CN116910764A - Component vulnerability restoration method, device, equipment and medium - Google Patents

Component vulnerability restoration method, device, equipment and medium Download PDF

Info

Publication number
CN116910764A
CN116910764A CN202310820545.6A CN202310820545A CN116910764A CN 116910764 A CN116910764 A CN 116910764A CN 202310820545 A CN202310820545 A CN 202310820545A CN 116910764 A CN116910764 A CN 116910764A
Authority
CN
China
Prior art keywords
code
component
calling
codes
word
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310820545.6A
Other languages
Chinese (zh)
Inventor
闫保奇
呼博文
徐浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Technology Innovation Center
China Telecom Corp Ltd
Original Assignee
China Telecom Technology Innovation Center
China Telecom Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Telecom Technology Innovation Center, China Telecom Corp Ltd filed Critical China Telecom Technology Innovation Center
Priority to CN202310820545.6A priority Critical patent/CN116910764A/en
Publication of CN116910764A publication Critical patent/CN116910764A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The application provides a component bug repairing method, device, equipment and medium, which are used for extracting component codes of components with bugs in application program codes and first calling codes of calling components, so as to determine the codes with bugs; acquiring an updated component code of the component and a second call code of the updated call component, namely the updated code; comparing the code with the loopholes with the updated code, correcting the code with the loopholes according to the change information obtained by comparison, and further generating target program codes, thereby improving the efficiency and success rate of component loophole repair.

Description

Component vulnerability restoration method, device, equipment and medium
Technical Field
The present application relates to the field of application security technologies, and in particular, to a method, an apparatus, a device, and a medium for repairing component vulnerabilities.
Background
In the process of developing software for an application, a developer often uses a component of a third party, and along with the higher and higher utilization rate of the component, the safety of the component also needs to be paid attention. Fig. 1a is a schematic diagram of a repair process for component vulnerabilities provided in the prior art. As shown in fig. 1a, the repair process includes: and obtaining the vulnerability information of the component, and obtaining a vulnerability patch package of the component according to the vulnerability information of the component. Firstly, carrying out version upgrading on the component, carrying out file compiling and constructing, and then judging whether the compiling and constructing is successful or not. If yes, the operation is ended. However, as the component after version upgrade is possibly incompatible with the file source code, the compiling and constructing are failed, and then the patching operation is needed to be manually carried out according to the vulnerability patch package, so that the restoration of the component vulnerability is completed. This approach is inefficient and time consuming.
Therefore, there is a need for a component vulnerability restoration method that improves the efficiency and success rate of component vulnerability restoration.
Disclosure of Invention
The application provides a vulnerability restoration method, device, equipment and medium, which are used for improving the efficiency and success rate of component vulnerability restoration.
In a first aspect, the present application provides a component vulnerability restoration method, where the method includes:
extracting component codes of components with loopholes in program codes of the application and calling first calling codes of the components; acquiring updated component codes of the components and updated second calling codes for calling the components;
and generating target program code according to the component code, the first calling code, the updating component code and the second calling code.
In one possible implementation manner, the extracting the component code of the component with the vulnerability in the program code of the application and the first calling code for calling the component include:
generating an abstract syntax tree AST according to the program code;
determining nodes of the components and connection nodes of the nodes in the AST; and determining the first calling code for calling the component according to the connecting node.
In one possible implementation, the generating the object program code according to the program code, the component code and the first call code, and the updating the component code and the second call code includes:
comparing the component code with the first calling code, and updating the component code with the second calling code to obtain code change information;
and generating target program code according to the component code, the first calling code and the change information.
In one possible implementation manner, the generating the object program code according to the component code, the first calling code and the change information includes:
determining the identification corresponding to each word according to each word contained in the component code and the first calling code and the corresponding relation between the preset word and the identification, and obtaining an identification vector corresponding to the component code and the first calling code;
determining the corresponding mark of each word according to each word contained in the change information and the corresponding relation between the preset word and the mark, and obtaining a change word vector corresponding to the change information;
replacing the content of the corresponding mark in the mark vector according to the mark contained in the change word vector;
And obtaining the target program code according to the replaced identification vector and the corresponding relation between the preset word and the identification.
In one possible embodiment, the method further comprises:
simulating to run the target program code, and if the running fails, extracting error reporting information, wherein the error reporting information comprises the position of the code with the running error and the error content;
determining error reporting word vectors corresponding to the error reporting information according to each word contained in the error reporting information and the corresponding relation between the preset words and the marks;
determining the corresponding position in the replaced identification vector according to the identification corresponding to the row contained in the error word vector, and replacing the content of the position according to the error content corresponding identification contained in the error word vector to obtain a corrected identification vector;
and obtaining corrected target program codes according to the corrected identification vectors and the corresponding relation between the preset words and the identifications.
In a second aspect, the present application provides a component vulnerability restoration apparatus, the apparatus comprising:
the extraction module is used for extracting component codes of components with loopholes in application program codes and calling first calling codes of the components; acquiring updated component codes of the components and updated second calling codes for calling the components;
And the generating module is used for generating target program codes according to the component codes, the first calling codes, the updated component codes and the second calling codes.
In a possible implementation manner, the extracting module is specifically configured to generate an abstract syntax tree AST according to the program code; determining nodes of the components and connection nodes of the nodes in the AST; and determining the first calling code for calling the component according to the connecting node.
In a possible implementation manner, the generating module is specifically configured to compare the component code with the first calling code, and update the component code with the second calling code to obtain code change information; and generating target program code according to the component code, the first calling code and the change information.
In a possible implementation manner, the generating module is specifically configured to compare the component code with the first calling code, and update the component code with the second calling code to obtain code change information; and generating target program code according to the component code, the first calling code and the change information.
In a possible implementation manner, the generating module is specifically configured to determine, according to each word included in the component code and the first calling code and a corresponding relationship between a preset word and an identifier, an identifier corresponding to each word, so as to obtain an identifier vector corresponding to the component code and the first calling code; determining the corresponding mark of each word according to each word contained in the change information and the corresponding relation between the preset word and the mark, and obtaining a change word vector corresponding to the change information; replacing the content of the corresponding mark in the mark vector according to the mark contained in the change word vector; and obtaining the target program code according to the replaced identification vector and the corresponding relation between the preset word and the identification.
In a possible implementation manner, the generating module is further configured to simulate running the target program code, and if the running fails, extract error reporting information, where the error reporting information includes a location where the running error code is located and an error content; determining error reporting word vectors corresponding to the error reporting information according to each word contained in the error reporting information and the corresponding relation between the preset words and the marks; determining the corresponding position in the replaced identification vector according to the identification corresponding to the row contained in the error word vector, and replacing the content of the position according to the error content corresponding identification contained in the error word vector to obtain a corrected identification vector; and obtaining corrected target program codes according to the corrected identification vectors and the corresponding relation between the preset words and the identifications.
In a third aspect, the application provides an electronic device comprising at least a processor and a memory, the processor being arranged to implement the steps of any of the methods described above when executing a computer program stored in the memory.
In a fourth aspect, the application also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of any of the methods described above.
In the embodiment of the application, the component codes of the components with the loopholes and the first calling codes of the calling components in the program codes of the application are extracted, so that the codes with the loopholes are determined; acquiring an updated component code of the component and a second call code of the updated call component, namely the updated code; comparing the code with the loopholes with the updated code, correcting the code with the loopholes according to the change information obtained by comparison, and further generating target program codes, thereby improving the efficiency and success rate of component loophole repair.
Drawings
In order to more clearly illustrate the embodiments of the present application or the implementation of the related art, the drawings that are required for the embodiments or the related art description will be briefly described, and it is apparent that the drawings in the following description are some embodiments of the present application and that other drawings may be obtained according to these drawings for a person having ordinary skill in the art.
FIG. 1a is a schematic diagram of a repair process for component vulnerabilities provided in the prior art;
FIG. 1b is a schematic diagram illustrating a component vulnerability restoration process according to some embodiments of the present application;
FIG. 2 is a diagram illustrating a comparison of component updates according to some embodiments of the present application;
fig. 3a is a schematic structural diagram of an NMT according to some embodiments of the present application;
fig. 3b is a schematic diagram illustrating a process of NMT generation object code according to some embodiments of the present application;
FIG. 4 is a schematic diagram illustrating another component vulnerability restoration process according to some embodiments of the present application;
FIG. 5 is a schematic diagram illustrating a component vulnerability restoration apparatus according to some embodiments of the present application;
fig. 6 is a schematic structural diagram of an electronic device according to some embodiments of the present application.
Detailed Description
For the purpose of promoting an understanding of the principles and advantages of the application, reference will now be made in detail to the drawings and specific examples, some but not all of which are illustrated in the accompanying drawings. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be noted that the brief description of the terminology in the present application is for the purpose of facilitating understanding of the embodiments described below only and is not intended to limit the embodiments of the present application. Unless otherwise indicated, these terms should be construed in their ordinary and customary meaning.
The terms first, second, third and the like in the description and in the claims and in the above-described figures are used for distinguishing between similar or similar objects or entities and not necessarily for describing a particular sequential or chronological order, unless otherwise indicated. It is to be understood that the terms so used are interchangeable under appropriate circumstances.
The terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a product or apparatus that comprises a list of elements is not necessarily limited to all elements explicitly listed, but may include other elements not expressly listed or inherent to such product or apparatus.
The term "module" refers to any known or later developed hardware, software, firmware, artificial intelligence, fuzzy logic, or combination of hardware or/and software code that is capable of performing the function associated with that element.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the application.
