System and method for management of application vulnerabilities
US-10579803-B1 · Mar 3, 2020 · US
US11734433B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11734433-B2 |
| Application number | US-202217709241-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 30, 2022 |
| Priority date | Dec 20, 2018 |
| Publication date | Aug 22, 2023 |
| Grant date | Aug 22, 2023 |
Official abstract text for this publication.
A method and system for remediating vulnerable code libraries, including open source libraries, in a software application. An application that uses code libraries, and information regarding known library vulnerabilities, are received; it is then determined whether one or more libraries in the application are vulnerable based upon the information. For each of the one or more vulnerable libraries, a library version that minimizes risk is determined. The determined library version is incorporated into the application to form a test application, and an application test is performed on the test application. If an application test score on the test application is below a predetermined threshold, the determined library version is incorporated into a final application precursor. A final application can be determined from the final application precursor for each of the one or more vulnerable libraries.
Opening claim text (preview).
What is claimed is:

1. A method comprising: receiving, by a remediation computer, a candidate application that uses a plurality of code libraries; identifying, by the remediation computer, a vulnerable library from the plurality of code libraries; obtaining, by the remediation computer, a list of a plurality of versions of the vulnerable library; for each of the plurality of versions of the vulnerable library in the list: identifying one or more risks, wherein each of the identified one or more risks is assigned a risk score; assigning an intermediate risk score to each of the identified one or more risks based on the risk score for each of the identified one or more risks; evaluating one or more operational risks to generate a change score; sorting, by the remediation computer, the plurality of versions of the vulnerable library in the list based on the generated change score; determining a version of the vulnerable library that minimizes risk from the sorted list; and incorporating the determined version of the vulnerable library that minimizes the risk into the candidate application.
2. The method according to claim 1, wherein the identifying the one or more risks comprises: obtaining security risk information from a security risk database server; obtaining license risk information from a license database server; identifying at least one risk from the security risk information; identifying at least one risk from the license risk information; and setting an error flag for each risk identified from the security risk information and the license risk information.
3. The method according to claim 1, wherein the vulnerable library is a library that is within the candidate application.
4. The method according to claim 1, wherein the vulnerable library is a library within the candidate application that calls an external vulnerable library.
5. The method according to claim 1, wherein the list of the plurality of versions of the vulnerable library are obtained from an external database.
6. The method according to claim 1, wherein the assigning the intermediate risk score to each of the identified one or more risks based on the risk score for each of the identified one or more risks comprises: in response to determining a risk of the identified one or more risks is high, adding a high number to the risk score; in response to determining that the risk of the identified one or more risks is medium, adding a medium number to the risk score; and in response to determining that the risk of the identified one or more risks is low, adding a low number to the risk score.
7. The method according to claim 1, wherein an operational risk is a risk that affects an operation of the candidate application.
8. The method according to claim 1, wherein the evaluating the one or more operational risks to generate the change score comprises: comparing a major version number of the vulnerable library with a major version number of a proposed library version of the plurality of versions of the vulnerable library in the list; determining whether the major version number of the vulnerable library is greater than the major version number of the proposed library version of the plurality of versions of the vulnerable library in the list by a first predetermined threshold; and in response to determining that the major version number of the vulnerable library is greater than the major version number of the proposed library version of the plurality of versions of the vulnerable library by the first predetermined threshold, increasing the change score by a first value.
9. The method according to claim 8, wherein the evaluating the one or more operational risks to generate the change score further comprises: comparing a minor version number of the vulnerable library with a minor version number of the proposed library version of the plurality of versions of the vulnerable library in the list; determining whether the minor version number of the vulnerable library is greater than the minor version number of the proposed library version of the plurality of versions of the vulnerable library in the list by a second predetermined threshold; and in response to determining that the minor version number of the vulnerable library is greater than the minor version number of the proposed library version of the plurality of versions of the vulnerable library by the second predetermined threshold, increasing the change score by a second value that is lower than the first value.
10. The method according to claim 1, wherein the evaluating the one or more operational risks to generate the change score comprises: comparing an artifact path of the vulnerable library with an artifact path of a proposed library version of the plurality of versions of the vulnerable library in the list; determining whether the artifact path of the vulnerable library is greater than the artifact path of the proposed library version of the plurality of versions of the vulnerable library in the list by a first predetermined value; and in response to determining that the artifact path of the vulnerable library is greater than the artifact path of the proposed library version of the plurality of versions of the vulnerable library in the list by the first predetermined value, increasing the change score by a first value.
11. The method according to claim 10, wherein the evaluating the one or more operational risks to generate the change score further comprises: in response to determining that the artifact path of the vulnerable library is not greater than the artifact path of the version of the plurality of versions of the vulnerable library in the list by the first predetermined value, increasing the change score by a second value that is less than the first value.
12. The method according to claim 10, wherein an artifact is data that persists after the candidate application is built or run.
13. The method according to claim 12, wherein the artifact path is a directory listing instructing a computer building or running the candidate application where to store the artifact.
14. A remediation computer comprising: a processor; and a computer readable medium comprising code, executable by the processor, for implementing a method comprising: receiving, by the remediation computer, a candidate application that uses a plurality of code libraries; identifying, by the remediation computer, a vulnerable library from the plurality of code libraries; obtaining, by the remediation computer, a list of a plurality of versions of the vulnerable library; for each of the plurality of versions of the vulnerable library in the list: identifying one or more risks, wherein each of the identified one or more risks is assigned a risk score; assigning an intermediate risk score to each of the identified one or more risks based on the risk score for each of the identified one or more risks; evaluating one or more operational risks to generate a change score; sorting, by the remediation computer, the plurality of versions of the vulnerable library in the list based on the generated change score; determining a version of the vulnerable library that minimizes risk from the sorted list; and incorporating the determined version of the vulnerable library that minimizes the risk into the candidate application.
15. The remediation computer according to claim 14, wherein the identifying the one or more risks comprises: obtaining security risk information from a security risk database server; obtaining license risk information from a license database server; i
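The selection procedure the claims describe, carried through on constructed data. This is an added example, not code from the patent or from any product built on it. The risk weights, the major/minor thresholds and values, the library versions, the security and license risk entries and the test-failure counts are all assumptions. Two readings are also assumptions: claims 8 and 9 phrase the version comparison one-directionally ("current greater than proposed by a threshold"), and the example uses the absolute gap so that a large upgrade is penalised like a large downgrade; and the abstract's "test score below a predetermined threshold" is read as a failing-test count, so below the threshold means the test application passed. The example goes one step past claim 1 by falling through to the next least-risky version when a candidate fails the test gate.

```python
"""Library-version selection per claims 1, 6, 8 and 9 plus the test gate in
the abstract. Added illustration; every weight, threshold, version and risk
entry below is an assumption, not a value taken from the patent."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Claim 6: a high/medium/low risk adds a high/medium/low number (values assumed).
RISK_WEIGHTS = {"high": 10, "medium": 4, "low": 1}
# Claims 8 and 9: a major-version gap adds a first value, a minor-version gap a
# smaller second value (thresholds and values assumed).
MAJOR_THRESHOLD, MAJOR_VALUE = 1, 10
MINOR_THRESHOLD, MINOR_VALUE = 1, 3


@dataclass(frozen=True)
class Risk:
    source: str    # "security" or "license": the two databases of claim 2
    severity: str  # "high", "medium" or "low"
    note: str


@dataclass(frozen=True)
class Scored:
    version: str
    risk_score: int
    change_score: int


def parse_version(v: str) -> Tuple[int, int, int]:
    """'MAJOR.MINOR.PATCH' -> ints; missing trailing parts count as 0."""
    parts = [int(p) for p in v.split(".")]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def intermediate_risk_score(risks: Sequence[Risk]) -> int:
    """Claim 6: sum the per-severity number over every identified risk."""
    return sum(RISK_WEIGHTS[r.severity] for r in risks)


def change_score(current: str, candidate: str) -> int:
    """Claims 8/9: operational risk from the version gap. Uses the absolute
    gap (assumption; the claims word the comparison one-directionally)."""
    cur, cand = parse_version(current), parse_version(candidate)
    score = 0
    if abs(cur[0] - cand[0]) >= MAJOR_THRESHOLD:
        score += MAJOR_VALUE
    if abs(cur[1] - cand[1]) >= MINOR_THRESHOLD:
        score += MINOR_VALUE
    return score


def score_versions(current: str, candidates: Sequence[str],
                   known_risks: Dict[str, Sequence[Risk]]) -> List[Scored]:
    """Claim 1: score every listed version, then sort by change score.
    sorted() is stable, so versions with equal change scores keep list order."""
    scored = [Scored(v, intermediate_risk_score(known_risks.get(v, ())),
                     change_score(current, v)) for v in candidates]
    return sorted(scored, key=lambda s: s.change_score)


def select_version(current: str, candidates: Sequence[str],
                   known_risks: Dict[str, Sequence[Risk]],
                   test_failures: Callable[[str], int],
                   threshold: int) -> Optional[str]:
    """Claim 1 plus the abstract's gate: walk versions from least risky (ties
    broken by lower change score, since the sort is stable); the first whose
    test application scores below the threshold is incorporated. The test
    score is read as a failing-test count (assumption), so lower is better."""
    ranked = score_versions(current, candidates, known_risks)
    for s in sorted(ranked, key=lambda s: s.risk_score):
        if test_failures(s.version) < threshold:
            return s.version
    return None  # nothing passed the gate; leave the library for manual review


# Constructed sample data for a hypothetical library at vulnerable version 1.2.3.
SAMPLE_CURRENT = "1.2.3"
SAMPLE_CANDIDATES = ["1.2.3", "1.2.4", "1.5.0", "2.0.0", "2.1.0"]
SAMPLE_RISKS: Dict[str, Sequence[Risk]] = {
    "1.2.3": [Risk("security", "high", "known vulnerability (constructed)")],
    "1.2.4": [Risk("security", "medium", "partial fix only (constructed)")],
    "2.0.0": [Risk("license", "high", "license incompatible with app (constructed)")],
}
# Constructed test outcomes: failing-test count for each candidate test application.
SAMPLE_TEST_FAILURES = {"1.2.3": 0, "1.2.4": 0, "1.5.0": 2, "2.0.0": 7, "2.1.0": 0}


if __name__ == "__main__":
    for s in score_versions(SAMPLE_CURRENT, SAMPLE_CANDIDATES, SAMPLE_RISKS):
        print(f"{s.version:>6}  risk={s.risk_score:2d}  change={s.change_score:2d}")
    chosen = select_version(SAMPLE_CURRENT, SAMPLE_CANDIDATES, SAMPLE_RISKS,
                            SAMPLE_TEST_FAILURES.__getitem__, threshold=1)
    print("incorporate:", chosen)
```

On the sample data 1.5.0 and 2.1.0 both carry no known risk, and the change-score sort puts 1.5.0 first; it is only the test gate that rejects it (two failing tests) and moves the choice to 2.1.0. In a real pipeline the inline risk dictionary would be replaced by lookups against an advisory feed and a license database, which is the claim 2 step this example only simulates.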
Environments for analysis, debugging or testing of software · CPC title
Assessing vulnerabilities and evaluating computer system security · CPC title
Version control (security arrangements therefor G06F21/57); Configuration management · CPC title
Physics · mapped topic
for test design, e.g. generating new test cases · CPC title