摘要
近年来,软件开发中使用开源软件的比例越来越高,开源代码引起的一系列软件安全问题不容忽视。安全开发管控最重要的手段就是对源代码进行静态分析,当前的源代码静态分析技术主要包括语法分析、语义分析、数据流分析及控制流分析等,此类静态分析技术主要是针对缺陷类型构建分析模型,并不考虑开源代码漏洞问题。通过从开放漏洞数据库中抽取所有可用的漏洞记录,并从开源项目所在开源代码库中收集易受攻击的代码建立开源缺陷代码库,挖掘代码缺陷库中的缺陷匹配信息,并通过应用实例证明这是一种有效的源代码安全漏洞挖掘技术,具有较高的缺陷搜索匹配速度和准确性。
In recent years,the proportion of open source software used in software development is getting higher,and software security vulnerabilities caused by open source code cannot be ignored.The most important mean for secure development management and control is static analysis of the source code.The current source code static analysis technologies mainly includes syntax analysis,semantic analysis,data flow analysis and control flow analysis,etc.This kind of static analysis technologies focus on constructing analysis models for defect types and do not consider open source code vulnerabilities.This paper extracts all available CVE vulnerability records from open vulnerability databases and collects vulnerable code from open source code base where open source projects are located to establish an open source defect code base.It mines the defect matching information in the code defect base and proves through application examples that it is an effective source code security vulnerability mining technology with high speed and accuracy in defect searching and matching.
作者
张勇
张合磊
赵平
ZHANG Yong;ZHANG Helei;ZHAO Ping(China Industrial Control Systems Cyber Emergency Response Team,Beijing 100040,China;Beijing Code-Pecker Information Technology Co.,Ltd.,Beijing 100041,China)
出处
《信息安全与通信保密》
2023年第7期70-82,共13页
Information Security and Communications Privacy
关键词
开源代码
漏洞
源代码静态分析
代码缺陷
open source code
vulnerability
static analysis of source code
code defect