
CN114116471A - Automatic code scanning method, system, electronic equipment and storage medium - Google Patents


Info

Publication number: CN114116471A
Authority: CN (China)
Prior art keywords: code scanning, code, software, tool, module
Legal status: Pending
Application number: CN202111392774.XA
Other languages: Chinese (zh)
Inventors: 梁冰, 刘晓玲, 路小菲, 袁楚尧, 钱戈, 徐雄, 张萍
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/36 Prevention of errors by analysis, debugging or testing of software
    • G06F 11/3604 Analysis of software for verifying properties of programs

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The present disclosure provides an automated code scanning method, system, electronic device and storage medium. By providing a variable acquisition module, a code scanning tool matching module, a code scanning task management module, a code scanning task execution module and a code scanning result management module, the method acquires the variables required to configure a code scanning tool when the software security test pipeline runs, then, according to built-in matching rules combined with those variables, resolves a code scanning tool selection instruction that matches the requirements of the software security test pipeline project, selects a code scanning tool according to that selection instruction and creates the corresponding code scanning task, and thereby automatically deploys the code scanning task into the software security test pipeline to perform software code scanning. The automated code scanning method and system can automatically select the code scanning tool according to the stage of software development and the code change situation, so that users discover code quality and security problems as early as possible during software development.

Description

Automatic code scanning method, system, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of software testing technologies, and in particular, to an automated code scanning method, system, electronic device, and storage medium.
Background
The main work of software code security detection is to analyze the source code files of a system and locate the code structures that cause security vulnerabilities. In recent years, security testing of source code has developed considerably and is divided into static testing and dynamic testing. Static code analysis is relatively mature and has clear advantages: it is efficient, automated and low-cost, and it can perform security analysis on the program under test without running it. The static testing method uses static analysis to collect the relevant information and code characteristics of the program and makes the corresponding judgement without executing the program. Common static testing methods currently include lexical and syntactic analysis, semantic analysis based on the abstract syntax tree, rule-check analysis, data flow and control flow analysis, string matching and modelling analysis. The lexical and syntactic analysis method performs lexical and syntactic analysis on the source code and marks possible security problems by comparison against a configured security vulnerability library. The semantic analysis method based on the abstract syntax tree scans the source code, constructs an abstract syntax tree from the scan result, refines the constructed syntax tree inductively, extracts the code core, examines the semantic information of the code, performs global, module-level and local analysis on the code, and detects security vulnerabilities.
Rule detection is in effect rule comparison: according to international security vulnerability definitions, some universal vulnerabilities are described using a specific syntax, are parsed and converted through an intermediate file into an acceptable internal code representation, and the required information obtained after source code scanning is matched against the written code rules to find describable source code security vulnerabilities. This method is widely used and can discover security holes in code more accurately. The data flow and control flow analysis method is a code logic analysis method that collects and analyzes variables along the code logic paths and detects whether a variable is used unsafely. This method handles a large volume of detection data and has a better detection effect on code memory errors; at present it is mostly used as an auxiliary testing method.
Static code scanning is one part of software code security detection. By scanning and analyzing the semantic structure of the code, it finds the problems introduced while the code was written and provides a corresponding solution for each defect, thereby ensuring the quality of the code while saving a large amount of labor and time. The goal of static code scanning is to find as many problems as possible during development, since the later a bug is found in development, the greater the cost of repair; statistics show that 30% to 70% of code logic design and coding defects can be found and repaired by static code analysis across the software development lifecycle.
Defects in code can be found comprehensively and quickly through a code scanning tool, which analyzes the source code from the aspects of data flow, control flow, semantics, structure and configuration using predefined rules. At present, the code scanning flow of a DevOps-based software development platform selects a scanning tool and performs the corresponding development configuration according to the project technology stack and security requirements. When a project introduces a new development language or selects a new scanning tool, reconfiguration is required, and users cannot freely choose the combination and execution steps of security testing tools according to the characteristics of the application project, which limits the flexible application of the code scanning flow and reduces the efficiency and quality of software security testing.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The present disclosure is directed to an automated code scanning method and system for overcoming, at least to some extent, the problems of the related art, which may result in failure to automatically select a code scanning tool and version according to different stages of software development and code change situations.
According to one aspect of the present disclosure, there is provided an automated code scanning method, comprising:
acquiring variables required by a configuration code scanning tool when a software safety test pipeline runs;
resolving a code scanning tool selection instruction matched to the software security test pipeline project requirement according to a built-in matching rule and the variables required by the code scanning tool;
selecting a code scanning tool according to the code scanning tool selection instruction and creating a corresponding code scanning task;
automatically deploying the code scanning task into the software security testing pipeline to execute software code scanning;
and acquiring the software code scanning result and forming a software code scanning report.
In an exemplary embodiment of the present disclosure, the variables required by the code scanning tool include a code base address, a code base branch, a code base version, a development language, a trigger event, a compilation instruction, a pipeline type and an execution cycle. The matching rules cover code base address, code base branch, development language, compilation instruction, pipeline type and execution cycle. The code scanning tool selection instruction comprises the Docker image name of the scanning tool, the scanning tool authentication information, a scanning rule set, a scanning instruction and scanning tool parameters.
According to one aspect of the present disclosure, there is provided an automated code scanning system comprising:
the variable acquisition module is used for acquiring the variables required to configure the code scanning tool when the software security test pipeline runs;
the code scanning tool matching module is used for analyzing a code scanning tool selection instruction matched with the software security test pipeline project requirement according to a built-in matching rule and a variable required by the code scanning tool;
the code scanning task management module is used for selecting a code scanning tool according to the code scanning tool selection instruction and creating a corresponding code scanning task;
the code scanning task execution module is used for automatically deploying the code scanning task to the software security testing pipeline to execute software code scanning;
and the code scanning result management module is used for acquiring the software code scanning result and forming a software code scanning report.
In an exemplary embodiment of the present disclosure, the code scanning tool is provided with an API interface.
In an exemplary embodiment of the present disclosure, a docker container is disposed in the code scanning task execution module.
In one exemplary embodiment of the present disclosure, the software security test pipeline is provided in a software development platform of DevOps.
In an exemplary embodiment of the disclosure, the code scanning task execution module includes a quality detection module.
In an exemplary embodiment of the present disclosure, the code scan result management module includes a system administrator management module, a debugging personnel management module, and a report generation module.
According to an aspect of the present disclosure, there is provided an electronic device including:
a memory; and
a processor coupled to the memory, the processor configured to perform the automated code scanning method as described above based on instructions stored in the memory.
According to an aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon a program which, when executed by a processor, implements an automated code scanning method as described above.
By providing a variable acquisition module, a code scanning tool matching module, a code scanning task management module, a code scanning task execution module and a code scanning result management module, the disclosed embodiment acquires the variables required to configure the code scanning tool when the software security test pipeline runs, resolves, according to a built-in matching rule combined with those variables, a code scanning tool selection instruction matching the project requirements of the software security test pipeline, selects the code scanning tool according to the selection instruction and creates the corresponding code scanning task, and thereby automatically deploys the code scanning task into the software security test pipeline to execute the software code scanning. The automated code scanning method and system support multiple scanning tools, the code scanning tool can be selected automatically according to the stage of software development and the code change situation, and users can find code quality and security problems as early as possible during software development.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
FIG. 1 schematically illustrates a flow chart of one automated code scanning method 100 of the present disclosure.
Fig. 2 schematically shows a flow chart of the rule matching step in fig. 1.
FIG. 3 schematically illustrates a schematic diagram of an automated code scanning system 300 of the present disclosure.
Fig. 4 schematically shows a built-in module diagram in the code scan result management module in fig. 3.
Fig. 5 schematically shows a management flow diagram built into the system administrator management module in fig. 4.
Fig. 6 schematically shows a management flowchart built into the debugging personnel management module in fig. 4.
Fig. 7 schematically shows a management flowchart built in the report generation module in fig. 4.
Fig. 8 schematically illustrates a block diagram of an electronic device 800 in an exemplary embodiment of the disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and the like. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
Further, the drawings are merely schematic illustrations of the present disclosure, in which the same reference numerals denote the same or similar parts, and thus, a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The following detailed description of exemplary embodiments of the disclosure refers to the accompanying drawings.
FIG. 1 schematically illustrates a flow chart of one automated code scanning method 100 of the present disclosure.
Referring to FIG. 1, an automated code scanning method 100 may include:
step S102, obtaining variables required by a configuration code scanning tool when a software safety test pipeline runs;
step S104, resolving a code scanning tool selection instruction matching the software safety test pipeline project requirement according to a built-in matching rule and the variables required by the code scanning tool;
step S106, selecting a code scanning tool according to the code scanning tool selection instruction and creating a corresponding code scanning task;
step S108, automatically deploying the code scanning task into the software security test pipeline to execute software code scanning;
and step S110, acquiring the software code scanning result and forming a software code scanning report.
Code is an important component of a software product, and the quality of the code reflects the quality of the software. As a team gradually grows and people change, a decline in code quality is unavoidable, so it was decided to develop a platform inside the company to maintain the quality of the existing code while placing strict requirements on the quality of new code, providing an automated control platform for overall code quality. Code quality refers to the quality of the code itself and includes elements such as complexity, duplication rate and code style. Code is the common property of the team, and code quality is a direct embodiment of the team's technical and management level. The degradation of code quality is usually self-reinforcing, leading to a vicious circle.
Most teams draw up a code writing specification at the start of project development, but many members ignore it and write code arbitrarily during development, which reduces the readability, maintainability and changeability of the code. To solve these existing and potential problems, a platform that can visualize code quality is needed to strictly control the quality of the product code and gradually convert both the online code and newly produced code into high-quality code. High-quality code needs the following characteristics: clear logic, in which bugs are hard to hide; minimal dependencies, which make it easy to maintain; error handling that follows an explicit policy; optimized performance; and encapsulated code that does only one thing. These characteristics are easy to understand but not easy to achieve in practice, so a code quality control platform is set up inside the company to assist code management, which can reduce manpower to a large extent.
According to the method and the system for automatically scanning the codes, the code scanning tool is automatically selected according to different stages of software development and code change conditions, so that a user can find the code quality and safety problems as early as possible in the software development stage. By the automatic code scanning method 100 of the embodiment of the disclosure, submitted codes can be evaluated and fed back in real time, so that developers can receive related messages in time to perform a series of quality assurance works, the overall code quality can be improved, and codes written by the developers can be gradually normalized to improve the working efficiency.
The steps of the automated code scanning method 100 are described in detail below.
Step S102, obtaining the variables required to configure the code scanning tool when the software security test pipeline runs.
The variables required by the code scanning tool include a code base address, a code base branch, a code base version, a development language, a trigger event, a compilation instruction, a pipeline type, an execution cycle and the like, and serve as the input parameters of code scanning. The data collection of step S102 is embedded in the continuous integration pipeline as part of the pipeline's common function library.
Step S104, resolving a code scanning tool selection instruction matching the software security test pipeline project requirement according to a built-in matching rule and the variables required by the code scanning tool. The matching rules cover code base address, code base branch, development language, compilation instruction, pipeline type and execution cycle. The code scanning tool selection instruction comprises the Docker image name of the scanning tool, the scanning tool authentication information, a scanning rule set, a scanning instruction and scanning tool parameters. The system administrator can also set, for each scan of each language, which rules need to be checked and which do not, and the matching rules are divided into groups so that they can be conveniently selected when the code is scanned and checked.
All code scanning and detection need to be according to rules agreed in advance, a system administrator can write the rules, testers and developers can put forward new rules, and the codes need to be detected according to the content in the rules during each scanning.
Fig. 2 schematically shows a flow chart of the rule matching step in fig. 1.
Referring to fig. 2, the step of matching the built-in rule specifically includes: step S202, collecting rules; step S204, writing rules; step S206, compiling into a rule base; in step S208, code scanning is performed.
Step S106, selecting a code scanning tool according to the code scanning tool selection instruction and creating a corresponding code scanning task. Candidate code scanning tools include the SonarQube Community and Enterprise editions and Fortify, among others. SonarQube (Sonar) is an open-source platform for code quality management that manages the quality of source code and can examine code quality from seven dimensions; the platform itself handles most languages and, through plug-ins, supports code quality management and detection for twenty programming languages including Java, C#, C/C++, PL/SQL, Cobol, JavaScript and Groovy. Fortify SCA is a static-analysis-based software source code security testing tool developed by Fortify Software. It statically analyzes the source code of the application from the aspects of data flow, semantics, structure, control flow and configuration flow, and during analysis performs comprehensive matching and searching against a dedicated software security vulnerability rule set, thereby scanning out the security vulnerabilities present in the source code and producing a sorted report.
Specifically, this embodiment can extend the static code scanning function on the SonarQube open-source platform, which can scan most development languages and contains some rules for those languages internally, making it convenient for users. Most of those rules cover problems frequently encountered in development; although they can scan for some common problems, they cannot meet the detection rules used inside the company, so rules suited to the company's internal requirements need to be added, and an independent scanning function needs to be added within security detection so that users can view a comprehensive code scanning report.
The automated code scanning method 100 supports multiple scanning tools (including code scanning that requires a compilation step) and generates the scanning command executable by the pipeline through a background module, so the pipeline implementation is simple and no separate development is needed for each scanning tool.
Step S104 and step S106 are embedded in a background management system independent of the pipeline. The background management system records the scan record and returns to the pipeline the data required to execute the code scan (the scanning tool's Docker image name, authentication parameters, execution instructions and parameters, and so on). A tester can log in with a tester account, manage the different code scanning tasks after entering the background management system, set the visibility of different code scanning tasks to different developers, and locate the developers who should modify the code according to the problem classification.
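The selection step described above (variables collected when the pipeline runs, matched against built-in rules to produce a selection instruction carrying an image name, authentication reference, rule set, command and parameters, which the background module then renders as a command the pipeline can execute) is illustrated by the following added Python example. It is not code from the patent or from China Telecom's platform; the field names, rules, registry paths and secret names are constructed assumptions. Two defensive details a practitioner would want are included: the authentication information is referenced by secret name rather than stored in the recorded instruction, and every pipeline-supplied value is shell-quoted before it reaches the command line.

```python
"""Added example (not from the patent): rule-based selection of a scanning
tool from pipeline variables, and rendering of the result as a command.
All names, images, secrets and rules below are constructed sample data."""
import fnmatch
import re
import shlex
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PipelineVariables:
    """Input parameters collected at pipeline run time (constructed field names)."""
    repo_url: str
    branch: str
    version: str
    language: str
    trigger_event: str     # e.g. "push", "merge_request", "schedule"
    build_command: str     # compilation instruction; empty for interpreted languages
    pipeline_type: str     # e.g. "ci", "release"
    execution_cycle: str   # e.g. "per_commit", "nightly"


@dataclass(frozen=True)
class MatchingRule:
    """One built-in rule. A None criterion is a wildcard; among matching
    rules the highest priority wins and earlier rules win ties."""
    name: str
    image: str
    auth_secret: str       # NAME of the pipeline secret, never the secret value
    rule_set: str
    scan_command: str
    params: tuple = ()
    priority: int = 0
    repo_glob: Optional[str] = None
    branch_glob: Optional[str] = None
    languages: Optional[frozenset] = None
    needs_build: Optional[bool] = None
    pipeline_types: Optional[frozenset] = None
    execution_cycles: Optional[frozenset] = None

    def matches(self, v: PipelineVariables) -> bool:
        return all((
            self.repo_glob is None or fnmatch.fnmatchcase(v.repo_url, self.repo_glob),
            self.branch_glob is None or fnmatch.fnmatchcase(v.branch, self.branch_glob),
            self.languages is None or v.language.lower() in self.languages,
            self.needs_build is None or self.needs_build == bool(v.build_command.strip()),
            self.pipeline_types is None or v.pipeline_type in self.pipeline_types,
            self.execution_cycles is None or v.execution_cycle in self.execution_cycles,
        ))


# Constructed sample rule base; registry paths and secret names are placeholders.
SAMPLE_RULES = (
    MatchingRule("sonar-java-ci", "registry.example.com/scanners/sonar-java:1",
                 "SONAR_TOKEN", "company-java-rules", "sonar-scan", ("--with-build",),
                 priority=5, languages=frozenset({"java"}), needs_build=True,
                 pipeline_types=frozenset({"ci"})),
    MatchingRule("sonar-script-ci", "registry.example.com/scanners/sonar-script:1",
                 "SONAR_TOKEN", "company-script-rules", "sonar-scan", priority=5,
                 languages=frozenset({"javascript", "typescript", "python"}),
                 needs_build=False, pipeline_types=frozenset({"ci"})),
    MatchingRule("fortify-release", "registry.example.com/scanners/fortify-sca:1",
                 "FORTIFY_TOKEN", "company-security-full", "sourceanalyzer", ("-scan",),
                 priority=10, branch_glob="release/*", pipeline_types=frozenset({"release"})),
    MatchingRule("generic-fallback", "registry.example.com/scanners/generic-lint:1",
                 "LINT_TOKEN", "company-baseline", "lint"),
)


def select_tool(variables: PipelineVariables, rules=SAMPLE_RULES) -> dict:
    """Resolve the tool selection instruction for the given variables."""
    candidates = [r for r in rules if r.matches(variables)]
    if not candidates:
        raise LookupError(f"no rule matches {variables.language}/{variables.pipeline_type}")
    best = max(candidates, key=lambda r: r.priority)   # first maximum wins ties
    return {"rule": best.name, "image": best.image, "auth_secret": best.auth_secret,
            "rule_set": best.rule_set, "scan_command": best.scan_command,
            "params": list(best.params)}


_ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def build_pipeline_command(selection: dict, variables: PipelineVariables,
                           workspace: str = "/workspace") -> str:
    """Render the selection as a `docker run` line. `-e NAME` without a value
    copies the secret from the runner's environment, so the token is never
    written into the instruction; shlex.quote keeps metacharacters in a
    branch name or URL from altering the command."""
    if not _ENV_NAME.fullmatch(selection["auth_secret"]):
        raise ValueError(f"invalid secret name {selection['auth_secret']!r}")
    tokens = ["docker", "run", "--rm", "-v", f"{workspace}:/src", "-w", "/src",
              "-e", selection["auth_secret"],
              "-e", f"SCAN_RULE_SET={selection['rule_set']}",
              "-e", f"REPO_URL={variables.repo_url}",
              "-e", f"REPO_BRANCH={variables.branch}",
              "-e", f"REPO_VERSION={variables.version}",
              "-e", f"BUILD_COMMAND={variables.build_command}",
              selection["image"], selection["scan_command"], *selection["params"]]
    return " ".join(shlex.quote(t) for t in tokens)


if __name__ == "__main__":
    v = PipelineVariables("https://git.example.com/acme/billing.git", "feature/x y",
                          "a1b2c3d", "java", "push", "mvn -q package", "ci", "per_commit")
    print(build_pipeline_command(select_tool(v), v))
```

Running the module prints the rendered command for a constructed Java CI push; the branch and build command containing spaces come out single-quoted, and the token is referenced only as `-e SONAR_TOKEN`.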
Step S108, automatically deploying the code scanning task into the software security test pipeline to execute software code scanning.
Step S110, acquiring the software code scanning result and forming a software code scanning report.
The software code scanning report includes context tracking of the problem points found by the scan, analysis of the mutual calls between code blocks in the system, the passing of the various parameters and the invocation of functions and methods, and also key content such as a detailed analysis of how each code problem was found, the vulnerability verification result and vulnerability hardening suggestions. The software code scanning report can be used for closed-loop management and tracking of the subsequent correction of code problems.
Fig. 3 schematically illustrates a schematic diagram of an automated code scanning system 300 of the present disclosure.
Referring to FIG. 3, an automated code scanning system 300, comprising:
the variable acquisition module 310 is used for acquiring variables required by a configuration code scanning tool when the software security test pipeline runs;
the code scanning tool matching module 320 is used for resolving a code scanning tool selection instruction matching the software security test pipeline project requirement according to a built-in matching rule and a variable required by the code scanning tool;
the code scanning task management module 330 is configured to select a code scanning tool according to the code scanning tool selection instruction and create a corresponding code scanning task;
a code scanning task execution module 340, configured to automatically deploy the code scanning task into the software security testing pipeline to execute software code scanning;
and a code scan result management module 350, configured to obtain the software code scan result and form a software code scan report.
Specifically, the software security test pipeline is arranged in a DevOps software development platform, the code scanning tool is provided with an API (application programming interface), and the scanning task execution module is provided with a Docker container. Docker is an open-source platform that includes a container engine and the Docker Hub registry server. The Docker container engine allows developers to package their applications and dependencies into a portable container and then distribute it to any Linux machine. The Docker Hub registry server allows users to create their own image library on the server to store, manage and share images. With Docker, software can be configured once and run anywhere.
DevOps (a combination of Development and Operations) is a collective term for a set of processes, methods and systems for facilitating communication, collaboration and integration between Development (application/software engineering), technical Operations and Quality Assurance (QA) departments. The core concept of DevOps is efficient communication and collaboration among production teams (research, development, operation and maintenance and QA) to solve the common problems of (1) smaller or more frequent demand changes; (2) the production environment is not controlled by developers; (3) services are application-centric, not infrastructure; (4) more cost and time are needed for the development and deployment process with concise and clear definition; (5) the development and deployment process cannot be completely automated; (6) existing platform as a service (PaaS) virtual machines have difficulty facilitating development and operation collaboration.
In the embodiment, the Docker container is combined with a DevOps system, which has the advantages that:
(1) and (3) standardization: the integration and delivery links of the service are standardized by using the mirror image and the container respectively, and the working flow of product development and delivery is unified; the standardized production test environment avoids the problem of non-uniform environment in the development test process.
(2) Intelligentization: continuous integration enables code integration to be intelligent, and code pushing is automatically constructed; the automatic operation and maintenance provides intelligent state feedback and health check functions; the intelligent monitoring can know the service and the host operation state in time and find potential problems.
(3) Comprehensive: the development, operation and maintenance links of each product such as integration, deployment, operation and maintenance, monitoring and the like are covered, one step is achieved, and the worry and the labor are saved.
(4) And (3) fast: the s-level construction and deployment can be realized, and the development and delivery efficiency is improved; the rollback and the capacity expansion and contraction are quickly upgraded, so that the service can be quickly iterated and elastically expanded and contracted; convenient page operation and standard use flow enable the user to get on hand fast, improve work efficiency.
Through a virtualization mode provided by Docker, a set of reusable development environment can be quickly established, the development environment is distributed to all developers in a mirror image mode, and the purpose of simplifying the construction process of the development environment is achieved. Docker takes mirror image and container constructed on the basis of mirror image as the basis, and takes container as developing, testing and publishing unit, all dependencies related to the application are encapsulated in the container, the transplantation is convenient, the problem of dependency caused by migration of the application among different platforms is avoided, and the fact that the application achieves highly consistent actual effect in each stage of production environment is ensured.
Specifically, the system service user in the automated code scanning system 200 in the disclosed embodiment can be set to three roles, i.e., developer, tester and system administrator. Different roles have different rights to use different functions of the system. The system administrator can modify or supplement the scanning rules in the platform, can also perfect online test cases and the like, ensures that the detection result of the system is the latest and most reliable and meets the requirements, can check the test result provided by the system to review codes, and can submit the codes to the online after self-detection and modification after the codes are modified or added by developers.
The code scanning task execution module 240 includes a quality detection module 241. In the quality detection module 241 various qualities can be detected and managed, including complexity, coverage, documentation, duplication, problems, maintainability and reliability, and each of these sub-functions contains smaller functional modules. Documentation detection mainly covers the automatically generated documentation in the code, checking comment lines, comment density (%), public APIs, the share of public APIs that are documented (%) and undocumented public APIs. Problem detection classifies findings by severity, with levels such as blocker violations, confirmed problems, critical violations, false positives, informational violations, major violations and minor violations. When submitted code seriously violates a rule, the rule is highlighted in the report so that testers and developers can check it themselves. If a blocker violation is found in the scanned code, the report is marked in red, a special prompt is shown on the developer's machine and the reminder is repeated so that it is not missed; problems at other levels get an ordinary reminder and, if they do not affect normal operation of the function, the code may go online and be fixed later.
File size scanning covers classes, directories, files, methods, generated lines, generated code lines, code lines, projects and statements. If a single file is too large or a method exceeds the configured number of lines, an ordinary prompt reminds the developer that the function can be split to improve the readability and reusability of the code. If the system detects a security vulnerability, it is treated like a blocker: the same prompt is raised and an email is sent to the relevant tester so that the finding is tested.
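One way to implement the severity-to-action policy the two paragraphs above describe, as an added example that is not the patent's own code: findings are mapped to a gate result, a report marker and a notification list, with blockers and security vulnerabilities failing the gate and repeating the reminder, vulnerabilities additionally e-mailing the tester, and oversized files or methods producing an ordinary reminder. The severity scale, the size thresholds, the channel names and the sample findings are assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str   # "blocker" | "critical" | "major" | "minor" | "info"
    kind: str       # "vulnerability" | "bug" | "code_smell"
    path: str
    line: int
    author: str     # last committer of the line, e.g. from git blame


@dataclass(frozen=True)
class SizeMetric:
    path: str
    lines: int
    longest_method_lines: int


# Assumed thresholds for the file size scanning reminders.
MAX_FILE_LINES = 800
MAX_METHOD_LINES = 60


def triage(findings: List[Finding], metrics: List[SizeMetric],
           tester_email: str) -> Dict[str, list]:
    """Map scan findings to a gate result, report markers and notifications.

    blocker or vulnerability -> gate fails, red marker, repeated desktop
    reminder to the author; a vulnerability also e-mails the tester.
    any other finding        -> ordinary marker, a single reminder.
    oversize file or method  -> ordinary reminder to split the code.
    """
    gate = "pass"
    markers: List[Tuple[str, str, int, str]] = []   # (marker, path, line, rule)
    notify: List[Dict[str, object]] = []
    for f in findings:
        if f.severity == "blocker" or f.kind == "vulnerability":
            gate = "fail"
            markers.append(("red", f.path, f.line, f.rule))
            notify.append({"to": f.author, "channel": "desktop", "repeat": True,
                           "msg": f"{f.rule} at {f.path}:{f.line} must be fixed before release"})
            if f.kind == "vulnerability":
                notify.append({"to": tester_email, "channel": "email", "repeat": False,
                               "msg": f"security finding {f.rule} at {f.path}:{f.line}: please test"})
        else:
            markers.append(("ordinary", f.path, f.line, f.rule))
            notify.append({"to": f.author, "channel": "desktop", "repeat": False,
                           "msg": f"{f.severity} {f.rule} at {f.path}:{f.line}; fix in a later iteration"})
    for m in metrics:
        if m.lines > MAX_FILE_LINES or m.longest_method_lines > MAX_METHOD_LINES:
            notify.append({"to": None, "channel": "report", "repeat": False,
                           "msg": f"{m.path}: {m.lines} lines, longest method "
                                  f"{m.longest_method_lines} lines; consider splitting"})
    return {"gate": gate, "markers": markers, "notify": notify}


def severity_histogram(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity for the report summary."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample input; rule ids are illustrative, not a real tool's output.
SAMPLE_FINDINGS = [
    Finding("cmd-injection", "blocker", "vulnerability", "src/Exec.java", 42, "dev-a"),
    Finding("unused-local", "minor", "code_smell", "src/Util.java", 7, "dev-b"),
    Finding("null-deref", "major", "bug", "src/Util.java", 31, "dev-b"),
]
SAMPLE_METRICS = [SizeMetric("src/Exec.java", 120, 18), SizeMetric("src/Big.java", 1500, 95)]


if __name__ == "__main__":
    result = triage(SAMPLE_FINDINGS, SAMPLE_METRICS, "qa@example.invalid")
    print("gate:", result["gate"], severity_histogram(SAMPLE_FINDINGS))
    for n in result["notify"]:
        print(n["channel"], n["to"], n["msg"])
```

The gate decision is computed from the findings alone and does not depend on who is notified, so a delivery failure of the e-mail or desktop prompt cannot turn a failing scan into a passing one; the notification list is a side channel, not the control.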
Fig. 4 schematically shows the modules built into the code scan result management module of fig. 3.
Fig. 5 schematically shows the management flow built into the system administrator management module of fig. 4.
Fig. 6 schematically shows the management flow built into the debugging personnel management module of fig. 4.
Fig. 7 schematically shows the management flow built into the report generation module of fig. 3.
Referring to fig. 4, the code scan result management module 350 contains a system administrator management module 351, a debugging personnel management module 352 and a report generation module 353; the management flows built into these three modules are shown in figs. 5, 6 and 7 respectively.
Referring to fig. 5, the management flow built into the system administrator management module 351 is: step S502, configure the system back end; step S504, start the server; step S506, log in to the system with an administrator account; step S508, set account permissions in the settings tab; step S510, set groups and group permissions; step S512, set the rule groups, i.e. which rules are enabled and which are not.
Referring to fig. 6, the management flow built into the debugging personnel management module 352 is: step S602, log in with a tester account; step S604, assign project visibility rights to the different groups; step S606, view the details of a project's report.
Referring to fig. 7, the management flow built into the report generation module 353 is: step S702, obtain all data produced by the code scanning analysis; step S704, clean and normalize the data; step S706, generate the specific report.
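A deny-by-default permission model for the three roles described earlier (developer, tester, system administrator) and for the settings the administrator and tester flows of figs. 5 and 6 configure (account rights, group project visibility, rule groups switched on or off), as an added example that is not the patent's own code. Action names, the group and project identifiers, and the choice that only the administrator may grant visibility are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class User:
    name: str
    role: str                        # "developer" | "tester" | "admin"
    groups: Set[str] = field(default_factory=set)


@dataclass
class Platform:
    """Minimal model of what the admin flow (fig. 5) and tester flow (fig. 6) set up."""
    project_group: Dict[str, str] = field(default_factory=dict)          # project -> owning group (S510)
    group_visibility: Dict[str, Set[str]] = field(default_factory=dict)  # tester group -> visible projects (S604)
    rule_groups: Dict[str, bool] = field(default_factory=dict)           # rule group -> enabled (S512)

    def can(self, user: User, action: str, project: str = "") -> bool:
        """Deny by default: an action is allowed only by an explicit branch below."""
        if user.role == "admin":
            return action in {"manage_rules", "manage_groups", "view_report", "review_code"}
        if user.role == "tester" and action == "view_report":
            # A tester sees a report only if one of their groups was granted that project.
            return any(project in self.group_visibility.get(g, set()) for g in user.groups)
        if user.role == "developer" and action in {"view_report", "submit_code"}:
            # A developer works only on projects owned by one of their groups.
            return self.project_group.get(project) in user.groups
        return False

    def grant_visibility(self, actor: User, group: str, project: str) -> None:
        """S604: make a project's reports visible to a tester group (admin only here)."""
        if not self.can(actor, "manage_groups"):
            raise PermissionError(f"{actor.name} may not change group visibility")
        self.group_visibility.setdefault(group, set()).add(project)

    def set_rule_group(self, actor: User, group: str, enabled: bool) -> None:
        """S512: switch a scanning rule group on or off (admin only)."""
        if not self.can(actor, "manage_rules"):
            raise PermissionError(f"{actor.name} may not change rule groups")
        self.rule_groups[group] = enabled

    def active_rule_groups(self) -> List[str]:
        """Rule groups the scanner should load for the next run."""
        return sorted(g for g, on in self.rule_groups.items() if on)


if __name__ == "__main__":
    # Constructed sample configuration.
    p = Platform(project_group={"billing": "team-a", "portal": "team-b"},
                 rule_groups={"owasp-top10": True, "style": False})
    admin, qa, dev = User("root", "admin"), User("qa1", "tester", {"qa-a"}), User("dev1", "developer", {"team-a"})
    p.grant_visibility(admin, "qa-a", "billing")
    print(p.can(qa, "view_report", "billing"), p.can(qa, "view_report", "portal"))
    print(p.active_rule_groups())
```

Every mutating operation re-checks `can()` on the actor rather than trusting the caller, so a tester or developer session that reaches the rule-group endpoint by mistake still cannot change which rules run.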
By providing a variable acquisition module, a code scanning tool matching module, a code scanning task management module, a code scanning task execution module and a code scanning result management module, the disclosed embodiment obtains the variables needed to configure the code scanning tool when the software security test pipeline runs, parses from the built-in matching rules and those variables a code scanning tool selection instruction that matches the requirements of the pipeline's project, selects the code scanning tool according to that instruction, creates the corresponding code scanning task and deploys it automatically into the software security test pipeline to scan the software code. The automated code scanning method and system therefore choose the scanning tool automatically according to how the code has changed at each stage of software development, so that code quality and security problems are found as early as possible in the development stage.
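A minimal version of the matching and task creation steps summarized above (S104 and S106 in the method, with the variable and instruction fields that claim 2 lists), as an added example that is not the patent's own code: runtime variables are matched against an ordered rule table of shell-style globs, the first matching rule yields the selection instruction (scanner image, authentication reference, rule set, scan command, parameters), and the instruction is turned into a container task. The image names, rule-set names, the `vault:` secret reference scheme, the scanner's command-line flags and the sample pipeline values are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ScanVariables:
    """Runtime variables the pipeline supplies (the list in claim 2)."""
    repo_url: str
    branch: str
    version: str          # commit id or tag being scanned
    language: str
    trigger_event: str    # e.g. "push", "merge_request", "tag"
    build_command: str
    pipeline_type: str    # assumed values: "ci" (per change) or "release"
    execution_cycle: str  # assumed values: "on_push" or "nightly"


@dataclass(frozen=True)
class ToolSelection:
    """Selection instruction: image, authentication, rule set, command, parameters."""
    image: str
    auth_ref: str              # reference to a pipeline secret, never the secret itself
    rule_set: str
    scan_command: Tuple[str, ...]
    params: Tuple[str, ...] = ()


# Only these six variables take part in matching (claim 2); version and
# trigger event are passed through to the task instead.
MATCH_KEYS = ("repo_url", "branch", "language", "build_command",
              "pipeline_type", "execution_cycle")


@dataclass(frozen=True)
class MatchRule:
    """One built-in matching rule; every key is a shell-style glob, '*' = any."""
    repo_url: str
    branch: str
    language: str
    build_command: str
    pipeline_type: str
    execution_cycle: str
    selection: ToolSelection

    def matches(self, v: ScanVariables) -> bool:
        return all(fnmatchcase(getattr(v, k), getattr(self, k)) for k in MATCH_KEYS)


# Ordered most specific first. Image names, rule-set names and the
# "vault:" secret references are assumptions for the example.
RULES: Tuple[MatchRule, ...] = (
    MatchRule("*", "release/*", "java", "*", "release", "*",
              ToolSelection("registry.example/sast-java:1", "vault:sast/java",
                            "java-release-full", ("scan", "--build-first"))),
    MatchRule("*", "*", "java", "*", "ci", "on_push",
              ToolSelection("registry.example/sast-java:1", "vault:sast/java",
                            "java-ci-fast", ("scan",), ("--changed-only",))),
    MatchRule("*", "*", "python", "*", "*", "*",
              ToolSelection("registry.example/sast-python:1", "vault:sast/python",
                            "python-default", ("scan",))),
    # Catch-all: a project that matches nothing still gets a scanner instead of
    # silently skipping the security stage.
    MatchRule("*", "*", "*", "*", "*", "*",
              ToolSelection("registry.example/sast-generic:1", "vault:sast/generic",
                            "generic-default", ("scan",))),
)


def select_tool(v: ScanVariables, rules: Tuple[MatchRule, ...] = RULES) -> ToolSelection:
    """Step S104: the first matching rule wins."""
    for rule in rules:
        if rule.matches(v):
            return rule.selection
    raise LookupError("no matching rule; the rule table needs a catch-all")


def create_task(v: ScanVariables, sel: ToolSelection, workspace: str = "/workspace") -> Dict[str, object]:
    """Step S106: turn the selection instruction into a concrete container task.

    The command is kept as an argv list rather than a shell string, so a branch
    name or build command containing shell metacharacters reaches the scanner
    literally instead of being interpreted by a shell.
    """
    argv: List[str] = ["docker", "run", "--rm",
                       "-e", f"SCAN_AUTH_REF={sel.auth_ref}",
                       "-v", f"{workspace}:/src", "-w", "/src",
                       sel.image, *sel.scan_command,
                       "--ruleset", sel.rule_set, "--ref", v.version, *sel.params]
    if "--build-first" in sel.scan_command:
        argv += ["--build-command", v.build_command]
    return {"repo": v.repo_url, "branch": v.branch, "image": sel.image, "argv": argv}
```

Two points worth keeping when the rule table grows: rules are evaluated in order, so a more specific rule placed after a broader one is dead, and the authentication field of the instruction should carry a reference that the execution module resolves at run time rather than a credential copied into every task record.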
Since the functions of the automatic code scanning system have been described in detail in the corresponding method embodiments, the disclosure is not repeated herein.
It should be noted that although the above detailed description mentions several modules or units of the device for performing actions, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided among a plurality of modules or units.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Thus, various aspects of the invention may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects, all of which may generally be referred to herein as a "circuit," "module" or "system."
An electronic device 800 according to this embodiment of the invention is described below with reference to fig. 8. The electronic device 800 shown in fig. 8 is only an example and should not bring any limitations to the function and scope of use of the embodiments of the present invention.
As shown in fig. 8, electronic device 800 is in the form of a general purpose computing device. The components of the electronic device 800 may include, but are not limited to: a memory 820, and a processor 810 coupled to the memory 820, the processor 810 configured to perform the automated code scanning method 100 described above based on instructions stored in the memory 820. Data is transferred between the memory 820 and the processor 810 via the bus 830.
The memory 820 stores therein program code that may be executed by the processor 810 to cause the processor 810 to perform the steps according to various exemplary embodiments of the present invention described in the "exemplary methods" section above in this specification. For example, the processor 810 may execute step S102 shown in fig. 1, obtaining variables required by the software security test pipeline runtime configuration code scanning tool; step S104, resolving a code scanning tool selection instruction matching the software safety test pipeline project requirement according to a built-in matching rule and the variables required by the code scanning tool; step S106, selecting a code scanning tool according to the code scanning tool selection instruction and creating a corresponding code scanning task; step S108, automatically deploying the code scanning task to the software security testing production line to execute software code scanning; and step S110, acquiring the software code scanning result and forming a software code scanning report.
The memory 820 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM)8201 and/or a cache memory unit 8202, and may further include a read only memory unit (ROM) 8203.
Memory 820 may also include a program/utility 8204 having a set (at least one) of program modules 8205, such program modules 8205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 830 may be any of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 800 may also communicate with one or more external devices 900 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 800, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 800 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interfaces 850. Also, the electronic device 800 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) via the network adapter 860. As shown, the network adapter 860 communicates with the other modules of the electronic device 800 via the bus 830. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 800, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, there is also provided a computer-readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, aspects of the invention may also be implemented in the form of a program product comprising program code means for causing a terminal device to carry out the steps according to various exemplary embodiments of the invention described in the above section "exemplary methods" of the present description, when said program product is run on the terminal device.
The program product for implementing the above method according to an embodiment of the present invention may employ a portable compact disc read only memory (CD-ROM) and include program codes, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
Furthermore, the above-described figures are merely schematic illustrations of processes involved in methods according to exemplary embodiments of the invention, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice in the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (10)

1. An automated code scanning method, comprising: obtaining the variables required to configure a code scanning tool when a software security test pipeline runs; parsing, according to built-in matching rules combined with the variables required by the code scanning tool, a code scanning tool selection instruction that matches the requirements of the software security test pipeline project; selecting a code scanning tool according to the code scanning tool selection instruction and creating a corresponding code scanning task; automatically deploying the code scanning task into the software security test pipeline to perform software code scanning; and obtaining the software code scanning result and forming a software code scanning report.
2. The automated code scanning method of claim 1, wherein the variables required by the code scanning tool include code base address, code base branch, code base version, development language, trigger event, build command, pipeline type and execution cycle; the matching rules include code base address, code base branch, development language, build command, pipeline type and execution cycle; and the code scanning tool selection instruction includes the scanning tool docker image name, scanning tool authentication information, scanning rule set, scan command and scanning tool parameters.
3. An automated code scanning system, comprising: a variable acquisition module, configured to obtain the variables required to configure a code scanning tool when a software security test pipeline runs; a code scanning tool matching module, configured to parse, according to built-in matching rules combined with the variables required by the code scanning tool, a code scanning tool selection instruction that matches the requirements of the software security test pipeline project; a code scanning task management module, configured to select a code scanning tool according to the code scanning tool selection instruction and create a corresponding code scanning task; a code scanning task execution module, configured to automatically deploy the code scanning task into the software security test pipeline to perform software code scanning; and a code scanning result management module, configured to obtain the software code scanning result and form a software code scanning report.
4. The automated code scanning system of claim 1, wherein the code scanning tool is provided with an API interface.
5. The automated code scanning system of claim 1, wherein a docker container is provided in the code scanning task execution module.
6. The automated code scanning system of claim 1, wherein the software security test pipeline is set in a DevOps software development platform.
7. The automated code scanning system of claim 3, wherein the code scanning task execution module comprises a quality detection module.
8. The automated code scanning system of claim 3, wherein the code scanning result management module comprises a system administrator management module, a debugging personnel management module and a report generation module.
9. An electronic device, comprising: a memory; and a processor coupled to the memory, the processor being configured to perform the automated code scanning method of any one of claims 1-2 based on instructions stored in the memory.
10. A computer-readable storage medium on which a program is stored, the program implementing the automated code scanning method of any one of claims 1-2 when executed by a processor.
CN202111392774.XA 2021-11-23 2021-11-23 Automatic code scanning method, system, electronic equipment and storage medium Pending CN114116471A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111392774.XA CN114116471A (en) 2021-11-23 2021-11-23 Automatic code scanning method, system, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111392774.XA CN114116471A (en) 2021-11-23 2021-11-23 Automatic code scanning method, system, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114116471A true CN114116471A (en) 2022-03-01

Family

ID=80440321

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111392774.XA Pending CN114116471A (en) 2021-11-23 2021-11-23 Automatic code scanning method, system, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114116471A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114625451A (en) * 2022-03-28 2022-06-14 深圳市金蝶天燕云计算股份有限公司 Component access method and device of DevOps system
CN114996157A (en) * 2022-06-27 2022-09-02 北京百度网讯科技有限公司 Method, device, equipment and storage medium for identifying risk of changing code
CN115061917A (en) * 2022-06-22 2022-09-16 中国平安财产保险股份有限公司 Front-end code performance detection method and device, computer equipment and storage medium
CN115408269A (en) * 2022-08-01 2022-11-29 浪潮云信息技术股份公司 Code quality control method and system
CN115599695A (en) * 2022-11-04 2023-01-13 广州嘉为科技有限公司(Cn) Quality red line interception method, device and medium based on pipeline code scanning

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103425572A (en) * 2012-05-24 2013-12-04 腾讯科技(深圳)有限公司 Code analyzing method and system
CN107239391A (en) * 2016-03-29 2017-10-10 腾讯科技(深圳)有限公司 A kind of method of testing of application program, device and terminal
CN110716866A (en) * 2019-09-06 2020-01-21 中国平安财产保险股份有限公司 Code quality scanning method and device, computer equipment and storage medium
CN112256575A (en) * 2020-10-22 2021-01-22 深圳我家云网络科技有限公司 Code quality management method, system and related equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
程培原: "Design and Application of a Code Quality Control Platform", China Master's Theses Full-text Database (Information Science and Technology), no. 12, 15 December 2019 (2019-12-15), pages 138 - 136 *

Similar Documents

Publication Publication Date Title
US8875110B2 (en) Code inspection executing system for performing a code inspection of ABAP source codes
CN114116471A (en) Automatic code scanning method, system, electronic equipment and storage medium
US11481200B1 (en) Checking source code validity at time of code update
US12079625B2 (en) Pipeline release validation
US20160357519A1 (en) Natural Language Engine for Coding and Debugging
US20120159434A1 (en) Code clone notification and architectural change visualization
Ren et al. Making smart contract development more secure and easier
CN103092761A (en) Method and device of recognizing and checking modifying code blocks based on difference information file
US9311077B2 (en) Identification of code changes using language syntax and changeset data
US9851944B2 (en) Operation search method and operation search apparatus
An et al. An empirical study of crash-inducing commits in Mozilla Firefox
US11740995B2 (en) Source quality check service
Ren et al. SCStudio: A secure and efficient integrated development environment for smart contracts
CN120021429A (en) Techniques for identifying and verifying security control steps in a software development pipeline
US11947966B2 (en) Identifying computer instructions enclosed by macros and conflicting macros at build time
US20240329983A1 (en) Development environment integrated with infrastructure cost estimation system
Furda et al. A practical approach for detecting multi-tenancy data interference
Liu et al. PF-Miner: A practical paired functions mining method for Android kernel in error paths
Xiao et al. Performing high efficiency source code static analysis with intelligent extensions
CN106020913A (en) Updating method and device for defect detection tools
Rodriguez Static File Path Analysis for Reliable Resource Locating
US10055332B2 (en) Variable detection in source code to reduce errors
WO2025044101A1 (en) Processing method and processing apparatus for checking rule
CN118535454A (en) A method for implementing code detection based on Webpack and related equipment
CN115827467A (en) Code detection method, medium, device and computing equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination