CN117932613A - Method and device for analyzing vulnerability influence range by code traceability and electronic equipment - Google Patents


Info

Publication number: CN117932613A
Application number: CN202311827050.2A
Authority: CN (China)
Prior art keywords: information, vulnerability, target, component, source code
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 柯竣林, 万振华, 王颉, 李华, 董燕
Current assignee: Seczone Technology Co Ltd
Original assignee: Seczone Technology Co Ltd
Landscapes

  • Stored Programmes (AREA)

Abstract

The invention relates to a vulnerability analysis technology, and discloses a method, a device and electronic equipment for code traceability vulnerability influence range analysis, wherein the method comprises the following steps: respectively obtaining a vulnerability information set, a component version information set and a component source code information set according to a preset target component list; selecting vulnerability information in the vulnerability information set one by one as target vulnerability information, and screening component source code information corresponding to the target vulnerability information from the component source code information set to serve as target vulnerability source code information; performing code tracing matching on the target vulnerability source code information and the target vulnerability information to obtain matching component information, and collecting all the matching component information into a matching component information set; and generating vulnerability influence range information according to the matching component information set and the component version information set. By means of the code traceability analysis and influence range standardization representation, accuracy of vulnerability influence range analysis can be improved.

Description

Method and device for analyzing vulnerability influence range by code traceability and electronic equipment
Technical Field
The invention relates to the technical field of vulnerability analysis, in particular to a method, a device and electronic equipment for analyzing vulnerability influence range by code traceability.
Background
Modern software is typically composed of many components, libraries and frameworks, which may come from different vendors and be nested within one system. Any of these components may contain vulnerabilities that affect the whole software ecosystem, so vulnerability impact scope analysis is required.
Existing vulnerability impact range analysis methods are mostly based on user vulnerability reports, that is, the impact range is analyzed according to the vulnerability reports submitted by users. Because the sources and quality of such reports are uneven, missed reports and false reports occur, which affects the accuracy of the vulnerability analysis and lowers the accuracy of the vulnerability impact range analysis.
Disclosure of Invention
The invention provides a method, a device and electronic equipment for analyzing a vulnerability influence range by code traceability, and mainly aims to solve the problem of lower accuracy in vulnerability influence range analysis.
In order to achieve the above object, the method for tracing and analyzing the vulnerability impact range by using the code provided by the invention comprises the following steps: respectively obtaining a vulnerability information set, a component version information set and a component source code information set according to a preset target component list; selecting vulnerability information in the vulnerability information set one by one as target vulnerability information, and screening component source code information corresponding to the target vulnerability information from the component source code information set to serve as target vulnerability source code information; performing code tracing matching on the target vulnerability source code information and the target vulnerability information to obtain matching component information, and collecting all the matching component information into a matching component information set; and generating vulnerability influence range information according to the matched component information set and the component version information set.
In order to solve the above problems, the present invention further provides a device for code traceability analysis of vulnerability impact range, where the device includes: the data acquisition module is used for respectively acquiring a vulnerability information set, a component version information set and a component source code information set according to a preset target component list; the vulnerability matching module is used for selecting vulnerability information in the vulnerability information set one by one as target vulnerability information, and screening component source code information corresponding to the target vulnerability information from the component source code information set to serve as target vulnerability source code information; the tracing matching module is used for carrying out code tracing matching on the target vulnerability source code information and the target vulnerability information to obtain matching component information, and collecting all the matching component information into a matching component information set; and the information generation module is used for generating vulnerability influence range information according to the matched component information set and the component version information set.
In order to solve the above problems, the present invention also provides an electronic device including:
At least one processor; and
A memory communicatively coupled to the at least one processor; wherein,
The memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the method of code traceability vulnerability scope analysis described above.
According to the embodiment of the invention, the vulnerability information set, the component version information set and the component source code information set are obtained according to the preset target component list, so that the repair record information, source code and other information corresponding to the components that need vulnerability analysis, together with the respective version numbers of those components, can be obtained; this improves the comprehensiveness of the vulnerability analysis and therefore its accuracy. The component source code information corresponding to the target vulnerability information is screened out of the component source code information set as the target vulnerability source code information, so that the names and corresponding version ranges of the component source code corresponding to the target vulnerability information can be determined and the source code of the affected components can be matched more accurately, which improves the accuracy of the vulnerability analysis. Code tracing matching then allows the component numbers and corresponding version ranges of the affected component source code in the component source code information set to be matched accurately, and generating the influence range information from the component version numbers, the standardized vulnerability information set and the influence range specification further improves the accuracy of the vulnerability analysis. Therefore, the method, the device and the electronic equipment for analyzing the vulnerability influence range by tracing the code can solve the problem of lower accuracy in the process of analyzing the vulnerability influence range.
Drawings
FIG. 1 is a flowchart illustrating a method for tracing a code to analyze vulnerability impact scope according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating the extraction of a vulnerability information set according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating the generation of vulnerability influence range information according to an embodiment of the present invention;
FIG. 4 is a functional block diagram of an apparatus for code traceability vulnerability analysis according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an electronic device for implementing a method for analyzing a vulnerability impact range by tracing a code according to an embodiment of the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The embodiment of the application provides a method for tracing and analyzing a vulnerability influence range by codes. The execution subject of the method for analyzing the vulnerability impact range by the code traceability includes, but is not limited to, at least one of a server, a terminal and the like capable of being configured to execute the method provided by the embodiment of the application. In other words, the method of analyzing the vulnerability impact scope by tracing the code may be performed by software or hardware installed in a terminal device or a server device, and the software may be a blockchain platform. The service side includes, but is not limited to: a single server, a server cluster, a cloud server or a cloud server cluster, and the like. The server may be an independent server, or may be a cloud server that provides cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, content delivery networks (Content Delivery Network, CDN), and basic cloud computing services such as big data and artificial intelligence platforms.
Referring to fig. 1, a flow chart of a method for tracing and analyzing vulnerability impact scope by using codes according to an embodiment of the invention is shown. In this embodiment, the method for tracing and analyzing the vulnerability impact range by the code includes:
S1, respectively obtaining a vulnerability information set, a component version information set and a component source code information set according to a preset target component list.
In the embodiment of the invention, the target component list is a list containing the names of all the components that need vulnerability analysis; it can be obtained by performing component ecosystem analysis on the software to be analyzed. Each piece of vulnerability information in the vulnerability information set comprises the component information affected by the vulnerability, the version range information corresponding to that component information, the vulnerability repair code and the submission record corresponding to the vulnerability repair code. The component information is the name of the component affected by the vulnerability; the version range information is the range of version numbers of that component affected by the vulnerability; the vulnerability repair code is the repaired code corresponding to the affected component; and the submission record comprises the vulnerability description, repair measures, associated issues, test information and the like.
In detail, each piece of component version information in the component version information set includes the name, version number and release time of the component; each piece of component source code information in the component source code information set includes the name of the component, the component source code, the storage path of the component source code and the version tag (Version Tag) of the component source code.
In the embodiment of the invention, a vulnerability information set, a component version information set and a component source code information set are respectively obtained according to a preset target component list, and the method comprises the following steps: extracting a vulnerability information set from a preset vulnerability platform according to a preset target component list; extracting a component version information set from a preset information platform according to a target component list; and extracting a component source code information set from a preset code platform according to the target component list.
In detail, the vulnerability platform may be a vulnerability feedback platform such as the Common Vulnerabilities and Exposures (CVE) platform or Snyk; the information platform may be a component information management repository such as Maven or the Node Package Manager (npm); and the code platform may be an open source code community platform such as GitHub or GitLab.
In the embodiment of the present invention, referring to fig. 2, extracting a vulnerability information set from a preset vulnerability platform according to a preset target component list includes:
S21, carrying out webpage analysis on a preset vulnerability platform to obtain a vulnerability webpage document;
S22, element labeling is carried out on the vulnerability web page document, and a web page element document is obtained;
S23, performing text semantic analysis on the webpage element document to obtain a webpage semantic document;
S24, performing component information matching on the webpage semantic document according to a preset target component list to obtain a vulnerability information set.
In detail, a web page analysis tool such as Beautiful Soup or lxml may be used to perform web page analysis on the preset vulnerability platform to obtain the vulnerability web page document; an element selector such as a CSS selector or XPath may be used to label the elements of the vulnerability web page document to obtain the web page element document; and BERT, GPT or XLNet may be used to perform text semantic analysis on the web page element document to obtain the web page semantic document. The vulnerability web page document comprises information such as the title, links and text of the vulnerability platform; the web page element document comprises data such as the data attributes and data types corresponding to the elements in the vulnerability web page document; and the web page semantic document comprises the semantic information of those elements, such as the description of the vulnerability, the solution to the vulnerability, and the names and version ranges of the components affected by the vulnerability.
Specifically, performing component information matching on the web page semantic document according to the preset target component list to obtain the vulnerability information set means selecting the component names in the target component list one by one as the target component name; screening out from the web page semantic document, using regular expressions or element selectors, the component information, version range information, vulnerability repair code and code submission record corresponding to the target component name; collecting these into the target vulnerability information; and collecting all target vulnerability information into the vulnerability information set.
In the embodiment of the invention, the method for extracting the component version information set from the preset information platform according to the target component list and the method for extracting the component source code information set from the preset code platform according to the target component list are consistent with the method for extracting the vulnerability information set from the preset vulnerability platform according to the preset target component list in the step S1.
In the embodiment of the invention, the vulnerability information set, the component version information set and the component source code information set are respectively obtained according to the preset target component list, so that the components needing to be subjected to vulnerability analysis and the information such as the repair record information, the source code and the like corresponding to the version numbers of the components can be obtained, the comprehensiveness of vulnerability analysis is improved, and the accuracy of vulnerability analysis is further improved.
S2, selecting the vulnerability information in the vulnerability information set one by one as target vulnerability information, and screening component source code information corresponding to the target vulnerability information from the component source code information set to serve as target vulnerability source code information.
In the embodiment of the invention, selecting the vulnerability information in the vulnerability information set one by one as the target vulnerability information means generating a vulnerability information queue corresponding to the vulnerability information set and using the dequeue operation of the queue to select the vulnerability information in the queue one by one as the target vulnerability information.
In the embodiment of the invention, component source code information corresponding to target vulnerability information is screened out from the component source code information set to be used as target vulnerability source code information, and the method comprises the following steps: extracting target vulnerability component information and target component version information from the target vulnerability information; screening component source code information corresponding to target vulnerability component information from the component source code information set to serve as target component source code information; and screening component source code information corresponding to the target component version information from the target component source code information to serve as target vulnerability source code information.
In detail, the target vulnerability component information is the information corresponding to the name of the component to which the vulnerability belongs (for example, the target vulnerability component information of the component act is exact), and the target component version information is the information about the affected version range of the component recorded in the target vulnerability information, for example 1.23.0. The screening may be performed according to the information composition structure and the partitioner of the target vulnerability component information: for example, when the partitioner is "-", the part before "-" is taken as the target vulnerability component information and the part after "-" is taken as the target component version information.
Specifically, screening the component source code information corresponding to the target vulnerability component information out of the component source code information set as the target component source code information means matching the component name information of each piece of component source code information in the set against the target vulnerability component information and taking the matched component source code information as the target component source code information. Screening the component source code information corresponding to the target component version information out of the target component source code information as the target vulnerability source code information means matching the target component version information against the version tags of the target component source code information and taking the matched component source code information as the target vulnerability source code information.
In the embodiment of the invention, the component source code information corresponding to the target vulnerability information is screened out from the component source code information set to serve as the target vulnerability source code information, so that the name and the corresponding version range of the component source code corresponding to the target vulnerability information can be determined, the source code of the component corresponding to the target vulnerability information can be more accurately matched, and the accuracy of vulnerability analysis is improved.
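The screening of step S2, as an added example that is not code from the patent: the component information is split at the partitioner described above, then a constructed component source code information set is filtered first by component name and then by version tag. The `SourceCodeInfo` record, the sample entries and the tolerant tag comparison (a leading `v` is ignored) are assumptions of this example; the split is taken at the last partitioner so that component names that themselves contain a hyphen survive.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SourceCodeInfo:
    """One entry of the component source code information set (assumed shape)."""
    name: str          # component name
    path: str          # storage path of the component source code
    version_tag: str   # version tag of the source code, e.g. "v1.23.0"


# Constructed sample set; paths and tags are illustrative only.
SAMPLE_SOURCE_SET = [
    SourceCodeInfo("act", "/repos/act/v1.22.0", "v1.22.0"),
    SourceCodeInfo("act", "/repos/act/v1.23.0", "v1.23.0"),
    SourceCodeInfo("act", "/repos/act/v1.24.0", "v1.24.0"),
    SourceCodeInfo("left-pad", "/repos/left-pad/v1.3.0", "v1.3.0"),
]


def split_vuln_component(info: str, partitioner: str = "-") -> Tuple[str, str]:
    """Split 'name<partitioner>version' into (target vulnerability component
    information, target component version information).  The split is made at
    the LAST partitioner so names that contain it ('left-pad') stay whole."""
    name, sep, version = info.rpartition(partitioner)
    if not sep or not name or not version:
        raise ValueError(f"no usable '{partitioner}' partitioner in {info!r}")
    return name, version


def canonical_tag(tag: str) -> str:
    """Compare tags without a leading 'v'/'V' so 'v1.23.0' matches '1.23.0'."""
    return tag[1:] if tag[:1] in ("v", "V") else tag


def screen_target_source(info: str, source_set: List[SourceCodeInfo],
                         partitioner: str = "-") -> List[SourceCodeInfo]:
    """Step S2: match by component name first (target component source code
    information), then by version tag (target vulnerability source code
    information)."""
    name, version = split_vuln_component(info, partitioner)
    by_name = [s for s in source_set if s.name == name]
    return [s for s in by_name
            if canonical_tag(s.version_tag) == canonical_tag(version)]


if __name__ == "__main__":
    for hit in screen_target_source("act-1.23.0", SAMPLE_SOURCE_SET):
        print(hit.name, hit.version_tag, hit.path)
```

An empty result is the signal worth logging in practice: it means the vulnerability record names a version for which no source snapshot exists, so the later tracing step would otherwise silently produce no matching component information.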
And S3, performing code tracing matching on the target vulnerability source code information and the target vulnerability information to obtain matching component information, and collecting all the matching component information into a matching component information set.
In the embodiment of the invention, the matching component information refers to the components that have repaired the vulnerability, together with the version tag (Version Tag) information of the corresponding versions.
In the embodiment of the invention, code tracing matching is carried out on the target vulnerability source code information and the target vulnerability information to obtain matching component information, and the method comprises the following steps: extracting a target source code path from target vulnerability source code information; obtaining a target vulnerability source code according to the target source code path; extracting a target repair code from the target vulnerability information; and performing code tracing matching on the target vulnerability source code and the target repair code to obtain matching component information.
In detail, the target source code path refers to a storage path of component source codes in target vulnerability source code information, and the target repair code refers to vulnerability repair codes in target vulnerability information; the method can be used for extracting a target source code path from target vulnerability source code information and extracting a target repair code from the target vulnerability information by utilizing a keyword matching or structure matching method.
Specifically, performing code tracing matching on the target vulnerability source code and the target repair code to obtain matching component information, including: performing dependency tracing on the target vulnerability source codes to obtain tracing source code dependencies; performing version check on the target vulnerability source code according to the tracing source code dependency to obtain tracing source version dependency; performing contrast scanning on the target vulnerability source codes according to the target repair codes to obtain matched vulnerability source codes; and extracting matching component information corresponding to the matching vulnerability source codes from the traceable version dependency.
In the embodiment of the invention, dependency tracing of the target vulnerability source code may be performed by analyzing the package.json file of the npm or yarn library of the target vulnerability source code to obtain the tracing source code dependency; version checking of the target vulnerability source code according to the tracing source code dependency may be performed with version output commands such as git log to obtain the tracing version dependency; and contrast scanning of the target vulnerability source code according to the target repair code may be performed with a software composition analysis (Software Composition Analysis, SCA) component to obtain the matched vulnerability source code.
In detail, the tracing source code dependence refers to a component and a version label corresponding to the target vulnerability source code, the tracing version dependence refers to the checked component and version label corresponding to the target vulnerability source code, the matching vulnerability source code refers to a part of source codes corresponding to the target repair code in the target vulnerability source code, and the matching component information refers to the name of the component and the corresponding version label corresponding to the matching vulnerability source code.
In the embodiment of the invention, the matching component information is obtained by carrying out code tracing matching on the target vulnerability source code information and the target vulnerability information, so that the component numbers and the corresponding version ranges of the affected component source codes in the component source code information set can be accurately matched, and the accuracy of vulnerability analysis is improved.
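The tracing and contrast scanning of step S3, as an added example that is neither the patent's code nor that of any SCA tool: the repair code is taken in unified-diff form, its removed and added lines are separated, and each tagged source snapshot is scanned for the lines that only the fixed version carries. Tags whose source already contains the fix become the matching component information (component name plus version tag). The repair code, the snapshots and the package.json text are constructed; reading only the `dependencies` and `devDependencies` objects for the dependency tracing is an assumption of this example.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed repair code in unified-diff form (a hypothetical bounds check).
REPAIR_CODE = """\
--- a/buf.py
+++ b/buf.py
@@ -1,2 +1,4 @@
 def get(buf, idx):
-    return buf[idx]
+    if idx >= len(buf):
+        raise IndexError("out of range")
+    return buf[idx]
"""

# Constructed source snapshots of component "act", keyed by version tag.
FIXED_SOURCE = ("def get(buf, idx):\n    if idx >= len(buf):\n"
                '        raise IndexError("out of range")\n    return buf[idx]\n')
SOURCE_BY_TAG = {
    "v1.0.0": "def get(buf, idx):\n    return buf[idx]\n",
    "v1.1.0": FIXED_SOURCE,
    "v1.2.0": FIXED_SOURCE,
}

# Constructed package.json of the component (input of the dependency tracing).
PACKAGE_JSON = '{"name": "act", "version": "1.2.0", "dependencies": {"left-pad": "^1.3.0"}}'


def trace_dependencies(package_json_text: str) -> Dict[str, str]:
    """Tracing source code dependency: name -> version spec from package.json."""
    data = json.loads(package_json_text)
    deps: Dict[str, str] = {}
    for key in ("dependencies", "devDependencies"):
        deps.update(data.get(key, {}))
    return deps


def parse_repair_code(diff_text: str) -> Tuple[Set[str], Set[str]]:
    """Return (removed, added) line sets, whitespace-stripped, skipping the
    file headers and hunk markers of the diff."""
    removed: Set[str] = set()
    added: Set[str] = set()
    for line in diff_text.splitlines():
        if line.startswith(("---", "+++", "@@")):
            continue
        if line.startswith("-"):
            removed.add(line[1:].strip())
        elif line.startswith("+"):
            added.add(line[1:].strip())
    return removed, added


def source_contains_fix(source: str, repair_code: str) -> bool:
    """Contrast scan: the fix is present when every line that exists only in
    the fixed version appears in the source.  Lines present on both sides of
    the diff (here 'return buf[idx]') carry no signal and are ignored."""
    removed, added = parse_repair_code(repair_code)
    fix_only = added - removed
    src_lines = {ln.strip() for ln in source.splitlines()}
    return bool(fix_only) and fix_only <= src_lines


def match_components(name: str, source_by_tag: Dict[str, str],
                     repair_code: str) -> List[Tuple[str, str]]:
    """Matching component information: (name, version tag) of every tag whose
    source already carries the repair."""
    return [(name, tag) for tag, src in sorted(source_by_tag.items())
            if source_contains_fix(src, repair_code)]


if __name__ == "__main__":
    print(trace_dependencies(PACKAGE_JSON))
    print(match_components("act", SOURCE_BY_TAG, REPAIR_CODE))
```

Line-set containment is deliberately conservative: a snapshot that was patched differently from the upstream fix is reported as not containing the fix, which is the safer error for impact range analysis, since the version then stays inside the affected range until a human confirms otherwise.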
And S4, generating vulnerability influence range information according to the matched component information set and the component version information set.
In the embodiment of the invention, the vulnerability influence range information refers to vulnerability codes, vulnerability influence component lists and normalized component version interval ranges of system components to be displayed.
In the embodiment of the present invention, referring to fig. 3, generating vulnerability impact range information according to a matching component information set and a component version information set includes:
S31, selecting matching component information in the matching component information set one by one as target matching component information, and screening component version information corresponding to the target matching component information from the component version information set to serve as target component version information;
S32, performing version name matching on the target matching component information according to the target component version information to obtain target primary range information;
S33, performing interval normalization operation on the target primary range information to obtain a target influence range;
S34, collecting all target influence ranges into vulnerability influence range information.
In detail, screening component version information corresponding to the target matching component information from the component version information set as target component version information means extracting name information of the component from the target matching component information, and screening component version information corresponding to the name information from the component version information set as target component version information.
Specifically, performing version name matching on the target matching component information according to the target component version information to obtain the target primary range information means extracting the component version format from the target component version information and updating the format of the version tags in the target matching component information according to that format. For example, when the version tags in the target matching component information are of the form v1.2.0 and the component version format in the target component version information is S1.2.0, the prefix v of the version tags needs to be replaced by S.
In detail, performing interval normalization operation on the target primary range information to obtain a target influence range, including: screening a target primary component name from the target primary range information, and a target version information group corresponding to the target primary component name; version ascending sorting is carried out on the target version information group to obtain a target version information sequence; dividing the interval of the target version information sequence to obtain a target version interval range; and collecting the target primary component name and the target version interval range into a target influence range.
Specifically, the target primary component name refers to the name of the corresponding component in the target primary range information, and the target version information group contains all affected component version numbers corresponding to the target primary component name.
In detail, dividing the target version information sequence into intervals to obtain the target version interval range means dividing the target version information into several version intervals at the interrupting version numbers (versions that are not affected) and representing those intervals with standardized interval notation. For example, when the target version information sequence is {1.0.0, 1.1.0, 1.2.0, 1.4.0, 1.5.0} and all target versions corresponding to the target primary component name are {1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0}, the interrupting version number is 1.3.0, and the range can be represented as [1.0.0,1.3.0) and (1.3.0,1.5.0], where a square bracket ([ ]) indicates that the influence range includes the corresponding version and a round bracket (( )) indicates that the influence range excludes it.
Specifically, aggregating all the target influence ranges into vulnerability influence range information refers to ranking and numbering vulnerabilities in all the target influence ranges, aggregating all the target primary component names in all the target influence ranges into an influence component list, and taking all the target version interval ranges in all the target influence ranges as interval ranges of all the target primary component names in the influence component list.
In detail, after the interval normalization operation is performed on the target primary range information to obtain the target influence range, the method further comprises the step of performing visual display on the target influence range.
In the embodiment of the invention, the vulnerability influence range information is generated according to the matched component information set and the component version information set, so that the influence range can be identified by using a standard component version number and a standard and concise interval representation method, and the accuracy and intuitiveness of influence range analysis are improved.
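Steps S32 to S34 as an added example, not code from the patent: `match_version_format` rewrites a version tag's prefix to the format seen in the component version information (the page's v1.2.0 to S1.2.0 case), `normalize_intervals` cuts a sorted affected-version list at the interrupting versions into the bracket notation of the page's own example, and `build_impact_range_info` numbers the resulting ranges and gathers them into an influence component list. The numeric, component-wise version ordering, the dictionary layout of the result and the placeholder vulnerability identifier are assumptions of this example.

```python
import re
from typing import Dict, List, Sequence, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric, component-wise ordering so that '1.10.0' sorts after '1.9.0'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def match_version_format(tag: str, format_example: str) -> str:
    """Step S32: give `tag` the non-numeric prefix used by the component
    version information, e.g. 'v1.2.0' with format 'S1.2.0' -> 'S1.2.0'."""
    prefix = re.match(r"\D*", format_example).group(0)
    return prefix + re.sub(r"^\D*", "", tag)


def normalize_intervals(affected: Sequence[str], all_versions: Sequence[str]) -> List[str]:
    """Step S33: sort, then cut the run of affected versions at every
    interrupting (unaffected) version.  '[' and ']' include the bound,
    '(' and ')' exclude it, as in the page's notation."""
    order = sorted(set(all_versions), key=parse_version)
    hit = set(affected)
    unknown = hit - set(order)
    if unknown:
        raise ValueError(f"affected versions missing from release list: {sorted(unknown)}")
    out: List[str] = []
    n = len(order)
    i = 0
    while i < n:
        if order[i] not in hit:
            i += 1
            continue
        j = i
        while j + 1 < n and order[j + 1] in hit:
            j += 1
        # Open bound at the neighbouring unaffected version, closed bound at
        # the ends of the release list.
        left = f"[{order[i]}" if i == 0 else f"({order[i - 1]}"
        right = f"{order[j]}]" if j == n - 1 else f"{order[j + 1]})"
        out.append(f"{left},{right}")
        i = j + 1
    return out


def build_impact_range_info(vuln_id: str,
                            ranges: Dict[str, Tuple[Sequence[str], Sequence[str]]]) -> Dict[str, object]:
    """Step S34: gather every target influence range under one vulnerability
    record.  `ranges` maps component name -> (affected versions, released versions)."""
    components = []
    for number, (name, (affected, released)) in enumerate(sorted(ranges.items()), start=1):
        components.append({"no": number, "component": name,
                           "intervals": normalize_intervals(affected, released)})
    return {"vulnerability": vuln_id, "components": components}


# Constructed inputs reproducing the page's worked example for one component.
RELEASED = ["1.0.0", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0"]
AFFECTED = ["1.0.0", "1.1.0", "1.2.0", "1.4.0", "1.5.0"]

if __name__ == "__main__":
    print(match_version_format("v1.2.0", "S1.2.0"))
    print(normalize_intervals(AFFECTED, RELEASED))
    # "VULN-EXAMPLE-0001" is a placeholder identifier, not a real advisory.
    print(build_impact_range_info("VULN-EXAMPLE-0001", {"act": (AFFECTED, RELEASED)}))
```

Sorting numerically rather than lexically matters for the interval cut: a lexical sort would place 1.10.0 before 1.9.0 and could split one contiguous affected run into two intervals, or hide a genuinely interrupting version.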
Fig. 4 is a functional block diagram of an apparatus for code traceability analysis of vulnerability impact range according to an embodiment of the present invention.
The device 400 for analyzing the vulnerability influence range by tracing the code can be installed in electronic equipment. Depending on the functions implemented, the device 400 for tracing and analyzing the vulnerability impact range by the code may include a data acquisition module 401, a vulnerability matching module 402, a tracing matching module 403, and an information generation module 404. A module of the invention, which may also be referred to as a unit, refers to a series of computer program segments stored in the memory of the electronic device that can be executed by the processor of the electronic device and perform a fixed function.
In the present embodiment, the functions of the respective modules/units are as follows:
The data acquisition module 401 is configured to acquire a vulnerability information set, a component version information set and a component source code information set according to a preset target component list;
The vulnerability matching module 402 is configured to select vulnerability information in the vulnerability information set one by one as target vulnerability information, and screen component source code information corresponding to the target vulnerability information from the component source code information set as target vulnerability source code information;
The tracing matching module 403 is configured to perform code tracing matching on the target vulnerability source code information and the target vulnerability information to obtain matching component information, and aggregate all the matching component information into a matching component information set;
The information generating module 404 is configured to generate vulnerability impact range information according to the matching component information set and the component version information set.
In detail, each module in the device 400 for analyzing the vulnerability impact range by tracing the code in the embodiment of the present invention adopts the same technical means as the method for analyzing the vulnerability impact range by tracing the code in Fig. 1, and can produce the same technical effects, which are not described herein again.
Fig. 5 is a schematic structural diagram of an electronic device for implementing a method for analyzing a vulnerability impact range by tracing a code according to an embodiment of the present invention.
The electronic device 501 may include a processor 510, a memory 511, a communication bus 512, and a communication interface 513, and may also include computer programs stored in the memory 511 and executable on the processor 510, such as programs for code traceability analysis of vulnerability impact ranges.
The processor 510 may be formed by an integrated circuit in some embodiments, for example, a single packaged integrated circuit, or may be formed by a plurality of integrated circuits packaged with the same function or different functions, including one or more central processing units (Central Processing Unit, CPU), a microprocessor, a digital processing chip, a combination of a graphics processor and various control chips, etc. The processor 510 is the control unit (Control Unit) of the electronic device: it connects the various components of the entire electronic device using various interfaces and lines, and executes the various functions of the electronic device and processes data by running or executing the programs or modules stored in the memory 511 (e.g., the program for code traceability analysis of vulnerability impact ranges) and calling the data stored in the memory 511.
The memory 511 includes at least one type of readable storage medium, including flash memory, a removable hard disk, a multimedia card, a card memory (e.g., SD or DX memory, etc.), magnetic memory, a magnetic disk, an optical disk, etc. The memory 511 may be an internal storage element of the electronic device in some embodiments, such as a removable hard disk of the electronic device. The memory 511 may also be an external storage device of the electronic device in other embodiments, such as a plug-in mobile hard disk, a smart memory card (Smart Media Card, SMC), a Secure Digital (SD) card, a flash memory card (Flash Card), etc. that is provided on the electronic device. Further, the memory 511 may also include both internal storage elements of the electronic device and external storage devices. The memory 511 may be used not only to store application software installed in the electronic device and various types of data, such as the code of the program for traceability analysis of vulnerability impact range, but also to temporarily store data that has been output or is to be output.
The communication bus 512 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be classified as an address bus, a data bus, a control bus, etc. The bus is arranged to enable connected communication between the memory 511 and the at least one processor 510 or the like.
The communication interface 513 is used for communication between the electronic device and other devices, and includes a network interface and a user interface. Optionally, the network interface may include a wired interface and/or a wireless interface (e.g., a Wi-Fi interface, a Bluetooth interface, etc.), typically used to establish a communication connection between the electronic device and other electronic devices. The user interface may be a display, an input unit such as a keyboard, or alternatively a standard wired or wireless interface. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch display, or the like. The display may also be referred to as a display screen or display unit, as appropriate, and is used for displaying information processed in the electronic device and for displaying a visual user interface.
Only an electronic device having the above components is shown, and it will be understood by those skilled in the art that the structure shown in the figure does not constitute a limitation on the electronic device, which may include fewer or more components than shown, may combine certain components, or may have a different arrangement of components.
For example, although not shown, the electronic device may further include a power source (such as a battery) for powering the respective components, and the power source may be logically connected to the at least one processor 510 through a power management device, so as to perform charge management, discharge management, and power consumption management through the power management device. The power supply may also include one or more of a direct current or alternating current power supply, a recharging device, a power failure detection circuit, a power converter or inverter, a power status indicator, etc. The electronic device may also include various sensors, Bluetooth modules, Wi-Fi modules, etc., which are not described in detail herein.
It should be understood that the examples are for illustrative purposes only and are not limited to this configuration in the scope of the patent application.
In particular, the specific implementation method of the above instruction by the processor 510 may refer to the description of the relevant steps in the corresponding embodiment of the drawings, which is not repeated herein.
Further, the modules/units integrated in the electronic device 501 may be stored in a computer readable storage medium if implemented in the form of software functional units and sold or used as a stand-alone product. The computer readable storage medium may be volatile or nonvolatile. For example, the computer readable medium may include: any entity or device capable of carrying computer program code, a recording medium, a USB flash drive (U disk), a removable hard disk, a magnetic disk, an optical disk, a computer memory, a Read-Only Memory (ROM).
Finally, it should be noted that the above-mentioned embodiments are merely for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications and equivalents may be made to the technical solution of the present invention without departing from the spirit and scope of the technical solution of the present invention.

Claims (10)

1. A method for code traceability analysis of vulnerability impact range, the method comprising:
respectively obtaining a vulnerability information set, a component version information set and a component source code information set according to a preset target component list;
selecting vulnerability information in the vulnerability information set one by one as target vulnerability information, and screening component source code information corresponding to the target vulnerability information from the component source code information set to serve as target vulnerability source code information;
performing code tracing matching on the target vulnerability source code information and the target vulnerability information to obtain matching component information, and collecting all the matching component information into a matching component information set;
and generating vulnerability influence range information according to the matching component information set and the component version information set.
2. The method for code traceability analysis of vulnerability impact range according to claim 1, wherein obtaining the vulnerability information set, the component version information set and the component source code information set according to the preset target component list comprises:
extracting a vulnerability information set from a preset vulnerability platform according to the preset target component list;
extracting a component version information set from a preset information platform according to the target component list;
and extracting a component source code information set from a preset code platform according to the target component list.
3. The method for code traceability analysis of vulnerability impact range according to claim 2, wherein extracting the vulnerability information set from the preset vulnerability platform according to the preset target component list comprises:
carrying out web page analysis on a preset vulnerability platform to obtain a vulnerability web page document;
carrying out element labeling on the vulnerability web page document to obtain a web page element document;
performing text semantic analysis on the web page element document to obtain a web page semantic document;
and carrying out component information matching on the web page semantic document according to a preset target component list to obtain a vulnerability information set.
4. The method according to claim 1, wherein screening component source code information corresponding to the target vulnerability information from the component source code information set as target vulnerability source code information comprises:
extracting target vulnerability component information and target component version information from the target vulnerability information;
screening component source code information corresponding to the target vulnerability component information from the component source code information set to serve as target component source code information;
and screening component source code information corresponding to the target component version information from the target component source code information to serve as target vulnerability source code information.
5. The method according to claim 1, wherein performing code traceability matching on the target vulnerability source code information and the target vulnerability information to obtain matching component information comprises:
extracting a target source code path from the target vulnerability source code information;
obtaining a target vulnerability source code according to the target source code path;
extracting a target repair code from the target vulnerability information;
and performing code tracing matching on the target vulnerability source code and the target repair code to obtain matching component information.
6. The method for code traceability analysis of vulnerability impact range according to claim 5, wherein performing code traceability matching on the target vulnerability source code and the target repair code to obtain matching component information comprises:
performing dependency tracing on the target vulnerability source code to obtain a tracing source code dependency;
performing version check on the target vulnerability source code according to the tracing source code dependency to obtain a tracing version dependency;
performing contrast scanning on the target vulnerability source code according to the target repair code to obtain matched vulnerability source code;
and extracting matching component information corresponding to the matched vulnerability source code from the tracing version dependency.
7. The method for code traceability analysis of vulnerability impact range according to claim 1, wherein generating vulnerability impact range information according to the matching component information set and the component version information set comprises:
selecting matching component information in the matching component information set one by one as target matching component information, and screening component version information corresponding to the target matching component information from the component version information set to serve as target component version information;
performing version name matching on the target matching component information according to the target component version information to obtain target primary range information;
performing an interval standardization operation on the target primary range information to obtain a target influence range;
and collecting all target influence ranges into vulnerability influence range information.
8. The method for code traceability analysis of vulnerability impact range according to claim 7, wherein performing an interval standardization operation on the target primary range information to obtain a target influence range comprises:
screening a target primary component name, and a target version information group corresponding to the target primary component name, from the target primary range information;
sorting the target version information group in ascending version order to obtain a target version information sequence;
dividing the target version information sequence into intervals to obtain a target version interval range;
and collecting the target primary component name and the target version interval range into a target influence range.
9. An apparatus for code traceability analysis of vulnerability impact range, the apparatus comprising:
a data acquisition module, configured to respectively acquire a vulnerability information set, a component version information set and a component source code information set according to a preset target component list;
a vulnerability matching module, configured to select vulnerability information in the vulnerability information set one by one as target vulnerability information, and to screen component source code information corresponding to the target vulnerability information from the component source code information set to serve as target vulnerability source code information;
a tracing matching module, configured to perform code tracing matching on the target vulnerability source code information and the target vulnerability information to obtain matching component information, and to collect all the matching component information into a matching component information set;
and an information generation module, configured to generate vulnerability influence range information according to the matching component information set and the component version information set.
10. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the method for code traceability analysis of vulnerability impact range according to any one of claims 1 to 8.
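The version name matching and interval standardization steps of claims 7 and 8, worked through as an added example (not code from the patent or from Seczone): the dictionary shapes of the two information sets, the numeric version parsing and the `[first, last]` interval notation are assumptions chosen here, and the sample version lists are constructed.

```python
"""Interval standardization of a vulnerability impact range (claims 7 and 8).

Added example, not code from the patent or from Seczone. Assumed data shapes:
  version_set:  {component_name: [every published version string]}
  matching_set: {component_name: [version strings the code-tracing step matched]}
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input. Note "1.0.10": a plain string sort would place it
# before "1.0.2" and produce a wrong interval, so versions are sorted numerically.
SAMPLE_VERSIONS: Dict[str, List[str]] = {
    "example-lib": ["1.1.0", "1.0.0", "1.0.10", "1.0.1", "1.0.2",
                    "1.0.3", "2.0.0", "1.1.1"],
    "other-lib": ["3.0.0", "3.1.0"],
}
SAMPLE_MATCHING: Dict[str, List[str]] = {
    "example-lib": ["1.0.10", "1.0.2", "1.0.3", "1.1.1", "9.9.9"],
    "other-lib": ["3.0.0"],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.0.10' -> (1, 0, 10). Non-numeric parts count as 0 (assumption)."""
    nums = []
    for part in re.split(r"[.\-]", v.strip()):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums)


def version_name_matching(matched: List[str], known: List[str]) -> List[str]:
    """Claim 7: keep only matched versions the component actually published
    (here "9.9.9" is dropped because it is not in the version information)."""
    known_set = set(known)
    return [v for v in matched if v in known_set]


def interval_standardization(matched: List[str], known: List[str]) -> List[str]:
    """Claim 8: sort the version information ascending, then split the hits
    into contiguous runs over the component's full version sequence."""
    ordered = sorted(set(known), key=parse_version)      # target version sequence
    hits = set(version_name_matching(matched, known))
    ranges, start, prev = [], None, None
    for v in ordered + [None]:                           # sentinel closes the last run
        if v is not None and v in hits:
            start = start if start is not None else v
            prev = v
            continue
        if start is not None:                            # run ended: emit an interval
            ranges.append(start if start == prev else f"[{start}, {prev}]")
            start = prev = None
    return ranges


def generate_impact_range(matching_set, version_set) -> List[Dict[str, object]]:
    """Claim 7, outer loop: one target influence range per matched component."""
    result = []
    for component, matched in matching_set.items():
        known = version_set.get(component, [])
        result.append({"component": component,
                       "ranges": interval_standardization(matched, known)})
    return result


if __name__ == "__main__":
    for entry in generate_impact_range(SAMPLE_MATCHING, SAMPLE_VERSIONS):
        print(entry["component"], entry["ranges"])
```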
CN202311827050.2A 2023-12-27 2023-12-27 Method and device for analyzing vulnerability influence range by code traceability and electronic equipment Pending CN117932613A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311827050.2A CN117932613A (en) 2023-12-27 2023-12-27 Method and device for analyzing vulnerability influence range by code traceability and electronic equipment

Publications (1)

Publication Number Publication Date
CN117932613A true CN117932613A (en) 2024-04-26

Family

ID=90762209

Legal Events

Date Code Title Description
PB01 Publication