The application provides a component bug repairing method, device, equipment and medium, wherein component codes of components with bugs in application program codes and first calling codes for calling the components are extracted in the method; acquiring updated component codes of the components and updated second calling codes for calling the components; and generating target program codes according to the program codes, the component codes, the first calling codes, the updating component codes and the second calling codes.
Example 1:
FIG. 1b is a schematic diagram illustrating a process for repairing a component vulnerability according to some embodiments of the present application, as shown in FIG. 1b, the process includes the following steps:
S101: component codes of components with loopholes in program codes of the application are extracted, and first calling codes of the components are called.
The component bug fix method provided by the embodiment of the application is applied to electronic equipment, and the electronic equipment can be mobile phones, PCs, tablet computers, servers and other equipment.
In the process of developing software for applications, developers often use components of a third party, and along with the higher and higher utilization rate of the components, the safety of the components also needs to be paid attention. The prior art aims at the solution of component loopholes generally by firstly acquiring the loophole information of a component, downloading and installing a loophole patch package according to the loophole information of the component, upgrading the version of the component, compiling and constructing a file, and then judging whether the compiling and constructing are successful or not by using a security audit tool. If yes, the operation is ended. However, as the component after version upgrade is possibly incompatible with the file source code, the compiling and constructing are failed, that is, the security audit tool-tip program cannot run smoothly or the bug repair is failed, the patching operation is needed to be manually performed according to the bug patch package, the efficiency of the seed way is low, the consumed time is long, the online time of the product can be prolonged, the improvement of the repair efficiency of the component bug is not facilitated, and the accuracy and pertinence of the component bug repair are not high enough.
Based on this, in order to improve the efficiency of component bug repair, in the embodiment of the present application, in order to repair a bug of a component called in a program code of an application, first, component codes of a component having a bug in the program code of the application are extracted, and a calling code that calls the component, that is, a first calling code.
Specifically, for example, the program code of the application may be first analyzed to determine the component in which the vulnerability exists, the identification of the component, such as the name of the component, may be determined, and then the component code of the component in the program code is searched for based on the identification of the component. Since the component code of the component is called in the program code, the identity of the calling function that called the component can be determined by analyzing the component code in the program code, thereby extracting the first calling code that called the component.
S102: and acquiring updated component codes of the components and updated second calling codes for calling the components.
Because the third party platform for developing the component updates the component code of the component with the vulnerability and provides the related use cases and the updated document of the updated component, wherein the related use cases are updated calling codes for calling the component, and the updated document possibly marks the specific content of the updating of the component code.
The component code of the component is updated, but the corresponding identifier is also the identifier of the original component, so that the updated component code of the identified component can be searched based on the identifier of the component, and the call code for replacing the updated component can be obtained according to the content recorded in the related use case, so as to obtain the second call code.
S103: and generating target program code according to the component code, the first calling code, the updating component code and the second calling code.
The code with the loopholes formed by the component code and the first calling code can be compared with the updated code formed by the updated component code and the second calling code to obtain the change information of the code, wherein the change information comprises the code position with the change and the change content, and the specific change code position can be the row of the changed code in the code of the component or the row of the changed code in the calling code. And further, according to the code position and the changed content of the code with the changed code in the changed information of the code, correspondingly correcting the content of the code at the corresponding position in the component code and the first calling code, and generating the target program code.
Extracting component codes of components of a third party with vulnerabilities by analyzing application program codes, namely source codes, and acquiring first calling codes for calling the components, and abstracting the component codes and the first calling codes, wherein the extracted component codes and the first calling codes can be called as vulnerability code sequences; the updated component code of the updated component of the component, the information such as the use case and the open source document of the updated component of the component and the like are obtained, the updated second calling code for calling the component is obtained, the updated component code and the second calling code can be called as a new version code sequence, and the updated content of the code in the new version code sequence can be marked. And comparing the contents of the bug code sequence and the new version code sequence to obtain the change information of the code, and fitting and generating the target program code according to the change information and the bug code sequence. According to the method, vulnerability comparison repair is carried out from a source code level, real-time repair of component vulnerabilities can be carried out, and the problems of low component vulnerability repair efficiency and weak pertinence are solved.
In the embodiment of the application, the component codes of the components with the loopholes and the first calling codes of the calling components in the program codes of the application are extracted, so that the codes with the loopholes are determined; acquiring an updated component code of the component and a second call code of the updated call component, namely the updated code; comparing the code with the loopholes with the updated code, correcting the code with the loopholes according to the change information obtained by comparison, and further generating target program codes, thereby improving the efficiency and success rate of component loophole repair.
Example 2:
in order to further improve the repair efficiency of the bug component, in the embodiment of the present application, the extracting the component code of the component having the bug in the program code of the application and the first call code for calling the component include:
generating an Abstract Syntax Tree (AST) from the program code;
determining nodes of the components and connection nodes of the nodes in the AST; and determining the first calling code for calling the component according to the connecting node.
