CN118194298A - Software bill of materials generation method, management platform and computer equipment - Google Patents
- Publication number
- CN118194298A (application number CN202410379763.5A)
- Authority
- CN
- China
- Prior art keywords
- software
- materials
- bill
- plug
- version information
- Prior art date
- Legal status
- Pending
Classifications
- G—PHYSICS / G06—COMPUTING; CALCULATING OR COUNTING / G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3604—Software analysis for verifying properties of programs
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Quality & Reliability (AREA)
- Computing Systems (AREA)
- Stored Programmes (AREA)
Abstract
The present disclosure relates to the field of computer technologies, and in particular to a method for generating a software bill of materials, a management platform, and a computer device. The method for generating the software bill of materials comprises the following steps: integrating a software bill of materials plug-in into a software development tool; configuring mapping rules and a scanning engine for the software bill of materials plug-in; receiving a scanning instruction for project code in the software development tool; calling the software bill of materials plug-in to perform software component analysis on the project code in the software development tool according to the mapping rules and the scanning engine, so as to obtain a software bill of materials of the project code; sending a risk analysis request to a security operations platform; and receiving a risk analysis result fed back by the security operations platform, wherein the risk analysis result comprises risk components and their corresponding solutions. The embodiments of the specification can form the SBOM in the software development stage, so that vulnerability remediation and security event response capabilities can be improved.
Description
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method for generating a software bill of materials, a management platform, and a computer device.
Background
With the increasing use of open source applications in the software development process, open source applications have in fact gradually become core infrastructure for software development, and mixed-source software development has become the main delivery method for modern applications.
As the software supply chain becomes open-sourced, every link in the full software supply chain is inevitably affected by open source applications. In particular, security problems in open source applications directly affect the security of the software supply chains that employ them. In addition to security defects caused by the negligence of open source application developers, there may be security defects deliberately left by illegitimate developers, and even code with abnormal behaviour containing hidden malicious functions, forged by a malicious attacker and deliberately uploaded to an upstream open source code hosting platform in order to carry out a targeted software supply chain attack. Security problems in open source applications greatly increase the potential security hazards of the software supply chain, and the security situation is increasingly severe.
A software bill of materials (SBOM) can improve software supply chain transparency and reduce software security risks and overall costs. In the prior art, after a released application program is deployed to a production service, an independent SBOM tool is used to analyze the application program in the production service so as to obtain the corresponding SBOM. Because the SBOM of an application can only be obtained after it has been deployed to the production business, vulnerability issues cannot be located and responded to efficiently.
Disclosure of Invention
The embodiments of the specification provide a method for generating a software bill of materials, a management platform and a computer device, which are used to form an SBOM in the software development stage, so that vulnerability remediation and security event response capabilities can be improved.
The embodiment of the specification provides a method for generating a software bill of materials, which comprises the following steps:
integrating a software bill of materials plug-in into a software development tool;
configuring mapping rules and a scanning engine for the software bill of materials plug-in;
receiving a scanning instruction for project code in the software development tool;
calling the software bill of materials plug-in to perform software component analysis on the project code in the software development tool according to the mapping rules and the scanning engine, so as to obtain a software bill of materials of the project code;
sending a risk analysis request to a security operations platform, wherein the risk analysis request comprises the software bill of materials;
and receiving a risk analysis result fed back by the security operations platform, wherein the risk analysis result comprises risk components in the project code and their corresponding solutions, and the risk analysis result is obtained by performing risk analysis on the software bill of materials.
The embodiment of the specification further provides a method for generating a software bill of materials, which comprises the following steps:
acquiring a software bill of materials plug-in and a corresponding scanning engine;
receiving a mapping rule input by a business person based on a rule template;
sending the software bill of materials plug-in, the scanning engine and the mapping rule to a terminal device, so that the terminal device integrates the software bill of materials plug-in into a software development tool, configures the mapping rule and the scanning engine for the software bill of materials plug-in, receives a scanning instruction for project code in the software development tool, and calls the software bill of materials plug-in to perform software component analysis on the project code in the software development tool according to the mapping rule and the scanning engine, so as to obtain a software bill of materials of the project code; sends a risk analysis request to a security operations platform, wherein the risk analysis request comprises the software bill of materials; and receives a risk analysis result fed back by the security operations platform, wherein the risk analysis result comprises risk components in the project code and their corresponding solutions, and the risk analysis result is obtained by performing risk analysis on the software bill of materials.
The embodiment of the specification also provides a management platform for a software bill of materials plug-in, which comprises:
a plug-in management module, used for managing software bill of materials plug-ins that can be integrated into a software development tool;
a rule management module, used for managing the mapping rules of the software bill of materials plug-in;
a scanning engine management module, used for managing the scanning engine of the software bill of materials plug-in;
wherein a software bill of materials of project code can be obtained by calling the software bill of materials plug-in to perform software component analysis on the project code in the software development tool according to the mapping rules and the scanning engine; and risk analysis is performed on the software bill of materials to obtain a risk analysis result, the risk analysis result comprising risk components of the project code and their corresponding solutions.
The embodiment of the specification also provides a computer device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the method for generating the software bill of materials when executing the computer program.
The embodiments of the present specification also provide a computer readable storage medium storing a computer program which, when executed by a processor, implements the method for generating a software bill of materials described above.
The embodiments of the present specification also provide a computer program product comprising a computer program which, when executed by a processor, implements the method for generating a software bill of materials described above.
According to the above technical scheme, a software bill of materials plug-in can be integrated into a software development tool; mapping rules and a scanning engine are configured for the software bill of materials plug-in; a scanning instruction for project code in the software development tool is received; and the software bill of materials plug-in is called to perform software component analysis on the project code in the software development tool according to the mapping rules and the scanning engine, so as to obtain a software bill of materials of the project code. By integrating the software bill of materials plug-in into the software development tool and configuring the corresponding mapping rules and scanning engine, the software bill of materials of the project code can be generated in the software development stage. In addition, the software bill of materials can be generated according to a generation strategy indicated by the user, so that personalized generation of a software bill of materials according to need is realized. Furthermore, by sending a risk analysis request to the security operations platform, risk analysis can be performed on the project code in the software development stage, and a risk analysis result of the project code is obtained. The risk analysis result comprises risk components in the project code and their corresponding solutions, so that vulnerability remediation and security event response capabilities in the software development stage are greatly improved.
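The risk-analysis step that the security operations platform performs on the received software bill of materials, as an added Python example that is not part of the patent: the advisory identifiers, package names, versions and fix versions are constructed placeholders, and the SBOM is given in a minimal purl-based layout rather than a full standard format. The example also follows DEPENDS_ON relationships, so a risk found in a transitive component is reported together with the direct dependency that pulls it in.

```python
"""Added example (not from the patent): the risk-analysis step that the
security operations platform performs on a received SBOM. The advisory table,
package names, versions and fix versions are constructed placeholders."""

# Constructed advisory table; an advisory affects versions in [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "purl_base": "pkg:pypi/example-http",
     "introduced": "2.0.0", "fixed": "2.31.0"},
    {"id": "ADV-PLACEHOLDER-002", "purl_base": "pkg:pypi/example-urllib",
     "introduced": "1.26.0", "fixed": "2.0.5"},
]

# Constructed risk analysis request: the SBOM lists packages by purl plus DEPENDS_ON edges.
RISK_REQUEST = {
    "project": "demo-project",
    "sbom": {
        "packages": [
            {"name": "example-http", "purl": "pkg:pypi/example-http@2.31.0"},
            {"name": "example-urllib", "purl": "pkg:pypi/example-urllib@2.0.4"},
        ],
        "relationships": [
            {"from": "pkg:pypi/example-http@2.31.0", "type": "DEPENDS_ON",
             "to": "pkg:pypi/example-urllib@2.0.4"},
        ],
    },
}


def parse_version(v):
    """'2.0.4' -> (2, 0, 4); rejects non-numeric segments."""
    parts = v.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version {v!r}")
    return tuple(int(p) for p in parts)


def split_purl(purl):
    """'pkg:pypi/example-http@2.31.0' -> ('pkg:pypi/example-http', '2.31.0')."""
    base, sep, version = purl.rpartition("@")
    if not sep or not version:
        raise ValueError(f"purl has no version: {purl!r}")
    return base, version


def is_affected(version, advisory):
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def reverse_dependencies(sbom):
    """Map each package purl to the purls of the packages that depend on it."""
    rev = {}
    for rel in sbom.get("relationships", []):
        if rel["type"] == "DEPENDS_ON":
            rev.setdefault(rel["to"], []).append(rel["from"])
    return rev


def direct_dependents(purl, rev):
    """Follow DEPENDS_ON edges upwards to the packages the project pulls in directly."""
    roots, stack, seen = [], [purl], set()
    while stack:
        cur = stack.pop()
        if cur in seen:          # guards against cycles in the relationship graph
            continue
        seen.add(cur)
        parents = rev.get(cur, [])
        if not parents and cur != purl:
            roots.append(cur)
        stack.extend(parents)
    return sorted(roots)


def analyze_risk(request, advisories=ADVISORIES):
    """Match every SBOM package against the advisory table; return risk components with solutions."""
    sbom = request["sbom"]
    rev = reverse_dependencies(sbom)
    risks = []
    for pkg in sbom["packages"]:
        base, version = split_purl(pkg["purl"])
        for adv in advisories:
            if adv["purl_base"] != base or not is_affected(version, adv):
                continue
            risks.append({
                "component": pkg["purl"],
                "advisory": adv["id"],
                "pulled_in_by": direct_dependents(pkg["purl"], rev),  # empty for a direct dependency
                "solution": f"upgrade {pkg['name']} to {adv['fixed']} or later",
            })
    return {"project": request["project"], "risk_components": risks}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_risk(RISK_REQUEST), indent=2))
```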
Drawings
In order to illustrate the embodiments of the present description or the solutions in the prior art more clearly, the drawings required for the embodiments or for the description of the prior art are briefly described below. The drawings in the following description are only some embodiments of the present description, and a person skilled in the art may obtain other drawings from them without inventive effort.
FIG. 1 is a flowchart of a software bill of materials generation method according to an embodiment of the present disclosure;
FIG. 2 is a schematic functional structure diagram of a plug-in management platform according to an embodiment of the present disclosure;
FIG. 3 is a schematic functional structure diagram of a software bill of materials plug-in according to an embodiment of the present disclosure;
FIG. 4 is a flowchart of a software bill of materials generation method according to an embodiment of the present disclosure;
FIG. 5 is a flowchart of a software bill of materials generation method according to an embodiment of the present disclosure;
FIG. 6 is a schematic functional structure diagram of a software bill of materials generating device according to an embodiment of the present disclosure;
FIG. 7 is a schematic functional structure diagram of a software bill of materials generating apparatus according to an embodiment of the present disclosure.
Detailed Description
The technical solutions of the embodiments of the present specification will be described clearly and completely below with reference to the drawings in the embodiments of the present specification. It is apparent that the described embodiments are only some embodiments of the present specification, not all of them. The specific embodiments described herein are to be considered illustrative rather than restrictive. All other embodiments derived by a person of ordinary skill in the art from the described embodiments of the present disclosure fall within the scope of the present disclosure. In addition, relational terms such as "first" and "second" may be used solely to distinguish one entity or action from another without necessarily requiring or implying any actual relationship or order between such entities or actions.
Software supply chain security begins with visibility into its critical links. The software bill of materials (SBOM) is one of the core technologies for software supply chain management. It can contain various key information about an application program, through which the original supply chain of the software can be traced back; it greatly improves developers' understanding of the security risks of the software, helps enterprises improve efficiency when analyzing network security risks, managing vulnerabilities and responding to emergencies, and plays an important role in the security management of the software supply chain.
Generating SBOMs and quickly acquiring their information has become critical for quick localization analysis and for addressing emerging vulnerabilities and attacks. Governments and industries have increasingly recognized the importance of the SBOM for software network security. For software suppliers, building SBOMs promotes software supply chain transparency and can help enterprise organizations fully understand the component situation of each application, thereby locating and responding to vulnerability issues more efficiently. In addition, standardization of the SBOM is beneficial to collaboration among organizations, which further improves customer trust. For the purchasing party, the product information of interest, such as baseline component information or license information, can be seen clearly and intuitively. For operators, the SBOM increases the visibility of the software and its components, helping them verify the state of the software before it goes into production business.
In the prior art, after a released application program is deployed to a production service, an independent SBOM tool is used to analyze the application program in the production service so as to obtain the corresponding SBOM. Because the SBOM of an application can only be obtained after it has been deployed to the production business, vulnerability issues cannot be located and responded to efficiently.
Please refer to FIG. 1. The embodiment of the specification provides a method for generating a software bill of materials. In this method, a software bill of materials plug-in is integrated into the software development tool, so that an SBOM meeting the service requirement can be obtained in the software development stage, and vulnerability remediation and security event response capabilities can be improved. The method may comprise the following steps.
Step 11: the plug-in management platform acquires a software bill of materials plug-in, a scanning engine and mapping rules.
Step 12: the plug-in management platform sends the software bill of materials plug-in, the scanning engine and the mapping rules to the terminal device.
Step 13: the terminal device receives the software bill of materials plug-in, the scanning engine and the mapping rules.
Step 14: the terminal device integrates the software bill of materials plug-in into the software development tool, and configures the mapping rules and the scanning engine for the software bill of materials plug-in.
Step 15: the terminal device receives a scanning instruction for the project code in the software development tool, and invokes the software bill of materials plug-in to perform software component analysis on the project code in the software development tool according to the mapping rules and the scanning engine, so as to obtain the software bill of materials of the project code.
In some embodiments, the plug-in management platform may run on a server. The server may be a background-oriented device, including but not limited to a single server, a server cluster containing multiple servers, and the like. Please refer to FIG. 2. The support system of the plug-in management platform may comprise a deployment platform, a data platform and the like, and provides the operating environment for the plug-in management platform. The plug-in management platform may include a plug-in management module, a rule management module, a scan engine management module and an asset management module. The plug-in management module is used for managing software bill of materials plug-ins that can be integrated into the software development tool. The software development tool is used for providing a development environment for software. The software bill of materials plug-in is used for generating a software bill of materials (SBOM). The software bill of materials plug-in may be a program that runs under the software development tool and is written against an application program interface that follows a certain specification. For example, the software development tool may be IDE (integrated development environment) software, and the software bill of materials plug-in may be an IDE plug-in. An IDE plug-in is a program written in compliance with the IDE's open SDK; it depends on the IDE environment to run and is an important supplement to the IDE's functions. The software bill of materials plug-in supports configuring scan settings on the IDE side, triggering a scan with one click, and generating an SBOM file. The plug-in management module specifically supports management capabilities for the software bill of materials plug-in, including but not limited to plug-in downloading, plug-in updating, and the like. The rule management module is used for managing the mapping rules of the software bill of materials plug-in.
The mapping rules are used to normalize and structurally convert the project code into data structures that meet the requirements of a particular SBOM format. For example, the components referenced in the project code may include open source components. Different SBOM formats have different data structures and field requirements. Through the mapping rules, the component information of an open source component can be converted into a file conforming to a specific SBOM format, for example by determining the name, version, vendor, license information, hash value and relationships with other components of the component. The rule management module specifically supports management capabilities for the mapping rules, including but not limited to management of rule templates, updating of mapping rules, generation of mapping rules, manual creation of mapping rules, and the like. The scan engine management module is used for managing the scan engine of the software bill of materials plug-in. The scan engine may be a software tool for identifying and collecting the components in the project code (e.g. open source components, third-party software packages, frameworks, etc.) and their details, and generating an SBOM-compliant manifest file (including, e.g., component names, versions, licenses, vendor information, etc.). The scan engine includes a language adapter, so that identification of third-party open source components in multiple development languages can be supported. The scan engine also includes an artifact scanner, so that identification of binary artifacts can be supported. The scan engine also includes an image scanner, so that image identification can be supported. The scan engine also includes an SBOM converter, so that generation of the corresponding file content according to the SBOM rules can be supported. The scan engine also includes unified storage, so that storage of data during the scan process can be supported.
The asset management module is used for managing the components. The components may include open source components, self-developed components, business components, and the like. The components can be referenced in a software project, which helps to improve development efficiency.
In some embodiments, a user may enter one or more of a software bill of materials plug-in, a scan engine and mapping rules at the plug-in management platform, which receives them. Alternatively, other devices may send one or more of a software bill of materials plug-in, a scan engine and mapping rules to the plug-in management platform, which receives them. In some scenario examples, the plug-in management platform may provide a rule template. The user may input mapping rules based on the rule template, and the plug-in management platform receives the mapping rules entered by the user based on the rule template; this allows the user to create the mapping rules manually. In other scenario examples, the plug-in management platform may also generate the corresponding mapping rules automatically in compliance with a standard format, which may include the SPDX standard format and the like.
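As an added example, not code from the patent, the following Python sketch applies a rule template of the kind described above to constructed scan-engine output and produces an SPDX 2.3 JSON document. Field names follow the SPDX 2.3 JSON schema; the component records, the licence alias table, the document namespace and the tool name are assumptions.

```python
"""Added example (not code from the patent): a mapping rule set that converts
component records collected by a scan engine into an SPDX 2.3 JSON document.
The component records, licence aliases, namespace and tool name are constructed."""
import hashlib
import json
import re

# Constructed scan-engine output for two components (stand-in values, not real data).
SCAN_RESULT = [
    {"name": "example-http", "version": "2.31.0", "ecosystem": "pypi",
     "supplier": "Example Org", "license": "apache 2.0",
     "blob": b"example-http-2.31.0.tar.gz", "depends_on": ["example-urllib"]},
    {"name": "example-urllib", "version": "2.0.7", "ecosystem": "pypi",
     "supplier": "", "license": "MIT",
     "blob": b"example-urllib-2.0.7.tar.gz", "depends_on": []},
]

# Normalisation table: free-form licence strings -> SPDX licence identifiers.
LICENSE_ALIASES = {"apache 2.0": "Apache-2.0", "apache-2.0": "Apache-2.0",
                   "mit": "MIT", "bsd-3": "BSD-3-Clause"}


def normalize_license(raw):
    """Map a free-form licence string onto an SPDX identifier; NOASSERTION if unknown."""
    return LICENSE_ALIASES.get(raw.strip().lower(), "NOASSERTION")


def spdx_id(name):
    """SPDX element ids may only contain letters, digits, '.' and '-'."""
    return "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)


# A rule template in the style the patent describes: target SPDX field -> (source key, transform).
SPDX_RULE_TEMPLATE = {
    "name": ("name", str),
    "versionInfo": ("version", str),
    "supplier": ("supplier", lambda s: f"Organization: {s}" if s else "NOASSERTION"),
    "licenseConcluded": ("license", normalize_license),
    "licenseDeclared": ("license", normalize_license),
}


def map_component(component, rules):
    """Apply one mapping rule set to one component record, producing an SPDX package."""
    package = {"SPDXID": spdx_id(component["name"]),
               "downloadLocation": "NOASSERTION", "filesAnalyzed": False}
    for target, (source, transform) in rules.items():
        if source not in component:
            raise ValueError(f"component {component.get('name')!r} lacks {source!r}")
        package[target] = transform(component[source])
    # Hash of the component artefact; the constructed blob stands in for the real archive.
    package["checksums"] = [{"algorithm": "SHA256",
                             "checksumValue": hashlib.sha256(component["blob"]).hexdigest()}]
    # A package URL gives the risk-analysis side a stable key for each component.
    purl = f"pkg:{component['ecosystem']}/{component['name']}@{component['version']}"
    package["externalRefs"] = [{"referenceCategory": "PACKAGE-MANAGER",
                                "referenceType": "purl", "referenceLocator": purl}]
    return package


def build_spdx_document(project_name, components, rules=SPDX_RULE_TEMPLATE):
    """Convert scan-engine component records into an SPDX 2.3 JSON document (as a dict)."""
    packages = [map_component(c, rules) for c in components]
    known = {p["SPDXID"] for p in packages}
    relationships = [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                      "relatedSpdxElement": p["SPDXID"]} for p in packages]
    for c in components:
        for dep in c["depends_on"]:
            if spdx_id(dep) not in known:   # a dependency the scan did not resolve
                raise ValueError(f"{c['name']} depends on unscanned component {dep!r}")
            relationships.append({"spdxElementId": spdx_id(c["name"]),
                                  "relationshipType": "DEPENDS_ON",
                                  "relatedSpdxElement": spdx_id(dep)})
    return {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0",
            "SPDXID": "SPDXRef-DOCUMENT", "name": project_name,
            "documentNamespace": f"https://example.invalid/spdx/{project_name}",  # assumed
            "creationInfo": {"created": "2024-01-01T00:00:00Z",
                             "creators": ["Tool: sbom-ide-plugin-example"]},    # assumed
            "packages": packages, "relationships": relationships}


if __name__ == "__main__":
    print(json.dumps(build_spdx_document("demo-project", SCAN_RESULT), indent=2))
```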
In some embodiments, the plug-in management platform may provide a plug-in version information set. The plug-in version information set may include version information for one or more versions of the software bill of materials plug-in. The version information of the software bill of materials plug-in may include the version number, the version release time, etc. of the software bill of materials plug-in. Each version of the software bill of materials plug-in may correspond to an update policy. The update policy is used to indicate the update mode of the software bill of materials plug-in version. The update modes may include forced update and autonomous update. Forced update means that the plug-in management platform forces a version update of the software bill of materials plug-in. Autonomous update means that the terminal device autonomously chooses whether to update the version of the software bill of materials plug-in. For example, the update policy may include an update mode parameter: when the value of the update mode parameter is a first value, forced update is indicated; when the value of the update mode parameter is a second value, autonomous update is indicated. Of course, the update policy may also be used to indicate a version update address of the software bill of materials plug-in; for example, the update policy may include a version download address.
The plug-in management platform may send the software bill of materials plug-in to the terminal device. The terminal device may receive the software bill of materials plug-in and may integrate it into the software development tool.
Business personnel can specify the recommended version information of the software bill of materials plug-in in the plug-in management platform. Alternatively, after the plug-in management platform obtains the latest version of the software bill of materials plug-in, it may determine the latest version as the recommended version information of the software bill of materials plug-in. The recommended version information may be selected from the plug-in version information set.
The plug-in management platform may push recommended version information (hereinafter referred to as first recommended version information) to the terminal device. The terminal device may receive the first recommended version information; detect the local version information (hereinafter referred to as first local version information) of the software bill of materials plug-in; ignore the pushed first recommended version information if the first recommended version information is the same as the first local version information; and update the software bill of materials plug-in to the version corresponding to the first recommended version information if the first recommended version information is different from the first local version information. For example, the terminal device may send a download request to the plug-in management platform, where the download request includes the first recommended version information. After receiving the download request, the plug-in management platform may send the software bill of materials plug-in corresponding to the first recommended version information to the terminal device. The terminal device may receive and install the software bill of materials plug-in corresponding to the first recommended version information.
Alternatively, the terminal device may detect the first local version information of the software bill of materials plug-in in the software development tool after the software development tool is started, and may send a version information query request (hereinafter referred to as a first version information query request) to the plug-in management platform. The plug-in management platform may receive the first version information query request; obtain the first recommended version information of the software bill of materials plug-in and the corresponding update policy (hereinafter referred to as a first update policy); and send the first recommended version information and the first update policy to the terminal device. The terminal device may receive the first recommended version information and the first update policy. If the first recommended version information is the same as the first local version information, the terminal device may ignore the first recommended version information and the first update policy. If the first recommended version information is different from the first local version information, the terminal device may execute the first update policy. Specifically, the terminal device may read the update mode from the first update policy. If the update mode is forced update, the terminal device may update the software bill of materials plug-in to the version corresponding to the first recommended version information. If the update mode is autonomous update, the terminal device may display first prompt information, which prompts the user to update the version of the software bill of materials plug-in, so that the user can update the software bill of materials plug-in when needed.
Of course, if the update mode is autonomous update, the terminal device may also calculate the update time according to the first local version information and the first recommended version information; if the update time meets a time-consumption condition, it updates the software bill of materials plug-in to the version corresponding to the first recommended version information, and if the update time does not meet the time-consumption condition, it displays the first prompt information, which prompts the user to update the version of the software bill of materials plug-in. For example, the first local version information may be compared with the first recommended version information to obtain a first version difference degree between them, and the update time may be calculated based on the first version difference degree. For example, when the first version difference degree is N version numbers, the update time may be calculated as NT, where T represents the update time corresponding to a single version number. The time-consumption condition may be that the update time is less than or equal to a threshold.
In this way, the plug-in management platform can realize management and control of the software bill of materials plug-in on the terminal device.
In some embodiments, a user may input mapping rules at the plug-in management platform based on a rule template, or the plug-in management platform may automatically generate mapping rules following a standard format. The plug-in management platform may send the mapping rules to the terminal device. The terminal device may receive the mapping rules and configure them for the software bill of materials plug-in. In addition, after the plug-in management platform obtains a new mapping rule, it may send a mapping rule change message to the terminal device. The terminal device may receive the mapping rule change message sent by the plug-in management platform and, in response, send a mapping rule acquisition request to the plug-in management platform. The plug-in management platform may receive the mapping rule acquisition request, obtain the new mapping rule, and send it to the terminal device. The terminal device may receive the new mapping rule.
Therefore, the plug-in management platform can manage and control the mapping rules in the terminal device.
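The change-notification exchange above, written out from both sides as an added Python example (this is not code from the patent). It assumes a mapping rule is a JSON object, that the platform numbers each rule revision, and that the change message carries the revision number and a SHA-256 digest of the rule so the terminal can skip stale messages and verify that the rule it fetches is the one announced; those fields and the in-memory transport are assumptions.

```python
"""Mapping rule change notification between the plug-in management platform and the
terminal's plug-in monitor (added example, not the patent's code). Assumed: a rule is a
JSON object; the platform numbers each rule revision, and the change message carries the
revision number and a SHA-256 digest of the rule. The in-memory calls stand in for the
network exchange."""
import hashlib
import json
from typing import Dict, List, Optional


def canonical(rule: dict) -> bytes:
    """Stable serialization so both sides hash the same bytes."""
    return json.dumps(rule, sort_keys=True, separators=(",", ":")).encode("utf-8")


def digest(rule: dict) -> str:
    return hashlib.sha256(canonical(rule)).hexdigest()


class PluginManagementPlatform:
    def __init__(self) -> None:
        self.revision = 0
        self.rules: Dict[int, dict] = {}
        self.sent_messages: List[dict] = []  # change messages pushed to terminals

    def publish_rule(self, rule: dict) -> dict:
        """A rule entered from a template (or auto-generated) becomes a new
        revision; a mapping rule change message is sent to the terminal."""
        self.revision += 1
        self.rules[self.revision] = rule
        msg = {"type": "mapping_rule_changed", "revision": self.revision, "digest": digest(rule)}
        self.sent_messages.append(msg)
        return msg

    def handle_acquire_request(self, request: dict) -> Optional[dict]:
        """Answer a mapping rule acquisition request for one revision."""
        rule = self.rules.get(request["revision"])
        return None if rule is None else {"revision": request["revision"], "rule": rule}


class SbomPluginMonitor:
    """Terminal side: the plug-in's monitor that keeps the local rule current."""

    def __init__(self, platform: PluginManagementPlatform) -> None:
        self.platform = platform
        self.rule: Optional[dict] = None
        self.rule_revision = 0

    def on_change_message(self, msg: dict) -> str:
        if msg.get("type") != "mapping_rule_changed":
            return "ignored"
        if msg["revision"] <= self.rule_revision:
            return "stale"  # already at or past this revision
        response = self.platform.handle_acquire_request({"revision": msg["revision"]})
        if response is None:
            return "missing"
        if digest(response["rule"]) != msg["digest"]:
            return "digest_mismatch"  # do not apply a rule that differs from the one announced
        self.rule = response["rule"]
        self.rule_revision = response["revision"]
        return "applied"
```

The digest check is the practitioner's addition: a mapping rule decides what ends up in the SBOM, so the terminal should only apply the rule the platform actually announced, and a stale or replayed change message should not roll the local rule backwards.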
In some embodiments, the plug-in management platform may provide a scan engine version information set, which includes version information for one or more versions of the scan engine. The version information of the scan engine may include the version number of the scan engine, the version release time, and so on. Different versions of the scan engine may run on different versions of the software bill of materials plug-in, and different versions of the plug-in may support different scan engine versions. Each version of the scan engine may also correspond to one version of the software bill of materials plug-in. Each version of the scan engine may also correspond to an update policy. The update policy indicates an update mode; the update modes may include forced update and autonomous update. A forced update is a version update of the scan engine that the plug-in management platform forces. An autonomous update means that the terminal device chooses for itself whether to update the version of the scan engine. For example, the update policy may include an update mode parameter: when its value is a first numerical value, it indicates forced update; when its value is a second numerical value, it indicates autonomous update. The update policy may also indicate the version update address of the scan engine, for example by including a version download address.
The plug-in management platform may send the scan engine to the terminal device. The terminal device may receive the scan engine and configure it for the software bill of materials plug-in. In addition, after starting the software development tool, the terminal device may detect the first local version information of the software bill of materials plug-in and the second local version information of the scan engine, and send a version information query request (hereinafter referred to as the second version information query request), which includes the first local version information, to the plug-in management platform. The plug-in management platform may receive the second version information query request, select from the scan engine version information set the version information matched with the first local version information as the second recommended version information, and send the second recommended version information to the terminal device. The terminal device may receive the second recommended version information. If the second recommended version information is the same as the second local version information, the terminal device may ignore it; if they differ, the terminal device may update the scan engine to the version corresponding to the second recommended version information. Further, the plug-in management platform may also obtain the update policy corresponding to the second recommended version information (hereinafter referred to as the second update policy) and send it to the terminal device. The terminal device may receive the second update policy.
If the second recommended version information is the same as the second local version information, the terminal device may ignore both the second recommended version information and the second update policy. If they differ, the terminal device may read the update mode from the second update policy. If the update mode is forced update, the terminal device may update the scan engine to the version corresponding to the second recommended version information. If the update mode is autonomous update, the terminal device may display second prompt information, which prompts the user to update the version of the scan engine; the user may then update the scan engine as needed.
Thus, the plug-in management platform can manage and control the scan engine in the terminal device.
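To make the version query and update policy concrete, the following Python is an added example (not code from the patent) that covers both the scan engine flow just described and the autonomous-update time rule given earlier for the plug-in. The version set, the policy values (1 = forced, 2 = autonomous), the per-version time T and the threshold are constructed assumptions, and the "version difference degree" is taken here to be the number of released versions between the local and recommended versions in the platform's set, which the page does not define.

```python
"""Scan engine version query and update decision (added example, not the patent's code).
Assumed shapes: versions are "major.minor.patch" strings; the platform's scan engine version
information set lists, per engine version, the SBOM plug-in version it runs on and an update
policy (update mode parameter 1 = forced, 2 = autonomous, plus a download address). All values
below are constructed samples."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FORCED = 1      # first numerical value of the update mode parameter
AUTONOMOUS = 2  # second numerical value of the update mode parameter


@dataclass(frozen=True)
class UpdatePolicy:
    mode: int
    download_url: str


@dataclass(frozen=True)
class EngineVersion:
    version: str
    release_time: str
    plugin_version: str  # software bill of materials plug-in version this engine runs on
    policy: UpdatePolicy


# Constructed sample: the platform's scan engine version information set.
ENGINE_VERSION_SET: List[EngineVersion] = [
    EngineVersion("1.0.0", "2024-01-10", "2.0.0",
                  UpdatePolicy(AUTONOMOUS, "https://platform.example/engine/1.0.0")),
    EngineVersion("1.1.0", "2024-02-15", "2.1.0",
                  UpdatePolicy(FORCED, "https://platform.example/engine/1.1.0")),
    EngineVersion("1.2.0", "2024-03-20", "2.1.0",
                  UpdatePolicy(AUTONOMOUS, "https://platform.example/engine/1.2.0")),
]


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def recommend_engine(plugin_version: str,
                     version_set: List[EngineVersion] = ENGINE_VERSION_SET) -> Optional[EngineVersion]:
    """Platform side: answer the version information query request.
    Returns the newest engine whose supported plug-in version matches the
    terminal's local plug-in version, or None when nothing matches."""
    matches = [e for e in version_set if e.plugin_version == plugin_version]
    if not matches:
        return None
    return max(matches, key=lambda e: parse_version(e.version))


def version_distance(local: str, recommended: str,
                     version_set: List[EngineVersion] = ENGINE_VERSION_SET) -> int:
    """Version difference degree N (assumed definition): released versions newer
    than the local one, up to and including the recommended one."""
    lo, hi = parse_version(local), parse_version(recommended)
    return sum(1 for e in version_set if lo < parse_version(e.version) <= hi)


def decide_update(local: str, recommended: Optional[EngineVersion],
                  version_set: List[EngineVersion] = ENGINE_VERSION_SET,
                  per_version_seconds: float = 30.0,
                  threshold_seconds: Optional[float] = None) -> str:
    """Terminal side. Returns "ignore", "update" or "prompt".

    same version      -> ignore the recommendation and its policy
    forced update     -> update
    autonomous update -> prompt the user; if a time-consuming threshold is given
                         (the plug-in rule), update without asking when N*T <= threshold
    """
    if recommended is None or recommended.version == local:
        return "ignore"
    if recommended.policy.mode == FORCED:
        return "update"
    if threshold_seconds is not None:
        n = version_distance(local, recommended.version, version_set)
        if n * per_version_seconds <= threshold_seconds:
            return "update"
    return "prompt"


if __name__ == "__main__":
    rec = recommend_engine("2.1.0")
    print(rec.version, decide_update("1.0.0", rec), decide_update("1.0.0", rec, threshold_seconds=60))
```

Note that a recommendation whose version merely differs from the local one triggers an update under the text's rule even when it is older; a deployment that wants to forbid downgrades would add that comparison in `decide_update`.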
In some embodiments, the plug-in management platform may provide a set of components, which includes one or more components. The components may include open source components, self-developed components, business components, and the like. Components may be referenced in a software project to improve development efficiency. Each component may correspond to component attribute information, which may include the component identifier, version, license, vendor information, and the like. The component attribute information may be used when generating a software bill of materials.
In some embodiments, after obtaining the software bill of materials plug-in, the scan engine, and the mapping rules, the terminal device may integrate the software bill of materials plug-in into the software development tool and configure the mapping rules and the scan engine for the plug-in.
In some embodiments, the terminal device may provide a selection interface that lists multiple pieces of code in the software development tool for selection. The pieces of code may belong to the same software item and may include source code written in the software development tool; one or more components may be referenced in the code. The user may select one or more pieces of code in the selection interface for component analysis. The terminal device may determine the project code selected by the user among the multiple pieces of code and receive the user's scan instruction for that project code. In response to the scan instruction, the terminal device may call the software bill of materials plug-in to perform software component analysis on the project code in the software development tool according to the mapping rules and the scan engine, thereby obtaining the software bill of materials of the project code. Specifically, the terminal device performs software component analysis on the project code through the scan engine. During the analysis, the terminal device may obtain the component attribute information of the components in the project code from the asset management module and convert it according to the mapping rules to obtain the software bill of materials.
The terminal device may perform software component analysis on the project code with the scan engine and map the analysis result into the software bill of materials of the project code according to the generation policy that the user indicates in the mapping rule. The generation policy represents how the software bill of materials is generated, so the software bill of materials can be generated according to the user's requirements, that is, personalized generation on demand.
For example, one or more components in the project code may be identified through software component analysis. The generation policy may include a filter list containing one or more trusted components; the trusted components in the filter list are removed from the analysis result, and the software bill of materials of the project code is generated from the components that remain. The filter list may be set by the user. As another example, the generation policy may include a filter list containing one or more filtered file directories; components located under a filtered file directory are removed from the analysis result, and the software bill of materials of the project code is generated from the components that remain. The filtered file directories may also be set by the user.
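The conversion step, from analysis result through generation policy and mapping rule to a software bill of materials, as an added Python example (not the patent's or any project's code). It assumes the scan engine reports each referenced component as a name, version and path within the project, that the asset management module is a lookup keyed by "name@version" holding the component attribute information, and that the mapping rule carries a generation policy with the two filter lists from the text plus a map from SBOM fields to attribute names; all sample data is constructed.

```python
"""Software bill of materials generation from scan results through a mapping rule
(added example, not the patent's or any project's code). Shapes and sample data are
constructed assumptions."""
import posixpath
from typing import Dict, List

# Constructed: components found by software component analysis of the project code.
SCAN_RESULT: List[dict] = [
    {"name": "libfoo", "version": "1.4.2", "path": "src/net/foo.c"},
    {"name": "internal-utils", "version": "3.0.0", "path": "src/util/"},
    {"name": "libbar", "version": "0.9.1", "path": "third_party/bar/"},
    {"name": "libbaz", "version": "2.2.0", "path": "vendor/baz/"},
    {"name": "libqux", "version": "0.1.0", "path": "src/misc/qux.c"},
]

# Constructed: asset management module with component attribute information.
ASSET_MODULE: Dict[str, dict] = {
    "libfoo@1.4.2": {"component_id": "C-1001", "version": "1.4.2", "license": "MIT",
                     "vendor": "Foo Org", "kind": "open source"},
    "internal-utils@3.0.0": {"component_id": "C-2001", "version": "3.0.0", "license": "Proprietary",
                             "vendor": "Acme", "kind": "self-developed"},
    "libbar@0.9.1": {"component_id": "C-3001", "version": "0.9.1", "license": "Apache-2.0",
                     "vendor": "Bar Ltd", "kind": "open source"},
    "libbaz@2.2.0": {"component_id": "C-4001", "version": "2.2.0", "license": "BSD-3-Clause",
                     "vendor": "Baz Inc", "kind": "open source"},
}

# Constructed mapping rule in the assumed shape.
MAPPING_RULE = {
    "format": "custom-v1",
    "generation_policy": {
        "trusted_components": ["internal-utils"],  # filter list: trusted components are dropped
        "filter_directories": ["vendor"],          # filter list: anything under these directories is dropped
    },
    "fields": {  # SBOM field -> attribute in the component attribute information
        "id": "component_id",
        "version": "version",
        "license": "license",
        "supplier": "vendor",
    },
}


def _under(path: str, directory: str) -> bool:
    """True when path lies in directory (or is the directory itself)."""
    p = posixpath.normpath(path)
    d = posixpath.normpath(directory)
    return p == d or p.startswith(d + "/")


def apply_generation_policy(components: List[dict], policy: dict) -> List[dict]:
    """Remove trusted components and components under filtered directories."""
    trusted = set(policy.get("trusted_components", []))
    dirs = policy.get("filter_directories", [])
    return [c for c in components
            if c["name"] not in trusted and not any(_under(c["path"], d) for d in dirs)]


def generate_sbom(scan_result: List[dict], mapping_rule: dict, asset_module: Dict[str, dict]) -> dict:
    """Convert the remaining analysis results into SBOM entries via the mapping rule.
    Components unknown to the asset module are listed separately instead of being
    dropped silently, so gaps in the SBOM stay visible."""
    kept = apply_generation_policy(scan_result, mapping_rule.get("generation_policy", {}))
    entries, unknown = [], []
    for c in kept:
        key = f"{c['name']}@{c['version']}"
        attrs = asset_module.get(key)
        if attrs is None:
            unknown.append(key)
            continue
        entries.append({field: attrs.get(attr) for field, attr in mapping_rule["fields"].items()})
    return {"format": mapping_rule["format"], "components": entries, "unknown_components": unknown}
```

The `unknown_components` list is a defender's caveat rather than something the text specifies: a component the asset management module does not know cannot be matched against any risk component set later, so it is better surfaced than silently omitted from the bill.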
In some example scenarios, please refer to fig. 3. The software bill of materials plug-in may include a user view, underlying logic, local storage, and the like. In the software development tool, a user can select project code and, in the user view, set the management platform address, the SBOM file export path and the export format. After the management platform address is set, network connectivity can be tested, and subsequent operations proceed if the connection succeeds, for example clicking the scan button to send a scan instruction to the management platform. After receiving the scan instruction, the trigger first checks whether a scan engine exists under the plug-in working directory. If not, a download request for the scan engine may be sent to the plug-in management platform, the plug-in management platform may send the scan engine to the terminal device, and the terminal device may receive and install it. If a scan engine exists, the trigger can detect its version information, call the management platform's version query interface to compare that version information with the platform's, and download the latest version of the scan engine if they do not match. The specific procedure is described above and is not repeated here. The scanner can analyze the project code to obtain the components in it, obtain the component attribute information of those components from the asset management module, and convert it according to the mapping rule to obtain the software bill of materials. The monitor continuously monitors the mapping rule on the management and control platform and updates the local file corresponding to the mapping rule after receiving a mapping rule change message.
In some embodiments, the terminal device may send the software bill of materials and the project code to a secure operation platform. The secure operation platform may add the received software bill of materials to a software bill of materials set and record the project code as the project code corresponding to that software bill of materials in the set, so that each software bill of materials in the set corresponds to a project code. The secure operation platform may receive risk prompt information for a target component, for example risk prompt information pushed by an open source knowledge base. It may select, from the software bill of materials set, the target software bills of materials affected by the target component, take the project codes corresponding to the selected target software bills of materials as risk project codes, and send the risk prompt information to the terminal devices corresponding to the risk project codes or display it; the risk prompt information identifies the risk project codes. In this way, through interfacing with the secure operation platform, when the secure operation platform receives risk prompt information for a target component, it analyzes through the software bills of materials whether the target component affects the project code, and if so sends the risk prompt information to the terminal device corresponding to that project code. Operators can thus clearly know the list of components and their basic information used in an application, and learn of risks in time.
In some embodiments, the terminal device may send a risk analysis request, which includes the software bill of materials, to the secure operation platform. The software bill of materials may include the component names, versions, licenses, vendor information, and so on of the project code. The secure operation platform may be provided with a risk component set, which includes one or more risk components. The secure operation platform can thus perform risk analysis on the software bill of materials according to the risk component set to obtain a risk analysis result and feed it back to the terminal device. The terminal device may receive and display the risk analysis result. The risk analysis result may be either risk-free or risk; in the case of risk, the result may also include the risk components in the software bill of materials. This helps developers discover vulnerabilities in time and locate them accurately.
Further, in the risk component set, each risk component may also correspond to a risk level, which represents the severity of the risk component's risk: the higher the risk level, the greater the severity, and the lower the risk level, the smaller the severity. In this way, the risk analysis result sent by the secure operation platform may further include the risk level of each risk component, which helps developers judge the severity of the risk and take corresponding measures.
Further, in the risk component set, each risk component may also correspond to a solution, which may include a patch, a security configuration, refactored code, and the like. A patch covers the vulnerability and provides a fix. A security configuration reduces the risk of the vulnerability by changing the software's default settings or adding security options. Code refactoring redesigns the component to fix the vulnerability and improves the component's maintainability. In this way, the risk analysis result sent by the secure operation platform may also include the solution for each risk component, which helps developers resolve vulnerabilities in time.
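The secure operation platform's two duties described in the last four paragraphs, risk analysis of a submitted bill of materials against a risk component set carrying levels and solutions, and the reverse lookup that turns a risk prompt about a target component into the affected project codes, as one added Python example (not the patent's code). The data shapes and all sample values are constructed; SBOM entries are assumed to carry at least a name and a version.

```python
"""Secure operation platform (added example, not the patent's code): a software bill of
materials set keyed by project code, a risk component set in which each risk component
carries a risk level and a solution, risk analysis of a submitted SBOM, and the reverse
lookup from a target component to the affected project codes. Shapes and sample values
are constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed risk component set: (name, version) -> risk level and solution.
RISK_COMPONENTS: Dict[Tuple[str, str], dict] = {
    ("libfoo", "1.4.2"): {"level": 3, "solution": "patch: upgrade to libfoo 1.4.3"},
    ("libbar", "0.9.1"): {"level": 1, "solution": "security configuration: disable legacy mode"},
}


class SecureOperationPlatform:
    def __init__(self, risk_components: Dict[Tuple[str, str], dict] = RISK_COMPONENTS) -> None:
        self.risk_components = risk_components
        self.sbom_set: Dict[str, dict] = {}  # project code -> SBOM

    def register_sbom(self, project_code: str, sbom: dict) -> None:
        """Add a received SBOM to the set, keyed by its project code."""
        self.sbom_set[project_code] = sbom

    def analyze(self, sbom: dict) -> dict:
        """Handle a risk analysis request: match SBOM components against the risk component set."""
        hits = []
        for comp in sbom["components"]:
            info = self.risk_components.get((comp["name"], comp["version"]))
            if info is not None:
                hits.append({"name": comp["name"], "version": comp["version"],
                             "level": info["level"], "solution": info["solution"]})
        hits.sort(key=lambda h: h["level"], reverse=True)  # most severe first
        return {"result": "risk" if hits else "risk-free", "risk_components": hits}

    def risk_prompt(self, target_name: str, target_version: Optional[str] = None) -> List[str]:
        """Given risk prompt information for a target component (for example pushed by an
        open source knowledge base), return the risk project codes whose SBOM contains
        it. A version of None matches every version of the component."""
        def affected(sbom: dict) -> bool:
            return any(c["name"] == target_name and
                       (target_version is None or c["version"] == target_version)
                       for c in sbom["components"])
        return sorted(code for code, sbom in self.sbom_set.items() if affected(sbom))
```

Matching here is on exact name and version; a production platform would normalise identifiers and match version ranges, but the exact-match form is enough to show why the bill of materials must record versions, not just names.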
According to the method for generating a software bill of materials disclosed in the embodiment of the specification, the plug-in management platform can obtain the software bill of materials plug-in, the scan engine and the mapping rules and send them to the terminal device. The terminal device can receive the software bill of materials plug-in, the scan engine and the mapping rules, integrate the plug-in into a software development tool, and configure the mapping rules and the scan engine for the plug-in. The terminal device can receive a scan instruction for project code in the software development tool and call the software bill of materials plug-in to perform software component analysis on the project code according to the mapping rules and the scan engine, thereby obtaining the software bill of materials of the project code. By integrating the software bill of materials plug-in into the software development tool and configuring the corresponding mapping rules and scan engine, the software bill of materials of project code can be generated in the software development stage, which greatly improves vulnerability remediation and security event response capabilities in that stage. In addition, the plug-in management platform can manage the software bill of materials plug-in, the mapping rules, the scan engine and so on, and thereby manage the generation process of the software bill of materials.
Please refer to fig. 4. The embodiment of the specification provides a method for generating a software bill of materials. By integrating the software bill of materials plug-in into the software development tool, the method obtains an SBOM meeting the business requirements in the software development stage and improves vulnerability remediation and security event response capabilities. The method can be applied to the terminal device and includes the following steps.
Step 21: integrating a software bill of materials plug-in into a software development tool.
Step 22: configuring mapping rules and a scan engine for the software bill of materials plug-in.
Step 23: receiving a scan instruction for project code in the software development tool.
Step 24: calling the software bill of materials plug-in to perform software component analysis on the project code in the software development tool according to the mapping rules and the scan engine, thereby obtaining the software bill of materials of the project code.
In some embodiments, the terminal device may receive a mapping rule change message sent by the plug-in management platform, send a mapping rule acquisition request to the plug-in management platform in response to that message, receive the mapping rule fed back by the plug-in management platform, and configure the mapping rule for the software bill of materials plug-in. The mapping rule in the software bill of materials plug-in is thereby managed through the plug-in management platform.
In some embodiments, the terminal device may detect the first local version information of the software bill of materials plug-in and the second local version information of the scan engine, send a version information query request containing the first local version information to the plug-in management platform, receive the recommended version information of the scan engine that the plug-in management platform selected to match the first local version information, and compare the second local version information with the recommended version information; if they differ, the scan engine is updated to the version corresponding to the recommended version information. The scan engine is thereby managed through the plug-in management platform.
In some embodiments, the terminal device may provide a selection interface listing multiple pieces of code in the software development tool for selection, determine the project code selected by the user among them, and receive the user's scan instruction for that project code. In response to the scan instruction, the terminal device may call the software bill of materials plug-in to perform software component analysis on the project code in the software development tool according to the mapping rules and the scan engine, thereby obtaining the software bill of materials of the project code.
In some embodiments, the terminal device may send a risk analysis request containing the software bill of materials to the secure operation platform and receive the risk analysis result fed back by the secure operation platform; the risk analysis result includes the risk components in the software bill of materials and is obtained by performing risk analysis on the software bill of materials. By interfacing with the secure operation platform, business personnel can thus learn of risks and vulnerabilities in time.
The method for generating a software bill of materials in the embodiment of the specification can integrate a software bill of materials plug-in into a software development tool, configure mapping rules and a scan engine for the plug-in, receive a scan instruction for project code in the software development tool, and call the plug-in to perform software component analysis on the project code according to the mapping rules and the scan engine, thereby obtaining the software bill of materials of the project code. By integrating the software bill of materials plug-in into the software development tool and configuring the corresponding mapping rules and scan engine, the software bill of materials of project code can be generated in the software development stage, and vulnerability remediation and security event response capabilities in that stage are improved.
Please refer to fig. 5. The embodiment of the specification provides a method for generating a software bill of materials. By integrating the software bill of materials plug-in into the software development tool, the method obtains an SBOM meeting the business requirements in the software development stage and improves vulnerability remediation and security event response capabilities. The method can be applied to the plug-in management platform and includes the following steps.
Step 31: obtaining a software bill of materials plug-in and a corresponding scan engine.
Step 32: receiving mapping rules input by business personnel based on a rule template.
Step 33: sending the software bill of materials plug-in, the scan engine and the mapping rules to the terminal device, so that the terminal device integrates the software bill of materials plug-in into a software development tool, configures the mapping rules and the scan engine for the plug-in, receives a scan instruction for project code in the software development tool, and calls the plug-in to perform software component analysis on the project code according to the mapping rules and the scan engine, thereby obtaining the software bill of materials of the project code.
In some embodiments, the plug-in management platform may receive a version query request sent by the terminal device and send the recommended version information of the scan engine to the terminal device, so that the terminal device updates the scan engine to the version corresponding to the recommended version information when the local version information of the scan engine differs from it. After detecting that business personnel have input a mapping rule, the plug-in management platform may send a mapping rule change message to the terminal device, receive the mapping rule acquisition request that the terminal device sends in response to that message, and send the mapping rule to the terminal device.
The method for generating a software bill of materials in the embodiment of the specification can integrate a software bill of materials plug-in into a software development tool, configure mapping rules and a scan engine for the plug-in, receive a scan instruction for project code in the software development tool, and call the plug-in to perform software component analysis on the project code according to the mapping rules and the scan engine, thereby obtaining the software bill of materials of the project code. By integrating the software bill of materials plug-in into the software development tool and configuring the corresponding mapping rules and scan engine, the software bill of materials of project code can be generated in the software development stage, and vulnerability remediation and security event response capabilities in that stage are improved.
Please refer to fig. 2. The embodiment of the specification also provides a management platform for the software bill of materials plug-in. The management platform may include a plug-in management module, a rule management module, a scan engine management module and an asset management module. The plug-in management module manages the software bill of materials plug-ins that can be integrated into the software development tool; the rule management module manages the mapping rules of the software bill of materials plug-in; the scan engine management module manages the scan engine of the software bill of materials plug-in; and the asset management module manages the components that can be referenced in a software project.
Please refer to fig. 6. The embodiment of the specification also provides a device for generating a software bill of materials, which includes the following units.
An integration unit 41, configured to integrate the software bill of materials plug-in into the software development tool;
a configuration unit 42, configured to configure mapping rules and a scan engine for the software bill of materials plug-in;
a receiving unit 43, configured to receive a scan instruction for project code in the software development tool;
and a calling unit 44, configured to call the software bill of materials plug-in to perform software component analysis on the project code in the software development tool according to the mapping rules and the scan engine, thereby obtaining the software bill of materials of the project code.
Please refer to fig. 7. The embodiment of the specification also provides another device for generating a software bill of materials, which includes the following units.
An obtaining unit 51, configured to obtain a software bill of materials plug-in and a corresponding scan engine;
a receiving unit 52, configured to receive mapping rules input by business personnel based on a rule template;
and a sending unit 53, configured to send the software bill of materials plug-in, the scan engine and the mapping rules to the terminal device, so that the terminal device integrates the software bill of materials plug-in into the software development tool, configures the mapping rules and the scan engine for the plug-in, receives a scan instruction for project code in the software development tool, and calls the plug-in to perform software component analysis on the project code according to the mapping rules and the scan engine, thereby obtaining the software bill of materials of the project code.
The embodiment of the specification also provides a computer device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the method for generating the software bill of materials when executing the computer program.
The embodiments of the present specification also provide a computer readable storage medium storing a computer program which, when executed by a processor, implements the method for generating a software bill of materials described above.
The embodiments of the present specification also provide a computer program product comprising a computer program which, when executed by a processor, implements the method for generating a software bill of materials described above.
Those skilled in the art will appreciate that the present description may be provided as a method, system, or computer program product. The description may thus take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present description can take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present description is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the specification. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. The computer may be a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
Each functional unit in the embodiments of the present disclosure may be integrated in one processing unit, or each functional unit may exist alone physically, or two or more functional units may be integrated in one processing unit.
Those skilled in the art will appreciate that the descriptions of various embodiments are provided herein with respect to each of the embodiments, and that reference may be made to the relevant descriptions of other embodiments for parts of one embodiment that are not described in detail. In addition, it will be appreciated that those skilled in the art, upon reading the present specification, may conceive of any combination of some or all of the embodiments set forth herein without any inventive effort, and that such combination is within the scope of the disclosure and protection of the present specification.
Although the present specification is depicted by way of example, it will be appreciated by those skilled in the art that the above examples are merely intended to aid in understanding the core ideas of the present specification. Those skilled in the art will appreciate numerous modifications and variations therefrom. It is intended that the appended claims cover such modifications and variations as fall within the true spirit of this present description.
Claims (11)
1. A method for generating a software bill of materials, comprising:
integrating a software bill of materials plug-in into a software development tool;
configuring mapping rules and a scan engine for the software bill of materials plug-in;
receiving a scan instruction for project code in the software development tool;
calling the software bill of materials plug-in to perform software component analysis on the project code according to the scan engine, and mapping the analysis result into a software bill of materials of the project code according to a generation policy indicated by a user in the mapping rules;
sending a risk analysis request to a secure operation platform, wherein the risk analysis request comprises the software bill of materials;
and receiving a risk analysis result fed back by the secure operation platform, wherein the risk analysis result comprises a risk component in the project code and a corresponding solution, and the risk analysis result is obtained by performing risk analysis on the software bill of materials.
2. The method according to claim 1, wherein the method further comprises:
detecting first local version information of the software bill of materials plug-in in the software development tool;
sending a first version information query request to a plug-in management platform;
receiving first recommended version information and a first update policy of the software bill of materials plug-in sent by the plug-in management platform;
and if the first recommended version information differs from the first local version information, executing the first update policy.
3. The method according to claim 1, wherein the method further comprises:
receiving a mapping rule change message sent by a plug-in management platform;
in response to the received mapping rule change message, sending a mapping rule acquisition request to the plug-in management platform;
receiving a mapping rule fed back by the plug-in management platform;
and updating the mapping rule of the software bill of materials plug-in according to the received mapping rule.
4. The method according to claim 1, further comprising:
detecting first local version information of the software bill of materials plug-in and second local version information of the scanning engine;
sending a second version information query request to a plug-in management platform, wherein the request comprises the first local version information;
receiving second recommended version information of the scanning engine, fed back by the plug-in management platform, that matches the first local version information;
comparing the second local version information with the second recommended version information; and
if the two differ, updating the scanning engine to the version corresponding to the second recommended version information.
5. The method according to claim 1, wherein the step of receiving a scanning instruction comprises:
providing, in the software development tool, a selection interface listing a plurality of codes for selection;
determining the project code selected by a user among the plurality of codes; and
receiving a scanning instruction from the user for the project code.
6. The method according to claim 1, further comprising:
sending the project code to the security operations platform, so that the security operations platform adds the software bill of materials to a software bill of materials set and records the project code as the project code corresponding to that software bill of materials in the set; and, after risk prompt information for a target component is received, selects in the software bill of materials set the target software bills of materials affected by the target component, takes the project codes corresponding to the target software bills of materials as risk project codes, and sends the risk prompt information to the terminal equipment corresponding to the risk project codes, wherein the risk prompt information is used to prompt about the risk project codes.
7. A method for generating a software bill of materials, comprising:
acquiring a software bill of materials plug-in and a corresponding scanning engine;
receiving a mapping rule input by business personnel based on a rule template; and
sending the software bill of materials plug-in, the scanning engine and the mapping rule to terminal equipment, so that the terminal equipment integrates the software bill of materials plug-in in a software development tool, configures the mapping rule and the scanning engine for the software bill of materials plug-in, receives a scanning instruction for project code in the software development tool, calls the software bill of materials plug-in to analyze the software components of the project code according to the scanning engine, and maps the analysis result into a software bill of materials of the project code according to a generation strategy indicated by a user in the mapping rule; sends a risk analysis request to a security operations platform, wherein the risk analysis request comprises the software bill of materials; and receives a risk analysis result fed back by the security operations platform, wherein the risk analysis result comprises a risk component in the project code and a corresponding solution, the risk analysis result being obtained by carrying out risk analysis on the software bill of materials.
8. The method according to claim 7, wherein the step of sending the scanning engine and the mapping rule comprises:
receiving a version query request sent by the terminal equipment;
sending recommended version information of the scanning engine to the terminal equipment, so that the terminal equipment updates the scanning engine to the version corresponding to the recommended version information when the local version information of the scanning engine differs from the recommended version information;
after detecting that the business personnel have input the mapping rule, sending a mapping rule change message to the terminal equipment;
receiving a mapping rule acquisition request sent by the terminal equipment based on the mapping rule change message; and
sending the mapping rule to the terminal equipment.
9. A management platform for a software bill of materials plug-in, comprising:
a plug-in management module for managing software bill of materials plug-ins that can be integrated in a software development tool;
a rule management module for managing the mapping rules of the software bill of materials plug-in; and
a scanning engine management module for managing the scanning engine of the software bill of materials plug-in;
wherein the software bill of materials plug-in is called so that software component analysis can be carried out on project code in the software development tool according to the scanning engine, and the analysis result is mapped into a software bill of materials of the project code according to a generation strategy indicated by a user in the mapping rules; and risk analysis is carried out on the software bill of materials to obtain a risk analysis result, wherein the risk analysis result comprises a risk component of the project code and a corresponding solution.
10. The management platform according to claim 9, further comprising:
an asset management module for managing components that can be referenced in a software project.
11. A computer device, comprising:
a processor; and a memory for storing processor-executable instructions;
wherein the processor implements the method of any one of claims 1 to 8 by executing the instructions.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410379763.5A CN118194298A (en) | 2024-03-29 | 2024-03-29 | Software bill of materials generation method, management platform and computer equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410379763.5A CN118194298A (en) | 2024-03-29 | 2024-03-29 | Software bill of materials generation method, management platform and computer equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118194298A true CN118194298A (en) | 2024-06-14 |
Family ID: 91394409
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410379763.5A Pending CN118194298A (en) | 2024-03-29 | 2024-03-29 | Software bill of materials generation method, management platform and computer equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118194298A (en) |
Timeline
- 2024-03-29 CN CN202410379763.5A patent/CN118194298A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10498597B2 (en) | Deploying and monitoring multiplatform cloud-based infrastructures | |
US8161473B2 (en) | Dynamic software fingerprinting | |
US8051298B1 (en) | Integrated fingerprinting in configuration audit and management | |
CN107896244B (en) | Version file distribution method, client and server | |
TW200837558A (en) | Objective assessment of application crashes from a customer environment | |
US11846972B2 (en) | Method and apparatus for generating software test reports | |
CN111563015B (en) | Data monitoring method and device, computer readable medium and terminal equipment | |
US10891357B2 (en) | Managing the display of hidden proprietary software code to authorized licensed users | |
CN110688285A (en) | Method and device for processing abnormal classification of business system, computer equipment and storage medium | |
CN112738138B (en) | Cloud security hosting method, device, equipment and storage medium | |
CN112667638B (en) | Dynamic report generation method and device, terminal equipment and readable storage medium | |
EP2130164A1 (en) | A method and system for populating a software catalogue with related product information | |
CN111614628B (en) | Kernel reinforcement system and method, cloud server, client, electronic device and storage medium | |
US20240048446A1 (en) | Systems and methods for identifying and determining third party compliance | |
WO2021135257A1 (en) | Vulnerability processing method and related device | |
WO2023151397A1 (en) | Application program deployment method and apparatus, device, and medium | |
CN116760682A (en) | Log acquisition and filtration method, device, equipment and medium | |
CN118194298A (en) | Software bill of materials generation method, management platform and computer equipment | |
CN114546410A (en) | Code optimization method based on design mode and related equipment | |
CN114049100A (en) | Wisdom government affairs integration platform based on letter creates environment | |
CN112817603A (en) | Application program processing method and device, electronic equipment, system and storage medium | |
Gamba | "Do Android Dream of Electric Sheep?" On Privacy in the Android Supply Chain | |
CN112784272B (en) | Application processing method, device, electronic equipment, system and storage medium | |
US20240127263A1 (en) | Guidance Rule-Based Compliance Management | |
US20240289119A1 (en) | Advanced identity onboarding |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination ||