WO2022222499A1 - Code processing method, and system, cluster, medium and program product - Google Patents


Info

Publication number
WO2022222499A1
Authority
WO
WIPO (PCT)
Prior art keywords
open source
analysis
code
components
component
Application number
PCT/CN2021/137848
Other languages
French (fr)
Chinese (zh)
Inventor
梁广泰
石敏
Original Assignee
华为云计算技术有限公司
Application filed by 华为云计算技术有限公司
Publication of WO2022222499A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3604 Software analysis for verifying properties of programs
    • G06F11/3616 Software analysis for verifying properties of programs using software metrics

Definitions

  • the present application relates to the technical field of software development and testing, and in particular, to a code processing method, a code processing system, a computer cluster, a computer-readable storage medium, and a computer program product.
  • the mainstream code defect detection includes static defect analysis (static application security testing, SAST).
  • SAST is a technology that directly analyzes software source code, bytecode, and binary packages in a static way to achieve code defect analysis. Specifically, given the code under inspection, the SAST tool combines the knowledge of defect patterns or repair patterns to perform systematic scanning and analysis, thereby identifying potential defects and providing possible repair solutions.
  • the above analysis methods usually consume a lot of time, so the analysis efficiency is relatively low and it is difficult to meet business requirements.
  • the present application provides a code processing method. The method obtains the open source components and self-owned components of the code under inspection and then applies different analysis methods to each, such as a simple and efficient compliance analysis for the open source components and a defect analysis for the self-owned components, so that the analysis focuses on the self-owned components, which improves analysis efficiency and meets business needs.
  • the present application also provides a code processing system, a computer cluster, a computer-readable storage medium, and a computer program product corresponding to the above method.
  • the present application provides a code processing method.
  • the method may be performed by a code processing system.
  • the code processing system may be a software system with code analysis and repair functions, or a hardware system with code analysis and repair functions.
  • the code processing system obtains the inspected code, which includes open source components and self-owned components; the code processing system then performs compliance analysis on the open source components and defect analysis on the self-owned components, and obtains the analysis results of the code under inspection.
  • the open source content of the code under inspection includes open source components (encapsulated, reusable code objects, as distinct from open source code fragments).
  • when performing defect analysis on the self-owned components, the code processing system may also perform the defect analysis according to the knowledge of the open source components on which the self-owned components depend. This can further improve the validity and coverage of the defect analysis results for the self-owned components.
  • the knowledge of the open source component includes at least one of usage constraints, defect patterns, and semantic models.
  • Usage constraints refer to the specifications or requirements that need to be followed when using open source components.
  • open source components are provided to upper-layer applications for calling, they often need to follow the usage constraints of open source components to ensure the correctness, reliability, and stability of logic.
  • the user can configure whether to start the detection rule set related to the open source component.
  • the detection rule set defines a defect mode, and the defect mode can be characterized by the regular code sequence corresponding to the defect type.
  • the code processing system can initiate a more comprehensive analysis based on the defect patterns defined in the detection rule set, improving the accuracy of the analysis results.
  • the semantic model of open source components defines the specific operations and behavioral logic that open source components perform when given input.
  • for the open source components included in the open source content of the code under inspection, the code processing system may recommend the semantic models corresponding to those open source components. Specifically, the code processing system receives the identifier of the semantic model selected by the user, determines the corresponding semantic model according to the identifier, and performs defect analysis through that semantic model.
  • the semantic model can be used to help defect analysis, improve analysis efficiency, and avoid repetitive semantic analysis of common open source components.
  • the code processing system may further present the analysis result to the user through a user interface, where the analysis result includes the problems existing in the code under inspection.
  • the user interface may specifically include a graphical user interface or a command user interface.
  • the code processing system can provide help for the user to fix the problems in the inspected code and improve the user experience.
  • the analysis result focuses on the own components, so it can guide the user to focus on repairing the defects of the own components, reduce unnecessary repair actions, and improve the repair efficiency and user experience.
  • the code processing system may also present to the user, through the user interface, repair suggestions for the problems existing in the code under inspection, such as repair suggestions for defects in the self-owned components, and then accept or reject a repair suggestion according to the user's operation on it. In this way the user is guided through the repair, the repair actions are simplified, and the work focuses on repairing defects in the self-owned components, which reduces the repair workload and improves repair efficiency.
  • the code processing system may perform defect analysis on the self-owned components when the open source content (e.g., open source components or open source code fragments) passes the compliance analysis. In this way, repeated analysis can be avoided and analysis efficiency can be improved.
  • the code processing system may repair the open source component when the compliance analysis of the open source component fails until the compliance analysis passes.
  • the code processing system can guide the user to repair the open source component through the user interface.
  • the code processing system can present compliance risk points and risk elimination suggestions to users through a user interface, and users can eliminate compliance risk points according to the risk elimination suggestions, such as upgrading or replacing open source components.
  • Defect analysis of self-owned components under the condition that the risk points of open-source components are eliminated can effectively improve the accuracy of defect analysis results of self-owned components, and improve the reliability of analysis results.
  • the code processing system may perform compliance analysis on the open source components based on licenses or security vulnerabilities.
  • the code processing system may query the license type according to the open source component, and determine the legality of the use method of the open source component according to the license type.
  • the types of licenses can include different types such as loose type and public copyright type, and different types of licenses have different requirements for the use method, so the code processing system can determine the legality of the current use method of open source components according to the type of license.
  • the code processing system may match the open source component with a set of open source code with security vulnerabilities (for example, a set of open source components with security vulnerabilities or a set of open source code fragments with security vulnerabilities), and determine whether the open source component is associated with a security vulnerability.
  • the present application provides a code processing system.
  • the system includes:
  • a communication module used to obtain the code to be inspected, the code to be inspected includes open source components and self-owned components;
  • An analysis module configured to perform compliance analysis on the open source components, and perform defect analysis on the self-owned components, to obtain analysis results of the code under inspection.
  • the open source content of the code under inspection includes open source components, and
  • the analysis module is specifically used for:
  • Defect analysis is performed on the own component based on the knowledge of the open source component on which the own component depends.
  • the knowledge of the open source component includes at least one of usage constraints, defect patterns, and semantic models.
  • system further includes:
  • the display module is used for presenting the analysis result to the user through the user interface, and the analysis result includes the problems existing in the code under inspection.
  • system further includes:
  • a display module used for presenting a repair suggestion for the problem existing in the code under inspection to a user through a user interface
  • a repairing module configured to accept or reject the repairing suggestion according to the operation of the user on the repairing suggestion.
  • the analysis module is specifically used for:
  • system further includes:
  • a repairing module configured to repair the open source component until the compliance analysis passes when the open source component does not pass the compliance analysis.
  • the analysis module is specifically used for:
  • the present application provides a computer cluster.
  • the computer cluster includes at least one computer, the computer including a processor and a memory, the memory storing computer-readable instructions, and the processor executing the computer-readable instructions to perform the code processing method in the first aspect or any one of the implementations of the first aspect.
  • the present application provides a computer-readable storage medium.
  • the computer-readable storage medium includes computer-readable instructions, which, when executed on a computer, cause the computer to execute the code processing method in the first aspect or any implementation manner of the first aspect.
  • the present application provides a computer program product.
  • the computer program product includes computer-readable instructions that, when executed on a computer, cause the computer to execute the code processing method according to the first aspect or any one of the implementations of the first aspect.
  • the present application may further combine to provide more implementation manners.
  • FIG. 1 is a system architecture diagram of a code processing system provided by an embodiment of the present application.
  • FIG. 2 is an interactive flowchart of a code processing method provided by an embodiment of the present application.
  • FIG. 3 is a schematic flowchart of a code processing method provided by an embodiment of the present application.
  • FIG. 4 is a schematic diagram of a code component analysis interface provided by an embodiment of the present application.
  • FIG. 5 is a schematic diagram of a code component analysis result interface provided by an embodiment of the present application.
  • FIG. 6 is a schematic diagram of a configuration interface provided by an embodiment of the present application.
  • FIG. 7 is a schematic diagram of a configuration interface provided by an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of a code processing system provided by an embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of a computer cluster according to an embodiment of the present application.
  • first and second in the embodiments of the present application are only used for the purpose of description, and cannot be understood as indicating or implying relative importance or implying the number of indicated technical features. Thus, a feature defined as “first” or “second” may expressly or implicitly include one or more of that feature.
  • the inspected code specifically refers to the code to be inspected.
  • the inspected code may be code written by the developer during the application development process and to be subjected to application security testing (application security testing, AST).
  • AST can be divided into static application security test (static AST, SAST), dynamic application security test (dynamic AST, DAST) and interactive security test (interactive AST, IAST) and so on.
  • SAST is a type of technology that directly analyzes source code, bytecode or binary packages in a static way for defect analysis. Generally, it is integrated into integrated development environment (IDE) plug-ins or into code submission access control for automatic defect scanning.
  • DAST is a type of technology that detects program errors by performing a series of tests on the code under test in a dynamic running mode. IAST, in turn, performs intrusive instrumentation of the code under inspection, so that the code under inspection collects operation data of interest during the test run, which is used to identify possible defects in the code under inspection.
  • SAST is widely used in the industry due to its low threshold for use and fast defect identification.
  • SAST is usually a systematic scan and analysis combined with knowledge of defect patterns or repair patterns, so as to identify potential defects and give possible repair solutions. As a result, it takes a lot of time, the analysis efficiency is relatively low, and it is difficult to meet business needs.
  • embodiments of the present application provide a code processing method.
  • This method obtains the open source components and self-owned components of the code under inspection and then applies different analysis methods to each, such as a simple and efficient compliance analysis for the open source components and a defect analysis for the self-owned components, so that the analysis focuses on the self-owned components, which improves analysis efficiency and meets business needs.
  • the foregoing code processing method provided by the embodiment of the present application may be executed by a computing device.
  • the computing device may be a terminal, and the terminal includes but is not limited to a desktop computer, a notebook computer, a tablet computer, and the like.
  • the computing device may also be a server, and the server may be a cloud server (a server in a cloud computing cluster), an edge server (a server in an edge computing cluster), or a local server.
  • the local server refers to the server in the data center to which the user belongs.
  • the above code processing method may be stored in a computing device in the form of a computer program.
  • the computer program may be software or a client with independent functions.
  • the computer program may also be a small program or a plug-in integrated on other programs, such as a plug-in integrated in an IDE.
  • the terminal or server can execute the above-mentioned computer program, thereby executing the code processing method.
  • the server executes the above code processing method, it can interact with the terminal to display the analysis result of the code under inspection to the terminal.
  • the system 100 includes a terminal 102 and a server 104 .
  • Server 104 may be a cloud server.
  • the terminal 102 can receive the inspected code from the user, the inspected code specifically including open source components and self-owned components, and then the server 104 can perform compliance analysis on the open source components and defect analysis on the self-owned components, thereby obtaining the analysis results.
  • the analysis results may include problems in the code under inspection.
  • the terminal 102 can receive the analysis result sent by the server 104, and then present the analysis result to the user through a user interface, such as a graphical user interface (graphical user interface, GUI) or a command user interface (command user interface).
  • the terminal 102 may receive the repair suggestion sent by the server 104, and then present the above repair suggestion to the user through a GUI or a CUI.
  • the user can choose to accept or reject the repair suggestions through the GUI. When all the repair suggestions have been accepted or rejected, the processing of the inspected code is completed.
  • the method includes:
  • an IDE or an editor may be deployed on the terminal 102, the user may write code through the IDE or the editor, and the terminal 102 receives the code written by the user, thereby obtaining the inspected code. Then, the terminal 102 sends the checked code to the server 104 to perform detection and analysis on the checked code.
  • S204 The server 104 identifies the code under inspection, and obtains open source components and proprietary components of the code under inspection.
  • Open source components are specifically code derived from open source software.
  • the so-called open source software, also known as open source code software, refers to computer software whose source code is publicly available and which anyone may distribute for any purpose.
  • the self-owned component is specifically the code whose copyright the user owns, such as the code developed by the user.
  • the server 104 may identify the inspected code through a software composition analysis (SCA) technology, so as to obtain open source components and proprietary components of the inspected code.
  • the server 104 may further identify open source components and open source code fragments within the open source content.
  • a component is an object formed by encapsulating data and methods, and this object can be reused. A code fragment is typically unencapsulated code, such as data or methods.
  • SCA is only one illustrative way for the server 104 to obtain the open source components and self-owned components of the code under inspection; in other possible implementations of the embodiments of the present application, the server 104 may also obtain the open source components and self-owned components of the code under inspection in other ways.
  • S206 The server 104 performs compliance analysis on the open source components. When the open source component compliance analysis fails, execute S208; when the open source component compliance analysis passes, execute S216.
  • the server 104 may not need to perform defect analysis on the open source component, but may directly perform compliance analysis on the open source component.
  • compliance refers to compliance with regulations.
  • compliance may be compliance with the relevant open source agreement.
  • the compliance analysis may include at least one of a license-based usage pattern legality analysis and a security vulnerability analysis.
  • the following is a detailed description of the legality analysis and security vulnerability analysis of license-based usage.
  • the server 104 can query the type of the corresponding license according to the open source component.
  • the server 104 can query the corresponding license information according to the source of the third-party library corresponding to the open source component.
  • the license information can include the type of the license, and the server 104 can then judge the legality of the current use of the open source component according to the type of license.
  • the type of license may include loose type and public copyright (copyleft) type.
  • the loose type has almost no restrictions on users, and the public copyright type has relatively strict restrictions on users. Each of them will be described below.
  • the permissive license has the following characteristics: (1) no usage restrictions, users can use the code, and can also modify the code; (2) no warranty, users are at their own risk; (3) users must disclose the original author.
  • Common loose licenses allow users to use code arbitrarily. The difference between different loose licenses is mainly in the conditions that users are required to abide by. For example, some licenses require that the original license statement must be retained when distributing an application. Further, some licenses require not only retaining the original license statement, but also not using the original author's name for promotion. In addition, some licenses require that when distributing an application, the original license statement must be retained, and modified files must declare to the user that they have been modified, and files that have not been modified must keep the license unchanged.
  • the public copyright type license has the following characteristics: (1) if the binary format is distributed, the source code must be provided; (2) the modified source code must be under the same license as the original source code; (3) no additional restrictions may be imposed beyond those of the original license.
  • Different public copyright-type licenses may impose different restrictions on users. For example, some licenses require that when open source code under the license is used in a cloud service, the code of the cloud service must also be open sourced; other licenses require that if a project includes source code under the license, the entire project must use that license. It should be noted that open sourcing may not be required when certain conditions are met. For example, some licenses do not require the project to be open sourced if it calls the licensed library through dynamic linking, and other licenses do not require other, new files to be open sourced as long as the code under the license is kept in a separate file. It should be noted that the four licenses mentioned above may be different licenses.
  • the server 104 can determine whether the usage mode of the open source component meets the requirements of the license. If so, the current usage mode of the open source component is legal and the license-based legality analysis of the usage mode passes. If not, the current usage mode of the open source component is illegal and the license-based legality analysis of the usage mode fails.
  • the server 104 may match the open source component with a set of open source code with security vulnerabilities to determine whether the open source component is associated with a security vulnerability.
  • the open source code set with security vulnerabilities may be an open source component set, and the server 104 determines whether the current open source component is associated with a security vulnerability by matching it against the open source components pre-collected in the open source component set with security vulnerabilities.
  • when the open source component is an open source code fragment (usually unpackaged code), the open source code set may be an open source code fragment set, and the current open source code fragment is matched against it to determine whether the fragment is associated with a security vulnerability. If a security vulnerability is associated, the security vulnerability analysis fails; if no security vulnerability is associated, the security vulnerability analysis passes.
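The license-based legality analysis and the vulnerability-set matching described above, as an added Python example that is not part of the patent: the license labels, component names, version ranges and file locations are all constructed for illustration, and the permissive/copyleft rules follow only the license characteristics the text lists.

```python
"""Compliance analysis of open source components (S206): legality of the usage mode
under the license type, plus matching against a vulnerable component set.
Added example with constructed data; not the patent's own code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class UsageMode:
    distributed: bool          # the application using the component is distributed
    linking: str               # "dynamic", "static" or "copied" (code fragment)
    separate_file: bool        # licensed code kept in its own, unmodified files
    project_open_source: bool  # the project's own code is itself open sourced
    retains_notice: bool       # original license statement kept when distributing

@dataclass(frozen=True)
class OpenSourceComponent:
    name: str
    version: str
    license: str
    usage: UsageMode
    location: str  # where the component is referenced in the code under inspection

@dataclass(frozen=True)
class RiskPoint:
    location: str
    cause: str
    suggestion: str

# Constructed license knowledge base modelled on the two license types the text
# describes (permissive vs. copyleft); names are illustrative, not real identifiers.
LICENSE_KB: Dict[str, dict] = {
    "Permissive-A": {"type": "permissive"},
    "Copyleft-Strong": {"type": "copyleft", "dynamic_linking_exception": False,
                        "separate_file_exception": False},
    "Copyleft-Weak": {"type": "copyleft", "dynamic_linking_exception": True,
                      "separate_file_exception": True},
}
# Constructed set of open source components with security vulnerabilities:
# name -> (first affected version, last affected version, fixed version).
VULNERABLE_SET: Dict[str, Tuple[str, str, str]] = {"fastparse": ("1.0.0", "1.2.3", "1.2.4")}

def _ver(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))

def license_legality(comp: OpenSourceComponent) -> Optional[RiskPoint]:
    """Risk point if the current usage mode is illegal under the license, else None."""
    info = LICENSE_KB.get(comp.license)
    if info is None:
        return RiskPoint(comp.location, f"{comp.name}: license '{comp.license}' is unknown",
                         "determine the component's license or replace the component")
    if not comp.usage.distributed:
        return None  # the conditions below are triggered by distribution
    if not comp.usage.retains_notice:
        return RiskPoint(comp.location, f"{comp.name}: original license statement not retained",
                         "retain the original license statement when distributing")
    if info["type"] == "copyleft" and not comp.usage.project_open_source:
        # exceptions some copyleft licenses grant, as described in the text
        if comp.usage.linking == "dynamic" and info["dynamic_linking_exception"]:
            return None
        if comp.usage.separate_file and info["separate_file_exception"]:
            return None
        return RiskPoint(comp.location, f"{comp.name}: {comp.license} requires the project "
                         f"to be open sourced for {comp.usage.linking} linking",
                         "open source the project or replace the component")
    return None

def vulnerability_match(comp: OpenSourceComponent) -> Optional[RiskPoint]:
    """Risk point if the component version falls in the vulnerable set, else None."""
    entry = VULNERABLE_SET.get(comp.name)
    if entry is None:
        return None
    lo, hi, fixed = entry
    if _ver(lo) <= _ver(comp.version) <= _ver(hi):
        return RiskPoint(comp.location, f"{comp.name} {comp.version} is associated with a "
                         f"known vulnerability (affected {lo} to {hi})",
                         f"upgrade {comp.name} to {fixed} or later")
    return None

def compliance_analysis(components: List[OpenSourceComponent]) -> Tuple[bool, List[RiskPoint]]:
    """Passes only when no component raises a risk point; otherwise S208 is entered."""
    risks: List[RiskPoint] = []
    for comp in components:
        for check in (license_legality, vulnerability_match):
            rp = check(comp)
            if rp is not None:
                risks.append(rp)
    return (not risks, risks)

# Constructed open source content of one code under inspection (four components).
_DIST = UsageMode(True, "dynamic", False, False, True)
SAMPLE_COMPONENTS = [
    OpenSourceComponent("jsonkit", "2.1.0", "Permissive-A", _DIST, "pom.xml:12"),
    OpenSourceComponent("netcore", "3.0.1", "Copyleft-Strong", _DIST, "pom.xml:18"),
    OpenSourceComponent("imglib", "0.9.0", "Copyleft-Weak", _DIST, "pom.xml:24"),
    OpenSourceComponent("fastparse", "1.1.0", "Permissive-A", _DIST, "pom.xml:30"),
]
```

Of the four constructed components only `netcore` (copyleft without an applicable exception) and `fastparse` (version inside the vulnerable range) raise risk points, each carrying the location, cause and elimination suggestion that S208 later shows the user.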
  • the server 104 may continue to perform S210 to analyze the own components.
  • the server 104 may execute S208 to guide the user to modify the open source component until the compliance analysis of the open source component passes.
  • the server 104 sends a compliance risk prompt to the terminal 102.
  • the compliance risk prompt is used to prompt the user of the risk points discovered by the compliance analysis of the open source components.
  • the compliance risk prompt can carry detailed information of risk points, such as the location of the risk point, the cause of the risk, and so on. Further, the compliance risk alert can also carry suggestions for eliminating risk points.
  • S210 The terminal 102 presents a compliance risk prompt to the user.
  • the terminal 102 may present the risk points discovered by the compliance analysis of the open source components when presenting the inspected code, for example, presenting the open source components of the inspected code.
  • the terminal 102 may present the above risk points by means of highlighting or linking or the like.
  • when the terminal 102 presents the risk points found by the compliance analysis of the open source components, it can also present the location of each risk point and the cause of the risk, so that the user understands where the risk point is and why it arises, which helps the user eliminate the risk point.
  • the terminal 102 may also present the elimination suggestion to the user, thereby guiding the user to eliminate the risk point and improve the open source components in the inspected code.
  • the terminal 102 receives the modification of the open source component by the user.
  • the user can trigger a modification operation on the open source component in combination with the modification suggestion presented by the terminal 102, and the terminal 102 receives the user's modification of the open source component in response to the operation, so that the open source component is compliant.
  • open source components include non-compliant open source components. Users can upgrade or replace the non-compliant open source components, so as to realize intelligent repair of non-compliant open source components, and ensure that the open source components that the inspected code depends on are trusted open source components.
  • the open source components include non-compliant pieces of open source code. Users can remove non-compliant open source code fragments or rectify non-compliant open source code fragments according to the suggestions for eliminating risk points, so as to turn the above open source code fragments into a trusted state. It should be noted that the server 104 can also introduce the patch intelligent integration capability of the open source community to repair the non-compliant open source components.
  • the server 104 may also directly repair the open source components, specifically the risk points of the open source components, in the background, so that the repaired open source components are compliant. In this way, the code processing system 100 does not need to perform the above steps S208 to S212 to guide the user to eliminate risks, thereby reducing user operations and improving user experience.
  • S214 The terminal 102 submits the modified open source component to the server 104.
  • the server 104 then executes S206.
  • the terminal 102 sends the modified open source component to the server 104, so that the server 104 re-analyzes the compliance of the modified open source component.
  • if the compliance analysis passes, S216 is executed; otherwise S208 is executed again, until the open source component compliance analysis passes.
  • S216 The server 104 performs defect analysis on its own components to obtain an analysis result.
  • the self-owned components depend on the above-mentioned open-source components, so the server 104 can perform systematic defect analysis on the above-mentioned self-owned components after the open-source component compliance analysis has passed, for example, by performing defect analysis through SAST to obtain the analysis results.
  • the analysis results may include defects in the self-owned components. By focusing the defect analysis on the self-owned components, analysis efficiency is improved and the analysis results fall within the scope where users such as developers can actually act, which improves the action rate of the analysis results and reduces unnecessary repair work.
  • the server 104 may also perform defect analysis on the self-owned components according to the knowledge of the open source components, within the open source content, on which the self-owned components depend.
  • the knowledge of the open source component may include at least one of usage constraints, defect patterns and semantic models of the open source component.
  • the server 104 presets a semantic model for common open source components in advance, and the semantic model can be used to help defect analysis, improve analysis efficiency, and avoid repeated semantic analysis for common open source components.
  • the semantic model of the open source component defines the specific operation and behavior logic that the open source component performs when given input.
  • the server 104 may recommend a semantic model corresponding to the above-mentioned open source component for the open source components included in the open source component of the code under inspection.
  • the server 104 receives the identifier of the semantic model selected by the user, determines the corresponding semantic model according to the identifier, and performs defect analysis through that semantic model.
  • when open source components are provided to upper-layer applications for invocation, the applications often need to follow the usage constraints of the open source components, that is, the specifications or requirements that must be followed during use, to ensure the correctness, reliability and stability of the logic.
  • the user can continue to configure whether to start the detection rule set related to the open source component.
  • the detection rule set defines a defect mode, and the defect mode can be characterized by a regular code sequence corresponding to the defect type.
  • the server 104 can initiate a more comprehensive analysis based on the defect patterns defined in the detection rule set, improving the accuracy of the analysis results.
  • the server 104 may first perform defect analysis on its own components according to the defect mode, and then perform defect analysis according to usage constraints, semantic models, and the like. This embodiment of the present application does not limit the sequence of performing defect analysis according to the semantic model, usage constraints, and defect mode.
  • S218 The server 104 sends the analysis result and the repair suggestion to the terminal 102.
  • defects are used to describe problems with the code itself, independent of execution results and expected specifications.
  • the categories of defects are limited and enumerable, and the defects do not depend on business logic, so the server 104 can obtain the defect types and the corresponding repair method for each defect type and build a knowledge base from them. After the server 104 determines a defect in the own component of the inspected code through defect analysis, it may generate a repair suggestion based on this knowledge base, and then return the analysis results and repair suggestions to the terminal 102.
  • the case in which the server 104 sends the analysis result and the repair suggestion to the terminal 102 at the same time is used for illustration.
  • the server 104 may also send the above analysis result and repair suggestion respectively, for example, the server 104 may first send the analysis result and then send the repair suggestion.
  • S220 The terminal 102 presents the analysis results and repair suggestions to the user through the user interface.
  • the user interface may be an analysis results interface.
  • the analysis result interface can be a graphical user interface (GUI) or a command user interface (CUI).
  • the embodiments of the present application use GUI for illustration.
  • the terminal 102 can present the checked code and the problems existing in the checked code to the user through the GUI.
  • the problems existing in the code under inspection may include defects in the own components of the code under inspection.
  • the problems existing in the inspected code may also include code that fails the compliance analysis in the open source components of the inspected code, such as open source components associated with security vulnerabilities or code fragments that use illegal licenses.
  • when the terminal 102 presents the checked code and the problems existing in it to the user through the GUI, different display styles can be used. For example, the terminal 102 can highlight the problems existing in the code under inspection so that they stand out and remind the user to pay attention. The terminal 102 can highlight the problems in various ways. One way is that the terminal 102 highlights all problems in the code under inspection at the same time. Another way is that the terminal 102, in response to the user's operation, displays the problems in the checked code one by one. For example, a jump control can be carried on the GUI for jumping from the current problem to the next; the terminal 102 highlights one of the problems in the code under inspection through the GUI, and when the user triggers a jump operation through the jump control, the terminal 102 highlights the next problem through the GUI.
  • the terminal 102 can present repair suggestions for the problems existing in the code under inspection to the user through the GUI or CUI. Similar to presenting the problems in the checked code, the terminal 102 can present repair suggestions in various ways. One implementation is that the terminal 102 displays the repair suggestions for multiple problems at the same time. Another is that the terminal 102 displays the repair suggestions one by one in response to user operations; for example, a jump control may be carried on the GUI for jumping from the current problem to the next, and when the user triggers the jump operation through the jump control, the terminal 102 displays the repair suggestion for the next problem through the GUI.
  • the terminal 102 may present a repair suggestion for the problem at a position near the problem, such as after the problem, when the problem is presented.
  • the terminal 102 may also present a repair suggestion under a specific area of the GUI, such as a code display area, so that the user can repair according to the repair suggestion.
  • the terminal 102 may simultaneously present the analysis results and repair suggestions, or may display the analysis results and repair suggestions sequentially in a set order according to business requirements, which is not limited in this embodiment of the present application.
  • S222 The terminal 102 accepts or rejects the repair suggestion according to the user's operation on the repair suggestion.
  • the terminal 102 may receive the user's operation on the above repair suggestion through GUI or CUI, and accept or reject the above repair suggestion.
  • taking a GUI as the user interface for illustration, the repair suggestion for each problem on the GUI is provided with an accept control and a reject control.
  • the user can trigger an operation through the accepting control, and accordingly, the terminal 102 can accept the repair suggestion in response to the operation.
  • the user can also trigger an operation through the rejection control, and accordingly, the terminal 102 can also reject the repair suggestion in response to the operation.
  • an embodiment of the present application provides a code processing method.
  • This method obtains open source components and self-owned components from the code under inspection and then applies different analysis methods to each, such as simple and efficient compliance analysis for open source components and defect analysis for self-owned components, so that analysis can focus on the self-owned components, improving analysis efficiency and meeting business needs.
  • component analysis of the tested code yields its own components and its open source portions, where the open source portions can be further divided into open source components and open source code fragments.
  • the open source components may be jar packages.
  • software composition analysis (SCA) tools provide code clone analysis, big data analysis or distributed indexing for component analysis of the inspected code.
  • the code processing system 100 may perform component analysis through the SCA tool.
  • the interface 400 carries the address input control 402 of the checked item, and the address input control 402 includes any one or more of the local path input control and the remote code warehouse input control.
  • the user can select the local path input control or the remote code warehouse input control according to the storage location of the tested code, input the address of the tested code, and then trigger the code component analysis through the startup analysis control 404 carried on the interface 400 .
  • the terminal 102 in the code processing system 100 generates a code component analysis request in response to the code component analysis operation triggered by the user.
  • the interface 400 may also provide other address input controls.
  • the user may also input the address of the code under inspection in other ways, so as to process the code under inspection according to the current state.
  • the server 104 may, in response to the code component analysis request, identify the components of the inspected code through the code clone analysis, big data analysis or distributed indexing provided by the SCA tool; for example, the inspected code may be matched by these techniques against pre-collected big data of open source community code to locate the open source code fragments in the code under inspection. The code component analysis result is then returned to the terminal 102, which presents it to the user.
  • the interface 500 displays the components of the code under inspection.
  • the inspected code may be the code of an inspected project, and may include multiple code files.
  • the interface 500 shows that each code file is an own component, an open source component, or a referenced open source code fragment.
  • the interface 500 is further provided with a revision control 502, and the revision control 502 is used to support the user to revise the code component analysis result.
  • the user can examine each code file to determine whether or not to revise the component corresponding to each code file. After the components corresponding to each code file are confirmed to be correct, the user can click the confirmation control 504 to confirm the code component analysis result.
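As an added illustration of the component analysis described above (not code from the patent, nor from any SCA product), the following Python partitions a project into declared open source components, open source code fragments located by fingerprint matching against a pre-collected corpus, and self-owned files. The corpus, manifest, sample files and the four-line fingerprint window are constructed assumptions; a deployed tool would precompute the index over community code at scale.

```python
"""Component analysis of a project under inspection: declared dependencies
are open source components, regions cloned from a pre-collected open source
corpus are open source code fragments, and everything else is self-owned.
Added illustration, not the patent's own implementation; the corpus,
manifest, sample files and window size below are constructed assumptions."""
import hashlib
import re

SHINGLE = 4  # normalised lines per fingerprint window (assumed value)


def normalise(line: str) -> str:
    """Drop comments and whitespace so reformatting does not defeat matching."""
    line = re.sub(r"//.*|/\*.*?\*/|#.*", "", line)
    return re.sub(r"\s+", "", line)


def shingles(text: str):
    """Yield (first_line, last_line, fingerprint) for each window of SHINGLE
    consecutive non-empty normalised lines; line numbers are 1-based."""
    lines = [(no, normalise(raw)) for no, raw in enumerate(text.splitlines(), 1)]
    lines = [(no, norm) for no, norm in lines if norm]
    for i in range(len(lines) - SHINGLE + 1):
        window = lines[i:i + SHINGLE]
        digest = hashlib.sha256("\n".join(n for _, n in window).encode()).hexdigest()
        yield window[0][0], window[-1][0], digest


def build_index(corpus: dict) -> dict:
    """Map fingerprint -> component name over the open source corpus."""
    index = {}
    for name, text in corpus.items():
        for _, _, fp in shingles(text):
            index.setdefault(fp, name)
    return index


def classify_project(files: dict, manifest: list, index: dict) -> dict:
    """Return {"components": manifest entries, "fragments": {path: [(start,
    end, source)]}, "own": [paths]}.  Consecutive matching windows from the
    same source are merged into one cloned region."""
    result = {"components": list(manifest), "fragments": {}, "own": []}
    for path, text in files.items():
        regions = []
        for start, end, fp in shingles(text):
            source = index.get(fp)
            if source is None:
                continue
            if regions and regions[-1][2] == source and start <= regions[-1][1] + 1:
                regions[-1][1] = end  # extend the current cloned region
            else:
                regions.append([start, end, source])
        if regions:
            result["fragments"][path] = [tuple(r) for r in regions]
        else:
            result["own"].append(path)
    return result


# Constructed stand-in for code pre-collected from open source communities.
CORPUS = {
    "libfoo:1.2": (
        "int parse(const char *s) {\n  int n = 0;\n  while (*s) {\n"
        "    n = n * 10 + (*s - '0');\n    s++;\n  }\n  return n;\n}\n"
    ),
}
# Constructed project under inspection: util.c copies the corpus function.
FILES = {
    "src/util.c": (
        "/* helper copied from libfoo */\nint parse(const char *s) {\n"
        "  int n = 0;\n  while (*s) {\n    n = n * 10 + (*s - '0');\n"
        "    s++;\n  }\n  return n;\n}\n"
    ),
    "src/main.c": "int main(void) {\n  char buf[16];\n  gets(buf);\n  return parse(buf);\n}\n",
}
MANIFEST = ["libbar-2.0.jar"]  # constructed declared dependency (a jar package)


def analyse_sample() -> dict:
    """Run the pipeline on the constructed project."""
    return classify_project(FILES, MANIFEST, build_index(CORPUS))


if __name__ == "__main__":
    for key, value in analyse_sample().items():
        print(key, value)
```

On the constructed input, `src/util.c` is reported as a fragment of `libfoo:1.2` spanning lines 2 to 9 (the leading comment is ignored by normalisation), while `src/main.c` has no match and is classified as self-owned; the result is what a user would then confirm or revise through the revision control 502.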
  • the server 104 activates different analysis methods respectively.
  • the server 104 starts compliance analysis for open source components, and starts systematic defect analysis for self-owned components.
  • the analysis process of the server 104 will be described in detail below.
  • the server 104 starts compliance analysis, such as security vulnerability analysis, license-based legality analysis of usage methods, and gives an early warning when compliance risks are analyzed. Further, the server 104 can guide the user to perform intelligent repair of non-compliant components, such as intelligent repair through operations such as library upgrade or replacement, so as to ensure that the open source components on which the inspected code depends are adjusted to trusted open source components.
  • for the open source code fragments, the server 104 starts compliance analysis, such as security vulnerability analysis and license-based legality analysis of usage methods, and gives a warning when a compliance risk is found, for example when the open source code fragments include untrusted open source code fragments. Similar to open source components, the server 104 can guide the user to process the untrusted open source code fragments so that they are quickly removed, rectified and repaired.
  • the server 104 can then perform defect detection and repair on the own components. In doing so, the server 104 can perform a more comprehensive defect analysis of the own components in combination with knowledge of the open source components on which the own components depend.
  • the server 104 presets semantic models of common open source components (for example, APIs of open source components), and these semantic models define the specific operation process and behavior logic performed by the API when given specific input data.
  • the user can configure the open source components that need to enable the semantic model for analysis, so that the server 104 can use the corresponding semantic model for analysis according to the user's configuration.
  • the terminal 102 presents the open source components 602 included in the currently inspected code to the user through the configuration interface 600 , and presents the user with the status 604 of the semantic model corresponding to the open source components.
  • the status of the semantic model can include pre-analyzed or not pre-analyzed.
  • the user can configure whether to activate the semantic model in the configuration interface to improve the analysis accuracy. After the user completes the configuration of each open source component, the user can click the "confirm" control to submit the above configuration information to the server 104, so that the configuration information becomes effective.
  • Defect patterns can be formed when self-contained components such as upper-layer applications violate usage constraints. Defect patterns can be characterized by regular code sequences corresponding to specific defect types. Defect detection rules can also be generated based on defect patterns, wherein a defect detection rule can be used to detect one or more defect patterns.
  • the terminal 102 presents to the user, through the configuration interface 700, the defect detection rules 704 that each open source component 702 can provide; the defect detection rules cover multiple dimensions, such as correctness, stability and security, and the user can configure through the configuration interface 700 whether to enable the defect detection rules related to the open source components, enabling a more comprehensive analysis.
  • the user can click the "confirm" control to submit the above configuration information to the server 104, so that the configuration information becomes effective.
  • the server 104 loads the preset semantic model of the open source component, so as to speed up the analysis and improve the analysis accuracy.
  • the server 104 activates a corresponding defect detection set based on the configuration information submitted by the terminal 102, conducts a systematic analysis around the use problem of the open source components, and obtains the analysis result. This increases the validity and coverage of defect analysis results for own components.
  • the server 104 can also provide an intelligent repair capability based on the analysis result, so as to assist the user to repair the defect more quickly.
  • This method organically integrates the capabilities of open source component analysis tools and code defect detection and repair tools, opens up the analysis results between the two tools so that each can use the other's, further improves the effectiveness of both results, and can also reduce the computing cost of invalid analysis.
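The gated flow described in the preceding paragraphs (compliance analysis of the open source components, then defect analysis of the own components driven by usage constraints and defect patterns of the dependencies, with a repair suggestion looked up by defect type) is shown below as an added example; it is not the patent's or any product's code. The license allow-list, the vulnerable-version entry and its advisory identifier, the `foo_open`/`foo_close` usage constraint, the defect patterns and the sample file are all constructed.

```python
"""Compliance analysis of open source components, followed by defect
analysis of self-owned code driven by knowledge of the components it
depends on (usage constraints and defect patterns), with repair
suggestions drawn from a defect-type knowledge base.  Added illustration,
not the patent's implementation; every policy list, rule, identifier and
sample file below is constructed."""
import re
from dataclasses import dataclass

# Constructed compliance policy: allowed licenses and versions with a known
# advisory (placeholder id, not a real advisory number).
LICENSE_ALLOW = {"Apache-2.0", "MIT", "BSD-3-Clause"}
KNOWN_VULNERABLE = {("libfoo", "1.2"): "ADVISORY-PLACEHOLDER-1"}

# Constructed knowledge about open source components.  A usage constraint is
# an (acquire, release) call pair that callers must balance; a defect
# pattern is a regular code sequence tagged with its defect type.
USAGE_CONSTRAINTS = {"libfoo": [("foo_open(", "foo_close(")]}
DEFECT_PATTERNS = [
    ("UNSAFE_INPUT", re.compile(r"\bgets\s*\(")),
    ("FORMAT_STRING", re.compile(r"\bprintf\s*\(\s*[A-Za-z_]\w*\s*\)")),
]
# Defect types are enumerable and independent of business logic, so each
# maps to a repair method in a knowledge base.
REPAIR_KB = {
    "UNSAFE_INPUT": "replace gets(buf) with fgets(buf, sizeof buf, stdin)",
    "FORMAT_STRING": "pass the data as an argument: printf(\"%s\", var)",
    "RESOURCE_LEAK": "call the matching release function on every exit path",
}


@dataclass
class Finding:
    path: str
    line: int
    defect_type: str
    repair: str


def compliance_analysis(components):
    """components: iterable of (name, version, license).  Returns the list
    of compliance issues; an empty list means the gate passes."""
    issues = []
    for name, version, lic in components:
        if lic not in LICENSE_ALLOW:
            issues.append(f"{name}:{version} uses non-allowed license {lic}")
        if (name, version) in KNOWN_VULNERABLE:
            issues.append(f"{name}:{version} has {KNOWN_VULNERABLE[(name, version)]}")
    return issues


def defect_analysis(own_files, dependencies):
    """Apply the generic defect patterns and the usage constraints of every
    dependency to each self-owned file.  The constraint check is a per-file
    simplification: an acquire with no release anywhere after it is flagged."""
    findings = []
    for path, text in own_files.items():
        lines = text.splitlines()
        for no, line in enumerate(lines, 1):
            for dtype, pattern in DEFECT_PATTERNS:
                if pattern.search(line):
                    findings.append(Finding(path, no, dtype, REPAIR_KB[dtype]))
        for dep in dependencies:
            for acquire, release in USAGE_CONSTRAINTS.get(dep, []):
                for no, line in enumerate(lines, 1):
                    if acquire in line and not any(release in later for later in lines[no:]):
                        findings.append(Finding(path, no, "RESOURCE_LEAK", REPAIR_KB["RESOURCE_LEAK"]))
    return findings


def process(components, own_files):
    """Defect analysis of the self-owned code runs only once the open source
    components have passed compliance analysis."""
    issues = compliance_analysis(components)
    if issues:
        return {"status": "noncompliant", "issues": issues, "findings": []}
    deps = [name for name, _, _ in components]
    return {"status": "ok", "issues": [], "findings": defect_analysis(own_files, deps)}


# Constructed self-owned code under inspection and two dependency sets.
OWN_FILES = {
    "src/main.c": (
        "int main(void) {\n  char buf[16];\n  gets(buf);\n"
        "  foo_handle *h = foo_open(buf);\n  printf(buf);\n  return 0;\n}\n"
    ),
}
COMPONENTS_VULNERABLE = [("libfoo", "1.2", "MIT")]
COMPONENTS_CLEAN = [("libfoo", "1.3", "MIT")]

if __name__ == "__main__":
    print(process(COMPONENTS_VULNERABLE, OWN_FILES))
    for f in process(COMPONENTS_CLEAN, OWN_FILES)["findings"]:
        print(f"{f.path}:{f.line} {f.defect_type}: {f.repair}")
```

With the vulnerable dependency set the gate blocks and no defect analysis is run, which is the ordering the method prescribes; with the clean set the own file yields three findings (unsafe input on line 3, format string on line 5, and an unreleased `foo_open` handle on line 4 from the dependency's usage constraint), each carrying the repair text the terminal would present for the user to accept or reject.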
  • the code processing system 800 may be a software system or a hardware system.
  • the software system includes several modules. These multiple modules can be centrally deployed on one computer, or can be deployed on different computers in a distributed manner. For example, some modules may be deployed on the terminal 102 and other modules may be deployed on the server 104 .
  • the system 800 includes:
  • a communication module 802 configured to obtain a code to be inspected, where the code to be inspected includes open source components and self-owned components;
  • the analysis module 804 is configured to perform compliance analysis on the open source component, and perform defect analysis on the self-owned component to obtain an analysis result of the inspected code.
  • the open source portions include open source components
  • the analysis module 804 is specifically used for:
  • Defect analysis is performed on the own component based on the knowledge of the open source component on which the own component depends.
  • the knowledge of the open source component includes at least one of usage constraints, defect patterns, and semantic models.
  • system 800 further includes:
  • a display module 806, configured to present the analysis result to the user through a user interface, where the analysis result includes the problems existing in the code under inspection.
  • system 800 further includes:
  • a display module 806, configured to present a repair suggestion for the problem existing in the code under inspection to the user through a user interface
  • a repairing module 808, configured to accept or reject the repairing suggestion according to the operation of the user on the repairing suggestion.
  • the analysis module 804 is specifically used for:
  • system 800 further includes:
  • a repairing module 808, configured to repair the open source component until the compliance analysis passes when the open source component does not pass the compliance analysis.
  • the analysis module 804 is specifically used for:
  • the code processing system 800 may correspond to executing the methods described in the embodiments of the present application; the above and other operations and/or functions of the modules/units of the code processing system 800 serve to implement the corresponding flow of the method in the embodiment shown in FIG. 2 and are not repeated here.
  • the embodiment of the present application also provides a computer cluster.
  • the computer cluster may be a computer cluster formed by at least one computer in a cloud environment, an edge environment or a terminal device.
  • the computer cluster is specifically used to implement the functions of the code processing system 800 in the embodiment shown in FIG. 8 .
  • FIG. 9 provides a schematic structural diagram of a computer cluster.
  • the computer cluster 90 includes at least one computer 900
  • the computer 900 includes a bus 901 , a processor 902 , a communication interface 903 and a memory 904 .
  • the processor 902 , the memory 904 and the communication interface 903 communicate through the bus 901 .
  • the bus 901 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus or the like.
  • the bus can be divided into address bus, data bus, control bus and so on. For ease of presentation, only one thick line is used in FIG. 9, but it does not mean that there is only one bus or one type of bus.
  • the processor 902 may be any one or more of a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP), a digital signal processor (DSP) and the like.
  • the communication interface 903 is used for external communication.
  • the communication interface 903 of one computer may be used to communicate with the communication interface 903 of another computer to obtain the code under inspection, or to transmit the analysis result of the code under inspection, which may include the problems existing in the code under inspection.
  • Memory 904 may include volatile memory, such as random access memory (RAM).
  • the memory 904 may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid state drive (SSD).
  • Executable code is stored in the memory 904, and the processor 902 executes the executable code to execute the aforementioned code processing method.
  • when each module of the code processing system 800 described in the embodiment of FIG. 8 is implemented by software, the function of the communication module 802 in FIG. 8 is performed by the communication interface 903.
  • the software or program code required to perform the functions of the analysis module 804 , the display module 806 , and the repair module 808 in FIG. 8 may be stored in the memory 904 .
  • the processor 902 executes the program codes corresponding to the aforementioned modules stored in the memory 904 to execute the aforementioned code processing method.
  • Embodiments of the present application also provide a computer-readable storage medium.
  • the computer-readable storage medium may be any available medium that a computing device can store, or a data storage device such as a data center that contains one or more available media.
  • the usable media may be magnetic media (eg, floppy disks, hard disks, magnetic tapes), optical media (eg, DVDs), or semiconductor media (eg, solid state drives), and the like.
  • the computer-readable storage medium includes instructions that instruct a computing device to execute the code processing method described above.
  • the embodiments of the present application also provide a computer program product.
  • the computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on the computing device, all or part of the processes or functions described in the embodiments of the present application are generated.
  • the computer instructions may be stored in, or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one website, computer or data center to another by wire (e.g. coaxial cable, optical fiber, digital subscriber line (DSL)) or wirelessly (e.g. infrared, radio, microwave).
  • the computer program product may be a software installation package, and when any one of the aforementioned code processing methods needs to be used, the computer program product may be downloaded and executed on a computing device.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

Provided in the present application is a code processing method. The method comprises: acquiring a tested code, wherein the tested code comprises an open source component and a self-contained component; performing compliance analysis on the open source component; and performing defect analysis on the self-contained component, so as to obtain an analysis result of the tested code. By means of the method, different analysis methods are respectively used for an open source component and a self-contained component, for example, simple and efficient compliance analysis is performed on the open source component, and defect analysis is performed on the self-contained component, such that it is possible to focus on the self-contained component, thereby improving the analysis efficiency and meeting service requirements.

Description

Code processing method, system, cluster, medium and program product
This application claims priority to the Chinese patent application No. 202110446948.X, entitled "Code processing method, system, cluster, medium and program product", filed with the China National Intellectual Property Administration on April 24, 2021, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the technical field of software development and testing, and in particular to a code processing method, a code processing system, a computer cluster, a computer-readable storage medium and a computer program product.
Background
During software development, to improve efficiency, developers can make extensive use of automated processes, for example a development, security and operations (DevSecOps) process that connects development, compilation, testing, release, deployment, operation and maintenance, and introduces automatic analysis techniques to raise the productivity of each stage.
To improve code quality, mainstream code defect detection and testing techniques have increasingly become an essential part of the DevSecOps tool chain, providing developers with automated and intelligent software quality analysis that helps them find problems early and lowers the cost of fixing defects.
Mainstream code defect detection includes static defect analysis (static application security testing, SAST). SAST is a technique that analyses software source code, bytecode or binary packages statically to find code defects. Specifically, given the code under inspection, a SAST tool performs systematic scanning and analysis in combination with knowledge of defect patterns or repair patterns, so as to identify potential defects and propose possible repairs.
The above analysis methods usually take a lot of time; their efficiency is low and it is difficult to meet business requirements.
Summary of the invention
The present application provides a code processing method. The method obtains the open source portions and the self-owned portions of the code under inspection and then applies different analysis methods to each, for example simple and efficient compliance analysis for the open source portions and defect analysis for the self-owned portions, so that analysis can focus on the self-owned portions, improving analysis efficiency and meeting business requirements. The present application also provides a code processing system, a computer cluster, a computer-readable storage medium and a computer program product corresponding to the above method.
In a first aspect, the present application provides a code processing method. The method may be executed by a code processing system. The code processing system may be a software system with code analysis and repair functions, or a hardware system with code analysis and repair functions.
Specifically, the code processing system obtains the code under inspection, which includes open source portions and self-owned portions; the code processing system may then perform compliance analysis on the open source portions and defect analysis on the self-owned portions to obtain an analysis result for the code under inspection.
The method obtains the open source portions and the self-owned portions of the code under inspection and then applies different analysis methods to each, for example simple and efficient compliance analysis for the open source portions and defect analysis for the self-owned portions, so that analysis can focus on the self-owned portions, improving analysis efficiency and meeting business requirements.
In some possible implementations, the open source portions include open source components. Considering that the self-owned portions may depend on the open source portions, for example on open source components, the code processing system may, when performing defect analysis on the self-owned portions, do so according to knowledge of the open source components on which the self-owned portions depend. This can further improve the validity and coverage of the defect analysis results for the self-owned portions.
In some possible implementations, the knowledge of the open source component includes at least one of usage constraints, defect patterns and semantic models. Usage constraints are the specifications or requirements that must be followed when using an open source component. When an open source component is provided to upper-layer applications for invocation, its usage constraints often need to be followed to guarantee the correctness, reliability and stability of the logic. The user can configure whether to enable the detection rule set related to the open source component; the detection rule set defines defect patterns, and a defect pattern can be characterised by a regular code sequence corresponding to a defect type. The code processing system can start a more comprehensive analysis based on the defect patterns defined in the detection rule set, improving the accuracy of the analysis results.
The semantic model of an open source component defines the specific operations and behaviour logic that the open source component executes for a given input. For the open source components included in the open source portions of the code under inspection, the code processing system may recommend the corresponding semantic models. Specifically, the code processing system receives the identifier of the semantic model selected by the user, determines the corresponding semantic model from the identifier, and performs defect analysis with that semantic model. The semantic model can assist defect analysis, improve analysis efficiency, and avoid repeated semantic analysis of common open source components.
In some possible implementations, the code processing system can also present the analysis result to the user through a user interface, where the analysis result includes the problems found in the code under inspection. The user interface may specifically be a graphical user interface or a command user interface.
By showing the analysis result to the user, the code processing system helps the user fix the problems in the code under inspection and improves the user experience. Moreover, because the analysis result focuses on the self-owned part, it guides the user to concentrate on fixing defects in the self-owned part, which reduces unnecessary repair actions and improves both repair efficiency and the user experience.
In some possible implementations, the code processing system can also present repair suggestions for the problems found in the code under inspection, for example repair suggestions for defects in the self-owned part, to the user through the user interface, and then accept or reject each repair suggestion according to the user's operation on it. This guides the user through the repair, simplifies the repair actions and focuses on repairing defects in the self-owned part, which reduces the repair workload and improves repair efficiency.
In some possible implementations, the code processing system can perform defect analysis on the self-owned part only after the open source part (for example, open source components or open source code fragments) has passed the compliance analysis. This avoids repeated analysis and improves analysis efficiency.
In some possible implementations, when the open source part fails the compliance analysis, the code processing system can repair the open source part until the compliance analysis passes. The code processing system can guide the user to repair the open source part through the user interface. For example, the code processing system can present compliance risk points and risk elimination suggestions to the user through the user interface, and the user can eliminate the compliance risk points according to those suggestions, for example by upgrading or replacing an open source component.
Performing defect analysis on the self-owned part after the risk points of the open source part have been eliminated effectively improves the accuracy of the defect analysis results for the self-owned part, and thus the reliability of the analysis result.
In some possible implementations, the code processing system can perform compliance analysis on the open source part based on licenses or on security vulnerabilities. On the one hand, the code processing system can query the license type for the open source part and determine, from the license type, whether the way the open source part is used is legitimate. License types include permissive, copyleft and other types; different license types impose different requirements on how the code may be used, so the code processing system can determine from the license type whether the current way of using the open source part is legitimate. On the other hand, the code processing system can match the open source part against a set of open source code with known security vulnerabilities (for example, a set of open source components with security vulnerabilities, or a set of open source code fragments with security vulnerabilities) to determine whether the open source part is associated with a security vulnerability.
The amount of computation required for license- or vulnerability-based compliance analysis is far smaller than that required for direct defect analysis. Therefore, performing compliance analysis on the open source part effectively reduces the amount of computation and improves the overall analysis efficiency for the code under inspection.
In a second aspect, the present application provides a code processing system. The system includes:
a communication module, configured to obtain code under inspection, the code under inspection including an open source part and a self-owned part;
an analysis module, configured to perform compliance analysis on the open source part and defect analysis on the self-owned part, to obtain an analysis result for the code under inspection.
In some possible implementations, the open source part includes open source components, and the analysis module is specifically configured to:
perform defect analysis on the self-owned part according to knowledge of the open source components on which the self-owned part depends.
In some possible implementations, the knowledge of an open source component includes at least one of usage constraints, defect patterns and semantic models.
In some possible implementations, the system further includes:
a display module, configured to present the analysis result to the user through a user interface, the analysis result including the problems found in the code under inspection.
In some possible implementations, the system further includes:
a display module, configured to present repair suggestions for the problems found in the code under inspection to the user through a user interface;
a repair module, configured to accept or reject a repair suggestion according to the user's operation on the repair suggestion.
In some possible implementations, the analysis module is specifically configured to:
perform defect analysis on the self-owned part when the open source part passes the compliance analysis.
In some possible implementations, the system further includes:
a repair module, configured to repair the open source part until the compliance analysis passes when the open source part fails the compliance analysis.
In some possible implementations, the analysis module is specifically configured to:
query the license type for the open source part and determine, from the license type, whether the way the open source part is used is legitimate; and/or
match the open source part against a set of open source code with security vulnerabilities to determine whether the open source part is associated with a security vulnerability.
In a third aspect, the present application provides a computer cluster. The computer cluster includes at least one computer, the computer including a processor and a memory, the memory storing computer-readable instructions, and the processor executing the computer-readable instructions to perform the code processing method of the first aspect or of any implementation of the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium. The computer-readable storage medium includes computer-readable instructions which, when run on a computer, cause the computer to perform the code processing method of the first aspect or of any implementation of the first aspect.
In a fifth aspect, the present application provides a computer program product. The computer program product includes computer-readable instructions which, when run on a computer, cause the computer to perform the code processing method of the first aspect or of any implementation of the first aspect.
The implementations provided in the above aspects may be further combined to provide additional implementations.
Brief Description of the Drawings
In order to explain the technical methods of the embodiments of the present application more clearly, the drawings used in the embodiments are briefly introduced below.
FIG. 1 is a system architecture diagram of a code processing system provided by an embodiment of the present application;
FIG. 2 is an interaction flowchart of a code processing method provided by an embodiment of the present application;
FIG. 3 is a schematic flowchart of a code processing method provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of a code composition analysis interface provided by an embodiment of the present application;
FIG. 5 is a schematic diagram of a code composition analysis result interface provided by an embodiment of the present application;
FIG. 6 is a schematic diagram of a configuration interface provided by an embodiment of the present application;
FIG. 7 is a schematic diagram of a configuration interface provided by an embodiment of the present application;
FIG. 8 is a schematic structural diagram of a code processing system provided by an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a computer cluster provided by an embodiment of the present application.
Detailed Description
The terms "first" and "second" in the embodiments of the present application are used for descriptive purposes only and are not to be understood as indicating or implying relative importance, or as implicitly indicating the number of the technical features referred to. Thus, a feature qualified by "first" or "second" may explicitly or implicitly include one or more of that feature.
Some technical terms involved in the embodiments of the present application are introduced first.
The code under inspection is the code to be checked. It may be code written by a developer during application development that is to undergo application security testing (AST). AST can be divided into static application security testing (static AST, SAST), dynamic application security testing (dynamic AST, DAST), interactive application security testing (interactive AST, IAST) and so on.
SAST is a class of techniques that performs defect analysis by statically analysing source code, bytecode or binary packages directly; it is usually integrated automatically into integrated development environment (IDE) plug-ins or code commit gates for automated defect scanning. DAST is a class of techniques that finds program errors by running the code under inspection and subjecting it to a series of tests. IAST applies a degree of intrusive instrumentation to the code under inspection, so that the code can collect runtime data of interest while the tests run and thereby reveal defects that may exist at runtime.
At present, SAST is widely used in industry because its barrier to use is low and it identifies defects quickly. However, SAST usually performs systematic scanning and analysis in combination with knowledge of defect patterns or repair patterns in order to identify potential defects and propose possible fixes. This takes a great deal of time, the analysis efficiency is relatively low, and it is difficult to meet business needs.
In view of this, embodiments of the present application provide a code processing method. The method obtains the open source part and the self-owned part from the code under inspection and then applies a different analysis method to each, for example a simple and efficient compliance analysis for the open source part and a defect analysis for the self-owned part. In this way the analysis can focus on the self-owned part, improving analysis efficiency and meeting business needs.
The code processing method provided by the embodiments of the present application may be executed by a computing device. The computing device may be a terminal, including but not limited to a desktop computer, a notebook computer, a tablet computer and the like. In some possible implementations, the computing device may also be a server, which may be a cloud server (a server in a cloud computing cluster), an edge server (a server in an edge computing cluster) or a local server. A local server is a server in the data center to which the user belongs.
The code processing method may be stored in the computing device in the form of a computer program. The computer program may be stand-alone software or a client; in some embodiments it may also be a small program or plug-in integrated into another program, for example a plug-in integrated into an IDE. The terminal or server can execute the computer program and thereby perform the code processing method. When the server executes the code processing method, it can interact with the terminal to display the analysis result for the code under inspection on the terminal.
To make the technical solution of the present application clearer and easier to understand, the system architecture of the code processing method provided by the embodiments of the present application is introduced below with reference to the drawings.
Referring to the system architecture diagram of the code processing method shown in FIG. 1, the system 100 includes a terminal 102 and a server 104. The server 104 may be a cloud server. The terminal 102 can receive the code under inspection from the user, the code under inspection including an open source part and a self-owned part; the server 104 can then perform compliance analysis on the open source part and defect analysis on the self-owned part to obtain an analysis result.
The analysis result may include the problems found in the code under inspection. Further, the terminal 102 can receive the analysis result sent by the server 104 and present it to the user through a user interface, for example a graphical user interface (GUI) or a command user interface (CUI).
In some possible implementations, the terminal 102 can receive repair suggestions sent by the server 104 and present them to the user through the GUI or CUI. The user can choose to accept or reject each repair suggestion through the GUI; when all repair suggestions have been accepted or rejected, processing of the code under inspection is complete.
Next, the code processing method provided by the embodiments of the present application is described in detail from the perspective of the interaction. Referring to the flowchart of the code processing method shown in FIG. 2, the method includes:
S202: The terminal 102 sends the code under inspection to the server 104.
Specifically, an IDE or editor may be deployed on the terminal 102, and the user can write code in the IDE or editor; the terminal 102 receives the code written by the user and thereby obtains the code under inspection. The terminal 102 then sends the code under inspection to the server 104 so that it can be checked and analysed.
S204: The server 104 identifies the code under inspection and obtains its open source part and self-owned part.
The open source part is code that originates from open source software. Open source software, also called open-source-code software, is computer software whose source code is publicly available; the copyright holder of such software retains some rights under the terms of the software license and allows users to study and modify the software and to distribute it to anyone for any purpose. The self-owned part is code whose copyright is held by the user, for example code the user developed in-house.
Specifically, the server 104 can identify the code under inspection using software composition analysis (SCA) to obtain its open source part and self-owned part. SCA generally analyses the composition of the code under inspection through techniques such as compilation dependency analysis and component composition matching. When identifying the open source part, the server 104 can further identify the open source components and open source code fragments within it. A component is an object formed by simply encapsulating data and methods; the object can be reused. A code fragment is usually code, such as data and methods, that has not been encapsulated.
It should be noted that SCA is only one illustrative way for the server 104 to obtain the open source part and the self-owned part of the code under inspection; in other possible implementations of the embodiments of the present application, the server 104 may obtain them in other ways.
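The two SCA techniques just named, dependency analysis and fragment matching, carried through as an added Python example that is not part of the patent or of any product it describes. The build manifest, the source files, the "known open source" corpus and the names `parse_manifest`, `fingerprints`, `build_index` and `analyse` are all constructed for this example; a real corpus would be derived from the open source projects themselves.

```python
"""Added example (not the patent's own code): a toy software composition analysis
(SCA) pass that splits code under inspection into open source components, open
source code fragments and self-owned code, using the two techniques the text
names: dependency analysis of a build manifest and matching code fragments
against a corpus of known open source code. Every input below is constructed."""
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass, field

# Constructed build manifest in a pip-requirements-like "name==version" syntax.
MANIFEST = """\
# third-party libraries pulled in by the build
requests==2.25.1
pyyaml==5.3.1
"""

# Constructed corpus of known open source code, keyed by project name.
KNOWN_OPEN_SOURCE = {
    "left-pad": "def left_pad(s, n, ch=' '):\n    return ch * (n - len(s)) + s\n",
}

WINDOW = 2  # consecutive non-empty lines per fingerprint window


def normalise(line: str) -> str:
    """Drop comments and collapse whitespace so trivial edits do not defeat matching."""
    line = re.sub(r"#.*", "", line)
    return re.sub(r"\s+", " ", line).strip()


def fingerprints(source: str) -> dict[str, int]:
    """Map the SHA-256 of every WINDOW-line window to the line number where it starts."""
    rows = [(n, normalise(text)) for n, text in enumerate(source.splitlines(), 1)]
    rows = [(n, text) for n, text in rows if text]
    out: dict[str, int] = {}
    for i in range(len(rows) - WINDOW + 1):
        chunk = "\n".join(text for _, text in rows[i:i + WINDOW])
        out.setdefault(hashlib.sha256(chunk.encode()).hexdigest(), rows[i][0])
    return out


def build_index(corpus: dict[str, str]) -> dict[str, str]:
    """Fingerprint index over the corpus: window digest -> project name."""
    return {digest: project for project, src in corpus.items() for digest in fingerprints(src)}


def parse_manifest(text: str) -> list[tuple[str, str]]:
    """Dependency analysis: the open source components declared by the build."""
    components = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, version = line.partition("==")
            components.append((name, version))
    return components


@dataclass
class Composition:
    components: list[tuple[str, str]] = field(default_factory=list)     # from the manifest
    fragments: list[tuple[str, int, str]] = field(default_factory=list)  # (file, line, project)
    own_files: list[str] = field(default_factory=list)                  # self-owned part


def analyse(manifest: str, files: dict[str, str], index: dict[str, str]) -> Composition:
    """Split the code under inspection into its open source and self-owned parts."""
    result = Composition(components=parse_manifest(manifest))
    for path, src in files.items():
        first_hit: dict[str, int] = {}  # project -> earliest matching line in this file
        for digest, line in fingerprints(src).items():
            if digest in index:
                project = index[digest]
                first_hit[project] = min(first_hit.get(project, line), line)
        if first_hit:
            # A file holding a copied fragment may still contain self-owned code,
            # so the match is reported at fragment granularity (file and start line).
            result.fragments += [(path, line, p) for p, line in sorted(first_hit.items())]
        else:
            result.own_files.append(path)
    return result


# Constructed code under inspection: util.py embeds a copied left-pad helper at line 4.
FILES = {
    "app/util.py": (
        "import requests\n\n"
        "# copied helper\n"
        "def left_pad(s, n, ch=' '):\n"
        "    return ch * (n - len(s)) + s\n\n"
        "def fetch(url):\n"
        "    return requests.get(url).text\n"
    ),
    "app/main.py": "def main():\n    print('hello')\n",
}

if __name__ == "__main__":
    comp = analyse(MANIFEST, FILES, build_index(KNOWN_OPEN_SOURCE))
    print("open source components:", comp.components)
    print("open source fragments: ", comp.fragments)
    print("self-owned files:      ", comp.own_files)
```

The windowed fingerprints are what make the fragment match tolerant of the comment and blank line the copier inserted; a production SCA tool additionally normalises identifiers and uses larger windows to keep the false-positive rate down.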
S206: The server 104 performs compliance analysis on the open source part. When the open source part fails the compliance analysis, S208 is executed; when it passes, S216 is executed.
Since the open source part can be maintained by its copyright holder, the server 104 need not perform defect analysis on it and can instead perform compliance analysis directly. Compliance means conformance to the applicable rules; for the open source part, compliance may mean conformance to the terms of the relevant open source license.
The compliance analysis may include at least one of a license-based analysis of the legitimacy of the usage mode and a security vulnerability analysis. Both are described in detail below.
Specifically, the server 104 can query the type of the license corresponding to the open source part. For example, the server 104 can look up the license information from the source of the third-party library corresponding to the open source part; the license information may include the license type, and the server 104 can then judge from the license type whether the current way of using the open source part is legitimate.
License types may include permissive and copyleft types. Permissive licenses place almost no restrictions on the user, whereas copyleft licenses restrict the user relatively strictly. Each is described below.
A permissive license has the following characteristics: (1) no restrictions on use: the user may use and modify the code; (2) no warranty: the user bears the risk; (3) the user must credit the original author. Common permissive licenses allow the user to use the code freely; the differences between permissive licenses lie mainly in the conditions the user must observe. For example, some licenses require that the original license notice be retained when the application is distributed; others additionally require that the original author's name not be used for promotion. Still others require that the original license notice be retained when the application is distributed, that modified files carry a notice stating that they were modified, and that unmodified files keep their license unchanged.
A copyleft license has the following characteristics: (1) if binaries are distributed, the source code must be provided; (2) modified source code must keep the same license as the original source code; (3) no restrictions beyond those of the original license may be added. Different copyleft licenses restrict users differently. For example, some licenses require that if open source code under the license is used in a cloud service, the code of the cloud service must be open sourced; others require that if a project includes source code under the license, the whole project must use that license. It should be noted that in the following cases open sourcing may not be required: some licenses allow a project that calls the licensed library through dynamic linking not to be open sourced, and others require only that the code under the license be kept in separate files, so that newly added files need not be open sourced. It should be noted that the four licenses cited above may be different licenses.
Based on this, the server 104 can judge whether the way the license is used satisfies the requirements of that license. If so, the current way of using the open source part is legitimate and the license-based legitimacy analysis passes; if not, the current way of using the open source part is not legitimate and the license-based legitimacy analysis fails.
Similarly, the server 104 can match the open source part against a set of open source code with known security vulnerabilities to determine whether the open source part is associated with a security vulnerability. When the open source part is an open source component, the set of vulnerable open source code may be a set of open source components, and the server 104 matches the current open source component against the open source components collected in advance in that set to determine whether the current component is associated with a security vulnerability. When the open source part is an open source code fragment (usually unencapsulated code), the set of open source code may be a set of open source code fragments, and the server 104 matches the current fragment against the open source code fragments collected in advance in that set to determine whether the current fragment is associated with a security vulnerability. If it is, the security vulnerability analysis fails; if not, it passes.
It should be noted that when at least one of the license-based legitimacy analysis and the security vulnerability analysis fails, the compliance analysis fails; when both pass, the compliance analysis passes. When the compliance analysis passes, the server 104 can continue to S210 to analyse the self-owned part. When the compliance analysis fails, the server 104 can execute S208 to guide the user to modify the open source part until it passes the compliance analysis.
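The two checks of S206, the license-based legitimacy analysis and the vulnerability match, combined into the pass/fail decision just described, as an added Python example (it also covers the summary of the same checks given earlier in the first aspect). This is not code from the patent: the license table, the vulnerable version ranges, the `Usage` flags and the component names are constructed assumptions standing in for a license database, a vulnerability feed and the project's real distribution model.

```python
"""Added example (not the patent's own code): the compliance analysis of S206
over the open source components declared by a project, combining the
license-based check of the usage mode with a match against a set of components
known to carry security vulnerabilities. The license table, the vulnerable
version ranges and the project's usage flags are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed license knowledge: family plus the conditions described in the text.
LICENSES = {
    "MIT":        {"family": "permissive", "conditions": {"keep_notice"}},
    "BSD-3":      {"family": "permissive", "conditions": {"keep_notice", "no_endorsement"}},
    "Apache-2.0": {"family": "permissive", "conditions": {"keep_notice", "mark_changes"}},
    "GPL-3.0":    {"family": "copyleft",   "conditions": {"provide_source", "same_license"}},
    "LGPL-3.0":   {"family": "copyleft",   "conditions": {"provide_source", "same_license"},
                   "dynamic_link_exempt": True},   # dynamic linking need not be open sourced
    "AGPL-3.0":   {"family": "copyleft",   "conditions": {"provide_source", "same_license",
                                                          "network_use_is_distribution"}},
}

# Constructed "vulnerable open source component set": name -> [(first affected, first fixed)].
VULNERABLE = {
    "pyyaml": [("0", "5.4")],
    "old-logger": [("2.0", "2.17.1")],
}


@dataclass
class Component:
    name: str
    version: str
    license: str


@dataclass
class Usage:
    """How the project uses its open source components (constructed flags)."""
    distributes_binary: bool = False   # ships binaries to third parties
    offered_as_service: bool = False   # runs the code as a network service
    provides_source: bool = False      # publishes the corresponding source
    same_license: bool = False         # releases the project under the component's license
    dynamically_linked: bool = False   # calls the component only through dynamic linking
    keeps_notice: bool = True          # retains the original license notice


def license_risks(c: Component, u: Usage) -> list[str]:
    """License-based legitimacy analysis: one risk point per unmet license condition."""
    info = LICENSES.get(c.license)
    if info is None:
        return [f"{c.name}: unknown license '{c.license}', manual review required"]
    risks, cond = [], info["conditions"]
    if "keep_notice" in cond and not u.keeps_notice:
        risks.append(f"{c.name}: {c.license} requires the original license notice to be retained")
    if info["family"] == "copyleft":
        distributes = u.distributes_binary or (
            "network_use_is_distribution" in cond and u.offered_as_service)
        exempt = info.get("dynamic_link_exempt", False) and u.dynamically_linked
        if distributes and not u.provides_source and not exempt:
            risks.append(f"{c.name}: {c.license} requires source to be provided on distribution")
        if distributes and "same_license" in cond and not u.same_license and not exempt:
            risks.append(f"{c.name}: {c.license} requires the project to be released under {c.license}")
    return risks


def version_key(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def vulnerability_risks(c: Component) -> list[str]:
    """Security vulnerability analysis: match name and version against the vulnerable set."""
    return [
        f"{c.name} {c.version} lies in vulnerable range [{lo}, {hi}); upgrade to {hi} or later"
        for lo, hi in VULNERABLE.get(c.name, [])
        if version_key(lo) <= version_key(c.version) < version_key(hi)
    ]


def compliance_analysis(components: list[Component], usage: Usage) -> tuple[bool, list[str]]:
    """Pass only when both analyses pass for every component; otherwise list the risk points."""
    risks: list[str] = []
    for c in components:
        risks += license_risks(c, usage)
        risks += vulnerability_risks(c)
    return not risks, risks


# Constructed open source part of a project that ships binaries without publishing source.
SAMPLE = [
    Component("requests", "2.25.1", "Apache-2.0"),
    Component("pyyaml", "5.3.1", "MIT"),
    Component("gpl-helper", "1.2.0", "GPL-3.0"),
]
USAGE = Usage(distributes_binary=True)

if __name__ == "__main__":
    passed, risk_points = compliance_analysis(SAMPLE, USAGE)
    print("compliance analysis passed:", passed)
    for r in risk_points:
        print(" -", r)
```

The returned risk points are the content of the compliance risk prompt of S208: each names the component, the unmet condition or the vulnerable range, and the corrective action (publish source, change the project's license, or upgrade), so the terminal can present location, cause and elimination suggestion together.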
S208: The server 104 sends a compliance risk prompt to the terminal 102.
The compliance risk prompt notifies the user of the risk points found by the compliance analysis of the open source part. Specifically, the prompt can carry details of each risk point, such as its location and the cause of the risk. Further, the prompt can also carry suggestions for eliminating the risk points.
S210: The terminal 102 presents the compliance risk prompt to the user.
When presenting the code under inspection, for example its open source part, the terminal 102 can at the same time present the risk points found by the compliance analysis of that open source part. The terminal 102 can present the risk points by highlighting, by links or by similar means.
Further, when presenting the risk points found by the compliance analysis of the open source part, the terminal 102 can also present the location of each risk point and the cause of the risk, so that the user understands where the risk lies and why it arises, which helps in eliminating the risk point.
In some possible implementations, when the compliance risk prompt carries suggestions for eliminating the risk points, the terminal 102 can also present those suggestions to the user, thereby guiding the user to eliminate the risk points and improve the open source part of the code under inspection.
S212: The terminal 102 receives the user's modification of the open source part.
Specifically, the user can trigger a modification operation on the open source part in light of the modification suggestions presented by the terminal 102, and the terminal 102 receives the user's modification of the open source part in response to that operation, so as to bring the open source part into compliance.
In some embodiments, the open source part includes a non-compliant open source component. The user can upgrade or replace the non-compliant component, achieving an intelligent fix of the non-compliant open source component and ensuring that the open source components the code under inspection depends on are trusted open source components.
In other embodiments, the open source part includes a non-compliant open source code fragment. According to the risk elimination suggestions, the user can remove the non-compliant fragment or rectify it so that the fragment becomes trusted. It should be noted that the server 104 can also bring in the open source community's intelligent patch merging capability to repair non-compliant open source parts.
In other possible implementations of the embodiments of the present application, the server 104 can also directly repair the open source part, specifically its risk points, in the background so that the repaired open source part is compliant. In this case the code processing system 100 need not execute S208 to S212 to guide the user through risk elimination, which reduces user operations and improves the user experience.
S214:终端102向服务器104提交修改后的开源成分。然后服务器104执行S206。S214: The terminal 102 submits the modified open source component to the server 104. The server 104 then executes S206.
终端102向服务器104发送修改后的开源成分,以使服务器104对修改后的开源成分重新进行合规分析。当合规分析通过时,执行S216,当合规分析不通过时,执行S208直至开源成分合规分析通过。The terminal 102 sends the modified open source component to the server 104, so that the server 104 re-analyzes the compliance of the modified open source component. When the compliance analysis passes, execute S216, and when the compliance analysis fails, execute S208 until the open source component compliance analysis passes.
S216: The server 104 performs defect analysis on the proprietary portion to obtain an analysis result.
The proprietary portion depends on the above open source portion, so the server 104 can perform systematic defect analysis on the proprietary portion after the compliance analysis of the open source portion has passed, for example defect analysis by SAST, to obtain an analysis result. The analysis result may include defects in the proprietary portion. Focusing the defect analysis on the proprietary portion improves analysis efficiency, and confining the analysis result to the range in which users such as developers can take repair action raises the actionability of the analysis result and reduces unnecessary repair work.
Further, given that the proprietary portion depends on the open source portion, when performing defect analysis on the proprietary portion the server 104 may also perform the defect analysis according to knowledge of the open source components in the open source portion on which the proprietary portion depends. The knowledge of an open source component may include at least one of the usage constraints, defect patterns and semantic model of that open source component.
In some possible implementations, the server 104 presets semantic models for common open source components in advance; the semantic models can assist defect analysis, improve analysis efficiency and avoid repeated semantic analysis of common open source components. Specifically, the semantic model of an open source component defines the concrete operations and behavioural logic the open source component executes for a given input. For the open source components included in the open source portion of the code under inspection, the server 104 may recommend the semantic models corresponding to those open source components; the server 104 receives the identifier of the semantic model selected by the user, determines the corresponding semantic model according to that identifier, and performs defect analysis using that semantic model.
Further, when an open source component is provided to an upper-layer application for invocation, the usage constraints of the open source component usually have to be followed, for example specifications or requirements that must be observed during use, to ensure the correctness, reliability and stability of the logic. In addition, the user can go on to configure whether to enable the detection rule set related to the open source component. The detection rule set defines defect patterns, and a defect pattern can be characterised by a regular code sequence corresponding to a defect type. The server 104 can launch a more comprehensive analysis based on the defect patterns defined in the detection rule set, improving the accuracy of the analysis result.
In some possible implementations, the server 104 may also first perform defect analysis on the proprietary portion according to the defect patterns, and then perform defect analysis according to the usage constraints, semantic models and so on. The embodiments of the present application do not limit the order in which defect analysis is performed according to the semantic models, usage constraints and defect patterns.
Based on the usage constraints, defect patterns and semantic models, a more complete defect analysis can be achieved and the accuracy of defect analysis improved; code defect analysis of the use of the application programming interfaces (APIs) related to open source components can also be performed.
It should be noted that the above S206 to S210 are only one implementation of analysing the code under inspection. In other possible implementations of the present application, the above S206 and S210 may also be executed in parallel, or executed one after the other in a set order, which is not limited in the embodiments of the present application.
S218: The server 104 sends the analysis result and repair suggestions to the terminal 102.
Specifically, a defect describes a problem in the code itself and does not depend on execution results or on an expected specification. The categories of defects are finite and enumerable, and defects do not depend on business logic. The server 104 can therefore obtain the defect types and the repair method corresponding to each defect type and build a knowledge base from the defect types and their corresponding repair methods; after the server 104 has determined, through defect analysis, the defects in the proprietary portion of the code under inspection, it can generate repair suggestions based on that knowledge base. The server 104 then returns the analysis result and the repair suggestions to the terminal 102.
It should be noted that FIG. 2 illustrates the case in which the server 104 sends the analysis result and the repair suggestions to the terminal 102 at the same time. In some possible implementations, the server 104 may also send the analysis result and the repair suggestions separately; for example, the server 104 may first send the analysis result and then send the repair suggestions.
S220: The terminal 102 presents the analysis result and the repair suggestions to the user through a user interface.
The user interface may be an analysis result interface. The analysis result interface may be a GUI or a CUI. For ease of understanding, the embodiments of the present application use a GUI as the example. Specifically, the terminal 102 can present the code under inspection and the problems existing in it to the user through the GUI. The problems existing in the code under inspection may include defects in its proprietary portion. Further, the problems existing in the code under inspection may also include code in its open source portion that failed the compliance analysis, such as open source components associated with security vulnerabilities or code fragments whose license usage is not lawful.
When presenting the code under inspection and its problems to the user through the GUI, the terminal 102 may use different display styles. For example, the terminal 102 can highlight the problems existing in the code under inspection, so as to emphasise them and draw the user's attention. The terminal 102 can highlight the problems in several ways. One way is for the terminal 102 to highlight all of the problems in the code under inspection at the same time. Another way is for the terminal 102 to display the problems one by one in response to user operations. For example, the GUI may carry a jump control for jumping from the current problem to the next problem: the terminal 102 highlights one of the problems in the code under inspection through the GUI, and when the user triggers a jump operation through the jump control, the terminal 102 highlights the next problem through the GUI.
The terminal 102 can present repair suggestions for the problems in the code under inspection to the user through the GUI or the CUI. As with presenting the problems themselves, the terminal 102 can present the repair suggestions in several ways. One implementation is for the terminal 102 to display the repair suggestions for multiple problems at the same time. Another is for the terminal 102 to display the repair suggestions one problem at a time in response to user operations. For example, the GUI may carry a jump control for jumping from the current problem to the next problem, and when the user triggers a jump operation through the jump control, the terminal 102 displays the repair suggestion for the next problem through the GUI.
For a better reading experience, when presenting a problem the terminal 102 may present the repair suggestion for that problem nearby, for example directly after the problem. In some embodiments, the terminal 102 may also present the repair suggestions in a specific area of the GUI, such as below the code display area, so that the user can carry out the repair according to the suggestion.
The terminal 102 may present the analysis result and the repair suggestions at the same time, or may display the analysis result and the repair suggestions one after the other in a set order according to business requirements; this is not limited in the embodiments of the present application.
S222: The terminal 102 accepts or rejects the repair suggestion according to the user's operation on the repair suggestion.
Specifically, the terminal 102 can receive the user's operation on the repair suggestion through the GUI or the CUI, and accept or reject the repair suggestion accordingly. Taking a GUI as the example, the GUI provides an accept control and a reject control for the repair suggestion of each problem. The user can trigger an operation through the accept control, and the terminal 102 accepts the repair suggestion in response; the user can also trigger an operation through the reject control, and the terminal 102 rejects the repair suggestion in response.
Based on the above, the embodiments of the present application provide a code processing method. The method obtains the open source portion and the proprietary portion from the code under inspection and then applies different analysis methods to each, for example a simple and efficient compliance analysis for the open source portion and a defect analysis for the proprietary portion. In this way the analysis can focus on the proprietary portion, improving analysis efficiency and meeting business needs.
To make the technical solution of the present application clearer and easier to understand, the code processing method of the present application is described in detail below with reference to a specific example.
First, referring to the schematic flowchart of the code processing method shown in FIG. 3, in this example the code under inspection undergoes open source component analysis to obtain a proprietary portion and an open source portion, where the open source portion can be further divided into open source components and open source code fragments. In some embodiments, an open source component may be a jar package.
SCA tools provide code clone analysis, big data analysis or distributed indexing for component analysis of the code under inspection. The code processing system 100 can perform component analysis through an SCA tool. Referring to the schematic diagram of the code component analysis interface shown in FIG. 4, the interface 400 carries an address input control 402 for the project under inspection; the address input control 402 includes any one or more of a local path input control and a remote code repository input control. The user selects the local path input control or the remote code repository input control according to where the code under inspection is stored, enters the address of the code under inspection, and then triggers the code component analysis through the start-analysis control 404 carried on the interface 400. The terminal 102 in the code processing system 100 generates a code component analysis request in response to the code component analysis operation triggered by the user. In addition, the interface 400 may provide other address input controls, and correspondingly the user may enter the address of the code under inspection in other ways, so that the code under inspection can be processed according to that address.
In response to the code component analysis request, the server 104 can identify the components of the code under inspection through the code clone analysis, big data analysis or distributed indexing provided by the SCA tool; for example, these techniques can match the code under inspection against a pre-collected code corpus of open source communities to locate the open source code fragments in the code under inspection. The code component analysis result is then returned to the terminal 102, and the terminal 102 presents it to the user.
Referring to the schematic diagram of the code component analysis result interface shown in FIG. 5, the interface 500 shows the components of the code under inspection. The code under inspection may be the code of a project under inspection and may include multiple code files; the interface 500 shows, for each code file, whether it is a proprietary portion, an open source component or a reference to an open source code fragment. Further, the interface 500 provides a revision control 502 that allows the user to revise the code component analysis result. The user can examine each code file to decide whether to revise the component classification of that file. When the classification of each code file has been confirmed to be correct, the user can click the confirmation control 504 to confirm the code component analysis result.
For the open source portion and the proprietary portion, the server 104 launches different analysis methods. In this embodiment, the server 104 launches compliance analysis for the open source portion and systematic defect analysis for the proprietary portion. The analysis process of the server 104 is described in detail below.
Specifically, for open source components, the server 104 launches compliance analysis such as security vulnerability analysis and license-based analysis of the legality of the usage, and issues a warning when a compliance risk is found. Further, the server 104 can guide the user through intelligent repair of non-compliant components, for example by library upgrade or replacement, so as to ensure that the open source components on which the code under inspection depends are adjusted to trusted open source components.
Next, for open source code fragments, the server 104 launches compliance analysis such as security vulnerability analysis and license-based analysis of the legality of the usage, and issues a warning when a compliance risk is found, for example when the open source code fragments include untrusted open source code fragments. As with open source components, the server 104 can guide the user in handling the untrusted open source code fragments, so that they can be quickly removed, rectified and repaired.
Once the open source components and open source code fragments on which the code under inspection depends have all been brought into a trusted state, the server 104 can proceed to defect detection and repair on the proprietary portion. Here the server 104 can combine information about the open source portion on which the proprietary portion depends, such as information related to the open source components, to perform a more comprehensive defect analysis of the proprietary portion.
Specifically, the server 104 presets semantic models of common open source components (for example, of the APIs of open source components); these semantic models define the concrete operation process and behavioural logic the API executes for given input data. The user can configure the open source components for which the semantic model should be enabled for analysis, so that the server 104 can use the corresponding semantic models in the analysis according to the user's configuration. Referring to the schematic diagram of the configuration interface shown in FIG. 6, the terminal 102 presents the open source components 602 included in the current code under inspection to the user through the configuration interface 600, together with the status 604 of the semantic model corresponding to each open source component. The status of a semantic model may be pre-analysed or not pre-analysed. When the semantic model has been pre-analysed (generated), the user can configure in this interface whether to enable the semantic model to improve analysis accuracy. After completing the configuration of each open source component, the user can click the "confirm" control to submit the configuration information to the server 104, whereupon the configuration information takes effect.
Further, when an open source component is provided to an upper-layer application for invocation, the API usage constraints usually have to be followed to ensure the correctness, reliability and stability of the logic. When the proprietary portion, such as an upper-layer application, violates a usage constraint, a defect pattern is formed. A defect pattern can be characterised by a regular code sequence corresponding to a specific defect type. Defect detection rules can also be generated from defect patterns, where one defect detection rule can be used to detect one or more defect patterns.
Specifically, referring to the schematic diagram of the configuration interface shown in FIG. 7, the terminal 102 presents to the user, through the configuration interface 700, the defect detection rules 704 that each open source component 702 can provide. The defect detection rules cover multiple dimensions, such as correctness, stability and security, and the user can configure through the configuration interface 700 whether to enable the defect detection rules related to an open source component, thereby launching a more comprehensive analysis. After completing the configuration of each open source component, the user can click the "confirm" control to submit the configuration information to the server 104, whereupon the configuration information takes effect.
Based on the configuration information submitted by the terminal 102, the server 104 loads the preset semantic models of the open source components to speed up the analysis and improve its accuracy. In addition, based on the configuration information submitted by the terminal 102, the server 104 enables the corresponding defect detection rule set and performs a systematic analysis of the usage of the open source components to obtain an analysis result. This improves the validity and coverage of the defect analysis result for the proprietary portion. Further, on the basis of the analysis result, the server 104 can also provide an intelligent repair capability to help the user repair defects faster.
The method organically combines the capabilities of the open source component analysis tool and the code defect detection and repair tool, connects the analysis results of the two tools so that each can make use of the other's, further improves the validity of both results, and can also reduce the computational cost of ineffective analysis.
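A toy implementation of the two-track flow described above (component split, compliance analysis on the open source portion, defect analysis on the proprietary portion gated on compliance passing, repair suggestions from a knowledge base, and the accept-upgrade-then-rerun loop of S222/S214), added here as an example; it is not the patent's or the applicant's code. The component names, versions, licenses, vulnerability identifier, defect patterns and repair texts are all constructed placeholders, and the clone analysis is a deliberately simple line-window match standing in for an SCA tool.

```python
import re
from collections import namedtuple
from dataclasses import dataclass
# Constructed knowledge base: placeholder components, versions, advisories and rules.
FORBIDDEN_LICENSES = {"AGPL-3.0"}                               # license types the policy bars
VULNERABLE = {("libexample", "1.2.0"): "VULN-PLACEHOLDER-001"}  # known-vulnerable open source set
UPGRADE_TO = {"libexample": "1.2.1"}                            # fixed versions for upgrades
# Usage constraints as defect patterns: (type, opening regex, regex that must follow or None).
DEFECT_PATTERNS = {
    "libexample": [
        ("resource-leak", r"ExampleClient\.open\(", r"\.close\(\)"),
        ("missing-null-check", r"lookup\([^)]*\)\.value", None),
    ],
}
REPAIR_KB = {  # defect type -> repair method, the S218 knowledge base
    "resource-leak": "close the ExampleClient on every path (try/finally)",
    "missing-null-check": "lookup() may return null; test the result before using .value",
}

@dataclass
class CodeFile:
    path: str
    source: str = ""
    component: "str | None" = None   # set for open source components such as a jar
    version: "str | None" = None
    license: "str | None" = None
    kind: str = "own"                # "own" | "component" | "fragment", as shown in FIG. 5

Finding = namedtuple("Finding", "kind where suggestion")  # where: path, path:line or name@version

def is_clone(source, corpus, window=3):
    """Toy clone analysis: `window` consecutive whitespace-normalized lines shared with the corpus."""
    norm = lambda text: [re.sub(r"\s+", "", l) for l in text.splitlines() if l.strip()]
    lines = norm(source)
    for entry in corpus:
        ref = norm(entry["code"])
        refs = [ref[j:j + window] for j in range(len(ref) - window + 1)]
        if any(lines[i:i + window] in refs for i in range(len(lines) - window + 1)):
            return entry
    return None

def split_components(files, corpus):
    """Step 1 (SCA): separate open source components and cloned fragments from own code."""
    open_source, own = [], []
    for f in files:
        hit = None if f.component else is_clone(f.source, corpus)
        f.kind = "component" if f.component else "fragment" if hit else "own"
        if hit:
            f.license = hit["license"]  # a cloned fragment inherits the corpus entry's license
        (open_source if f.component or hit else own).append(f)
    return open_source, own

def compliance_analysis(open_source):
    """Step 2: license legality plus matching against the known-vulnerable set."""
    out = []
    for f in open_source:
        if f.license in FORBIDDEN_LICENSES:
            out.append(Finding("license", f.path, f"{f.license} is not allowed here: replace or remove"))
        vuln = VULNERABLE.get((f.component, f.version))
        if vuln:
            out.append(Finding("vulnerable-component", f"{f.component}@{f.version}",
                               f"{vuln}: upgrade to {UPGRADE_TO[f.component]}"))
    return out

def defect_analysis(own, dependencies):
    """Step 3: apply the defect patterns of the components the own code depends on."""
    out = []
    for f in own:
        lines = f.source.splitlines()
        for dep in dependencies:
            for kind, start, must_follow in DEFECT_PATTERNS.get(dep, []):
                for i, line in enumerate(lines):
                    if re.search(start, line) and (must_follow is None or
                            not any(re.search(must_follow, l) for l in lines[i + 1:])):
                        out.append(Finding(kind, f"{f.path}:{i + 1}", REPAIR_KB[kind]))
    return out

def analyze(files, corpus):
    """Run both tracks; the defect track only runs once compliance has passed (S216)."""
    open_source, own = split_components(files, corpus)
    compliance = compliance_analysis(open_source)
    if compliance:
        return {"status": "compliance-failed", "compliance": compliance, "defects": []}
    deps = sorted({f.component for f in open_source if f.component})
    return {"status": "ok", "compliance": [], "defects": defect_analysis(own, deps)}

def accept_upgrade(files, finding):
    """S222/S214: the user accepts an upgrade suggestion; the caller then reruns analyze()."""
    for f in files:
        if (f.component, f.version) == tuple(finding.where.split("@")):
            f.version = UPGRADE_TO[f.component]
    return files

# Constructed sample input: one jar, one cloned fragment, one own file that uses the jar's API.
CORPUS = [{"license": "MIT", "code": "int a = 1;\nint b = a + 2;\nreturn b * 3;"}]
FILES = [
    CodeFile("lib/libexample-1.2.0.jar", component="libexample", version="1.2.0", license="Apache-2.0"),
    CodeFile("src/Util.java", "int a = 1;\nint b = a + 2;\nreturn b * 3;\n"),
    CodeFile("src/Main.java", "ExampleClient c = ExampleClient.open(cfg);\nint v = c.lookup(key).value;\n"),
]
```

On the sample input the first run stops at the vulnerable jar and reports no defects; after the upgrade suggestion is accepted the rerun passes compliance and the defect track reports the unclosed client and the unchecked lookup in Main.java.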
The code processing method provided by the embodiments of the present application has been described in detail above with reference to FIG. 1 to FIG. 7. The code processing system provided by the embodiments of the present application is described below from the perspective of functional modules, with reference to the accompanying drawings.
Referring to the schematic diagram of the code processing system shown in FIG. 8, the code processing system 800 may be a software system or a hardware system; for ease of description, the present application takes a software system as the example. The software system includes multiple modules. These modules may be deployed together on one computer, or distributed across different computers; for example, some modules may be deployed on the terminal 102 and others on the server 104. As shown in FIG. 8, the system 800 includes:
a communication module 802, configured to obtain the code under inspection, the code under inspection including an open source portion and a proprietary portion;
an analysis module 804, configured to perform compliance analysis on the open source portion and defect analysis on the proprietary portion, to obtain an analysis result for the code under inspection.
In some possible implementations, the open source portion includes an open source component, and the analysis module 804 is specifically configured to:
perform defect analysis on the proprietary portion according to knowledge of the open source component on which the proprietary portion depends.
In some possible implementations, the knowledge of the open source component includes at least one of usage constraints, defect patterns and a semantic model.
In some possible implementations, the system 800 further includes:
a display module 806, configured to present the analysis result to the user through a user interface, the analysis result including the problems existing in the code under inspection.
In some possible implementations, the system 800 further includes:
a display module 806, configured to present repair suggestions for the problems existing in the code under inspection to the user through a user interface;
a repair module 808, configured to accept or reject the repair suggestion according to the user's operation on the repair suggestion.
In some possible implementations, the analysis module 804 is specifically configured to:
perform defect analysis on the proprietary portion when the compliance analysis of the open source portion has passed.
In some possible implementations, the system 800 further includes:
a repair module 808, configured to repair the open source portion until the compliance analysis passes, when the compliance analysis of the open source portion fails.
In some possible implementations, the analysis module 804 is specifically configured to:
query the license type of the open source portion and determine the legality of the usage of the open source portion according to the license type; and/or,
match the open source portion against a set of open source code with known security vulnerabilities, to determine whether the open source portion is associated with a security vulnerability.
The code processing system 800 according to the embodiments of the present application may correspond to executing the methods described in the embodiments of the present application, and the above and other operations and/or functions of the modules/units of the code processing system 800 are respectively for implementing the corresponding flows of the methods in the embodiment shown in FIG. 2; for brevity, they are not repeated here.
The embodiments of the present application also provide a computer cluster. The computer cluster may be formed by at least one computer in a cloud environment, an edge environment or a terminal device. The computer cluster is specifically configured to implement the functions of the code processing system 800 in the embodiment shown in FIG. 8.
FIG. 9 provides a schematic structural diagram of a computer cluster. As shown in FIG. 9, the computer cluster 90 includes at least one computer 900, and the computer 900 includes a bus 901, a processor 902, a communication interface 903 and a memory 904. The processor 902, the memory 904 and the communication interface 903 communicate through the bus 901.
The bus 901 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is used in FIG. 9, but this does not mean that there is only one bus or one type of bus.
The processor 902 may be any one or more of a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP), a digital signal processor (DSP) or other processors.
The communication interface 903 is used for external communication. For example, the communication interface 903 of one computer may communicate with the communication interface 903 of another computer to obtain the code under inspection, or to send the analysis result of the code under inspection, which may include the problems existing in the code under inspection.
The memory 904 may include volatile memory, such as random access memory (RAM). The memory 904 may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid state drive (SSD).
The memory 904 stores executable code, and the processor 902 executes the executable code to perform the code processing method described above.
Specifically, when the embodiment shown in FIG. 8 is implemented and the modules of the code processing system 800 described in the embodiment of FIG. 8 are implemented in software, the function of the communication module 802 in FIG. 8 is implemented by the communication interface 903, and the software or program code required to perform the functions of the analysis module 804, the display module 806 and the repair module 808 in FIG. 8 may be stored in the memory 904. The processor 802 executes the program code corresponding to these modules stored in the memory 804 to perform the code processing method described above.
The embodiments of the present application also provide a computer-readable storage medium. The computer-readable storage medium may be any available medium that a computing device can store, or a data storage device such as a data center containing one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD), a semiconductor medium (for example a solid state drive) or the like. The computer-readable storage medium includes instructions that instruct a computing device to perform the code processing method described above.
The embodiments of the present application also provide a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computing device, the processes or functions described in the embodiments of the present application are produced in whole or in part.
所述计算机指令可以存储在计算机可读存储介质中,或者从一个计算机可读存储介质向另一计算机可读存储介质传输,例如,所述计算机指令可以从一个网站站点、计算机或数据中心通过有线(例如同轴电缆、光纤、数字用户线(DSL))或无线(例如红外、无线、微波等)方式向另一个网站站点、计算机或数据中心进行传输。The computer instructions may be stored in or transmitted from one computer readable storage medium to another computer readable storage medium, for example, the computer instructions may be transmitted over a wire from a website site, computer or data center. (eg coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (eg infrared, wireless, microwave, etc.) to another website site, computer or data center.
所述计算机程序产品可以为一个软件安装包,在需要使用前述代码处理方法的任一方法的情况下,可以下载该计算机程序产品并在计算设备上执行该计算机程序产品。The computer program product may be a software installation package, and when any one of the aforementioned code processing methods needs to be used, the computer program product may be downloaded and executed on a computing device.
上述各个附图对应的流程或结构的描述各有侧重,某个流程或结构中没有详述的部分,可以参见其他流程或结构的相关描述。The descriptions of the processes or structures corresponding to each of the above-mentioned drawings have their own emphasis, and for the parts that are not described in detail in a certain process or structure, reference may be made to the related descriptions of other processes or structures.

Claims (19)

  1. A code processing method, characterized in that the method comprises:
    obtaining code under inspection, the code under inspection including open source content and self-owned content;
    performing compliance analysis on the open source content and defect analysis on the self-owned content, to obtain an analysis result for the code under inspection.
  2. The method according to claim 1, characterized in that the open source content includes open source components, and performing defect analysis on the self-owned content comprises:
    performing defect analysis on the self-owned content according to knowledge of the open source components on which the self-owned content depends.
  3. The method according to claim 2, characterized in that the knowledge of the open source components includes at least one of usage constraints, defect patterns and semantic models.
  4. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
    presenting the analysis result to a user through a user interface, the analysis result including problems present in the code under inspection.
  5. The method according to any one of claims 1 to 4, characterized in that the method further comprises:
    presenting repair suggestions for the problems present in the code under inspection to the user through the user interface;
    accepting or rejecting the repair suggestions according to the user's operation on the repair suggestions.
  6. The method according to any one of claims 1 to 5, characterized in that performing defect analysis on the self-owned content comprises:
    performing defect analysis on the self-owned content when the compliance analysis of the open source content passes.
  7. The method according to claim 6, characterized in that the method further comprises:
    when the compliance analysis of the open source content does not pass, repairing the open source content until the compliance analysis passes.
  8. The method according to any one of claims 1 to 7, characterized in that performing compliance analysis on the open source content comprises:
    querying the type of license according to the open source content, and determining the legality of the manner in which the open source content is used according to the type of license; and/or
    matching the open source content against a set of open source code having security vulnerabilities, to determine whether the open source content is associated with a security vulnerability.
  9. A code processing system, characterized in that the system comprises:
    a communication module, configured to obtain code under inspection, the code under inspection including open source content and self-owned content;
    an analysis module, configured to perform compliance analysis on the open source content and defect analysis on the self-owned content, to obtain an analysis result for the code under inspection.
  10. The system according to claim 9, characterized in that the open source content includes open source components, and the analysis module is specifically configured to:
    perform defect analysis on the self-owned content according to knowledge of the open source components on which the self-owned content depends.
  11. The system according to claim 10, characterized in that the knowledge of the open source components includes at least one of usage constraints, defect patterns and semantic models.
  12. The system according to any one of claims 9 to 11, characterized in that the system further comprises:
    a display module, configured to present the analysis result to a user through a user interface, the analysis result including problems present in the code under inspection.
  13. The system according to any one of claims 9 to 12, characterized in that the system further comprises:
    a display module, configured to present repair suggestions for the problems present in the code under inspection to the user through the user interface;
    a repair module, configured to accept or reject the repair suggestions according to the user's operation on the repair suggestions.
  14. The system according to any one of claims 9 to 13, characterized in that the analysis module is specifically configured to:
    perform defect analysis on the self-owned content when the compliance analysis of the open source content passes.
  15. The system according to claim 14, characterized in that the system further comprises:
    a repair module, configured to repair the open source content until the compliance analysis passes when the compliance analysis of the open source content does not pass.
  16. The system according to any one of claims 9 to 15, characterized in that the analysis module is specifically configured to:
    query the type of license according to the open source content, and determine the legality of the manner in which the open source content is used according to the type of license; and/or
    match the open source content against a set of open source code having security vulnerabilities, to determine whether the open source content is associated with a security vulnerability.
  17. A computer cluster, characterized in that the computer cluster includes at least one computer, the computer includes a processor and a memory, the memory stores computer-readable instructions, and the processor executes the computer-readable instructions to perform the code processing method according to any one of claims 1 to 8.
  18. A computer-readable storage medium, characterized by comprising computer-readable instructions which, when run on a computer, cause the computer to perform the code processing method according to any one of claims 1 to 8.
  19. A computer program product, characterized by comprising computer-readable instructions which, when run on a computer, cause the computer to perform the code processing method according to any one of claims 1 to 8.
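As an added example, not code from the patent or its applicant, the pipeline of claims 1 to 3 and 6 to 8 modelled in Python: compliance analysis (license legality plus matching against a vulnerable-code set) gates defect analysis of the self-owned content, non-compliant components are repaired first, and the defect analysis applies a usage constraint taken from the knowledge of a depended-on component. The component names, licenses, vulnerable set, repair table and sample self-owned code are all constructed.

```python
# Added example (not the patent's own code): a minimal model of the claimed
# pipeline, claims 1-3 and 6-8. Every table and sample below is constructed.
from dataclasses import dataclass

PERMITTED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}  # constructed policy
# Constructed "open source code with security vulnerabilities" set; placeholder ids.
VULNERABLE_SET = {("imgcodec", "1.2.0"): "VULN-PLACEHOLDER-1"}
# Constructed component knowledge (claim 3, a usage constraint): each call to the
# first API must be paired with a call to the second.
USAGE_CONSTRAINTS = {"imgcodec": [("imgcodec.open(", "imgcodec.close(")]}
# Constructed repair table (claim 7): version and license that pass compliance.
REPAIRS = {("imgcodec", "1.2.0"): ("1.3.0", "MIT")}

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str

def compliance_analysis(components):
    """Claim 8: license legality check and vulnerable-code-set matching."""
    issues = []
    for c in components:
        if c.license not in PERMITTED_LICENSES:
            issues.append(f"{c.name}@{c.version}: license {c.license} not permitted")
        if (c.name, c.version) in VULNERABLE_SET:
            issues.append(f"{c.name}@{c.version}: matches vulnerable set "
                          f"({VULNERABLE_SET[(c.name, c.version)]})")
    return issues

def defect_analysis(own_code, components):
    """Claims 2-3: check self-owned code against the usage constraints of its dependencies."""
    issues = []
    for c in components:
        for acquire, release in USAGE_CONSTRAINTS.get(c.name, []):
            n_acq, n_rel = own_code.count(acquire), own_code.count(release)
            if n_acq != n_rel:
                issues.append(f"{c.name}: {n_acq} x {acquire} but {n_rel} x {release}")
    return issues

def process_code(own_code, components, max_repairs=3):
    """Claim 6: defect analysis only once compliance passes; claim 7: repair first."""
    for _ in range(max_repairs + 1):
        compliance = compliance_analysis(components)
        if not compliance:
            return {"compliance": [], "defects": defect_analysis(own_code, components)}
        components = [Component(c.name, *REPAIRS.get((c.name, c.version),
                                                   (c.version, c.license)))
                      for c in components]
    return {"compliance": compliance, "defects": None}

# Constructed sample input: one non-compliant dependency, and self-owned code
# that opens two handles but closes only one.
SAMPLE_COMPONENTS = [Component("imgcodec", "1.2.0", "GPL-3.0")]
SAMPLE_OWN_CODE = "h1 = imgcodec.open(a)\nh2 = imgcodec.open(b)\nimgcodec.close(h1)\n"
```

Calling process_code(SAMPLE_OWN_CODE, SAMPLE_COMPONENTS) repairs the dependency to the constructed 1.3.0/MIT entry, passes compliance, and then reports the unmatched open() in the self-owned code.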
PCT/CN2021/137848 2021-04-24 2021-12-14 Code processing method, and system, cluster, medium and program product WO2022222499A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110446948.XA CN115237743A (en) 2021-04-24 2021-04-24 Code processing method, system, cluster, medium and program product
CN202110446948.X 2021-04-24

Publications (1)

Publication Number Publication Date
WO2022222499A1 true WO2022222499A1 (en) 2022-10-27

Family

ID=83666660

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/137848 WO2022222499A1 (en) 2021-04-24 2021-12-14 Code processing method, and system, cluster, medium and program product

Country Status (2)

Country Link
CN (1) CN115237743A (en)
WO (1) WO2022222499A1 (en)


Also Published As

Publication number Publication date
CN115237743A (en) 2022-10-25


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 21937721; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 21937721; Country of ref document: EP; Kind code of ref document: A1)