Because the application program code is generally more and relatively complex, the time consumed in determining the first call code of the call component is long, and in order to further improve the repair efficiency of the bug component, in the embodiment of the application, an abstract syntax tree (Abstract Syntax Tree, AST) corresponding to the program code can be generated according to the program code. Specifically, the process of generating an AST based on program codes is the prior art, and will not be described herein.
Since the program code includes component codes of the components and includes calling functions for calling the components, specifically, each component and the calling function correspond to nodes in the AST of the program code, that is, nodes of the component and nodes of the calling function. Therefore, the connection node of the node can be determined according to the node corresponding to the component with the bug in the AST, and the connection node of the node corresponding to the component, namely the node of the calling function for calling the component corresponding to the node, can determine the calling function for calling the component according to the connection node, thereby determining the first calling code of the calling function in the program code according to the calling function, greatly saving the time for determining the first calling code, and improving the efficiency of repairing the bug of the component.
In one possible implementation, since the program code may include a plurality of files, each file includes a sub-program code of the program code, and an AST is generated only for a program code of one file, and cannot be generated across files. Thus, a program dependency graph may also be generated from program code. Specifically, the process of generating the program dependency graph based on the program code is the prior art, and will not be described herein. According to the program dependency graph, connection relations among a plurality of ASTs generated according to the program codes can be determined, and further nodes of components in the ASTs and connection nodes of the nodes are more comprehensively determined, so that a first calling code for calling the components is determined according to the connection nodes.
In the embodiment of the application, the AST is generated according to the program codes, the connection node of the node is determined according to the node of the component in the AST, and the code for calling the component, namely the first calling code, is further determined according to the connection node, so that the time for determining the first calling code is greatly saved, and the efficiency of repairing the loopholes of the component is improved.
Example 3:
in order to improve the success rate of component bug fixes, in the above embodiments, in the embodiment of the present application, generating object program code according to the component code and the first calling code, and the updated component code and the second calling code includes:
Comparing the component code with the first calling code, and updating the component code with the second calling code to obtain code change information;
and generating target program code according to the component code, the first calling code and the change information.
Since the component code and the first calling code may not be in one-to-one correspondence with the content of the updated component code and the second calling code, for example, the content of the component code and the first calling code may be more than the updated component code and the second calling code. Therefore, if the updated component code and the second calling code with relatively less content are directly adopted to replace the component code and the first calling code with relatively more content and vulnerability, the part of the content, which is more than the updated component code and the second calling code, in the code content before replacement is missing, and the program code is wrongly reported.
Based on the above, in order to improve the success rate of component bug fixes, the code with bug composed of the component code and the first calling code may be compared with the updated code composed of the updated component code and the second calling code to obtain the change information of the code, including the code position with change and the content of change.
FIG. 2 is a schematic diagram of a process for comparing component updates according to some embodiments of the present application, as shown in FIG. 2, the process includes the following steps:
s201: code for which a vulnerability exists is compared with updated code.
The code with the loopholes comprises component codes and first calling codes, and the updated code comprises updated component codes and second calling codes.
S202: judging whether the function in the updated code changes relative to the code with the loopholes or not: if the function is obsolete, executing S203a; if there is a function content update, then S203b is performed; if the function has not changed, S203c is performed.
S203a: find the substitution function.
S203b: and updating the function content.
S203c: the content of the function is unchanged.
And obtaining the change information of the code according to the comparison result, and correspondingly correcting the contents of the codes at the corresponding positions in the component code and the first calling code according to the code position and the changed contents of the code with the change in the change information of the code, so as to generate the target program code.
In the embodiment of the application, the change information of the code is obtained by comparing the component code with the updated component code and comparing the first calling code with the second calling code; and generating target program codes according to the component codes, the first calling codes and the change information, thereby further improving the success rate of component bug repair.
Example 4:
in order to further improve the success rate of component bug fixes, in the embodiment of the present application, generating object program code according to the component code, the first calling code, and the change information includes:
determining the identification corresponding to each word according to each word contained in the component code and the first calling code and the corresponding relation between the preset word and the identification, and obtaining an identification vector corresponding to the component code and the first calling code;
determining the corresponding mark of each word according to each word contained in the change information and the corresponding relation between the preset word and the mark, and obtaining a change word vector corresponding to the change information;
replacing the content of the corresponding mark in the mark vector according to the mark contained in the change word vector;
and obtaining the target program code according to the replaced identification vector and the corresponding relation between the preset word and the identification.
To further increase the success rate of component bug fixes, target program code is generated using a neural network machine translator (Neural Machine Tranlation, NMT). Fig. 3a is a schematic structural diagram of an NMT according to some embodiments of the present application. As shown in fig. 3a, the NMT contains an encoder, an attention mechanism and a decoder. Fig. 3b is a schematic diagram of a procedure for NMT generation object code according to some embodiments of the present application. As shown in fig. 3b, the process comprises the steps of:
S301: and performing discrete code and low-dimensional mapping on the component codes and the first calling codes by using an encoder to obtain context word vectors corresponding to the component codes.
