
CN115982713A - Vulnerability repairing method and device, electronic equipment and computer readable storage medium - Google Patents


Info

Publication number
CN115982713A
Authority
CN
China
Prior art keywords
target
vulnerability
component
target application
risk
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211634713.4A
Other languages
Chinese (zh)
Inventor
黄凯
余进奎
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Hubei Topsec Network Security Technology Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Hubei Topsec Network Security Technology Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd, Hubei Topsec Network Security Technology Co Ltd
Priority to CN202211634713.4A
Publication of CN115982713A
Legal status: Pending

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Stored Programmes (AREA)

Abstract

The application provides a vulnerability repair method, a vulnerability repair apparatus, an electronic device, and a computer-readable storage medium. A specific implementation of the method comprises the following steps: when a package management feature file of a target application is detected, determining a plurality of target components corresponding to the target application according to the package management feature file; detecting, in a preset risk component library, the vulnerability information corresponding to each target component; calculating a risk score of the target application according to the vulnerability information corresponding to the target components; and when the risk score is higher than a risk threshold, repairing the vulnerabilities of the target application. The method can effectively reduce the security risk of the target application after the vulnerabilities are repaired.

Description

Vulnerability repair method and apparatus, electronic device, and computer-readable storage medium

Technical field

The present application relates to the field of information security, and in particular to a vulnerability repair method and apparatus, an electronic device, and a computer-readable storage medium.

Background

A software vulnerability is a security flaw in an operating system or application that allows an attacker to access or damage the system without authorization. System vulnerability scanning is mainly used to scan for vulnerabilities in mainstream operating systems, application services, databases, network devices, virtualization platforms, video surveillance systems, industrial control systems, and the like.

Because defects and security vulnerabilities present in open-source software are packaged into the software deployment package together with it, an application that contains such a deployment package carries a considerable security risk. In the related art, there are schemes that repair an application's vulnerabilities by applying patches or upgrading the application version. In such schemes, however, component vulnerabilities in the application are hard to discover, new risky components may be introduced, and repair measures may be missing or unsuitable, so that the application's security risk remains substantial even after its vulnerabilities have been repaired.

Summary of the invention

The purpose of the embodiments of the present application is to provide a vulnerability repair method and apparatus, an electronic device, and a computer-readable storage medium, so as to effectively reduce the security risk of a target application after its vulnerabilities have been repaired.

In a first aspect, an embodiment of the present application provides a vulnerability repair method, which includes: when a package management feature file of a target application is detected, determining a plurality of target components corresponding to the target application according to the package management feature file; detecting, in a preset risk component library, the vulnerability information corresponding to each target component; calculating a risk score of the target application according to the vulnerability information corresponding to the plurality of target components; and when the risk score is higher than a risk threshold, repairing the vulnerabilities of the target application. In this way, the security risk of the target application can be effectively reduced after the vulnerabilities are repaired.

Optionally, the step of building the preset risk component library includes: obtaining a plurality of components and a plurality of items of vulnerability information, where the vulnerability information includes the vulnerability risk score and the vulnerability repair measure corresponding to each vulnerability; for one application, establishing a component relationship graph according to the dependency relationships among the plurality of components that build the application; and storing each component included in the component relationship graph in association with its related vulnerability information, to obtain the preset risk component library. In this way, the relationships between applications and components and between components and vulnerabilities are clearer and easier to manage.

Optionally, calculating the risk score of the target application according to the vulnerability information corresponding to the plurality of target components includes: for one target component, determining the plurality of items of vulnerability information corresponding to that target component and taking the highest vulnerability risk score among them as the risk score corresponding to that target component; determining the weight coefficient corresponding to that target component; and calculating, for each target component, the product of its risk score and its weight coefficient, and summing the products to obtain the risk score of the target application. In this way, the determined risk score of the target application can effectively indicate whether the target application can run normally.

Optionally, the plurality of target components are divided into direct components and indirect components based on the dependency relationships, where the weight coefficient of a direct component is greater than the weight coefficient of an indirect component; and calculating, for each target component, the product of its risk score and its weight coefficient and summing the products to obtain the risk score of the target application includes: calculating a first product of the risk score and the weight coefficient corresponding to each direct component, and a second product of the risk score and the weight coefficient corresponding to each indirect component; and summing the plurality of first products and the plurality of second products to obtain the risk score of the target application. In this way, no new risky components are introduced, which improves the security of the target application after repair.

Optionally, repairing the vulnerabilities of the target application when the risk score is higher than the risk threshold includes: when the risk score is higher than the risk threshold, looking up in the preset risk component library the vulnerability repair measure corresponding to each target component; and repairing the vulnerability corresponding to each target component according to that vulnerability repair measure.

Optionally, when the package management feature file of the target application is detected, determining the plurality of target components corresponding to the target application according to the package management feature file includes: when the package management feature file of the target application is detected, if the type of the package management feature file is determined to be a package management manifest file type, extracting the software bill of materials of the target application and determining the plurality of target components according to the software bill of materials. In this way, the target components corresponding to the package management manifest file can be scanned out at the file level, which deepens the scan and makes it more thorough.

Optionally, when the package management feature file of the target application is detected, determining the plurality of target components corresponding to the target application according to the package management feature file includes: when the package management feature file of the target application is detected, if the type of the package management feature file is determined to be a binary file type, extracting the preset binary machine-code features from the package management feature file and determining the plurality of target components according to those binary machine-code features. In this way, the target components corresponding to the binary file can be scanned out at the file level, which deepens the scan and makes it more thorough.

In a second aspect, an embodiment of the present application provides a vulnerability repair apparatus, which includes a component determination module, a vulnerability detection module, a calculation module, and a repair module. The component determination module is configured to determine, when a package management feature file of a target application is detected, a plurality of target components corresponding to the target application according to the package management feature file; the vulnerability detection module is configured to detect, in a preset risk component library, the vulnerability information corresponding to each target component; the calculation module is configured to calculate a risk score of the target application according to the vulnerability information corresponding to the plurality of target components; and the repair module is configured to repair the vulnerabilities of the target application when the risk score is higher than a risk threshold. The security risk of the target application can thus be effectively reduced after the vulnerabilities are repaired.

In a third aspect, an embodiment of the present application provides an electronic device including a processor and a memory, where the memory stores computer-readable instructions which, when executed by the processor, perform the steps of the method provided in the first aspect above.

In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, performing the steps of the method provided in the first aspect above.

Other features and advantages of the present application will be set forth in the following description and will in part be apparent from the description, or may be learned by practicing the embodiments of the present application. The objectives and other advantages of the application may be realized and attained by the structures particularly pointed out in the written description, the claims, and the appended drawings.

Brief description of the drawings

In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings that need to be used in the embodiments are briefly introduced below. It should be understood that the following drawings show only some embodiments of the present application and should therefore not be regarded as limiting its scope; those of ordinary skill in the art can derive other related drawings from these drawings without creative effort.

FIG. 1 is a flow chart of a vulnerability repair method provided by an embodiment of the present application;

FIG. 2 is a structural block diagram of a vulnerability repair apparatus provided by an embodiment of the present application;

FIG. 3 is a schematic structural diagram of an electronic device for executing a vulnerability repair method, provided by an embodiment of the present application.

Detailed description

The technical solutions in the embodiments of the present application will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. The components of the embodiments of the present application, as generally described and illustrated in the drawings herein, may be arranged and designed in a variety of different configurations. Accordingly, the following detailed description of the embodiments of the present application provided in the drawings is not intended to limit the scope of the claimed application but merely represents selected embodiments of it. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the present application without creative effort fall within the scope of protection of the present application.

It should be noted that like reference numerals and letters denote similar items in the following drawings; therefore, once an item is defined in one drawing, it need not be further defined and explained in subsequent drawings. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish descriptions and are not to be understood as indicating or implying relative importance.

It should be noted that, where there is no conflict, the embodiments of the present application, or the technical features in the embodiments, may be combined with one another.

In the related art, there is the problem that an application's security risk remains substantial after its vulnerabilities have been repaired. To solve this problem, the present application provides a vulnerability repair method and apparatus, an electronic device, and a computer-readable storage medium. Specifically, the target components present in the target application are determined at the file level, the vulnerability information corresponding to those target components is then looked up in a preset library, and the security risk of the target application is evaluated against that vulnerability information; when the security risk of the target application is determined to be high, the detected vulnerabilities are repaired. This deepens the detection and allows the vulnerabilities of the target application to be detected more thoroughly. Moreover, because the application's security risk is reduced not by applying patches or upgrading the application version but by directly repairing the vulnerabilities already present in the target application, no version compatibility problems arise and no new risky components are introduced. Therefore, the security risk of the target application can be effectively reduced after the vulnerabilities are repaired.

In some application scenarios, the above vulnerability repair method may be applied to a terminal device. The terminal device may include, for example, a mobile phone, a computer, and the like.

The defects of the solutions in the related art described above are all results obtained by the inventors through practice and careful study. Therefore, the process of discovering the above problems, and the solutions to them proposed in the embodiments of the present invention below, should all be regarded as contributions made by the inventors to the present invention in the course of the invention.

Please refer to FIG. 1, which shows a flow chart of a vulnerability repair method provided by an embodiment of the present application. As shown in FIG. 1, the vulnerability repair method includes the following steps 101 to 104.

Step 101: when a package management feature file of the target application is detected, determine a plurality of target components corresponding to the target application according to the package management feature file;

In some application scenarios, the terminal device may, for example, use the system vulnerability scanning and analysis software Nessus to detect the package management feature file of the target application. The target application may be built from a plurality of open-source components. The package management feature file may include, for example, a package management manifest file, a binary file, and the like.

In these application scenarios, the terminal device may detect the package management feature file under the default installation path of the target application and, when the package management feature file is detected, may determine a plurality of target components corresponding to the target application according to that file. The target components here may be regarded as open-source components that carry a security risk.

Step 102: detect, in a preset risk component library, the vulnerability information corresponding to each target component;

The preset risk component library may include, for example, related information about a plurality of open-source components and the vulnerability information corresponding to each open-source component. The related information here may include, for example, the name and version of the open-source component, and the vulnerability information may include, for example, the vulnerability name, its cause, and its risk level. Then, after detecting the plurality of target components, the terminal device may look up the vulnerability information corresponding to each target component in the preset risk component library.

In some application scenarios, a target component may have one vulnerability or several. For each vulnerability, the terminal device can find the corresponding vulnerability information in the preset risk component library.

Step 103: calculate a risk score of the target application according to the vulnerability information corresponding to the plurality of target components;

After detecting the vulnerability information corresponding to the target components, the terminal device may calculate the risk score of the target application according to the vulnerability information corresponding to each target component. In some application scenarios, for example, the risk score corresponding to each target component may be determined, and the average of the risk scores of the target components taken as the risk score of the target application.

Step 104: when the risk score is higher than a risk threshold, repair the vulnerabilities of the target application.

After calculating the risk score of the target application, the terminal device may determine whether the risk score is higher than the risk threshold. In some application scenarios, if the risk score of the target application is higher than the risk threshold, the target application may be regarded as carrying a high security risk and requiring repair before it can continue to operate. If the risk score of the target application is lower than the risk threshold, the target application may be regarded as carrying a low security risk and may continue to operate normally.

If the terminal device determines that the risk score of the target application is higher than the risk threshold, it may repair the vulnerabilities of the target application. In some application scenarios, for example, the target component may be directly replaced with a version that has no vulnerability, thereby achieving the repair.

In this embodiment, through the above steps 101 to 104 the vulnerabilities of the target application can be scanned at the file level, which deepens the vulnerability scan and allows the vulnerabilities of the target application to be detected more thoroughly. Moreover, because the application's security risk is reduced not by applying patches or upgrading the application version but by directly repairing the vulnerabilities already present in the target application, no version compatibility problems arise and no new risky components are introduced. Therefore, the security risk of the target application can be effectively reduced after the vulnerabilities are repaired.
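As an added illustration of steps 101 to 104 (not code from the patent or its applicant), the following Python script runs the weighted variant of the method described in the summary over a constructed SBOM and a constructed risk component library: each component's risk is the highest score among its known vulnerabilities, direct components are weighted more heavily than indirect ones, the weighted sum is compared with a threshold, and when the threshold is exceeded each vulnerable component is mapped to the fixed version recorded as its repair measure, after which the application is scored again. The weight coefficients, the threshold, the component names and versions, and the CVE-EXAMPLE identifiers are all assumed values chosen for the example.

```python
# Added example, not code from the patent: steps 101-104 over a constructed
# SBOM and a constructed risk component library.
from dataclasses import dataclass

# Assumed values: the patent only requires the direct weight to exceed the
# indirect weight and says nothing about the threshold's magnitude.
WEIGHT_DIRECT = 1.0
WEIGHT_INDIRECT = 0.5
RISK_THRESHOLD = 12.0


@dataclass
class Vulnerability:
    vuln_id: str          # placeholder identifier, not a real CVE
    score: float          # CVSS-style base score on the 0-10 scale
    fixed_version: str    # repair measure: version that no longer carries the flaw


def version_key(version):
    """Sort key so that '1.10.0' orders after '1.9' (assumes dotted integers)."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


# Constructed risk component library keyed by (component name, version).
RISK_LIBRARY = {
    ("fastjson", "1.2.24"): [
        Vulnerability("CVE-EXAMPLE-0001", 9.8, "1.2.83"),
        Vulnerability("CVE-EXAMPLE-0002", 7.5, "1.2.83"),
    ],
    ("commons-text", "1.9"): [Vulnerability("CVE-EXAMPLE-0003", 9.8, "1.10.0")],
    ("slf4j-api", "1.7.36"): [],
}

# Constructed SBOM, as extracted from a package management manifest (step 101);
# "direct" marks components the application depends on directly.
SBOM = [
    {"name": "fastjson", "version": "1.2.24", "direct": True},
    {"name": "commons-text", "version": "1.9", "direct": False},
    {"name": "slf4j-api", "version": "1.7.36", "direct": True},
    {"name": "unknown-lib", "version": "0.1", "direct": False},  # absent from library
]


def lookup_vulnerabilities(component):
    """Step 102: vulnerability information for one component; unknown components yield none."""
    return RISK_LIBRARY.get((component["name"], component["version"]), [])


def component_risk(component):
    """Highest vulnerability risk score of the component, 0.0 when nothing is known."""
    return max((v.score for v in lookup_vulnerabilities(component)), default=0.0)


def application_risk(sbom):
    """Step 103: weighted sum of component risks, direct components weighted higher."""
    total = 0.0
    for component in sbom:
        weight = WEIGHT_DIRECT if component["direct"] else WEIGHT_INDIRECT
        total += component_risk(component) * weight
    return total


def plan_repairs(sbom):
    """Step 104: above the threshold, map each vulnerable component to its fixed version."""
    score = application_risk(sbom)
    if score <= RISK_THRESHOLD:
        return score, {}
    repairs = {}
    for component in sbom:
        vulns = lookup_vulnerabilities(component)
        if vulns:
            # Take the highest fixed version so every listed vulnerability is covered.
            repairs[component["name"]] = max((v.fixed_version for v in vulns), key=version_key)
    return score, repairs


def apply_repairs(sbom, repairs):
    """Replace each vulnerable component with its fixed version, keeping the rest unchanged."""
    return [dict(c, version=repairs.get(c["name"], c["version"])) for c in sbom]


if __name__ == "__main__":
    score, repairs = plan_repairs(SBOM)
    print(f"risk score before repair: {score:.1f} (threshold {RISK_THRESHOLD})")
    print("repairs:", repairs)
    print(f"risk score after repair: {application_risk(apply_repairs(SBOM, repairs)):.1f}")
```

With the constructed data the score before repair is 9.8 for the direct Fastjson entry plus 0.5 × 9.8 for the indirect commons-text entry, 14.7 in total, which exceeds the threshold; the unknown component contributes nothing, which is worth remembering when a scanner cannot identify a component. After the two replacements the library knows no vulnerability for the new versions and the score falls to 0.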

In some optional implementations, the preset risk component library may be built in advance. The steps of building the preset risk component library include:

Step 1: obtain a plurality of components and a plurality of items of vulnerability information, where the vulnerability information includes the vulnerability risk score and the vulnerability repair measure corresponding to each vulnerability;

In some application scenarios, a large amount of component information and vulnerability information may first be obtained. For example, a large amount of vulnerability information may be obtained from public vulnerability disclosure platforms on the Internet such as CVE (Common Vulnerabilities & Exposures), CNVD (China National Vulnerability Database, the national information security vulnerability sharing platform), and CNNVD (China National Vulnerability Database of Information Security, the national information security vulnerability database). The vulnerability information here may include the vulnerability risk score and the vulnerability repair measure corresponding to the vulnerability, and may also include a description of the vulnerability, the vulnerability name, the vulnerability number, and other information. In these application scenarios, the vulnerability risk score corresponding to a vulnerability may be obtained, for example, through CVSS (Common Vulnerability Scoring System).

Step 2: for one application, establish a component relationship graph according to the dependency relationships among the plurality of components that build the application;

After obtaining the plurality of components and the plurality of items of vulnerability information, the components may be grouped according to the application to which they belong. Specifically, for one application, the plurality of components that build the application can be determined. Further, dependency relationships may exist among the components. For example, if component A needs the output of component B in order to run, component A may be regarded as depending on component B, and a dependency relationship exists between the two.

Then, after the dependency relationships among the components have been determined, a component relationship graph may be established according to those dependency relationships, so as to associate the plurality of components used to build the same application.

In some application scenarios, to facilitate management of the component relationship graph (for example, searching and locating), a permanent uniform resource locator may be set for each component, which can then be used to uniquely identify that component. The permanent uniform resource locator may consist of, for example, the package manager name, the vendor name, the component name, and the component version.

Step 3: store each component included in the component relationship graph in association with its related vulnerability information, to obtain the preset risk component library.

After the component relationship graph has been built, each component in the component relationship graph may be stored in association with its related vulnerability information. For example, if component A has vulnerability a1 and vulnerability a2, component A may be associated with the vulnerability information corresponding to vulnerabilities a1 and a2.

After the components in the component relationship graphs corresponding to the plurality of applications have each been stored in association with their vulnerability information, the preset risk component library is obtained. It should be noted that one component may participate in building several applications, and one vulnerability may exist in several components. Therefore, when the component relationship graphs are built, the graphs corresponding to different applications may be linked through shared components or vulnerability information.

In this implementation, the preset risk component library may be established according to the relationships between applications and components and between components and vulnerabilities. In this way, those relationships are clearer and easier to manage.
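As an added illustration of steps 1 to 3 (not code from the patent or its applicant), the following Python class builds the preset risk component library as a dependency graph: each component is keyed by an identifier assembled from the package manager, vendor, component name, and version as the description says (the pkg:…@… layout is an assumption), per-application direct components and dependency edges form the component relationship graph, vulnerability information is stored against each component, and a graph walk classifies a component as direct or indirect for a given application and finds every application that shares it. The application and component names, versions, and CVE-EXAMPLE identifiers are constructed sample data.

```python
# Added example, not code from the patent: the preset risk component library of
# steps 1-3 modelled as a dependency graph with per-component vulnerability records.
from collections import defaultdict, deque


def component_id(package_manager, vendor, name, version):
    """Permanent identifier built from the four parts the description names.
    The pkg:<manager>/<vendor>/<name>@<version> layout is an assumption."""
    return f"pkg:{package_manager}/{vendor}/{name}@{version}"


class RiskComponentLibrary:
    def __init__(self):
        self.apps = {}                        # application -> set of direct component ids
        self.depends_on = defaultdict(set)    # component id -> ids it depends on (graph edges)
        self.vulns = defaultdict(list)        # component id -> vulnerability records

    def add_application(self, app, direct_components):
        """Register the components the application depends on directly."""
        self.apps[app] = set(direct_components)

    def add_dependency(self, component, dependency):
        """Component A depends on component B: an edge A -> B in the relationship graph."""
        self.depends_on[component].add(dependency)

    def add_vulnerability(self, component, vuln_id, score, repair):
        """Step 3: associate vulnerability information (score + repair measure) with a component."""
        self.vulns[component].append({"id": vuln_id, "score": score, "repair": repair})

    def components_of(self, app):
        """Walk the graph from the application's direct components.
        Returns {component id: "direct" | "indirect"}; a component listed as direct keeps
        that label even if it is also reachable through another dependency."""
        kind = {c: "direct" for c in self.apps[app]}
        queue = deque(self.apps[app])
        while queue:
            current = queue.popleft()
            for dep in self.depends_on[current]:
                if dep not in kind:
                    kind[dep] = "indirect"
                    queue.append(dep)
        return kind

    def applications_using(self, component):
        """Every application whose graph contains the component (shared components link graphs)."""
        return sorted(app for app in self.apps if component in self.components_of(app))

    def vulnerable_components(self, app):
        """Components of the application that have at least one vulnerability record."""
        return {c: k for c, k in self.components_of(app).items() if self.vulns[c]}


def build_sample_library():
    """Constructed sample data: two applications sharing one component; identifiers are
    placeholders, and the Maven group id stands in for the vendor name."""
    lib = RiskComponentLibrary()
    fastjson = component_id("maven", "com.alibaba", "fastjson", "1.2.24")
    spring_core = component_id("maven", "org.springframework", "spring-core", "5.3.20")
    spring_jcl = component_id("maven", "org.springframework", "spring-jcl", "5.3.20")
    lib.add_application("billing-service", [fastjson, spring_core])
    lib.add_application("report-service", [spring_core])
    lib.add_dependency(spring_core, spring_jcl)
    lib.add_vulnerability(fastjson, "CVE-EXAMPLE-0001", 9.8, "upgrade to 1.2.83")
    lib.add_vulnerability(spring_jcl, "CVE-EXAMPLE-0004", 5.3, "upgrade to 5.3.21")
    return lib


if __name__ == "__main__":
    lib = build_sample_library()
    for app in lib.apps:
        print(app, lib.vulnerable_components(app))
```

Because spring-jcl is recorded once but reached from both applications through spring-core, a single vulnerability record against it surfaces in both graphs, which is the cross-application linkage the description calls for; the direct/indirect label produced by the walk is what the weighted scoring of the summary consumes.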

In some optional implementations, determining the multiple target components corresponding to the target application according to the package management feature file when that file is detected (step 101 above) includes: when the package management feature file of the target application is detected, if its type is determined to be the package management manifest file type, extracting the software bill of materials of the target application and determining the multiple target components from that software bill of materials.

In some application scenarios, when the terminal device detects a package management feature file, it can determine the file's type, that is, whether the package management feature file is a package management manifest file or a binary file.

In these scenarios, if the package management feature file is of the manifest file type, the software bill of materials (Software Bill of Materials, SBOM) of the target application can be extracted, and the multiple target components can then be determined from it.

For example, the terminal device can search the source code of the target application (for example, code written in a language with a package management mechanism, such as Java, PHP or Golang) for the package management feature file; when that file is of the manifest file type, its SBOM can be extracted to obtain the multiple target components. If one of the target components is the Fastjson component, two pieces of vulnerability information might be found for it in the preset risk component library. One could be, for example, "the vulnerability numbered CVE-2022-25845 carries a deserialization risk in versions 1.2.80 and below"; the other could be "the vulnerability numbered CVE-2017-18349 in version 1.2.25 allows a remote attacker to execute arbitrary code via a specially crafted JSON request".

In some scenarios, once those two pieces of vulnerability information are found, the corresponding vulnerability repair measures can be looked up in the preset risk component library. The information for the repair measure may include, for example: "Versions affected by the vulnerability: Fastjson<=1.2.80; version not affected by the vulnerability: Fastjson=1.2.83; versions below 1.2.80 can be replaced with version 1.2.83".

In this implementation, if the package management feature file is of the manifest file type, the target components are determined from the software bill of materials. The target components behind the manifest file are thus scanned at the file level, which increases the scan depth and makes the scan more thorough.

In some optional implementations, determining the multiple target components corresponding to the target application according to the package management feature file when that file is detected (step 101 above) includes: when the package management feature file of the target application is detected, if its type is determined to be the binary file type, extracting the preset binary machine code features from that file and determining the multiple target components from those features.

In some application scenarios, when the terminal device detects that the package management feature file is a binary file, it can extract the preset binary machine code features from the binary and then further determine the target components from the information content those features carry. That information content may include, for example, constant strings, partial class names, function names or other configuration information.

For example, the terminal device can use the ldd command (which lists shared object dependencies) to locate the package management feature file from the source code of the target application (for example, code written in C or C++); when the file is of the binary file type, the nm command can further be used to list the symbols of the binary. Binary machine code features such as constant strings, partial class names and function names are then extracted. Code similarity is then computed with matching algorithms such as machine learning or natural language processing to determine the name, version and other information of the target component, and thereby identify the target component.

In this implementation, if the package management feature file is of the binary file type, the target components are determined from binary machine code features. The target components behind the binary file are thus scanned at the file level, which increases the scan depth and makes the scan more thorough.

In some optional implementations, calculating the risk score of the target application from the vulnerability information corresponding to the multiple target components (step 103 above) includes the following sub-steps:

Sub-step 1031: for a target component, determine the pieces of vulnerability information corresponding to it, and take the highest vulnerability risk score among them as the risk score of that target component;

In some application scenarios, a target component may have one or more pieces of vulnerability information, all of which must be considered together to determine the component's risk. Specifically, if the target component has only one piece of vulnerability information, the vulnerability risk score in that information is taken as the component's risk score. If it has several, their vulnerability risk scores are compared and the highest one is taken as the component's risk score.

Sub-step 1032: determine the weight proportional coefficient corresponding to that target component;

In some application scenarios, each target component can be assigned a weight proportional coefficient in advance according to its importance. After the component's risk score has been determined, its weight proportional coefficient is determined. The coefficient can be regarded as how important the target component is to building the target application.

Sub-step 1033: compute the product of each target component's risk score and its weight proportional coefficient, and sum the products to obtain the risk score of the target application.

Once the risk score and weight proportional coefficient of each target component are determined, their product is computed, and the resulting products are summed to give the risk score of the target application.

In this implementation, the risk score of the target application is calculated through sub-steps 1031 to 1033. Because the highest vulnerability risk score is used in the calculation, the resulting risk score can be regarded as the highest risk score of the target application. Therefore, if that score is greater than the risk threshold, the target application can be considered to carry a high security risk and to need repair, and the risk score determined through sub-steps 1031 to 1033 can effectively judge whether the target application can run normally.

In some optional implementations, the multiple target components are divided into direct components and indirect components based on the dependency relationship, and the weight proportional coefficient of a direct component is greater than that of an indirect component.

In some application scenarios, since the multiple target components that build the target application have dependency relationships among them, those relationships can be used to divide the components into direct components and indirect components. Specifically, a direct component may sit at the very end of the component relationship graph, while an indirect component may sit one or two levels above a direct component in the graph.

Because a direct component matters more than an indirect component for building the target application, direct components can be given a larger weight proportional coefficient and indirect components a smaller one.

Accordingly, computing the product of each target component's risk score and weight proportional coefficient and summing the products to obtain the risk score of the target application (sub-step 1033 above) includes: computing a first product of the risk score and weight proportional coefficient for each direct component, and a second product of the risk score and weight proportional coefficient for each indirect component; and summing the first products and the second products to obtain the risk score of the target application.

When calculating the risk score of the target application, the terminal device can compute a first product of the risk score and weight proportional coefficient for each direct component, and a second product of the risk score and weight proportional coefficient for each indirect component. The first products and second products are then summed to obtain the risk score of the target application. For example, the calculation of the risk score of the target application can be expressed as

Figure BDA0004006722650000121

where S_project is the risk score of the target application, W_direct is the weight proportional coefficient of a direct component, W_indirect is the weight proportional coefficient of an indirect component, S_package is the risk score of a target component, and

Figure BDA0004006722650000122

In this implementation, dividing the target components into direct components and indirect components improves the credibility of the risk score of the target application.

In some optional implementations, repairing the vulnerabilities of the target application when the risk score is higher than the risk threshold includes: when the risk score is higher than the risk threshold, looking up in the preset risk component library the vulnerability repair measures corresponding to each target component, and repairing the vulnerabilities of the target components according to those repair measures.

In some application scenarios, after determining the risk score of the target application, the terminal device can check whether that score is greater than the risk threshold; if it is, the target application is considered to carry a high security risk, and its vulnerabilities can then be repaired. The risk threshold may be, for example, 0.7, 0.75 or any other value that effectively marks the target application as carrying a substantial security risk.

In these scenarios, when the risk score of the target application is higher than the risk threshold, the vulnerability information for each target component is looked up in the preset risk component library, and the corresponding vulnerability repair measures are taken from that information. The vulnerabilities of the target components are then repaired according to those measures. Once the vulnerabilities of all target components have been repaired, the vulnerabilities of the target application are repaired as well.

In this implementation, the vulnerabilities of the target application are repaired by repairing those of its target components. No new risk components are introduced, which improves the security of the target application after repair.

In some application scenarios, when the terminal device detects that the risk score of the target application is higher than the risk threshold, it can issue alarm information, so that the composition of the target application and the scope affected by the vulnerabilities can be analysed from the alarm, and a new vulnerability investigation plan, vulnerability repair plan or other measure that effectively lowers the security risk of the target application can be drawn up.
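The scoring procedure of sub-steps 1031 to 1033 with direct/indirect weighting, followed by the threshold-gated lookup of repair measures, worked through as an added example (not code from the patent). It assumes vulnerability risk scores on a 0-10 scale divided by 10, weight proportional coefficients derived from a 2:1 direct:indirect ratio and normalised to sum to 1 so that S_project stays in [0, 1] and a threshold such as 0.7 is meaningful; the numeric scores, the org.example components and the identifier layout are constructed, while the Fastjson CVE numbers and the 1.2.83 fix come from the text.

```python
"""Risk scoring (sub-steps 1031-1033, direct/indirect weights) and
threshold-gated remediation lookup. Added example; assumptions as in the
lead-in: 0-10 vulnerability scores normalised to [0, 1], weights from a
direct:indirect ratio normalised to sum to 1, constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    risk_score: float   # vulnerability risk score, 0-10 scale (assumed scale)
    fix_measure: str    # vulnerability repair measure stored with the vuln


@dataclass
class Component:
    purl: str           # permanent uniform resource locator, see make_purl()
    direct: bool        # True = direct component, False = indirect component
    vulns: List[Vulnerability] = field(default_factory=list)


def make_purl(pkg_manager: str, vendor: str, name: str, version: str) -> str:
    """Identifier built from the four parts the text names (package manager,
    vendor, component name, version); the separator layout is this example's
    own convention, not a published scheme."""
    return f"{pkg_manager}/{vendor}/{name}@{version}"


# Constructed preset risk component library: purl -> vulnerability information.
# CVE numbers and the 1.2.83 fix are from the text; scores are illustrative,
# not official CVSS values.
RISK_LIBRARY: Dict[str, List[Vulnerability]] = {
    make_purl("maven", "com.alibaba", "fastjson", "1.2.80"): [
        Vulnerability("CVE-2022-25845", 9.8,
                      "affected: Fastjson<=1.2.80; not affected: Fastjson=1.2.83; "
                      "replace versions below 1.2.80 with 1.2.83"),
        Vulnerability("CVE-2017-18349", 9.0, "upgrade Fastjson to 1.2.83"),
    ],
    make_purl("maven", "org.example", "util-log", "1.4.2"): [
        Vulnerability("VULN-CONSTRUCTED-1", 9.1, "upgrade util-log to 1.5.0"),
    ],
}


def component_risk_score(vulns: List[Vulnerability]) -> float:
    """Sub-step 1031: the component's risk score is the highest vulnerability
    risk score among its vulnerabilities, normalised to [0, 1]; a component
    with no known vulnerabilities scores 0."""
    if not vulns:
        return 0.0
    return max(v.risk_score for v in vulns) / 10.0


def weight_coefficients(components: List[Component],
                        w_direct: float = 2.0,
                        w_indirect: float = 1.0) -> Dict[str, float]:
    """Sub-step 1032: W_direct for direct and W_indirect for indirect
    components (direct must outweigh indirect), normalised to sum to 1."""
    if w_direct <= w_indirect:
        raise ValueError("direct components must outweigh indirect ones")
    raw = {c.purl: (w_direct if c.direct else w_indirect) for c in components}
    total = sum(raw.values())
    return {purl: w / total for purl, w in raw.items()}


def project_risk_score(components: List[Component]) -> float:
    """Sub-step 1033: S_project = sum of first products (direct) plus sum of
    second products (indirect), each product being W * S_package."""
    weights = weight_coefficients(components)
    first_products = sum(weights[c.purl] * component_risk_score(c.vulns)
                         for c in components if c.direct)
    second_products = sum(weights[c.purl] * component_risk_score(c.vulns)
                          for c in components if not c.direct)
    return first_products + second_products


def remediation_plan(components: List[Component],
                     threshold: float = 0.7) -> List[Tuple[str, str, str]]:
    """Repair is triggered only above the risk threshold: return
    (purl, vuln_id, fix_measure) for every vulnerability of every target
    component, or an empty list when the application is below threshold."""
    if project_risk_score(components) <= threshold:
        return []
    return [(c.purl, v.vuln_id, v.fix_measure)
            for c in components for v in c.vulns]


def scan(target_purls: List[Tuple[str, bool]]) -> List[Component]:
    """Resolve target components (purl, is_direct) against the library,
    attaching the vulnerability information held for each."""
    return [Component(purl, direct, list(RISK_LIBRARY.get(purl, [])))
            for purl, direct in target_purls]


if __name__ == "__main__":
    # Constructed target application: a vulnerable direct component and a
    # vulnerable indirect component.
    app = scan([
        (make_purl("maven", "com.alibaba", "fastjson", "1.2.80"), True),
        (make_purl("maven", "org.example", "util-log", "1.4.2"), False),
    ])
    print(f"S_project = {project_risk_score(app):.3f}")
    for purl, vuln_id, fix in remediation_plan(app):
        print(f"{purl}: {vuln_id} -> {fix}")
```

Adding a clean direct component dilutes the weighted sum below the threshold, which shows why the normalisation choice matters when picking a threshold such as 0.7.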

Refer to FIG. 2, which shows a structural block diagram of a vulnerability repair apparatus provided by an embodiment of the present application; the apparatus may be a module, program segment or piece of code on an electronic device. It should be understood that the apparatus corresponds to the method embodiment of FIG. 1 and can perform the steps involved in that embodiment; for its specific functions refer to the description above. To avoid repetition, detailed description is omitted here where appropriate.

Optionally, the vulnerability repair apparatus includes a component determination module 201, a vulnerability detection module 202, a calculation module 203 and a repair module 204. The component determination module 201 is configured to determine, when the package management feature file of the target application is detected, the multiple target components corresponding to the target application according to that file; the vulnerability detection module 202 is configured to detect, in the preset risk component library, the vulnerability information corresponding to each target component; the calculation module 203 is configured to calculate the risk score of the target application from the vulnerability information corresponding to the multiple target components; and the repair module 204 is configured to repair the vulnerabilities of the target application when the risk score is higher than the risk threshold.

Optionally, building the preset risk component library includes: obtaining multiple components and multiple pieces of vulnerability information, the vulnerability information including the vulnerability risk score and vulnerability repair measure corresponding to each vulnerability; for an application, building a component relationship graph from the dependency relationships among the multiple components that build the application; and storing each component included in the component relationship graph in association with its related vulnerability information to obtain the preset risk component library.

Optionally, the calculation module 203 is further configured to: for a target component, determine the pieces of vulnerability information corresponding to it and take the highest vulnerability risk score as the risk score of that component; determine the weight proportional coefficient corresponding to that component; and compute the product of each target component's risk score and weight proportional coefficient and sum the products to obtain the risk score of the target application.

Optionally, the multiple target components are divided into direct components and indirect components based on the dependency relationship, the weight proportional coefficient of a direct component being greater than that of an indirect component; and the calculation module 203 is further configured to: compute a first product of the risk score and weight proportional coefficient for each direct component, and a second product of the risk score and weight proportional coefficient for each indirect component; and sum the first products and the second products to obtain the risk score of the target application.

Optionally, the repair module 204 is further configured to: when the risk score is higher than the risk threshold, look up in the preset risk component library the vulnerability repair measures corresponding to each target component, and repair the vulnerabilities of the target components according to those repair measures.

Optionally, the component determination module 201 is further configured to: when the package management feature file of the target application is detected, if its type is determined to be the package management manifest file type, extract the software bill of materials of the target application and determine the multiple target components from that software bill of materials.

Optionally, the component determination module 201 is further configured to: when the package management feature file of the target application is detected, if its type is determined to be the binary file type, extract the preset binary machine code features from that file and determine the multiple target components from those features.

It should be noted that, as those skilled in the art will clearly understand, for convenience and brevity of description the specific operation of the apparatus described above can be found in the corresponding process of the foregoing method embodiment and is not repeated here.

Refer to FIG. 3, which is a schematic structural diagram of an electronic device for performing the vulnerability repair method provided by an embodiment of the present application. The electronic device may include at least one processor 301 (for example, a CPU), at least one communication interface 302, at least one memory 303 and at least one communication bus 304. The communication bus 304 is used to connect these components directly for communication. The communication interface 302 of the device in this embodiment is used for signalling or data communication with other node devices. The memory 303 may be a high-speed RAM memory or a non-volatile memory, for example at least one disk memory; optionally, the memory 303 may also be at least one storage device located remotely from the processor. The memory 303 stores computer-readable instructions which, when executed by the processor 301, cause the electronic device to perform the method process shown in FIG. 1.

It will be understood that the structure shown in FIG. 3 is only illustrative; the electronic device may include more or fewer components than shown in FIG. 3, or have a configuration different from that shown in FIG. 3. Each component shown in FIG. 3 may be implemented in hardware, software or a combination of the two.

An embodiment of the present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, performs the method process performed by the electronic device in the method embodiment shown in FIG. 1.

An embodiment of the present application provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program including program instructions which, when executed by a computer, enable the computer to perform the methods provided by the foregoing method embodiments. For example, the method may include: when the package management feature file of the target application is detected, determining the multiple target components corresponding to the target application according to that file; detecting, in the preset risk component library, the vulnerability information corresponding to each target component; calculating the risk score of the target application from the vulnerability information corresponding to the multiple target components; and repairing the vulnerabilities of the target application when the risk score is higher than the risk threshold.

In the embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative; for example, the division into units is only a logical functional division, and other divisions are possible in actual implementation; likewise, several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some communication interfaces, apparatuses or units, and may be electrical, mechanical or of other forms.

In addition, units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

Furthermore, the functional modules in the embodiments of the present application may be integrated to form one independent part, each module may exist separately, or two or more modules may be integrated to form one independent part.

In this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations.

The foregoing is merely an embodiment of the present application and is not intended to limit its scope of protection; those skilled in the art may make various modifications and changes to the present application. Any modification, equivalent replacement, improvement or the like made within the spirit and principles of this application shall fall within its scope of protection.

Claims (10)

1. A vulnerability fixing method is characterized by comprising the following steps:
when a package management characteristic file of a target application is detected, determining a plurality of target components corresponding to the target application according to the package management characteristic file;
respectively detecting vulnerability information corresponding to the target component in a preset risk component library;
calculating the risk score of the target application according to the vulnerability information corresponding to the target components;
and when the risk score is higher than a risk threshold value, repairing the vulnerability of the target application.
2. The method of claim 1, wherein the step of constructing the library of pre-set risk components comprises:
acquiring a plurality of components and a plurality of vulnerability information; the vulnerability information comprises vulnerability risk scores and vulnerability repair measures corresponding to vulnerabilities;
aiming at an application, establishing a component relation map according to the dependency relationship among a plurality of components for constructing the application; and
and respectively associating and storing each component included in the component relation map with the relevant vulnerability information to obtain the preset risk component library.
3. The method of claim 2, wherein the calculating the risk score of the target application according to the vulnerability information corresponding to the target components comprises:
aiming at a target component, determining a plurality of vulnerability information corresponding to the target component, and determining the vulnerability risk score with the highest score as the risk score corresponding to the target component; and
determining a weight proportion coefficient corresponding to the target component;
and calculating the product of the risk score corresponding to each target component and the weight proportion coefficient, and accumulating the products to obtain the risk score of the target application.
4. The method of claim 3, wherein the plurality of target components are divided into direct components and indirect components based on the dependency relationships, the weight proportion coefficient of a direct component being greater than the weight proportion coefficient of an indirect component; and
wherein calculating the product of the risk score corresponding to each target component and its weight proportion coefficient, and summing the products to obtain the risk score of the target application, comprises:
calculating a first product of the risk score and the weight proportion coefficient for each direct component, and a second product of the risk score and the weight proportion coefficient for each indirect component; and
summing the first products and the second products to obtain the risk score of the target application.
5. The method according to any one of claims 2-4, wherein repairing the vulnerability of the target application when the risk score is higher than the risk threshold comprises:
when the risk score is higher than the risk threshold, searching the preset risk component library for the vulnerability repair measures corresponding to the target components; and
repairing the vulnerability corresponding to each target component according to its vulnerability repair measure.
6. The method according to claim 1, wherein determining the plurality of target components corresponding to the target application according to the package management feature file when the package management feature file of the target application is detected comprises:
when the package management feature file of the target application is detected, if the type of the package management feature file is determined to be a package management manifest file type, extracting the software bill of materials of the target application and determining the target components according to the software bill of materials.
7. The method according to claim 1, wherein determining the plurality of target components corresponding to the target application according to the package management feature file when the package management feature file of the target application is detected comprises:
when the package management feature file of the target application is detected, if the type of the package management feature file is determined to be a binary file type, extracting preset binary machine code features from the package management feature file and determining the target components according to the binary machine code features.
8. A vulnerability repair apparatus, comprising:
a component determining module, configured to determine a plurality of target components corresponding to a target application according to a package management feature file of the target application when the package management feature file is detected;
a vulnerability detection module, configured to look up, for each of the target components, the vulnerability information corresponding to that component in a preset risk component library;
a calculation module, configured to calculate a risk score of the target application according to the vulnerability information corresponding to the target components; and
a repair module, configured to repair the vulnerability of the target application when the risk score is higher than a risk threshold.
9. An electronic device comprising a processor and a memory, the memory storing computer readable instructions that, when executed by the processor, perform the method of any one of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1 to 7.
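The scoring procedure of claims 2-5 (per-component maximum vulnerability score, weighted by whether the component is a direct or a transitive dependency, summed and compared against a threshold before repair measures are looked up) and the manifest-driven component determination of claim 6 can be shown end to end in a few dozen lines. The following Python is an added worked example, not code from the patent or its applicants. The risk component library, the lockfile-like manifest, the weights 1.0/0.5, the threshold 7.0 and every component and vulnerability name in it are constructed for illustration; the patent specifies none of these values, and the manifest format is a simplified shape rather than any real package manager's file.

```python
"""Weighted component risk scoring driven by a package manifest.

Added example (not the patent's code). The risk component library and
the manifest below are constructed inline so the example runs offline.
"""
import json
from collections import deque

# Constructed risk component library: component -> vulnerability records,
# each carrying a CVSS-like score and a repair measure (claim 2).
RISK_COMPONENT_LIBRARY = {
    "web-framework@1.2.0": [
        {"id": "VULN-A", "score": 9.8, "fix": "upgrade web-framework to 1.2.5"},
        {"id": "VULN-B", "score": 5.3, "fix": "upgrade web-framework to 1.2.5"},
    ],
    "yaml-parser@3.0.1": [
        {"id": "VULN-C", "score": 7.5, "fix": "upgrade yaml-parser to 3.1.0"},
    ],
    "log-lib@0.9.0": [],
}

# Constructed manifests in a lockfile-like shape: the application's direct
# dependencies plus each package's own dependencies (the relationship graph).
MANIFEST_JSON = json.dumps({
    "dependencies": ["web-framework@1.2.0", "log-lib@0.9.0"],
    "packages": {
        "web-framework@1.2.0": {"dependencies": ["yaml-parser@3.0.1", "log-lib@0.9.0"]},
        "yaml-parser@3.0.1": {"dependencies": []},
        "log-lib@0.9.0": {"dependencies": []},
    },
})
PATCHED_MANIFEST_JSON = json.dumps({
    "dependencies": ["web-framework@1.2.5", "log-lib@0.9.0"],
    "packages": {
        "web-framework@1.2.5": {"dependencies": ["yaml-parser@3.1.0", "log-lib@0.9.0"]},
        "yaml-parser@3.1.0": {"dependencies": []},
        "log-lib@0.9.0": {"dependencies": []},
    },
})

WEIGHT_DIRECT = 1.0     # assumed weights: the patent only requires direct > indirect
WEIGHT_INDIRECT = 0.5
RISK_THRESHOLD = 7.0    # assumed threshold


def classify_components(manifest_text):
    """Return {component: 'direct' | 'indirect'} by BFS over the dependency graph."""
    manifest = json.loads(manifest_text)
    packages = manifest.get("packages", {})
    kind, queue = {}, deque()
    for name in manifest.get("dependencies", []):
        kind[name] = "direct"
        queue.append(name)
    while queue:
        for dep in packages.get(queue.popleft(), {}).get("dependencies", []):
            if dep not in kind:          # a component seen first as direct stays direct
                kind[dep] = "indirect"
                queue.append(dep)
    return kind


def component_risk(name, library=RISK_COMPONENT_LIBRARY):
    """Highest vulnerability score for one component (claim 3); 0.0 if none known."""
    return max((v["score"] for v in library.get(name, [])), default=0.0)


def application_risk(manifest_text, library=RISK_COMPONENT_LIBRARY):
    """Sum of per-component max score times its direct/indirect weight (claim 4)."""
    total = 0.0
    for name, kind in classify_components(manifest_text).items():
        weight = WEIGHT_DIRECT if kind == "direct" else WEIGHT_INDIRECT
        total += component_risk(name, library) * weight
    return round(total, 2)


def remediation_plan(manifest_text, library=RISK_COMPONENT_LIBRARY, threshold=RISK_THRESHOLD):
    """Return (score, repair measures); measures are looked up only above threshold (claim 5)."""
    score = application_risk(manifest_text, library)
    if score <= threshold:
        return score, []
    fixes = []
    for name in classify_components(manifest_text):
        for vuln in library.get(name, []):
            if vuln["fix"] not in fixes:     # deduplicate: one upgrade fixes several CVEs
                fixes.append(vuln["fix"])
    return score, fixes


if __name__ == "__main__":
    for label, manifest in (("original", MANIFEST_JSON), ("patched", PATCHED_MANIFEST_JSON)):
        score, fixes = remediation_plan(manifest)
        print(f"{label}: score={score} fixes={fixes}")
```

Two properties of the claimed scheme are visible in the numbers this produces. First, the score is additive across components, so it is not on the CVSS scale: the constructed manifest scores 9.8 for the direct framework plus 0.5 x 7.5 for the transitive parser, well past any single vulnerability, and an application with many low-severity findings can cross the threshold without a single serious one. Second, taking only the maximum score per component hides the count of vulnerabilities in that component, which is why the repair step walks every record rather than only the highest-scoring one. A component reachable both directly and transitively is treated as direct here, which is the conservative choice given that the patent leaves the tie unspecified.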
CN202211634713.4A 2022-12-19 2022-12-19 Vulnerability repairing method and device, electronic equipment and computer readable storage medium Pending CN115982713A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211634713.4A CN115982713A (en) 2022-12-19 2022-12-19 Vulnerability repairing method and device, electronic equipment and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211634713.4A CN115982713A (en) 2022-12-19 2022-12-19 Vulnerability repairing method and device, electronic equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN115982713A true CN115982713A (en) 2023-04-18

Family

ID=85969315

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211634713.4A Pending CN115982713A (en) 2022-12-19 2022-12-19 Vulnerability repairing method and device, electronic equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN115982713A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117201119A (en) * 2023-09-07 2023-12-08 中移互联网有限公司 Risk identification methods, devices and electronic equipment for open source components
CN120257302A (en) * 2025-06-04 2025-07-04 国家工业信息安全发展研究中心 Software supply chain security protection method, device, equipment and medium based on SBOM

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103258165A (en) * 2013-05-10 2013-08-21 华为技术有限公司 Processing method and device for vulnerability evaluation
CN112184091A (en) * 2020-12-01 2021-01-05 杭州木链物联网科技有限公司 Industrial control system security threat assessment method, device and system
CN114296735A (en) * 2021-12-24 2022-04-08 深圳开源互联网安全技术有限公司 A binary file parsing method, device and computer-readable storage medium
CN114880671A (en) * 2022-04-01 2022-08-09 深圳开源互联网安全技术有限公司 Automatic open source component bug repairing method and system based on profiles software development process

Similar Documents

Publication Publication Date Title
CN108763928B (en) An open source software vulnerability analysis method, device and storage medium
CN110929264B (en) Vulnerability detection method and device, electronic equipment and readable storage medium
KR101568224B1 (en) Analysis device and method for software security
US9621571B2 (en) Apparatus and method for searching for similar malicious code based on malicious code feature information
US20090133125A1 (en) Method and apparatus for malware detection
JP6503141B2 (en) Access classification device, access classification method and access classification program
WO2020000743A1 (en) Webshell detection method and related device
US8572747B2 (en) Policy-driven detection and verification of methods such as sanitizers and validators
US20190180032A1 (en) Classification apparatus, classification method, and classification program
CN115146282A (en) AST-based source code exception detection method and device
CN115982713A (en) Vulnerability repairing method and device, electronic equipment and computer readable storage medium
WO2020244307A1 (en) Vulnerability detection method and apparatus
CN112817877B (en) Abnormal script detection method and device, computer equipment and storage medium
JP2019514119A (en) Hybrid Program Binary Feature Extraction and Comparison
CN116932381A (en) Automatic evaluation method for security risk of applet and related equipment
JP6282217B2 (en) Anti-malware system and anti-malware method
CN114462040B (en) Malicious software detection model training method and device and malicious software detection method and device
CN118536122B (en) Source code vulnerability detection method, system, device and storage medium
CN112579330B (en) Methods, devices and equipment for processing abnormal data in operating systems
CN116055202B (en) Identification method, device and equipment of risk equipment and storage medium
CN116956285A (en) Taint source identification method, taint source identification device, electronic equipment and medium
CN115310096A (en) A security vulnerability processing method, device, equipment and medium
US12079285B2 (en) Training device, determination device, training method, determination method, training method, and determination program
CN110377499B (en) Method and device for testing application programs
KR20190061231A (en) Method for detecting malicious codes using big data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination