CN117290855A - Open source component vulnerability detection method, system, server and storage medium - Google Patents

Info

Publication number
CN117290855A
Authority
CN
China
Legal status
Pending
Application number
CN202311305905.5A
Other languages
Chinese (zh)
Inventor
徐锋
应勇
王剑锋
范丙华
谢国苗
Current Assignee
Hangzhou Xiaodao Technology Co ltd
Original Assignee
Hangzhou Xiaodao Technology Co ltd
Events
Application filed by Hangzhou Xiaodao Technology Co ltd
Priority to CN202311305905.5A
Publication of CN117290855A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/70 Software maintenance or management

Abstract

The invention provides an open source component vulnerability detection method, system, server and storage medium. The method comprises the following steps: acquiring element information of all open source components and vulnerability information corresponding one-to-one to the element information, and generating a component vulnerability database comprising the vulnerability information; each time a new open source component is introduced, obtaining the characteristic file of the open source component and obtaining a graphical open source component map based on the characteristic file; judging, based on the component vulnerability database, whether each of the open source components in the open source component map has a vulnerability; and if a vulnerability exists, acquiring the vulnerable open source component, acquiring a repair open source component for it from the component vulnerability database based on the element information of the vulnerable open source component, locating the position of the vulnerable open source component, and replacing it with the repair open source component. The method and device can solve the security problems of software development efficiently, accurately and cheaply during the coding process.

Description

Open source component vulnerability detection method, system, server and storage medium
Technical Field
The application relates to the technical field of the internet, and in particular to a method, a system, a server and a storage medium for detecting vulnerabilities of open source components.
Background
Software development is an indispensable technical process in the internet field; however, most existing software is assembled rather than written from scratch. It is estimated that 80%-90% of any given piece of software consists of open source components. Open source components, i.e. third-party components usable in the development of software applications, are widely used in software development because of their openness, large number and convenience. Specifically, during software development, a developer can build on preset open source components to accelerate development and reduce cost. Open source components have therefore increasingly become an important working foundation for the development of internet technology.
Open source components are often obtained by searching a community or developed independently, so their security is often unknown, which in turn affects the security of the software being developed; composition and risk analysis of the open source components introduced during development has therefore become the mainstream technique for addressing component security. At present, vulnerability detection of the open source components in a project is performed only at the testing and release stage of the project. Repairing the risks of open source components discovered at that point already causes code rework and schedule delays, which not only increases the project's development cost but also fails to mobilize developers' initiative regarding security within the project.
Disclosure of Invention
In this method, each time an open source component is introduced a new graphical open source component map is obtained; the security problems of the newly introduced open source component can then be known accurately and comprehensively based on the established component vulnerability database, and the newly introduced open source component is repaired accordingly, so that the security problems of software development are solved effectively, accurately and at low cost during the coding process.
In a first aspect, the present embodiment provides a method for detecting a vulnerability of an open source component, where the method includes:
acquiring element information of all open source components and vulnerability information corresponding to the element information one by one, and generating a component vulnerability database comprising the vulnerability information;
obtaining a characteristic file of the open source component every time a new open source component is introduced, and obtaining a graphical open source component map based on the characteristic file;
judging whether all open source components in the open source component map have vulnerabilities or not based on the component vulnerability database;
if a vulnerability exists, acquiring the vulnerable open source component, acquiring a repair open source component for the vulnerable open source component from the component vulnerability database based on the element information of the vulnerable open source component, locating the position of the vulnerable open source component, and replacing the vulnerable open source component with the repair open source component.
In some of these embodiments, the generating a component vulnerability database comprising the vulnerability information comprises:
obtaining, from all storage spaces related to the vulnerability information, the element information and vulnerability information of all open source components and the repair open source components capable of repairing the vulnerability information;
and matching the element information, the vulnerability information and the repair open source components, and generating the component vulnerability database from the successfully matched element information, vulnerability information and repair open source components.
In some of these embodiments, the obtaining a graphical open source component map based on the characteristic file includes:
obtaining a dependency analysis command, and obtaining a dependency relation tree representing all open source components based on the dependency analysis command, wherein the dependency relation tree comprises a direct open source component and an indirect open source component;
and graphically constructing an open source component map according to the dependency tree.
In some embodiments, the determining whether all open source components in the open source component graph have vulnerabilities includes:
acquiring the element information of the open source components in the open source component map, and judging whether the component vulnerability database contains at least one piece of that element information; if yes, judging that the open source component has a vulnerability; otherwise, judging that the open source component has no vulnerability.
In some embodiments, the obtaining the repair open source component of the vulnerability open source component in the component vulnerability database includes:
and acquiring the name of the vulnerability open source component, and acquiring the repairing open source component which has the same name and the latest version number from the component vulnerability database based on the name.
In some of these embodiments, the method further comprises:
acquiring, at preset time intervals, element information, vulnerability information and repair open source components capable of repairing the vulnerability information from all websites related to the vulnerability information, so as to update the component vulnerability database.
In a second aspect, the present embodiment provides an open source component vulnerability detection system, where the system includes a database module, a generation module, and a repair module; wherein,
the database module is used for acquiring element information of all open source components and vulnerability information corresponding to the element information one by one and generating a component vulnerability database comprising the vulnerability information;
the generating module is used for acquiring a characteristic file of the open source component every time a new open source component is introduced, and acquiring a graphical open source component map based on the characteristic file;
the repair module is used for judging whether all open source components in the open source component map have vulnerabilities or not based on the component vulnerability database; if a vulnerability exists, acquiring a vulnerability open source component with the vulnerability, acquiring a repair open source component of the vulnerability open source component in the component vulnerability database based on element information of the vulnerability open source component, positioning the position of the vulnerability open source component, and replacing the vulnerability open source component by using the repair open source component.
In some embodiments, the generating module is further configured to obtain a dependency analysis command, and obtain a dependency tree characterizing all the open source components based on the dependency analysis command, where the dependency tree includes a direct open source component and an indirect open source component;
and graphically constructing an open source component map according to the dependency tree.
In a third aspect, embodiments of the present application provide a server, where the server includes: a processor and a memory, wherein the memory stores a computer program capable of running on the processor, and the computer program realizes the open source component vulnerability detection method according to the first aspect when executed by the processor.
In a fourth aspect, an embodiment of the present application provides a storage medium having stored thereon a computer program executable on a processor, where the computer program when executed by the processor implements an open source component vulnerability detection method according to the first aspect.
With this method, the element information, vulnerability information and related repair open source components of an open source component are collected from existing vulnerability information websites, and the three kinds of information are matched to obtain a one-to-one correspondence, from which a component vulnerability database is generated that provides a component vulnerability query service; the relevant information about an open source component can then be obtained from the component vulnerability database alone, without searching across several websites.
After a new open source component is introduced, a graphical open source component map is obtained from the corresponding characteristic file; the map shows the relations among the open source components intuitively and clearly, and the security problems of the newly introduced open source component can then be known accurately and comprehensively based on the established component vulnerability database, which mobilizes developers' initiative regarding security within the project.
In addition, once the vulnerable open source component is obtained, the corresponding repair open source component can be obtained from the component vulnerability database based on its element information and located at the corresponding position, and the originally vulnerable open source component is replaced with the repair open source component, so that the security problems of software development are solved effectively, accurately and at low cost during the coding process.
Drawings
Fig. 1 is a flowchart of a method for detecting a vulnerability of an open source component according to this embodiment.
Fig. 2 is a logic schematic diagram of open source component vulnerability detection according to this embodiment.
Fig. 3 is a framework diagram of an open source component vulnerability detection system provided in this embodiment.
Fig. 4 is a block diagram of the structure of the server provided in the present embodiment.
Detailed Description
For a clearer understanding of the objects, technical solutions and advantages of the present application, the present application is described and illustrated below with reference to the accompanying drawings and examples. However, it will be apparent to one of ordinary skill in the art that the present application may be practiced without these details. It will be apparent to those having ordinary skill in the art that various changes can be made to the embodiments disclosed herein and that the general principles defined herein may be applied to other embodiments and applications without departing from the principles and scope of the present application. Thus, the present application is not limited to the embodiments shown, but is to be accorded the widest scope consistent with the scope claimed herein.
Embodiments of the present application are described in further detail below with reference to the drawings attached hereto.
The development of a Java project comprises project initiation, requirements investigation, system design, program development, testing, trial use, training, maintenance and so on. For program development, IntelliJ IDEA (IDEA for short) is recognized in the industry as one of the best Java development tools; it is an integrated environment for Java language development that aims to maximize developer productivity. It provides smart code completion, static code analysis and refactoring, handles routine and repetitive tasks, and offers plug-in and navigation functions.
Fig. 1 is a flowchart of open source component vulnerability detection provided in this embodiment. As shown in fig. 1, the method comprises the steps of:
step S101, element information of all open source components and vulnerability information corresponding to the element information one by one are obtained, and a component vulnerability database comprising the vulnerability information is generated.
During program development, a Java project can involve many open source components; here the open source components are all of the project's open source components, and the element information of an open source component comprises its name, manufacturer, version number, release time and version license, which can be obtained from websites or public repositories. For example, one open source component is named Thymeleaf-spring5, with manufacturer Thymeleaf, version number 3.0.11.RELEASE, release time 202111 and version license Apache-2.0.
The vulnerability information comprises a vulnerability number and vulnerability details, and can likewise be obtained from a website. For example, for the open source component named thymeleaf-spring5, the vulnerability number in the vulnerability information is TCSEC-2021-43466, and the vulnerability details are: thymeleaf-spring5 is an open source modern server-side Java template engine suitable for web and standalone environments; the open source component has a security vulnerability, which stems from special elements in externally supplied input not being correctly filtered when the network system or product constructs executable commands.
These open source components are either directly introduced by the project, or indirectly introduced through a directly introduced open source component, and the component vulnerability database comprising the vulnerability information is generated based on all of the open source components. For example, Thymeleaf-spring5 is an open source component directly introduced by the project, and the open source component Thymeleaf-spring5 in turn references another open source component, attoparser, so attoparser is an indirect open source component.
Generating the component vulnerability database comprising the vulnerability information comprises: obtaining, from all storage spaces related to the vulnerability information, the element information and vulnerability information of all open source components and the repair open source components capable of repairing the vulnerability information; and matching the element information, the vulnerability information and the repair open source components, and generating the component vulnerability database from the successfully matched element information, vulnerability information and repair open source components.
The repair open source component capable of repairing the vulnerability is the upgrade patch provided by the manufacturer for the vulnerability; a link is provided in the related storage space, and the corresponding installation package can be downloaded through the link to obtain the repair open source component. The storage spaces related to vulnerability information may be CVE, CNNVD, CNVD, the "security guest" site, the well-known international security company Offensive Security, etc.; the corresponding storage spaces can be selected according to actual needs, and the storage spaces related to vulnerability information are not further limited here.
After the element information, the vulnerability information and the repair open source component are obtained they are still independent items, so they must be matched and the connections among them established to form complete-specification open source component information; the component vulnerability database is generated from all of the complete-specification open source component information. Compared with existing vulnerability databases, the component vulnerability database of this embodiment stores component details, vulnerability details and repair suggestions together, so that when detecting vulnerabilities of open source components, the detection and repair requirements can be met using only the component vulnerability database of this embodiment. For example, the element information of Thymeleaf-spring5, the vulnerability information of Thymeleaf-spring5 and the repair open source component of Thymeleaf-spring5 together form one piece of complete-specification open source component information.
In addition, when information is acquired from all storage spaces related to the vulnerability information, the level of the vulnerability is acquired as well and stored in the component vulnerability database, so that the importance of the vulnerability can be seen conveniently. The vulnerability level of each open source component can be identified with icons of different colours.
It should be noted that, in this embodiment, since the vulnerabilities of any open source component do not stay fixed, the component vulnerability database must be updated so that the latest vulnerabilities present in an open source component can be detected in time. For example, the thymeleaf-spring5 component had no vulnerability when it was first obtained, but after a period of time it is found to have a vulnerability with number TCSEC-2021-43466; since TCSEC-2021-43466 did not exist in the previous component vulnerability database, the database needs to be updated. Accordingly, element information, vulnerability information and the repair open source components capable of repairing the vulnerability information are acquired from all websites related to the vulnerability information at preset time intervals, so as to update the component vulnerability database.
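The following is an added example, not code from the patent, that works through step S101 as described above: three independently collected item sets (element information, vulnerability information, repair components) are matched on component name and version into complete-specification records, the vulnerability level is kept for colouring icons, and a later scheduled collection is merged in so that a component that was clean at first detection becomes flagged. The data structures, the case-insensitive name matching, the attoparser record, the severity value and the fix version 3.0.12.RELEASE are all assumptions; only the Thymeleaf-spring5 element information and the number TCSEC-2021-43466 come from the text.

```python
"""Component vulnerability database of step S101 (added example): element
information, vulnerability information and repair components are collected
as three independent item sets, matched on component name and version into
'complete specification' records, and refreshed by a periodic update."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ElementInfo:
    name: str          # component name
    vendor: str        # manufacturer
    version: str       # version number
    release_time: str  # e.g. "202111"
    license: str       # version license


@dataclass(frozen=True)
class VulnInfo:
    name: str          # affected component name
    version: str       # affected version number
    vuln_id: str       # vulnerability number
    details: str       # vulnerability details
    level: str         # vulnerability level, stored so the UI can colour icons


@dataclass(frozen=True)
class FixComponent:
    name: str
    fixed_version: str
    link: str          # download link of the upgrade patch (placeholder)


@dataclass
class DbRecord:
    element: ElementInfo
    vulns: List[VulnInfo] = field(default_factory=list)
    fix: Optional[FixComponent] = None


Key = Tuple[str, str]


def _key(name: str, version: str) -> Key:
    # The text writes the same component as Thymeleaf-spring5 and
    # thymeleaf-spring5, so names are matched case-insensitively (assumption).
    return (name.lower(), version)


def update_database(db: Dict[Key, DbRecord], elements: Iterable[ElementInfo],
                    vulns: Iterable[VulnInfo], fixes: Iterable[FixComponent]) -> Dict[Key, DbRecord]:
    """Merge a freshly collected batch into db; safe to call on a schedule."""
    for e in elements:
        db.setdefault(_key(e.name, e.version), DbRecord(e))
    fix_by_name = {f.name.lower(): f for f in fixes}
    for v in vulns:
        rec = db.get(_key(v.name, v.version))
        if rec is None:
            continue  # no element information to match against: stays unmatched
        if all(x.vuln_id != v.vuln_id for x in rec.vulns):
            rec.vulns.append(v)
        fix = fix_by_name.get(v.name.lower())
        if fix is not None:
            rec.fix = fix  # vendor upgrade patch paired with the vulnerable version
    return db


def build_database(elements, vulns, fixes) -> Dict[Key, DbRecord]:
    return update_database({}, elements, vulns, fixes)


def complete_records(db: Dict[Key, DbRecord]) -> Dict[Key, DbRecord]:
    """Records where all three parts matched: the complete-specification entries."""
    return {k: r for k, r in db.items() if r.vulns and r.fix is not None}


def has_vulnerability(db: Dict[Key, DbRecord], name: str, version: str) -> bool:
    rec = db.get(_key(name, version))
    return rec is not None and bool(rec.vulns)


LEVEL_RANK = {"low": 0, "medium": 1, "high": 2}           # assumed level names
LEVEL_ICON = {"low": "yellow", "medium": "orange", "high": "red"}


def level_icon(db: Dict[Key, DbRecord], name: str, version: str) -> Optional[str]:
    """Icon colour for the worst recorded level of this component version."""
    rec = db.get(_key(name, version))
    if rec is None or not rec.vulns:
        return None
    worst = max(rec.vulns, key=lambda v: LEVEL_RANK.get(v.level, -1))
    return LEVEL_ICON.get(worst.level, "grey")


# Constructed sample feeds: the Thymeleaf-spring5 element information and the
# number TCSEC-2021-43466 come from the text; everything else is made up.
ELEMENTS = [
    ElementInfo("Thymeleaf-spring5", "Thymeleaf", "3.0.11.RELEASE", "202111", "Apache-2.0"),
    ElementInfo("attoparser", "attoparser", "2.0.5.RELEASE", "202001", "Apache-2.0"),
]
FIRST_VULNS: List[VulnInfo] = []   # nothing known at the first collection
LATER_VULNS = [VulnInfo("thymeleaf-spring5", "3.0.11.RELEASE", "TCSEC-2021-43466",
                        "executable commands built from insufficiently filtered input", "high")]
LATER_FIXES = [FixComponent("thymeleaf-spring5", "3.0.12.RELEASE",
                            "https://example.invalid/thymeleaf-spring5-3.0.12.RELEASE.jar")]

if __name__ == "__main__":
    db = build_database(ELEMENTS, FIRST_VULNS, [])
    print(has_vulnerability(db, "thymeleaf-spring5", "3.0.11.RELEASE"))  # False
    update_database(db, [], LATER_VULNS, LATER_FIXES)                    # scheduled refresh
    print(has_vulnerability(db, "thymeleaf-spring5", "3.0.11.RELEASE"))  # True
    for key, rec in complete_records(db).items():
        print(key, [v.vuln_id for v in rec.vulns], rec.fix.fixed_version, level_icon(db, *key))
```

A vulnerability record whose component has no element information is deliberately left unmatched rather than inserted, which is the matching rule the text describes; a real feed would log such orphans so that missing element information can be collected on the next interval.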
Step S102, each time a new open source component is introduced, a characteristic file of the open source component is obtained, and a graphical open source component map is obtained based on the characteristic file.
During project development new open source components continually need to be introduced; each time a new open source component is introduced the corresponding characteristic files are introduced, and the characteristic files introduced by different open source components differ. In the IDEA development environment, the corresponding development tools can be used to traverse and query the files in the project to obtain the characteristic files introduced by an open source component. For example, the traversal query over the project's files may be implemented with any of preVisitDirectory(), postVisitDirectory() and visitFile() (the callbacks of Java's FileVisitor interface), and the method used is not limited here.
The method for obtaining the graphical open source component map based on the feature file comprises the following steps: obtaining a dependency analysis command, and obtaining a dependency tree representing all open source components based on the dependency analysis command, wherein the dependency tree comprises a direct open source component and an indirect open source component; and graphically constructing an open source component map according to the dependency tree.
The dependency analysis command is a command of the IDEA development environment and can be obtained at will in that environment. Each open source component has its own fixed characteristic file, so by analysing these characteristic files with the dependency analysis command the dependencies between open source components can be obtained. For example, the characteristic file of the Thymeleaf-spring5 open source component is A and that of the attoparser open source component is B; analysis finds that characteristic file B is stored under the directory of characteristic file A, i.e. the Thymeleaf-spring5 open source component needs to reference the attoparser open source component, so the two have a dependency relationship.
The dependency analysis instruction can be used for obtaining the dependency relationship among all the open source components which are already introduced in the project, so that a dependency relationship tree for representing all the open source components which are already introduced can be obtained through the dependency relationship, and the open source components of the upper layer in the dependency relationship tree need to refer to the open source components of the lower layer. The top-level open source component in the dependency tree is a direct open source component, and other open source components are indirect open source components.
After the dependencies among all open source components in the project are obtained, they can be rendered graphically through the plug-in capability of the IDEA development environment to construct the open source component map. The map consists of as many nodes as there are open source components, each node representing one introduced direct or indirect open source component, so the open source components involved in the project and the relations among them can be seen clearly by viewing the map. The relevant plug-in may be a database plug-in or a LiveEdit plug-in, and is not limited here. After a new open source component is introduced the graphical open source component map changes: nodes are added to it to obtain a new open source component map.
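As an added example (not the patent's code or any IDEA plug-in), the following turns the text output of a dependency-analysis command into the dependency tree and the one-node-per-component map of step S102, marks top-level components as direct and everything below them as indirect, and shows the map growing when a new component is introduced. The input format assumed is the indented tree printed by Maven's `dependency:tree` goal; the sample output, the project coordinates, the groupIds and the util-lib component are constructed, and only thymeleaf-spring5 and attoparser come from the text.

```python
"""Dependency tree and component map of step S102 (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    direct: bool                       # True for top-level (direct) components
    children: List["Node"] = field(default_factory=list)

    @property
    def gav(self) -> str:              # groupId:artifactId:version coordinates
        return f"{self.group}:{self.artifact}:{self.version}"


def parse_dependency_tree(output: str) -> Optional[Node]:
    """Parse the indented tree printed by `mvn dependency:tree` (assumed
    format): each level is three characters ('+- ', '\\- ', '|  ' or blanks)
    and a line reads group:artifact:type[:classifier]:version[:scope].
    Returns the project node, whose children are the direct components."""
    root: Optional[Node] = None
    stack: List[Node] = []
    for raw in output.splitlines():
        line = raw.rstrip()
        if line.startswith("[INFO] "):
            line = line[len("[INFO] "):]
        body = line.lstrip("+-\\| ")
        parts = body.split(":")
        if len(parts) < 4:             # banner, blank or other non-coordinate line
            continue
        version = parts[4] if len(parts) == 6 else parts[3]   # classifier form
        depth = (len(line) - len(body)) // 3
        node = Node(parts[0], parts[1], version, direct=(depth == 1))
        if depth == 0:                 # the project itself
            root, stack = node, [node]
            continue
        if depth > len(stack):
            raise ValueError(f"malformed tree line: {raw!r}")
        stack = stack[:depth]          # pop back to the parent at depth-1
        stack[-1].children.append(node)
        stack.append(node)
    return root


def component_map(root: Node) -> Dict[str, dict]:
    """One node per introduced component (the project root is excluded),
    with its direct/indirect flag and the components it depends on."""
    graph: Dict[str, dict] = {}

    def walk(n: Node) -> None:
        for c in n.children:
            entry = graph.setdefault(c.gav, {"direct": c.direct, "depends_on": []})
            entry["depends_on"].extend(g.gav for g in c.children)
            walk(c)

    walk(root)
    return graph


def introduce(root: Node, component: Tuple[str, str, str],
              references: List[Tuple[str, str, str]]) -> Dict[str, dict]:
    """Splice a newly introduced direct component (plus the components it
    references) into the tree and rebuild the map, as step S102 describes."""
    new = Node(*component, direct=True)
    new.children = [Node(*r, direct=False) for r in references]
    root.children.append(new)
    return component_map(root)


# Constructed sample output of the dependency analysis command.
SAMPLE_OUTPUT = r"""
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.thymeleaf:thymeleaf-spring5:jar:3.0.11.RELEASE:compile
[INFO] |  \- org.attoparser:attoparser:jar:2.0.5.RELEASE:compile
[INFO] \- com.example:util-lib:jar:0.1.0:compile
"""

if __name__ == "__main__":
    tree = parse_dependency_tree(SAMPLE_OUTPUT)
    for gav, info in component_map(tree).items():
        print("direct  " if info["direct"] else "indirect", gav, "->", info["depends_on"])
```

The map is keyed by full GAV coordinates rather than by name alone, because the element information the text matches against the database includes the version number, and the same artifact can appear at two versions in one tree.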
Step S103, judging whether all open source components in the open source component map have vulnerabilities or not based on the component vulnerability database; if the loophole exists, acquiring a loophole open source component with the loophole, acquiring a repair open source component of the loophole open source component in a component loophole database based on element information of the loophole open source component, positioning the position of the loophole open source component, and replacing the loophole open source component by the repair open source component.
After the component vulnerability database is generated, providing query service by the component vulnerability database, obtaining a new open source component map after introducing one open source component every time, obtaining element information of all open source components in the map, and judging whether the component vulnerability database at least comprises one element information or not, if yes, the newly introduced open source components have vulnerabilities; if not, the newly introduced open source component has no loopholes. When one open source component is introduced, the open source component itself is introduced as one direct open source component, and a plurality of other open source components cited by the open source component are also introduced, wherein the other open source components are indirect open source components. Therefore, the open source component map has both direct open source components and indirect open source components.
If it is to be determined whether the newly introduced open source component has a vulnerability, it is necessary to detect whether the open source component itself has a vulnerability, and whether other indirect open source components referenced by the open source component also have vulnerabilities. Even if the element information of the open source component does not have a vulnerability, other indirect open source components referenced by the open source component can make the open source component unsafe once the vulnerability exists, and potential vulnerabilities exist.
Because the element information consists of the name and version number of an open source component, different versions of the same open source component have different element information. The version number of the open source component can therefore be read directly from its element information, which represents the version currently in use. The open source component map shows which other, indirect open source components the component references, and the element information of those indirect open source components is collected as well. The element information of the open source component and of every indirect open source component it references is then matched against the component vulnerability database: if at least one piece of that element information is present in the component vulnerability database, the corresponding open source component is vulnerable and must be repaired; if none of the element information is present in the component vulnerability database, the newly introduced open source component is not recorded as vulnerable. Through the query service of the component vulnerability database, whether an open source component is vulnerable can be determined quickly and accurately.
The repair open source component of a vulnerable open source component is obtained from the component vulnerability database as follows: the name of the vulnerable open source component is obtained, and the repair open source component with the same name and the latest version number is retrieved from the component vulnerability database based on that name.
When a direct open source component is vulnerable, its name is obtained, all version numbers under that name are retrieved from the component vulnerability database, the element information corresponding to the latest version number is selected from them, and the repair open source component matching that element information replaces the originally vulnerable open source component.
When an indirect open source component is vulnerable, the repair open source component can be obtained in two ways. In the first way, the direct open source component that references the indirect open source component is found, and it is checked whether that direct open source component is already at its latest version number; if it is, no repair open source component can be found in this way. If it is not, the direct open source component with the latest version number is found first, the indirect open source component referenced by that latest version replaces the originally vulnerable indirect open source component, and that latest-version indirect open source component is the repair open source component. For each vulnerable component the specific vulnerability details can be looked up, a safe version of the open source component is provided, and the repair open source component is obtained from the upgrade patches in the component vulnerability database.
In the second way, starting directly from the vulnerable indirect open source component, its latest version is looked up directly in the upgrade patches, the vulnerable indirect open source component is replaced by that latest version, and the latest-version indirect open source component is the repair open source component.
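The matching and repair-lookup procedure described above, as an added example that is not code from the patent: element information (name and version) of every component in the dependency tree, direct and indirect, is matched against a component vulnerability database; for each hit the repair component is chosen as the latest non-vulnerable version with the same name, and a vulnerable indirect component is traced back to the direct component that introduced it, recording whether that direct component can itself be upgraded (the first repair mode for indirect components). It assumes the dependency analysis command is `mvn dependency:tree`; the tree output, the component names, the version lists and the vulnerability identifiers are all constructed for the illustration.

```python
"""Added example (not the patent's code): match a Maven dependency tree against
a component vulnerability database and pick repair components.

Assumptions: the dependency analysis command is `mvn dependency:tree`; the tree
output, component names, versions and vulnerability ids below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed `mvn dependency:tree` output. Each nesting level is three
# characters wide; depth 1 = direct component, depth >= 2 = indirect component.
SAMPLE_TREE = """\
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.example:web-core:jar:2.3.0:compile
[INFO] |  +- org.example:json-lite:jar:1.1.0:compile
[INFO] |  \\- org.example:log-shim:jar:0.9.2:compile
[INFO] \\- org.example:db-client:jar:4.0.1:compile
"""

# Constructed component vulnerability database: element information
# (name, version) -> vulnerability identifier (placeholders, not real advisories).
VULN_DB = {
    ("org.example:json-lite", "1.1.0"): "VULN-PLACEHOLDER-1",
    ("org.example:db-client", "4.0.1"): "VULN-PLACEHOLDER-2",
}

# Constructed set of versions the database knows for each component name.
KNOWN_VERSIONS = {
    "org.example:web-core": ["2.2.0", "2.3.0", "2.4.0"],
    "org.example:json-lite": ["1.0.0", "1.1.0", "1.2.0"],
    "org.example:db-client": ["4.0.0", "4.0.1", "4.1.0"],
    "org.example:log-shim": ["0.9.2"],
}

TREE_LINE = re.compile(r"^\[INFO\]\s*(?P<prefix>[|+\\ -]*)(?P<gav>\S+)")


@dataclass
class Component:
    name: str                 # groupId:artifactId
    version: str
    direct: bool
    parent: Optional["Component"] = None


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric sort key for dotted versions; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def parse_tree(text: str) -> List[Component]:
    """Turn dependency-tree text into components, recording for every indirect
    component which component it hangs under."""
    comps: List[Component] = []
    stack: List[Component] = []   # stack[d - 1] = latest component at depth d
    for line in text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        if depth == 0:            # the project itself, not a dependency
            continue
        parts = m.group("gav").split(":")   # group:artifact:type:version[:scope]
        name, version = f"{parts[0]}:{parts[1]}", parts[3]
        del stack[depth - 1:]
        comp = Component(name, version, direct=(depth == 1),
                         parent=stack[-1] if stack else None)
        stack.append(comp)
        comps.append(comp)
    return comps


def direct_ancestor(c: Component) -> Component:
    """Walk up to the direct component that introduced an indirect one."""
    while c.parent is not None:
        c = c.parent
    return c


def latest_version(name: str) -> Optional[str]:
    vs = KNOWN_VERSIONS.get(name, [])
    return max(vs, key=version_key) if vs else None


def find_repair(c: Component) -> Optional[str]:
    """'Same name, latest version' rule: the newest version of the component
    that is not itself in the vulnerability database, or None if none is known."""
    safe = [v for v in KNOWN_VERSIONS.get(c.name, [])
            if (c.name, v) not in VULN_DB and version_key(v) > version_key(c.version)]
    return max(safe, key=version_key) if safe else None


def audit(tree_text: str) -> List[dict]:
    """Match every direct and indirect component against VULN_DB. Each hit gets
    its repair version and, for indirect components, the direct component that
    introduced it and whether that direct component can be upgraded instead."""
    findings = []
    for c in parse_tree(tree_text):
        vuln = VULN_DB.get((c.name, c.version))
        if vuln is None:
            continue
        finding = {"name": c.name, "version": c.version, "direct": c.direct,
                   "vulnerability": vuln, "repair_version": find_repair(c),
                   "introduced_by": None, "ancestor_upgrade": None}
        if not c.direct:
            anc = direct_ancestor(c)
            newest = latest_version(anc.name)
            finding["introduced_by"] = anc.name
            if newest and version_key(newest) > version_key(anc.version):
                finding["ancestor_upgrade"] = newest
        findings.append(finding)
    return findings
```

Running `audit(SAMPLE_TREE)` on the constructed tree reports two findings: `json-lite 1.1.0` (indirect, introduced by `web-core`, repairable either by moving `json-lite` to 1.2.0 or by upgrading `web-core` to 2.4.0) and `db-client 4.0.1` (direct, repair version 4.1.0). A real tool would take `KNOWN_VERSIONS` and `VULN_DB` from the collected advisory data rather than from literals.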
In addition, after the repair open source components are obtained, the dependency relationships among the open source components must be re-acquired using the repair open source components, and the dependency tree and the open source component map rebuilt.
Once the repair open source component is found, a matching algorithm locates the position at which the vulnerable open source component was introduced, and the repair open source component replaces the vulnerable one there. The characteristic files include the files that indicate the position of an open source component, such as pom.xml, and the vulnerable open source component is located through its GAV coordinates (groupId, artifactId and version).
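The positioning and replacement step described above, as an added example that is not code from the patent: it locates a vulnerable component in a constructed pom.xml by its GAV coordinates and writes in the repair version, and it handles the common case where the `<version>` is a `${...}` property reference, in which case the property is updated rather than the literal. The sample pom.xml and all coordinates are constructed; rebuilding the dependency tree afterwards would mean re-running the dependency analysis command and is not shown.

```python
"""Added example (not the patent's code): locate a vulnerable component in
pom.xml by its GAV coordinates and write in the repair version.

Assumptions: the pom.xml below and all coordinates are constructed."""
import xml.etree.ElementTree as ET
from typing import Optional

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}
ET.register_namespace("", POM_NS)   # keep the default namespace unprefixed on output

# Constructed pom.xml: db-client pins its version inline, web-core takes it from
# a property, which the locator must resolve before it can match on GAV.
SAMPLE_POM = f"""<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="{POM_NS}">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <properties>
    <web-core.version>2.3.0</web-core.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>web-core</artifactId>
      <version>${{web-core.version}}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>db-client</artifactId>
      <version>4.0.1</version>
    </dependency>
  </dependencies>
</project>
"""


def _text(el: ET.Element, tag: str) -> str:
    child = el.find(f"m:{tag}", NS)
    return (child.text or "").strip() if child is not None else ""


def _property_name(raw: str) -> Optional[str]:
    """'${web-core.version}' -> 'web-core.version'; None for a literal version."""
    return raw[2:-1] if raw.startswith("${") and raw.endswith("}") else None


def resolve_version(root: ET.Element, raw: str) -> str:
    """Expand a ${property} version reference against <properties>."""
    prop = _property_name(raw)
    if prop is None:
        return raw
    el = root.find(f"m:properties/m:{prop}", NS)
    return (el.text or "").strip() if el is not None else raw


def locate(root: ET.Element, group: str, artifact: str,
           version: str) -> Optional[ET.Element]:
    """Return the <dependency> element whose GAV matches, or None."""
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if (_text(dep, "groupId"), _text(dep, "artifactId")) != (group, artifact):
            continue
        if resolve_version(root, _text(dep, "version")) == version:
            return dep
    return None


def replace_version(pom_xml: str, group: str, artifact: str,
                    old: str, new: str) -> Optional[str]:
    """Swap the vulnerable version for the repair version. When the version is a
    ${property} reference the property is updated instead, so every dependency
    sharing it moves together. Returns the new pom text, or None if no match."""
    root = ET.fromstring(pom_xml)
    dep = locate(root, group, artifact, old)
    if dep is None:
        return None
    ver_el = dep.find("m:version", NS)
    prop = _property_name((ver_el.text or "").strip())
    target = root.find(f"m:properties/m:{prop}", NS) if prop else ver_el
    target.text = new
    return ET.tostring(root, encoding="unicode")
```

Calling `replace_version(SAMPLE_POM, "org.example", "db-client", "4.0.1", "4.1.0")` rewrites the inline version, while the same call for `web-core` from 2.3.0 to 2.4.0 changes `<web-core.version>` under `<properties>`; a GAV that is not in the file yields `None`, which is the signal to look in parent or module poms instead.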
Fig. 2 is a logic diagram of the open source component vulnerability detection of this embodiment. As shown in Fig. 2, on the one hand, the element information, vulnerability information and related repair open source components of open source components are collected from existing vulnerability information websites, and the three kinds of information are matched into a one-to-one correspondence to generate the component vulnerability database, which provides the component vulnerability query service for open source components. On the other hand, whenever a new open source component is introduced in the IDEA development environment, the characteristic files related to the newly introduced open source component are found by traversing and querying the project files, the dependency analysis command is executed, the dependency tree of the open source components is parsed, and the dependencies among the open source components are made intuitively and clearly visible through the IDEA plug-in capability and the graphical construction of the open source component map. The open source component map corresponding to the newly introduced open source component is then checked through the component vulnerability database query service, the vulnerability status of every open source component in the map is determined, the specific vulnerability details of each vulnerable open source component are looked up in the component vulnerability database, and a repair open source component of a safe version is provided from the upgrade patches. In this way the security problems of the newly introduced open source component are known accurately and comprehensively, and the developer's initiative on security in the project is encouraged.
Then the dependency relationships among the open source components are re-acquired using the repair open source components, and the dependency tree and the open source component map are rebuilt. Finally, the corresponding repair open source component is obtained from the component vulnerability database based on the element information, positioned at the corresponding location, and used to replace the originally vulnerable open source component, so that software security problems are solved effectively, accurately and at low cost while the software is being written.
Fig. 3 is a framework diagram of the open source component vulnerability detection system provided in this embodiment. As shown in Fig. 3, the open source component vulnerability detection system includes a database module, a generation module and a repair module.
The database module is used for acquiring the element information of all open source components and the vulnerability information corresponding one-to-one to the element information, and generating a component vulnerability database comprising the vulnerability information; the generation module is used for acquiring a characteristic file of the open source component every time a new open source component is introduced, and acquiring a graphical open source component map based on the characteristic file; the repair module is used for judging, based on the component vulnerability database, whether any open source component in the open source component map is vulnerable; if a vulnerability exists, acquiring the vulnerable open source component, acquiring the repair open source component of the vulnerable open source component from the component vulnerability database based on the element information of the vulnerable open source component, positioning the vulnerable open source component, and replacing it with the repair open source component.
The generation module is further used for acquiring a dependency analysis command and acquiring, based on the dependency analysis command, a dependency tree representing all open source components, wherein the dependency tree comprises direct open source components and indirect open source components; and graphically constructing the open source component map according to the dependency tree.
Fig. 4 is a block diagram of the structure of the server provided in this embodiment. As shown in Fig. 4, the server includes a processor 41 and a memory 42; the memory 42 stores a computer program 43 that can run on the processor 41, and the computer program 43, when executed by the processor 41, implements the open source component vulnerability detection method provided in the embodiments of this application.
Memory 42 may be, but is not limited to, a ROM or other type of static storage device that can store static information and instructions, a random access memory or other type of dynamic storage device, an electrically erasable programmable read-only memory, a CD-ROM or other optical disk storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium capable of carrying or storing the desired program code in the form of instructions or data structures and accessible by a computer. In some embodiments, memory 42 may be an internal storage unit.
The processor 41 may be a central processing unit, a general purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof, and is used for running the program code or processing the data stored in the memory 42.
The processor 41 and the memory 42 are connected by a bus. The bus may include a path that carries information between the components. The bus may be a peripheral component interconnect standard bus or an extended industry standard architecture bus, and buses may be divided into address buses, data buses, control buses, etc. For ease of illustration, only one thick line is shown in Fig. 4, but this does not mean there is only one bus or one type of bus.
Although Fig. 4 shows only a server having a memory 42, a processor 41 and a bus, those skilled in the art will understand that the architecture shown in Fig. 4 does not limit the server: it may be a bus architecture or a star architecture, and the server may include more or fewer components than those shown, combine some components, or arrange the components differently. The use of other electronic devices now known or later developed also falls within the scope of protection, and they are incorporated herein by reference.
The present application provides a computer readable storage medium having a computer program stored thereon, which when run on a computer, causes the computer to perform the relevant content of the foregoing method embodiments.
It should be understood that, although the steps in the flowcharts of the figures are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited in order and may be performed in other orders, unless explicitly stated herein.
The foregoing is only a partial embodiment of the present application, and it should be noted that, for a person skilled in the art, several improvements and modifications can be made without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.

Claims (10)

1. An open source component vulnerability detection method, comprising:
acquiring element information of all open source components and vulnerability information corresponding to the element information one by one, and generating a component vulnerability database comprising the vulnerability information;
obtaining a characteristic file of the open source component every time a new open source component is introduced, and obtaining a graphical open source component map based on the characteristic file;
judging whether all open source components in the open source component map have vulnerabilities or not based on the component vulnerability database;
if a vulnerability exists, acquiring a vulnerability open source component with the vulnerability, acquiring a repair open source component of the vulnerability open source component in the component vulnerability database based on element information of the vulnerability open source component, positioning the position of the vulnerability open source component, and replacing the vulnerability open source component by using the repair open source component.
2. The method of claim 1, wherein the generating a component vulnerability database comprising the vulnerability information comprises:
obtaining, from all storage spaces related to the vulnerability information, the element information and vulnerability information of all open source components and the repair open source components capable of repairing the vulnerabilities;
and matching the element information, the vulnerability information and the repair open source components, and generating the component vulnerability database from the successfully matched element information, vulnerability information and repair open source components.
3. The method of claim 1, wherein the obtaining a graphical open source component map based on the characteristic file comprises:
obtaining a dependency analysis command, and obtaining a dependency relation tree representing all open source components based on the dependency analysis command, wherein the dependency relation tree comprises a direct open source component and an indirect open source component;
and graphically constructing an open source component map according to the dependency tree.
4. The method of claim 3, wherein the determining whether all open source components in the open source component map have vulnerabilities comprises:
acquiring element information of all open source components in the open source component map, and judging whether the component vulnerability database comprises at least one piece of that element information; if yes, judging that the open source component has a vulnerability; otherwise, the open source component has no vulnerability.
5. The method of claim 4, wherein the obtaining the fix open source component of the vulnerability open source component in the component vulnerability database comprises:
and acquiring the name of the vulnerability open source component, and acquiring the repairing open source component which has the same name and the latest version number from the component vulnerability database based on the name.
6. The method according to claim 2, wherein the method further comprises:
and acquiring, at preset intervals, element information, vulnerability information and repair open source components capable of repairing the vulnerabilities from all websites related to the vulnerability information, so as to update the component vulnerability database.
7. An open source component vulnerability detection system, comprising a database module, a generation module and a repair module; wherein,
the database module is used for acquiring element information of all open source components and vulnerability information corresponding one-to-one to the element information, and generating a component vulnerability database comprising the vulnerability information;
the generation module is used for acquiring a characteristic file of the open source component every time a new open source component is introduced, and acquiring a graphical open source component map based on the characteristic file;
the repair module is used for judging whether all open source components in the open source component map have vulnerabilities or not based on the component vulnerability database; if a vulnerability exists, acquiring a vulnerability open source component with the vulnerability, acquiring a repair open source component of the vulnerability open source component in the component vulnerability database based on element information of the vulnerability open source component, positioning the position of the vulnerability open source component, and replacing the vulnerability open source component by using the repair open source component.
8. The system of claim 7, wherein the generation module is further configured to obtain a dependency analysis command, obtain a dependency tree characterizing all of the open source components based on the dependency analysis command, wherein the dependency tree includes a direct open source component and an indirect open source component;
and graphically constructing an open source component map according to the dependency tree.
9. A server, the server comprising: a processor and a memory, the memory having stored thereon a computer program executable on the processor, the computer program when executed by the processor implementing an open source component vulnerability detection method as claimed in any one of claims 1 to 6.
10. A computer readable storage medium having stored thereon a computer program executable on a processor, wherein the computer program, when executed by the processor, implements an open source component vulnerability detection method according to any one of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311305905.5A CN117290855A (en) 2023-10-10 2023-10-10 Open source component vulnerability detection method, system, server and storage medium
Publications (1)

Publication Number Publication Date
CN117290855A true CN117290855A (en) 2023-12-26

Family

ID=89244306

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination