CN112906007B - Open source software vulnerability control method and device - Google Patents
Publication number: CN112906007B (application CN202110177893.7A)
Authority: CN (China)
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Classifications
- G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577: Assessing vulnerabilities and evaluating computer system security
- G06F8/00: Arrangements for software engineering
- G06F8/60: Software deployment
- G06F8/65: Updates
Abstract
The invention belongs to the technical field of information security and provides an open source software vulnerability management and control method and device. The method comprises: obtaining the characteristic value (fingerprint) corresponding to every code file in a system; traversing those characteristic values in an open source software vulnerability database to generate a traversal result; and managing and controlling the open source software vulnerabilities in the system according to that result. The method overcomes the defects of the conventional handling of open source software vulnerabilities. It compares three fingerprints, the fingerprint of the vulnerable software, the fingerprint of the open source software used by the enterprise and the fingerprint recorded in the open source software vulnerability database, to determine the influence range of the current vulnerability, and, following the solution provided by the vulnerability database, automatically and effectively blocks the propagation of the vulnerable open source software and repairs the vulnerability in the production environment automatically, so as to achieve timely discovery, timely isolation and automatic upgrading.
    Description
Technical Field
      The present application relates to the technical field of information security, and in particular to a method and a device for managing and controlling open source software vulnerabilities.
    Background
      With the explosive growth in the use of open source software by the finance industry and internet enterprises, large enterprises usually pay attention to availability and functionality when introducing open source software but neglect control of its vulnerabilities. As the internet develops rapidly, a huge amount of open source software is brought into use, yet once a vulnerability is disclosed the enterprise has no effective means to determine which vulnerabilities exist in the open source software it uses, what those vulnerabilities affect, how to obtain the vulnerability information as soon as possible and block its spread, and how to remedy vulnerable open source software that has already been deployed to production. This is currently the most important problem faced by most internet enterprises in using open source software, and one that needs to be solved.
      In the prior art, open source software vulnerabilities are managed by obtaining the vulnerability risk of the open source software through CNNVD (the China National Vulnerability Database of Information Security), which publishes whether a vulnerability has a repair scheme, emergency mitigation measures and the like. Enterprises need to subscribe to this information; once a vulnerability in open source software is disclosed (such as the 2019 fastjson vulnerability), the enterprise starts to organize and comb through the applications currently deployed to production that use the vulnerable open source software, and then organizes emergency production patching according to the repair scheme issued by CNNVD, assessing the impact that repairing the vulnerability will have.
      This method has the defect that vulnerability repair efficiency is seriously affected at three points: there is a delay in receiving the information issued by CNNVD; combing through the production environment's applications for their use of the open source software takes a great deal of time; and there is a further delay in patching production to repair the vulnerability. The delays in these three aspects leave the vulnerability a long window of exploitability, which in severe cases can cause huge safety hazards and property loss.
    Disclosure of Invention
      The invention belongs to the technical field of information security, overcomes the defects of low efficiency and long implementation period of the conventional means by which internet enterprises, such as those in the finance and communication fields, manage open source software vulnerabilities, and provides an efficient, safe, intelligent and autonomous vulnerability management and control scheme and device.
      In order to solve the technical problems, the invention provides the following technical scheme:
       acquiring characteristic values corresponding to all code files in a system; 
       traversing the characteristic values in an open source software vulnerability database to generate a traversing result; 
       and controlling open source software vulnerabilities in the system according to the traversing result. 
      In one embodiment, obtaining the characteristic values corresponding to all code files in the system includes:
       acquiring the code files according to the current code repository, the branch of the current code repository being built, the starting baseline of that branch and the current baseline of that branch; 
       and calculating the MD5 value corresponding to each code file. 
      In one embodiment, managing and controlling the open source software vulnerabilities in the system according to the traversal result includes:
       if the traversal result is that an open source software vulnerability corresponding to the MD5 value exists in the open source software vulnerability database, upgrading the vulnerable open source software. 
      In one embodiment, upgrading the vulnerable open source software includes:
       determining the application service nodes and deployment node directories corresponding to the open source software vulnerability; 
       and upgrading the vulnerable open source software on the application service nodes and in the deployment node directories respectively. 
      In a second aspect, the present invention provides an open source software vulnerability management and control apparatus, which includes:
       an MD5 value obtaining unit, configured to obtain the characteristic values corresponding to all code files in the system; 
       a traversal result generating unit, configured to traverse the characteristic values in the open source software vulnerability database to generate a traversal result; 
       and a vulnerability management and control unit, configured to manage and control the open source software vulnerabilities in the system according to the traversal result. 
      In one embodiment, the MD5 value obtaining unit includes:
       a code file obtaining module, configured to obtain the code files according to the current code repository, the branch of the current code repository being built, the starting baseline of that branch and the current baseline of that branch; 
       and an MD5 value calculating module, configured to calculate the MD5 value corresponding to each code file. 
      In an embodiment, the vulnerability management and control unit is specifically configured to upgrade the vulnerable open source software.
      In one embodiment, the vulnerability management and control unit includes:
       a node determining module, configured to determine the application service nodes and deployment node directories corresponding to the open source software vulnerability; 
       and a vulnerability upgrade module, configured to upgrade the vulnerable open source software on the application service nodes and in the deployment node directories respectively. 
      In a third aspect, the present invention provides an electronic device including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the program, implements the steps of the open source software vulnerability management and control method.
      In a fourth aspect, the present invention provides a computer readable storage medium on which a computer program is stored which, when executed by a processor, implements the steps of the open source software vulnerability management and control method.
      From the above description, the embodiment of the invention provides a method and a device for managing and controlling open source software vulnerabilities which first obtain the characteristic values corresponding to all code files in a system, then traverse those characteristic values in an open source software vulnerability database to generate a traversal result, and finally manage and control the open source software vulnerabilities in the system according to that result. The method overcomes the defects of the conventional industry handling of open source software vulnerabilities: it compares three fingerprints, the fingerprint of the vulnerable software, the fingerprint of the open source software used by the enterprise and the fingerprint in the open source software vulnerability database, to determine the influence range of the current vulnerability, and, following the solution provided by the vulnerability database, automatically and effectively blocks the propagation of the vulnerable open source software while repairing the vulnerability in the production environment automatically, so as to achieve timely discovery, timely isolation and automatic upgrading.
    Drawings
      In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
      FIG. 1 is a flow chart of a method for managing and controlling vulnerabilities of open source software according to an embodiment of the present invention;
       FIG. 2 is a flowchart of step 100 in an embodiment of the present invention; 
       FIG. 3 is a flowchart of step 300 in an embodiment of the present invention; 
       FIG. 4 is a flowchart illustrating step 301 in an embodiment of the present invention; 
       FIG. 5 is a flowchart of an open source software vulnerability management and control method in a specific application example of the present invention; 
       FIG. 6 is a schematic diagram illustrating a configuration of an open source software vulnerability management and control apparatus according to an embodiment of the present invention; 
       fig. 7 is a schematic diagram of the structure of the MD5 value obtaining unit 10 in the embodiment of the invention; 
       Fig. 8 is a schematic structural diagram of a vulnerability management unit 30 according to an embodiment of the present invention; 
       fig. 9 is a schematic structural diagram of an electronic device in an embodiment of the invention. 
    Detailed Description
      For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
      The embodiment of the invention provides a specific implementation of the open source software vulnerability management and control method; referring to fig. 1, it specifically includes the following:
       Step 100, acquiring the characteristic values corresponding to all code files in the system. 
      Open source software refers to software whose source code is available to the public and whose license permits the public to use, modify and redistribute it. Open source software is developed by teams of programmers distributed throughout the world, as well as by universities, government agency contractors, associations and commercial companies. Open source development is an innovation model, characterized by open and collaborative innovation centred on the individual, that the network revolution brought about by information technology has made possible. Thanks to its friendly licensing and open collaborative development model, the amount of open source software has grown exponentially, and the use of and dependence on it by all industries, especially the internet technology industry, is particularly prominent.
      It can be understood that the code files in step 100 and their characteristic values are in one-to-one correspondence: a mapping between the plurality of code files in the system and their (equally numerous) characteristic values can be established first, and each code file in the system can then be located accurately and rapidly through that mapping.
      Step 200, traversing the characteristic values in an open source software vulnerability database to generate a traversal result.
       It will be appreciated that a vulnerability is a flaw in the specific implementation of the hardware, software, protocols or security policy of a computer information system or network that may enable an attacker to access or damage the system without authorization. Once a vulnerability is found, protective measures should therefore be taken, a patch applied, or the affected component upgraded or replaced. 
      In step 200, the open source software vulnerability database may be the China National Vulnerability Database of Information Security (CNNVD), which publishes, in real time, vulnerability information affecting system security and the corresponding solutions. Specifically, the software fingerprints of the enterprise's production deployments are compared with the vulnerability fingerprints in the vulnerability database to determine the influence range of the vulnerability.
      Step 300, managing and controlling the open source software vulnerabilities in the system according to the traversal result.
       Specifically, when the traversal result is that the characteristic value exists in the open source software vulnerability database, the corresponding vulnerability exists in the system and the system must be upgraded; otherwise the system is considered safe for the time being and no action is required. 
      From the above description it can be seen that the embodiment of the present invention provides an open source software vulnerability management and control method which first obtains the characteristic values corresponding to all code files in the system, then traverses the characteristic values in an open source software vulnerability database to generate a traversal result, and finally manages and controls the open source software vulnerabilities in the system according to that result. The method overcomes the defects of the conventional industry handling of open source software vulnerabilities: it compares three fingerprints, the fingerprint of the vulnerable software, the fingerprint of the open source software used by the enterprise and the fingerprint in the open source software vulnerability database, to determine the influence range of the current vulnerability, and, following the solution provided by the vulnerability database, automatically and effectively blocks the propagation of the vulnerable open source software while repairing the vulnerability in the production environment automatically, so as to achieve timely discovery, timely isolation and automatic upgrading.
      In one embodiment, referring to fig. 2, step 100 further comprises:
       Step 101, acquiring the code files according to the current code repository, the branch of the current code repository being built, the starting baseline of that branch and the current baseline of that branch; 
       Specifically, all code files lying between the starting baseline and the current baseline of the branch being built are obtained; the code repository being built, the branch of it being built, the starting baseline of that branch for this build and the current baseline of that branch for this build together identify those files. 
      Step 102, calculating the MD5 value corresponding to each code file.
       It will be appreciated that the MD5 value is the characteristic value of step 100. MD5 (Message-Digest Algorithm 5) is one of the hash algorithms widely used by computers to check that information has been transferred completely and consistently, that is, to protect its integrity. MD5 condenses a message of arbitrary length into a 128-bit digest. It thus yields a "software fingerprint" for any file: if anyone changes the file, its MD5 value, and hence its fingerprint, changes. Note that MD5 is no longer collision-resistant, so two different files can be deliberately crafted to share an MD5 value; the fingerprint is therefore suitable for recognising a known artifact, as here, but does not by itself prove that a file has not been tampered with by an adversary. 
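The fingerprint calculation of steps 101 and 102 (the same pass the build tool runs over its compiler's disk directory), as an added example that is not part of the patent: it walks a build output directory, computes the MD5 of every artifact file and returns the one-to-one mapping from code file to characteristic value. It goes beyond the patent's MD5-only scheme by also recording a SHA-256 digest per file, because MD5 collisions can be manufactured. The set of file suffixes, the directory layout and the file contents in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Suffixes the example fingerprints. The patent says every built file is
# hashed with particular attention to jar files; this set is an assumption.
FINGERPRINTED_SUFFIXES = {".jar", ".war", ".class"}


def fingerprint_bytes(data: bytes) -> dict:
    """Characteristic value of one in-memory artifact.

    MD5 is what the patent uses. SHA-256 is recorded alongside it (an addition
    in this example) because MD5 is not collision-resistant: an MD5 match
    identifies a known artifact, but an adversary can craft two files that
    share an MD5 while differing in SHA-256.
    """
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def fingerprint_file(path: Path) -> dict:
    """Same digests, streamed in 1 MiB chunks so large jars need not fit in RAM."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def fingerprint_tree(root: Path) -> dict:
    """Map each artifact under root (by relative POSIX path) to its digests.

    Relative paths are unique within one build output, so the mapping is the
    one-to-one correspondence between code files and characteristic values
    that step 100 requires; the MD5 column is what the build tool sends to the
    vulnerability analysis tool.
    """
    fingerprints = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            path = Path(dirpath) / name
            if path.suffix.lower() in FINGERPRINTED_SUFFIXES:
                fingerprints[path.relative_to(root).as_posix()] = fingerprint_file(path)
    return fingerprints


def demo() -> dict:
    """Fingerprint a constructed build output directory (made-up names and contents)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "lib" / "example-parser-1.0.jar").write_bytes(b"abc")
        (root / "lib" / "NOTICE.txt").write_bytes(b"not an artifact, skipped")
        (root / "example-app.war").write_bytes(b"")
        return fingerprint_tree(root)


if __name__ == "__main__":
    for rel_path, digests in demo().items():
        print(f"{digests['md5']}  {rel_path}")
```

Only files with an artifact suffix are hashed, and the map is keyed by relative path so the same jar at two locations is recorded twice, which is what the later per-directory upgrade needs.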
      In one embodiment, referring to fig. 3, step 300 further comprises:
       Step 301, if the traversal result is that an open source software vulnerability corresponding to the MD5 value exists in the open source software vulnerability database, upgrading the vulnerable open source software. 
      Specifically, the vulnerability information and the recommended upgrade version are provided to the user for a decision. Once the user decides to upgrade, the product is rebuilt according to the recommended version chosen by the user. When the build is run again, the fingerprints calculated by that build are sent back to the vulnerability analysis tool for analysis, and if the vulnerability analysis tool reports that the new build contains no vulnerability information, the build succeeds.
      In one embodiment, referring to fig. 4, step 301 further comprises:
       Step 3011, determining the application service nodes and deployment node directories corresponding to the open source software vulnerability; 
       Step 3012, upgrading the vulnerable open source software on the application service nodes and in the deployment node directories respectively. 
      In steps 3011 and 3012, the current artifact is first deployed, according to its deployment definition file (a deployment definition file defines the application service nodes on which the current artifact should be deployed, the corresponding application deployment node directories and similar information), on a server in a designated redeployment verification environment. The redeployment verification environment restarts the application according to the deployment strategy and runs the automated verification scripts; if the restart succeeds and the automated scripts pass, the automatically repaired artifact can be deployed to production.
      From the above description it can be seen that the embodiment of the invention provides an open source software vulnerability management and control method that needs no manual intervention: it connects to an open source software vulnerability database (for example, the CNNVD information security vulnerability database), determines the influence range of a vulnerability by comparing the software fingerprints of the enterprise's production deployments with the vulnerability fingerprints recorded in the vulnerability database, blocks vulnerable artifacts at the build source so that the vulnerability cannot propagate, and at the same time repairs the vulnerability through a synchronised automatic upgrade scheme for vulnerable software already deployed to production, ensuring production security.
      To further illustrate the solution, again taking CNNVD as the example, a specific application example of the open source software vulnerability management and control method is provided; see fig. 5.
      S1, calling the CNNVD interface.
      Through the security vulnerability information interface provided externally by CNNVD, the latest published vulnerability information can be synchronised in real time into the device's local database.
       S2, performing fingerprint matching between the vulnerability information and the open source software. 
      S3, comparing the vulnerability information.
      On receiving new vulnerability information, the artifact management information centre matches the fingerprints of the open source software named in the vulnerability information and notifies the build tool of the vulnerability information. When the build tool runs a build, it compares the build against the vulnerability information in the device's database; if a vulnerability is present, the build is terminated, so that a build containing the vulnerability never becomes a formally delivered artifact and the propagation of vulnerable software is blocked automatically.
      Further, the build tool builds a version artifact by obtaining the current code repository, the code branch of that repository being built, the starting baseline of that branch and the current baseline of that branch. Once the repository, branch, starting baseline and ending baseline of the build are known, the build tool downloads all source code, jar files and other material lying between the starting and ending baselines on the current branch to the disk of the compiler it belongs to. The build tool then starts an independent thread that traverses the files under the specified disk directory on that compiler, compiles the Java code into bytecode files, and calculates MD5 values at the same time, with particular attention to the MD5 values of jar files. After the MD5 values of all files in this build have been calculated, they are sent back to the vulnerability analysis tool for comparison against the vulnerability database.
      If the vulnerability analysis tool, on comparing the MD5 values sent by the current build, finds that one of them exists in the vulnerability information database, it notifies the build tool. On receiving the notification from the vulnerability analysis tool, the build tool terminates the current build task and notifies the user that the current build contains a file with vulnerability risk. To prevent the vulnerability spreading further, the user is asked to decide whether to upgrade the vulnerable component automatically. Terminating the build task, in other words, blocks the path by which the vulnerability would otherwise spread.
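The comparison and build-gate logic of step 301 and S3, as an added example that is not the patent's code: the MD5 values of a build are looked up in a local copy of the vulnerability database, any hit terminates the build and yields the recommended upgrade, and once the upgrade is approved the flagged files are replaced with the recommended version, re-fingerprinted and re-checked until the build is clean. The VulnEntry schema, the entries in VULN_DB (keyed by the MD5 of short made-up byte strings, not of real jars, with made-up identifiers) and the fetch_artifact callback that stands in for the Maven download are assumptions; the real CNNVD interface is not described on the page.

```python
import hashlib
from dataclasses import dataclass, field


def md5_hex(data: bytes) -> str:
    """MD5 fingerprint in the form the vulnerability database is keyed by."""
    return hashlib.md5(data).hexdigest()


@dataclass(frozen=True)
class VulnEntry:
    """One row of the device's local copy of the vulnerability database.

    The schema is an assumption for this example; the page does not describe
    CNNVD's record format.
    """
    vuln_id: str         # identifier assigned by the database
    artifact: str        # coordinates of the vulnerable artifact
    fixed_version: str   # upgrade recommended by the database's solution


@dataclass
class BuildDecision:
    passed: bool
    findings: list = field(default_factory=list)  # (relative path, VulnEntry)


# Constructed database keyed by the MD5 of the vulnerable file. The keys are
# MD5("abc") and MD5(""), chosen so the example is self-checking; the
# identifiers are made up and do not refer to real advisories.
VULN_DB = {
    "900150983cd24fb0d6963f7d28e17f72": VulnEntry("CNNVD-EXAMPLE-0001", "com.example:parser", "1.1"),
    "d41d8cd98f00b204e9800998ecf8427e": VulnEntry("CNNVD-EXAMPLE-0002", "com.example:empty", "1.0"),
}


def check_build(fingerprints: dict, vuln_db: dict = VULN_DB) -> BuildDecision:
    """S3: look up every MD5 of the current build; any hit fails the build.

    `fingerprints` maps relative file path -> MD5 hex digest, i.e. the output
    of the build tool's fingerprint pass.
    """
    findings = [(path, vuln_db[md5]) for path, md5 in sorted(fingerprints.items()) if md5 in vuln_db]
    return BuildDecision(passed=not findings, findings=findings)


def recommended_upgrades(decision: BuildDecision) -> dict:
    """What the build tool shows the user: artifact -> recommended fixed version."""
    return {entry.artifact: entry.fixed_version for _path, entry in decision.findings}


def rebuild(fingerprints: dict, decision: BuildDecision, fetch_artifact) -> dict:
    """Replace each flagged file with the recommended version and re-fingerprint it.

    fetch_artifact(artifact, version) -> bytes stands in for the repository
    download of the repaired version and is supplied by the caller.
    """
    rebuilt = dict(fingerprints)
    for path, entry in decision.findings:
        rebuilt[path] = md5_hex(fetch_artifact(entry.artifact, entry.fixed_version))
    return rebuilt


def gated_build(fingerprints: dict, fetch_artifact, vuln_db: dict = VULN_DB, max_rounds: int = 3):
    """Check, and on findings rebuild with the recommended upgrades and re-check.

    Returns (succeeded, final fingerprints, decisions per round). The round
    limit stops a database whose "fixed" version is itself listed from looping
    forever: such a build stays terminated and is reported as failed.
    """
    history = []
    current = fingerprints
    for _ in range(max_rounds):
        decision = check_build(current, vuln_db)
        history.append(decision)
        if decision.passed:
            return True, current, history
        current = rebuild(current, decision, fetch_artifact)
    return False, current, history


def fake_fetch(artifact: str, version: str) -> bytes:
    """Constructed stand-in for the repository download; the content is made up."""
    return f"{artifact}@{version}".encode()


if __name__ == "__main__":
    build = {"lib/parser.jar": md5_hex(b"abc"), "lib/other.jar": md5_hex(b"xyz")}
    first = check_build(build)
    print("build terminated:", not first.passed, recommended_upgrades(first))
    ok, final, rounds = gated_build(build, fake_fetch)
    print("clean after", len(rounds), "rounds:", ok)
```

The lookup is exact-match on the fingerprint, as the patent describes, so a locally patched or repackaged jar with a different MD5 is not recognised; the database has to carry the fingerprint of every vulnerable build that is actually in circulation.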
      S4, after the vulnerability information fingerprint has been matched successfully by the artifact management centre, screening out all application information related to the vulnerability;
       S5, checking the test environment of each application that uses the vulnerable open source software and, where it does, obtaining the upgraded repair version from Maven according to the solution provided by CNNVD; 
       Specifically, after the build tool presents the vulnerability found in the current build to the user for a decision, the user decides on the vulnerability information and the recommended upgrade version offered by the build tool. Once the user decides to upgrade, the build tool actively rebuilds the artifact according to the recommended version chosen by the user. When the build tool runs the build again, the fingerprints calculated by that build are sent back to the vulnerability analysis tool for analysis, and if the vulnerability analysis tool reports that the current build contains no vulnerability information, the build succeeds. The build tool first deploys the artifact, according to the deployment definition file inside it (a deployment definition file defines the application service nodes on which the current artifact should be deployed, the corresponding application deployment node directories and similar information), on a server in a designated redeployment verification environment. That environment restarts the application according to the deployment strategy and runs the automated verification scripts; if the restart succeeds and the automated scripts pass, the automatically repaired artifact can be deployed to production. A version artifact that has passed redeployment verification can be directed at the production environment by a parameter; the build tool executes the deployment definition file, completes automatic deployment and verification in production, and so completes the automatic upgrade. 
      S6, notifying the build tool to rebuild the version package and deploying the new version in the verification environment;
       S7, performing redeployment verification with the redeployment verification component. 
      If redeployment verification passes, the version is released to production automatically, the other applications related to the current vulnerability are polled and their vulnerabilities repaired and upgraded one by one, and after polling finishes, the vulnerability's influence range, affected functions and repair result are notified by e-mail to the owners of all affected applications.
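Steps 3011 and 3012 and S4 to S7 as one added example, not the patent's code: from an inventory of which fingerprints each application has in production, select the affected applications (S4), read each one's deployment definition file to find its application service nodes and deployment directories (step 3011), redeploy in the verification environment where every node must restart and pass the automated checks (S7), and only then release to production node by node (step 3012), ending with the per-application report that the patent sends by e-mail. The JSON layout of the deployment definition, the inventory and the restart, check and deploy callbacks are assumptions; the real file format is not described on the page.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    host: str        # application service node
    directory: str   # deployment node directory on that host


def parse_deployment_definition(text: str):
    """Step 3011: read the artifact's deployment definition file.

    The JSON layout is an assumption; the page only says the file names the
    application service nodes and deployment directories. An artifact with no
    nodes cannot be verified, so it is rejected rather than treated as passing.
    """
    doc = json.loads(text)
    nodes = [Node(n["host"], n["directory"]) for n in doc["nodes"]]
    if not nodes:
        raise ValueError(f"deployment definition for {doc['application']} lists no nodes")
    return doc["application"], nodes


def affected_applications(inventory: dict, vulnerable_md5: str) -> list:
    """S4: every application whose production fingerprints include the vulnerable one."""
    return sorted(app for app, digests in inventory.items() if vulnerable_md5 in digests)


def verify_redeployment(nodes, restart, run_checks) -> bool:
    """S7: redeploy in the verification environment; every node must restart and pass the checks."""
    return all(restart(node) and run_checks(node) for node in nodes)


def remediate(inventory, definitions, vulnerable_md5, restart, run_checks, deploy_to_production) -> dict:
    """Poll the affected applications one by one (S4 to S7 and step 3012).

    Production is touched only for an application whose verification passed;
    a failed or undefined application is reported and left as it was. Returns
    the per-application result that the patent mails to the application owners.
    """
    report = {}
    for app in affected_applications(inventory, vulnerable_md5):
        definition = definitions.get(app)
        if definition is None:
            report[app] = "no deployment definition, manual handling required"
            continue
        name, nodes = parse_deployment_definition(definition)
        if verify_redeployment(nodes, restart, run_checks):
            for node in nodes:
                deploy_to_production(node)
            report[name] = "upgraded in production"
        else:
            report[name] = "verification failed, production untouched"
    return report


VULNERABLE_MD5 = "900150983cd24fb0d6963f7d28e17f72"  # MD5("abc"), stands in for a flagged jar


def demo():
    """Run remediate() over constructed data and return (report, hosts deployed to)."""
    inventory = {
        "order-service": {VULNERABLE_MD5},
        "billing": {VULNERABLE_MD5, "ffffffffffffffffffffffffffffffff"},
        "portal": {"ffffffffffffffffffffffffffffffff"},
    }
    definitions = {
        "order-service": json.dumps({"application": "order-service", "nodes": [
            {"host": "app-node-1", "directory": "/opt/apps/order-service"},
            {"host": "app-node-2", "directory": "/opt/apps/order-service"}]}),
        "billing": json.dumps({"application": "billing", "nodes": [
            {"host": "bill-node-1", "directory": "/opt/apps/billing"},
            {"host": "bill-node-2", "directory": "/opt/apps/billing"}]}),
    }
    deployed = []
    # Constructed outcomes: every node restarts, but the automated checks fail on
    # bill-node-2, so billing must stay out of production.
    report = remediate(
        inventory, definitions, VULNERABLE_MD5,
        restart=lambda node: True,
        run_checks=lambda node: node.host != "bill-node-2",
        deploy_to_production=lambda node: deployed.append(node.host),
    )
    return report, deployed


if __name__ == "__main__":
    print(demo())
```

The gate is per application, not per node: one failing node keeps the whole application out of production, which is the rollback risk the patent's fifth beneficial effect is about.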
      From the above description it can be seen that the embodiment of the present invention provides a method for managing and controlling open source software vulnerabilities which overcomes the low efficiency and long implementation period of the conventional means used by internet enterprises, such as those in the finance and communication fields, to manage open source software vulnerabilities, and provides an efficient, safe, intelligent and autonomous management and control method. The method supports all enterprise applications non-invasively and turns the conventional after-the-fact handling strategy into a preventive management scheme, effectively sparing the enterprise the economic loss and safety hazards of vulnerable code. The beneficial effects are as follows:
       1. Operation is simple: once the tool is deployed the whole flow runs automatically, no manual intervention is needed, and the device identifies a vulnerability automatically as soon as it is disclosed. 
      2. Compared with manual vulnerability handling, vulnerable files are upgraded automatically without manual intervention, and patching of reorganised versions is avoided.
      3. The device is connected to CNNVD and is triggered to perform vulnerability repair work the moment a vulnerability is disclosed.
      4. The method is highly intelligent: it automatically isolates the propagation and diffusion of vulnerable open source software immediately after the vulnerability is disclosed, stopping the vulnerability spreading from its source.
      5. During automatic repair, the device triggers the redeployment verification component to verify the upgraded application service in the verification environment, and deploys to production automatically only after verification passes, avoiding the risk of a production environment that no longer works after the upgrade and has to be rolled back.
      Based on the same inventive concept, the embodiment of the application also provides an open source software vulnerability management and control device, which can be used for realizing the method described in the above embodiment, such as the following embodiment. Because the principle of the open source software vulnerability management and control device for solving the problem is similar to that of the open source software vulnerability management and control method, the implementation of the open source software vulnerability management and control device can be implemented by referring to the open source software vulnerability management and control method, and the repetition is omitted. As used below, the term "unit" or "module" may be a combination of software and/or hardware that implements the intended function. While the system described in the following embodiments is preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
      The embodiment of the invention provides a specific implementation manner of an open source software vulnerability management and control device capable of realizing an open source software vulnerability management and control method, referring to fig. 6, the open source software vulnerability management and control device specifically comprises the following contents:
       an MD5 value obtaining unit 10, configured to obtain feature values corresponding to all code files in the system; 
       a traversal result generating unit 20, configured to traverse the feature values in the open source software vulnerability database to generate a traversal result; 
       and a vulnerability management and control unit 30, configured to manage and control the open source software vulnerabilities in the system according to the traversal result. 
      In one embodiment, referring to fig. 7, the MD5 value obtaining unit 10 includes:
       a code file obtaining module 101, configured to obtain the code file according to the current code repository, a branch of the current code repository, an original baseline of the current code repository, and a current baseline of the current code repository; 
       and an MD5 value calculating module 102, configured to calculate an MD5 value corresponding to the code file. 
      In an embodiment, the vulnerability management and control unit is specifically configured to upgrade the open source software vulnerability.
      In one embodiment, referring to fig. 8, the vulnerability management unit 30 includes:
       a node determining module 301, configured to determine an application service node and a deployment node directory corresponding to the open source software vulnerability; 
       and a vulnerability upgrade module 302, configured to upgrade the open source software vulnerabilities of the application service node and the open source software vulnerabilities of the deployment node directory, respectively. 
      From the above description, it can be seen that the embodiment of the present invention provides an open source software vulnerability management and control device, which first obtains feature values corresponding to all code files in a system, then traverses the feature values in an open source software vulnerability database to generate a traversal result, and finally manages and controls open source software vulnerabilities in the system according to the traversal result. The device overcomes the defects of the traditional way of handling open source software vulnerabilities in the industry: by comparing open source software fingerprint codes, it compares three fingerprints, namely the fingerprint of the vulnerable software, the fingerprint of the open source software used by the enterprise, and the fingerprint in the open source software vulnerability database, to determine the scope affected by the current vulnerability. According to the vulnerability solution provided by the open source software vulnerability database, propagation of the vulnerable open source software is automatically and effectively prevented, and at the same time vulnerability repair in the production environment is automated, so that the purposes of timely discovery, timely isolation and automatic upgrading are achieved.
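      As an added illustration that is not part of the patent's own code, the following Python models the loop between the construction tool and the vulnerability analysis tool described above: MD5 feature values of the downloaded files are traversed in a constructed one-record vulnerability database, a hit terminates the construction and notifies the user, an accepted recommended version triggers a rebuild and re-analysis, and a verification callback stands in for the reloading verification environment. The VulnRecord shape, the three callbacks and the sample files are assumptions made for the example.

```python
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass(frozen=True)
class VulnRecord:
    """Constructed (hypothetical) record shape for the vulnerability database;
    the patent only states that it holds fingerprints and a vulnerability solution."""
    component: str
    vulnerable_version: str
    recommended_version: str


@dataclass
class BuildResult:
    status: str  # "clean", "terminated", "repaired" or "verification_failed"
    messages: list[str] = field(default_factory=list)


def fingerprint(path: Path) -> str:
    """MD5 of one code file, the feature value the patent uses as the lookup key.
    MD5 is kept to match the page; it works as a lookup key but is not collision-resistant."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_feature_values(build_dir: Path) -> dict[str, Path]:
    """Step 100: feature value of every source or jar file the construction tool downloaded."""
    return {fingerprint(p): p for p in sorted(build_dir.rglob("*")) if p.is_file()}


def analyze(feature_values: dict[str, Path],
            vuln_db: dict[str, VulnRecord]) -> list[tuple[Path, VulnRecord]]:
    """Step 200: traverse the feature values in the vulnerability database."""
    return [(path, vuln_db[md5]) for md5, path in feature_values.items() if md5 in vuln_db]


def build_gate(build_dir: Path, vuln_db: dict[str, VulnRecord],
               decide, rebuild, verify) -> BuildResult:
    """Step 300: on a hit, terminate the construction and notify the user; if the user
    accepts the recommended version, rebuild, re-analyze, then verify before release.
    decide/rebuild/verify are callbacks standing in for the user decision, the
    construction tool's rebuild and the reloading verification environment."""
    result = BuildResult("clean")
    hits = analyze(collect_feature_values(build_dir), vuln_db)
    if not hits:
        return result
    result.status = "terminated"  # the current construction task stops on a hit
    for path, rec in hits:
        result.messages.append(
            f"vulnerability risk file {path.name}: {rec.component} {rec.vulnerable_version}, "
            f"recommended upgrade {rec.recommended_version}")
    chosen = decide(hits)
    if chosen is None:
        return result  # no upgrade version accepted; the build stays terminated
    rebuild(build_dir, hits, chosen)
    if analyze(collect_feature_values(build_dir), vuln_db):
        result.messages.append("rebuilt product still carries a known-vulnerable fingerprint")
        return result
    # restart plus automated script verification in the verification environment
    result.status = "repaired" if verify(build_dir) else "verification_failed"
    return result


def run_demo(accept_upgrade: bool = True, verification_passes: bool = True) -> BuildResult:
    """Constructed input: one vulnerable jar, one clean source file, a one-record database."""
    build_dir = Path(tempfile.mkdtemp())
    vulnerable_jar = b"constructed bytes standing in for example-lib-1.0.jar"
    (build_dir / "example-lib-1.0.jar").write_bytes(vulnerable_jar)
    (build_dir / "App.java").write_text("class App {}\n")
    vuln_db = {hashlib.md5(vulnerable_jar).hexdigest(): VulnRecord("example-lib", "1.0", "1.1")}

    def decide(hits):
        return hits[0][1].recommended_version if accept_upgrade else None

    def rebuild(directory, hits, version):
        for path, rec in hits:
            path.unlink()  # replace the vulnerable artifact with the recommended version
            (directory / f"{rec.component}-{version}.jar").write_bytes(
                b"constructed bytes standing in for the fixed jar " + version.encode())

    return build_gate(build_dir, vuln_db, decide, rebuild, lambda _d: verification_passes)
```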
      The embodiment of the present application further provides a specific implementation manner of an electronic device capable of implementing all the steps in the open source software vulnerability management and control method in the foregoing embodiment, and referring to fig. 9, the electronic device specifically includes the following contents:
       a processor 1201, a memory 1202, a communication interface (Communications Interface) 1203, and a bus 1204; 
       the processor 1201, the memory 1202 and the communication interface 1203 communicate with each other through the bus 1204, wherein the communication interface 1203 is used for realizing information transmission between related devices such as server-side devices and client-side devices; 
       the processor 1201 is configured to invoke a computer program in the memory 1202, and when the processor executes the computer program, the processor implements all the steps in the open source software vulnerability management method in the above embodiment, for example, when the processor executes the computer program, the processor implements the following steps: 
       step 100, obtaining characteristic values corresponding to all code files in a system; 
       step 200, traversing the characteristic values in an open source software vulnerability database to generate a traversing result; 
       and step 300, controlling open source software vulnerabilities in the system according to the traversing result. 
      The embodiment of the present application further provides a computer readable storage medium capable of implementing all the steps of the open source software vulnerability management method in the above embodiment, where the computer readable storage medium stores a computer program, and when the computer program is executed by a processor, the computer program implements all the steps of the open source software vulnerability management method in the above embodiment, for example, when the processor executes the computer program, the following steps are implemented:
       step 100, obtaining characteristic values corresponding to all code files in a system; 
       step 200, traversing the characteristic values in an open source software vulnerability database to generate a traversing result; 
       and step 300, controlling open source software vulnerabilities in the system according to the traversing result. 
      In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for a hardware+program class embodiment, the description is relatively simple, as it is substantially similar to the method embodiment, as relevant see the partial description of the method embodiment.
      The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
      Although the application provides method operational steps as an example or a flowchart, more or fewer operational steps may be included based on conventional or non-inventive labor. The order of steps recited in the embodiments is merely one way of performing the order of steps and does not represent a unique order of execution. When implemented by an actual device or client product, the instructions may be executed sequentially or in parallel (e.g., in a parallel processor or multi-threaded processing environment) as shown in the embodiments or figures.
      For convenience of description, the above devices are described as being functionally divided into various modules, respectively. Of course, when implementing the embodiments of the present disclosure, the functions of each module may be implemented in the same or multiple pieces of software and/or hardware, or a module that implements the same function may be implemented by multiple sub-modules or a combination of sub-units, or the like. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
      Those skilled in the art will also appreciate that, in addition to implementing the controller in a pure computer readable program code, it is well possible to implement the same functionality by logically programming the method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers, etc. Such a controller can be regarded as a hardware component, and means for implementing various functions included therein can also be regarded as a structure within the hardware component. Or even means for achieving the various functions may be regarded as either software modules implementing the methods or structures within hardware components.
      In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
      The memory may include volatile memory in a computer-readable medium, random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
      The present embodiments may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The embodiments of the specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
      In this specification, each embodiment is described in a progressive manner, identical and similar parts of the embodiments refer to each other, and each embodiment mainly describes its differences from the other embodiments. In particular, since the system embodiments are substantially similar to the method embodiments, their description is relatively simple, and for relevant details see the corresponding part of the description of the method embodiments. In the description of the present specification, a description referring to the terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the embodiments of the present specification. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of those embodiments or examples may be combined by those skilled in the art provided they do not contradict each other.
      The foregoing is merely an example of an embodiment of the present disclosure and is not intended to limit the embodiment of the present disclosure. Various modifications and variations of the illustrative embodiments will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, or the like, which is within the spirit and principles of the embodiments of the present specification, should be included in the scope of the claims of the embodiments of the present specification.
    Claims (6)
1. The open source software vulnerability management and control method is characterized by comprising the following steps:
       acquiring characteristic values corresponding to all code files in a system; 
       traversing the characteristic values in an open source software vulnerability database to generate a traversing result; 
       controlling open source software vulnerabilities in the system according to the traversing result; 
       checking an application test environment for open source software that uses a vulnerability corresponding to new vulnerability information, and if the open source software is used, acquiring a vulnerability upgrade repair version and upgrading; 
       wherein acquiring the characteristic values corresponding to all the code files in the system comprises: 
       acquiring the code file according to the current code repository, branches of the current code repository, an original baseline of the current code repository and the current baseline of the current code repository; 
       and calculating an MD5 value corresponding to the code file, specifically: 
       when the version product is constructed, the construction tool acquires the current code repository, the branches of the current code repository, the original baseline of the current code repository and the current baseline of the current code repository, and after acquiring them, the construction tool downloads all source code and jar file information between the original baseline and the current baseline of the current code repository on the current branch to a disk of the compiler to which the construction tool belongs; 
       wherein controlling the open source software vulnerabilities in the system according to the traversal result comprises: 
       if, when the vulnerability analysis tool compares and analyzes the MD5 values transmitted by the current construction, an MD5 value is found to exist in the open source software vulnerability database, the construction tool is notified; after the construction tool receives the notification from the vulnerability analysis tool, the current construction task is terminated, and the user is informed by message that a vulnerability risk file exists in the current construction files; 
       wherein checking the application test environment for open source software that uses the vulnerability corresponding to the new vulnerability information, and if the open source software is used, acquiring the vulnerability upgrade repair version and upgrading, comprises: 
       when the construction tool presents the vulnerability information found in the current construction to a user for decision, the user decides on the vulnerability information and the recommended upgrade version provided by the construction tool; after the user decides on the upgrade version, the construction tool actively rebuilds the construction product according to the recommended version selected by the user; when the construction tool rebuilds, the fingerprint codes calculated by the construction are sent back to the vulnerability analysis tool again for analysis; if the vulnerability analysis tool feeds back that no vulnerability information exists in the current construction, the construction is successful, and the construction tool first deploys the product on a server in a designated reloading verification environment according to a deployment definition file in the current product, and then restarts and executes automatic script verification according to a deployment strategy in the reloading verification environment; if the restart is successful and the automatic script verification passes, this indicates that the current automatic repair can be deployed to production, wherein the deployment definition file comprises the application service nodes on which the current product should be deployed and the corresponding application deployment node catalog. 
    2. The method of managing and controlling open source software vulnerabilities of claim 1, wherein upgrading the open source software vulnerabilities comprises:
       determining an application service node and a deployment node catalog corresponding to the open source software vulnerability; 
       and upgrading the open source software vulnerabilities of the application service nodes and the open source software vulnerabilities of the deployment node catalogs respectively. 
    3. An open source software vulnerability management and control device, comprising:
       an MD5 value acquisition unit, used for acquiring the characteristic values corresponding to all the code files in the system; 
       a traversal result generation unit, used for traversing the characteristic values in the open source software vulnerability database to generate traversal results; 
       a vulnerability management and control unit, used for managing and controlling open source software vulnerabilities in the system according to the traversal result; 
       the vulnerability management and control unit being further configured to check an application test environment for open source software that uses a vulnerability corresponding to new vulnerability information, and if the open source software is used, to obtain a vulnerability upgrade repair version and upgrade; 
       wherein the MD5 value acquisition unit comprises: 
       a code file acquisition module, used for acquiring the code file according to the current code repository, branches of the current code repository, an original baseline of the current code repository and a current baseline of the current code repository; 
       and an MD5 value calculation module, used for calculating an MD5 value corresponding to the code file; 
       wherein calculating the MD5 value corresponding to the code file comprises the following steps: 
       when the version product is constructed, the construction tool acquires the current code repository, the branches of the current code repository, the original baseline of the current code repository and the current baseline of the current code repository, and after acquiring them, the construction tool downloads all source code and jar file information between the original baseline and the current baseline of the current code repository on the current branch to a disk of the compiler to which the construction tool belongs; 
       wherein managing and controlling the open source software vulnerabilities in the system according to the traversal result comprises: 
       if, when the vulnerability analysis tool compares and analyzes the MD5 values transmitted by the current construction, an MD5 value is found to exist in the open source software vulnerability database, the construction tool is notified; after the construction tool receives the notification from the vulnerability analysis tool, the current construction task is terminated, and the user is informed by message that a vulnerability risk file exists in the current construction files; 
       wherein checking the application test environment for open source software that uses the vulnerability corresponding to the new vulnerability information, and if the open source software is used, obtaining the vulnerability upgrade repair version and upgrading, comprises: after the construction tool presents the vulnerability information found in the current construction to the user for decision, the user decides on the vulnerability information and the recommended upgrade version provided by the construction tool; after the user decides on the upgrade version, the construction tool actively rebuilds the construction product according to the recommended version selected by the user; when the construction tool rebuilds, the fingerprint codes calculated by the construction are sent back to the vulnerability analysis tool again for analysis; if the vulnerability analysis tool feeds back that no vulnerability information exists in the current construction, the construction is successful, and the construction tool deploys the product on a specified server in a reflow verification environment according to a deployment definition file in the current product, and then restarts and executes automatic script verification according to a deployment strategy in the reflow verification environment; if the automatic script verification passes, this indicates that the automatic repair can be deployed to production, wherein the deployment definition file comprises the application service nodes on which the current product is required to be deployed and the corresponding application catalog nodes. 
    4. The open source software vulnerability management apparatus of claim 3, wherein the vulnerability management unit comprises:
       a node determining module, used for determining application service nodes and deployment node catalogs corresponding to the open source software vulnerabilities; 
       and a vulnerability upgrading module, used for upgrading the open source software vulnerabilities of the application service nodes and the open source software vulnerabilities of the deployment node catalogs respectively. 
    5. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the open source software vulnerability management method of any one of claims 1-2 when the program is executed by the processor.
    6. A computer readable storage medium having stored thereon a computer program, which when executed by a processor performs the steps of the open source software vulnerability management method of any one of claims 1 to 2.
    Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| CN202110177893.7A CN112906007B (en) | 2021-02-09 | 2021-02-09 | Open source software vulnerability control method and device | 
Publications (2)
| Publication Number | Publication Date | 
|---|---|
| CN112906007A CN112906007A (en) | 2021-06-04 | 
| CN112906007B true CN112906007B (en) | 2025-02-18 | 
Family
ID=76123070
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date | 
|---|---|---|---|
| CN202110177893.7A Active CN112906007B (en) | 2021-02-09 | 2021-02-09 | Open source software vulnerability control method and device | 
Country Status (1)
| Country | Link | 
|---|---|
| CN (1) | CN112906007B (en) | 
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| CN116089938A (en) * | 2021-10-31 | 2023-05-09 | 华为技术有限公司 | Security detection method and device for open source component package | 
| CN115718842A (en) * | 2022-11-30 | 2023-02-28 | 中国建设银行股份有限公司 | Software recommendation method and device for bug fixing, electronic equipment and medium | 
| CN118862098B (en) * | 2024-09-23 | 2024-11-26 | 苏州棱镜七彩信息科技有限公司 | A system and method for detecting security vulnerabilities of open source components | 
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| CN104573525A (en) * | 2014-12-19 | 2015-04-29 | 中国航天科工集团第二研究院七〇六所 | Special information service software vulnerability fixing system based on white lists | 
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| CN107977576A (en) * | 2016-10-21 | 2018-05-01 | 北京计算机技术及应用研究所 | A kind of host leakage location and method based on employing fingerprint | 
| CN106446691B (en) * | 2016-11-24 | 2019-07-05 | 工业和信息化部电信研究院 | The method and apparatus for the open source projects loophole for integrating or customizing in inspection software | 
| CN108763928B (en) * | 2018-05-03 | 2020-10-02 | 北京邮电大学 | An open source software vulnerability analysis method, device and storage medium | 
Also Published As
| Publication number | Publication date | 
|---|---|
| CN112906007A (en) | 2021-06-04 | 
Legal Events
| Date | Code | Title | Description | 
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||