An application security vulnerability processing method and device, apparatus, and storage medium

By sorting, reproducing, and analyzing the underlying principles of vulnerabilities, and combining vulnerability scanning and static analysis techniques, the problem of being unable to determine the impact in open-source component vulnerability detection has been solved, enabling efficient vulnerability risk assessment and remediation, and reducing manpower costs.

CN119808085B · Active · Publication Date: 2026-06-12 · CHINA CITIC BANK CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents (China)
Current Assignee / Owner
CHINA CITIC BANK CO LTD
Filing Date
2024-12-05
Publication Date
2026-06-12

AI Technical Summary

Technical Problem

In existing technologies, the methods for detecting vulnerabilities in open-source components cannot determine the impact of vulnerabilities on applications, causing developers to spend a lot of time and effort on fixing them.

Method used

By sorting, reproducing, and analyzing the principles of discovered vulnerabilities, vulnerability scanning tools are used to scan application source code or binary files. Combined with vulnerability principle databases and static analysis techniques, vulnerability exploitation conditions and mitigation measures are determined, and alerts are generated or eliminated.

Benefits of technology

It reduces the manpower costs for enterprises in the vulnerability remediation process, and avoids unnecessary component version upgrades by analyzing and judging whether a vulnerability poses a risk.

Generated by Eureka AI based on patent content.

Smart Images: Figure CN119808085B_ABST (abstract figure)

Abstract

The application discloses an application security vulnerability processing method and device, equipment and a storage medium. Discovered vulnerabilities are sorted according to preset rules, and the sorted vulnerabilities are reproduced and their principles analyzed. The application source code or binary file is then scanned by a vulnerability scanning tool, a scanning result is output, and the scanning result is analyzed to obtain vulnerability information. Finally, the source code is acquired and, combined with the vulnerability principle database information, matched with the corresponding vulnerability principle rules; static analysis technology is used to analyze whether the source code has a vulnerability exploitation condition and whether a mitigation measure has been taken. The vulnerability principle and repair mode are analyzed to form a database; combined with the application source code, static code analysis technology is used together with the vulnerability principle database to judge whether the application has risks. If there is no risk, the component version does not need to be upgraded, and the human cost of enterprises in vulnerability repair is effectively reduced.

Description

Technical Field

[0001] This invention relates to the field of network security, and in particular to a method, apparatus, and storage medium for handling application security vulnerabilities.

Background Technology

[0002] Currently, the industry's approach to handling application security vulnerabilities discovered through scanning is to provide a risk assessment and remediation recommendations after the scan is completed, and then to track and manage the vulnerability remediation.

[0003] Existing methods for handling application security vulnerabilities are not very developer-friendly, especially for patching vulnerabilities in open-source components. Currently, the industry's approach to detecting open-source component vulnerabilities often involves analyzing the application's component dependencies from the source code or binary files, checking the versions of dependent components against a vulnerability database, and outputting vulnerability information if a match is found. However, it's impossible to determine whether the vulnerability actually affects the application, and developers have to spend a significant amount of time and effort upgrading component versions and resolving compatibility issues.

Summary of the Invention

[0004] Therefore, this application provides a technical solution for identifying whether the results given by vulnerability scanning tools actually carry risk, thereby reducing the manpower cost of vulnerability remediation. To solve the above technical problems, this invention provides an application security vulnerability handling method, apparatus, and storage medium.

[0005] To achieve the above objectives, in a first aspect, the present invention provides a method for handling application security vulnerabilities, characterized in that it includes:

[0006] The discovered vulnerabilities are sorted according to preset rules, and the sorted vulnerabilities are then reproduced and their underlying principles analyzed.

[0007] The reproduction and principle analysis include: confirming the exploitation conditions and mitigation measures of the discovered vulnerabilities and generating vulnerability principle database information;

[0008] The application source code or binary file is scanned using a vulnerability scanning tool, the scan results are output, and the vulnerability information is obtained by analyzing the scan results.

[0009] After obtaining the source code and combining it with the vulnerability principle database information, matching the corresponding vulnerability principle rules, static analysis technology is used to analyze whether the source code has vulnerability exploitation conditions and whether mitigation measures have been taken.

[0010] Furthermore, the conditions for confirming the exploitation of the vulnerability include: if the exploitation condition is an untrusted input to a function, then the class name and input parameter positions corresponding to the function name are recorded and stored in the configuration library. If the source code is available, combined with static analysis, if the source code does not use the function or does not contain untrusted input, then it is confirmed that there is no security risk.

[0011] Furthermore, if the mitigation measures for the vulnerability are configured to enable or disable a certain function through a configuration file, the configuration file name and configuration items are recorded and stored in the configuration library. If the source code is available, regular expression matching is used to confirm whether the application has taken mitigation measures for the vulnerability. If it has, it is confirmed that there is no security risk.

[0012] Furthermore, if there are no exploitation conditions, or if mitigation measures are in place, the alert is cleared; otherwise, an alert is generated.

[0013] Secondly, the present invention also provides an application security vulnerability handling device, comprising: a reproduction analysis module, a scanning analysis module, and a verification module;

[0014] The reproduction analysis module is used to sort the discovered vulnerabilities according to preset rules, and then reproduce and analyze the underlying principles of the sorted vulnerabilities.

[0015] The reproduction and principle analysis include: confirming the exploitation conditions and mitigation measures of the discovered vulnerabilities and generating vulnerability principle database information;

[0016] The scanning and analysis module is used to scan application source code or binary files using vulnerability scanning tools, output scan results, analyze the scan results, and obtain vulnerability information.

[0017] The verification module is used to obtain the source code and, in conjunction with the vulnerability principle database information, match the corresponding vulnerability principle rules, and then use static analysis technology to analyze whether the source code has vulnerability exploitation conditions and whether mitigation measures have been taken.

[0018] Furthermore, the conditions for confirming the exploitation of the vulnerability include: if the exploitation condition is an untrusted input to a function, then the class name and input parameter positions corresponding to the function name are recorded and stored in the configuration library. If the source code is available, combined with static analysis, if the source code does not use the function or does not contain untrusted input, then it is confirmed that there is no security risk.

[0019] Furthermore, if the mitigation measures for the vulnerability are configured to enable or disable a certain function through a configuration file, the configuration file name and configuration items are recorded and stored in the configuration library. If the source code is available, regular expression matching is used to confirm whether the application has taken mitigation measures for the vulnerability. If it has, it is confirmed that there is no security risk.

[0020] Furthermore, if there are no exploitation conditions, or if mitigation measures are in place, the alert is cleared; otherwise, an alert is generated.

[0021] Thirdly, the present invention provides a computing device, comprising:

[0022] Memory, used to store program instructions;

[0023] The processor is used to call program instructions stored in the memory and execute the application security vulnerability handling method described above according to the obtained program instructions.

[0024] Fourthly, the present invention provides a computer-readable storage medium, including computer-readable instructions, which, when read and executed by a computer, implement the application security vulnerability handling method described above. The readable medium may be multiple, and the multiple readable media can operate independently of each other.

[0025] Compared to existing technologies, this invention sorts discovered vulnerabilities according to preset rules, reproduces and analyzes the underlying principles of these vulnerabilities, then scans application source code or binary files using vulnerability scanning tools, outputs scan results, analyzes these results to obtain vulnerability information, and finally obtains the source code and combines it with the vulnerability principle database information. After matching the corresponding vulnerability principle rules, static analysis technology is used to analyze whether the source code has exploitable conditions and whether mitigation measures have been taken. This achieves the analysis of vulnerability principles and remediation methods to form a database. By combining application source code with static code analysis technology and the vulnerability principle database, it determines whether the application is at risk. If no risk is found, there is no need to upgrade component versions, reducing the manpower costs for enterprises in vulnerability remediation.

Attached Figure Description

[0026] To more clearly illustrate the technical solutions in the embodiments of this disclosure or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this disclosure. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0027] Figure 1 A flowchart illustrating an embodiment of the application security vulnerability handling method provided by the present invention;

[0028] Figure 2 A structural block diagram of an embodiment of the application security vulnerability handling device provided by the present invention;

[0029] Figure 3 A structural diagram of one embodiment of the application security vulnerability handling device provided by the present invention;

[0030] Figure 4 A schematic diagram of the structure of an electronic device provided by the present invention.

Detailed Implementation

[0031] The embodiments of this application are described in detail below. Examples of the embodiments are shown in the accompanying drawings, wherein the same or similar reference numerals denote the same or similar elements or elements having the same or similar functions throughout. The embodiments described below with reference to the accompanying drawings are exemplary and are only used to explain this application, and should not be construed as limiting this application.

[0032] Those skilled in the art will understand that, unless specifically stated otherwise, the singular forms “a,” “an,” and “the” used herein may also include the plural forms. It should be further understood that the term “comprising” as used in the specification of this application means the presence of features, integers, steps, operations, elements, and / or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and / or groups thereof. The term “and / or” as used herein includes all or any units and all combinations of one or more associated listed items.

[0033] To make the objectives, technical solutions, and advantages of the present invention clearer, the specific embodiments of this application will be described in further detail below with reference to the accompanying drawings.

[0034] The core of this invention is to provide a method for handling application security vulnerabilities. Figure 1 is a flowchart of the application security vulnerability handling method provided in this embodiment. To better understand this method, the technical solution of this embodiment is now described in detail with reference to Figure 1:

[0035] Step S1: Sort the discovered vulnerabilities according to preset rules, and reproduce and analyze the underlying principles of the sorted vulnerabilities;

[0036] The reproduction and principle analysis include: confirming the exploitation conditions and mitigation measures of the discovered vulnerabilities and generating vulnerability principle database information;

[0037] Here, vulnerability exploitation conditions are the set of conditions or prerequisites that must be met for a vulnerability to be exploited to launch an attack or carry out malicious acts; these usually include whether certain functions need to be enabled or used.

[0038] Vulnerability mitigation measures refer to strategies for addressing known vulnerabilities, aiming to reduce the potential risks and impacts of vulnerabilities. They are used to temporarily fix vulnerabilities, reduce the risk of attacks, or limit the exploitability of vulnerabilities. They typically include temporary remedial measures (such as modifying configuration files, disabling certain functions, etc.) and security updates such as patches.

[0039] Step S2: Scan the application source code or binary file using a vulnerability scanning tool, output the scan results, analyze the scan results, and obtain vulnerability information;

[0040] Step S3: Obtain the source code and, in conjunction with the vulnerability principle database information, match the corresponding vulnerability principle rules, then use static analysis technology to analyze whether the source code has vulnerability exploitation conditions and whether mitigation measures have been taken.

[0041] In a preferred embodiment, the confirmation of vulnerability exploitation conditions includes: if the vulnerability exploitation condition is untrusted input to a function, then the class name corresponding to the function name and the input parameter position are recorded and stored in the configuration library. If the source code is available, combined with static analysis, if the source code does not use the function or does not contain untrusted input, then it is confirmed that there is no security risk.

[0042] In a preferred embodiment, if the mitigation measures for the vulnerability are configured to enable or disable a certain function through a configuration file, the configuration file name and configuration items are recorded and stored in a configuration library. If the source code is available, regular expression matching is used to confirm whether the application has taken mitigation measures for the vulnerability. If it has, it is confirmed that there is no security risk.

[0043] In a preferred embodiment, the alarm is cleared if there are no exploitation conditions or if mitigation measures are in place, and an alarm is generated otherwise.

[0044] In this embodiment, discovered vulnerabilities are sorted according to preset rules, and the sorted vulnerabilities are then reproduced and their underlying principles analyzed. Next, a vulnerability scanning tool scans the application source code or binary files, outputting the scan results. These results are then analyzed to obtain vulnerability information. Finally, the source code is obtained and combined with the vulnerability principle database information. After matching the corresponding vulnerability principle rules, static analysis techniques are used to analyze whether the source code has exploitable conditions and whether mitigation measures have been implemented. This achieves the analysis of vulnerability principles and remediation methods to form a database. By combining the application source code with static code analysis techniques and the vulnerability principle database, it is determined whether the application is at risk. If no risk is found, there is no need to upgrade component versions, reducing the enterprise's manpower costs for vulnerability remediation.

[0045] To facilitate understanding, the present invention provides a specific embodiment for further explanation.

[0046] Example:

[0047] This embodiment provides a method for handling application security vulnerabilities within an enterprise, which specifically includes the following steps:

[0048] Step S201: Maintain an open-source vulnerability knowledge base: This step mainly relies on security personnel to analyze vulnerabilities, extract the vulnerable functions, their exploitation conditions, and the mitigation measures, and store them as program-understandable configurations.

[0049] Step S202: Use a component vulnerability scanning tool to scan the source code in the source code repository to obtain dependent component information and first vulnerability information.

[0050] The program matches the scan results from step S202 against exploit conditions and mitigation measures in the vulnerability knowledge base. It then uses static code analysis to determine if the vulnerable function in the exploit condition is reachable and whether mitigation measures have been implemented. If the vulnerable function is unreachable or mitigation measures have been implemented, the scanned vulnerability is considered risk-free and requires no fix; otherwise, component upgrades are necessary.
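The decision logic of steps S201 to S203 above (and of the preferred embodiments in [0041] to [0043]) as an added worked example in Python. This is illustrative code written for this page, not code from the patent or from CHINA CITIC BANK. It assumes a Python code base, a hypothetical vulnerable method DocLoader.load whose first argument is the dangerous one, hypothetical untrusted-input sources request.get_param and request.body, a hypothetical mitigation item docloader.safe_mode in app.properties, and a placeholder vulnerability id; the knowledge-base record, the sample source files and the configuration text are all constructed. The alert rule follows [0050]: the finding is cleared when the vulnerable function is not reached by untrusted input or when the mitigation is configured, and an alert is raised only when both checks fail.

```python
# Added example (not from the patent or CITIC Bank): a toy "verification
# module" for the exploit-condition / mitigation check in [0041]-[0043] and
# [0048]-[0050]. DocLoader, request.get_param, request.body and
# docloader.safe_mode are hypothetical names; all inputs are constructed.
import ast
import re
from dataclasses import dataclass


@dataclass
class VulnRule:
    """One vulnerability-principle record (step S201), kept as configuration."""
    vuln_id: str          # placeholder id, not a real CVE
    class_name: str       # class owning the vulnerable method
    function_name: str    # vulnerable method name
    param_position: int   # argument position that must carry untrusted input
    config_file: str      # file in which the mitigation would be configured
    config_pattern: str   # regex for the mitigating configuration item


RULE = VulnRule(
    vuln_id="VULN-PLACEHOLDER-001",
    class_name="DocLoader",
    function_name="load",
    param_position=0,
    config_file="app.properties",
    config_pattern=r"^\s*docloader\.safe_mode\s*=\s*true\s*$",
)
# Constructed list of untrusted-input sources (hypothetical framework API).
UNTRUSTED_SOURCES = {"request.get_param", "request.body"}


def _dotted(node):
    """Render a Name/Attribute/Call node as 'a.b.c'; None for anything else."""
    if isinstance(node, ast.Call):
        return _dotted(node.func)
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    if isinstance(node, ast.Name):
        return node.id
    return None


def find_exploit_conditions(source, rule):
    """Line numbers of calls to <class>.<function> whose argument at
    param_position is untrusted. Name-based, flow-insensitive taint: a variable
    assigned from an untrusted source, or from a tainted name, is tainted."""
    tree = ast.parse(source)
    tainted, instances = set(), set()
    changed = True
    while changed:  # iterate to a fixpoint so statement order does not matter
        changed = False
        for node in ast.walk(tree):
            if not isinstance(node, ast.Assign):
                continue
            val, src = node.value, _dotted(node.value)
            is_tainted = src in UNTRUSTED_SOURCES or (
                isinstance(val, ast.Name) and val.id in tainted)
            is_instance = isinstance(val, ast.Call) and src == rule.class_name
            for target in node.targets:
                if not isinstance(target, ast.Name):
                    continue
                if is_tainted and target.id not in tainted:
                    tainted.add(target.id); changed = True
                if is_instance and target.id not in instances:
                    instances.add(target.id); changed = True
    hits = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == rule.function_name):
            continue
        recv = node.func.value  # receiver: ClassName(...) or a bound instance
        on_class = _dotted(recv) == rule.class_name or (
            isinstance(recv, ast.Name) and recv.id in instances)
        if not on_class or len(node.args) <= rule.param_position:
            continue
        arg = node.args[rule.param_position]
        if (isinstance(arg, ast.Name) and arg.id in tainted) or _dotted(arg) in UNTRUSTED_SOURCES:
            hits.append(node.lineno)
    return sorted(hits)


def mitigation_present(config_files, rule):
    """Regex-match the recorded configuration item in the recorded file ([0042])."""
    text = config_files.get(rule.config_file, "")
    return re.search(rule.config_pattern, text, re.MULTILINE) is not None


def verdict(source, config_files, rule):
    """'clear' when the vulnerable function is not reached by untrusted input or a
    mitigation is configured; 'alert' only when both checks fail ([0043], [0050])."""
    lines = find_exploit_conditions(source, rule)
    if not lines:
        return "clear", "vulnerable function not reached by untrusted input"
    if mitigation_present(config_files, rule):
        return "clear", f"mitigation configured in {rule.config_file}"
    return "alert", f"{rule.vuln_id}: untrusted input reaches {rule.class_name}.{rule.function_name} at lines {lines}"


# Constructed sample inputs (leading newline: 'from' is line 2 of each file).
RISKY_SOURCE = """
from docloader import DocLoader
def handler(request):
    raw = request.get_param("doc")
    data = raw
    return DocLoader().load(data)
"""
SAFE_SOURCE = """
from docloader import DocLoader
def handler(request):
    loader = DocLoader()
    return loader.load(open("/etc/app/template.doc").read())
"""
UNMITIGATED_CONFIG = {"app.properties": "debug=false\n"}
MITIGATED_CONFIG = {"app.properties": "debug=false\ndocloader.safe_mode = true\n"}

if __name__ == "__main__":
    for name, src, cfg in [("risky/unmitigated", RISKY_SOURCE, UNMITIGATED_CONFIG),
                           ("risky/mitigated", RISKY_SOURCE, MITIGATED_CONFIG),
                           ("safe", SAFE_SOURCE, UNMITIGATED_CONFIG)]:
        print(name, *verdict(src, cfg, RULE))
```

The taint tracking is deliberately minimal (name-based, flow-insensitive, single file): it shows the shape of the reachability check the patent describes, not a production analysis. A real verifier would need inter-procedural data flow and a list of sanitizers before it could clear a finding on its own, and the regex check only confirms that the mitigating item is written in the file, not that the deployed configuration is the one that was scanned.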

[0051] In one embodiment, the present invention provides an application security vulnerability mitigation device. Figure 2 is a structural block diagram of the application security vulnerability handling device provided in this embodiment, and Figure 3 is a structural diagram of the same device. The device includes: a reproduction analysis module 10, a scanning analysis module 20, and a verification module 30.

[0052] The reproduction analysis module 10 is used to sort the discovered vulnerabilities according to preset rules, reproduce and analyze the principles of the sorted vulnerabilities, including: confirming the exploitation conditions and mitigation measures of the discovered vulnerabilities and generating vulnerability principle database information.

[0053] The scanning and analysis module 20 is used to scan the application source code or binary file using a vulnerability scanning tool, output the scanning results, analyze the scanning results, and obtain vulnerability information.

[0054] The verification module 30 is used to obtain the source code and, in conjunction with the vulnerability principle database information, match the corresponding vulnerability principle rules, and then use static analysis technology to analyze whether the source code has vulnerability exploitation conditions and whether mitigation measures have been taken.

[0055] In a preferred embodiment, the confirmation of vulnerability exploitation conditions includes: if the vulnerability exploitation condition is untrusted input to a function, then the class name corresponding to the function name and the input parameter position are recorded and stored in the configuration library. If the source code is available, combined with static analysis, if the source code does not use the function or does not contain untrusted input, then it is confirmed that there is no security risk.

[0056] In a preferred embodiment, if the mitigation measures for the vulnerability are configured to enable or disable a certain function through a configuration file, the configuration file name and configuration items are recorded and stored in a configuration library. If the source code is available, regular expression matching is used to confirm whether the application has taken mitigation measures for the vulnerability. If it has, it is confirmed that there is no security risk.

[0057] In a preferred embodiment, the alarm is cleared if there are no exploitation conditions or if mitigation measures are in place, and an alarm is generated otherwise.

[0058] In this embodiment, discovered vulnerabilities are sorted according to preset rules, and the sorted vulnerabilities are then reproduced and their underlying principles analyzed. Next, a vulnerability scanning tool scans the application source code or binary files, outputting the scan results. These results are then analyzed to obtain vulnerability information. Finally, the source code is obtained and combined with the vulnerability principle database information. After matching the corresponding vulnerability principle rules, static analysis techniques are used to analyze whether the source code has exploitable conditions and whether mitigation measures have been implemented. This achieves the analysis of vulnerability principles and remediation methods to form a database. By combining the application source code with static code analysis techniques and the vulnerability principle database, it is determined whether the application is at risk. If no risk is found, there is no need to upgrade component versions, reducing the enterprise's manpower costs for vulnerability remediation.

[0059] The application security vulnerability handling device in this embodiment is used to implement the aforementioned application security vulnerability handling method. Therefore, for the specific implementation of the device, reference can be made to the description of the corresponding method embodiments above. The device provided by the present invention accompanies the method provided by the present invention, and its specific effects can be referred to the above method, which will not be repeated here.

[0060] In one embodiment, a computing device is provided, comprising:

[0061] Memory, used to store program instructions;

[0062] A processor, configured to implement the steps of any of the above-described application security vulnerability mitigation methods when executing the computer program.

[0063] As an example, Figure 4 is a schematic diagram of the structure of an electronic device to which this application embodiment applies. As shown in Figure 4, the electronic device 2000 includes a processor 2001 and a memory 2003. The processor 2001 and the memory 2003 are connected, for example, via a bus 2002. Optionally, the electronic device 2000 may also include a transceiver 2004. It should be noted that in practical applications, the transceiver 2004 is not limited to one type, and the structure of the electronic device 2000 does not constitute a limitation on the embodiments of this application.

[0064] In this embodiment, the processor 2001 is used to implement the method shown in the above method embodiment. The transceiver 2004 may include a receiver and a transmitter. In this embodiment, the transceiver 2004 is used to enable the electronic device of this embodiment to communicate with other devices during execution.

[0065] Processor 2001 may be a CPU (Central Processing Unit), a general-purpose processor, a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array), or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof. It can implement or execute the various exemplary logic blocks, modules, and circuits described in conjunction with the disclosure of this application. Processor 2001 may also be a combination that implements computing functions, such as including one or more microprocessor combinations, a combination of a DSP and a microprocessor, etc.

[0066] Bus 2002 may include a pathway for transmitting information between the aforementioned components. Bus 2002 may be a PCI (Peripheral Component Interconnect) bus or an EISA (Extended Industry Standard Architecture) bus, etc. Bus 2002 can be divided into address bus, data bus, control bus, etc. For ease of representation, the bus in Figure 4 is represented by a single thick line, but this does not mean that there is only one bus or one type of bus.

[0067] The memory 2003 may be ROM (Read Only Memory) or other types of static storage devices capable of storing static information and instructions, RAM (Random Access Memory) or other types of dynamic storage devices capable of storing information and instructions, or EEPROM (Electrically Erasable Programmable Read Only Memory), CD-ROM (Compact Disc Read Only Memory) or other optical disc storage, optical disc storage (including compressed optical discs, laser discs, optical discs, digital universal optical discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium capable of carrying or storing desired program code in the form of instructions or data structures and accessible by a computer, but not limited thereto.

[0068] Optionally, the memory 2003 stores application code that executes the scheme of this application, and its execution is controlled by the processor 2001. The processor 2001 executes the application code stored in the memory 2003 to implement the investment and financing project recommendation method provided in any embodiment of this application.

[0069] The electronic device provided in this application is applicable to any of the above-described methods, and will not be described again here.

[0070] This invention provides a method for handling application security vulnerabilities, which has significant advantages and beneficial effects compared with existing technologies. It involves sorting discovered vulnerabilities according to preset rules, reproducing and analyzing the underlying principles of these vulnerabilities, scanning the application source code or binary files using vulnerability scanning tools, analyzing the scan results to obtain vulnerability information, and finally obtaining the source code and combining it with the vulnerability principle database information. After matching the corresponding vulnerability principle rules, static analysis techniques are used to analyze whether the source code has exploitable conditions and whether mitigation measures have been taken. This method achieves the analysis of vulnerability principles and remediation methods to form a database. By combining application source code with static code analysis techniques and the vulnerability principle database, it determines whether the application is at risk. If no risk is found, there is no need to upgrade component versions, reducing the manpower costs for enterprises in vulnerability remediation.

[0071] In one embodiment, a computer-readable storage medium is provided, including computer-readable instructions. When a computer reads and executes the computer-readable instructions, it implements the steps of the application security vulnerability handling method described above. The application security vulnerability handling method provided by this invention has significant advantages and beneficial effects compared with existing technologies. It involves sorting discovered vulnerabilities according to preset rules, reproducing and analyzing the principles of the sorted vulnerabilities, scanning the application source code or binary files using vulnerability scanning tools, outputting scan results, analyzing the scan results to obtain vulnerability information, and finally obtaining the source code and combining it with the vulnerability principle database information. After matching the corresponding vulnerability principle rules, static analysis technology is used to analyze whether the source code has vulnerability exploitation conditions and whether mitigation measures have been taken. This achieves the analysis of vulnerability principles and repair methods to form a database. By combining the application source code with static code analysis technology and the vulnerability principle database, it determines whether the application has risks. If no risks are found, there is no need to upgrade component versions, reducing the enterprise's manpower costs for vulnerability repair.

[0072] Through the above description of the embodiments, those skilled in the art will understand that, for the sake of convenience and brevity, only the division of the above functional modules is used as an example. In actual applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the specific device can be divided into different functional modules to complete all or part of the functions described above.

[0073] Those skilled in the art will recognize that the modules and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the components and steps of the various examples have been generally described in terms of functionality in the foregoing description. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.

[0074] In the embodiments covered by this application, it should be understood that the disclosed apparatus, devices, and methods can be implemented in other ways. For example, the division of modules is merely a logical functional division, and in actual implementation, there may be other division methods. For instance, multiple modules or components may be combined or integrated into another device, or some features may be ignored or not executed. In addition, the mutual coupling or direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, devices, or modules, or it may be an electrical, mechanical, or other form of connection.

[0075] The modules described as separate components may or may not be physically separate. Similarly, the components shown as modules may or may not be physical modules; they may be located in one place or distributed across multiple network modules. Some or all of the modules can be selected to achieve the purpose of the embodiments of this application, depending on actual needs.

[0076] Furthermore, the functional modules in the various embodiments of this application may be implemented either in hardware or as software functional modules. If these functional modules are implemented as software functional modules and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a computer program product that includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the flow or function according to the embodiments of this application is produced. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer program product may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available media may be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., DVDs), or semiconductor media (e.g., solid state disks (SSDs)).

[0077] The above description is merely an example and illustration of the structure of the present invention. Those skilled in the art can make various modifications or additions to the specific embodiments described, or use similar methods to replace them, as long as they do not deviate from the structure of the invention or exceed the scope defined in the claims, all of which should fall within the protection scope of the present invention.

Claims

1. A method for handling application security vulnerabilities, characterized in that it comprises: sorting the discovered vulnerabilities according to preset rules, and reproducing the sorted vulnerabilities and analyzing their underlying principles, wherein the reproduction and principle analysis comprise confirming the exploitation conditions and mitigation measures of the discovered vulnerabilities and generating vulnerability principle database information; the exploitation conditions being the set of conditions or prerequisites that must be met for a vulnerability to be exploited to launch an attack or carry out a malicious act, including whether particular functions must be enabled or used; confirming the exploitation conditions of the vulnerability comprises: if the exploitation condition is untrusted input to a function, recording the class name corresponding to the function name and the positions of the input parameters, and storing them in the configuration library; if the source code is available, performing static analysis; and if the source code does not use the function, or supplies no untrusted input to it, determining that there is no security risk; scanning the application source code or binary file with a vulnerability scanning tool, outputting the scan results, and analyzing the scan results to obtain vulnerability information; and obtaining the source code, matching it against the corresponding vulnerability principle rules in combination with the vulnerability principle database information, and using static analysis to determine whether the source code satisfies the vulnerability exploitation conditions and whether mitigation measures have been taken.

2. The method for handling application security vulnerabilities according to claim 1, characterized in that, if the mitigation measure for the vulnerability consists of enabling or disabling a function through a configuration file, the configuration file name and the configuration items are recorded and stored in the configuration library; and if the source code is available, regular expression matching is used to confirm whether the application has applied the mitigation measure for the vulnerability, in which case there is no security risk.

3. The method for handling application security vulnerabilities according to claim 1, characterized in that, if the exploitation conditions are not present, or the mitigation measures are in place, the alert is cleared; otherwise, an alert is generated.

4. A device for handling application security vulnerabilities, characterized in that it comprises a reproduction analysis module, a scanning analysis module, and a verification module; the reproduction analysis module is configured to sort the discovered vulnerabilities according to preset rules, and to reproduce the sorted vulnerabilities and analyze their underlying principles, wherein the reproduction and principle analysis comprise confirming the exploitation conditions and mitigation measures of the discovered vulnerabilities and generating vulnerability principle database information; the exploitation conditions being the set of conditions or prerequisites that must be met for a vulnerability to be exploited to launch an attack or carry out a malicious act, including whether particular functions must be enabled or used; confirming the exploitation conditions of the vulnerability comprises: if the exploitation condition is untrusted input to a function, recording the class name corresponding to the function name and the positions of the input parameters, and storing them in the configuration library; and if the source code is available, using static analysis to confirm that there is no security risk when the source code does not use the function or supplies no untrusted input to it; the scanning analysis module is configured to scan the application source code or binary file with a vulnerability scanning tool, output the scan results, and analyze the scan results to obtain vulnerability information; and the verification module is configured to obtain the source code, match it against the corresponding vulnerability principle rules in combination with the vulnerability principle database information, and use static analysis to determine whether the source code satisfies the vulnerability exploitation conditions and whether mitigation measures have been taken.

5. The device for handling application security vulnerabilities according to claim 4, characterized in that, if the mitigation measure for the vulnerability consists of enabling or disabling a function through a configuration file, the configuration file name and the configuration items are recorded and stored in the configuration library; and if the source code is available, regular expression matching is used to confirm whether the application has applied the mitigation measure for the vulnerability, in which case there is no security risk.

6. The device for handling application security vulnerabilities according to claim 4, characterized in that, if the exploitation conditions are not present, or the mitigation measures are in place, the alert is cleared; otherwise, an alert is generated.
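As an added example that is not part of the patent or of the applicant's own code, the following Python script implements the verification step that claims 1 to 3 describe and that claims 4 to 6 restate as device modules: a vulnerability principle database record carries the sink (class name, function name, positions of the untrusted parameters) and the optional configuration-file mitigation (file name plus a regular expression for the configuration item); the application source is parsed with Python's ast module, a flow-insensitive, intra-procedural taint pass decides whether attacker-controlled data reaches an untrusted parameter of the sink, and the configuration file is checked with the regular expression before an alert is generated or cleared. Everything named here is constructed for illustration: the component `xmlish` and its `XmlLoader.load()` method, the identifier HYP-0001, the file `xmlish.ini` and its `resolve_entities` item, the assumption that untrusted data enters through a Flask-style `request` object, and the sample application.

```python
# Added example (not the patent's code): the source-verification step of claims 1 to 3.
from __future__ import annotations
import ast
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class PrincipleRule:
    """One record of the vulnerability principle database (claims 1 and 2)."""
    vuln_id: str
    class_name: str                      # class whose method is the sink
    func_name: str                       # sink function name
    untrusted_params: tuple[int, ...]    # 0-based positions of parameters that must not be attacker-controlled
    mitigation_file: str | None = None   # configuration file that can switch the dangerous feature off
    mitigation_regex: str | None = None  # line pattern proving the mitigating configuration item is set

# Assumption: untrusted data enters through a Flask-style `request` object.
UNTRUSTED_ROOTS = {"request"}

def _is_tainted(expr, tainted):
    """Over-approximation: some name in expr is tainted or is an untrusted root."""
    return any(isinstance(n, ast.Name) and (n.id in tainted or n.id in UNTRUSTED_ROOTS) for n in ast.walk(expr))

def _tainted_names(nodes, seed):
    """Propagate taint through assignments to a fixed point (flow-insensitive)."""
    tainted, changed = set(seed), True
    while changed:
        changed = False
        for node in nodes:
            if isinstance(node, ast.Assign) and _is_tainted(node.value, tainted):
                for tgt in node.targets:
                    if isinstance(tgt, ast.Name) and tgt.id not in tainted:
                        tainted.add(tgt.id)
                        changed = True
    return tainted

def _is_sink(call, rule, instances):
    """True if `call` is rule.func_name invoked on rule.class_name or on an instance of it."""
    func = call.func
    if not (isinstance(func, ast.Attribute) and func.attr == rule.func_name):
        return False
    recv = func.value
    if isinstance(recv, ast.Name):                       # XmlLoader.load(...) or loader.load(...)
        return recv.id == rule.class_name or instances.get(recv.id) == rule.class_name
    return isinstance(recv, ast.Call) and isinstance(recv.func, ast.Name) and recv.func.id == rule.class_name

def find_sink_calls(source, rule):
    """(line, untrusted-argument flag) for every call of the sink.  Taint stays inside one
    function, which errs towards keeping an alert rather than silently clearing it."""
    tree = ast.parse(source)
    instances = {t.id: n.value.func.id for n in ast.walk(tree) if isinstance(n, ast.Assign)
                 and isinstance(n.value, ast.Call) and isinstance(n.value.func, ast.Name)
                 for t in n.targets if isinstance(t, ast.Name)}        # loader = XmlLoader()
    module_nodes = [n for s in tree.body if not isinstance(s, ast.FunctionDef) for n in ast.walk(s)]
    module_tainted = _tainted_names(module_nodes, set())
    scopes = [(module_nodes, set())] + [(list(ast.walk(f)), module_tainted)
                                        for f in tree.body if isinstance(f, ast.FunctionDef)]
    results = []
    for nodes, seed in scopes:
        tainted = _tainted_names(nodes, seed)
        for node in nodes:
            if isinstance(node, ast.Call) and _is_sink(node, rule, instances):
                hit = any(i < len(node.args) and _is_tainted(node.args[i], tainted) for i in rule.untrusted_params)
                results.append((node.lineno, hit))
    return sorted(results)

def assess(rule, source, config_files):
    """Decision logic of claims 1 to 3 for one application."""
    calls = find_sink_calls(source, rule)
    verdict = {"vuln_id": rule.vuln_id, "alert": False, "lines": []}
    if not calls:                                   # sink never used: no risk
        return {**verdict, "status": "NOT_USED"}
    hit_lines = [line for line, hit in calls if hit]
    if not hit_lines:                               # used only with trusted input: no risk
        return {**verdict, "status": "NO_UNTRUSTED_INPUT"}
    if rule.mitigation_file and rule.mitigation_regex:
        text = config_files.get(rule.mitigation_file, "")   # missing file counts as not mitigated
        if re.search(rule.mitigation_regex, text, re.MULTILINE | re.IGNORECASE):
            return {**verdict, "status": "MITIGATED"}
    return {**verdict, "status": "ALERT", "alert": True, "lines": hit_lines}

# Constructed database entry for a hypothetical component `xmlish`: XmlLoader.load()
# resolves external entities unless xmlish.ini sets `resolve_entities = false`.
RULE = PrincipleRule("HYP-0001", "XmlLoader", "load", (0,), "xmlish.ini", r"^\s*resolve_entities\s*=\s*false\s*$")

# Constructed application under test; the sink call on line 11 receives request data.
APP_SOURCE = """\
from flask import request
from xmlish import XmlLoader

loader = XmlLoader()

def health():
    return loader.load("<ok/>")

def upload():
    payload = request.get_data()
    return loader.load(payload)
"""
```

With `{"xmlish.ini": "resolve_entities = true\n"}` the call `assess(RULE, APP_SOURCE, ...)` returns status ALERT with line 11 listed; with `resolve_entities = false` it returns MITIGATED; an application that never calls the sink returns NOT_USED, and one that calls it only with constants returns NO_UNTRUSTED_INPUT. Two caveats a practitioner should keep in mind: the regular expression only proves that the item is set in the named file, not that this file is the one the deployed build actually loads or that no later setting overrides it, so a missing or unmatched file is treated as not mitigated; and the taint pass is intra-procedural and flow-insensitive, so it may report a call whose argument is sanitized between source and sink, but it never clears an alert for a flow it cannot see.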

7. A computing device, characterized in that it comprises: a memory for storing program instructions; and a processor configured to invoke the program instructions stored in the memory and, according to the obtained program instructions, execute the method according to any one of claims 1 to 3.

8. A computer-readable storage medium, characterized in that it comprises computer-readable instructions which, when read and executed by a computer, implement the method according to any one of claims 1 to 3, wherein there may be a plurality of readable media, and the plurality of readable media are capable of operating independently of each other.