KR102666486B1 - Method and system for managing source code - Google Patents

Abstract

The present disclosure provides a source code management method performed by at least one processor. The method includes receiving software source code associated with a first source code repository from a user terminal, performing a security check on the received software source code, and a first set of security discovered through the security check. It includes storing issues in association with a first source code repository and transmitting a security report on a first set of security issues associated with the first source code repository to a user terminal.

Description

Source code management method and system {METHOD AND SYSTEM FOR MANAGING SOURCE CODE}

This disclosure relates to a source code management method and system. Specifically, it relates to a source code management method and system that performs a security check on source code at the development stage to detect vulnerabilities and track detected security issues. .

DevOps methodology is a methodology for IT development and operation. Specifically, it can refer to a methodology for carrying out IT development projects by repeating the development and execution of software and the development of improved software based on feedback. there is. The DevOps methodology is known to have the advantage of shortening development time and increasing completeness by linking the development and operation stages. As the importance of IT security has recently been emphasized, an increasing number of companies are applying the DevSecOps methodology that links security to the DevOps methodology.

In general, IT development has roles divided into a development organization, an operation organization, and a security organization, making it difficult to perform security checks on source code during the development process. Additionally, in the case of the security check check function for source code provided through existing development collaboration systems, security checks are performed after compilation of the development project is completed, so security vulnerabilities in source code generated during the development process are detected. And there is a problem that it is difficult to track and manage it.

The present disclosure provides a source code management method, a computer program stored in a recording medium, and a device (system) to solve the above problems.

The present disclosure may be implemented in various ways, including as a method, device (system), or computer program stored in a readable storage medium.

A source code management method according to an embodiment of the present disclosure includes receiving software source code associated with a first source code repository from a user terminal, performing a security check on the received software source code, and performing a security check on the received software source code. storing the discovered first set of security issues in association with the first source code repository and transmitting a security report on the first set of security issues associated with the first source code repository to the user terminal.

According to one embodiment of the present disclosure, a computer program stored in a computer-readable recording medium is provided to execute a source code management method on a computer.

According to one embodiment of the present disclosure, a source code management system is provided. The source code management system includes a communication module, a memory, and at least one processor connected to the memory and configured to execute at least one computer-readable program included in the memory, wherein the at least one program is stored in a source code repository from a user terminal. Receive software source code associated with the software source code, perform a security check on the received software source code, store the set of security issues found through the security check in association with the source code repository, and store the set of security issues associated with the source code repository. Contains commands for transmitting a security report to the user terminal.

According to some embodiments of the present disclosure, when performing an update/upload of source code to a source code repository, a user can take action by performing a security check before compiling the source code, thereby efficiently managing the development project. You can.

According to some embodiments of the present disclosure, security issues discovered through security inspection can be tracked and managed, so that early action can be taken without missing security vulnerabilities in software source code, thereby preventing IT security incidents in advance.

According to some embodiments of the present disclosure, by receiving security issue statistical data associated with one or more source code repositories associated with a user, frequent security issues can be easily identified.

The effects of the present disclosure are not limited to the effects mentioned above, and other effects not mentioned are clear to a person skilled in the art (referred to as “a person skilled in the art”) in the technical field to which this disclosure pertains from the description of the claims. It will be understandable.

Embodiments of the present disclosure will be described with reference to the accompanying drawings described below, in which like reference numerals indicate like elements, but are not limited thereto.
Figure 1 shows the configuration of a source code management system according to an embodiment of the present disclosure.
Figure 2 is a schematic diagram showing a configuration in which an information processing system is connected to communicate with a plurality of user terminals in order to manage software source code according to an embodiment of the present disclosure.
Figure 3 is a block diagram showing the internal configuration of a user terminal and information processing system 230 according to an embodiment of the present disclosure.
Figure 4 is a block diagram showing the detailed configuration of a second system according to an embodiment of the present disclosure.
Figure 5 shows an example of a user interface for checking a list of issues for a plurality of projects related to a user according to an embodiment of the present disclosure.
Figure 6 shows an example of a security report for one security issue discovered through a security check according to an embodiment of the present disclosure.
Figure 7 shows an example of a user action item for one security issue discovered through a security check according to an embodiment of the present disclosure.
Figure 8 shows an example of statistical data on security issues according to an embodiment of the present disclosure.
Figure 9 is a flowchart showing a source code management method according to an embodiment of the present disclosure.

Hereinafter, specific details for implementing the present disclosure will be described in detail with reference to the attached drawings. However, in the following description, detailed descriptions of well-known functions or configurations will be omitted if there is a risk of unnecessarily obscuring the gist of the present disclosure.

In the accompanying drawings, identical or corresponding components are given the same reference numerals. Additionally, in the description of the following embodiments, overlapping descriptions of identical or corresponding components may be omitted. However, even if descriptions of components are omitted, it is not intended that such components are not included in any embodiment.

Advantages and features of the disclosed embodiments and methods for achieving them will become clear by referring to the embodiments described below in conjunction with the accompanying drawings. However, the present disclosure is not limited to the embodiments disclosed below and may be implemented in various different forms. The present embodiments are merely provided to ensure that the present disclosure is complete and that the present disclosure does not convey the scope of the invention to those skilled in the art. It is provided only for complete information.

Terms used in this specification will be briefly described, and the disclosed embodiments will be described in detail. The terms used in this specification are general terms that are currently widely used as much as possible while considering the functions in the present disclosure, but this may vary depending on the intention or precedent of a technician working in the related field, the emergence of new technology, etc. In addition, in certain cases, there are terms arbitrarily selected by the applicant, and in this case, the meaning will be described in detail in the description of the relevant invention. Accordingly, the terms used in this disclosure should be defined based on the meaning of the term and the overall content of the present disclosure, rather than simply the name of the term.

In this specification, singular expressions include plural expressions, unless the context clearly specifies the singular. Additionally, plural expressions include singular expressions, unless the context clearly specifies plurality. When it is said that a certain part includes a certain element throughout the specification, this does not mean excluding other elements, but may further include other elements, unless specifically stated to the contrary.

Additionally, the term 'module' or 'unit' used in the specification refers to a software or hardware component, and the 'module' or 'unit' performs certain roles. However, 'module' or 'unit' is not limited to software or hardware. A 'module' or 'unit' may be configured to reside on an addressable storage medium and may be configured to run on one or more processors. Thus, as an example, a 'module' or 'part' refers to components such as software components, object-oriented software components, class components and task components, processes, functions and properties. , procedures, subroutines, segments of program code, drivers, firmware, microcode, circuits, data, databases, data structures, tables, arrays, or variables. Components and 'modules' or 'parts' may be combined into smaller components and 'modules' or 'parts' or further components and 'modules' or 'parts'. Could be further separated.

According to an embodiment of the present disclosure, a 'module' or 'unit' may be implemented with a processor and memory. 'Processor' should be interpreted broadly to include general-purpose processors, central processing units (CPUs), microprocessors, digital signal processors (DSPs), controllers, microcontrollers, state machines, etc. In some contexts, 'processor' may refer to an application-specific integrated circuit (ASIC), programmable logic device (PLD), field programmable gate array (FPGA), etc. 'Processor' refers to a combination of processing devices, for example, a combination of a DSP and a microprocessor, a combination of a plurality of microprocessors, a combination of one or more microprocessors in combination with a DSP core, or any other such combination of configurations. You may. Additionally, 'memory' should be interpreted broadly to include any electronic component capable of storing electronic information. 'Memory' refers to random access memory (RAM), read-only memory (ROM), non-volatile random access memory (NVRAM), programmable read-only memory (PROM), erasable-programmable read-only memory (EPROM), May also refer to various types of processor-readable media, such as electrically erasable PROM (EEPROM), flash memory, magnetic or optical data storage, registers, etc. A memory is said to be in electronic communication with a processor if the processor can read information from and/or write information to the memory. The memory integrated into the processor is in electronic communication with the processor.

In the present disclosure, 'system' may include at least one of a server device and a cloud device, but is not limited thereto. For example, a system may consist of one or more server devices. As another example, a system may consist of one or more cloud devices. As another example, the system may be operated with a server device and a cloud device configured together.

In this disclosure, 'static security check' refers to checking source code for potential security vulnerabilities inherent therein. For example, it may refer to examining security vulnerabilities associated with the source code itself, APIs (application programming interfaces) called by the source code, open source libraries associated with the source code, etc. Additionally, 'dynamic security inspection' may refer to examining software vulnerabilities by approaching it in a manner used by attackers (e.g., hackers).

In this disclosure, 'sensitive information' may include information such as personal information, payment information, or password. In addition, 'detection of sensitive information leakage by source code' refers to whether part of the software source code includes code that attempts to access databases related to sensitive information such as personal information, payment information, or padwords, or whether processing sensitive information. It may include detecting compliance with coding guidelines for source code, etc.

In the present disclosure, 'each of a plurality of A' or 'each of a plurality of A' may refer to each of all components included in a plurality of A, or may refer to each of some components included in a plurality of A. .

Figure 1 shows the configuration of a source code management system 120 according to an embodiment of the present disclosure. The source code management system 120 may receive the software source code 112 from the user terminal 110 and perform a security check on the received software source code. Here, software source code 112 may be associated with a specific source code repository. The source code management system 120 may generate a security report 150 for security issues discovered through a security check on the received software source code 112 and provide the security report 150 to the user terminal 110. Additionally or alternatively, the source code management system 120 may register the generated security report 150 in the source code management system 120 and transmit a registration notification message of the security report 150 to the user terminal 110. You can. In this case, the user can check the registration notification message of the security report 150 and access the source code management system 120 to check the security report 150.

As shown, the source code management system 120 may include a first system 130 that performs a security check on the source code and a second system 140 that manages security issues discovered through the security check. there is. In FIG. 1, the first system 130 and the second system 140 are shown as separately configured elements, but they are not limited to this and may be configured as one system.

According to one embodiment, the first system 130 may receive the software source code 112 from the user terminal 110 and perform a security check. For example, the first system 130 may receive software source code 112 uploaded to the source code management system 120 or a separate system and perform a security check. In another example, when an IDE plug-in (Integrated Development Environment-Plugin) operates, the first system 130 may receive the software source code 112 from the user terminal 110 and perform a security check. According to one embodiment, the first system 130 may include a static security check unit 132 and/or a dynamic security check unit 134. The first system 130 may perform a static security check and/or a dynamic security check on the software source code 112 using the static security check unit 132 and/or the dynamic security check unit 134.

According to one embodiment, the static security check unit 132 may be configured to perform a static security check on the software source code 112. Here, the static security check may be performed before compilation of the software source code 112. For example, the static security check unit 132 may check code vulnerabilities through static analysis of the software source code 112. Here, the code vulnerability check may include checking whether coding is based on a secure coding guide, whether there are errors in the source code, etc. Additionally or alternatively, the static security check unit 132 may detect leakage of sensitive information by the software source code 112. Additionally or alternatively, the static security checker 132 may detect open source libraries associated with the software source code 112 that have known security vulnerabilities.

