CN112115473A - Method for security detection of Java open source assembly - Google Patents
- Publication number: CN112115473A
- Application number: CN202010968713.2A
- Authority: CN (China)
- Prior art keywords: open source, security, maven, file, source component
- Legal status: Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/561—Virus type analysis
- G06F21/562—Static detection
- G06F21/565—Static detection by checking file integrity
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Abstract
The invention discloses a method for security detection of Java open source components. A private repository is built with Maven, the open source components stored in it are marked with security risk levels and stored as first open source components; a system project file is uploaded, and a Maven dependency package information extraction plug-in configured in the Maven project's pom file analyzes it to obtain the list of second open source components on which the project file depends; for each second open source component the corresponding third open source component is found among the first open source components, and the two are compared to generate a security report. The method defines an open source component library, marks the open source components along four security dimensions, detects the open source components referenced by the uploaded system project file, finds those carrying security risks, and so improves the security of the system project file.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a method for security detection of Java open source components.
Background
As society becomes ever more information-driven, computer software systems grow more complex, their functions broaden and their source code grows larger, so the correctness of a program becomes difficult to guarantee. The large number of defects introduced during software development is one of the main sources of software vulnerabilities. An attacker can bypass software security authentication by exploiting such vulnerabilities, attack and intrude on the information system, obtain system user privileges illegitimately, and carry out a series of illegal operations and malicious attacks.
In the internet wave, more and more internet companies are stepping up software development and raising the technical content of their products. In this process many open source components and open source software packages are used and further developed, so security detection of these components and software is urgently needed, yet the prior art offers no method for detecting them.
Disclosure of Invention
The invention aims to provide a method for security detection of Java open source components, to solve the problem that the prior art has no security detection method for open source components.
The invention solves this problem through the following technical scheme:
a method for Java open source component security detection, comprising:
step S100: building a private repository with Maven, marking a security risk level on each open source component stored in the private repository, and storing it as a first open source component;
step S200: uploading a system project file, and analyzing it with a Maven dependency package information extraction plug-in configured in the Maven project's pom file to obtain a list of the second open source components on which the project file depends;
step S300: finding, among the first open source components, the third open source component corresponding to each second open source component, and comparing the second open source component with the third open source component to generate a security report.
The step S200 specifically includes:
step S210: establishing a baseline for the Maven code project file to be detected;
step S220: extracting the source code corresponding to the baseline version from the source code library;
step S230: compiling the source code project file and downloading the dependency packages on which the project file depends;
step S240: configuring a Maven dependency package information extraction plug-in in the Maven project's pom file, executing the corresponding Maven command, and generating the Maven dependency package information data file of the current project file.
The step S300 specifically includes:
step S310: uploading the Maven dependency package information data file;
step S320: querying the Maven open source dependency package security database, comparing the Maven dependency package information entry by entry, and generating a security report.
The security risk level in step S100 is marked along three dimensions: license (authorization permission) verification, virus and Trojan detection, and security vulnerability detection;
license verification: obtaining the license information of the open source component and classifying its security risk according to that license information;
virus and Trojan detection: performing virus and Trojan detection on the open source component by integrating an existing virus and Trojan detection interface;
security vulnerability detection: detecting vulnerabilities in the open source component by integrating an existing security vulnerability scanning software interface.
Before the security report is generated in step S300, tamper-proof verification of the file is also performed and its result is added to the security report. The tamper-proof verification method is: matching the MD5, SHA1 and SHA256 values of the second open source component against those of the third open source component, and determining the file tampering risk level from the result.
The private repository also stores open source software, and the security detection of open source software is the same as that of open source components.
Compared with the prior art, the invention has the following advantages and beneficial effects:
the invention defines a complete open source component library and open source software library, labels the open source components and software along four security dimensions (license verification, virus and Trojan detection, file tamper-proof verification and security vulnerability detection), and detects the open source components and software referenced by uploaded system project files, so as to find those with security risks, provide remediation suggestions, and improve the security of the system project files.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
The present invention will be described in further detail with reference to examples, but the embodiments of the present invention are not limited thereto.
Example 1:
Referring to FIG. 1, a method for security detection of Java open source components includes:
step S100: building a private repository with Maven, marking a security risk level on each open source component stored in the private repository, and storing it as a first open source component;
step S200: uploading a system project file, and analyzing it with a Maven dependency package information extraction plug-in configured in the Maven project's pom file to obtain a list of the second open source components on which the project file depends; step S200 specifically includes:
step S210: a configuration manager establishes a baseline for the Maven code project file to be detected;
step S220: a developer extracts the source code corresponding to the baseline version from the source code library on site;
step S230: the developer compiles the source code project file and downloads the dependency packages it depends on to the local machine;
step S240: the developer configures the Maven dependency package information extraction plug-in in the Maven project's pom file, executes the corresponding Maven command, and generates the Maven dependency package information data file of the current project file.
The plug-in is configured and invoked by its Maven coordinates as follows (the original listing ran the `projectCode` and `projectName` parameters together without a separating space, which is corrected here):

```
mvn com.changhong.cloud:osc-sd-maven-plugin:1.0.0:detect \
  -Ddetect.projectCode=codeXXX -Ddetect.projectName=nameXXX \
  -Ddetect.email=somebody@changhong.com \
  -Ddetect.serviceUrl=http://oscsd.changhong.io/v1
```
The security inspector copies the Maven dependency package information data file from the development unit. The command that extracts the Java component information is, per platform:

```
# Windows
./osc-sd-tool_windows_amd64.exe
# Linux
./osc-sd-tool_linux_amd64
# macOS
./osc-sd-tool_darwin_amd64
```
The security inspector then uploads the Maven dependency package information data file.
The background program queries the Maven open source dependency package security database, compares the Maven dependency package information entry by entry, and generates a security report. The background executes the security detection task with the plug-in's `detect` goal, either bare or with the project parameters:

```
mvn com.changhong.cloud:osc-sd-maven-plugin:1.0.0:detect

mvn com.changhong.cloud:osc-sd-maven-plugin:1.0.0:detect \
  -Ddetect.projectCode=codeXXX -Ddetect.projectName=nameXXX \
  -Ddetect.email=somebody@changhong.com \
  -Ddetect.serviceUrl=http://oscsd.changhong.io/v1
```

The security inspector feeds the security report back to the developer.
Example 2:
Furthermore, the security risk level in step S100 is labelled along three dimensions: license (authorization permission) verification, virus and Trojan detection, and security vulnerability detection;
license verification: obtaining the license information of the open source component and classifying its security risk according to that license information;
the risk classification is as follows:
- MIT: low risk. The developer retains the original author's license information in the modified source code.
- Apache 1.0: intermediate risk. The open source component or software uses an Apache 1.0 license, and the developer does not retain the original author's license information in the modified source code.
- Apache 2.0: low risk. The open source component or software uses an Apache 2.0 license, and the developer does not retain the original author's license information in the modified source code.
- Other licenses: intermediate risk. The open source component uses another license, and the developer does not retain the original author's license information in the modified source code.
virus and Trojan detection: performing virus and Trojan detection on the open source component by integrating an existing virus and Trojan detection interface;
the risk classification is as follows:
- virus present: high risk;
- suspected virus: intermediate risk;
- no virus: no risk.
security vulnerability detection: detecting vulnerabilities in the open source component by integrating an existing security vulnerability scanning software interface.
The risk classification is as follows:
- fatal security vulnerability: fatal risk;
- severe security vulnerability: high risk;
- high-risk security vulnerability: high risk;
- medium-risk security vulnerability: medium risk;
- low-risk security vulnerability: low risk.
Before the security report is generated in step S300, tamper-proof verification of the file is also performed and its result is added to the security report. The tamper-proof verification method is: matching the MD5, SHA1 and SHA256 values of the second open source component against those of the third open source component, and determining the file tampering risk level from the result.
The risk classification is as follows:
- MD5 value match: no risk;
- MD5 value mismatch: high risk;
- SHA1 value match: no risk;
- SHA1 value mismatch: high risk;
- SHA256 value match: no risk;
- SHA256 value mismatch: high risk.
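As an added, runnable example that is not part of the patent, the following Python models steps S200 and S300 end to end: the second components are read from a constructed pom.xml, each is looked up in a constructed private-repository security database keyed by Maven coordinates (an assumption; the patent does not specify the database format), the three S100 labels are mapped through the risk tables above, and the downloaded component's MD5, SHA1 and SHA256 are matched against the stored reference hashes. All coordinates, jar bytes and labels are constructed sample data.

```python
import hashlib
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml of the project under test (the "system project file").
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>util</artifactId><version>1.2.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>net</artifactId><version>0.9.1</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>unknown</artifactId><version>3.0.0</version></dependency>
  </dependencies>
</project>"""

# Constructed bytes of the jars the developer downloaded in S230 (second components).
# "net" has been altered relative to the repository copy to exercise the tamper check.
DOWNLOADED = {
    "org.example:util:1.2.0": b"constructed jar bytes A",
    "org.example:net:0.9.1": b"constructed jar bytes B (modified)",
    "org.example:unknown:3.0.0": b"constructed jar bytes C",
}


def digests(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of a component, the three values the tamper check compares."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


# Constructed private-repository security database (first components): the three
# S100 labels plus the reference hashes recorded when the component was stored.
PRIVATE_REPO = {
    "org.example:util:1.2.0": {"license": "Apache 2.0", "virus": "no virus",
                               "vuln": "low risk security hole",
                               "hashes": digests(b"constructed jar bytes A")},
    "org.example:net:0.9.1": {"license": "other", "virus": "suspected virus",
                              "vuln": "high risk security hole",
                              "hashes": digests(b"constructed jar bytes B")},
}

# Risk tables as given in the patent's Example 2.
LICENSE_RISK = {"MIT": "low", "Apache 1.0": "intermediate", "Apache 2.0": "low", "other": "intermediate"}
VIRUS_RISK = {"there is a virus": "high", "suspected virus": "intermediate", "no virus": "none"}
VULN_RISK = {"fatal security vulnerability": "fatal", "severe security breach": "high",
             "high risk security hole": "high", "medium risk security hole": "medium",
             "low risk security hole": "low"}


def extract_dependencies(pom_xml: str) -> list:
    """S200: list the coordinates (groupId:artifactId:version) the pom depends on."""
    root = ET.fromstring(pom_xml)
    coords = []
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        parts = [dep.findtext(f"m:{t}", namespaces=POM_NS) for t in ("groupId", "artifactId", "version")]
        coords.append(":".join(parts))
    return coords


def tamper_risk(actual: dict, reference: dict) -> dict:
    """Per-algorithm match ('no risk') or mismatch ('high risk'), as in the patent's table."""
    return {a: ("no risk" if actual[a] == reference[a] else "high risk") for a in reference}


def security_report(pom_xml: str, downloaded: dict, repo: dict) -> dict:
    """S300: find each second component's third component in the repository and compare."""
    report = {}
    for coord in extract_dependencies(pom_xml):
        entry = repo.get(coord)
        if entry is None:
            # Not in the private repository: no labels exist, so it is flagged for review.
            report[coord] = {"status": "not in private repository"}
            continue
        report[coord] = {
            "status": "matched",
            "license_risk": LICENSE_RISK.get(entry["license"], LICENSE_RISK["other"]),
            "virus_risk": VIRUS_RISK[entry["virus"]],
            "vuln_risk": VULN_RISK[entry["vuln"]],
            "tamper": tamper_risk(digests(downloaded[coord]), entry["hashes"]),
        }
    return report
```

Note that a component absent from the private repository cannot be labelled at all, which in practice is itself a finding worth surfacing in the report.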
Although the present invention has been described herein with reference to the illustrated embodiments thereof, which are intended to be preferred embodiments of the present invention, it is to be understood that the invention is not limited thereto, and that numerous other modifications and embodiments can be devised by those skilled in the art that will fall within the spirit and scope of the principles of this disclosure.
Claims (5)
1. A method for security detection of a Java open source component, comprising:
step S100: building a private repository with Maven, marking a security risk level on each open source component stored in the private repository, and storing it as a first open source component;
step S200: uploading a system project file, and analyzing it with a Maven dependency package information extraction plug-in configured in the Maven project's pom file to obtain a list of the second open source components on which the project file depends;
step S300: finding, among the first open source components, the third open source component corresponding to each second open source component, and comparing the second open source component with the third open source component to generate a security report.
2. The method for security detection of a Java open source component according to claim 1, wherein step S200 specifically includes:
step S210: establishing a baseline for the Maven code project file to be detected;
step S220: extracting the source code corresponding to the baseline version from the source code library;
step S230: compiling the source code project file and downloading the dependency packages on which the project file depends;
step S240: configuring a Maven dependency package information extraction plug-in in the Maven project's pom file, executing the corresponding Maven command, and generating the Maven dependency package information data file of the current project file.
3. The method for security detection of a Java open source component according to claim 2, wherein step S300 specifically includes:
step S310: uploading the Maven dependency package information data file;
step S320: querying the Maven open source dependency package security database, comparing the Maven dependency package information entry by entry, and generating a security report.
4. The method for security detection of a Java open source component according to claim 1, wherein the security risk level in step S100 is labelled along three dimensions: license (authorization permission) verification, virus and Trojan detection, and security vulnerability detection;
license verification: obtaining the license information of the open source component and classifying its security risk according to that license information;
virus and Trojan detection: performing virus and Trojan detection on the open source component by integrating an existing virus and Trojan detection interface;
security vulnerability detection: detecting vulnerabilities in the open source component by integrating an existing security vulnerability scanning software interface.
5. The method for security detection of a Java open source component according to claim 4, wherein before the security report is generated in step S300, file tamper-proof verification is also performed and its result is added to the security report, the file tamper-proof verification method comprising: matching the MD5, SHA1 and SHA256 values of the second open source component against those of the third open source component, and determining the file tampering risk level from the result.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010968713.2A CN112115473A (en) | 2020-09-15 | 2020-09-15 | Method for security detection of Java open source assembly |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112115473A true CN112115473A (en) | 2020-12-22 |
Family ID: 73803101
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010968713.2A Pending CN112115473A (en) | 2020-09-15 | 2020-09-15 | Method for security detection of Java open source assembly |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112115473A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113343222A (en) * | 2021-06-30 | 2021-09-03 | 招商局金融科技有限公司 | Java project engineering safety verification method and device, computer equipment and storage medium |
CN113343223A (en) * | 2021-06-30 | 2021-09-03 | 招商局金融科技有限公司 | Jar package safety monitoring method and device, computer equipment and storage medium |
CN114647854A (en) * | 2022-03-01 | 2022-06-21 | 深圳开源互联网安全技术有限公司 | Component security detection method and device, firewall and component downloading system |
CN115357898A (en) * | 2022-07-08 | 2022-11-18 | 深圳开源互联网安全技术有限公司 | Dependency analysis method, device and medium for JAVA component |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108293048A (en) * | 2015-11-25 | 2018-07-17 | 索纳泰公司 | The method and system of software hazard for control software exploitation |
CN108763928A (en) * | 2018-05-03 | 2018-11-06 | 北京邮电大学 | A kind of open source software leak analysis method, apparatus and storage medium |
CN110543767A (en) * | 2019-08-10 | 2019-12-06 | 苏州浪潮智能科技有限公司 | automatic monitoring method and system for open source component vulnerability |
CN110618931A (en) * | 2019-08-14 | 2019-12-27 | 重庆金融资产交易所有限责任公司 | Dependency relationship detection method and device, computer equipment and readable storage medium |
CN110909363A (en) * | 2019-11-25 | 2020-03-24 | 中国人寿保险股份有限公司 | Software third-party component vulnerability emergency response system and method based on big data |
CN111309713A (en) * | 2020-05-14 | 2020-06-19 | 深圳开源互联网安全技术有限公司 | Method and device for generating Maven open source software library and storage medium |
CN111625839A (en) * | 2020-05-29 | 2020-09-04 | 深圳前海微众银行股份有限公司 | Third-party component vulnerability detection method, device, equipment and computer storage medium |
- 2020-09-15 CN CN202010968713.2A patent/CN112115473A/en active Pending
Non-Patent Citations (1)
Title |
---|
测试开发KEVIN: "Dependency: a killer tool for detecting security vulnerabilities in code dependency packages", 《HTTPS://WWW.JIANSHU.COM/P/3618761F9BC6》 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20201222 |