The present invention relates to a vulnerability detection technology, and more particularly, to a method and system for detecting vulnerabilities of NODE.JS components.
At present, open source components are widely used by developers, and it is estimated that 80%-90% of each application is composed of open source components. Studies have shown that half of the third-party components used in software applications are obsolete and may be insecure. Furthermore, more than 60% of all applications using open source components contain known software vulnerabilities. CVE analysis of each open source component would therefore provide effective information support for software composition analysis (SCA). However, there is no mature technology or product on the market for this. Therefore, vulnerabilities are generally detected manually: the official website of the relevant product is searched for information according to the descriptions of the vulnerabilities, and the vulnerabilities of a NODE.JS component are then determined. Manual review for vulnerabilities is labor intensive and inefficient.
In view of the technical problem to be solved by the present invention, a method and system for detecting vulnerabilities of NODE.JS components are provided, so as to quickly and efficiently detect vulnerabilities of NODE.JS components.
In order to solve the technical problem mentioned above, a method for detecting vulnerabilities of NODE.JS components is adopted as the technical solution, which includes the following steps:
The extracting first target vulnerability information from the first basic vulnerability information according to the key information of the NODE.JS component includes the following steps:
Optionally, after the extracting first target vulnerability information from the first basic vulnerability information according to the key information of the NODE.JS component, the method includes the following steps:
Further, after the matching the key information of the NODE.JS component with the CPE information to generate first target vulnerability information, the method also includes the following steps:
Optionally, after the generating first target vulnerability information, the method also includes the following steps:
Further, the key information of the NODE.JS component includes name information of the NODE.JS component and edition information of the NODE.JS component. After the acquiring second target vulnerability information, the method also includes the following steps:
Further, after the generating third target vulnerability information, the method also includes the following steps:
Further, the extracting first target vulnerability information from the first basic vulnerability information according to the key information of the NODE.JS component specifically includes:
Specifically, the third target vulnerability information contains one or more types of vulnerability information, version number information, hazard level information, and CVE information.
The present application also provides a system for detecting vulnerabilities of NODE.JS components, which includes the following modules:
The present invention has the following beneficial effects. With the method for detecting vulnerabilities of NODE.JS components provided by the present invention, first basic vulnerability information can be collected from a NODE.JS vulnerability database, and possible vulnerability information of a NODE.JS component may be quickly obtained. A package.json file is a file in the NODE.JS component. When the package.json file is parsed, the key information of the to-be-detected NODE.JS component can be obtained, which facilitates data retrieval and organization. Thus, although only a small amount of key information needs to be examined, a large amount of vulnerability information is obtained for the to-be-detected NODE.JS component. First target vulnerability information is hereby generated.
A specific structure of the present invention will be described in detail with reference to the accompanying drawings.
In order to explain the technical contents, structural features, realized objects and effects of the present invention in detail, the following description is made in conjunction with the implementations and the accompanying drawings.
Reference is now made to
A method for detecting vulnerabilities of NODE.JS components includes the following steps:
With the method for detecting vulnerabilities of NODE.JS components provided by the present invention, the following functions may be realized: first basic vulnerability information is collected from a NODE.JS vulnerability database, and possible vulnerability information of a NODE.JS component is quickly obtained. A package.json file is a file in the NODE.JS component. When the package.json file is parsed, the key information of the to-be-detected NODE.JS component can be obtained, which facilitates data retrieval and organization. Thus, although only a small amount of key information needs to be examined, a large amount of vulnerability information is obtained for the to-be-detected NODE.JS component. First target vulnerability information is hereby generated. In conclusion, the vulnerability information of NODE.JS components may be acquired more accurately to guarantee the efficiency and effect of vulnerability audit.
In a specific embodiment, step S200 of parsing a package.json file includes the following steps:
With the above-mentioned method, both vulnerabilities in the native code of NODE.JS components and vulnerabilities in the application code that uses them may be obtained. It will be appreciated that references may be by inheritance, encapsulation or otherwise.
Specifically, reference is now made to
The relevancy of the key information may be determined in various ways: it may be set from the experience of programmers, or determined according to the specific software. In a specific embodiment, vendor information, product names, and application edition information are represented by the CPE fields vendor, product, and version, respectively. The vendor information, product names, and application edition information may all be in high priority, with a certain priority difference among them.
In another embodiment, this information may not be expressed directly in the manner described above but through a name field. In that case the name field may be either vendor or product, both in high priority, so the name field may be directly defined as high priority. Other fields, such as description, author, maintainers, homepage, or bugs, may be treated as vendor in low priority.
CVE is an abbreviation of “Common Vulnerabilities & Exposures”. CVE provides a common name for publicly known information security vulnerabilities or weaknesses. With a common name, users are assisted in sharing data across otherwise independent vulnerability databases and vulnerability assessment tools. The structure of CVE is shown in
It is to be understood that the structure thereof is as shown in
In this embodiment, part is a, the CPE value denoting an application, i.e. software (as opposed to o for an operating system and h for hardware); here the application is specifically a Node.js component.
A series of values of vendor information, product names, and application edition information, together with their priorities, are parsed out and matched against the vendor, product, and version fields of the CPE information. The matching is performed in descending order of priority, i.e. starting from the vendor, product, and version values in high priority.
In a case where information in the same priority has a plurality of corresponding values, e.g. where vendor, product, and version in high priority each have several values, such as vendor having cn and seczone, product having seczone, sea, and sdlc, and version having 1.0 and 2.0, mixed matching is performed over every combination.
In an embodiment, if vendor is cn, product is seczone, and version is 1.0, the corresponding cpe is searched. After one combination of vendor, product, and version is matched successfully, the remaining combinations in this high priority continue to be used to search for matching cpe. Finally, all matched CVE information is found according to the found cpe.
Low-priority information will be matched upon matching failure of high-priority information.
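The priority-based matching described in the preceding paragraphs, as an added illustrative example (not code from the patent or the applicant): candidate vendor, product and version values are extracted from package.json, high-priority combinations are tried first against a CPE 2.3 index, and low-priority vendor candidates are used only when the high tier matches nothing. Everything in the block is constructed sample data; the CPE names reuse the cn/seczone/sea/sdlc values from the text, the "EXAMPLE-000n" labels stand where a real feed would carry CVE identifiers, and the handling of scoped names ("@scope/pkg" as vendor/product) and the tokenizing of low-priority fields are assumptions of this example.

```javascript
// Added illustrative example (not the patent's code): priority-based extraction of
// key information from package.json and mixed matching against CPE 2.3 names.
// All package.json contents, CPE names and vulnerability labels below are constructed;
// "EXAMPLE-000n" stands where a real feed would carry CVE identifiers.

// Constructed package.json of a component under test. Its name alone matches no CPE
// vendor/product pair, so matching must fall back to the low-priority fields.
const samplePackageJson = JSON.stringify({
  name: "seczone",
  version: "1.0",
  description: "sdlc tooling",
  author: "cn",
  maintainers: [{ name: "sea" }],
  homepage: "https://example.invalid/sea",
});

// Constructed scoped package whose name alone yields a high-priority match.
const sampleScopedPackageJson = JSON.stringify({ name: "@seczone/sdlc", version: "1.0" });

// Constructed "first basic vulnerability information": CPE 2.3 name -> vulnerability labels.
const sampleCpeIndex = {
  "cpe:2.3:a:cn:seczone:1.0:*:*:*:*:node.js:*:*": ["EXAMPLE-0001", "EXAMPLE-0002"],
  "cpe:2.3:a:seczone:sdlc:1.0:*:*:*:*:node.js:*:*": ["EXAMPLE-0002"],
  "cpe:2.3:a:seczone:sea:2.0:*:*:*:*:node.js:*:*": ["EXAMPLE-0003"],
  "cpe:2.3:a:other:seczone:1.0:*:*:*:*:node.js:*:*": ["EXAMPLE-0004"],
};

// Parse a CPE 2.3 formatted string. Assumption: no escaped colons ("\:") in the names.
function parseCpe23(cpe) {
  const f = cpe.split(":");
  if (f.length < 6 || f[0] !== "cpe" || f[1] !== "2.3") return null;
  return { part: f[2], vendor: f[3], product: f[4], version: f[5] };
}

// Extract candidate values with priorities from package.json.
// High priority: name (used as both vendor and product) and version.
// Low priority (vendor only): description, author, maintainers, homepage, bugs.
function extractKeyInfo(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const norm = (s) => String(s).toLowerCase().trim();
  const high = { vendor: new Set(), product: new Set(), version: new Set() };
  const low = { vendor: new Set() };
  if (typeof pkg.name === "string") {
    // Assumption: a scoped name "@scope/pkg" contributes scope as vendor and pkg as product.
    const m = /^@([^/]+)\/(.+)$/.exec(pkg.name);
    if (m) { high.vendor.add(norm(m[1])); high.product.add(norm(m[2])); }
    else { high.vendor.add(norm(pkg.name)); high.product.add(norm(pkg.name)); }
  }
  if (typeof pkg.version === "string") high.version.add(norm(pkg.version));
  const lowFields = [pkg.description, pkg.author, pkg.homepage, pkg.bugs]
    .concat(Array.isArray(pkg.maintainers) ? pkg.maintainers : []);
  for (const field of lowFields) {
    if (field == null) continue;
    // Fields may be plain strings or objects such as { name, email, url }.
    const text = typeof field === "string" ? field : [field.name, field.url].filter(Boolean).join(" ");
    for (const tok of text.toLowerCase().split(/[^a-z0-9_.-]+/)) {
      if (tok.length >= 2) low.vendor.add(tok);
    }
  }
  return { high, low };
}

// Mixed matching: try every (vendor, product, version) combination of one priority tier
// against the parsed CPEs; a CPE version of "*" (ANY) matches every version.
function matchTier(parsedCpes, vendors, products, versions) {
  const hits = new Set();
  for (const v of vendors) for (const p of products) for (const ver of versions) {
    for (const c of parsedCpes) {
      if (c.vendor === v && c.product === p && (c.version === ver || c.version === "*")) hits.add(c.cpe);
    }
  }
  return [...hits];
}

function matchCpes(keyInfo, cpeIndex) {
  const parsed = Object.keys(cpeIndex)
    .map((cpe) => ({ cpe, ...parseCpe23(cpe) }))
    .filter((c) => c.part === "a"); // part "a" = application
  let tier = "high";
  let matched = matchTier(parsed, keyInfo.high.vendor, keyInfo.high.product, keyInfo.high.version);
  if (matched.length === 0) {
    // Low-priority vendor candidates are used only after the high-priority tier fails.
    tier = "low";
    matched = matchTier(parsed, keyInfo.low.vendor, keyInfo.high.product, keyInfo.high.version);
  }
  // CPE <-> CVE is many-to-many, so labels collected from all matched CPEs are deduplicated.
  const vulns = new Set();
  for (const cpe of matched) for (const id of cpeIndex[cpe]) vulns.add(id);
  return { tier, matchedCpes: matched, vulnerabilities: [...vulns].sort() };
}

console.log(matchCpes(extractKeyInfo(samplePackageJson), sampleCpeIndex));
console.log(matchCpes(extractKeyInfo(sampleScopedPackageJson), sampleCpeIndex));
```

The first package resolves only through the low tier (author "cn" as vendor, name "seczone" as product), while the scoped package is resolved in the high tier. Note that npm versions are usually three-part ("1.0.0") whereas CPE feeds may record "1.0"; a production matcher would normalize versions before the equality test used here.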
Further, step S300 of extracting first target vulnerability information from the first basic vulnerability information according to the key information of the NODE.JS component also includes the following steps:
Since different editions of the NODE.JS component may have different code and frameworks, and may even share nothing but the file name, edition information of the NODE.JS component is needed to detect vulnerabilities accurately. Different vendors may also give different software the same name.
The CVE information includes a CVE number.
The CVE number is an identifier assigned to a publicly disclosed vulnerability; each number addresses one specific vulnerability issue.
Further, after matching the key information of the NODE.JS component with the CPE information to generate first target vulnerability information in step S330, the method also includes the following steps:
It is to be understood that the CPE information and the CVE information are not in a one-to-one relationship: one CVE may reference a plurality of CPEs, and one CPE may appear in a plurality of CVEs. Based on this, duplicate information in the first target vulnerability information needs to be removed so that each JS script file name corresponds to the CPE information on a one-to-one basis. In this embodiment, the first target vulnerability information is formed into a table, such as the table shown in
Further, reference is now made to
The SHA-1 hash value is calculated from a JS script file through a hash algorithm. A hash algorithm converts a binary input of arbitrary length into a hash value of fixed length, and the corresponding file may be found quickly and easily by applying the hash value.
In this embodiment, the SHA-1 hash value is directly used to match the corresponding information in the first target vulnerability information, so vulnerabilities may be obtained quickly and accurately by parsing the NODE.JS component only once. Scanning time is saved, and the possibility of part of the data being analyzed inaccurately is also avoided.
In another embodiment, after generating first target vulnerability information in step S330, the method includes the following steps:
In this embodiment, an interface officially provided by NODE.JS is called to search for other vulnerabilities, and the steps are similar to those described above and will not be described in detail herein. In this embodiment, however, in addition to the above-mentioned CVE vulnerability information, some non-CVE vulnerability information may also be obtained, and second target vulnerability information is formed by combining the two. Compared with the first target vulnerability information, the second target vulnerability information has more comprehensive vulnerability data, which better guarantees the security of the NODE.JS component.
Further, the key information of the NODE.JS component includes name information of the NODE.JS component and edition information of the NODE.JS component. Reference is now made to
In this embodiment, vulnerabilities are still detected in a manner similar to that described above, with one difference: the second basic vulnerability information records, for each component name, a plurality of vulnerabilities. In each vulnerability, the affected version range is represented by atOrAbove and below, the severity level by severity, and the specific content of the vulnerability by identifiers.
In this embodiment, component names include angular, hubot-scripts, connect, libnotify, etc., and one or more vulnerabilities may be recorded for each component name. In a vulnerability, atOrAbove denotes that the version number is greater than or equal to a certain version number, and below denotes that the version number is less than a certain version number, thereby defining a half-open interval. Within this interval, the severity level is represented by severity and the specific content of the vulnerability by identifiers. If the vulnerability is a CVE vulnerability, a CVE number is recorded. If it is not a CVE vulnerability, the specific state of the vulnerability is generally described as shown in
In this embodiment, since the name information and the edition information of the NODE.JS component are matched against the above-mentioned second basic vulnerability information according to a mapping rule, accurate and comprehensive vulnerability information may be obtained.
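The name-and-version matching against the second basic vulnerability information, as an added illustrative example (not code from the patent or the applicant). It assumes the repository has the shape the text describes (a component name mapping to a list of vulnerabilities with atOrAbove, below, severity and identifiers, the layout also used by the retire.js repositories), and it makes the interval semantics explicit: atOrAbove inclusive, below exclusive, a missing bound open. The repository entries use placeholder component names and summaries rather than the real components named in the text, so that no real advisory is implied; the version comparator is a simplified semver ordering written for this example.

```javascript
// Added illustrative example (not the patent's code): match a component's name and
// version against a repository of the atOrAbove / below / severity / identifiers shape.
// Entries are constructed with placeholder names and summaries; none describes a real advisory.

const sampleRepository = {
  "example-web": {
    vulnerabilities: [
      { atOrAbove: "1.0.0", below: "1.2.5", severity: "high", identifiers: { summary: "constructed sample A" } },
      { below: "0.9.0", severity: "medium", identifiers: { summary: "constructed sample B" } },
    ],
  },
  "example-notify": {
    vulnerabilities: [
      { atOrAbove: "2.0.0", below: "2.0.1", severity: "critical", identifiers: { summary: "constructed sample C" } },
    ],
  },
};

// Compare two dotted versions numerically ("1.10.0" > "1.9.0"). A pre-release tag sorts
// before its release ("1.2.5-beta" < "1.2.5"); build metadata after "+" is ignored and a
// leading "v" is tolerated. Returns -1, 0 or 1. Simplified relative to full semver.
function compareVersions(a, b) {
  const split = (v) => {
    const [core, pre] = v.replace(/^v/, "").split("+")[0].split("-", 2);
    return { nums: core.split(".").map((n) => parseInt(n, 10) || 0), pre: pre === undefined ? null : pre };
  };
  const x = split(a), y = split(b);
  const n = Math.max(x.nums.length, y.nums.length);
  for (let i = 0; i < n; i++) {
    const d = (x.nums[i] || 0) - (y.nums[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;  // a release is newer than any of its pre-releases
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1; // simplification: lexical order of pre-release tags
}

// atOrAbove is inclusive, below is exclusive; an absent bound leaves that side open.
function inRange(version, vuln) {
  if (vuln.atOrAbove !== undefined && compareVersions(version, vuln.atOrAbove) < 0) return false;
  if (vuln.below !== undefined && compareVersions(version, vuln.below) >= 0) return false;
  return true;
}

// Name and version from package.json -> third target vulnerability information rows.
function findVulnerabilities(repo, name, version) {
  const entry = repo[name];
  if (!entry || !Array.isArray(entry.vulnerabilities)) return [];
  return entry.vulnerabilities
    .filter((v) => inRange(version, v))
    .map((v) => ({
      component: name,
      version,
      affected: `${v.atOrAbove === undefined ? "" : ">=" + v.atOrAbove} ${v.below === undefined ? "" : "<" + v.below}`.trim(),
      severity: v.severity,
      identifiers: v.identifiers,
    }));
}

console.log(findVulnerabilities(sampleRepository, "example-web", "1.2.4"));   // sample A
console.log(findVulnerabilities(sampleRepository, "example-web", "1.2.5"));   // [] (below is exclusive)
console.log(findVulnerabilities(sampleRepository, "example-web", "1.2.5-beta")); // sample A (pre-release)
```

The pre-release case matters in practice: "1.2.5-beta" precedes the fixed release "1.2.5", so a matcher that compares version strings lexically or ignores the tag would wrongly clear it.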
Optionally, after generating first target vulnerability information, in step S360, the method also includes the following steps:
In a specific embodiment, the method includes the following steps:
In this step, the retire.js repository data and package.json may be updated separately or simultaneously.
Thus, the vulnerability data can be kept current, and the technical solution is less likely to become outdated. Specifically, as shown in
With reference to
The above-mentioned modules are configured to carry out the above-mentioned method. Any module, if implemented in the form of a software functional module and sold or used as an independent product, may be stored in a computer-readable storage medium. Based on such an understanding, the technical solution of the present invention, in essence, or the part contributing to the related art, or in whole or in part, may be embodied in the form of a software product. It will be appreciated that the method and system are applied to a computer-readable storage medium, which may be a memory. The computer-readable storage medium has a computer program stored thereon. Further, the computer-readable storage medium may be a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or another medium which may store program code.
It is to be noted that while the foregoing method embodiments have been described in terms of various combinations of acts for brevity, those skilled in the art will recognize that the present invention is not limited by the described order of acts, as some steps may, in accordance with the present invention, be performed in other orders or simultaneously. Furthermore, those skilled in the art will also recognize that the embodiments described in the description belong to preferred embodiments and that the acts and modules involved are not necessarily required by the present invention.
The above descriptions are only the embodiments of the present invention, and are not intended to limit the patent scope of the present invention. Any equivalent structure or equivalent process transformation made by using the contents of the description and drawings of the present invention, or directly or indirectly applied to other related technical fields, is similarly included in the scope of patent protection of the present invention.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/CN2020/087399 | 4/28/2022 | WO |