CN117633807A - Vulnerability prompting method, device, equipment and storage medium - Google Patents

Vulnerability prompting method, device, equipment and storage medium

Info

Publication number: CN117633807A
Authority: CN (China)
Prior art keywords: code, vulnerability, plug, scanning, vulnerability scanning
Legal status: Pending (as listed by Google; the listed status is an assumption, not a legal conclusion)
Application number: CN202311520450.9A
Other languages: Chinese (zh)
Inventor: 齐睿
Current assignee: Zhejiang eCommerce Bank Co Ltd (as listed by Google; the assignee list may be inaccurate)
Original assignee: Zhejiang eCommerce Bank Co Ltd
Prior art date, priority date, filing date and publication date: not given on this page

Classifications

CPC classifications, each code listed once. The assigned leaf codes are G06F21/577, G06F21/563, G06F21/566 and G06F2221/033; the other entries are their parent groups.

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

This specification discloses a vulnerability prompting method, device, equipment and storage medium. The method comprises the following steps: in response to the completion of writing any function in a code writing application, performing vulnerability scanning on the local code corresponding to that function through a vulnerability scanning plug-in of the code writing application, so as to determine whether a vulnerability exists in the local code; and, when a vulnerability exists in the local code, displaying vulnerability prompt information through the vulnerability scanning plug-in, the vulnerability prompt information being used to indicate that a vulnerability exists in the local code.

Description

Vulnerability prompting method, device, equipment and storage medium
Technical Field
The embodiments of this specification relate to the field of computer technology, and in particular to a vulnerability prompting method, device, equipment and storage medium.
Background
As awareness of network security grows, security hardening and vulnerability management during the development of network systems are becoming increasingly important to large enterprises, which are investing ever more manpower and resources in them.
In the related art, code is usually scanned for vulnerabilities only after it has been submitted to a code release platform. By that stage the system functions have already been developed, so repairing a vulnerability frequently requires extensive changes to the code, and the cost of vulnerability repair is high.
Disclosure of Invention
The embodiments of this specification provide a vulnerability prompting method, device, equipment and storage medium that can reduce the cost of vulnerability repair. The technical solution is as follows.
In one aspect, a vulnerability prompting method is provided. The method includes:
in response to the completion of writing any function in a code writing application, performing vulnerability scanning on the local code corresponding to the function through a vulnerability scanning plug-in of the code writing application, so as to determine whether a vulnerability exists in the local code; and
when a vulnerability exists in the local code, displaying vulnerability prompt information through the vulnerability scanning plug-in, the vulnerability prompt information being used to indicate that a vulnerability exists in the local code.
In one aspect, a vulnerability prompting device is provided. The device includes:
a vulnerability scanning module, configured to, in response to the completion of writing any function in the code writing application, perform vulnerability scanning on the local code corresponding to the function through a vulnerability scanning plug-in of the code writing application, so as to determine whether a vulnerability exists in the local code; and
a vulnerability prompting module, configured to display vulnerability prompt information through the vulnerability scanning plug-in when a vulnerability exists in the local code, the vulnerability prompt information being used to indicate that a vulnerability exists in the local code.
In a possible implementation, the vulnerability scanning module is configured to call the vulnerability scanning plug-in in response to the completion of writing any function in the code writing application, and to perform vulnerability scanning on the local code through the vulnerability scanning plug-in based on a stored scanning rule.
In a possible implementation, the device further includes:
a first synchronization module, configured to synchronize the scanning rules stored in the vulnerability scanning plug-in with the scanning rules stored in a plug-in server, the plug-in server being the server corresponding to the vulnerability scanning plug-in.
In a possible implementation, the vulnerability prompting module is configured to display, through the vulnerability scanning plug-in, a vulnerability prompt popup when a vulnerability exists in the local code. The vulnerability prompt popup includes the vulnerability prompt information, and the vulnerability prompt information includes a vulnerability location and a vulnerability repair suggestion, where the vulnerability location indicates the position of the vulnerability in the local code and the vulnerability repair suggestion includes repair code.
In a possible implementation, the device further includes:
a replacing module, configured to replace the code corresponding to the vulnerability in the local code with the repair code in response to a confirmation operation on the vulnerability repair suggestion in the vulnerability prompt popup.
In a possible implementation, the device further includes:
a second synchronization module, configured to synchronize the repair scheme stored in the vulnerability scanning plug-in with the repair scheme stored in the plug-in server, the plug-in server being the server corresponding to the vulnerability scanning plug-in and the repair scheme being used to generate the repair code.
In a possible implementation, the device further includes:
a submitting module, configured to, in response to a code submission operation on the global code in the code writing application, perform vulnerability scanning on the global code through the vulnerability scanning plug-in so as to determine whether a vulnerability exists in the global code; to display vulnerability prompt information through the vulnerability scanning plug-in when a vulnerability exists in the global code, the vulnerability prompt information being used to indicate that a vulnerability exists in the global code; and to submit the global code to the code release platform when no vulnerability exists in the global code.
In a possible implementation, the submitting module is configured to, in response to a code submission operation on the global code in the code writing application, send the global code to the vulnerability scanning plug-in through a code submission tool of the code writing application, and to perform vulnerability scanning on the global code through the vulnerability scanning plug-in based on a stored scanning rule.
In a possible implementation, the device further includes:
an uploading module, configured to upload the vulnerability scanning result and a target object identifier to the plug-in server through the vulnerability scanning plug-in, so that the plug-in server updates the code security ranking of the object identified by the target object identifier, where the target object identifier is the object identifier used to log in to the code writing application and the plug-in server is the server corresponding to the vulnerability scanning plug-in.
In one aspect, a computer device is provided that includes one or more processors and one or more memories having at least one computer program stored therein, the computer program loaded and executed by the one or more processors to implement the vulnerability prompting method.
In one aspect, a computer readable storage medium having at least one computer program stored therein is provided, the computer program being loaded and executed by a processor to implement the vulnerability prompting method.
In one aspect, a computer program product or computer program is provided, the computer program product or computer program comprising program code, the program code being stored in a computer readable storage medium, the program code being read from the computer readable storage medium by a processor of a computer device, the program code being executed by the processor, causing the computer device to perform the above-described vulnerability prompting method.
According to the technical solution provided by the embodiments of this specification, in response to the completion of writing any function in the code writing application, the vulnerability scanning plug-in of the code writing application performs vulnerability scanning on the local code corresponding to that function to determine whether a vulnerability exists in the local code; that is, the vulnerability scanning plug-in enables real-time scanning of local code. When a vulnerability exists in the local code, vulnerability prompt information indicating its presence is displayed through the vulnerability scanning plug-in. Local scanning at the granularity of a single function is thereby achieved, developers are alerted to vulnerabilities while the code is still being written, the efficiency of vulnerability scanning is improved, and the cost of vulnerability repair is reduced.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present description, the following description will briefly explain the drawings needed in the description of the embodiments, and it is obvious that the drawings in the following description are only some embodiments of the present description, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an implementation environment of a vulnerability prompting method according to an embodiment of the present disclosure;
FIG. 2 is a flowchart of a vulnerability prompting method according to an embodiment of the present disclosure;
FIG. 3 is a flowchart of another vulnerability prompting method provided by an embodiment of the present disclosure;
FIG. 4 is a flowchart of yet another vulnerability prompting method provided by an embodiment of the present disclosure;
FIG. 5 is a schematic structural diagram of a vulnerability prompting device according to an embodiment of the present disclosure;
FIG. 6 is a schematic structural diagram of a terminal according to an embodiment of the present disclosure.
Detailed Description
For the purposes of clarity, technical solutions and advantages of the present specification, the following description will describe embodiments of the present specification in further detail with reference to the accompanying drawings.
The terms "first", "second" and the like in this specification are used to distinguish between similar elements or items that have substantially the same function. It should be understood that there is no logical or chronological dependency between "first", "second" and "n-th", and that no limitation is placed on the number of such elements or on the order of execution.
First, terms related to embodiments of the present specification will be explained.
Code writing application: also called a program development application or code programming application; a tool widely used in the internet industry to develop systems or applications in a given programming language, for example PyCharm, IntelliJ IDEA or Eclipse.
Vulnerability: a defect that arises because functions or logic of a programming language are used improperly or without sufficient rigour, leaving code that an attacker can exploit to mount a security attack.
Programming software plug-in: a component that belongs to code programming software and that extends or modifies the software's functions in a pluggable manner.
Vulnerability scanning plug-in: a programming software plug-in used to scan code for vulnerabilities.
Function (functional function): the local code that implements a particular piece of functionality.
Code release platform: the platform on which code is aggregated to form a complete functional system.
Having explained the terms involved in the embodiments of this specification, the environment in which the embodiments are implemented is described next.
FIG. 1 is a schematic diagram of an implementation environment of the vulnerability prompting method provided by an embodiment of this specification. Referring to FIG. 1, the implementation environment may include a terminal 110, a plug-in server 120 and a code release platform 140.
The terminal 110 is connected to the plug-in server 120 and the code release platform 140 through a wireless or wired network. Optionally, the terminal 110 is a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch or the like, but is not limited to these. The terminal 110 installs and runs an application that supports vulnerability prompting; a vulnerability scanning plug-in is installed in the application, and the vulnerability scanning plug-in can scan code for vulnerabilities.
The plug-in server 120 is an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, a content delivery network (CDN), big data and an artificial intelligence platform. The plug-in server 120 provides background services for the vulnerability scanning plug-in in the application running on the terminal 110.
The code release platform 140 is likewise an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing the basic cloud computing services listed above. The code release platform 140 collects the code uploaded by the terminal 110 and aggregates the collected code to generate an application program that implements a specific function.
Those skilled in the art will recognize that the number of terminals may be greater or smaller: there may be only one terminal, or tens, hundreds or more, in which case the implementation environment also includes the other terminals. The number of terminals and the types of devices are not limited in the embodiments of this specification.
After the implementation environment of the embodiments of the present specification is introduced, the application scenario of the embodiments of the present specification will be described below.
The technical solution provided by the embodiments of this specification can be applied while a developer writes code using a code writing application. With this solution the code writing application is equipped with a vulnerability scanning plug-in, and the vulnerability scanning plug-in can scan the code written in the code writing application and so find vulnerabilities in it. In response to the completion of writing any function in the code writing application, vulnerability scanning is performed on the local code corresponding to that function through the vulnerability scanning plug-in of the code writing application to determine whether a vulnerability exists in the local code, the local code being the code that makes up the function. When a vulnerability exists in the local code, vulnerability prompt information is displayed through the vulnerability scanning plug-in to indicate that a vulnerability exists in the local code. From the vulnerability prompt information the developer learns that the local code contains a vulnerability and can repair it promptly.
Having described the implementation environment and the application scenario, the vulnerability prompting method provided by the embodiments of this specification is described below with reference to FIG. 2, taking a terminal as the execution subject by way of example. The method includes the following steps.
202. In response to the completion of writing any function in the code writing application, the terminal performs vulnerability scanning on the local code corresponding to the function through a vulnerability scanning plug-in of the code writing application, so as to determine whether a vulnerability exists in the local code.
The code writing application is used to write code; a technician can use it to write code that implements a specific function. The vulnerability scanning plug-in is installed in the code writing application and can scan the code written there for vulnerabilities. A function is the smallest unit of code that implements a piece of functionality, that is, the local code. Writing of the function is complete when the code written can realise the function's intended behaviour. Local code is a concept relative to global code: the global code is the complete code that is finally submitted to the code release platform, and the local code is a constituent part of the global code.
204. When a vulnerability exists in the local code, the terminal displays vulnerability prompt information through the vulnerability scanning plug-in, the vulnerability prompt information being used to indicate that a vulnerability exists in the local code.
A vulnerability is code that carries a potential security risk, so the presence of a vulnerability in the local code means the local code carries a potential security risk. The vulnerability prompt information indicates that a vulnerability exists in the local code, and from it a technician learns that the local code contains a vulnerability.
According to the technical solution provided by the embodiments of this specification, in response to the completion of writing any function in the code writing application, the vulnerability scanning plug-in of the code writing application performs vulnerability scanning on the local code corresponding to that function to determine whether a vulnerability exists in the local code; that is, the vulnerability scanning plug-in enables real-time scanning of local code. When a vulnerability exists in the local code, vulnerability prompt information indicating its presence is displayed through the vulnerability scanning plug-in. Local scanning at the granularity of a single function is thereby achieved, developers are alerted to vulnerabilities while the code is still being written, the efficiency of vulnerability scanning is improved, and the cost of vulnerability repair is reduced.
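The function-granularity scan of steps 202 and 204, the popup contents described in the summary (vulnerability location plus repair code), the replace operation and the submit-time scan of the global code can be illustrated with the following added example. It is not code from the patent or from the assignee. It assumes the code being written is Python, uses a small hypothetical rule set (PY-EVAL, PY-SHELL, PY-YAML) standing in for the plug-in's stored scanning rules and repair schemes, and operates on a constructed sample source file; a real plug-in would receive the function body from the IDE's editor model rather than re-parsing the whole file.

```python
"""Added example: function-granularity vulnerability scan with rule-based repair
suggestions, in the style of the IDE plug-in described in the patent.
Rule IDs, rule bodies and the sample source are assumptions made for
illustration; this is not the patent's or the assignee's code."""
import ast
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Rule:
    """One stored scanning rule: a detector on a call node plus a repair scheme
    that rewrites the offending source line into repair code."""
    rule_id: str
    message: str
    matches: Callable[[ast.Call], bool]
    repair: Callable[[str], str]


@dataclass(frozen=True)
class Finding:
    """What the vulnerability prompt popup shows: location plus repair suggestion."""
    rule_id: str
    function: str
    line: int
    message: str
    vulnerable_code: str
    repair_code: str


def _callee(call: ast.Call) -> str:
    return ast.unparse(call.func)


def _has_const_kw(call: ast.Call, name: str, value) -> bool:
    return any(k.arg == name and isinstance(k.value, ast.Constant) and k.value.value is value
               for k in call.keywords)


# Hypothetical rule set standing in for the plug-in's stored scanning rules.
RULES: List[Rule] = [
    Rule("PY-EVAL", "eval() on data is arbitrary code execution",
         lambda c: _callee(c) == "eval",
         lambda line: line.replace("eval(", "ast.literal_eval(")),
    Rule("PY-SHELL", "subprocess call with shell=True allows command injection",
         lambda c: _callee(c).startswith("subprocess.") and _has_const_kw(c, "shell", True),
         lambda line: line.replace("shell=True", "shell=False")),
    Rule("PY-YAML", "yaml.load() without a safe Loader deserialises arbitrary objects",
         lambda c: _callee(c) == "yaml.load" and not any(k.arg == "Loader" for k in c.keywords),
         lambda line: line.replace("yaml.load(", "yaml.safe_load(")),
]


def scan_function(source: str, func_name: str, rules: List[Rule] = RULES) -> List[Finding]:
    """Scan only the named function (the 'local code'), as the plug-in does when
    the developer finishes writing it. Returns one Finding per rule hit."""
    tree = ast.parse(source)
    lines = source.splitlines()
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if not (isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)) and node.name == func_name):
            continue
        for sub in ast.walk(node):
            if not isinstance(sub, ast.Call):
                continue
            for rule in rules:
                if rule.matches(sub):
                    src = lines[sub.lineno - 1]
                    findings.append(Finding(rule.rule_id, func_name, sub.lineno,
                                            rule.message, src, rule.repair(src)))
    return findings


def scan_module(source: str, rules: List[Rule] = RULES) -> List[Finding]:
    """Submit-time scan of the 'global code': every top-level function in the file.
    A non-empty result is what would block submission to the release platform."""
    tree = ast.parse(source)
    findings: List[Finding] = []
    for node in tree.body:
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            findings.extend(scan_function(source, node.name, rules))
    return findings


def apply_repair(source: str, finding: Finding) -> str:
    """The 'confirm' action on the popup: replace the vulnerable line with the repair code."""
    lines = source.splitlines(keepends=True)
    idx = finding.line - 1
    newline = "\n" if lines[idx].endswith("\n") else ""
    lines[idx] = finding.repair_code + newline
    return "".join(lines)


# Constructed sample file, as a developer might have it open in the IDE.
SAMPLE_SOURCE = '''\
import subprocess
import yaml

def load_config(text):
    return yaml.load(text)

def run(user_cmd):
    return subprocess.run("ls " + user_cmd, shell=True)
'''

if __name__ == "__main__":
    for f in scan_function(SAMPLE_SOURCE, "run"):
        print(f"{f.function}:{f.line} [{f.rule_id}] {f.message}")
        print(f"  - {f.vulnerable_code.strip()}")
        print(f"  + {f.repair_code.strip()}")
    print("global scan findings:", [f.rule_id for f in scan_module(SAMPLE_SOURCE)])
```

Scanning `run` alone reports the `shell=True` call with its line number and the repair code; applying the repair and rescanning the same function yields no findings, while the module-level scan still reports the unsafe `yaml.load` in `load_config` and would therefore hold back submission. Line-based text replacement is deliberately simple here; a production rule set would rewrite the AST node so that a repair cannot clobber unrelated code on the same line.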
Steps 202 and 204 are a brief description of the vulnerability prompting method provided by the embodiments of this specification. The method is now described in more detail with reference to FIG. 3, again taking a terminal as the execution subject. The method includes the following steps.
302. The terminal initializes the vulnerability scanning plug-in of the code writing application.
The code writing application is used to write code; a technician can use it to write code that implements a specific function. The code writing application provides a number of code writing tools, and using these tools improves the efficiency of writing code. The vulnerability scanning plug-in is installed (integrated) in the code writing application and can scan the code written there for vulnerabilities. Initializing the vulnerability scanning plug-in updates the scanning rules the plug-in uses when scanning, so that its scanning rules are kept in the latest state and the plug-in can detect the most recently discovered vulnerabilities. In some embodiments the vulnerability scanning plug-in is served by a plug-in server; the plug-in can exchange data with the plug-in server, and the plug-in server takes part in the plug-in's initialization.
In some embodiments, besides scanning code to determine whether a vulnerability exists, the vulnerability scanning plug-in can also provide repair code for a vulnerability once one has been found. In that case, initializing the vulnerability scanning plug-in updates not only the scanning rules used for scanning but also the repair scheme the plug-in uses to generate repair code.
In some embodiments, the terminal initializes the vulnerability scanning plug-in when the code writing application is started, or when the vulnerability scanning plug-in is invoked; this is not limited in this specification. Alternatively, the terminal initializes the vulnerability scanning plug-in in response to the plug-in being installed in the code writing application. Since the vulnerability scanning plug-in is installed in the code writing application, the code writing application remains running while the plug-in is initialized.
In a possible implementation, the terminal synchronizes the scanning rules stored in the vulnerability scanning plug-in with the scanning rules stored in the plug-in server, the plug-in server being the server corresponding to the vulnerability scanning plug-in.
The scanning rules stored in the vulnerability scanning plug-in are either the scanning rules obtained in a previous round of initialization or the scanning rules shipped with the plug-in at installation. The scanning rules stored on the plug-in server are the latest scanning rules. A scanning rule is a rule for carrying out vulnerability scanning, also called a vulnerability scanning rule. The scanning rules comprise a plurality of sub-rules, each of which is used to scan for a different type of vulnerability; that is, the scanning rules are a set of sub-rules. In some embodiments, the scanning rules stored on the plug-in server are uploaded by security personnel, who maintain them by updating existing scanning rules, uploading new scanning rules and deleting existing scanning rules. Synchronization makes the scanning rules stored by the vulnerability scanning plug-in identical to those stored by the plug-in server.
In this implementation, the scanning rules stored in the vulnerability scanning plug-in can be updated from the scanning rules stored on the plug-in server, so that the plug-in's scanning rules are kept up to date and its vulnerability scanning capability is improved.
The implementation above is described below by way of several examples.
Example 1. The terminal obtains the latest scanning rules from the plug-in server, the latest scanning rules being the scanning rules stored on the plug-in server. The terminal replaces the scanning rules stored in the vulnerability scanning plug-in with the latest scanning rules, thereby synchronizing the scanning rules of the vulnerability scanning plug-in and the plug-in server.
In this example, the scanning rules stored in the vulnerability scanning plug-in are replaced wholesale by those stored on the plug-in server, which achieves synchronization and guarantees the integrity of the scanning rules stored in the plug-in.
Example 2. The terminal compares the scanning rules stored in the vulnerability scanning plug-in with the scanning rules stored on the plug-in server. The terminal obtains rule update information from the plug-in server, the rule update information comprising the scanning rules that differ between the plug-in server and the vulnerability scanning plug-in. The terminal updates the scanning rules stored in the vulnerability scanning plug-in using the rule update information, thereby synchronizing the scanning rules of the vulnerability scanning plug-in and the plug-in server.
In this example, synchronization is achieved through rule update information, and rule synchronization is efficient because only the differences are transferred.
Example 3. The terminal determines the version number of the scanning rules stored in the vulnerability scanning plug-in. The terminal queries the plug-in server with the version number to obtain the rule update package corresponding to that version number. The terminal updates the scanning rules stored in the vulnerability scanning plug-in using the rule update package, thereby synchronizing the scanning rules of the vulnerability scanning plug-in and the plug-in server.
In this example, the rule update package is looked up by version number and used to synchronize the scanning rules, which is more efficient still.
In the foregoing embodiments, the initialization of the vulnerability scanning plugin is described by taking as an example that the scanning rule stored in the vulnerability scanning plugin is synchronized with the plugin server, and in other possible embodiments, the initialization further includes synchronization of the repair scheme, which includes the following steps.
In one possible implementation manner, the terminal synchronizes a repair scheme stored in the vulnerability scanning plug-in with a repair scheme stored in a plug-in server, where the plug-in server is a server corresponding to the vulnerability scanning plug-in, and the repair scheme is used for generating a repair code.
The repairing scheme stored by the vulnerability scanning plugin is a repairing scheme obtained by initializing the vulnerability scanning plugin in a round or is a repairing scheme carried by the vulnerability scanning plugin during installation. The repair scheme stored on the plug-in server is the most current repair scheme. The repair scheme is used for generating repair codes for repairing the loopholes when the loopholes are scanned out. In some embodiments, the repair schema stored on the plug-in server is uploaded by security personnel who maintain the repair schema stored on the plug-in server, including updating existing repair schemas, uploading new repair schemas, and deleting existing repair schemas. Synchronization is to make the repair scheme of the vulnerability scanning plug-in store the same as that of the plug-in server store.
Under the implementation mode, the repairing scheme stored in the vulnerability scanning plugin can be updated through the repairing scheme stored in the plugin server, so that the repairing scheme stored in the vulnerability scanning plugin is kept up to date, and the capability of the vulnerability scanning plugin for generating repairing codes is improved.
The above embodiments are described below by way of several examples.
In example 1, the terminal obtains the latest repair scheme from the plug-in server, the latest repair scheme being the one stored in the plug-in server. The terminal replaces the repair scheme stored in the vulnerability scanning plug-in with the latest repair scheme, so that the repair schemes of the plug-in and the plug-in server are synchronized.
In this implementation, the repair scheme stored on the plug-in server replaces the repair scheme stored in the vulnerability scanning plug-in, which ensures the integrity of the repair scheme stored in the plug-in.
In example 2, the terminal compares the repair scheme stored in the vulnerability scanning plug-in with the repair scheme stored in the plug-in server. The terminal obtains scheme update information from the plug-in server, the scheme update information comprising the repair schemes that differ between the plug-in server and the vulnerability scanning plug-in. The terminal then updates the repair scheme stored in the vulnerability scanning plug-in using the scheme update information, so that the repair schemes of the plug-in and the plug-in server are synchronized.
In this example, synchronization of the repair scheme is realized through scheme update information, which makes the synchronization more efficient.
In example 3, the terminal determines the version number of the repair scheme stored by the vulnerability scanning plug-in. The terminal queries the plug-in server with this version number to obtain the scheme update package corresponding to it, and updates the repair scheme stored in the vulnerability scanning plug-in using the scheme update package, so that the repair schemes of the plug-in and the plug-in server are synchronized.
In this example, the scheme update package is looked up by version number and used to synchronize the repair scheme, which makes synchronization more efficient.
Synchronization of the scanning rules and synchronization of the repair scheme may be performed separately or simultaneously during initialization; this is not limited by the embodiments of the present disclosure.
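The three synchronization examples above (full replacement, scheme update information, and a version-numbered update package), written out as an added example that is not code from the patent. The plug-in server is a constructed in-memory stand-in, all class and function names are assumptions, and the same routines serve scanning rules and repair schemes, both modelled as a versioned mapping from rule id to rule body.

```python
"""Three ways to synchronize the plug-in's stored rules with the plug-in server."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RuleStore:
    """What the vulnerability scanning plug-in keeps on the terminal."""
    version: int
    rules: dict[str, str] = field(default_factory=dict)


@dataclass
class PluginServer:
    """Constructed stand-in for the plug-in server maintained by security personnel."""
    version: int
    rules: dict[str, str]
    # Update packages keyed by the client version they upgrade from. Each entry is
    # (operation, rule id, body) with operation in {"add", "update", "delete"};
    # applying package N brings a client from version N to version N + 1.
    packages: dict[int, list[tuple[str, str, str]]]

    def latest(self) -> tuple[int, dict[str, str]]:
        return self.version, dict(self.rules)

    def update_info(self, client_rules: dict[str, str]) -> dict[str, dict[str, str]]:
        """Example 2: only the entries that differ between server and client."""
        added = {k: v for k, v in self.rules.items() if k not in client_rules}
        changed = {k: v for k, v in self.rules.items()
                   if k in client_rules and client_rules[k] != v}
        deleted = {k: client_rules[k] for k in client_rules if k not in self.rules}
        return {"added": added, "changed": changed, "deleted": deleted}

    def update_package(self, client_version: int) -> Optional[list[tuple[str, str, str]]]:
        """Example 3: chained packages from client_version up to the server version.
        Returns None when no package path exists (unknown or too-old client version)."""
        steps: list[tuple[str, str, str]] = []
        for v in range(client_version, self.version):
            if v not in self.packages:
                return None
            steps.extend(self.packages[v])
        return steps


def sync_full_replace(store: RuleStore, server: PluginServer) -> RuleStore:
    """Example 1: replace the plug-in's rules with the server's latest copy."""
    store.version, store.rules = server.latest()
    return store


def sync_by_update_info(store: RuleStore, server: PluginServer) -> RuleStore:
    """Example 2: apply only the differing entries."""
    info = server.update_info(store.rules)
    for rule_id in info["deleted"]:
        del store.rules[rule_id]
    store.rules.update(info["added"])
    store.rules.update(info["changed"])
    store.version = server.version
    return store


def sync_by_version(store: RuleStore, server: PluginServer) -> RuleStore:
    """Example 3: apply the update package for the plug-in's version number.
    Falls back to full replacement when the server has no package for that
    version, so the plug-in never keeps a partially applied rule set."""
    package = server.update_package(store.version)
    if package is None:
        return sync_full_replace(store, server)
    for op, rule_id, body in package:
        if op == "delete":
            store.rules.pop(rule_id, None)
        elif op in ("add", "update"):
            store.rules[rule_id] = body
        else:
            raise ValueError(f"unknown operation in update package: {op}")
    store.version = server.version
    return store


# Constructed sample data: a server at version 3 and a plug-in still at version 1.
SERVER = PluginServer(
    version=3,
    rules={"R001": "eval-call:v2", "R002": "shell-true:v1", "R003": "yaml-load:v1"},
    packages={
        1: [("update", "R001", "eval-call:v2"), ("delete", "R000", "")],
        2: [("add", "R003", "yaml-load:v1")],
    },
)


def stale_store() -> RuleStore:
    """A fresh copy of the plug-in's out-of-date rule set (constructed)."""
    return RuleStore(version=1, rules={"R000": "legacy:v1",
                                        "R001": "eval-call:v1",
                                        "R002": "shell-true:v1"})


if __name__ == "__main__":
    for sync in (sync_full_replace, sync_by_update_info, sync_by_version):
        synced = sync(stale_store(), SERVER)
        print(sync.__name__, synced.version, sorted(synced.rules))
```

All three routines converge on the same rule set; the version-package route transfers the least data but needs a fallback when the client's version is unknown to the server.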
304. In response to completion of the writing of any function in the code writing application, the terminal performs vulnerability scanning on the local code corresponding to the function through the vulnerability scanning plug-in of the code writing application, to determine whether a vulnerability exists in the local code.
Here, a function is the smallest set of code that implements one piece of functionality, i.e., the local code. The writing of a function is complete when the written code can realize the functionality of that function. Local code is a concept relative to global code: global code is the complete code finally submitted to the code release platform, and local code is a constituent part of the global code.
In one possible implementation, in response to completion of the writing of any function in the code writing application, the terminal invokes the vulnerability scanning plug-in, and the plug-in performs vulnerability scanning on the local code based on its stored scanning rules to determine whether a vulnerability exists in the local code.
In this implementation, when the writing of any function is completed in the code writing application, the vulnerability scanning plug-in is invoked and performs vulnerability scanning on the local code corresponding to that function based on the stored scanning rules. This achieves vulnerability scanning at function granularity, meaning that the plug-in executes one vulnerability scan each time the writing of one function is completed.
For example, in response to completion of the writing of any function in the code writing application, the terminal invokes the vulnerability scanning plug-in. The plug-in parses the local code to obtain a parsed representation of it, and analyzes the parsed representation based on the scanning rules to determine whether a vulnerability exists in the local code.
For example, in response to completion of the writing of any function in the code writing application, the terminal invokes the vulnerability scanning plug-in. The plug-in parses the local code to obtain an abstract syntax tree (AST) or an intermediate representation (IR) of the local code, and then performs, based on the scanning rules, at least one of static analysis and dynamic analysis on the AST or IR to determine whether a vulnerability exists in the local code. Static analysis refers to analyzing code without executing it in order to identify potential vulnerabilities; dynamic analysis refers to executing the code at runtime and detecting vulnerabilities by analyzing its behavior.
The scanning rules are used to implement at least one of the static analysis and the dynamic analysis described above. Static analysis includes at least one of syntax analysis, control flow analysis, data flow analysis and model checking: syntax analysis checks whether the code conforms to the syntax rules of the programming language; control flow analysis analyzes the execution paths of the code to detect possible defects; data flow analysis tracks the use of variables in the code to detect possible vulnerabilities; model checking formally verifies the code to determine whether certain security properties are satisfied. Dynamic analysis includes at least one of input validation, symbolic execution and fuzz testing: input validation simulates attacker input to test how the code responds; symbolic execution runs the code with variables treated symbolically, attempting to generate all possible inputs and paths; fuzz testing exercises the code with random or semi-random inputs in an attempt to trigger vulnerabilities.
Optionally, after step 304, the terminal performs the following steps 306 or 308 according to the actual situation, which is not limited in this embodiment of the present disclosure.
306. In the case that a vulnerability exists in the local code, the terminal displays vulnerability prompt information through the vulnerability scanning plug-in, the vulnerability prompt information being used to prompt that a vulnerability exists in the local code.
A vulnerability is code with a potential security hazard; the existence of a vulnerability in the local code indicates that the local code has a potential security hazard. The vulnerability prompt information is used to prompt that a vulnerability exists in the local code, and a technician can learn of it through the vulnerability prompt information.
In a possible implementation, in the case that a vulnerability exists in the local code, the terminal displays a vulnerability prompt popup window through the vulnerability scanning plug-in, where the popup window comprises the vulnerability prompt information and the vulnerability prompt information comprises a vulnerability location.
The vulnerability prompt popup window is displayed on the application interface of the code writing application. In some embodiments it is displayed in the middle of the application interface for a more conspicuous prompting effect; of course, it may also be displayed at other positions of the interface, which is not limited in the embodiments of the present disclosure. The vulnerability location is the location of the vulnerability in the local code.
In this implementation, when a vulnerability exists in the local code, a vulnerability prompt popup window is displayed. The popup form is more conspicuous, and the technician can learn from it that the function just written contains a vulnerability and where that vulnerability is, which facilitates repair by the technician and improves the efficiency of human-computer interaction.
In some embodiments, on the basis of the foregoing embodiments, in response to a click operation on the vulnerability prompt popup window, the terminal closes the popup window and displays the portion of the local code corresponding to the vulnerability in an emphasized manner, for example by highlighting it.
In this implementation, the portion of the local code corresponding to the vulnerability can be located quickly by clicking the vulnerability prompt popup window, which improves the efficiency of vulnerability repair by the technician.
In a possible implementation, in the case that a vulnerability exists in the local code, the terminal displays a vulnerability prompt popup window through the vulnerability scanning plug-in. The popup window comprises the vulnerability prompt information, which comprises a vulnerability location and a vulnerability repair suggestion; the vulnerability location indicates the position of the vulnerability in the local code, and the vulnerability repair suggestion comprises repair code.
The vulnerability repair suggestion is provided for the technician to read, and the repair code it comprises is code for repairing the vulnerability.
In this embodiment, when a vulnerability exists in the local code, a vulnerability prompt popup window is displayed. The popup form is more conspicuous, and the technician can learn from it where the vulnerability in the function just written is and how it is suggested to be repaired, which facilitates repair by the technician and improves the efficiency of human-computer interaction.
For example, in the case that a vulnerability exists in the local code, the terminal generates, through the vulnerability scanning plug-in, vulnerability repair code based on the repair scheme stored by the plug-in and the scanned vulnerability, the repair code being used for repairing the vulnerability. The terminal then generates the vulnerability repair suggestion from the repair code through the plug-in, and displays a vulnerability prompt popup window through the plug-in, the popup window comprising vulnerability prompt information that comprises the vulnerability location and the vulnerability repair suggestion.
In some embodiments, based on the foregoing embodiments, in response to a confirmation operation on the vulnerability repair suggestion in the vulnerability prompt popup window, the code corresponding to the vulnerability in the local code is replaced with the repair code.
In this embodiment, the portion of the local code corresponding to the vulnerability can be replaced with the repair code by performing a confirmation operation on the repair suggestion, so that the vulnerability is repaired with higher efficiency.
308. In the case that no vulnerability exists in the local code, the terminal does not display vulnerability prompt information.
Not displaying the vulnerability prompt information means that the process of writing code through the code writing application is not affected; that is, the vulnerability scanning plug-in is imperceptible when no vulnerability exists in the local code.
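Steps 304 and 306 as an added example that is not code from the patent: a minimal stand-in for the vulnerability scanning plug-in that parses one just-written function into an AST, applies scanning rules to the tree, derives repair code from a repair scheme, and replaces the vulnerable segment only after the technician confirms the suggestion. The two rules, their repairs, the sample function and all names are constructed assumptions, and the same scan is reused to gate submission of the global code.

```python
"""Function-granularity AST scanning with a repair scheme and confirmation-gated repair."""
import ast
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Finding:
    rule_id: str
    message: str
    lineno: int                # vulnerability location: 1-based line
    col: int                   # UTF-8 byte offset in that line, as ast reports it
    end_lineno: int
    end_col: int
    repair_code: Optional[str]  # None when the repair scheme has no entry


def _callee(node: ast.Call) -> str:
    """Dotted name of the called function, e.g. 'eval' or 'subprocess.run'."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


# Scanning rules (static analysis over the AST): a message when the node matches.
def rule_eval(node: ast.AST) -> Optional[str]:
    if isinstance(node, ast.Call) and _callee(node) == "eval":
        return "eval() executes arbitrary code from a string"
    return None


def rule_shell_true(node: ast.AST) -> Optional[str]:
    if isinstance(node, ast.Call) and _callee(node).startswith("subprocess."):
        for kw in node.keywords:
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                return "subprocess call with shell=True is exposed to command injection"
    return None


SCANNING_RULES: dict[str, Callable[[ast.AST], Optional[str]]] = {
    "R001": rule_eval,
    "R002": rule_shell_true,
}

# Repair scheme: per rule id, derive repair code from the vulnerable source segment.
REPAIR_SCHEME: dict[str, Callable[[str], str]] = {
    "R001": lambda seg: "ast.literal_eval(" + seg[len("eval("):],  # literals only
    "R002": lambda seg: seg.replace("shell=True", "shell=False"),
}


def scan_function(source: str) -> list[Finding]:
    """Scan the source of one function (the local code); findings ordered by position."""
    tree = ast.parse(source)
    findings: list[Finding] = []
    for node in ast.walk(tree):
        for rule_id, rule in SCANNING_RULES.items():
            message = rule(node)
            if message is None:
                continue
            segment = ast.get_source_segment(source, node) or ""
            repair = REPAIR_SCHEME.get(rule_id)
            findings.append(Finding(rule_id, message, node.lineno, node.col_offset,
                                    node.end_lineno, node.end_col_offset,
                                    repair(segment) if repair else None))
    findings.sort(key=lambda f: (f.lineno, f.col))
    return findings


def apply_repair(source: str, finding: Finding, confirmed: bool) -> str:
    """Replace the vulnerable segment with the repair code, only on confirmation.
    ast offsets are byte-based, so the splice is done on the UTF-8 encoding."""
    if not confirmed or finding.repair_code is None:
        return source
    data = source.encode("utf-8")
    lines = data.splitlines(keepends=True)
    start = sum(len(l) for l in lines[:finding.lineno - 1]) + finding.col
    end = sum(len(l) for l in lines[:finding.end_lineno - 1]) + finding.end_col
    return (data[:start] + finding.repair_code.encode("utf-8") + data[end:]).decode("utf-8")


def may_submit(global_code: str) -> tuple[bool, list[Finding]]:
    """Pre-submission check on the global code: submit only when nothing is found."""
    findings = scan_function(global_code)
    return (not findings), findings


# Constructed sample of a just-written function that triggers both rules.
SAMPLE_FUNCTION = """\
def load_config(text, cmd):
    data = eval(text)
    subprocess.run(cmd, shell=True)
    return data
"""

if __name__ == "__main__":
    code = SAMPLE_FUNCTION
    # Re-scan after each confirmed repair: an edit invalidates the later offsets.
    while (findings := scan_function(code)):
        f = findings[0]
        print(f"line {f.lineno}: {f.message}; suggested fix: {f.repair_code}")
        code = apply_repair(code, f, confirmed=True)
    print(code)
```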
Optionally, after the above steps 306 or 308, the terminal can also perform the following step 310.
310. In response to a code submission operation on the global code in the code writing application, the terminal submits the global code to the code release platform.
The global code is the complete code finally submitted to the code release platform. The code release platform collects code uploaded by terminals and assembles the collected code to generate an application program realizing a specific function; it should be noted that the code release platform can collect code uploaded by a plurality of terminals. The code submission operation submits the global code to the code release platform; in some embodiments, it comprises a click operation on a code submission control in the code writing application.
In one possible implementation, in response to a code submission operation on the global code in the code writing application, the terminal performs vulnerability scanning on the global code through the vulnerability scanning plug-in to determine whether a vulnerability exists in the global code. In the case that a vulnerability exists in the global code, the terminal displays vulnerability prompt information through the plug-in, the prompt information being used to prompt that a vulnerability exists in the global code. In the case that no vulnerability exists in the global code, the terminal submits the global code to the code release platform.
In this implementation, before the global code is submitted to the code release platform, vulnerability scanning is performed on it again: if a vulnerability exists, vulnerability prompt information is displayed to remind the technician to repair it, and only if no vulnerability exists is the global code submitted. This reduces the probability of a vulnerability remaining in the global code and improves vulnerability repair efficiency.
To describe the above embodiments more clearly, they are described below in three parts.
First part: in response to a code submission operation on the global code in the code writing application, the terminal performs vulnerability scanning on the global code through the vulnerability scanning plug-in to determine whether a vulnerability exists in the global code.
In one possible implementation, in response to a code submission operation on the global code in the code writing application, the terminal sends the global code to the vulnerability scanning plug-in through the code submission tool of the code writing application, and the plug-in performs vulnerability scanning on the global code based on its stored scanning rules to determine whether a vulnerability exists in the global code.
For example, in response to a click operation on the code submission control in the code writing application, the terminal sends the global code to the vulnerability scanning plug-in through the code submission tool. The plug-in parses the global code to obtain a parsed representation of it, and analyzes the parsed representation based on the scanning rules to determine whether a vulnerability exists in the global code.
For example, in response to a click operation on the code submission control in the code writing application, the terminal sends the global code to the vulnerability scanning plug-in through the code submission tool. The plug-in parses the global code to obtain an abstract syntax tree or an intermediate representation of the global code, and performs, based on the scanning rules, at least one of static analysis and dynamic analysis on that representation to determine whether a vulnerability exists in the global code.
Second part: in the case that a vulnerability exists in the global code, the terminal displays vulnerability prompt information through the vulnerability scanning plug-in, the vulnerability prompt information being used to prompt that a vulnerability exists in the global code.
In a possible implementation, in the case that a vulnerability exists in the global code, the terminal displays a vulnerability prompt popup window through the vulnerability scanning plug-in, where the popup window comprises the vulnerability prompt information and the vulnerability prompt information comprises a vulnerability location.
In this embodiment, when a vulnerability exists in the global code, a vulnerability prompt popup window is displayed. The popup form is more conspicuous, and the technician can learn from it that the function just written contains a vulnerability and where that vulnerability is, so that the technician can repair it, and the efficiency of human-computer interaction is higher.
In some embodiments, on the basis of the foregoing embodiments, in response to a click operation on the vulnerability prompt popup window, the terminal closes the popup window and displays the portion of the global code corresponding to the vulnerability in an emphasized manner, for example by highlighting it.
In this implementation, the portion of the global code corresponding to the vulnerability can be located quickly by clicking the vulnerability prompt popup window, which improves the efficiency of vulnerability repair by the technician.
In a possible implementation, in the case that a vulnerability exists in the global code, the terminal displays a vulnerability prompt popup window through the vulnerability scanning plug-in. The popup window comprises the vulnerability prompt information, which comprises a vulnerability location and a vulnerability repair suggestion; the vulnerability location indicates the position of the vulnerability in the global code, and the vulnerability repair suggestion comprises repair code.
The vulnerability repair suggestion is provided for the technician to read, and the repair code it comprises is code for repairing the vulnerability.
In this embodiment, when a vulnerability exists in the global code, a vulnerability prompt popup window is displayed. The popup form is more conspicuous, and the technician can learn from it where the vulnerability in the function just written is and how it is suggested to be repaired, which facilitates repair by the technician and improves the efficiency of human-computer interaction.
For example, in the case that a vulnerability exists in the global code, the terminal generates, through the vulnerability scanning plug-in, vulnerability repair code based on the repair scheme stored by the plug-in and the scanned vulnerability, the repair code being used for repairing the vulnerability. The terminal then generates the vulnerability repair suggestion from the repair code through the plug-in, and displays a vulnerability prompt popup window through the plug-in, the popup window comprising vulnerability prompt information that comprises the vulnerability location and the vulnerability repair suggestion.
In some embodiments, based on the foregoing embodiments, in response to a confirmation operation on the vulnerability repair suggestion in the vulnerability prompt popup window, the code corresponding to the vulnerability in the global code is replaced with the repair code.
In this implementation, the portion of the global code corresponding to the vulnerability can be replaced with the repair code by performing a confirmation operation on the vulnerability repair suggestion, so that the vulnerability is repaired with higher efficiency.
Third part: in the case that no vulnerability exists in the global code, the terminal submits the global code to the code release platform.
In one possible implementation, in the case that no vulnerability exists in the global code, the terminal submits the global code to the code release platform through the code submission tool of the code writing application.
Optionally, the terminal can also perform the following steps.
In one possible implementation, the terminal uploads the vulnerability scanning result and a target object identifier to the plug-in server through the vulnerability scanning plug-in, so that the plug-in server updates the code security ranking of the object identified by the target object identifier. The target object identifier is the object identifier used to log in to the code writing application, and the plug-in server is the server corresponding to the vulnerability scanning plug-in.
The vulnerability scanning result can be the result of vulnerability scanning on the local code or on the global code, and it comprises the number of vulnerabilities and their types. The target object is the object that writes code using the code writing application, and the target object identifier is the account number or identity of the target object. The code security ranking reflects how many vulnerabilities are in the written code: the fewer vulnerabilities, the higher the ranking; the more vulnerabilities, the lower the ranking. In this case, security training may be organized periodically for objects with lower security rankings.
In one possible implementation, the terminal scores the local code and the global code through the vulnerability scanning plug-in to obtain a security score, which is related to the number and types of vulnerabilities in the local code and the global code. The terminal uploads the security score and the target object identifier to the plug-in server through the plug-in, so that the plug-in server updates the code security ranking of the object identified by the target object identifier.
The above steps 302-310 will be described below in connection with fig. 4.
Referring to FIG. 4, a code writing application 401 includes a vulnerability scanning plug-in 4011 and a code submission tool 4012. Security personnel issue scanning rules and vulnerability repair schemes to the plug-in server 402, and the terminal synchronizes the vulnerability scanning plug-in 4011 with the scanning rules and repair schemes stored on the plug-in server 402. In response to completion of the writing of any function in the code writing application 401, the terminal performs vulnerability scanning on the local code A corresponding to the function through the vulnerability scanning plug-in 4011 to determine whether a vulnerability exists in local code A. In response to a code submission operation on global code B in the code writing application 401, the terminal sends global code B to the vulnerability scanning plug-in 4011 through the code submission tool 4012, and the plug-in performs vulnerability scanning on global code B to determine whether a vulnerability exists in it. In the case that no vulnerability exists in global code B, the terminal submits global code B to the code release platform 403 through the code submission tool 4012.
All the above optional solutions may be combined arbitrarily to form an optional embodiment of the present specification, which is not described herein.
According to the technical solution provided by the embodiments of the present specification, in response to completion of the writing of any function in the code writing application, the vulnerability scanning plug-in of the code writing application performs vulnerability scanning on the local code corresponding to that function to determine whether a vulnerability exists in the local code; that is, real-time local vulnerability scanning is realized using the vulnerability scanning plug-in. In the case that a vulnerability exists in the local code, vulnerability prompt information is displayed through the plug-in to prompt that the local code contains a vulnerability. Local vulnerability scanning at function granularity is thus realized, vulnerabilities in the code can be flagged during the code writing stage, vulnerability scanning efficiency is improved, and the cost of vulnerability repair is reduced.
In other words, the technical solution provided by the embodiments of the present specification integrates security scanning capability into the technician's code writing application, so that risks and vulnerabilities in code are found earlier and more promptly and the technician can repair them in time, reducing both working cost and risk. At the same time, security personnel can better target security awareness training according to the technician's day-to-day code development.
Fig. 5 is a schematic structural diagram of a vulnerability prompting device provided in an embodiment of the present disclosure, referring to fig. 5, the device includes: vulnerability scanning module 501 and vulnerability prompting module 502.
The vulnerability scanning module 501 is configured to respond to completing the writing of any function in the code writing application, and perform vulnerability scanning on a local code corresponding to the function through a vulnerability scanning plug-in of the code writing application, so as to determine whether a vulnerability exists in the local code.
The vulnerability prompting module 502 is configured to display vulnerability prompting information through the vulnerability scanning plug-in when a vulnerability exists in the local code, where the vulnerability prompting information is used to prompt that a vulnerability exists in the local code.
In one possible implementation, the vulnerability scanning module 501 is configured to invoke the vulnerability scanning plug-in response to completing the writing of any function in the code writing application. Vulnerability scanning is performed on the local code by the vulnerability scanning plug-in based on stored scanning rules.
In one possible embodiment, the apparatus further comprises:
a first synchronization module, configured to synchronize the scanning rules stored in the vulnerability scanning plug-in with the scanning rules stored in the plug-in server, where the plug-in server is the server corresponding to the vulnerability scanning plug-in.
In a possible implementation manner, the vulnerability prompting module 502 is configured to display, by using the vulnerability scanning plug-in, a vulnerability prompting popup when a vulnerability exists in the local code, where the vulnerability prompting popup includes the vulnerability prompting information, and the vulnerability prompting information includes a vulnerability location and a vulnerability repair suggestion, where the vulnerability location is used to indicate a location of a vulnerability in the local code, and the vulnerability repair suggestion includes a repair code.
In one possible embodiment, the apparatus further comprises:
a replacing module, configured to replace the code corresponding to the vulnerability in the local code with the repair code in response to a confirmation operation on the vulnerability repair suggestion in the vulnerability prompt popup window.
In one possible embodiment, the apparatus further comprises:
a second synchronization module, configured to synchronize the repair scheme stored in the vulnerability scanning plug-in with the repair scheme stored in the plug-in server, where the plug-in server is the server corresponding to the vulnerability scanning plug-in and the repair scheme is used for generating repair code.
In one possible embodiment, the apparatus further comprises:
a submitting module, configured to, in response to a code submission operation on the global code in the code writing application, perform vulnerability scanning on the global code through the vulnerability scanning plug-in to determine whether a vulnerability exists in the global code; display vulnerability prompt information through the plug-in in the case that a vulnerability exists in the global code, the prompt information being used to prompt that a vulnerability exists in the global code; and submit the global code to the code release platform in the case that no vulnerability exists in the global code.
In one possible implementation, the commit module is configured to send the global code to the vulnerability scanning plugin through a code commit tool of the code writing application in response to a code commit operation on the global code in the code writing application. Vulnerability scanning is performed on the global code by the vulnerability scanning plug-in based on stored scanning rules.
In one possible embodiment, the apparatus further comprises:
an uploading module, configured to upload the vulnerability scanning result and a target object identifier to the plug-in server through the vulnerability scanning plug-in, so that the plug-in server updates the code security ranking of the object identified by the target object identifier, where the target object identifier is the object identifier used to log in to the code writing application and the plug-in server is the server corresponding to the vulnerability scanning plug-in.
It should be noted that: in the vulnerability prompting apparatus provided in the foregoing embodiment, only the division of the functional modules is used for illustration, and in practical application, the functional allocation may be completed by different functional modules according to needs, that is, the internal structure of the computer device is divided into different functional modules, so as to complete all or part of the functions described above. In addition, the vulnerability presentation device provided in the above embodiment and the vulnerability presentation method embodiment belong to the same concept, and the specific implementation process is detailed in the method embodiment, which is not described herein again.
The embodiments of the present specification provide a computer device for performing the above method, where the computer device may be implemented as a terminal, and the structure of the terminal is described below:
Fig. 6 is a schematic structural diagram of a terminal according to an embodiment of the present disclosure. The terminal 600 may be a smart phone, tablet computer, notebook computer or desktop computer. Terminal 600 may also be referred to by other names such as user device, portable terminal, laptop terminal or desktop terminal.
In general, the terminal 600 includes: one or more processors 601 and one or more memories 602.
Processor 601 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and the like. The processor 601 may be implemented in at least one hardware form among a DSP (Digital Signal Processor), an FPGA (Field-Programmable Gate Array) and a PLA (Programmable Logic Array). The processor 601 may also include a main processor and a coprocessor; the main processor, also called a CPU (Central Processing Unit), processes data in the awake state, while the coprocessor is a low-power processor that processes data in the standby state. In some embodiments, the processor 601 may integrate a GPU (Graphics Processing Unit) for rendering and drawing the content to be shown on the display screen. In some embodiments, the processor 601 may also include an AI (Artificial Intelligence) processor for computing operations related to machine learning.
The memory 602 may include one or more computer-readable storage media, which may be non-transitory. The memory 602 may also include high-speed random access memory as well as non-volatile memory, such as one or more magnetic disk storage devices or flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in memory 602 stores at least one computer program that is executed by processor 601 to implement the vulnerability prompting method provided by the method embodiments in the present specification.
In some embodiments, the terminal 600 may further optionally include: a peripheral interface 603, and at least one peripheral. The processor 601, memory 602, and peripheral interface 603 may be connected by a bus or signal line. The individual peripheral devices may be connected to the peripheral device interface 603 via buses, signal lines or a circuit board. Specifically, the peripheral device includes: at least one of radio frequency circuitry 604, a display 605, a camera assembly 606, audio circuitry 607, and a power supply 608.
Peripheral interface 603 may be used to connect at least one Input/Output (I/O) related peripheral to processor 601 and memory 602. In some embodiments, the processor 601, memory 602, and peripheral interface 603 are integrated on the same chip or circuit board; in some other embodiments, either or both of the processor 601, memory 602, and peripheral interface 603 may be implemented on separate chips or circuit boards, which is not limited in this embodiment.
The Radio Frequency circuit 604 is configured to receive and transmit RF (Radio Frequency) signals, also known as electromagnetic signals. The radio frequency circuit 604 communicates with a communication network and other communication devices via electromagnetic signals. The radio frequency circuit 604 converts an electrical signal into an electromagnetic signal for transmission, or converts a received electromagnetic signal into an electrical signal. Optionally, the radio frequency circuit 604 includes: antenna systems, RF transceivers, one or more amplifiers, tuners, oscillators, digital signal processors, codec chipsets, subscriber identity module cards, and so forth.
The display screen 605 is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. When the display 605 is a touch display, the display 605 also has the ability to collect touch signals at or above the surface of the display 605. The touch signal may be input as a control signal to the processor 601 for processing. At this point, the display 605 may also be used to provide virtual buttons and/or virtual keyboards, also referred to as soft buttons and/or soft keyboards.
The camera assembly 606 is used to capture images or video. Optionally, the camera assembly 606 includes a front camera and a rear camera. Typically, the front camera is disposed on the front panel of the terminal and the rear camera is disposed on the rear surface of the terminal.
The audio circuit 607 may include a microphone and a speaker. The microphone is used for collecting sound waves of users and environments, converting the sound waves into electric signals, and inputting the electric signals to the processor 601 for processing, or inputting the electric signals to the radio frequency circuit 604 for voice communication.
The power supply 608 is used to power the various components in the terminal 600. The power source 608 may be alternating current, direct current, disposable or rechargeable.
In some embodiments, the terminal 600 further includes one or more sensors 609. The one or more sensors 609 include, but are not limited to: acceleration sensor 610, gyroscope sensor 611, pressure sensor 612, optical sensor 613, and proximity sensor 614.
The acceleration sensor 610 may detect the magnitudes of accelerations on three coordinate axes of the coordinate system established with the terminal 600.
The gyro sensor 611 may be used to collect 3D motion of the user on the terminal 600 in cooperation with the acceleration sensor 610, and the gyro sensor 611 may be used to collect the body direction and the rotation angle of the terminal 600.
The pressure sensor 612 may be disposed at a side frame of the terminal 600 and/or at a lower layer of the display 605. When the pressure sensor 612 is disposed at a side frame of the terminal 600, a grip signal of the user to the terminal 600 may be detected, and the processor 601 performs a left-right hand recognition or a shortcut operation according to the grip signal collected by the pressure sensor 612. When the pressure sensor 612 is disposed at the lower layer of the display screen 605, the processor 601 controls the operability control on the UI interface according to the pressure operation of the user on the display screen 605.
The optical sensor 613 is used to collect the intensity of ambient light. In one embodiment, processor 601 may control the display brightness of display 605 based on the intensity of ambient light collected by optical sensor 613.
The proximity sensor 614 is used to collect the distance between the user and the front of the terminal 600.
Those skilled in the art will appreciate that the structure shown in fig. 6 is not limiting of the terminal 600 and may include more or fewer components than shown, or may combine certain components, or may employ a different arrangement of components.
In an exemplary embodiment, a computer readable storage medium, e.g. a memory comprising a computer program executable by a processor to perform the vulnerability prompting method of the above embodiment, is also provided. For example, the computer readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a Compact Disc Read-Only Memory (CD-ROM), a magnetic tape, a floppy disk, an optical data storage device, and the like.
In an exemplary embodiment, a computer program product or a computer program is also provided, which comprises a program code, which is stored in a computer readable storage medium, from which the processor of the computer device reads the program code, which is executed by the processor, such that the computer device performs the above-mentioned vulnerability prompting method.
In some embodiments, the computer program according to the embodiments of the present specification may be deployed to be executed on one computer device or on a plurality of computer devices located at one site, or on a plurality of computer devices distributed at a plurality of sites and interconnected by a communication network, where the plurality of computer devices distributed at a plurality of sites and interconnected by a communication network may constitute a blockchain system.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program for instructing relevant hardware, where the program may be stored in a computer readable storage medium, and the above storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The foregoing description of the preferred embodiments is merely exemplary in nature and is not intended to limit the invention, thus, any modification, equivalent replacement, improvement, or the like that comes within the spirit and principles of the present invention are intended to be included in the scope of the present invention.

Claims (13)

1. A vulnerability prompting method, the method comprising:
in response to completing the writing of any function in a code writing application, performing vulnerability scanning on the local code corresponding to the function through a vulnerability scanning plug-in of the code writing application to determine whether a vulnerability exists in the local code;
and displaying vulnerability prompting information through the vulnerability scanning plug-in when a vulnerability exists in the local code, wherein the vulnerability prompting information is used for prompting that the vulnerability exists in the local code.
2. The method of claim 1, wherein the performing, in response to completing the writing of any function in the code writing application, vulnerability scanning on the local code corresponding to the function through the vulnerability scanning plug-in of the code writing application comprises:
calling the vulnerability scanning plug-in in response to completing the writing of any function in the code writing application;
and performing vulnerability scanning on the local code based on a stored scanning rule by the vulnerability scanning plug-in.
3. The method of claim 2, further comprising, prior to calling the vulnerability scanning plug-in in response to completing the writing of any function in the code writing application:
and synchronizing the scanning rules stored by the vulnerability scanning plug-in with the scanning rules stored on a plug-in server, wherein the plug-in server is a server corresponding to the vulnerability scanning plug-in.
4. The method of claim 1, wherein the displaying vulnerability prompting information through the vulnerability scanning plug-in when a vulnerability exists in the local code comprises:
when a vulnerability exists in the local code, displaying a vulnerability prompt popup through the vulnerability scanning plug-in, wherein the vulnerability prompt popup comprises the vulnerability prompting information, the vulnerability prompting information comprises a vulnerability position and a vulnerability repair suggestion, the vulnerability position is used for indicating the position of the vulnerability in the local code, and the vulnerability repair suggestion comprises repair code.
5. The method of claim 4, wherein, after displaying the vulnerability prompt popup through the vulnerability scanning plug-in when a vulnerability exists in the local code, the method further comprises:
in response to a confirmation operation on the vulnerability repair suggestion in the vulnerability prompt popup, replacing the code corresponding to the vulnerability in the local code with the repair code.
6. The method of claim 4, further comprising, before displaying the vulnerability prompt popup through the vulnerability scanning plug-in when a vulnerability exists in the local code:
and synchronizing the repair scheme stored by the vulnerability scanning plug-in with the repair scheme stored on a plug-in server, wherein the plug-in server is a server corresponding to the vulnerability scanning plug-in, and the repair scheme is used for generating a repair code.
7. The method of claim 1, the method further comprising:
in response to a code submission operation on global code in the code writing application, performing vulnerability scanning on the global code through the vulnerability scanning plug-in to determine whether a vulnerability exists in the global code;
displaying vulnerability prompting information through the vulnerability scanning plug-in when a vulnerability exists in the global code, wherein the vulnerability prompting information is used for prompting that the vulnerability exists in the global code;
and submitting the global code to a code release platform when no vulnerability exists in the global code.
8. The method of claim 7, wherein the performing vulnerability scanning on the global code through the vulnerability scanning plug-in in response to the code submission operation on the global code in the code writing application comprises:
in response to the code submission operation on the global code in the code writing application, sending the global code to the vulnerability scanning plug-in through a code submission tool of the code writing application;
and performing vulnerability scanning on the global code based on a stored scanning rule by the vulnerability scanning plug-in.
9. The method of claim 1, wherein, after performing vulnerability scanning on the local code corresponding to the function through the vulnerability scanning plug-in of the code writing application in response to completing the writing of any function in the code writing application, the method further comprises:
uploading a vulnerability scanning result and a target object identifier to a plug-in server through the vulnerability scanning plug-in, so that the plug-in server updates the code security ranking of the object identified by the target object identifier, wherein the target object identifier is the object identifier used to log in to the code writing application, and the plug-in server is a server corresponding to the vulnerability scanning plug-in.
10. A vulnerability prompting apparatus, the apparatus comprising:
a vulnerability scanning module, configured to perform, in response to completing the writing of any function in a code writing application, vulnerability scanning on the local code corresponding to the function through a vulnerability scanning plug-in of the code writing application, so as to determine whether a vulnerability exists in the local code;
the vulnerability prompting module is used for displaying vulnerability prompting information through the vulnerability scanning plug-in when the vulnerability exists in the local code, and the vulnerability prompting information is used for prompting that the vulnerability exists in the local code.
11. A computer device comprising one or more processors and one or more memories, the one or more memories having stored therein at least one computer program loaded and executed by the one or more processors to implement the vulnerability prompting method of any of claims 1-9.
12. A computer readable storage medium having stored therein at least one computer program that is loaded and executed by a processor to implement the vulnerability prompting method of any one of claims 1-9.
13. A computer program product comprising a computer program which when executed by a processor implements the vulnerability prompting method of any one of claims 1 to 9.
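The following Python sketch is an added illustration of the plug-in-side procedure described in the summary above and in claims 1 through 8; it is not code from the patent or its applicant. The rule patterns, the `os.environ` repair scheme, the rule identifiers and the sample function are constructed assumptions standing in for the scanning rules and repair schemes the plug-in would synchronise from the plug-in server.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ScanRule:
    """A stored scanning rule: a pattern to detect plus the repair scheme
    (a template) from which the repair code is generated."""
    rule_id: str
    pattern: str
    message: str
    repair_template: str

# Constructed rules standing in for those the plug-in syncs from the plug-in server.
SERVER_RULES = {
    "R1": ScanRule("R1", r"\beval\((.*)\)", "eval() on untrusted input",
                   r"ast.literal_eval(\1)"),
    "R2": ScanRule("R2", r'password\s*=\s*"[^"]*"', "hard-coded credential",
                   'password = os.environ["APP_PASSWORD"]'),
}

@dataclass(frozen=True)
class VulnerabilityPrompt:
    """Prompt information for the popup: vulnerability position plus repair code."""
    rule_id: str
    line: int        # 1-based line number within the scanned code
    col_start: int   # 0-based span of the offending code on that line
    col_end: int
    message: str
    repair_code: str

def sync_rules(local_rules, server_rules):
    """Claim 3: the server's copy of each rule wins; rules only held locally are kept."""
    return {**local_rules, **server_rules}

def scan_code(code, rules):
    """Claims 1-2: apply every stored rule to the code and collect prompts."""
    prompts = []
    for lineno, text in enumerate(code.splitlines(), start=1):
        for rule in rules.values():
            for m in re.finditer(rule.pattern, text):
                prompts.append(VulnerabilityPrompt(rule.rule_id, lineno, m.start(), m.end(),
                                                   rule.message, m.expand(rule.repair_template)))
    return prompts

def apply_repair(code, prompt):
    """Claim 5: on confirmation, replace the flagged span with the repair code."""
    lines = code.splitlines()
    text = lines[prompt.line - 1]
    lines[prompt.line - 1] = text[:prompt.col_start] + prompt.repair_code + text[prompt.col_end:]
    return "\n".join(lines) + "\n"

def gate_commit(global_code, rules):
    """Claim 7: scan the whole file on commit; submit only when nothing is found."""
    prompts = scan_code(global_code, rules)
    return len(prompts) == 0, prompts

# Constructed sample: the function the developer has just finished writing.
LOCAL_CODE = 'def load_settings(user_input):\n    password = "hunter2"\n    return eval(user_input)\n'

if __name__ == "__main__":
    rules = sync_rules({}, SERVER_RULES)
    for p in scan_code(LOCAL_CODE, rules):
        print(f"line {p.line}, col {p.col_start + 1}: {p.message}; suggested: {p.repair_code}")
```

Applying both suggested repairs and rescanning the result shows the commit gate passing, which is the check a practitioner would want before trusting a repair scheme: the repaired code must not re-trigger the rule that produced it.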

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311520450.9A CN117633807A (en) 2023-11-14 2023-11-14 Vulnerability prompting method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117633807A true CN117633807A (en) 2024-03-01

Family

ID=90027910

Country Status (1)

Country Link
CN (1) CN117633807A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination