
CN119201191A - Vulnerability repair method, device, equipment, storage medium and program product - Google Patents


Info

Publication number
CN119201191A
Authority
CN
China
Prior art keywords
functional component
component
functional
code
vulnerability
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310769450.6A
Other languages
Chinese (zh)
Inventor
吴翔
滕征岑
李宠
孙永侠
马若飞
郝强
赵鹏
许文帅
王碧玉
穆琳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Kunlun Digital Technology Co ltd
China National Petroleum Corp
Original Assignee
Kunlun Digital Technology Co ltd
China National Petroleum Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Kunlun Digital Technology Co ltd and China National Petroleum Corp
Priority to CN202310769450.6A
Publication of CN119201191A
Legal status: Pending


Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/65 Updates
    • G06F8/658 Incremental updates; Differential updates
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/40 Transformation of program code
    • G06F8/41 Compilation
    • G06F8/43 Checking; Contextual analysis
    • G06F8/433 Dependency analysis; Data or control flow analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Stored Programmes (AREA)

Abstract


The embodiments of the present application disclose a vulnerability repair method, device, equipment, storage medium and program product, which belong to the field of information security technology. The method includes: in the case of a vulnerability in a code project, based on the dependency relationship of the functional components in the code project, the functional components are checked step by step to obtain a test result; when the test result indicates that a first functional component has a vulnerability, and the second functional component on which the first functional component depends does not have a vulnerability, or when a first functional component has a vulnerability and the first functional component does not have a second functional component that it depends on, the first functional component is determined to be a component to be upgraded; the first functional component in the component code package is upgraded, wherein the first functional component after the version upgrade does not have a vulnerability. By adopting the solution provided by the embodiments of the present application, when there is a vulnerability in a code project, the cause of the vulnerability can be determined and targeted repairs can be performed.

Description

Vulnerability restoration method, device, equipment, storage medium and program product
Technical Field
The embodiment of the application relates to the technical field of information security, in particular to a vulnerability restoration method, device, equipment, storage medium and program product.
Background
With the continuous development of the software industry, modern software has evolved from a single-vendor model to a large-scale collaboration model represented by open source software. Complex software often involves many open source components, and the security and reliability of the software are tied to that complexity. However, most open source components carry security vulnerabilities.
In the related art, a software vulnerability database records vulnerability information for various open source components. Whether a software program has a security vulnerability is generally determined by querying whether the vulnerability information collected in the database contains a functional component on which the program depends. Once a security vulnerability is confirmed, the version of the open source component that the program directly depends on is upgraded to repair it.
However, in the scheme provided in the related art only the open source functional component directly depended on by the software program can be upgraded. The directly applied open source component may be very large, so upgrading it directly is a large engineering effort, which results in poor applicability.
Disclosure of Invention
The embodiment of the application provides a vulnerability restoration method, device, equipment, storage medium and program product. The scheme is as follows:
In one aspect, an embodiment of the present application provides a vulnerability restoration method, where the method includes:
Under the condition that the code project has a vulnerability, checking the functional components step by step based on the dependency relationships of the functional components in the code project, to obtain a test result;
determining that the first functional component is a component to be upgraded when the test result indicates that the first functional component has a vulnerability and the second functional component on which the first functional component depends does not have a vulnerability, or that the first functional component has a vulnerability and there is no second functional component on which the first functional component depends;
and carrying out a version upgrade of the first functional component in the component code package, wherein the first functional component after the version upgrade has no vulnerability.
In another aspect, the present application provides a vulnerability restoration device, including:
A testing module, configured to check the functional components step by step based on the dependency relationships of the functional components in the code project when the code project has a vulnerability, so as to obtain a test result;
a determining module, configured to determine that a first functional component is a component to be upgraded when the test result indicates that the first functional component has a vulnerability and a second functional component on which the first functional component depends does not have a vulnerability, or that the first functional component has a vulnerability and there is no second functional component on which the first functional component depends;
and an upgrading module, configured to carry out a version upgrade of the first functional component in the component code package, wherein the first functional component after the version upgrade has no vulnerability.
In another aspect, an embodiment of the present application provides a computer device, where the computer device includes a processor and a memory, the memory stores at least one instruction, and the at least one instruction is configured to be executed by the processor to implement the vulnerability repair method according to the above aspect.
In another aspect, embodiments of the present application provide a computer-readable storage medium having at least one program code stored therein, the program code being loaded and executed by a processor to implement the vulnerability repair method described in the above aspect.
In another aspect, embodiments of the present application provide a computer program product comprising computer instructions stored in a computer-readable storage medium. The computer instructions are read from the computer-readable storage medium by a processor of a computer device and, when executed by the processor, cause the computer device to perform the vulnerability repair method provided in the various alternative implementations of the above aspects.
In the embodiments of the application, when a vulnerability exists in the code project, the computer device checks the functional components step by step based on the dependency relationships of the functional components in the code project, in order to find the vulnerability in the functional components, thereby determining a first functional component to be upgraded and upgrading that first functional component. With the vulnerability repair method provided by the embodiments of the application, the lower-level, depended-on functional components that actually need repair can be determined from the dependency relationships, and the vulnerability of the code project is repaired by upgrading those functional components, so the workload of repairing the vulnerability is reduced and the applicability is higher.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 illustrates a flow chart of a vulnerability restoration method provided by an exemplary embodiment of the present application;
FIG. 2 illustrates a schematic diagram of functional component dependencies provided by an exemplary embodiment of the application;
FIG. 3 illustrates a flow chart of a progressive inspection process provided by an exemplary embodiment of the present application;
FIG. 4 illustrates a schematic diagram of a progressive inspection provided by an exemplary embodiment of the present application;
FIG. 5 illustrates a version upgrade process flow diagram provided by an exemplary embodiment of the present application;
FIG. 6 is a schematic diagram of performing bug fixes according to an exemplary embodiment of the present application;
FIG. 7 illustrates a flowchart for vulnerability verification and repair provided by an exemplary embodiment of the present application;
FIG. 8 illustrates a block diagram of a vulnerability restoration apparatus provided by an exemplary embodiment of the present application;
fig. 9 is a block diagram showing the structure of a computer device according to an exemplary embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the embodiments of the present application will be described in further detail with reference to the accompanying drawings.
For ease of understanding, terms involved in embodiments of the present application are described below.
Code project: in general, during program development the source code of a program is stored in a dedicated folder, and the dedicated folder set up for the current program is the project file. A code project is a program that can be installed and run, and the project files support running the application.
Functional components: open source software that supports the different functions performed by a program. A code project depends on the functional components it is built from, and dependency relationships may also exist between different functional components.
Vulnerabilities are defects in the specific implementation of hardware, software and protocols, or in system security policies; that is, problems introduced into hardware, software and protocols at various stages of their life cycle that affect the security of a system, such as its confidentiality, integrity and availability. In the embodiments of the application, a vulnerability refers to a vulnerability at the software layer.
Today, software has evolved from single-source software to software built in a complex collaborative model, represented by open source software, that involves a large number of open source packages, and there are often quite complex dependencies between them. Open source software has become part of the modern information industry; however, it also carries a certain security risk. If open source software with a vulnerability is applied in a code project during development, the code project itself faces security risks because of that vulnerable software.
To alleviate the security risks caused by vulnerabilities in open source software, the related art provides various vulnerability handling schemes. In general, these schemes take the vulnerable functional components recorded in a vulnerability database, determine which code projects directly depend on them, and declare those code projects to have security vulnerabilities. The vulnerable functional component that the code project directly uses is then upgraded to repair the vulnerability of the code project.
However, because the software structure is large and the number of functional components it depends on is high, upgrading the code project with the scheme provided by the related art is a large engineering effort, which makes the related art poorly applicable.
To address these problems of the related art, the embodiments of the application provide a method for repairing vulnerabilities that avoids upgrading the functional components a code project depends on on a large scale, and instead upgrades the functional components that actually have the vulnerability, so it has strong applicability.
FIG. 1 shows a flowchart of a vulnerability restoration method provided by an exemplary embodiment of the present application, the method comprising:
Step 101, under the condition that the code engineering has loopholes, based on the dependency relationship of the functional components in the code engineering, the functional components are checked step by step to obtain a checking result.
In general, if functional component A depends on functional component B, then when functional component B has a vulnerability the vulnerability database records that functional component A also has a vulnerability; and when the code of functional component A itself has a vulnerability, functional component A is likewise vulnerable. Thus, when the code project depends on a vulnerable functional component A, the vulnerability database also records the code project as vulnerable.
However, directly upgrading functional component A whenever it is determined to be vulnerable is a large engineering effort. So, when functional component A has no code vulnerability of its own, the functional component that needs upgrading, that is, the one that gives functional component A its dependency vulnerability, can instead be determined by a step-by-step inspection.
The dependency relationships of the functional components in the code project include direct dependencies and indirect dependencies. A direct dependency exists between the code project and a functional component it calls directly, or between one functional component and another functional component it calls directly. An indirect dependency exists between the code project and a functional component that is called by a functional component the code project calls directly. For example, if functional component A depends on functional component B and functional component B depends on functional component C, then the dependency of A on B and the dependency of B on C are direct dependencies, and the dependency of A on C is an indirect dependency.
Schematically, fig. 2 shows dependency relationships of functional components according to an exemplary embodiment of the application, with three arrangements. In mode 1, code project 1 directly depends on functional component A1, functional component A2 and functional component A3, and each of A1, A2 and A3 forms a direct dependency with code project 1. In mode 2, code project 2 directly depends on functional component A, functional component A directly depends on functional component B, and functional component B directly depends on functional component C. In mode 3, code project 3 directly depends on functional component A, functional component A directly depends on functional component B, functional component B directly depends on functional component C, and each subsequent level of functional component depends in turn on the functional component of the next level, down to the functional component of level X-1, which depends on the functional component of level X. The code project forms an indirect dependency with every functional component other than functional component A.
As in mode 2 of fig. 2, functional components A, B and C form a hierarchy. In one code project, each level of functional component may depend on several functional components of the next level; the figure illustrates the dependency between levels with only one functional component per level, which does not limit the number of functional components at each level.
Wherein the test results are used to indicate the presence of vulnerabilities for different functional components in the respective hierarchy.
Step 102, determining that the first functional component is a component to be upgraded when the checking result indicates that the first functional component has a vulnerability and the second functional component on which the first functional component depends does not have a vulnerability, or the first functional component has a vulnerability and the first functional component does not have the second functional component on which the first functional component depends.
When determining the component to be upgraded from the test result, the computer device proceeds mainly on the basis of whether a functional component has a vulnerability, and continues the vulnerability test at the next level only when the functional component does have one.
The first functional component is determined to be the component to be upgraded when the test result indicates that the first functional component has a vulnerability and the second functional component on which the first functional component depends does not. In this case the cause of the first functional component's vulnerability is not a vulnerable component it depends on, but the first functional component itself. Thus, the first functional component can be determined to be the functional component to be upgraded.
In the other case, when the test result indicates that the first functional component has a vulnerability and there is no second functional component on which the first functional component depends, the first functional component does not depend on any other functional component, so the cause of its vulnerability is again not a vulnerable dependency but the component itself. Thus, the first functional component is determined to be the component to be upgraded.
And step 103, carrying out version upgrading on the first functional component in the component code package, wherein the first functional component after version upgrading has no loopholes.
After the first functional component is determined to be the component to be upgraded, assuming its current version is version 1.0, a version without the vulnerability, such as version 3.0, can be searched for among the other published versions of the first functional component and substituted for the version 1.0 first functional component in the component code package.
Here the component code package refers to the collection of code of all the functional components that the code project depends on while it runs. Together with the code project, it forms the runtime package of the application.
In summary, in the embodiments of the application, when a vulnerability exists in a code project, the computer device checks the functional components step by step based on the dependency relationships of the functional components in the code project, in order to find the vulnerability in the functional components, thereby determining a first functional component to be upgraded and upgrading that first functional component. With the vulnerability repair method provided by the embodiments of the application, the lower-level, depended-on functional components that actually need repair can be determined from the dependency relationships, and the vulnerability of the code project is repaired by upgrading those functional components, so the workload of repairing the vulnerability is reduced and the applicability is higher.
The functional components must be checked step by step based on their dependency relationships in the code project, and during the check whether a functional component has a vulnerability must be determined through a vulnerability database, yielding the test result. The progressive inspection process is described with one exemplary embodiment:
FIG. 3 illustrates a flow chart of a progressive inspection process provided by an exemplary embodiment of the present application.
The process comprises the following steps:
Step 301, obtaining a vulnerability database, wherein the vulnerability database comprises functional components with vulnerabilities.
A vulnerability database is a platform that collects, maintains and shares information about open source software with discovered vulnerabilities. The vulnerability database can be obtained by calling an existing database, or by downloading the information published by known vulnerability database platforms.
The vulnerability database contains the disclosed functional components with vulnerabilities.
Step 302, based on the dependency relationship of the functional components in the code engineering, a dependency relationship list is obtained step by step.
The dependency list indicates the next-level functional components on which a functional component of the previous level depends. For example, if the code project directly depends on functional component A1, functional component A2 and functional component A3, each functional component has its own functional component identifier, which is the unique identifier the computer device uses to distinguish different functional components. The directly depended-on functional components of a code project are listed as in table 1.
TABLE 1
Here A1 to AN are the component identifiers of functional component A1 through functional component AN: the code project directly depends on N functional components. Optionally, the dependency list also records the version number of each of the N functional components, so that different versions of the same functional component can be distinguished.
Likewise, each functional component at each level has a dependency list indicating the next-level functional components on which it depends. The dependency relationships of the different functional components may be found by the local device searching the functional components, or a dependency list for a functional component may be obtained from an open source software management tool; this embodiment does not limit how they are obtained.
Table 2 shows a list of dependencies of functional components.
TABLE 2
Here B1 to BN are the component identifiers of functional component B1 through functional component BN; functional component A1 directly depends on these N functional components.
Step 303, querying a vulnerability database based on the dependency relationship list of different levels to obtain a test result, where the test result is used to indicate vulnerability conditions of functional components of different levels.
Each functional component at each level has its own dependency list. The vulnerability database is queried on the basis of the dependency lists of the functional components at the different levels: the functional components in a dependency list are compared with the vulnerable components in the vulnerability database to find whether any functional component in the list is present in the database.
The search is a step-by-step process: the dependency list of the upper level is checked first to find the functional components with vulnerabilities, and then the database is searched again on the basis of the dependency lists of those vulnerable functional components, which yields the test result.
In one possible implementation, the functional components on which the code project depends form n levels of dependencies, and the code project directly depends on the functional components of the first level.
That is, the code project directly depends on the functional components of the first level, which depend on the functional components of the second level, and so on.
The dependency list of a kth functional component at the kth level that has a vulnerability is obtained.
The dependency list contains the functional components of the (k+1)th level on which the kth functional component directly depends, where k is greater than or equal to 1 and less than or equal to n.
For example, when k is equal to 4, the computer device obtains the dependency list of a fourth functional component at the fourth level, which contains all the functional components on which the fourth functional component directly depends; these are functional components of the fifth level.
The computer device then determines the (k+1)th functional component at the (k+1)th level that has a vulnerability by looking it up in the vulnerability database. For example, if the fourth functional component directly depends on functional component A, functional component B and functional component C, then the vulnerable ones among A, B and C are determined by searching the vulnerability database.
Referring to fig. 4, a schematic diagram of a progressive inspection according to an exemplary embodiment of the application is shown, in which the code project directly depends on functional component A1, functional component A2 and functional component A3. By searching the vulnerability database it is determined that functional component A1 and functional component A3 have vulnerabilities, so the computer device obtains the dependency lists of A1 and A3, which indicate that A1 directly depends on functional component B1 and functional component B2, and that A3 directly depends on functional component B4, functional component B3 and functional component B5. By looking up the vulnerability database the computer device then determines that functional component B5 and functional component B2 have vulnerabilities. The computer device continues the inspection with the dependency lists of B5 and B2, and finally determines that functional component C1 and functional component C4 are the components to be upgraded. In the figure, functional components A1, A2 and A3 are at the first level, functional components B1, B2, B4, B3 and B5 are at the second level, and functional components C1, C2, C3 and C4 are at the third level.
According to the embodiment of the application, the detection result is obtained by searching the loophole database based on the step-by-step dependency relationship, and only the next-level functional component in the dependency relationship list of the functional component with the loophole is verified in the process, so that the data volume for verification is reduced, the functional component causing the code engineering loophole can be searched in a targeted manner, and the efficiency of determining the component to be upgraded is higher.
In general, the vulnerability database records both the functional components that have vulnerabilities and the reasons for those vulnerabilities. When performing the inspection, it is therefore also necessary to determine whether a functional component's vulnerability is a code vulnerability in the functional component itself or a dependency vulnerability caused by a vulnerable functional component it depends on. When a functional component is determined to have a code vulnerability, that functional component in the component code package is upgraded, which resolves its code vulnerability, and the next-level functional components it depends on need not be inspected further. The specific process is as follows:
In the process of querying the vulnerability database, the computer device queries the vulnerability database based on the dependency lists of the different levels to obtain the inspection result.
The inspection result indicates the vulnerability situation of the functional components at the different levels and the reason for each functional component's vulnerability, where the reason is either a code vulnerability in the functional component itself or a dependency vulnerability inherited from a functional component it depends on.
Once a code vulnerability is found, repairing it means upgrading the functional component that has the code vulnerability so that the functional component no longer has the vulnerability.
Then, when the inspection result indicates that the first functional component has a vulnerability and that the reason is a code vulnerability in the first functional component itself, the first functional component is determined to be the component to be upgraded.
Optionally, during the step-by-step inspection, when the reason for the first functional component's vulnerability is determined to be a code vulnerability, the dependency list of the first functional component does not need to be acquired, and the first functional component is directly determined to be the component to be upgraded.
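The step-by-step inspection of FIG. 4, including the cause-aware stop rule just described, as an added illustration that is not the patent's own code. The dependency lists, the vulnerability database and its "code"/"dependency" cause labels are constructed for the example; it also records every database query so the saving over a full scan is visible.

```python
"""Step-by-step inspection of the dependency tree of FIG. 4, written as an
added illustration (not the patent's own code). Dependency lists, the
vulnerability database and the cause labels are constructed for the example."""

# Constructed dependency lists: each key is a functional component, the value
# is the list of next-level functional components it directly depends on.
DEPENDENCY_LISTS = {
    "A1": ["B1", "B2"],
    "A2": [],
    "A3": ["B4", "B3", "B5"],
    "B1": [], "B2": ["C1", "C2"], "B3": [], "B4": [], "B5": ["C3", "C4"],
    "C1": [], "C2": [], "C3": [], "C4": [],
}

# Constructed vulnerability database: component -> reason for the vulnerability.
# "code" means the component's own code is vulnerable; "dependency" means it is
# vulnerable only because of something it depends on.
VULNERABILITY_DB = {
    "A1": "dependency", "A3": "dependency",
    "B2": "dependency", "B5": "dependency",
    "C1": "code", "C4": "code",
}

# First-level components: the ones the code project depends on directly.
DIRECT_DEPENDENCIES = ["A1", "A2", "A3"]


def inspect(direct_dependencies, dependency_lists, vulnerability_db):
    """Inspect level by level and return (to_upgrade, looked_up).

    to_upgrade holds (component, level) pairs for the components to be
    upgraded; looked_up records every component queried in the vulnerability
    database, in query order, so the amount of work can be compared with a
    full scan of the tree.
    """
    looked_up = []
    to_upgrade = []

    def vulnerable(components):
        """Query the vulnerability database for one dependency list."""
        looked_up.extend(components)
        return [c for c in components if c in vulnerability_db]

    current = vulnerable(direct_dependencies)  # vulnerable first-level components
    level = 1
    while current:
        next_level = []
        for comp in current:
            deps = dependency_lists.get(comp, [])
            if vulnerability_db[comp] == "code" or not deps:
                # Own code is vulnerable, or nothing below it: upgrade it and
                # do not descend into its dependency list.
                to_upgrade.append((comp, level))
                continue
            # Dependency vulnerability: only this component's own dependency
            # list is queried at the next level.
            vulnerable_deps = vulnerable(deps)
            if not vulnerable_deps:
                # Vulnerable, but none of its dependencies are: it is the
                # component to be upgraded itself.
                to_upgrade.append((comp, level))
            next_level.extend(vulnerable_deps)
        current = next_level
        level += 1
    return to_upgrade, looked_up


if __name__ == "__main__":
    upgrades, queried = inspect(DIRECT_DEPENDENCIES, DEPENDENCY_LISTS, VULNERABILITY_DB)
    print("components to upgrade:", upgrades)  # [('C1', 3), ('C4', 3)]
    print("database queries:", len(queried))
```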
After the first functional component causing the vulnerability in the code project has been found, it needs to be upgraded. In practice, however, the upgraded first functional component may be incompatible with a third functional component that depends on it. In that case the third functional component also needs to be upgraded, so that each functional component after version upgrade remains compatible with the previous-level functional component that depends on it, and the code project keeps running normally.
FIG. 5 illustrates a version upgrade process flow diagram provided by an exemplary embodiment of the present application, the process comprising:
In step 501, when a third functional component that depends on the first functional component is incompatible with the version-upgraded first functional component, the target functional component is determined based on the dependency relationship.
That the third functional component depends on the first functional component may be reflected in the third functional component calling the first functional component while it runs. Since the way the third functional component calls the first functional component cannot be modified within the code project, after the first functional component is upgraded the calling convention used by the third functional component may no longer apply to the upgraded first functional component, making the third functional component incompatible with it. The computer device therefore needs to determine whether the third functional component is compatible with the upgraded first functional component.
Optionally, the computer device determines whether the third functional component is compatible with the upgraded first functional component by searching the compatible component version list of the third functional component for the versions of the first functional component that the third functional component is compatible with. The compatible component version list may be obtained from the open source platform of the third functional component.
Specifically, when the (k-1)th functional component that depends on the kth functional component is incompatible with the version-upgraded kth functional component, a version-upgraded (k-1)th functional component is queried.
For example, when k is equal to 4, the fourth functional component is the one to be upgraded; if the third functional component that depends on the fourth functional component is incompatible with the version-upgraded fourth functional component, the computer device queries a version-upgraded third functional component.
Subsequently, the (k-1)th functional component is determined to be the target functional component when the (k-2)th functional component that depends on the (k-1)th functional component is compatible with the upgraded (k-1)th functional component.
For example, the third functional component is determined to be the target functional component when the second functional component that depends on the third functional component is compatible with the upgraded third functional component.
Optionally, when the (k-2)th functional component that depends on the (k-1)th functional component is incompatible with the upgraded (k-1)th functional component, an upgraded (k-2)th functional component is queried in turn.
Step 502, performing version upgrade on the target functional component in the component code package.
Here a fourth functional component that depends on the target functional component is compatible with the version-upgraded target functional component. The target functional component is the component to be upgraded.
For the specific implementation of this step, reference may be made to step 103, which is not described in detail in this embodiment.
That is, the (k-1)th functional component in the component code package is version-upgraded. Version upgrade means replacing the current version of the (k-1)th functional component in the component code package with the version-upgraded (k-1)th functional component, and the version-upgraded (k-1)th functional component has no vulnerabilities.
Schematically, FIG. 6 shows a diagram of vulnerability repair according to an exemplary embodiment of the present application, in which the code project directly depends on the functional component A, the functional component A directly depends on the functional component B, and the functional component B directly depends on the functional component C. The current version of the functional component A is 1.0, the current version of the functional component B is 2.0, and the current version of the functional component C is 1.0. Through step-by-step inspection, the computer device determines that the functional component C is the component to be upgraded. Having determined that C is to be upgraded, the computer device checks whether the functional component B is compatible with version 2.0 of the functional component C, which has no vulnerabilities after version upgrade. If the functional component B is incompatible with version 2.0 of the functional component C, the computer device checks whether the functional component A is compatible with version 4.0 of the functional component B after version upgrade. If the computer device determines that the functional component A is compatible with version 4.0 of the upgraded functional component B, the functional component B is upgraded to version 4.0.
In the embodiment of the application, while upgrading the component to be upgraded, the computer device determines whether the upgraded version is compatible with the previous-level functional component that depends on it, so version incompatibility after upgrading a functional component is avoided and the code project keeps running normally after the vulnerability is repaired.
In one possible implementation, some of the functions that the code project can implement are not actually in use. In that case, if the function provided by the component to be upgraded is one the code project does not use, the component to be upgraded can simply be deleted from the component code package, which speeds up vulnerability repair without affecting the code project's application. The specific process is as follows:
First, based on the application function of the code project, the functional impact situation of the first functional component on the code project is determined.
The functional impact situation indicates whether the first functional component is invoked when the code project provides its application function. In some cases the first functional component is a functional component that a lower-level functional component depends on, yet the code project as a whole does not need the first functional component in order to provide its application function; the first functional component can then be deleted without affecting the application function of the code project.
Subsequently, when the functional impact situation indicates that the first functional component is not invoked, the component to be upgraded is deleted from the component code package.
Optionally, when the functional impact situation indicates that the first functional component is invoked when the code project provides its application function, the first functional component in the component code package has to be version-upgraded; the specific upgrade process may refer to the version upgrade process in the above embodiment and is not repeated here.
In the embodiment of the application, based on the functional impact situation of the component to be upgraded on the code project, it is determined that the component to be upgraded can be deleted from the component code package instead of being upgraded, which reduces the operation steps and improves the efficiency of vulnerability repair.
FIG. 7 is a schematic flowchart of vulnerability inspection and repair provided by an exemplary embodiment of the present application. After the code project is determined to have a vulnerability, step-by-step inspection is performed based on the dependency relationship; this inspection uses the vulnerability database together with the information about open source components held in a component repository such as Maven or PyPI, so as to determine the component to be upgraded. When repairing the vulnerability, the computer device needs to judge whether the component to be upgraded is one the code project depends on directly, and if so, upgrades it to a vulnerability-free version. If the upgraded version is incompatible, the functional component one level above is determined to be the component to be upgraded, its upgrade version is searched for, and whether it is a directly depended-on component is confirmed again; this cycle repeats until the vulnerability is repaired.
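The version upgrade walk of steps 501 and 502 on the chain of FIG. 6, together with the functional-impact shortcut just described, as an added illustration that is not the patent's own code. The component names, installed versions, the upgraded-version lookup, the compatible component version lists and the set of invoked components are all constructed for the example.

```python
"""Version-upgrade propagation of steps 501-502 (FIG. 6) plus the optional
"delete if not invoked" shortcut, written as an added illustration (not the
patent's own code). Component names, versions and compatible-version lists
are constructed for the example."""

# Constructed dependency chain of FIG. 6: the code project depends directly on
# A, A depends on B, B depends on C. DEPENDENT maps a component to the
# previous-level component that depends on it (None: depended on directly by
# the code project).
DEPENDENT = {"A": None, "B": "A", "C": "B"}

# Constructed current versions in the component code package.
INSTALLED = {"A": "1.0", "B": "2.0", "C": "1.0"}

# Constructed lookup of the vulnerability-free upgraded version of each
# component, as a component repository would provide it.
UPGRADED_VERSION = {"C": "2.0", "B": "4.0", "A": "3.0"}

# Constructed compatible component version lists, keyed by (component,
# version), as they would be taken from each component's open source platform.
COMPATIBLE_VERSIONS = {
    ("B", "2.0"): {"C": {"1.0"}},
    ("B", "4.0"): {"C": {"2.0"}},
    ("A", "1.0"): {"B": {"2.0", "4.0"}},
    ("A", "3.0"): {"B": {"4.0"}},
}


def is_compatible(parent, parent_version, child, child_version, compatible_versions):
    """True when parent@parent_version lists child@child_version as compatible."""
    table = compatible_versions.get((parent, parent_version), {})
    return child_version in table.get(child, set())


def plan_upgrade(component, dependent, installed, upgraded_version, compatible_versions):
    """Walk up the dependency chain from the vulnerable component.

    Returns an ordered list of (component, new_version) pairs. The first entry
    is the vulnerable component; whenever the previous-level component that
    depends on the one just planned is incompatible with the new version, that
    previous-level component is queried next. The last entry is the target
    functional component of step 501.
    """
    plan = []
    current = component
    while True:
        new_version = upgraded_version.get(current)
        if new_version is None:
            raise LookupError(f"no vulnerability-free version available for {current}")
        plan.append((current, new_version))
        parent = dependent.get(current)
        if parent is None:
            return plan  # depended on directly by the code project: upgrade as is
        if is_compatible(parent, installed[parent], current, new_version, compatible_versions):
            return plan  # the dependent keeps its version: current is the target
        current = parent  # incompatible: the dependent becomes the component to query


def apply_plan(installed, plan):
    """Replace the current versions in the component code package."""
    updated = dict(installed)
    for component, version in plan:
        updated[component] = version
    return updated


def repair(component, invoked, dependent, installed, upgraded_version, compatible_versions):
    """Functional-impact check first: an uninvoked component is deleted instead.

    invoked is the constructed set of components called when the code project
    provides its application function.
    """
    if component not in invoked:
        return ("delete", [component])
    plan = plan_upgrade(component, dependent, installed, upgraded_version, compatible_versions)
    return ("upgrade", plan)


if __name__ == "__main__":
    # C 1.0 is the component to be upgraded; A, B and C are all invoked.
    action, steps = repair("C", {"A", "B", "C"}, DEPENDENT, INSTALLED,
                           UPGRADED_VERSION, COMPATIBLE_VERSIONS)
    print(action, steps)  # upgrade [('C', '2.0'), ('B', '4.0')]
    print(apply_plan(INSTALLED, steps))
```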
The following are examples of the apparatus of the present application that may be used to perform the method embodiments of the present application. For details not disclosed in the embodiments of the apparatus of the present application, please refer to the embodiments of the method of the present application.
FIG. 8 illustrates a block diagram of an exemplary embodiment of a vulnerability restoration apparatus. The apparatus may include:
The checking module 801 is configured to perform step-by-step checking on the functional component based on a dependency relationship of the functional component in the code engineering in the case that a bug exists in the code engineering, so as to obtain a checking result;
A determining module 802, configured to determine, when the test result indicates that a first functional component has a bug and a second functional component on which the first functional component depends does not have a bug, or if a first functional component has a bug and the first functional component does not have a second functional component on which the first functional component depends, that the first functional component is a component to be upgraded;
and the upgrade module 803 is configured to upgrade the version of the first functional component in the component code package, where the first functional component after the version upgrade has no vulnerability.
Optionally, the inspection module 801 is configured to:
obtaining a vulnerability database, wherein the vulnerability database comprises the functional components with vulnerabilities;
Based on the dependency relationship of the functional components in the code engineering, a dependency relationship list is obtained step by step, wherein the dependency relationship list is used for indicating the functional components of the next level on which the functional components of the previous level depend;
and inquiring the vulnerability database based on the dependency relationship list of different levels to obtain the checking result, wherein the checking result is used for indicating the vulnerability conditions of the functional components of different levels.
Optionally, the functional components on which the code engineering depends have n-level dependency relationships, and the code engineering directly depends on the functional components of the first level;
the inspection module 801 is configured to:
obtaining a dependency list of a kth functional component with a vulnerability in a kth level, wherein the dependency list comprises the functional components of a kth+1 level directly depended on by the kth functional component, k is greater than or equal to 1, and k is less than or equal to n;
and determining the k+1 functional component with the loopholes in the k+1 level by searching the loophole database.
Optionally, the vulnerability database includes the functional components with vulnerabilities and reasons for the vulnerabilities;
The inspection module 801 is configured to query the vulnerability database based on the dependency relationship lists of different levels, to obtain the inspection result, where the inspection result is used to indicate a vulnerability situation of the functional component of different levels and a cause of the vulnerability of the functional component, and the cause of the vulnerability includes a code vulnerability of the functional component and a dependency relationship vulnerability of the functional component of the component;
The determining module 802 is further configured to determine that the first functional component is a component to be upgraded if the test result indicates that the first functional component has a bug and the first functional component indicates that the functional component has a code bug.
Optionally, the upgrade module 803 is configured to:
under the condition that a third functional component dependent on the first functional component is compatible with the version-upgraded first functional component, version-upgrading the first functional component in a component code package;
the determining module 802 is further configured to determine the target functional component based on the dependency relationship when a third functional component that depends on the first functional component is incompatible with the version-upgraded first functional component;
The upgrade module 803 is further configured to upgrade the version of the target functional component in the component code package, where a fourth functional component dependent on the target functional component is compatible with the version-upgraded target functional component.
Optionally, the functional components on which the code engineering depends have n-level dependency relationships, and the code engineering directly depends on the functional components of the first level;
the determining module 802 is configured to:
querying a version-upgraded (k-1)th functional component when the (k-1)th functional component that depends on the kth functional component is incompatible with the version-upgraded kth functional component;
determining the kth-1 functional component as the target functional component in the case that a kth-2 functional component dependent on the kth-1 functional component is compatible with the upgraded kth-1 functional component;
The upgrade module 803 is configured to upgrade the version of the kth-1 functional component in the component code package.
Optionally,
The determining module 802 is further configured to determine, based on an application function of the code project, a function impact situation of the first functional component on the code project, where the function impact situation is used to indicate whether the first functional component is invoked when the code project provides the application function;
the upgrade module 803 is further configured to delete the component to be upgraded from the component code package if the function impact indicates that the first functional component is not invoked.
In the embodiment of the application, when the code project has a vulnerability, the computer device inspects the functional components step by step based on the dependency relationship of the functional components in the code project so as to find the vulnerable functional components, thereby determining the first functional component to be upgraded and upgrading it. With the vulnerability repair method provided by the embodiment of the application, the lower-level depended-on functional components that need repair can be determined from the dependency relationship, and the vulnerability of the code project is repaired by upgrading those functional components, so the workload of repairing the vulnerability is reduced and the applicability is higher.
Referring to FIG. 9, a block diagram of a computer device according to an exemplary embodiment of the present application is shown. The computer device 900 may be implemented as the computer device in the above-described embodiments. Computer device 900 may include one or more components including a processor 910 and a memory 920.
Processor 910 may include one or more processing cores. The processor 910 uses various interfaces and lines to connect the various parts of the overall computer device 900, performs the various functions of the computer device 900 and processes data by running or executing instructions, programs, code sets or instruction sets stored in the memory 920 and by invoking data stored in the memory 920. Optionally, the processor 910 may be implemented in hardware as at least one of a Digital Signal Processor (DSP), a Field-Programmable Gate Array (FPGA) and a Programmable Logic Array (PLA). The processor 910 may integrate one or a combination of several of a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), a Neural-network Processing Unit (NPU), a modem, etc. The CPU mainly handles the operating system, the user interface, application programs and the like; the GPU renders and draws the content to be displayed by the touch display screen; the NPU implements Artificial Intelligence (AI) functions; and the modem handles wireless communication. It will be appreciated that the modem may also not be integrated into the processor 910 and may instead be implemented as a separate chip.
The memory 920 may include a Random Access Memory (RAM) or a Read-Only Memory (ROM). Optionally, the memory 920 includes a non-transitory computer-readable storage medium. The memory 920 may be used to store instructions, programs, code, code sets or instruction sets. The memory 920 may include a stored program area and a stored data area, where the stored program area may store instructions for implementing an operating system, instructions for at least one function (e.g., a touch function, a sound playing function, an image playing function, etc.), instructions for implementing the various method embodiments described above, etc., and the stored data area may store data (e.g., audio data, a phonebook) created during use of the computer device 900, etc.
In addition, those skilled in the art will appreciate that the structure of the computer device 900 illustrated in the above-described figures is not limiting of the computer device, and a computer device may include more or fewer components than illustrated, or may combine certain components, or a different arrangement of components. For example, the computer device 900 further includes a display screen, a camera assembly, a microphone, a speaker, a radio frequency circuit, an input unit, a sensor (such as an acceleration sensor, an angular velocity sensor, a light sensor, etc.), an audio circuit, a WiFi module, a power supply, a bluetooth module, etc., which are not described herein.
The embodiment of the application also provides a computer readable storage medium, which stores at least one program code, and the program code is loaded and executed by a processor to implement the bug fixing method according to the above embodiments.
Embodiments of the present application provide a computer program product comprising computer instructions stored in a computer-readable storage medium. The computer instructions are read from the computer-readable storage medium by a processor of a computer device, and executed by the processor, cause the computer device to perform the vulnerability restoration method provided in various alternative implementations of the above aspects.
It should be understood that references herein to "a plurality" are to two or more. "and/or" describes an association relationship of an association object, and indicates that there may be three relationships, for example, a and/or B, and may indicate that there are three cases of a alone, a and B together, and B alone. The character "/" generally indicates that the context-dependent object is an "or" relationship. In addition, the step numbers described herein are merely exemplary of one possible execution sequence among steps, and in some other embodiments, the steps may be executed out of the order of numbers, such as two differently numbered steps being executed simultaneously, or two differently numbered steps being executed in an order opposite to that shown, which is not limiting.
The foregoing description of the preferred embodiments of the present application is not intended to limit the application, but rather, the application is to be construed as limited to the appended claims.

Claims (10)

1. A vulnerability repair method, the method comprising:
Under the condition that the code engineering has loopholes, based on the dependency relationship of the functional components in the code engineering, carrying out step-by-step inspection on the functional components to obtain inspection results;
determining that the first functional component is a component to be upgraded under the condition that the checking result indicates that the first functional component has a loophole and the second functional component on which the first functional component depends does not have the loophole, or the first functional component has the loophole and the first functional component does not have the second functional component on which the first functional component depends;
And carrying out version upgrading on the first functional component in the component code package, wherein the first functional component subjected to version upgrading has no loopholes.
2. The method according to claim 1, wherein the step-by-step checking the functional components based on the dependency relationship of the functional components in the code engineering to obtain a checking result includes:
obtaining a vulnerability database, wherein the vulnerability database comprises the functional components with vulnerabilities;
Based on the dependency relationship of the functional components in the code engineering, a dependency relationship list is obtained step by step, wherein the dependency relationship list is used for indicating the functional components of the next level on which the functional components of the previous level depend;
and inquiring the vulnerability database based on the dependency relationship list of different levels to obtain the checking result, wherein the checking result is used for indicating the vulnerability conditions of the functional components of different levels.
3. The method of claim 2, wherein the functional components on which the code engineering depends have n-level dependencies, the code engineering directly depending on the functional components of a first level;
The step of querying the vulnerability database based on the dependency relationship list of different levels to obtain the test result comprises the following steps:
obtaining a dependency list of a kth functional component with a vulnerability in a kth level, wherein the dependency list comprises the functional components of a kth+1 level directly depended on by the kth functional component, k is greater than or equal to 1, and k is less than or equal to n;
and determining the k+1 functional component with the loopholes in the k+1 level by searching the loophole database.
4. The method of claim 2, wherein the vulnerability database contains the functional components for which a vulnerability exists and a cause of the vulnerability;
The step of querying the vulnerability database based on the dependency relationship list of different levels to obtain the test result comprises the following steps:
Inquiring the loophole database based on the dependency relation lists of different levels to obtain the checking result, wherein the checking result is used for indicating the loophole situation of the functional components of different levels and the reasons for the loophole of the functional components, and the reasons for the loophole include the code loophole of the functional components and the dependency relation loophole of the functional components of the components;
the determining that the first functional component is a component to be upgraded further includes:
And determining the first functional component as a component to be upgraded under the condition that the checking result indicates that the first functional component has a bug and the first functional component indicates that the functional component has a code bug.
5. The method of claim 1, wherein said version-up of the first functional component in the component code package comprises:
under the condition that a third functional component dependent on the first functional component is compatible with the version-upgraded first functional component, version-upgrading the first functional component in a component code package;
the method further comprises the steps of:
determining a target functional component based on the dependency relationship when a third functional component that depends on the first functional component is incompatible with the version-upgraded first functional component;
and carrying out version upgrading on the target functional component in the component code package, wherein a fourth functional component dependent on the target functional component is compatible with the target functional component after version upgrading.
6. The method of claim 4, wherein the functional components on which the code engineering depends have n-level dependencies, the code engineering directly relying on the functional components of a first level;
the determining a target functional component based on the dependency relationship comprises the following steps:
querying a version-upgraded (k-1)th functional component when the (k-1)th functional component that depends on the kth functional component is incompatible with the version-upgraded kth functional component;
determining the kth-1 functional component as the target functional component in the case that a kth-2 functional component dependent on the kth-1 functional component is compatible with the upgraded kth-1 functional component;
the version upgrade of the target functional component in the component code package comprises:
And carrying out version upgrading on the k-1 functional component in the component code package.
7. The method of claim 1, wherein after the determining that the first functional component is a component to be upgraded, the method further comprises:
determining a function influence condition of the first functional component on the code project based on an application function of the code project, wherein the function influence condition is used for indicating whether the first functional component is called under the condition that the code project provides the application function;
And deleting the component to be upgraded from the component code packet under the condition that the function influence condition indicates that the first functional component is not called.
8. A vulnerability restoration apparatus, the apparatus comprising:
The testing module is used for testing the functional components step by step based on the dependency relationship of the functional components in the code engineering under the condition that the code engineering has loopholes, so as to obtain a testing result;
A determining module, configured to determine that a first functional component is a component to be upgraded when the test result indicates that the first functional component has a vulnerability and a second functional component on which the first functional component depends does not have a vulnerability, or the first functional component has a vulnerability and the first functional component does not have a second functional component on which the first functional component depends;
And the upgrading module is used for carrying out version upgrading on the first functional component in the component code package, wherein the first functional component subjected to version upgrading has no loopholes.
9. A computer device comprising a processor and a memory, the memory storing at least one instruction that is loaded and executed by the processor to implement the vulnerability repair method of any one of claims 1 to 7.
10. A computer readable storage medium storing at least one instruction that is loaded and executed by a processor to implement the vulnerability repair method of any one of claims 1 to 7.
CN202310769450.6A 2023-06-27 2023-06-27 Vulnerability repair method, device, equipment, storage medium and program product Pending CN119201191A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310769450.6A CN119201191A (en) 2023-06-27 2023-06-27 Vulnerability repair method, device, equipment, storage medium and program product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310769450.6A CN119201191A (en) 2023-06-27 2023-06-27 Vulnerability repair method, device, equipment, storage medium and program product

Publications (1)

Publication Number Publication Date
CN119201191A true CN119201191A (en) 2024-12-27

Family

ID=94072774

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310769450.6A Pending CN119201191A (en) 2023-06-27 2023-06-27 Vulnerability repair method, device, equipment, storage medium and program product

Country Status (1)

Country Link
CN (1) CN119201191A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination