-
Publication number: US09792200B2
Publication date: 2017-10-17
Application number: US15057812
Filing date: 2016-03-01
Applicant: SAP SE
Inventor: Henrik Plate, Serena Ponta, Antonino Sabetta
CPC classification number: G06F11/3636, G06F11/3624, G06F21/577
Abstract: Implementations are directed to enhancing assessment of one or more known vulnerabilities inside one or more third-party libraries used within an application program that interacts with the one or more third-party libraries. In some examples, actions include receiving a complete call graph that is provided by static source code analysis (SSCA) of the application program and any third-party libraries used by the application, receiving one or more stack traces that are provided based on dynamic source code analysis (DSCA) during execution of the application program, processing the complete call graph, the one or more stack traces, and vulnerable function data to provide one or more combined call graphs, the vulnerable function data identifying one or more vulnerable functions included in the one or more third-party libraries, each combined call graph being specific to a respective vulnerable function, and providing a graphical representation of each combined call graph.
-
Publication number: US20160314302A1
Publication date: 2016-10-27
Application number: US14692203
Filing date: 2015-04-21
Applicant: SAP SE
Inventor: Antonino Sabetta, Luca Compagna, Serena Ponta, Stanislav Dashevskyi, Daniel Dos Santos, Fabio Massacci
CPC classification number: G06F21/577, G06F21/53, G06F21/54, G06F21/566, G06F2221/033
Abstract: An input handler receives an exploit test request specifying at least one exploit to be tested against at least one application in at least one execution environment. A deployment engine deploys the at least one execution environment including instantiating a container providing a virtual machine image and configured based on the exploit test request, the instantiated container including the at least one application. A scheduler schedules execution of the at least one execution environment within at least one execution engine, including scheduling an injection of the at least one exploit as specified in the exploit test request. A report generator generates an exploit test report characterizing a result of the at least one exploit being injected into the at least one execution environment of the at least one execution engine.
-