numbers of all evaluation levels whose detection capability is smaller than that of the evaluation level as the second target index number of the evaluation level; determining the reference index number of each evaluation level based on the total number of sub-evaluation indexes and the order; and scoring the maturity of the SCA tool based on the second target index numbers and the reference index numbers.
In one embodiment, determining the reference index number of each evaluation level based on the total number of sub-evaluation indexes and the order, as implemented when the computer program is executed by the processor, includes: determining the sequence number of each evaluation level in the order; and determining the product of the total number and the sequence number as the reference index number of the corresponding evaluation level.
In one embodiment, scoring the maturity of the SCA tool based on the second target index numbers and the reference index numbers, as implemented when the computer program is executed by the processor, includes: determining the maturity score corresponding to each evaluation level based on the ratio of the second target index number to the reference index number of that evaluation level; judging, level by level in the order, whether the maturity score corresponding to each evaluation level reaches a preset score value, and determining, among the evaluation levels whose maturity scores all reach the preset score value, the last evaluation level in the order as the target evaluation level; and determining the maturity score of the SCA tool based on the target evaluation level and the maturity score of the target evaluation level.
In one embodiment, determining the maturity score of the SCA tool based on the target evaluation level and the maturity score of the target evaluation level, as implemented when the computer program is executed by the processor, includes: determining, as the maturity score of the SCA tool, the sum of the maturity score of the target evaluation level, the maturity scores of the evaluation levels that precede the target evaluation level in the order, and the maturity scores of a second preset number of evaluation levels that follow the target evaluation level in the order.
In one embodiment, determining the evaluation level corresponding to each sub-evaluation index in the detection result, as implemented when the computer program is executed by the processor, includes: comparing, for each sub-evaluation index, the corresponding result data in the detection result with the evaluation range corresponding to each evaluation level, and, if the result data matches an evaluation range, determining the evaluation level corresponding to that evaluation range as the evaluation level corresponding to the sub-evaluation index.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region.
Those skilled in the art will appreciate that implementing all or part of the methods described above may be accomplished by a computer program stored on a non-transitory computer readable storage medium, which, when executed, may include the steps of the method embodiments described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory can include random access memory (RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can take a variety of forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.

Claims (10)

1. A method for evaluating the maturity of an SCA tool, the method comprising:
acquiring multiple evaluation indexes for an SCA tool, where each evaluation index includes multiple sub-evaluation indexes, the evaluation indexes are used to evaluate the detection capability of the SCA tool for software, and the evaluation indexes include detection configuration, a detection range for open source software, a detection accuracy for open source software, an early warning capability, an integrated deployment capability, and a detection range for an open source component information knowledge base;
dividing each sub-evaluation index into a first preset number of evaluation levels based on the detection capability corresponding to that sub-evaluation index; and
detecting target software by using the SCA tool, determining the evaluation level corresponding to each sub-evaluation index in the detection result, and scoring the maturity of the SCA tool based on the evaluation levels.
2. The method of claim 1, wherein scoring the maturity of the SCA tool based on the evaluation levels comprises:
determining, in order from the smallest to the largest detection capability of the evaluation levels, the first target index number of each evaluation level, that is, the number of sub-evaluation indexes in the detection result corresponding to that evaluation level;
for each evaluation level, determining the sum of the first target index number of that evaluation level and the first target index numbers of all evaluation levels whose detection capability is smaller than that of the evaluation level as the second target index number of the evaluation level;
determining the reference index number of each evaluation level based on the total number of sub-evaluation indexes and the order; and
scoring the maturity of the SCA tool based on the second target index numbers and the reference index numbers.
3. The method of claim 2, wherein determining the reference index number of each evaluation level based on the total number of sub-evaluation indexes and the order comprises:
determining the sequence number of each evaluation level in the order; and
determining the product of the total number and the sequence number as the reference index number of the corresponding evaluation level.
4. The method of claim 2, wherein scoring the maturity of the SCA tool based on the second target index numbers and the reference index numbers comprises:
determining the maturity score corresponding to each evaluation level based on the ratio of the second target index number to the reference index number of that evaluation level;
judging, level by level in the order, whether the maturity score corresponding to each evaluation level reaches a preset score value, and determining, among the evaluation levels whose maturity scores all reach the preset score value, the last evaluation level in the order as the target evaluation level; and
determining the maturity score of the SCA tool based on the target evaluation level and the maturity score of the target evaluation level.
5. The method of claim 4, wherein determining the maturity score of the SCA tool based on the target evaluation level and the maturity score of the target evaluation level comprises:
determining, as the maturity score of the SCA tool, the sum of the maturity score of the target evaluation level, the maturity scores of the evaluation levels that precede the target evaluation level in the order, and the maturity scores of a second preset number of evaluation levels that follow the target evaluation level in the order.
6. The method of claim 1, wherein determining the evaluation level corresponding to each sub-evaluation index in the detection result comprises:
comparing, for each sub-evaluation index, the corresponding result data in the detection result with the evaluation range corresponding to each evaluation level, and, if the result data matches an evaluation range, determining the evaluation level corresponding to that evaluation range as the evaluation level corresponding to the sub-evaluation index.
7. An SCA tool maturity evaluation apparatus, comprising:
an acquiring module, configured to acquire multiple evaluation indexes for an SCA tool, where each evaluation index includes multiple sub-evaluation indexes, the evaluation indexes are used to evaluate the detection capability of the SCA tool for software, and the evaluation indexes include detection configuration, a detection range for open source software, a detection accuracy for open source software, an early warning capability, an integrated deployment capability, and a detection range for an open source component information knowledge base;
a dividing module, configured to divide each sub-evaluation index into a first preset number of evaluation levels based on the detection capability corresponding to that sub-evaluation index; and
a detection module, configured to detect the target software by using the SCA tool, determine the evaluation level corresponding to each sub-evaluation index in the detection result, and score the maturity of the SCA tool based on the evaluation levels.
8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 6 when the computer program is executed.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
10. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310648067.5A CN116610583A (en) 2023-06-02 2023-06-02 SCA tool maturity evaluation method, SCA tool maturity evaluation device, SCA tool maturity evaluation equipment, SCA tool maturity evaluation medium and SCA tool maturity evaluation product

Publications (1)

Publication Number Publication Date
CN116610583A true CN116610583A (en) 2023-08-18

Family

ID=87674491

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117112449A (en) * 2023-10-19 2023-11-24 深圳市华傲数据技术有限公司 Maturity assessment method, device, equipment and medium of data management tool
CN117112449B (en) * 2023-10-19 2024-04-09 深圳市华傲数据技术有限公司 Maturity assessment method, device, equipment and medium of data management tool

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination