CN110806978A - Defect management method and device for third-party component
Publication number: CN110806978A (application CN201911050967.X)
Authority: CN (China)
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Classifications
- G06F11/366 Debugging of software using diagnostics (under G06F11/36 Prevention of errors by analysis, debugging or testing of software; G06F11/00 Error detection; Error correction; Monitoring)
- G06F21/577 Assessing vulnerabilities and evaluating computer system security (under G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
Abstract
The invention discloses a defect management method for third-party components, comprising: performing vulnerability detection on the third-party components in an application system to be detected and determining which of them are defective components; searching a preset third-party component library for a target component matching the defective component, the target component being a safe version of the defective component; and, when the target component exists in the preset third-party component library, upgrading the defective component to the target component. The method not only detects vulnerabilities in the third-party components to determine the defective ones, but also determines the matching target component for each, upgrades the defective component accordingly, and builds a third-party component information base for each application system of the enterprise, so that defect management of third-party components is realized.
Description
Technical Field
The invention relates to the technical field of vulnerability remediation, and in particular to a method and device for managing defects of third-party components.
Background
At present, most enterprise application systems call third-party components, which saves project development time and improves development efficiency.
However, security incidents caused by vulnerabilities in the third-party components being called are frequent, and in the prior art the defects of an application system's third-party components are at most detected, not managed.
Disclosure of Invention
In view of this, the present invention provides a method and a device for managing defects of third-party components, so as to solve the lack in the prior art of a systematic approach to detecting, upgrading and locating vulnerable third-party components. The specific scheme is as follows:
A method of defect management for third-party components, comprising:
performing vulnerability detection on the third-party components in an application system to be detected, and determining the defective components among them;
searching a preset third-party component library for a target component matching the defective component, where the target component is a safe version of the defective component;
and, when the target component exists in the preset third-party component library, upgrading the defective component to the target component.
Optionally, the method further includes:
when the target component does not exist in the preset third-party component library, accessing the Internet to download the target component.
Optionally, performing vulnerability detection on the third-party components in the application system to be detected and determining the defective components includes:
determining a hash value of each third-party component;
matching the hash value against each component hash value in a dangerous component library;
and, if a hash value (the target hash value) is identical to at least one of the dangerous component hash values, taking the third-party component corresponding to the target hash value as a defective component.
Optionally, the method further includes:
updating the dangerous component library at a preset first time interval.
Optionally, the method further includes:
updating the preset third-party component library at a preset second time interval.
Optionally, the method further includes:
acquiring component information of the defective component;
and notifying the project group to which the defective component belongs of the component information.
A defect management device for third-party components, comprising:
a detection and determination module, for performing vulnerability detection on the third-party components in an application system to be detected and determining the defective components among them;
a lookup module, for searching a preset third-party component library for a target component matching the defective component, where the target component is a safe version of the defective component;
and an upgrade module, for upgrading the defective component to the target component when the target component exists in the preset third-party component library.
Optionally, the detection and determination module includes:
a hash value determination unit, for determining a hash value of each third-party component;
a matching unit, for matching the hash value against each component hash value in the dangerous component library;
and a defective component determination unit, for taking the third-party component corresponding to the target hash value as a defective component if a hash value (the target hash value) is identical to at least one of the dangerous component hash values.
A storage medium comprising a stored program, wherein the program performs the above method of defect management for third-party components.
A processor configured to run a program, wherein the program, when run, performs the above method of defect management for third-party components.
Compared with the prior art, the invention has the following advantages: the third-party components of an application system are not merely scanned for vulnerabilities to determine the defective components; for each defective component the matching target component (a safe version) is determined in a preset third-party component library, the defective component is upgraded to it, and a third-party component information base is established for each application system of the enterprise, so that defect management of third-party components is realized rather than detection alone.
Of course, it is not necessary for any product in which the invention is practiced to achieve all of the above advantages at the same time.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in their description are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of a method for defect management of a third-party component according to an embodiment of the present disclosure;
FIG. 2 is a flowchart of the vulnerability detection step of that method according to an embodiment of the present disclosure;
FIG. 3 is a diagram of a defect management platform for third-party components according to an embodiment of the present disclosure;
FIG. 4 is a block diagram of a defect management device for third-party components according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The invention discloses a defect management method and device for third-party components, applied to the defect management of the third-party components in an application system. The application system comprises a plurality of components, both self-developed components and third-party components. Because a third-party component creates a security risk when an upgrade of the application system introduces a vulnerable version, or when a new vulnerability in it is disclosed, the invention provides the following defect management method, whose execution flow is shown in FIG. 1 and which comprises the following steps:
S101, performing vulnerability detection on the third-party components in the application system to be detected, and determining the defective components among them;
In this embodiment, when a project is onboarded, the code repository of the application system to be detected is scanned automatically to determine whether the source code calls third-party components. If it does, each identified third-party component is subjected to vulnerability detection, and the defective components among them are determined by hash matching.
S102, searching a preset third-party component library for a target component matching the defective component, where the target component is a safe version of the defective component;
In this embodiment, the preset third-party component library is built from the third-party components contained in the application system as follows: the code repository of the application system is accessed, all third-party components used in the application system are identified, the components identified as safe are brought directly into the preset library for management, and for components found to have vulnerabilities a safe version is downloaded over the Internet and then brought into the library for management. The third-party component library stores, for each component, information such as the component name, version number, component hash value, name of the application system and storage path.
Furthermore, because the components in the preset third-party component library must be kept current, the component versions in the library are downloaded and upgraded over the Internet at a preset first time interval.
In this embodiment, the hash value of the defective component is determined first; it may be computed with a hash algorithm such as MD5, SHA1 or SHA256. Any change to the content of the component produces a different hash value, and the hash algorithm converts the component into a fixed-length string, for example d8b85a9c8a9e4ac65633999d7a20cacb. The preset third-party component library is then traversed for a stored component hash value equal to the hash value of the defective component; the library record found in this way identifies the defective component, and the safe version the library holds for it is the target component.
Furthermore, the target component may additionally be verified by its component name, version number and the like.
S103, when the target component exists in the preset third-party component library, upgrading the defective component to the target component.
In this embodiment, the defective component exists in the source code of the application system, stored under a path that depends on which project group the application system belongs to. When the target component exists in the preset third-party component library, the path of the defective component within the application system is determined by searching, and the defective component under that path is replaced with the target component. Alternatively, the defective components are all stored under a specified path, and each defective component under that path is replaced with its corresponding target component.
S104, when the target component does not exist in the preset third-party component library, accessing the Internet to download the target component.
In this embodiment, when the target component is not in the preset third-party component library, it is downloaded from the Internet and brought into the library for management, as in the construction of the library described under S102.
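The following is an added example, not code from the patent, showing steps S102 to S104 in Python: looking up the target component in a preset component library keyed by component name and safe version, replacing the file under the defective component's path (S103), and the download path taken when the library lacks the target (S104). Two checks beyond the patent text are included because a practitioner would want them before letting a scanner overwrite files in a checkout: a downloaded artifact is admitted to the library only if its SHA-256 matches the digest published for it, and a stored "safe" version is re-hashed and checked against the dangerous-hash set before use. `ComponentLibrary`, `Defective`, `remediate`, the `download` hook and the `<artifact>-<version>.jar` naming are assumptions; the file contents are constructed placeholder bytes, not real jars.

```python
from __future__ import annotations

import hashlib
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable

@dataclass(frozen=True)
class ComponentRecord:  # one row of the preset library (fields named under S102)
    name: str
    version: str
    sha256: str
    storage_path: Path

@dataclass(frozen=True)
class Defective:  # a component flagged in S101; safe_version comes from the dangerous library's solution field
    name: str
    version: str
    path: Path          # where the defective file sits inside the application checkout
    safe_version: str

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class ComponentLibrary:
    def __init__(self, records: list[ComponentRecord], dangerous_hashes: set[str], store: Path):
        self.records = {(r.name, r.version): r for r in records}
        self.dangerous_hashes = dangerous_hashes  # hashes taken from the dangerous component library
        self.store = store
        store.mkdir(parents=True, exist_ok=True)

    def find_target(self, d: Defective) -> ComponentRecord | None:
        """S102: the safe version of the defective component, or None if the library lacks it."""
        rec = self.records.get((d.name, d.safe_version))
        if rec is None:
            return None
        # Added checks: the stored file must still match its recorded hash, and that hash
        # must not itself be listed as dangerous (a "safe" entry can age into a known-bad one).
        if sha256_bytes(rec.storage_path.read_bytes()) != rec.sha256:
            raise RuntimeError(f"library copy of {rec.name}-{rec.version} was modified")
        if rec.sha256 in self.dangerous_hashes:
            raise RuntimeError(f"{rec.name}-{rec.version} is itself a dangerous version")
        return rec

    def admit(self, name: str, version: str, data: bytes, published_sha256: str) -> ComponentRecord:
        """S104 follow-up: a download enters the library only if its bytes match the published digest."""
        if sha256_bytes(data) != published_sha256:
            raise ValueError(f"downloaded {name}-{version} does not match its published digest")
        dest = self.store / f"{name}-{version}.jar"
        dest.write_bytes(data)
        self.records[(name, version)] = ComponentRecord(name, version, published_sha256, dest)
        return self.records[(name, version)]

def remediate(d: Defective, library: ComponentLibrary,
              download: Callable[[str, str], tuple[bytes, str]]) -> Path:
    """S102-S104: find or fetch the safe version, then replace the defective file.
    download(name, version) stands in for a real fetch and returns (bytes, published digest)."""
    target = library.find_target(d)
    if target is None:
        data, digest = download(d.name, d.safe_version)
        target = library.admit(d.name, d.safe_version, data, digest)
    # S103: place the target under the defective component's path; the file is renamed
    # to the new version so the checkout does not carry a misleading name.
    new_path = d.path.with_name(f"{target.name}-{target.version}.jar")
    shutil.copyfile(target.storage_path, new_path)
    if new_path != d.path:
        d.path.unlink()
    return new_path

def demo() -> dict:
    """Constructed scenario; placeholder bytes stand in for jar contents."""
    vulnerable = b"constructed bytes of example-core 1.0.0"
    fixed = b"constructed bytes of example-core 1.0.1"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        dangerous = {sha256_bytes(vulnerable)}

        def flagged(app: str) -> Defective:
            p = root / app / "lib" / "example-core-1.0.0.jar"
            p.parent.mkdir(parents=True)
            p.write_bytes(vulnerable)
            return Defective("example-core", "1.0.0", p, "1.0.1")

        # Case 1: the library lacks 1.0.1 and the download hook returns a genuine artifact.
        library = ComponentLibrary([], dangerous, root / "component-library")
        d1 = flagged("app1")
        new_path = remediate(d1, library, lambda n, v: (fixed, sha256_bytes(fixed)))
        out = {"replaced_name": new_path.name,
               "replaced_bytes_ok": new_path.read_bytes() == fixed,
               "old_removed": not d1.path.exists(),
               "found_after_admit": library.find_target(d1) is not None}
        # Case 2: a tampered download is rejected and the defective file is left as it was
        # rather than overwritten with bytes nobody vouched for.
        d2 = flagged("app2")
        other = ComponentLibrary([], dangerous, root / "other-library")
        try:
            remediate(d2, other, lambda n, v: (fixed + b" tampered", sha256_bytes(fixed)))
            out["tampered_rejected"] = False
        except ValueError:
            out["tampered_rejected"] = True
        out["defective_untouched"] = d2.path.read_bytes() == vulnerable
        return out

if __name__ == "__main__":
    print(demo())
```

The download hook returns the published digest alongside the bytes. If that digest is fetched from the same mirror as the artifact, the check only catches corruption or a swapped file on the wire, not a compromised mirror, so pin the expected digest in the component library itself or obtain it from a second source where possible. Replacing a jar in place also does not rebuild the project; the compatibility verification the description assigns to the project group still has to run.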
In summary, the method detects vulnerabilities in the third-party components of the application system, determines the defective components, locates the matching target component (a safe version) in the preset third-party component library, upgrades the defective component to it, and establishes a third-party component information base for each application system of the enterprise, so that defect management of third-party components is realized.
In an embodiment, after the defective component is determined, its component information is obtained. The component information includes the harm, vulnerability description and risk level of the component, and the component version it should be updated to. This information is sent to the project group to which the application system containing the defective component belongs; an account must be associated with each project in advance, and the notification is sent to that account. The notification may be sent by mail, SMS, WeChat or any other channel; the embodiment does not limit the channel. The notification may read:
System name: Financial management system
Dangerous component name: Apache Struts2
Vulnerability name: Remote code execution vulnerability (CVE-2017-
Risk rating: High
Description: A malicious user can trigger the vulnerability by modifying the Content-Type value in the HTTP request header of a file upload and then execute system commands. Struts2 is widely used in banking, Internet, government and other sectors, which have become the main disaster area for this high-risk vulnerability.
Remediation: Upgrade to the specified version VX.X.X.
Further, the project group upgrades the defective component according to the component information and, after the upgrade completes, performs a compatibility verification to check whether the upgraded component version still supports the functions of the application system normally and whether any abnormal operation occurs.
In this embodiment, the execution flow of performing vulnerability detection on the third-party components to be detected and determining the defective components among them is shown in FIG. 2 and comprises the following steps:
S201, determining the hash value of the third-party component to be detected;
In this embodiment, the hash value of the third-party component to be detected is determined in the same way as the hash value of the defective component described above, which is not repeated here.
S202, matching the hash value against the dangerous hash value of each component in the dangerous component library;
In this embodiment, the dangerous component library is obtained from the China National Vulnerability Database of Information Security (CNNVD) and the international Common Vulnerabilities and Exposures (CVE) list, and is updated at a preset second time interval. For each entry the dangerous component library holds the component name, version number, dangerous hash value of the component file, CVE name, CNNVD number, vulnerability grade, vulnerability description, solution and so on, and provides functions for querying and editing these contents. The hash value is matched against each dangerous hash value in the dangerous component library to judge whether a dangerous hash value equal to it exists.
S203, if a hash value (the target hash value) is identical to at least one of the components' dangerous hash values, taking the third-party component to be detected that corresponds to the target hash value as a defective component.
In this embodiment, if a target hash value identical to at least one dangerous hash value exists among the hash values, the third-party component to be detected corresponding to the target hash value is taken as a defective component; otherwise, if no dangerous hash value equal to the hash value exists, the third-party component to be detected is not a defective component.
Further, the defective component may additionally be verified by its component name, version number and the like.
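The following is an added example, not the patent's code, of steps S201 to S203 in Python over a directory of .jar files: each file is hashed with SHA-256, the hash is looked up in a constructed dangerous component library, and a hit is cross-checked against the name and version parsed from the file name (the verification described above). It goes beyond the text in one respect: a file whose name and version are listed in the dangerous library but whose bytes differ (rebuilt, re-signed or repackaged, so its hash no longer matches) is still reported, because an exact hash match alone misses it. `DangerousEntry`, `Finding`, `scan` and the Maven-style `<artifact>-<version>.jar` convention are assumptions; the file contents and the CVE and CNNVD identifiers are constructed placeholders, not real advisories.

```python
from __future__ import annotations

import hashlib
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

@dataclass(frozen=True)
class DangerousEntry:  # one dangerous component library record (fields listed under S202)
    name: str
    version: str
    sha256: str
    cve: str
    cnnvd: str
    grade: str
    description: str
    solution: str

@dataclass
class Finding:
    path: Path
    entry: DangerousEntry
    match: str      # "hash" for an S203 exact match, "name-version" for the fallback
    verified: bool  # name and version parsed from the file name agree with the record

def sha256_file(path: Path) -> str:
    """S201: fixed-length fingerprint of the component file; any byte change alters it."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

# Assumed naming convention for the cross-check: Maven-style "<artifact>-<version>.jar".
_JAR_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[\w.]*)\.jar$")

def parse_jar_name(path: Path) -> tuple[str, str] | None:
    m = _JAR_RE.match(path.name)
    return (m.group("name"), m.group("version")) if m else None

def scan(root: Path, library: list[DangerousEntry]) -> list[Finding]:
    """S201-S203 over every .jar under root, plus the name/version fallback."""
    by_hash = {e.sha256: e for e in library}
    by_nv = {(e.name, e.version): e for e in library}
    findings: list[Finding] = []
    for path in sorted(root.rglob("*.jar")):
        nv = parse_jar_name(path)
        entry = by_hash.get(sha256_file(path))   # S202: look the hash up
        if entry is not None:                     # S203: exact hash hit
            findings.append(Finding(path, entry, "hash", nv == (entry.name, entry.version)))
        elif nv in by_nv:
            # Same artifact name and version but different bytes (rebuilt, re-signed or
            # repackaged): the hash lookup misses it, the name/version fallback does not.
            findings.append(Finding(path, by_nv[nv], "name-version", True))
    return findings

def demo() -> list[Finding]:
    """Constructed sample: placeholder bytes stand in for jar contents; identifiers are dummies."""
    published = b"constructed bytes of example-core 1.0.0 as published"
    rebuilt = b"constructed bytes of example-core 1.0.0 rebuilt in-house"
    clean = b"constructed bytes of other-lib 2.0.0"
    library = [DangerousEntry("example-core", "1.0.0", hashlib.sha256(published).hexdigest(),
                              "CVE-0000-00000", "CNNVD-000000-000", "High",
                              "constructed description", "upgrade to 1.0.1")]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in [("app1/lib/example-core-1.0.0.jar", published),
                          ("app1/lib/other-lib-2.0.0.jar", clean),
                          ("app2/lib/example-core-1.0.0.jar", rebuilt)]:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        return scan(root, library)

if __name__ == "__main__":
    for f in demo():
        print(f"{f.path.name}: {f.entry.name} {f.entry.version} "
              f"[{f.match}, verified={f.verified}] {f.entry.cve} {f.entry.grade}")
```

Whichever algorithm is chosen from the MD5, SHA1 and SHA256 options the description lists, the scanner and the dangerous component library must use the same one, and any hash only ever matches byte-identical files, which is why the fallback on name and version is worth keeping. SHA-256 is used here because MD5 and SHA-1 are best avoided in new designs.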
In this embodiment, based on the management method above, a third-party component defect management platform is constructed; its schematic diagram is shown in FIG. 3. The platform comprises a component application module, a component library creation and query module, a component vulnerability detection module, a component risk notification module, a third-party component library module, a component matching module, a code repository, a mail system, a component update and download module, and a component vulnerability library update module, wherein:
The component application module provides the project groups with a function to request components. The preset third-party component library module supplies component files according to the request information; a requested component that is not in the library is first downloaded from the Internet by the component update and download module and then supplied. The library is managed by the third-party component library module.
The component library creation and query module calls the component vulnerability detection module to detect component vulnerabilities, and the third-party components identified as safe are brought directly into the third-party component library module for management. It also provides queries over the existing third-party components and their vulnerability information, and can query, from component information, which application systems call a component.
The component vulnerability detection module sets up and manages component vulnerability detection tasks, and calls the source code in the code repository and the component matching module to detect component vulnerabilities on a schedule or on demand.
The component risk notification module is integrated with the mail system and automatically notifies the project group by mail of the dangerous component information detected, for upgrading and functional compatibility verification of the software.
The third-party component library module sets the update and download frequency of components. It accepts component requests, and queries and extracts safe component files from the component library according to the request information and to requests from the component defect detection module. For safe components not present in the component library, it calls the component update and download module to download them from the Internet.
The component matching module automatically crawls the third-party component information called in the source code, matches it by file name, version number, file hash value and other information, and, if the file hash value agrees with a dangerous hash value, determines that the component is vulnerable.
The component update and download module accesses the Internet to download safe component files at the request of the third-party component library module, and automatically and periodically downloads and upgrades the component versions in the preset third-party component library over the Internet.
The component vulnerability library update module periodically accesses the Internet to update the dangerous component library.
Based on the foregoing method, an embodiment further provides a defect management device for third-party components, whose structural block diagram is shown in FIG. 4. The device comprises:
a detection and determination module 301, a lookup module 302, and an upgrade module 303.
Wherein,
the detection and determination module 301 is configured to perform vulnerability detection on a third-party component in an application system to be detected, and determine a defective component in the third-party component;
the lookup module 302 is configured to search a preset third-party component library for a target component matching the defective component, where the target component is a safe version of the defective component;
the upgrading module 303 is configured to, when the target component exists in the preset third-party component library, upgrade the defective component according to the target component.
The device thus performs vulnerability detection on the third-party components of the application system to determine the defective components, locates the matching target component (a safe version) in the preset third-party component library, upgrades the defective component to it, and establishes a third-party component information base for each application system of the enterprise, so that defect management of third-party components is realized.
In this embodiment of the present invention, the detecting and determining module 301 includes:
a hash value determination unit 304, a matching unit 305, and a defective component determination unit 306.
Wherein,
the hash value determination unit 304 is configured to determine a hash value of the third-party component;
the matching unit 305 is configured to match the hash value with each component hash value in the dangerous component library;
the defective component determination unit 306 is configured to take the third-party component corresponding to the target hash value as a defective component if a hash value (the target hash value) identical to at least one of the dangerous component hash values exists.
The defect management device comprises a processor and a memory. The detection and determination module, lookup module, upgrade module and so on are stored in the memory as program units, and the processor executes the program units stored in the memory to realize the corresponding functions.
The processor comprises one or more cores, and a core calls the corresponding program unit from the memory; the defect management of third-party components is realized by adjusting the core parameters.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
An embodiment of the invention provides a storage medium having a program stored thereon, which when executed by a processor implements the defect management method.
The embodiment of the invention provides a processor, which is used for running a program, wherein the defect management method is executed when the program runs.
The embodiment of the invention provides equipment, which comprises a processor, a memory and a program which is stored on the memory and can run on the processor, wherein the processor executes the program and realizes the following steps:
a method of defect management for a third party component, comprising:
carrying out vulnerability detection on a third-party component in an application system to be detected, and determining a defective component in the third-party component;
searching a target component matched with the defective component in a preset third-party component library, wherein the target component is a safe version of the defective component;
and when the target component exists in the preset third-party component library, upgrading the defective component according to the target component.
The above method, optionally, further includes:
and when the target component does not exist in the preset third-party component library, accessing the Internet to download the target component.
Optionally, in the method, the detecting the vulnerability of the third-party component in the application system to be detected to determine the defective component in the third-party component includes:
determining a hash value of the third party component;
matching the hash value with each component hash value in a dangerous component library;
and if a target hash value identical to at least one of the dangerous component hash values exists in the hash values, taking the third party component corresponding to the target hash value as a defective component.
The above method, optionally, further includes:
and upgrading the dangerous component library at preset first time intervals.
The above method, optionally, further includes:
and updating the preset third-party component library at preset second time intervals.
The above method, optionally, further includes:
acquiring component information of the defective component;
and notifying the project group to which the defective component belongs of the component information.
The device herein may be a server, a PC, a PAD, a mobile phone, etc.
The present application further provides a computer program product adapted to perform a program for initializing the following method steps when executed on a data processing device:
a method of defect management for a third party component, comprising:
carrying out vulnerability detection on a third-party component in an application system to be detected, and determining a defective component in the third-party component;
searching a target component matched with the defective component in a preset third-party component library, wherein the target component is a safe version of the defective component;
and when the target component exists in the preset third-party component library, upgrading the defective component according to the target component.
The above method, optionally, further includes:
and when the target component does not exist in the preset third-party component library, accessing the Internet to download the target component.
Optionally, in the method, the detecting the vulnerability of the third-party component in the application system to be detected to determine the defective component in the third-party component includes:
determining a hash value of the third party component;
matching the hash value with each component hash value in a dangerous component library;
and if a target hash value identical to at least one of the dangerous component hash values exists in the hash values, taking the third party component corresponding to the target hash value as a defective component.
The above method, optionally, further includes:
and updating the dangerous component library at preset first time intervals.
The above method, optionally, further includes:
and updating the preset third-party component library at preset second time intervals.
The above method, optionally, further includes:
acquiring component information of the defective component;
and notifying the project group to which the defective component belongs of the component information.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.
Claims (10)
1. A method for defect management of a third party component, comprising:
carrying out vulnerability detection on a third-party component in an application system to be detected, and determining a defective component in the third-party component;
searching a target component matched with the defective component in a preset third-party component library, wherein the target component is a safe version of the defective component;
and when the target component exists in the preset third-party component library, upgrading the defective component according to the target component.
2. The method of claim 1, further comprising:
and when the target component does not exist in the preset third-party component library, accessing the Internet to download the target component.
3. The method according to claim 1, wherein performing vulnerability detection on a third-party component in the application system to be detected, and determining a defective component in the third-party component comprises:
determining a hash value of the third party component;
matching the hash value with each component hash value in a dangerous component library;
and if a target hash value identical to at least one of the dangerous component hash values exists in the hash values, taking the third party component corresponding to the target hash value as a defective component.
4. The method of claim 3, further comprising:
and updating the dangerous component library at preset first time intervals.
5. The method of claim 1, further comprising:
and updating the preset third-party component library at preset second time intervals.
6. The method of claim 1, further comprising:
acquiring component information of the defective component;
and notifying the project group to which the defective component belongs of the component information.
7. A defect management apparatus for a third party component, comprising:
the detection and determination module is used for carrying out vulnerability detection on a third-party component in the application system to be detected and determining a defective component in the third-party component;
the searching module is used for searching a target component matched with the defective component in a preset third-party component library, wherein the target component is a safe version of the defective component;
and the upgrading module is used for upgrading the defective component according to the target component when the target component exists in the preset third-party component library.
8. The apparatus of claim 7, wherein the detection and determination module comprises:
a hash value determination unit for determining a hash value of the third party component;
the matching unit is used for matching the hash value with each component hash value in the dangerous component library;
and the defective component determining unit is used for taking the third-party component corresponding to a target hash value as a defective component if a target hash value identical to at least one of the dangerous component hash values exists among the hash values.
9. A storage medium, characterized in that the storage medium comprises a stored program, wherein the program performs a method of defect management of a third party component according to any of claims 1 to 6.
10. A processor configured to run a program, wherein the program when running performs the method of defect management of a third party component as claimed in any one of claims 1 to 6.
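The detection and remediation steps of claims 1 to 3 and 6, carried through in code as an added example (this is not the patent's own implementation). The component names, the byte strings standing in for packaged component files, the SHA-256 choice of hash, and the function names are all constructed for illustration; the patent does not specify a hash algorithm or a version-ordering rule. One check that the claims leave implicit is made explicit here: a "safe version" picked from the preset library is itself re-hashed against the dangerous component library, so a stale preset library cannot "upgrade" one defective build to another.

```python
"""Hash-based detection of defective third-party components and selection of a
safe replacement, following claims 1-3 and 6 (added example, not the patent's code)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Component:
    name: str      # artifact name, e.g. a jar or wheel (hypothetical field names)
    version: str   # dotted version string
    data: bytes    # raw bytes of the packaged component
    project: str   # project group that owns the application using it


def component_hash(data: bytes) -> str:
    """Claim 3, step 1: identify a component by the SHA-256 of its bytes (assumed algorithm)."""
    return hashlib.sha256(data).hexdigest()


def detect_defective(components: List[Component],
                     dangerous_hashes: Set[str]) -> List[Component]:
    """Claim 3, steps 2-3: a component whose hash appears in the dangerous
    component library is a defective component."""
    return [c for c in components if component_hash(c.data) in dangerous_hashes]


def _version_key(version: str) -> Tuple[int, ...]:
    """Assumed ordering rule: compare dotted numeric versions component-wise."""
    return tuple(int(part) for part in version.split("."))


def find_target(defective: Component,
                safe_library: Dict[str, Dict[str, bytes]],
                dangerous_hashes: Set[str]) -> Optional[Tuple[str, bytes]]:
    """Claim 1, step 2: look up a safe version of the same component in the
    preset third-party component library. Returns (version, data) or None.
    Only versions newer than the defective one whose own hash is absent from
    the dangerous library are accepted; the second condition is the added check."""
    candidates = safe_library.get(defective.name, {})
    usable = [
        (ver, data) for ver, data in candidates.items()
        if _version_key(ver) > _version_key(defective.version)
        and component_hash(data) not in dangerous_hashes
    ]
    if not usable:
        return None
    return max(usable, key=lambda vd: _version_key(vd[0]))


def plan_remediation(components: List[Component],
                     dangerous_hashes: Set[str],
                     safe_library: Dict[str, Dict[str, bytes]]):
    """Claims 1, 2 and 6 combined. For each defective component record either an
    upgrade from the preset library (claim 1) or a download from the Internet
    (claim 2), and build the notification for the owning project group (claim 6)."""
    actions: List[Tuple[str, str, str, Optional[str]]] = []
    notices: List[Tuple[str, str, str, str]] = []
    for comp in detect_defective(components, dangerous_hashes):
        target = find_target(comp, safe_library, dangerous_hashes)
        if target is not None:
            actions.append(("upgrade", comp.name, comp.version, target[0]))
        else:
            actions.append(("download", comp.name, comp.version, None))
        # Component information sent to the project group: owner, name, version, hash.
        notices.append((comp.project, comp.name, comp.version, component_hash(comp.data)))
    return actions, notices


# Constructed sample data: these byte strings stand in for packaged component files.
LIB_A_10 = b"libA-1.0 constructed bytes"
LIB_A_11 = b"libA-1.1 constructed bytes"
LIB_B_20 = b"libB-2.0 constructed bytes"
LIB_C_09 = b"libC-0.9 constructed bytes"

# Dangerous component library: hashes of builds known to carry a vulnerability.
DANGEROUS_HASHES = {component_hash(LIB_A_10), component_hash(LIB_C_09)}
# Preset third-party component library: name -> version -> bytes. No entry for libC.
SAFE_LIBRARY = {"libA": {"1.1": LIB_A_11, "0.9": b"libA-0.9 constructed bytes"}}
# Third-party components found in the application system under detection.
APP_COMPONENTS = [
    Component("libA", "1.0", LIB_A_10, "payments"),
    Component("libB", "2.0", LIB_B_20, "payments"),
    Component("libC", "0.9", LIB_C_09, "reporting"),
]


def demo():
    """Run the full method on the constructed data and return (actions, notices)."""
    return plan_remediation(APP_COMPONENTS, DANGEROUS_HASHES, SAFE_LIBRARY)


if __name__ == "__main__":
    planned_actions, planned_notices = demo()
    for action in planned_actions:
        print(action)
    for notice in planned_notices:
        print(notice)
```

On the constructed data libA 1.0 is upgraded to 1.1 from the preset library, libB is untouched because its hash is not in the dangerous library, and libC 0.9 has no newer entry in the preset library, so the plan records it for download, which is the claim 2 branch. The periodic updates of claims 4 and 5 correspond to refreshing `DANGEROUS_HASHES` and `SAFE_LIBRARY`; a refreshed dangerous library automatically invalidates any preset version it now lists, because `find_target` re-checks candidates against it.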
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911050967.XA CN110806978A (en) | 2019-10-31 | 2019-10-31 | Defect management method and device for third-party component |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911050967.XA CN110806978A (en) | 2019-10-31 | 2019-10-31 | Defect management method and device for third-party component |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110806978A true CN110806978A (en) | 2020-02-18 |
Family
ID=69489781
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911050967.XA Pending CN110806978A (en) | 2019-10-31 | 2019-10-31 | Defect management method and device for third-party component |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110806978A (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111291385A (en) * | 2020-05-12 | 2020-06-16 | 深圳开源互联网安全技术有限公司 | JS script file vulnerability detection method and system |
CN111680302A (en) * | 2020-06-08 | 2020-09-18 | 中国银行股份有限公司 | Third-party component vulnerability scanning method and device |
CN112000572A (en) * | 2020-08-07 | 2020-11-27 | 北京浪潮数据技术有限公司 | Source code scanning tool, method, equipment and medium |
CN112118251A (en) * | 2020-09-15 | 2020-12-22 | 四川长虹电器股份有限公司 | Vulnerability detection method of Java project open source component based on maven plug-in |
CN112463200A (en) * | 2020-12-10 | 2021-03-09 | 微医云(杭州)控股有限公司 | Development kit processing method and device, electronic device and storage medium |
CN112868008A (en) * | 2020-04-28 | 2021-05-28 | 深圳开源互联网安全技术有限公司 | Vulnerability detection method and device of JAVA open source component and storage medium |
CN113449306A (en) * | 2021-09-02 | 2021-09-28 | 湖南省佳策测评信息技术服务有限公司 | Security vulnerability early warning method and system based on software source code analysis |
CN114443043A (en) * | 2021-12-17 | 2022-05-06 | 深圳开源互联网安全技术有限公司 | Maven source package third-party component detection method and system |
CN117031052A (en) * | 2023-10-09 | 2023-11-10 | 广州市普理司科技有限公司 | Single printed matter front and back vision detection control system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104573525A (en) * | 2014-12-19 | 2015-04-29 | 中国航天科工集团第二研究院七〇六所 | Special information service software vulnerability fixing system based on white lists |
CN108600222A (en) * | 2018-04-24 | 2018-09-28 | 北京握奇智能科技有限公司 | The communication means of client application and trusted application, system and terminal |
CN110221933A (en) * | 2019-05-05 | 2019-09-10 | 北京百度网讯科技有限公司 | Aacode defect assists restorative procedure and system |
CN110232279A (en) * | 2019-06-06 | 2019-09-13 | 深圳前海微众银行股份有限公司 | A kind of leak detection method and device |
Events
- 2019-10-31: CN201911050967.XA patent/CN110806978A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104573525A (en) * | 2014-12-19 | 2015-04-29 | 中国航天科工集团第二研究院七〇六所 | Special information service software vulnerability fixing system based on white lists |
CN108600222A (en) * | 2018-04-24 | 2018-09-28 | 北京握奇智能科技有限公司 | The communication means of client application and trusted application, system and terminal |
CN110221933A (en) * | 2019-05-05 | 2019-09-10 | 北京百度网讯科技有限公司 | Aacode defect assists restorative procedure and system |
CN110232279A (en) * | 2019-06-06 | 2019-09-13 | 深圳前海微众银行股份有限公司 | A kind of leak detection method and device |
Non-Patent Citations (2)
Title |
---|
THOUGHTWORKS中国: "第三方组件安全分析", 《HTTPS://ZHUANLAN.ZHIHU.COM/P/31985961》, 13 December 2017 (2017-12-13), pages 1 - 3 * |
THOUGHTWORKS中国: "第三方组件安全分析", pages 1 - 3, Retrieved from the Internet <URL:https://zhuanlan.zhihu.com/p/31985961> * |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112868008A (en) * | 2020-04-28 | 2021-05-28 | 深圳开源互联网安全技术有限公司 | Vulnerability detection method and device of JAVA open source component and storage medium |
CN111291385B (en) * | 2020-05-12 | 2020-09-01 | 深圳开源互联网安全技术有限公司 | JS script file vulnerability detection method and system |
CN111898131A (en) * | 2020-05-12 | 2020-11-06 | 深圳开源互联网安全技术有限公司 | JS script file vulnerability detection method and system |
CN111291385A (en) * | 2020-05-12 | 2020-06-16 | 深圳开源互联网安全技术有限公司 | JS script file vulnerability detection method and system |
CN111898131B (en) * | 2020-05-12 | 2023-04-04 | 深圳开源互联网安全技术有限公司 | JS script file vulnerability detection method and system |
CN111680302A (en) * | 2020-06-08 | 2020-09-18 | 中国银行股份有限公司 | Third-party component vulnerability scanning method and device |
CN112000572B (en) * | 2020-08-07 | 2022-06-17 | 北京浪潮数据技术有限公司 | Tool, method, equipment and medium for scanning source code |
CN112000572A (en) * | 2020-08-07 | 2020-11-27 | 北京浪潮数据技术有限公司 | Source code scanning tool, method, equipment and medium |
CN112118251A (en) * | 2020-09-15 | 2020-12-22 | 四川长虹电器股份有限公司 | Vulnerability detection method of Java project open source component based on maven plug-in |
CN112463200A (en) * | 2020-12-10 | 2021-03-09 | 微医云(杭州)控股有限公司 | Development kit processing method and device, electronic device and storage medium |
CN113449306A (en) * | 2021-09-02 | 2021-09-28 | 湖南省佳策测评信息技术服务有限公司 | Security vulnerability early warning method and system based on software source code analysis |
CN114443043A (en) * | 2021-12-17 | 2022-05-06 | 深圳开源互联网安全技术有限公司 | Maven source package third-party component detection method and system |
CN117031052A (en) * | 2023-10-09 | 2023-11-10 | 广州市普理司科技有限公司 | Single printed matter front and back vision detection control system |
CN117031052B (en) * | 2023-10-09 | 2024-01-09 | 广州市普理司科技有限公司 | Single printed matter front and back vision detection control system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110806978A (en) | Defect management method and device for third-party component | |
CN102663281B (en) | Method and device for detecting malicious software | |
US20170161496A1 (en) | Method and device for identifying virus apk | |
CN105786538B (en) | software upgrading method and device based on android system | |
US10027704B2 (en) | Malicious program finding and killing device, method and server based on cloud security | |
CN105335187A (en) | Application processing method and apparatus | |
CN107038045A (en) | Load the method and device of library file | |
CN108460273B (en) | A terminal application management method, application server and terminal | |
US8869284B1 (en) | Systems and methods for evaluating application trustworthiness | |
CN113642004B (en) | A method, device and equipment for container image security scanning and repair | |
CN104517054A (en) | Method, device, client and server for detecting malicious APK | |
US11645086B2 (en) | System and method for implementing a filesystem agent management solution | |
US11695793B2 (en) | Vulnerability scanning of attack surfaces | |
CN103885808A (en) | Hotfix processing method and device | |
CN110298179B (en) | Open source framework security vulnerability detection method and device | |
CN103793649A (en) | Method and device for cloud-based safety scanning of files | |
KR20140093699A (en) | Unauthorized application detection system and method | |
CN104156215A (en) | Method and device for obtaining application program information on basis of mobile operating system | |
CN114021115A (en) | Malicious application detection method and device, storage medium and processor | |
CN107103243B (en) | Vulnerability detection method and device | |
US9686310B2 (en) | Method and apparatus for repairing a file | |
CN104424429A (en) | Document behavior monitoring method and user equipment | |
CN110807198B (en) | Method for acquiring information for repairing bugs and patch processing system | |
CN109784051A (en) | Protecting information safety method, device and equipment | |
US12348550B2 (en) | Predicting and using threat levels for cyber threats using data from public data sources |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | | Application publication date: 20200218 |
RJ01 | Rejection of invention patent application after publication | | Application publication date: 20200218 |