According to one embodiment, the dynamic security check unit 134 may perform a dynamic security check on software source code. Here, dynamic security checking may be performed after compilation of source code. For example, the dynamic security check unit 134 may use a test server to perform a simulated security check in the operating state of the software source code.

The first system 130 may transmit the security issue 136 discovered through a security check of the software source code 112 to the second system 140. According to one embodiment, the second system 140 may be configured to track and manage security issues 136 discovered through security inspection. Specifically, the second system 140 may store security issues discovered through a security check in association with the corresponding source code repository. Additionally, the second system 140 may receive an action plan associated with a security issue from the user terminal and store the received action plan in association with the security issue. Additionally, the second system 140 may generate security issue statistical data associated with a specific source code repository and provide it to the user terminal 110 as a security report 150. Additionally or alternatively, the second system 140 may register the security report 150 in the source code management system 120 and transmit a registration notification message of the security report 150 to the user terminal 110.

In addition, the second system 140 generates security issue statistical data associated with a plurality of source code repositories associated with a plurality of source code repositories associated with the user terminal 110 and provides it to the user terminal 110 as a security report 150. can do. The detailed configuration of the second system 140 will be described in detail later with reference to FIG. 4 .

According to one embodiment, the source code management system 120 may provide a security report 150 on one or more security issues associated with a specific source code repository to the user terminal 110. Additionally or alternatively, the source code management system 120 may register the security report 150 in the source code management system 120 and transmit a registration notification message of the security report 150 to the user terminal 110. . Here, the security report 150 may include information such as priority and vulnerability type for each of one or more security issues. Additionally, security report 150 may include information related to solutions to some (or all) of one or more security issues. An example of information included in the security report 150 about security issues will be described in detail later with reference to FIG. 6 .

Figure 1 shows that the security report 150 is provided from the source code management system 120 to the user terminal 110, but is not limited thereto, and the security report 150 is provided by the first system 130 and/or It may be provided from the second system 140 to the user terminal 110. Additionally or alternatively, the security report 150 may be registered in the first system 130 and/or the second system 140, and a registration notification message of the security report 150 may be provided to the user terminal 110. there is. Through this configuration, when users update/upload source code to the source code repository, they can track and manage security issues discovered through security checks to take early action without missing security vulnerabilities in the software source code. This allows IT security incidents to be prevented in advance.

Figure 2 is a schematic diagram showing a configuration in which an information processing system is connected to communicate with a plurality of user terminals in order to manage software source code according to an embodiment of the present disclosure. Information processing system 230 may include a source code management system. In one embodiment, information processing system 230 includes one or more server devices and/or databases capable of storing, serving, and executing computer executable programs (e.g., downloadable applications) and data associated with source code management services; Alternatively, it may include one or more distributed computing devices and/or distributed databases based on cloud computing services. For example, the information processing system 230 may include separate systems (eg, servers) for source code management services. Source code management services provided by the information processing system 230 may be provided to users through web applications, web browsers, etc. installed on each of the plurality of user terminals 210_1, 210_2, and 210_3.

A plurality of user terminals 210_1, 210_2, and 210_3 may communicate with the information processing system 230 through the network 220. The network 220 may be configured to enable communication between a plurality of user terminals 210_1, 210_2, and 210_3 and the information processing system 230. Depending on the installation environment, the network 220 may be, for example, a wired network such as Ethernet, a wired home network (Power Line Communication), a telephone line communication device, and RS-serial communication, a mobile communication network, a wireless LAN (WLAN), It may consist of wireless networks such as Wi-Fi, Bluetooth, and ZigBee, or a combination thereof. The communication method is not limited, and includes communication methods that utilize communication networks that the network 220 may include (e.g., mobile communication networks, wired Internet, wireless Internet, broadcasting networks, satellite networks, etc.) as well as user terminals (210_1, 210_2, 210_3) ) may also include short-range wireless communication between

In Figure 2, the mobile phone terminal 210_1, tablet terminal 210_2, and PC terminal 210_3 are shown as examples of user terminals, but they are not limited thereto, and the user terminals 210_1, 210_2, and 210_3 use wired and/or wireless communication. This can be any capable computing device. For example, user terminals include smartphones, mobile phones, navigation devices, computers, laptops, digital broadcasting terminals, PDAs (Personal Digital Assistants), PMPs (Portable Multimedia Players), tablet PCs, game consoles, and wearable devices ( It may include wearable devices, IoT (internet of things) devices, VR (virtual reality) devices, AR (augmented reality) devices, etc. In addition, in Figure 2, three user terminals (210_1, 210_2, 210_3) are shown as communicating with the information processing system 230 through the network 220, but this is not limited to this, and a different number of user terminals are connected to the network ( It may be configured to communicate with the information processing system 230 through 220).

Figure 3 is a block diagram showing the internal configuration of the user terminal 210 and the information processing system 230 according to an embodiment of the present disclosure. The user terminal 210 may refer to any computing device capable of executing applications, web browsers, etc. and capable of wired/wireless communication, for example, the mobile phone terminal 210_1, tablet terminal 210_2 of FIG. 2, It may include a PC terminal (210_3), etc. As shown, the user terminal 210 may include a memory 312, a processor 314, a communication module 316, and an input/output interface 318. Similarly, information processing system 230 may include memory 332, processor 334, communication module 336, and input/output interface 338. As shown in FIG. 3, the user terminal 210 and the information processing system 230 are configured to communicate information and/or data through the network 220 using respective communication modules 316 and 336. It can be. Additionally, the input/output device 320 may be configured to input information and/or data to the user terminal 210 through the input/output interface 318 or to output information and/or data generated from the user terminal 210.

Memories 312 and 332 may include any non-transitory computer-readable recording medium. According to one embodiment, the memories 312 and 332 are non-perishable mass storage devices such as random access memory (RAM), read only memory (ROM), disk drive, solid state drive (SSD), and flash memory. It may include a (permanent mass storage device). As another example, non-perishable mass storage devices such as ROM, SSD, flash memory, disk drive, etc. may be included in the user terminal 210 or the information processing system 230 as a separate persistent storage device that is distinct from memory. Additionally, an operating system and at least one program code may be stored in the memories 312 and 332.

These software components may be loaded from a computer-readable recording medium separate from the memories 312 and 332. This separate computer-readable recording medium may include a recording medium directly connectable to the user terminal 210 and the information processing system 230, for example, a floppy drive, disk, tape, DVD/CD- It may include computer-readable recording media such as ROM drives and memory cards. As another example, software components may be loaded into the memories 312 and 332 through the communication modules 316 and 336 rather than computer-readable recording media. For example, at least one program is loaded into memory 312, 332 based on a computer program installed by files provided over the network 220 by developers or a file distribution system that distributes installation files for applications. It can be.

The processors 314 and 334 may be configured to process instructions of a computer program by performing basic arithmetic, logic, and input/output operations. Instructions may be provided to the processors 314 and 334 by memories 312 and 332 or communication modules 316 and 336. For example, processors 314 and 334 may be configured to execute received instructions according to program codes stored in recording devices such as memories 312 and 332.

The communication modules 316 and 336 may provide a configuration or function for the user terminal 210 and the information processing system 230 to communicate with each other through the network 220, and may provide a configuration or function for the user terminal 210 and/or information processing. The system 230 may provide a configuration or function for communicating with other user terminals or other systems (for example, a separate cloud system, etc.). For example, the request or data (e.g., software source code commit request, software source code, etc.) generated by the processor 314 of the user terminal 210 according to the program code stored in a recording device such as memory 312, etc. It may be transmitted to the information processing system 230 through the network 220 under the control of the communication module 316. Conversely, a control signal or command provided under the control of the processor 334 of the information processing system 230 is transmitted through the communication module 316 of the user terminal 210 through the communication module 336 and the network 220. It may be received by the user terminal 210. For example, the user terminal 210 may receive a security report about security issues associated with software source code from the information processing system 230. Additionally or alternatively, the user terminal 210 may receive a security report registration notification message from the information processing system 230.

The input/output interface 318 may be a means for interfacing with the input/output device 320. As an example, input devices may include devices such as cameras, keyboards, microphones, mice, etc., including audio sensors and/or image sensors, and output devices may include devices such as displays, speakers, haptic feedback devices, etc. You can. As another example, the input/output interface 318 may be a means for interfacing with a device that has components or functions for performing input and output, such as a touch screen, integrated into one. In FIG. 3 , the input/output device 320 is shown not to be included in the user terminal 210, but the present invention is not limited to this and may be configured as a single device with the user terminal 210. Additionally, the input/output interface 338 of the information processing system 230 may be connected to the information processing system 230 or means for interfacing with a device (not shown) for input or output that the information processing system 230 may include. It can be. In FIG. 3, the input/output interfaces 318 and 338 are shown as elements configured separately from the processors 314 and 334, but the present invention is not limited thereto, and the input/output interfaces 318 and 338 may be configured to be included in the processors 314 and 334. there is.

The user terminal 210 and information processing system 230 may include more components than those in FIG. 3 . However, there is no need to clearly show most prior art components. In one embodiment, the user terminal 210 may be implemented to include at least some of the input/output devices 320 described above. Additionally, the user terminal 210 may further include other components such as a transceiver, a global positioning system (GPS) module, a camera, various sensors, and a database. For example, if the user terminal 210 is a smartphone, it may include components generally included in a smartphone, such as an acceleration sensor, a gyro sensor, a microphone module, a camera module, and various physical devices. Various components such as buttons, buttons using a touch panel, input/output ports, and vibrators for vibration may be implemented to be further included in the user terminal 210.

Figure 4 is a block diagram showing the detailed configuration of the second system 140 according to an embodiment of the present disclosure. The second system 140 may be configured to track and manage security issues discovered through security inspection in conjunction with the first system (eg, 130 in FIG. 1). To this end, the second system 140 may include an issue tracking server 410, a statistics server 420, a DB server 430, and a file server 440.

According to one embodiment, the issue tracking server 410 may be linked with the first system (eg, 130 in FIG. 1) to track security issues discovered through a security check in real time. For example, the issue tracking server 410 may generate progress, priority information, or vulnerability type information for discovered security issues. In this case, the issue tracking server 410 may determine progress information on the discovered security issue as either a new issue or a re-discovered issue. Additionally, the issue tracking server 410 may determine priority information for the discovered security issue as one of high, medium, or low. Here, priority information may be predefined in response to the type of security issue. In addition, the issue tracking server 410 divides the vulnerability type information for discovered security issues into code vulnerability, sensitive data leakage, open source library vulnerability, and dynamic security vulnerability. It can be judged separately. Here, the vulnerability type can be predefined in response to the type of security issue and is not limited to the above-mentioned types. Although FIG. 4 shows one issue tracking server 410, the present invention is not limited thereto, and the second system 140 may include a plurality of issue tracking servers 410. Previously, the issue tracking server 410 was described as generating progress status, priority information, and vulnerability type information, but the issue is not limited to this, and the issue tracking server 410 may receive such information from the first system.

According to one embodiment, the statistics server 420 may process statistical data about one or more security issues discovered through a security check. For example, when receiving a request for statistics on security issues associated with a specific source code repository from a user terminal, the statistics server 420 may generate statistical data on one or more security issues associated with the corresponding source code repository and transmit it to the user terminal. there is. In another example, when receiving a request for statistics on security issues associated with a plurality of source code repositories from a user terminal, the statistics server 420 generates statistical data on one or more security issues associated with a plurality of source code repositories and sends it to the user terminal. Can be transmitted. Examples of statistical data are described in detail below with reference to FIG. 8. 4 illustrates that the second system 140 includes one statistics server 420, but the present invention is not limited thereto, and the second system 140 may include a plurality of statistics servers 420.

According to one embodiment, the DB server 430 may store/manage data related to one or more security issues discovered through a security check. For example, the DB server 430 may store priority information about security issues, vulnerability type information, etc. in association with the corresponding security issue. In another example, the DB server 430 may create a user work item by storing an action plan associated with a security issue received from a user terminal. Figure 4 shows that the second system 140 includes one DB server 430, but is not limited thereto. For example, the DB server 430 may include a master server and a slave server, the issue tracking server 410 is linked to the master server, and the statistics server 420 is a slave server. It can be configured to interoperate with . If necessary, the DB server 430 may be composed of multiple master servers and multiple slave servers.

According to one embodiment, the file server 440 may store/manage files associated with one or more security issues discovered through a security check. For example, if there is a file attached to one or more security issues discovered through a security check, the file server 440 may store the file.

In FIG. 4 , one second system 140 is shown, but the present invention is not limited thereto, and a plurality of second systems 140 may be used. In this case, a lobe balancer (load balancer) may be additionally used to distribute incoming traffic to the plurality of second systems 140.

The internal configuration of the second system 140 shown in FIG. 4 is only an example, and in some embodiments, other configurations other than the internal configuration shown may be additionally included, some configurations may be omitted, and some processes may be performed in different configurations or configurations. Can be performed by an external system. In addition, although the internal components of the second system 140 are described in FIG. 4 by dividing them by function, this does not necessarily mean that the components are physically divided.

FIG. 5 shows an example of a user interface 500 for checking a list of issues and user work items 520 for a plurality of projects related to a user according to an embodiment of the present disclosure. According to one embodiment, the user interface 500 may be displayed on the display of the user terminal. As shown, the user interface 500 is used to check security issues or user work items (To-do) associated with security issues for a plurality of projects (or a plurality of source code repositories) related to the user. It may include an issue tab 510. Here, projects can be matched 1:1 with source code repositories. In addition, the security issue may refer to a security issue discovered through a security check by the first system (e.g., 130 in FIG. 1), and the user action item is associated with the discovered security issue and represents an action plan received from the user. It can refer to information created based on

According to one embodiment, when the user selects the security issue tab 510 included in the user interface 500, the user terminal displays a list of issues and user work items 520 for a plurality of projects related to the user. You can. Here, the issue and user work item list 520 may include a security issue list including one or more security issues and/or a user work item list including one or more user work items.

Issue and user work item list 520 may include information about security issues and/or user work items. For example, as shown, the issue and user work item list 520 includes registration number, project information, type (e.g., security issue or user work item), progress, and priority. ), title (subject), update date (updated), related task (parent task), and information on vulnerability type (vulnerability type) may be included. Here, progress can be displayed separately according to security issues or user action items. For example, for security issues, progress includes information about new issue, re-detected issue, resolved issue, or ignored issue. can do. Additionally, in the case of a user work item, the progress status may include information of either a ready status or a completed status. Additionally, related tasks may indicate information about security issues associated with user work items. For example, as shown, the user action item (To-do) registered as '#50' is a user action item created based on the user's action plan related to the security issue registered as '#49'. Therefore, information such as 'security issue #49' can be included in related tasks.

In Figure 5, the security issue list and the user work item list are shown together, but the present invention is not limited to this, and the security issue list or the user work item list may be displayed separately through user input that filters the list. In addition, Figure 5 shows that security issues and user work items of all projects associated with the user are displayed in the issue and user work item list 520, but the scope is not limited to this, and the issue and user work item list 520 displays security issues and user work items associated with a single or multiple projects selected by the user. Security issues and/or user action items may be flagged.

Figure 6 shows an example of a security report 600 for one security issue discovered through a security check according to an embodiment of the present disclosure. According to one embodiment, the security report 600 may be displayed on the display of the user terminal. As shown, the security report 600 includes a title 610 of the security issue (e.g., 'SQL Injection'), information 620 related to the security issue, information 630 related to a solution to the security issue, and It may include task information 640 related to the security issue and security issue information 650 related to the security issue.

Information 620 related to the security issue includes the progress of the security issue (status), priority (priority), assignee (assignee), discovered date (detected datetime), rediscovered date (redetected datetime), and vulnerability type (vulnerability type). ) may include. Here, the progress may be one of a new issue, a re-discovered issue, a resolved issue, or an ignored issue. Additionally, the priority may be one of high, medium, or low. Additionally, the vulnerability type may be one of source code vulnerability, sensitive data leakage, open source library vulnerability, and dynamic security vulnerability.

Information 630 related to the solution to the security issue includes a description of the vulnerability related to the security issue (e.g., 'DB data leakage, tampering possible'), information about the source code related to the security issue, and information on the security issue. It may include information on response measures. In this case, information on response measures to the security issue may be predefined in relation to the type of security issue, or may be provided in conjunction with the response plan registered to the previously resolved security issue.

Task information 640 associated with the corresponding security issue may include user action items created based on an action plan input by the user related to the corresponding security issue. For example, the user can establish an action plan (or action plan) by referring to information 630 related to the solution to the security issue, register it in the system, and create a security report 600. You can check user task information related to the security issue. Additionally, the security issue information 650 associated with the corresponding security issue may include other security issue information associated with the corresponding security issue among a plurality of security issues included in the source code repository (or project).

According to one embodiment, a user can edit any one of the information 620 related to a security issue by selecting a graphic object 660 for editing. For example, if the user has solved the security issue, he or she clicks the graphic object 660 for editing to check the progress of the security issue included in the information related to the security issue from 'New Issue' to 'Resolved'. It can be changed to ‘issue’.

Figure 7 shows an example of a user action item 700 for one security issue discovered through a security check according to an embodiment of the present disclosure. According to one embodiment, user work item 700 may be displayed on the display of the user terminal. As shown, the user work item 700 may include a related task 710 (eg, 'security issue #49') and information 720 about an action plan for the security issue.

Information 720 about the action plan for the security issue includes the security issue's progress (status), priority (priority), assignee, work start date (start date), work deadline date (due date), It may include information related to progress (% done), estimated work time (estimated time), and solutions to security issues. Here, the progress may include information about a new issue, a re-discovered issue, a resolved issue, or an ignored issue. Additionally, the priority may include information of high, medium, or low. In one embodiment, information related to a solution to a security issue may include information entered by a user or information on a predefined solution related to the security issue.

Figure 8 shows an example of statistical data 800 on security issues according to an embodiment of the present disclosure. According to one embodiment, statistical data 800 about security issues may be displayed on the display of the user terminal. As shown, statistical data 800 about security issues includes information 810 about statistical scope, statistical data 820 about progress, statistical data 830 about priority, and statistical data about vulnerability types. It may include (840) and time series statistical data (850) about progress.

Here, information 810 about the statistical range includes the number of projects (or source code repositories) associated with the user (e.g., '# of Total Projects': 6) and the number of security issues associated with the projects (e.g., '# of Total Issues': 29) may be included. In addition, statistical data on progress (820), statistical data on priorities (830), statistical data on vulnerability types (840), and time series statistical data on progress (850) provide information on statistical scope (810). ) can display statistical data generated based on the total security issues associated with one or more projects included in the project.

Statistical data 820 about progress may include statistical information based on the progress of security issues included in the project. For example, the statistical data 820 about the progress may include new issues, re-detected issues, resolved issues, or ignored issues ( It may include rate information of ignored issues. Additionally, statistical data 830 about priorities may include statistical information based on the priorities of security issues included in the project. For example, the statistical data 830 about priority may include information on the ratio of high, medium, or low priority of security issues included in the project. Additionally, statistical data 840 about vulnerability types may include statistical information based on the vulnerability types of security issues included in the project. For example, statistical data 840 for vulnerability types may include information on the percentage of security issues such as source code vulnerability, sensitive data leakage, or open source library vulnerability. there is. In addition, time series statistical data 850 on progress is time series statistical data based on the progress of security issues detected in projects over a certain period of time (e.g., '2020-04-17' ~ '2020-07-30'). It can be included.

In Figure 8, an example of providing the user with statistical data on security issues associated with multiple projects (or source code repositories) associated with the user is shown, but the scope is not limited to this, and the user may provide statistical data on security issues for one project. Upon request, statistical data on security issues for a single project can be provided.

Figure 9 is a flowchart showing a source code management method 900 according to an embodiment of the present disclosure. Method 900 may be performed by at least one processor of a source code management system (or information processing system). According to one embodiment, the method 900 may be initiated by the processor receiving software source code associated with a source code repository (eg, a first source code repository) from a user terminal (S910).

Afterwards, the processor may perform a security check on the received software source code (S920). Here, the security check for the software source code may include a static security check and a dynamic security check for the software source code. Here, the static security check may be performed before compilation of the software source code, and the dynamic security check may be performed after compilation of the software source code. For example, processors can check for code vulnerabilities through static analysis of software source code. Additionally or alternatively, the processor may detect leakage of sensitive information by software source code. Additionally or alternatively, the processor may detect open source libraries associated with the software source code that have known security vulnerabilities.

In one embodiment, the processor may perform dynamic security checks on software source code. For example, the processor may use a test server to perform a simulated security check in the operating state of the software source code. Here, the test server may include, but is not limited to, a web server or an application server.

Thereafter, the processor may store the set of security issues (e.g., the first set of security issues) discovered through the security check in association with the source code repository (e.g., the first source code repository) (S930). . Additionally, the processor may transmit a security report on a set of security issues (a first set of security issues) associated with a source code repository (eg, a first source code repository) to the user terminal (S940). Additionally or alternatively, the processor may register the security report in the source code management system and transmit a registration notification message of the security report to the user terminal. In one embodiment, the security report may include priority information or vulnerability type information for each security issue in the first set. In another embodiment, the security report may include information associated with a solution to a first security issue in the first set of security issues.

According to one embodiment, the processor may receive an action plan associated with a second security issue among the first set of security issues from the user terminal. The processor may then create a user action item by storing the received action plan in association with the second security issue. Here, the action plan may include a task start date and a task deadline date, and may further include progress rate information according to the user's task. In one embodiment, the processor may receive a request to complete processing of the second security issue from the user terminal. In this case, the processor may change the progress status of the second security issue to a resolved security issue.

According to one embodiment, the processor may receive a security issue statistics request associated with the first source code repository from the user terminal. In this case, the processor may transmit statistical data about a first set of security issues associated with the first source code repository to the user terminal. In another embodiment, the processor may receive a request for security issue statistics associated with the first source code repository and the second source code repository from the user terminal. In this case, the processor may transmit statistical data about a first set of security issues associated with the first source code repository and a second set of security issues associated with the second source code repository to the user terminal. Here, the statistical data may include statistics based on at least one of progress, priority, or vulnerability type.

According to one embodiment, the processor may receive a request for a list of security issues associated with the first source code repository and the second source code repository from the user terminal. In this case, the processor may transmit a security issue list including a first set of security issues associated with the first source code repository and a second set of security issues associated with the second source code repository to the user terminal. Additionally or alternatively, the processor may receive a user work item list request associated with the first source code repository and the second source code repository from the user terminal. In this case, the processor may transmit a user work item list to the user terminal, including a first set of user work items associated with a first set of security issues and a second set of user work items associated with a second set of security issues. . Here, the second set of security issues may be security issues associated with the second source code repository.

The flowchart shown in FIG. 9 and the above description are only examples and may be implemented differently in some embodiments. For example, in some embodiments, the order of each step may be changed, some steps may be performed repeatedly, some steps may be omitted, or some steps may be added.

The above-described method may be provided as a computer program stored in a computer-readable recording medium for execution on a computer. Media may be used to continuously store executable programs on a computer, or may be temporarily stored for execution or download. Additionally, the medium may be a variety of recording or storage means in the form of a single or several pieces of hardware combined. It is not limited to a medium directly connected to a computer system and may be distributed over a network. Examples of media include magnetic media such as hard disks, floppy disks, and magnetic tapes, optical recording media such as CD-ROMs and DVDs, magneto-optical media such as floptical disks, and There may be something configured to store program instructions, including ROM, RAM, flash memory, etc. Additionally, examples of other media include recording or storage media managed by app stores that distribute applications, sites or servers that supply or distribute various other software, etc.

The methods, operations, or techniques of this disclosure may be implemented by various means. For example, these techniques may be implemented in hardware, firmware, software, or a combination thereof. Those skilled in the art will understand that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented in electronic hardware, computer software, or combinations of both. To clearly illustrate this interchange of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends on the specific application and design requirements imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementations should not be interpreted as causing a departure from the scope of the present disclosure.

In a hardware implementation, the processing units used to perform the techniques may include one or more ASICs, DSPs, digital signal processing devices (DSPDs), programmable logic devices (PLDs). ), field programmable gate arrays (FPGAs), processors, controllers, microcontrollers, microprocessors, electronic devices, and other electronic units designed to perform the functions described in this disclosure. , a computer, or a combination thereof.

Accordingly, the various illustrative logical blocks, modules, and circuits described in connection with this disclosure may be general-purpose processors, DSPs, ASICs, FPGAs or other programmable logic devices, discrete gate or transistor logic, discrete hardware components, or It may be implemented or performed as any combination of those designed to perform the functions described in. A general-purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, such as a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other configuration.

For firmware and/or software implementations, techniques include random access memory (RAM), read-only memory (ROM), non-volatile random access memory (NVRAM), and PROM ( on computer-readable media such as programmable read-only memory (EPROM), electrically erasable PROM (EEPROM), flash memory, compact disc (CD), magnetic or optical data storage devices, etc. It may also be implemented as stored instructions. Instructions may be executable by one or more processors and may cause the processor(s) to perform certain aspects of the functionality described in this disclosure.

When implemented in software, the techniques may be stored on a computer-readable medium as one or more instructions or code. Storage media may be media that can be accessed by a computer. By way of non-limiting example, such computer readable media includes RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices may be used and any other media that can be accessed by a computer. can do.

For example, as used herein, disk and disk include CD, laser disk, optical disk, digital versatile disc (DVD), floppy disk, and Blu-ray disk, where disks ) usually reproduce data magnetically, while discs reproduce data optically using a laser. Combinations of the above should also be included within the scope of computer-readable media.

A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known. An exemplary storage medium may be coupled to the processor such that the processor may read information from or write information to the storage medium. Alternatively, the storage medium may be integrated into the processor. The processor and storage medium may reside within an ASIC. ASIC may exist within the user terminal. Alternatively, the processor and storage medium may exist as separate components in the user terminal.

Although the above-described embodiments have been described as utilizing aspects of the presently disclosed subject matter in one or more standalone computer systems, the disclosure is not limited thereto and may also be implemented in conjunction with any computing environment, such as a network or distributed computing environment. . Furthermore, aspects of the subject matter of this disclosure may be implemented in multiple processing chips or devices, and storage may be similarly effected across the multiple devices. These devices may include PCs, network servers, and portable devices.

Although the present disclosure has been described in relation to some embodiments in this specification, various modifications and changes may be made without departing from the scope of the present disclosure as can be understood by a person skilled in the art to which the invention pertains. Additionally, such modifications and changes should be considered to fall within the scope of the claims appended hereto.

110: user terminal
120: Source code management system
130: first system
140: second system
150: Security report

Claims (20)

In a source code management method performed by at least one processor,
Receiving first software source code associated with a first source code repository from a user terminal;
Receiving second software source code associated with a second source code repository from the user terminal, wherein the first source code repository is different from the second source code repository, and the first software source code is linked to the second software source code. Different from code - ;
performing a security check on each of the received first and second software source codes;
storing a first set of security issues discovered through the security check in association with the first source code repository to track and manage them;
storing a second set of security issues discovered through the security check in association with the second source code repository to track and manage them;
transmitting a security report on a first set of security issues associated with the first source code repository and a second set of security issues associated with the second source code repository to the user terminal;
Receiving a first action plan associated with a first security issue among the first set of security issues from the user terminal;
creating a first user work item by storing the received first action plan in association with the first security issue;
Receiving a second action plan associated with a second security issue among the second set of security issues from the user terminal;
creating a second user work item by storing the received second action plan in association with the second security issue;
Receiving a request to complete processing of the first security issue from the user terminal;
changing the progress status of the first security issue to a resolved security issue;
Receiving total security issue statistics requests associated with the first source code repository and the second source code repository from the user terminal; and
Transmitting to the user terminal overall statistical data on all security issues, including a first set of security issues associated with the first source code repository and a second set of security issues associated with the second source code repository.
Including,
The second security issue is related to the first security issue,
The security report for the second security issue includes information about the first security issue associated with the second security issue,
The overall statistical data on all security issues includes time series data of ratios by type of vulnerability associated with all security issues and proportions by type of progress related to all security issues. According to paragraph 1,
The step of performing the security check is,
performing a static security check on each of the first and second software source codes; and
performing a dynamic security check on each of the first and second software source codes.
Source code management method, including. According to paragraph 2,
The step of performing the static security check is,
Inspecting code vulnerabilities through static analysis of each of the first and second software source codes.
Source code management method, including. According to paragraph 2,
The step of performing the static security check is,
Detecting leakage of sensitive information by each of the first and second software source codes
Source code management method, including. According to paragraph 2,
The step of performing the static security check is,
Detecting an open-source library with known security vulnerabilities among open-source libraries associated with each of the first and second software source codes.
Source code management method, including. According to paragraph 2,
Wherein the static security check is performed before compilation of each of the first and second software source codes. According to paragraph 2,
The step of performing the dynamic security check is,
Using a test server, performing a simulated security check in the operating state of each of the first and second software source codes.
Source code management method, including. According to paragraph 2,
The dynamic security check is performed after compilation of each of the first and second software source codes. According to paragraph 1,
Each of the first and second security reports includes priority information or vulnerability type information for each of the first and second security issues. According to paragraph 1,
Each of the first and second security reports includes information associated with a solution to each of the first and second security issues. delete According to paragraph 1,
The first action plan includes a work start date and a work end date. delete delete delete delete According to paragraph 1,
Receiving a security issue list request associated with the first source code repository and the second source code repository from the user terminal; and
Transmitting to the user terminal a security issue list including a first set of security issues associated with the first source code repository and a second set of security issues associated with the second source code repository.
Further including, source code management method. According to paragraph 1,
Receiving a user work item list request associated with the first source code repository and the second source code repository from the user terminal; and
Transmitting to the user terminal a user work item list including a first set of user work items associated with the first set of security issues and a second set of user work items associated with the second set of security issues.
Further including, source code management method. A computer program stored in a computer-readable recording medium for executing the method according to any one of claims 1 to 10, 12, 17, and 18 on a computer. As a source code management system,
communication module;
Memory; and
At least one processor connected to the memory and configured to execute at least one computer-readable program included in the memory
Including,
The at least one program is,
Receiving first software source code associated with a first source code repository from a user terminal,
Receive from the user terminal a second software source code associated with a second source code repository, wherein the first source code repository is different from the second source code repository, and the first software source code is connected to the second software source code. Different from -,
perform a security check on each of the received first and second software source codes;
store in association with the first source code repository to track and manage a first set of security issues discovered through the security check;
store in association with the second source code repository to track and manage a second set of security issues discovered through the security check;
transmitting to the user terminal a security report on a first set of security issues associated with the first source code repository and a second set of security issues associated with the second source code repository;
Receiving a first action plan associated with a first security issue among the first set of security issues from the user terminal,
create a first user action item by storing the received first action plan in association with the first security issue;
Receiving a second action plan associated with a second security issue among the second set of security issues from the user terminal,
create a second user action item by storing the received second action plan in association with the second security issue;
Receiving a request to complete processing of the first security issue from the user terminal,
Change the progress of the first security issue to a resolved security issue,
Receiving a request for total security issue statistics associated with the first source code repository and the second source code repository from the user terminal,
Instructions for transmitting to the user terminal overall statistical data on all security issues, including a first set of security issues associated with the first source code repository and a second set of security issues associated with the second source code repository. Contains,
The second security issue is related to the first security issue,
The security report for the second security issue includes information about the first security issue associated with the second security issue,
A source code management system wherein the overall statistical data on all security issues includes time series data of the ratio by vulnerability type associated with the entire security issue and the rate by type of progress related to the entire security issue.

Images