The discrete codes extract each word contained in the component codes and the first calling codes, and the low-dimensional mapping determines the corresponding identifier of each word according to the corresponding relationship between each word contained in the component codes and the first calling codes and the preset word and identifier, so as to obtain the identifier vector corresponding to the component codes and the first calling codes, namely the context word vector. In particular, the discrete code and low-dimensional mapping process may refer to the prior art, and will not be described in detail herein.
S302: and acquiring the feature codes corresponding to the change information.
The code with the loopholes formed by the component code and the first calling code can be compared with the updated code formed by the updated component code and the second calling code, so that the change information of the code is obtained, wherein the change information comprises the content of the change of the code. And determining the mark corresponding to each word according to each word contained in the change information and the corresponding relation between the preset word and the mark, and obtaining a change word vector corresponding to the change information. Specifically, the content of the change included in the change information specifically includes a code before the change and a code after the change, and according to the change information, an identifier corresponding to the code before the change and an identifier corresponding to the corresponding code after the change can be obtained. Thus, the variant word vector contains the identification before the variant and the corresponding identification after the variant. And obtaining the feature codes corresponding to the change information, namely the feature codes before the change and the corresponding feature codes after the change, according to the marks contained in the change word vector.
S303: the attention mechanism replaces the content correspondingly identified in the context word vector according to the feature code.
The attention mechanism can search the identifier corresponding to the feature code before the change in the context word vector according to the feature code, replace the identifier with the corresponding feature code after the change, and obtain the replaced context word vector. Specifically, the search process may be a row-by-row search in the order of each row contained in the context word vector.
S304: and reversely mapping the replaced context word vector by adopting a decoder to obtain the target program code.
Replacing the content of the corresponding mark in the mark vector by using a decoder according to the mark contained in the change word vector; and obtaining the target program code according to the replaced identification vector and the corresponding relation between the preset word and the identification. It should be noted that the identification vector after replacement may contain more or less content than the identification vector before replacement.
Based on AST of the program code and the program dependency graph, namely code abstract content, and the comparison result of the code change information, namely the code, the NMT is utilized to generate a target program code, namely the bug component repair code sequence in real time, so that the repair efficiency is improved.
And performing reverse mapping corresponding to the low-dimensional mapping on the replaced context word vector by using the decoder according to the replaced identification vector and the corresponding relation between the preset word and the identification to obtain the target program code.
In the embodiment of the application, the NMT is utilized to determine the corresponding identifier of each word contained in the component code and the first calling code according to the corresponding relation between the preset word and the identifier, so as to obtain an identifier vector, and the corresponding identifier of each word contained in the change information is determined, so as to obtain a change word vector; and replacing the content of the corresponding identifier in the identifier vector according to the identifier contained in the variable word vector, and reversely mapping the replaced identifier vector by adopting a decoder to obtain the target program code, thereby further improving the success rate of component bug repair.
Example 5:
in order to further improve the success rate of component bug fixes, in the embodiments of the present application, the method further includes:
simulating to run the target program code, and if the running fails, extracting error reporting information, wherein the error reporting information comprises the position of the code with the running error and the error content;
Determining the corresponding mark of each word according to each word contained in the error reporting information and the corresponding relation between the preset word and the mark, and obtaining an error reporting word vector corresponding to the error reporting information;
determining the corresponding position in the replaced identification vector according to the identification corresponding to the row contained in the error word vector, and replacing the content of the position according to the error content corresponding identification contained in the error word vector to obtain a corrected identification vector;
and obtaining corrected target program codes according to the corrected identification vectors and the corresponding relation between the preset words and the identifications.
In order to further improve the success rate of component bug fixes, after the target program code is generated, the target program code can be simulated to be operated, and if the operation fails, error reporting information is extracted. Wherein the error information includes the position of the code with error and the error content. Each word contained in the error information can be determined according to the position of the code with the error and the content of the error.
And generating corrected target program codes by using NMT according to the target program codes and the error reporting information. Specifically, the decoder in the NMT determines the identifier corresponding to each word according to each word included in the error reporting information and the corresponding relation between the preset word and the identifier, so as to obtain the error reporting word vector corresponding to the error reporting information. And obtaining the feature code corresponding to the error reporting information, namely the feature code corresponding to the code with the error according to the mark contained in the error reporting word vector.
In order to further improve the efficiency of component bug repair, in the embodiment of the present application, for each error content included in the error word vector, corrected content corresponding to the error content may be stored in advance. The attention mechanism may determine, according to the identifier corresponding to the line included in the error word vector, a corresponding position in the replaced identifier vector. And determining the error content according to the error content corresponding identification contained in the error word vector, and replacing the content at the position according to the prestored corrected content corresponding to the error content to obtain a corrected identification vector.
And obtaining corrected target program codes according to the corrected identification vectors and the corresponding relation between the preset words and the identifications. That is, the corrected identification vector is reversely mapped by a decoder to obtain corrected target program code.
In the embodiment of the application, if the simulation operation of the target program code fails, according to the extracted error reporting information, an error reporting word vector corresponding to the error reporting information is determined by using NMT according to the corresponding relation between the preset word and the mark, and the mark vector is corrected according to the error reporting word vector, so as to obtain a corrected mark vector; and obtaining corrected target program codes according to the corrected identification vectors and the corresponding relation between the preset words and the identifications, and further improving the success rate of component bug repair.
The following describes a specific example of the repair process of the component vulnerability provided by the present application.
FIG. 4 is a schematic diagram illustrating another exemplary process for component vulnerability restoration according to some embodiments of the present application. As shown in fig. 4, the process includes the steps of:
s401: component codes of components with loopholes in program codes of the application are extracted, and first calling codes of the components are called.
Namely, component codes with loopholes in the program codes are obtained, and call relation extraction of the components with the loopholes is performed. The program codes can be analyzed by constructing AST tree and program dependency graph of the program codes, and the calling relation of the components is obtained according to the component codes with holes, so that irrelevant paths and sentences are reduced, the complexity of subsequent analysis is reduced, and preparation is made for subsequent steps.
S402: and acquiring the updated component code of the piece and the second call code of the updated call component.
The method comprises the steps of obtaining new version component codes, namely updating component codes of updating components, corresponding to components with vulnerabilities, and collecting relevant use cases and updating documents of the updating components. And determining a second call code for calling the component after updating according to the related use case and the updated document, marking the updating content of the component, and generating a new version component call sequence according to the updated component code and the updated second call code for calling the component.
S403: the component invokes an information code abstraction versus a call sequence.
Component codes of components with vulnerabilities and first calling codes of the components are subjected to code abstraction to generate a vulnerability component code sequence. And comparing the code sequence of the vulnerability component with the call sequence of the new version component, and extracting and integrating the updating content of the component to obtain the change information of the code.
S404: and generating target program codes.
And obtaining the change information of the code according to the comparison result of the code sequence of the vulnerability component and the call sequence of the new version component, and generating the component code of the component with the vulnerability and the component update sequence of the first call code of the call component. Fitting the generated component updating sequence with the vulnerability component code sequence to obtain a vulnerability component updating calling code sequence, namely a target program code sequence, and further obtaining target program code.
S405: performing simulation operation on the target program code and outputting an operation result, and ending the flow if the operation is successful; if the operation fails, extracting error reporting information, and regenerating the target program code according to the error reporting information.
Example 6:
based on the same technical concept, the embodiment of the present application further provides a component vulnerability restoration device, and fig. 5 is a schematic structural diagram of a component vulnerability restoration device provided by some embodiments of the present application, as shown in fig. 5, where the device includes:
The extraction module 501 extracts component codes of components with loopholes in program codes of an application and first calling codes for calling the components; acquiring updated component codes of the components and updated second calling codes for calling the components;
the generating module 502 is configured to generate object program code according to the component code and the first calling code, and the updated component code and the second calling code.
In a possible implementation manner, the extracting module 501 is specifically configured to generate an abstract syntax tree AST according to the program code; determining nodes of the components and connection nodes of the nodes in the AST; and determining the first calling code for calling the component according to the connecting node.
In a possible implementation manner, the generating module 502 is specifically configured to compare the component code with the first calling code, and update the component code with the second calling code to obtain code change information; and generating target program code according to the component code, the first calling code and the change information.
In a possible implementation manner, the generating module 502 is specifically configured to compare the component code with the first calling code, and update the component code with the second calling code to obtain code change information; and generating target program code according to the component code, the first calling code and the change information.
In a possible implementation manner, the generating module 502 is specifically configured to determine, according to each word included in the component code and the first calling code and a corresponding relationship between a preset word and an identifier, an identifier corresponding to each word, so as to obtain an identifier vector corresponding to the component code and the first calling code; determining the corresponding mark of each word according to each word contained in the change information and the corresponding relation between the preset word and the mark, and obtaining a change word vector corresponding to the change information; replacing the content of the corresponding mark in the mark vector according to the mark contained in the change word vector; and obtaining the target program code according to the replaced identification vector and the corresponding relation between the preset word and the identification.
In a possible implementation manner, the generating module 502 is further configured to simulate running the target program code, and if the running fails, extract error reporting information, where the error reporting information includes a location where the code with the running error is located and an error content; determining error reporting word vectors corresponding to the error reporting information according to each word contained in the error reporting information and the corresponding relation between the preset words and the marks; determining the corresponding position in the replaced identification vector according to the identification corresponding to the row contained in the error word vector, and replacing the content of the position according to the error content corresponding identification contained in the error word vector to obtain a corrected identification vector; and obtaining corrected target program codes according to the corrected identification vectors and the corresponding relation between the preset words and the identifications.
Example 7:
based on the same technical concept, on the basis of the above embodiments, an electronic device is further provided in the embodiments of the present application, and fig. 6 is a schematic structural diagram of an electronic device provided in some embodiments of the present application. As shown in fig. 6, the electronic device includes: processor 601, communication interface 602, memory 603 and communication bus 604, wherein processor 601, communication interface 602, memory 603 complete the communication each other through communication bus 604;
the memory 603 has stored therein a computer program which, when executed by the processor 601, causes the processor 601 to perform the steps of:
extracting component codes of components with loopholes in program codes of the application and calling first calling codes of the components; acquiring updated component codes of the components and updated second calling codes for calling the components;
and generating target program code according to the component code, the first calling code, the updating component code and the second calling code.
In a possible implementation, the processor 601 is further configured to:
generating an abstract syntax tree AST according to the program code;
Determining nodes of the components and connection nodes of the nodes in the AST; and determining the first calling code for calling the component according to the connecting node.
In a possible implementation, the processor 601 is further configured to:
comparing the component code with the first calling code, and updating the component code with the second calling code to obtain code change information;
and generating target program code according to the component code, the first calling code and the change information.
In a possible implementation, the processor 601 is further configured to:
determining the identification corresponding to each word according to each word contained in the component code and the first calling code and the corresponding relation between the preset word and the identification, and obtaining an identification vector corresponding to the component code and the first calling code;
determining the corresponding mark of each word according to each word contained in the change information and the corresponding relation between the preset word and the mark, and obtaining a change word vector corresponding to the change information;
replacing the content of the corresponding mark in the mark vector according to the mark contained in the change word vector;
And obtaining the target program code according to the replaced identification vector and the corresponding relation between the preset word and the identification.
In a possible implementation, the processor 601 is further configured to:
simulating to run the target program code, and if the running fails, extracting error reporting information, wherein the error reporting information comprises the position of the code with the running error and the error content;
determining error reporting word vectors corresponding to the error reporting information according to each word contained in the error reporting information and the corresponding relation between the preset words and the marks;
determining the corresponding position in the replaced identification vector according to the identification corresponding to the row contained in the error word vector, and replacing the content of the position according to the error content corresponding identification contained in the error word vector to obtain a corrected identification vector;
and obtaining corrected target program codes according to the corrected identification vectors and the corresponding relation between the preset words and the identifications.
Because the principle of solving the problem of the electronic device is similar to that of the component bug repair method, the implementation of the electronic device can be referred to the implementation of the method, and the repetition is omitted.
The communication bus mentioned above for the electronic devices may be a peripheral component interconnect standard (Peripheral Component Interconnect, PCI) bus or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, etc. The communication bus may be classified as an address bus, a data bus, a control bus, or the like. For ease of illustration, the figures are shown with only one bold line, but not with only one bus or one type of bus.
The communication interface 602 is used for communication between the electronic device and other devices described above.
The Memory may include random access Memory (Random Access Memory, RAM) or may include Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a central processing unit, a network processor (Network Processor, NP), etc.; but also digital instruction processors (Digital Signal Processing, DSP), application specific integrated circuits, field programmable gate arrays or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
Based on the same technical concept, the embodiment of the application provides a computer readable storage medium, wherein a computer program executable by an electronic device is stored in the computer readable storage medium, and when the program runs on the electronic device, the electronic device is caused to execute the steps of the component bug repair method.
The computer readable storage medium may be any available medium or data storage device that can be accessed by a processor in an electronic device, including but not limited to magnetic memories such as floppy disks, hard disks, magnetic tapes, magneto-optical disks (MO), etc., optical memories such as CD, DVD, BD, HVD, etc., and semiconductor memories such as ROM, EPROM, EEPROM, nonvolatile memories (NAND FLASH), solid State Disks (SSD), etc.
In the embodiment of the application, the component codes of the components with the loopholes and the first calling codes of the calling components in the program codes of the application are extracted, so that the codes with the loopholes are determined; acquiring an updated component code of the component and a second call code of the updated call component, namely the updated code; comparing the code with the loopholes with the updated code, correcting the code with the loopholes according to the change information obtained by comparison, and further generating target program codes, thereby improving the efficiency and success rate of component loophole repair.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (10)

1. A method for component vulnerability remediation, the method comprising:
extracting component codes of components with loopholes in program codes of the application and calling first calling codes of the components; acquiring updated component codes of the components and updated second calling codes for calling the components;
and generating target program code according to the component code, the first calling code, the updating component code and the second calling code.
2. The method of claim 1, wherein extracting component code of a component of the application for which a vulnerability exists in the program code and first call code for calling the component comprise:
generating an abstract syntax tree AST according to the program code;
determining nodes of the components and connection nodes of the nodes in the AST; and determining the first calling code for calling the component according to the connecting node.
3. The method of claim 1, wherein generating object program code from the program code, the component code and the first call code, and the updated component code and the second call code comprises:
Comparing the component code with the first calling code, and updating the component code with the second calling code to obtain code change information;
and generating target program code according to the component code, the first calling code and the change information.
4. The method of claim 3, wherein generating object code from the component code and the first call code and the change information comprises:
determining the identification corresponding to each word according to each word contained in the component code and the first calling code and the corresponding relation between the preset word and the identification, and obtaining an identification vector corresponding to the component code and the first calling code;
determining the corresponding mark of each word according to each word contained in the change information and the corresponding relation between the preset word and the mark, and obtaining a change word vector corresponding to the change information;
replacing the content of the corresponding mark in the mark vector according to the mark contained in the change word vector;
and obtaining the target program code according to the replaced identification vector and the corresponding relation between the preset word and the identification.
5. The method according to claim 1 or 4, characterized in that the method further comprises:
Simulating to run the target program code, and if the running fails, extracting error reporting information, wherein the error reporting information comprises the position of the code with the running error and the error content;
determining error reporting word vectors corresponding to the error reporting information according to each word contained in the error reporting information and the corresponding relation between the preset words and the marks;
determining the corresponding position in the replaced identification vector according to the identification corresponding to the row contained in the error word vector, and replacing the content of the position according to the error content corresponding identification contained in the error word vector to obtain a corrected identification vector;
and obtaining corrected target program codes according to the corrected identification vectors and the corresponding relation between the preset words and the identifications.
6. A component vulnerability restoration apparatus, the apparatus comprising:
the extraction module is used for extracting component codes of components with loopholes in application program codes and calling first calling codes of the components; acquiring updated component codes of the components and updated second calling codes for calling the components;
and the generating module is used for generating target program codes according to the component codes, the first calling codes, the updated component codes and the second calling codes.
7. The apparatus of claim 6, wherein the extraction module is specifically configured to generate an abstract syntax tree AST according to the program code; determining nodes of the components and connection nodes of the nodes in the AST; and determining the first calling code for calling the component according to the connecting node.
8. The apparatus of claim 6, wherein the generating module is specifically configured to compare the component code with the first calling code and the updated component code with the second calling code to obtain code change information; and generating target program code according to the component code, the first calling code and the change information.
9. An electronic device comprising at least a processor and a memory, the processor being adapted to implement the steps of the method according to any of claims 1-5 when executing a computer program stored in the memory.
10. A computer-readable storage medium, characterized in that it stores a computer program which, when executed by a processor, implements the steps of the method according to any of claims 1-5.
CN202310820545.6A 2023-07-05 2023-07-05 Component vulnerability restoration method, device, equipment and medium Pending CN116910764A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310820545.6A CN116910764A (en) 2023-07-05 2023-07-05 Component vulnerability restoration method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310820545.6A CN116910764A (en) 2023-07-05 2023-07-05 Component vulnerability restoration method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN116910764A true CN116910764A (en) 2023-10-20

Family

ID=88367584

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310820545.6A Pending CN116910764A (en) 2023-07-05 2023-07-05 Component vulnerability restoration method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN116910764A (en)

Similar Documents

Publication Publication Date Title
US20140201727A1 (en) Updating firmware compatibility data
US9063819B2 (en) Extensible patch management
US11113050B2 (en) Application architecture generation
CN109726099A (en) A kind of application gray scale dissemination method, device and equipment
US11748245B2 (en) Object-oriented regression-candidate filter
CN107844313B (en) Method and device for upgrading SDK version in Android
CN106815049B (en) Method and device for upgrading feature library
CN109977008B (en) Method and terminal for making JS code depended on by application program compatible with native library
CN106293798B (en) Self-repairing method and system of electronic device and server
EP3447635A1 (en) Application architecture generation
CN112702195A (en) Gateway configuration method, electronic device and computer readable storage medium
KR20090065742A (en) Apparatus and method for developing software
US20170123950A1 (en) Non-monotonic eventual convergence for desired state configuration
CN110659022B (en) Method for automatically calling Python script based on Java
CN117215558A (en) Visual software development method, device, equipment and medium for android
CN107943504A (en) The dynamic update method of software module in a kind of embedded system
CN116910764A (en) Component vulnerability restoration method, device, equipment and medium
CN112016095B (en) Method and device for verifying loopholes and electronic equipment
CN110096873A (en) It is derived by the automatic bait that patch converts
CN113568834A (en) SDK code compatibility detection method, device, computer equipment and medium
CN113626108A (en) Method, device, equipment and storage medium for assisted configuration of webpack
CN112612474A (en) Product transplanting method and device, storage medium and electronic equipment
CN113515452A (en) Automatic test method and system for application, electronic equipment and storage medium
CN111488275A (en) UI automation test method and device, storage medium and electronic equipment
US11740895B2 (en) Generation of software program repair explanations

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination