CN106919843B - Vulnerability repair system, method and equipment - Google Patents


Info

Publication number: CN106919843B
Authority: CN (China)
Prior art keywords: file, update, server, identifier, platform
Legal status: Active
Application number: CN201710055079.1A
Other languages: Chinese (zh)
Other versions: CN106919843A (en)
Inventors: 陈雄, 徐鹏捷
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN201710055079.1A
Publication of CN106919843A
Application granted
Publication of CN106919843B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/60 Software deployment
    • G06F 8/65 Updates

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Information Transfer Between Computers (AREA)
  • Stored Programmes (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides a vulnerability fixing system, method and device. The system comprises a data release server, a file server and a client. The data release server is adapted to synchronously acquire the cumulative update data from the program provider according to a specified time period, and to process and release it. The file server is adapted to synchronize the update files and to establish an index containing the identifier and address information of each update file. When a trigger event for vulnerability repair is received, the client is adapted to load a target scanning library that is released through a specified channel and matches the local system platform, to scan the local system for vulnerabilities using the target scanning library to obtain the identifiers of the update files to be installed, to acquire those update files from the file server using their identifiers, and to repair the local vulnerabilities with them. Embodiments of the invention can improve both the efficiency and the effectiveness of vulnerability repair.

Description

Vulnerability repair system, method and equipment
Technical Field
The invention relates to the technical field of information security, in particular to a vulnerability fixing system, method and device.
Background
In win10, Microsoft introduced a new Windows Update distribution mechanism: instead of the earlier form of separate installation packages, updates are shipped as one large monthly cumulative update package. This form solves the serious fragmentation of system updates and makes the update process simpler. However, it has drawbacks: the cumulative update package is large (for example, the win10 x64 cumulative update exceeds 1G) and contains complete update information, not all of which a specific user terminal needs. Furthermore, Microsoft has stated in its official blog that the cumulative update approach of win10 will gradually be applied to all systems that currently receive updates (e.g. win7sp1, win8.1), while the distribution of scattered independent installation packages is gradually phased out.
The current implementation of a vulnerability repair module obtains information about the scattered independent installation packages from the website that Microsoft publishes monthly, issues that information to user terminals as a patch library as soon as possible, triggers a user-side reminder within a concentrated time window, downloads the appropriate independent installation packages (with user intervention) to the user terminals that have the corresponding vulnerabilities, and then installs the independent installation packages one by one, so that the local user's vulnerable files are upgraded and repaired.
If Microsoft completely adopts the new update release mechanism, users can still be patched under the current implementation, but some serious problems exist:
(1) the cumulative update package is large; releasing it intensively to a massive domestic user base is a serious challenge to bandwidth resources and increases the difficulty of release;
(2) for a specific user terminal, much of the information in the cumulative update package is useless, causing unnecessary traffic waste.
Therefore, a suitable update scheme adapted to Microsoft's new update distribution mechanism is needed to solve the above problems.
Disclosure of Invention
In view of the above, the present invention is proposed to provide a vulnerability fixing system, a method and a corresponding device which overcome or at least partially solve the above problems.
According to an aspect of the present invention, there is provided a vulnerability fixing system, including: the system comprises a data release server, a file server and a client;
the data release server is suitable for synchronously acquiring accumulated updating data for repairing the program bugs from a program provider according to a specified time period; extracting a full-platform scanning library containing one or more update patches from the accumulated update data, and splitting the full-platform scanning library according to a system platform to obtain scanning libraries of all platforms; issuing the update files in the accumulated update data to the file server, and issuing the scan libraries of each platform through a specified channel;
the file server is suitable for synchronizing the update file, acquiring the identifier of the update file and the address information of the file server where the update file is located, and establishing an index containing the identifier and the address information of the update file;
the client is suitable for loading a target scanning library which is issued through the specified channel and matched with a local system platform when a trigger event of vulnerability repair is received, and scanning the local vulnerability by using the target scanning library to obtain an identifier of an updated file to be installed; and acquiring the updated file to be installed from the file server by using the identifier of the updated file to be installed, and repairing the local vulnerability by using the updated file to be installed.
Optionally, the file server includes a plurality of content delivery network CDN nodes and a KV server;
each CDN node is suitable for synchronizing the update files;
the KV server is suitable for acquiring the identification of the updated file and the address information of each CDN node where the updated file is located, and establishing an index containing the identification and the address information of the updated file.
Optionally, the index further includes index information of at least one of the following:
summary information, size, release time and verification information of the update file.
Optionally, the data publishing server is further adapted to:
uploading the update file to a CDN delivery server and synchronizing it to each CDN node.
Optionally, the data publishing server is further adapted to:
synchronously acquiring description information of accumulated updating data for repairing the program bug from a program provider according to a specified time period, wherein the description information comprises a downloading address for downloading the accumulated updating data;
and downloading according to the download address in the description information to obtain the accumulated updating data.
Optionally, the data publishing server is further adapted to:
invoking a first command to extract a full platform scan library containing one or more update patches from the cumulative update data;
calling a second command to derive an update list of patches of each platform from the full platform scanning library according to the identification of each system platform;
and calling a third command to generate the scanning library of each platform according to the full-platform scanning library and the update list.
Optionally, the scanning library of each platform records an identifier of an update file corresponding to each patch, and the client is further adapted to:
scanning the local vulnerability by using the target scanning library to obtain a scanning result set of the patch which is not installed on the local system;
selecting patches to be installed from the scanning result set;
and determining the identifier of the updated file to be installed corresponding to the patch to be installed according to the identifier of the updated file corresponding to each patch recorded in the target scanning library.
Optionally, the client is further adapted to:
enumerating all patches in the target scanning library to obtain an updated list;
and traversing the update list, judging whether each patch is installed on a local system, and if not, adding the patch to the scanning result set.
Optionally, the client is further adapted to:
before traversing the update list and judging whether each patch is installed on the local system, checking whether the parent dependency of each patch passes detection, and only if it does, judging whether the patch is installed on the local system.
Optionally, the client is further adapted to:
if the parent dependency of a patch does not pass detection, taking the next patch from the update list and checking whether that patch's parent dependency passes detection.
Optionally, the client is further adapted to:
determining the identifier of the alternative update file corresponding to the patch to be installed according to the identifier of the update file corresponding to each patch recorded in the target scanning library;
and determining the identifier of the update file to be installed according to the identifier of the alternative update file.
Optionally, when the update file comprises an update package, the client is further adapted to:
determining the identification of the target update package corresponding to the patch to be installed according to the identification of the update package corresponding to each patch recorded in the target scanning library;
acquiring address information of the target update package from the KV server by using the identifier of the target update package;
downloading the target update package from a corresponding CDN node by using the address information of the target update package;
and decompressing the target update package to obtain the identifier of the alternative update file.
Optionally, the client is further adapted to:
judging whether the alternative update file exists on a local system or not according to the identifier of the alternative update file;
if not, writing the identifier of the alternative update file into a differential file list, and taking the identifier of the file in the differential file list as the identifier of the update file to be installed;
if yes, copying the alternative update file on the local system to the temporary installation directory.
Optionally, the client is further adapted to:
acquiring address information of the updated file to be installed from the KV server by using the identifier of the updated file to be installed;
and downloading the update file to be installed from a corresponding CDN node by utilizing the address information of the update file to be installed.
Optionally, the client is further adapted to:
and copying the downloaded update file to be installed to the temporary installation directory.
Optionally, the client is further adapted to:
acquiring index information of the updated file to be installed, which contains verification information of the updated file, from the KV server by using the identifier of the updated file to be installed;
and verifying the downloaded updated file to be installed by using the verification information, and copying the updated file to be installed to the temporary installation directory after the verification is passed.
Optionally, the client is further adapted to:
installing the files in the temporary installation directory to repair the local vulnerability.
According to another aspect of the present invention, there is also provided a bug fixing method applied to a data distribution server, including:
synchronously acquiring accumulated updating data for repairing the program bug from a program provider according to a specified time period;
extracting a full-platform scanning library containing one or more update patches from the accumulated update data, and splitting the full-platform scanning library according to a system platform to obtain scanning libraries of all platforms;
and issuing the update files in the accumulated update data to a file server, and issuing the scanning libraries of all the platforms through a specified channel.
According to another aspect of the present invention, there is also provided a bug fixing method applied to a file server, including:
synchronizing the updated files from the data distribution server;
and acquiring the identifier of the update file and the address information of the file server where the update file is located, and establishing an index containing the identifier and the address information of the update file.
According to another aspect of the present invention, there is also provided a bug fixing method applied to a client, including:
when a trigger event of vulnerability repair is received, loading a target scanning library which is released by a data release server through a specified channel and matched with a local system platform;
scanning the local vulnerability by using the target scanning library to obtain an identifier of the updated file to be installed;
and acquiring the updated file to be installed from a file server by using the identifier of the updated file to be installed, and repairing the local vulnerability by using the updated file to be installed.
According to still another aspect of the present invention, there is also provided a data distribution server including:
the first synchronization module is suitable for synchronously acquiring accumulated updating data for repairing the program bug from a program provider according to a specified time period;
the first processing module is suitable for extracting a full-platform scanning library containing one or more update patches from the accumulated update data, and splitting the full-platform scanning library according to a system platform to obtain scanning libraries of all platforms;
and the issuing module is suitable for issuing the update files in the accumulated update data to a file server and issuing the scanning libraries of all the platforms through a specified channel.
According to still another aspect of the present invention, there is also provided a file server including:
the second synchronization module is suitable for synchronizing the updated files from the data distribution server;
and the second processing module is suitable for acquiring the identifier of the update file and the address information of the file server where the update file is positioned, and establishing an index containing the identifier and the address information of the update file.
According to another aspect of the present invention, there is also provided a client, including:
the loading module is suitable for loading a target scanning library which is released by the data release server through a specified channel and matched with the local system platform when a trigger event of bug fixing is received;
the scanning module is suitable for scanning the local vulnerability by using the target scanning library to obtain the identifier of the updated file to be installed;
and the vulnerability repairing module is suitable for acquiring the updated file to be installed from the file server by using the identifier of the updated file to be installed, and then repairing the local vulnerability by using the updated file to be installed.
The embodiment of the invention provides a vulnerability fixing system comprising a data release server, a file server and a client. The data release server synchronously acquires cumulative update data for fixing program vulnerabilities from a program provider according to a specified time period; extracts from it a full-platform scanning library containing one or more update patches, and splits the full-platform scanning library by system platform to obtain a scanning library per platform; releases the update files in the cumulative update data to a file server, and releases the scanning libraries of all platforms through a specified channel. The file server synchronizes the update files, acquires the identifier of each update file and the address information of the file server where it is located, and establishes an index containing the identifier and address information of each update file. When the client receives a trigger event for vulnerability repair, it loads the target scanning library released through the specified channel that matches the local system platform, scans the local system with it to obtain the identifiers of the update files to be installed, acquires those update files from the file server using their identifiers, and repairs the local vulnerabilities with them. Because the data release server acquires, processes and releases the cumulative update data on the specified period, the client does not need to acquire and process the cumulative update data from the program provider when fixing vulnerabilities, but directly acquires the update files from the file server to which they were released, which improves the efficiency of vulnerability repair.
Furthermore, because the data release server splits the full-platform scanning library by system platform, the client loads only the scanning library matching its own system platform when fixing vulnerabilities, which improves scanning efficiency and the effectiveness of the repair.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
The above and other objects, advantages and features of the present invention will become more apparent to those skilled in the art from the following detailed description of specific embodiments thereof, taken in conjunction with the accompanying drawings.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a schematic structural diagram of a bug fixing system according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a bug fix system according to another embodiment of the present invention;
FIG. 3 is a schematic diagram illustrating a scan flow of client 230;
FIG. 4 is a schematic diagram illustrating one installation flow of client 230;
FIG. 5 is a flowchart illustrating a bug fix method applied to a data distribution server according to an embodiment of the present invention;
FIG. 6 is a flowchart illustrating a vulnerability fixing method applied to a file server according to an embodiment of the present invention;
FIG. 7 is a flowchart illustrating a bug fix method applied to a client according to an embodiment of the present invention;
FIG. 8 is a block diagram of a data publication server according to an embodiment of the invention;
FIG. 9 is a schematic diagram of a file server according to an embodiment of the present invention; and
fig. 10 shows a schematic structural diagram of a client according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
In order to solve the above technical problems, an embodiment of the present invention provides a bug fixing system. Fig. 1 shows a schematic structural diagram of a vulnerability fixing system according to an embodiment of the present invention. As shown in fig. 1, the vulnerability repair system 100 may include: data distribution server 110, file server 120, client 130.
The data publishing server 110 is suitable for synchronously acquiring accumulated updating data for repairing the program bug from the program provider according to a specified time period; extracting a full-platform scanning library containing one or more update patches from the accumulated update data, and splitting the full-platform scanning library according to the system platform to obtain scanning libraries of all platforms; issuing the update files in the accumulated update data to a file server, and issuing the scanning libraries of all platforms through an appointed channel;
the file server 120 is coupled with the data distribution server 110 and is adapted to synchronize the update files, acquire the identifier of each update file and the address information of the file server where it is located, and establish an index containing the identifier and address information of each update file;
the client 130 is coupled with the file server 120 and is suitable for loading a target scanning library which is issued through a specified channel and matched with a local system platform when a trigger event of vulnerability repair is received, and scanning the local vulnerability by using the target scanning library to obtain an identifier of an updated file to be installed; and acquiring the update file to be installed from the file server by using the identifier of the update file to be installed, and repairing the local vulnerability by using the update file to be installed.
In the embodiment of the present invention, the data distribution server 110 synchronously obtains the accumulated update data from the program provider according to the specified time period, and processes and distributes the accumulated update data, so that the client 130 does not need to obtain and process the accumulated update data from the program provider when performing bug fixing, but directly obtains the update file from the distributed file server 120, thereby improving the efficiency of bug fixing. In addition, the data publishing server 110 splits the full-platform scanning library according to the system platform to obtain the scanning libraries of each platform, so that the client 130 directly loads the scanning libraries matched with the system platform of the client during bug fixing, thereby improving scanning efficiency and improving effectiveness of bug fixing.
In an optional embodiment of the present invention, when the data publishing server 110 synchronizes the accumulated update data, the description information of the accumulated update data for repairing the bug of the program may be synchronously obtained from the program provider according to a specified time period, where the description information includes a download address for downloading the accumulated update data; and then downloading according to the download address in the description information to obtain the accumulated updating data.
In an alternative embodiment of the present invention, when the data distribution server 110 splits the full-platform scan library, the first command may be invoked to extract the full-platform scan library including one or more update patches from the accumulated update data, then the second command may be invoked to derive an update list of the patches of each platform from the full-platform scan library according to the identifier of each system platform, and then the third command may be invoked to generate the scan library of each platform according to the full-platform scan library and the update list. The identification of each system platform herein may be, for example, win7, win8.1, win10, office, etc., and the invention is not limited thereto.
In an alternative embodiment of the present invention, the file server 120 may include a plurality of CDN (content delivery network) nodes and a KV server. Each CDN node is adapted to synchronize the update files; the KV server is adapted to acquire the identifier of each update file and the address information of each CDN node where the update file is located, and to establish an index containing the identifier and address information of the update file. The index may be in key-value form, with the identifier as the key and the address information as the value. In an optional embodiment, the index may further include summary information, size, release time and check information of the update file, and this index information may also be stored as part of the value.
In an alternative embodiment of the present invention, when each CDN node synchronizes the update file, the data delivery server 110 may upload the update file to the CDN delivery server and synchronize the update file to each CDN node.
In an optional embodiment of the present invention, the identifier of the update file corresponding to each patch is recorded in the scanning library of each platform, so that when the client 130 scans the local vulnerability according to the scanning rule by using the target scanning library, the scanning result set of the patches that are not installed on the local system may be determined, then the patches to be installed are selected from the scanning result set, and then the identifier of the update file to be installed corresponding to the patches to be installed is determined according to the identifier of the update file corresponding to each patch recorded in the target scanning library.
Further, the client 130 may enumerate all patches in the target scanning library to obtain an update list, then traverse the update list, and determine whether each patch is already installed on the local system, if not, add the patch to the scanning result set; if so, continuing to select the next patch from the update list, and judging whether the next patch is installed on the local system, and so on.
In an alternative embodiment, before traversing the update list and determining whether each patch has been installed on the local system, the client 130 may also check whether the parent dependency of each patch passes detection; if so, it determines whether the patch is installed on the local system, and if not, it takes the next patch from the update list and checks whether that patch's parent dependency passes detection, and so on.
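As an added illustration (not code from the patent), the following Python models the per-platform split of the full-platform scanning library performed by the data release server and the client scan flow of FIG. 3. The patch record layout, the constructed patch and file identifiers, and the reading of "parent dependency passes detection" as "the parent patch is already installed" are assumptions made for this example.

```python
# Added example (not from the patent): a toy model of the scan libraries and the
# client-side scan flow. Names, record layout and identifiers are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Patch:
    """One update patch as recorded in a scan library (layout assumed)."""
    patch_id: str                 # patch identifier (constructed values below)
    platforms: frozenset          # system platforms the patch applies to
    update_file_ids: tuple        # identifiers of the update files for this patch
    parent: Optional[str] = None  # parent patch whose detection must pass first


# Constructed full-platform scan library extracted from one cumulative update.
FULL_PLATFORM_LIBRARY: List[Patch] = [
    Patch("KB-A", frozenset({"win7", "win10"}), ("ntoskrnl.upd", "win32k.upd")),
    Patch("KB-B", frozenset({"win10"}), ("edgehtml.upd",), parent="KB-A"),
    Patch("KB-C", frozenset({"win7"}), ("gdi32.upd",)),
    Patch("KB-D", frozenset({"win10"}), ("kernelbase.upd",), parent="KB-B"),
]


def split_by_platform(full_library: List[Patch],
                      platform_ids: List[str]) -> Dict[str, List[Patch]]:
    """Data release server step: derive the update list of each platform from the
    full-platform library and build one scan library per platform identifier."""
    return {pid: [p for p in full_library if pid in p.platforms] for pid in platform_ids}


def parent_dependency_passes(patch: Patch, installed: Set[str]) -> bool:
    """Assumption for this example: a parent dependency 'passes detection' when the
    patch has no parent or the parent patch is already installed locally."""
    return patch.parent is None or patch.parent in installed


def scan_local_system(target_library: List[Patch], installed: Set[str]) -> List[Patch]:
    """Client scan flow: enumerate every patch in the target scan library, skip those
    whose parent dependency fails, and collect the ones not yet installed."""
    result_set: List[Patch] = []
    for patch in target_library:                 # traverse the update list
        if not parent_dependency_passes(patch, installed):
            continue                              # take the next patch instead
        if patch.patch_id not in installed:
            result_set.append(patch)              # not installed: add to result set
    return result_set


def update_file_ids_for(patches: List[Patch]) -> List[str]:
    """Map the selected patches to the identifiers of the update files to install,
    using the per-patch file identifiers recorded in the scan library."""
    seen: Set[str] = set()
    ordered: List[str] = []
    for patch in patches:
        for fid in patch.update_file_ids:
            if fid not in seen:
                seen.add(fid)
                ordered.append(fid)
    return ordered


if __name__ == "__main__":
    libraries = split_by_platform(FULL_PLATFORM_LIBRARY, ["win7", "win10"])
    # A win10 machine that already has KB-A installed: KB-B qualifies, KB-D is
    # skipped because its parent KB-B is not installed yet.
    missing = scan_local_system(libraries["win10"], installed={"KB-A"})
    print([p.patch_id for p in missing])
    print(update_file_ids_for(missing))
```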
In an optional embodiment of the present invention, in order to reduce download traffic and improve bug fix efficiency, the embodiment of the present invention implements downloading of the differential update file, merges the differential update file with an existing file of the system, and then performs quick installation, thereby implementing bug fix. Specifically, the embodiment of the present invention may determine, according to the identifier of the update file corresponding to each patch recorded in the target scan library, the identifier of the alternative update file corresponding to the patch to be installed, and further determine, according to the identifier of the alternative update file, the identifier of the update file to be installed. Here, the candidate update files may be all update files corresponding to the patches to be installed, and the update files to be installed are delta update files, and how to determine the identifiers of the candidate update files and the identifiers of the update files to be installed will be described below.
First, the scheme for determining the identifiers of the alternative update files is introduced. Here the update file comprises an update package in which the identifiers of the alternative update files are recorded. The client 130 determines the identifier of the target update package corresponding to the patch to be installed according to the identifier of the update package corresponding to each patch recorded in the target scanning library; then acquires the address information of the target update package from the KV server using the identifier of the target update package; downloads the target update package from the corresponding CDN node using that address information; and finally decompresses the target update package to obtain the identifiers of the alternative update files.
Then, a scheme for determining the identifier of the update file to be installed is introduced, that is, the client 130 determines whether the alternative update file already exists on the local system according to the identifier of the alternative update file; if not, writing the identifier of the alternative update file into a differential file list, and taking the identifier of the file in the differential file list as the identifier of the update file to be installed; if yes, copying the alternative update file on the local system to the temporary installation directory.
After determining the identifier of the update file to be installed, the client 130 may obtain the address information of the update file to be installed from the KV server by using the identifier of the update file to be installed, and further download the update file to be installed from the corresponding CDN node by using the address information of the update file to be installed. Next, the client 130 may copy the downloaded update file to be installed to the temporary installation directory, and install the file in the temporary installation directory to repair the local vulnerability.
In an optional embodiment, in order to ensure the validity of the update file to be installed, the update file to be installed may be verified. Specifically, index information of the update file to be installed, which includes verification information of the update file, may be obtained from the KV server by using the identifier of the update file to be installed; the downloaded update file to be installed is then verified by using the verification information, and only after the verification is passed is the update file to be installed copied to the temporary installation directory.
In an alternative embodiment, the client 130 may be installed on a user terminal.
The bug fixing system provided by the embodiment of the invention is described below with a specific application example. Taking Microsoft as the program provider, as introduced above, in Windows 10 Microsoft introduced a new Windows Update distribution mechanism: instead of the previous form of separately distributed independent installation packages, updates are distributed as one large cumulative update package per month. The data publishing server 110 in the bug fixing system provided by the embodiment of the invention is a WSUS (Windows Server Update Services) server, which comprises a standard WSUS service and a series of self-implemented data publishing tools.
On the one hand, the WSUS service is responsible for periodically synchronizing the latest update database from the Microsoft cloud server. The update database contains important description information, mainly including the full-platform scanning library, the URLs (uniform resource locators) of the quick experience packages of all patches, the URLs of the complete packages of all patches, the URLs of the PSF files of the patches, and so on.
On the other hand, the data publishing tool is responsible for downloading the cumulative update data (such as the full-platform scanning library, the quick experience package of each patch, the complete package of each patch, the PSF file of each patch, and the like) to the WSUS server according to the description information in the update database. It then extracts the full-platform scanning library containing one or more update patches from the cumulative update data and splits the full-platform scanning library by system platform to obtain the scanning library of each platform. Next, the update files in the cumulative update data are published to the file server, and the scanning library of each platform is published through a specified channel. Finally, important data is backed up. Since the WSUS server is the only source of operational data, a single WSUS server is sufficient, and the security of the WSUS server is correspondingly important.
The file server 120 in the bug fixing system provided by the embodiment of the present invention synchronizes the update file distributed from the data distribution server 110, where the file server 120 is an abstract concept, and as a destination of data distribution, the file server 120 is not a single server or several servers, but a series of server clusters cooperating with each other. The file server 120 mainly includes two parts, a CDN node and a KV server. On the one hand, each CDN node distributed around the country is responsible for synchronizing the latest delivered update file in time, and is also responsible for responding to hundreds of millions of client file download requests. On the other hand, the KV server cluster is responsible for establishing an index of update data in time and responding to hundreds of millions of client index requests, and specifically, the KV server acquires an identifier of an update file and address information of each CDN node where the update file is located, and establishes an index of the update file that includes the identifier and the address information.
When the client 130 in the vulnerability repair system provided by the embodiment of the present invention receives a trigger event for vulnerability repair (such as a user action or a timer), it loads the target scanning library that was published through the specified channel and matches the local system platform, and scans the local vulnerabilities by using the target scanning library to obtain the identifiers of the update files to be installed. It then initiates an index request to the KV server by using those identifiers, extracts the download information (containing the URL and various check information) of the update files to be installed from the returned result, initiates a data download request to the CDN node by using the download information, verifies the downloaded data by using the check information obtained from the KV server once the download is complete, merges the downloaded data with the local files to obtain a complete installation package after all verification has passed, and finally installs the installation package through a local specified interface.
It should be noted that Microsoft, the program provider used here as an example, is only an exemplary scenario and does not limit the present invention; the embodiments of the present invention can be applied to any scenario that requires bug fixing of a program (such as an operating system, an application program, and the like).
Fig. 2 is a schematic structural diagram of a bug fixing system according to another embodiment of the present invention. As shown in fig. 2, the bug fix system 200 (not shown in fig. 2) may include: WSUS server 210, CDN node 221, KV server 222, and client 230.
The workflow of the bug fix system 200 may be divided into a data publishing phase and a client updating phase, which will be described in detail below.
The data publishing phase is introduced first. In the data publishing phase, that is, when Microsoft updates its data, the vulnerability repair system synchronizes and processes the new data in time and then publishes the new data to users across the whole network in its own way. This is a "push" process. The data publishing phase can be divided into the stages of synchronizing update data, processing update data, publishing update data and backing up data.
(1) Synchronizing update data
In order to meet the requirement for timely obtaining microsoft cumulative update data, a standard WSUS server 210 needs to be set up, and the WSUS server 210 synchronously obtains description information of the cumulative update data for repairing the system program bugs from a microsoft cloud server periodically (for example, once every 30 minutes), wherein the cumulative update data includes a full platform scanning library, a quick experience package of patches, a complete package of patches, PSF files of patches, and the like, and the description information includes download addresses for downloading the cumulative update data.
(2) Processing update data
The WSUS server 210 downloads the accumulated updated data according to the download address in the description information. And then, extracting a full-platform scanning library containing one or more update patches from the accumulated update data, and splitting the full-platform scanning library according to the system platform to obtain the scanning libraries of all the platforms.
When the full-platform scanning library is split, a WsusUtil command can be called to extract the full-platform scanning library containing one or more update patches from accumulated update data, then an UpdateMake command is called to derive an update list of the patches of each platform from the full-platform scanning library according to the identification of each system platform, and then a WsusScan command is called to generate the scanning library of each platform according to the full-platform scanning library and the update list. The identification of each system platform herein may be, for example, win7, win8.1, win10, office, etc., and the invention is not limited thereto.
(3) Publishing update data
Once the data is ready, publishing can begin. The WSUS server 210 delivers the update files in the cumulative update data to the CDN node 221. The keys and index information (e.g., summary information, size, and the URL delivered to the CDN for downloading by the client 230) of these update files are then computed and pushed to the KV server 222 cluster to build the index. Then the PE files in the new update files are whitelisted. Finally, the scanning library of each platform is published through the specified channel.
(4) Data backup phase
After publishing is completed, important data needs to be backed up; mainly the computed index information and the scanning library of each platform need to be backed up, and a remote backup strategy should be adopted so that the data is also backed up on other servers.
The client update phase is introduced next. After data publishing is completed, the data is put to use: the client requests data from the KV server and the CDN node and updates the operating system or the application program with it. This phase may be divided into a scanning stage and an installation stage.
1) Scanning phase
When scanning is triggered manually by the user or by a background timer, the client 230 first updates the incremental scanning library liblean2_diff.dat; after the request succeeds it loads the latest version of the target scanning library that was published through the specified channel and matches the local system platform, then scans the local vulnerabilities according to the rules in the target scanning library to obtain a scanning result set of patches that are not installed on the local system, and selects the patches to be installed from the scanning result set.
Fig. 3 shows a schematic diagram of a scanning flow of the client 230, and as shown in fig. 3, the scanning flow of the client 230 may include the following steps S302 to S330.
Step S302, a target scanning library which is distributed through a specified channel and matched with a local system platform is loaded.
Step S304, enumerating all patches in the target scanning library to obtain an update list.
Step S306, determining whether the traversal of the update list is finished; if not, continue to step S308; if yes, go to step S330.
In step S308, a patch is taken out from the update list.
Step S310, judging whether the parent dependency of the patch passes the detection, if not, returning to execute the step S306; if yes, go on to step S312.
Step S312, enumerate all sub-patches of the patch to obtain a sub-update list, and continue to execute step S314.
Step S314, judging whether the traversal of the sub-update list is finished, if not, continuing to execute step S316; if yes, go to step S326.
In step S316, a sub-patch is retrieved from the sub-update list.
Step S318, judging whether the parent dependency of the sub patch passes the detection, if not, returning to execute the step S314; if yes, go on to step S320.
Step S320, determining whether the patch is already installed on the local system, if so, returning to step S314; if not, go to step S322.
Step S322, judging whether the patch is applicable, if not, returning to execute the step S314; if yes, go on to step S324.
In step S324, the sub-patch is added to the sub-update scan result set.
Step S326, determining whether the sub-update scanning result set is empty, if yes, returning to perform step S306; if not, the process continues to step S328.
Step S328, add the current patch to the updated scan result set, and continue to execute step S306.
In step S330, a scanning result set is obtained.
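The scan flow of steps S302 to S330 (outer traversal of the update list, parent-dependency check, sub-patch traversal with installed and applicability checks, and the sub-update result set deciding whether the patch is reported), as an added example that is not the patent's own code. The scan library format is not given on the page, so a constructed in-memory library is used, and "the parent dependency passes the detection" is modelled as "every identifier the patch depends on is already installed" (an assumption).

```python
"""Client scan flow (steps S302 to S330) as an added, stand-alone example.

Not the patent's own code. The scan library format is not given on the page, so a
constructed in-memory library is used; 'parent dependency passes the detection' is
modelled as 'every identifier the patch depends on is already installed' (assumption).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Patch:
    patch_id: str
    depends_on: FrozenSet[str] = frozenset()   # parent dependency (assumption, see above)
    applicable: bool = True                     # matches the local platform/edition
    sub_patches: tuple = ()                     # component sub-patches (tuple of Patch)


def parent_dependency_passes(patch: Patch, installed: FrozenSet[str]) -> bool:
    """Steps S310 / S318: the parent dependency is satisfied by the installed set."""
    return patch.depends_on <= installed


def scan(update_list: List[Patch], installed: FrozenSet[str]) -> Dict[str, List[str]]:
    """Steps S304 to S330.

    Returns the scan result set as {patch_id: [sub-patch ids that still need installing]}.
    A patch enters the result set only when its sub-update result set is non-empty
    (steps S326/S328).
    """
    result: Dict[str, List[str]] = {}
    for patch in update_list:                                 # S306/S308: traverse the list
        if not parent_dependency_passes(patch, installed):    # S310
            continue
        sub_result: List[str] = []                            # S312: sub-update list
        for sub in patch.sub_patches:                         # S314/S316
            if not parent_dependency_passes(sub, installed):  # S318
                continue
            if sub.patch_id in installed:                     # S320: already on the system
                continue
            if not sub.applicable:                            # S322: not applicable here
                continue
            sub_result.append(sub.patch_id)                   # S324
        if sub_result:                                        # S326
            result[patch.patch_id] = sub_result               # S328
    return result                                             # S330


# Constructed scan library for one platform (all identifiers are made up).
SCAN_LIBRARY: List[Patch] = [
    # One component is missing locally -> the patch is reported with that component.
    Patch("KB-A", sub_patches=(Patch("KB-A.kernel"), Patch("KB-A.shell"))),
    # Every component already installed -> empty sub result, not reported.
    Patch("KB-B", sub_patches=(Patch("KB-B.net"),)),
    # Parent dependency (a servicing stack) absent -> skipped entirely at S310.
    Patch("KB-C", depends_on=frozenset({"SSU-2017"}), sub_patches=(Patch("KB-C.core"),)),
    # Only component is for another edition -> not applicable, not reported.
    Patch("KB-D", sub_patches=(Patch("KB-D.enterprise", applicable=False),)),
]

# Constructed view of what the local system already has installed.
INSTALLED: FrozenSet[str] = frozenset({"KB-A.kernel", "KB-B.net"})


def scan_constructed_system() -> Dict[str, List[str]]:
    """Run the scan over the constructed library and installed set."""
    return scan(SCAN_LIBRARY, INSTALLED)


if __name__ == "__main__":
    for patch_id, subs in scan_constructed_system().items():
        print(f"{patch_id}: missing components {subs}")
```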
2) Stage of installation
After the scanning is completed, the user may select a patch to be installed from the scanning result set, and the installation process then starts. First, the key of the quick experience package (namely the update package corresponding to the patch to be installed) is calculated according to the target scanning library, and the key is used to request the index information of the quick experience package (such as its download URL (uniform resource locator) and verification information) from the KV server. When the KV server returns the index information of the quick experience package, the download URL of the quick experience package is extracted from it, the URL is used to request the quick experience package from the CDN node, and when the CDN returns the quick experience package, it is verified by using the verification information such as the digest in the index information. After the quick experience package passes verification, it is used to calculate the keys of the required delta update files; the keys are used to request the delta index information from the KV server, and after the KV server returns the delta index information, the download URL of each delta update file is extracted from it, the URL is used to request the delta update file from the CDN node, and after the CDN node returns the delta update file, it is verified by using the verification information such as the digest in the index information. After all the delta update files pass verification, a complete package is generated by combining the local files with the delta update files, and finally a specified interface is called to install the synthesized complete package.
Fig. 4 shows a schematic diagram of an installation flow of the client 230, and as shown in fig. 4, the installation flow of the client 230 may include the following steps S402 to S430.
Step S402, downloading the quick experience package.
Step S404, the quick experience package is decompressed to a temporary installation directory.
In this step, the temporary installation directory may be default or custom.
Step S406, enumerating all files ending with psf.cix.xml to obtain an xml file set.
Step S408, determining whether all files in the xml file set have been taken; if not, continue to step S410; if yes, go to step S424.
Step S410, one xml file in the set is taken out.
Step S412, enumerating all Files/file nodes in the xml file to obtain a file set.
Step S414, determining whether all files in the file set have been taken; if so, return to step S408; if not, go to step S416.
In step S416, a file in the collection is fetched.
Step S418, determining whether the file already exists among the winsxs historical versions; if so, go to step S420; if not, go to step S422.
Step S420, the file is copied to the temporary installation directory, and the process returns to step S414.
In step S422, the file relative path is written into the delta file list, and the process returns to step S414.
Step S424, determining whether the delta file list is empty, if yes, continuing to execute step S426; if not, the process continues to step S428.
In step S426, installation of the file in the temporary installation directory is started through the designated interface.
Step S428, the delta file package is requested from the CDN node according to the delta file list, and the process continues to step S430.
Step S430, after the delta file package is successfully downloaded, it is decompressed to the temporary installation directory, and the process continues to step S426.
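The installation flow of steps S404 to S430, and the delta-file-list determination described earlier for the alternative update files, as an added example that is not the patent's own code. The real psf.cix.xml schema is not given on the page, so a constructed XML with Files/File elements carrying a relative path in a `name` attribute is assumed; the decompressed quick experience package, the winsxs history, the temporary installation directory and the CDN node are modelled as in-memory dicts so that it runs offline.

```python
"""Client install flow (steps S404 to S430) as an added, stand-alone example.

Not the patent's own code. The psf.cix.xml schema is not on the page, so a constructed
XML with Files/File elements carrying a relative path is assumed. The quick experience
package, winsxs history, temporary installation directory and CDN node are dicts.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed content of a decompressed quick experience package (steps S402/S404).
QUICK_PACKAGE: Dict[str, bytes] = {
    "kernel.psf.cix.xml": b"""<?xml version="1.0"?>
<Container>
  <Files>
    <File name="amd64_kernel_v2/ntoskrnl.exe"/>
    <File name="amd64_kernel_v2/hal.dll"/>
  </Files>
</Container>""",
    "shell.psf.cix.xml": b"""<?xml version="1.0"?>
<Container>
  <Files>
    <File name="amd64_shell_v2/explorer.exe"/>
  </Files>
</Container>""",
    "update.mum": b"<mum/>",   # not a psf.cix.xml manifest; S406 must skip it
}

# Constructed winsxs history: files of earlier component versions already on the system.
WINSXS_HISTORY: Dict[str, bytes] = {
    "amd64_kernel_v2/hal.dll": b"HAL-v2",
    "amd64_kernel_v1/ntoskrnl.exe": b"KERNEL-v1",   # older version, does not satisfy v2
}

# Constructed delta file package the CDN node returns for the delta file list (S428).
CDN_DELTA_PACKAGE: Dict[str, bytes] = {
    "amd64_kernel_v2/ntoskrnl.exe": b"KERNEL-v2",
    "amd64_shell_v2/explorer.exe": b"EXPLORER-v2",
}


def enumerate_file_nodes(manifest_xml: bytes) -> List[str]:
    """Step S412: relative paths of all Files/File nodes in one psf.cix.xml."""
    root = ET.fromstring(manifest_xml)
    return [node.attrib["name"] for node in root.findall("./Files/File")]


def build_delta_list(package: Dict[str, bytes],
                     winsxs: Dict[str, bytes]) -> Tuple[Dict[str, bytes], List[str]]:
    """Steps S406 to S422.

    Returns (temporary installation directory, delta file list). A file already present
    in the winsxs history is copied into the temporary directory (S420); any other file
    is written to the delta file list by its relative path (S422).
    """
    temp_dir: Dict[str, bytes] = {}
    delta_list: List[str] = []
    manifests = [n for n in package if n.endswith("psf.cix.xml")]    # S406
    for manifest in manifests:                                          # S408/S410
        for rel_path in enumerate_file_nodes(package[manifest]):       # S412 to S416
            if rel_path in winsxs:                                      # S418
                temp_dir[rel_path] = winsxs[rel_path]                   # S420
            else:
                delta_list.append(rel_path)                             # S422
    return temp_dir, delta_list


def fetch_delta_package(delta_list: List[str], cdn: Dict[str, bytes]) -> Dict[str, bytes]:
    """Step S428 (simulated): request exactly the files in the delta list from the CDN."""
    missing = [p for p in delta_list if p not in cdn]
    if missing:
        raise FileNotFoundError(f"CDN node has no delta for: {missing}")
    return {p: cdn[p] for p in delta_list}


def assemble_install_dir(package: Dict[str, bytes], winsxs: Dict[str, bytes],
                         cdn: Dict[str, bytes]) -> Tuple[Dict[str, bytes], List[str]]:
    """Steps S404 to S430: fill the temporary installation directory completely.

    Returns the directory ready for the install interface (S426) and the delta file list
    that had to be downloaded, so the saved traffic is visible.
    """
    temp_dir, delta_list = build_delta_list(package, winsxs)
    if delta_list:                                                      # S424
        temp_dir.update(fetch_delta_package(delta_list, cdn))           # S428/S430
    return temp_dir, delta_list


if __name__ == "__main__":
    directory, downloaded = assemble_install_dir(QUICK_PACKAGE, WINSXS_HISTORY, CDN_DELTA_PACKAGE)
    print("downloaded from CDN:", downloaded)
    print("temporary installation directory:", sorted(directory))
```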
The core idea of the bug fixing system provided by the embodiment of the invention is the "dispersed release of cumulative update data": the current system environment of the user terminal is scanned by using the scanning library of its platform so as to work out the binary differences (fragment files) of all files to be updated, the required fragment files are then downloaded from the server to the local system, and finally the fragment files and the local files are used to synthesize the required complete package for installation, so as to fix the bugs existing on the user terminal. This differential update and release mechanism can reduce download traffic by more than 80 percent and can fundamentally solve the problems of the existing implementation scheme.
In addition, compared with a self-contained windows update mechanism of a windows system, the vulnerability repair system provided by the embodiment of the invention has the following advantages.
First, for objective reasons, it is slow for ordinary domestic users to access Microsoft's official servers directly, which results in very slow, even unacceptable, scanning and downloading speeds for Windows Update. In contrast, the servers in the embodiment of the invention are all located in China, so this problem does not exist, and combined with CDN and P2P acceleration the data downloading speed is far superior to that of Microsoft's Windows Update.
Secondly, because of bandwidth limitations, Microsoft adopts a bandwidth-optimized update mechanism based on BITS (Background Intelligent Transfer Service), so that Windows Update can only update silently in the background in a time-sharing way, which inevitably delays updates. In contrast, the vulnerability repair system provided by the embodiment of the invention can be started and can update at any time, and can be used to patch domestic users on a large scale. Therefore, although the cumulative update data in the bug fixing system provided by the embodiment of the invention comes from Microsoft, the user can obtain the updates earlier than through Microsoft's Windows Update.
Third, Microsoft's update mechanism is now becoming increasingly difficult to use, mainly because of its mandatory, uncontrollable nature, which is a great nuisance to users. In contrast, the vulnerability repair system provided by the embodiment of the invention can work entirely under the intervention of the user, is completely controllable by the user, and its advantages in user experience are very obvious.
Based on the same inventive concept, the embodiment of the invention also provides a vulnerability repairing method applied to the data publishing server. Fig. 5 is a flowchart illustrating a vulnerability fixing method applied to a data distribution server according to an embodiment of the present invention. As shown in fig. 5, the method may include at least the following steps S502 to S506.
Step S502, synchronously acquiring accumulated updating data for repairing the program bug from the program provider according to a specified time period.
Step S504, a full platform scanning library containing one or more updating patches is extracted from the accumulated updating data, and the full platform scanning library is split according to the system platform to obtain the scanning libraries of all the platforms.
Step S506, the update file in the accumulated update data is published to the file server, and the scan libraries of each platform are published through the designated channel.
In the embodiment of the invention, the data release server synchronously acquires the accumulated update data from the program provider according to the specified time period, and processes and releases the accumulated update data, so that the client does not need to acquire and process the accumulated update data from the program provider when bug fixing is carried out, but directly acquires the update file from the issued file server, and the bug fixing efficiency can be improved. And the data publishing server splits the full-platform scanning library according to the system platform to obtain the scanning libraries of each platform, so that the client directly loads the scanning libraries matched with the system platform of the client when the bug fixing is carried out, the scanning efficiency can be improved, and the effectiveness of the bug fixing can be improved.
In step S502, when the accumulated update data is synchronized, an optional scheme is provided in the embodiments of the present invention, in the scheme, description information of the accumulated update data used for repairing the bug of the program may be synchronously obtained from the program provider according to a specified time period, where the description information includes a download address for downloading the accumulated update data; and then downloading according to the download address in the description information to obtain the accumulated updating data.
When the full-platform scan library is split in step S504, an optional solution is provided in the embodiments of the present invention, that is, a first command may be invoked to extract the full-platform scan library including one or more update patches from the accumulated update data, a second command is then invoked to derive an update list of patches of each platform from the full-platform scan library according to the identifier of each system platform, and a third command is then invoked to generate a scan library of each platform according to the full-platform scan library and the update list. The identification of each system platform herein may be, for example, win7, win8.1, win10, office, etc., and the invention is not limited thereto.
In an optional embodiment of the present invention, the file server may include a plurality of CDN nodes and a KV server, and the step S506 above issues the update file in the accumulated update data to the file server, where the update file may be uploaded to the CDN issue server and synchronized to each CDN node.
Based on the same inventive concept, the embodiment of the invention also provides a vulnerability fixing method applied to the file server. FIG. 6 is a flowchart illustrating a vulnerability fixing method applied to a file server according to an embodiment of the present invention. As shown in fig. 6, the method may include at least the following steps S602 to S604.
Step S602, the update file is synchronized from the data distribution server.
Step S604, acquiring the identifier of the update file and the address information of the file server where the update file is located, and establishing an index containing the identifier and the address information of the update file.
In the embodiment of the invention, the data release server synchronously acquires the accumulated update data from the program provider according to the specified time period, and processes and releases the accumulated update data, so that the client does not need to acquire and process the accumulated update data from the program provider when bug fixing is carried out, but directly acquires the update file from the issued file server, and the bug fixing efficiency can be improved.
In an optional embodiment of the present invention, the file server may include a plurality of CDN nodes and a KV server, and each CDN node updates the file synchronously, and the KV server obtains an identifier of the update file and address information of each CDN node where the update file is located, and establishes an index of the update file that includes the identifier and the address information. The index may be in the form of key-value, the identifier in the index may be a key, and the address information may be a value. In an optional embodiment, the index may further include index information such as summary information, size, release time, and check information of the update file, and these index information may be used as value.
Based on the same inventive concept, the embodiment of the invention also provides a vulnerability fixing method applied to the client. Fig. 7 is a flowchart illustrating a bug fixing method applied to a client according to an embodiment of the present invention. As shown in fig. 7, the method may include at least the following steps S702 to S706.
Step S702, when a trigger event of bug fixing is received, a target scanning library which is distributed by the data distribution server through a specified channel and is matched with the local system platform is loaded.
Step S704, the target scanning library is used for scanning the local vulnerability to obtain the identification of the updated file to be installed.
Step S706, the updated file to be installed is obtained from the file server by using the identifier of the updated file to be installed, and then the updated file to be installed is used for repairing the local vulnerability.
In the embodiment of the invention, the data release server synchronously acquires the accumulated update data from the program provider according to the specified time period and processes and releases the accumulated update data, so that the client does not need to acquire and process the accumulated update data from the program provider when bug fixing is carried out, but directly acquires the update file from the issued file server, and the bug fixing efficiency can be improved. In addition, the data publishing server splits the full-platform scanning library according to the system platforms to obtain the scanning libraries of each platform, so that the client directly loads the scanning libraries matched with the system platforms of the client when bug fixing is carried out, the scanning efficiency can be improved, and the effectiveness of bug fixing is improved.
In an optional embodiment of the present invention, the identifier of the update file corresponding to each patch is recorded in the scanning library of each platform, so that in step S704, when the target scanning library is used to scan the local vulnerability, a scanning result set of the patches that are not installed on the local system may be determined, then the patches to be installed are selected from the scanning result set, and then the identifier of the update file to be installed corresponding to the patches to be installed is determined according to the identifier of the update file corresponding to each patch recorded in the target scanning library.
Furthermore, the embodiment of the present invention may enumerate all patches in the target scanning library to obtain an update list, then traverse the update list, and determine whether each patch has been installed on the local system, if not, add the patch to the scanning result set; if so, continuing to select the next patch from the update list, and judging whether the next patch is installed on the local system, and so on. In addition, before traversing the update list and judging whether each patch is installed on the local system, whether the parent dependency of each patch passes the detection can be judged, and if yes, whether each patch is installed on the local system is judged; if not, continuing to select the next patch from the update list, and judging whether the parent dependency of the next patch passes the detection, and so on.
In an optional embodiment of the present invention, in order to reduce download traffic and improve bug fix efficiency, the embodiment of the present invention implements downloading of the differential update file, merges the differential update file with an existing file of the system, and then performs quick installation, thereby implementing bug fix. Specifically, the embodiment of the present invention may determine, according to the identifier of the update file corresponding to each patch recorded in the target scan library, the identifier of the alternative update file corresponding to the patch to be installed, and further determine, according to the identifier of the alternative update file, the identifier of the update file to be installed. Here, the candidate update files may be all update files corresponding to the patches to be installed, and the update files to be installed are delta update files, and how to determine the identifiers of the candidate update files and the identifiers of the update files to be installed will be described below.
First, a scheme for determining the identifier of an alternative update file is introduced. Here the update file comprises an update package in which the identifiers of the alternative update files are recorded. The client determines the identifier of the target update package corresponding to the patch to be installed according to the identifier of the update package corresponding to each patch recorded in the target scanning library; then obtains the address information of the target update package from the KV server by using the identifier of the target update package; further downloads the target update package from the corresponding CDN node by using that address information; and then decompresses the target update package to obtain the identifiers of the alternative update files.
Then, a scheme for determining an identifier of an update file to be installed is introduced, that is, according to the identifier of the alternative update file, the embodiment of the present invention determines whether the alternative update file already exists on the local system; if not, writing the identifier of the alternative update file into a differential file list, and taking the identifier of the file in the differential file list as the identifier of the update file to be installed; if yes, copying the alternative update file on the local system to the temporary installation directory.
After the identifier of the update file to be installed is determined, the embodiment of the invention can acquire the address information of the update file to be installed from the KV server by using the identifier of the update file to be installed, and further download the update file to be installed from the corresponding CDN node by using the address information of the update file to be installed. And copying the downloaded update file to be installed to a temporary installation directory, and installing the file in the temporary installation directory to repair the local vulnerability.
In an optional embodiment, in order to ensure the validity of the update file to be installed, the update file to be installed may be verified. Specifically, index information of the update file to be installed, which includes verification information of the update file, may be obtained from the KV server by using the identifier of the update file to be installed; the downloaded update file to be installed is then verified by using the verification information, and only after the verification is passed is the update file to be installed copied to the temporary installation directory.
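The key-value index of the file server described for step S604 (identifier as key; address information, summary information, size, release time and check information as value) together with the client-side verification just described, as an added example that is not the patent's own code. The page gives no concrete index format or digest algorithm, so dicts and SHA-256 are assumed, the file contents are constructed, and the CDN node addresses are placeholders served from in-memory dicts so the example runs offline.

```python
"""KV index construction and client-side verification, as an added example.

Not the patent's own code. The page describes the index as key-value with the update file
identifier as key and address information plus summary (digest), size, release time and
check information as value, but gives no concrete format; dicts are used here, SHA-256 is
assumed as the digest, and the CDN nodes are modelled as dicts so the example runs offline.
"""
import hashlib
from typing import Dict, List, Optional

# Constructed update files as published by the data publishing server (identifiers made up).
PUBLISHED_FILES: Dict[str, bytes] = {
    "kb-a-delta-kernel": b"KERNEL-v2-delta-bytes",
    "kb-a-delta-shell": b"EXPLORER-v2-delta-bytes",
}
# Placeholder CDN node addresses (not real hosts).
CDN_NODES: List[str] = ["cdn-north.example", "cdn-south.example"]


def build_kv_index(files: Dict[str, bytes], cdn_nodes: List[str],
                   release_time: str) -> Dict[str, dict]:
    """Publishing step (3) / step S604: build identifier -> index information."""
    index: Dict[str, dict] = {}
    for identifier, content in files.items():
        index[identifier] = {
            "urls": [f"https://{node}/update/{identifier}" for node in cdn_nodes],
            "size": len(content),
            "sha256": hashlib.sha256(content).hexdigest(),   # summary / check information
            "release_time": release_time,
        }
    return index


def verify_download(entry: dict, data: bytes) -> bool:
    """Client side: the downloaded bytes must match both size and digest from the index."""
    if len(data) != entry["size"]:
        return False
    return hashlib.sha256(data).hexdigest() == entry["sha256"]


def download_and_verify(identifier: str, kv_index: Dict[str, dict],
                        cdn_contents: Dict[str, Dict[str, bytes]]) -> Optional[bytes]:
    """Client install phase: index request, CDN download, verification.

    Tries the URLs in the index entry in order and returns the first response that passes
    verification; returns None when the identifier is unknown or no node serves a valid
    copy. Only bytes returned here may be copied into the temporary installation directory.
    """
    entry = kv_index.get(identifier)
    if entry is None:
        return None
    for url in entry["urls"]:
        node = url.split("/")[2]                               # host part of the URL
        data = cdn_contents.get(node, {}).get(identifier)      # simulated HTTP GET
        if data is not None and verify_download(entry, data):
            return data
    return None


def run_constructed_scenario() -> Dict[str, Optional[bytes]]:
    """Two CDN nodes hold the published files; one serves a corrupted copy of one file."""
    kv_index = build_kv_index(PUBLISHED_FILES, CDN_NODES, "2017-01-01T00:00:00Z")
    cdn_contents = {node: dict(PUBLISHED_FILES) for node in CDN_NODES}
    # Constructed fault: same length as the genuine file, so only the digest catches it.
    cdn_contents["cdn-north.example"]["kb-a-delta-kernel"] = b"KERNEL-v2-XXXXX-bytes"
    return {
        identifier: download_and_verify(identifier, kv_index, cdn_contents)
        for identifier in ("kb-a-delta-kernel", "kb-a-delta-shell", "unknown-id")
    }


if __name__ == "__main__":
    for identifier, data in run_constructed_scenario().items():
        print(identifier, "->", "verified" if data is not None else "rejected")
```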
Based on the same inventive concept, the embodiment of the invention also provides a data publishing server. Fig. 8 is a schematic structural diagram of a data distribution server according to an embodiment of the present invention. As shown in fig. 8, the data distribution server may include: a first synchronization module 810, a first processing module 820, and a publication module 830.
A first synchronization module 810 adapted to synchronously obtain accumulated update data for repairing the program bug from the program provider according to a specified time period;
a first processing module 820, coupled to the first synchronization module 810, adapted to extract a full-platform scan library including one or more update patches from the accumulated update data, and split the full-platform scan library according to a system platform to obtain a scan library of each platform;
the publishing module 830, coupled to the first processing module 820, is adapted to publish the update file in the accumulated update data to the file server and publish the scan libraries of the platforms through a specified channel.
In an embodiment of the present invention, the file server includes a plurality of content delivery network (CDN) nodes, and the publishing module 830 is further adapted to:
and uploading the update file to a CDN delivery server and synchronizing the update file to each CDN node.
In an embodiment of the present invention, the first synchronization module 810 is further adapted to:
synchronously acquiring description information of accumulated updating data for repairing the program bug from a program provider according to a specified time period, wherein the description information comprises a downloading address for downloading the accumulated updating data;
and downloading according to the download address in the description information to obtain the accumulated updating data.
In an embodiment of the present invention, the first processing module 820 is further adapted to:
invoking a first command to extract a full platform scan library containing one or more update patches from the cumulative update data;
calling a second command to derive an update list of patches of each platform from the full platform scanning library according to the identification of each system platform;
and calling a third command to generate the scanning library of each platform according to the full-platform scanning library and the update list.
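The three steps of the first processing module 820 (extract the full-platform scan library, derive each platform's update list, generate each platform's scan library), as an added example that is not code from the patent or its assignee. The record layout of the accumulated update data, the platform identifiers, the patch and file names, and the publisher-side parent-dependency check are all assumptions made for this example; the page only says the three commands exist, not what format they operate on.

```python
from __future__ import annotations

import json

# Constructed stand-in for the accumulated update data the data publishing
# server synchronizes from the program provider. The record layout
# (patch_id, platforms, parent, update_files) is an assumption of this
# example; the page does not describe a concrete format.
CUMULATIVE_UPDATE_DATA = json.dumps({
    "patches": [
        {"patch_id": "KB-A", "platforms": ["win7-x64", "win10-x64"],
         "parent": None, "update_files": ["a.msu"]},
        {"patch_id": "KB-B", "platforms": ["win10-x64"],
         "parent": "KB-A", "update_files": ["b.cab", "b-lang.cab"]},
        {"patch_id": "KB-C", "platforms": ["win7-x64"],
         "parent": "KB-A", "update_files": ["c.msu"]},
        # Parent KB-B is not published for win7-x64, so this patch can
        # never pass the client's parent-dependency check on that platform.
        {"patch_id": "KB-D", "platforms": ["win7-x64"],
         "parent": "KB-B", "update_files": ["d.msu"]},
    ]
})


def extract_full_library(cumulative_update_data: str) -> list[dict]:
    """Stand-in for the 'first command': the full-platform scan library,
    i.e. every patch contained in the accumulated update data."""
    return json.loads(cumulative_update_data)["patches"]


def derive_update_list(full_library: list[dict], platform_id: str) -> list[str]:
    """Stand-in for the 'second command': the update list of one platform,
    selected by the system platform identifier."""
    return [p["patch_id"] for p in full_library if platform_id in p["platforms"]]


def generate_platform_library(full_library: list[dict], update_list: list[str]) -> dict[str, dict]:
    """Stand-in for the 'third command': the per-platform scan library,
    keyed by patch identifier and recording each patch's parent dependency
    and update file identifiers (the page says the library records the
    update file identifier of each patch)."""
    wanted = set(update_list)
    return {p["patch_id"]: {"parent": p["parent"], "update_files": list(p["update_files"])}
            for p in full_library if p["patch_id"] in wanted}


def unresolved_parents(library: dict[str, dict]) -> list[str]:
    """Patches whose parent dependency is missing from the same platform
    library. A publisher-side check (an assumption of this example): such a
    patch would be skipped by every client scan, so the gap should be caught
    before the library is released through the specified channel."""
    return sorted(pid for pid, rec in library.items()
                  if rec["parent"] is not None and rec["parent"] not in library)


def split_by_platform(full_library: list[dict]) -> dict[str, dict[str, dict]]:
    """Split the full-platform library into one scan library per platform."""
    platforms = sorted({plat for p in full_library for plat in p["platforms"]})
    return {plat: generate_platform_library(full_library, derive_update_list(full_library, plat))
            for plat in platforms}
```

Splitting by platform is what lets the client load only the library that matches its own system, but the split can silently drop a patch's parent if the parent is not published for that platform; `unresolved_parents` is the check a publisher would run on each generated library before release.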
Based on the same inventive concept, the embodiment of the invention also provides a file server. Fig. 9 is a schematic structural diagram of a file server according to an embodiment of the present invention. As shown in fig. 9, the file server may include: a second synchronization module 910 and a second processing module 920.
A second synchronization module 910 adapted to synchronize the update files from the data distribution server;
the second processing module 920 is coupled to the second synchronization module 910, and is adapted to obtain an identifier of the update file and address information of the file server where the update file is located, and establish an index of the update file, where the index includes the identifier and the address information.
In an embodiment of the present invention, the file server includes a plurality of content delivery network CDN nodes and a KV server;
the second synchronization module 910 is further adapted to synchronize the update files by each CDN node;
the second processing module 920 is further adapted to obtain, by the KV server, an identifier of the update file and address information of each CDN node where the update file is located, and establish an index of the update file that includes the identifier and the address information.
Based on the same inventive concept, the embodiment of the invention also provides the client. Fig. 10 shows a schematic structural diagram of a client according to an embodiment of the present invention. As shown in fig. 10, the client may include: a loading module 1010, a scanning module 1020, and a bug fixing module 1030.
The loading module 1010 is suitable for loading a target scanning library which is released by the data release server through a specified channel and matched with a local system platform when a trigger event of bug fixing is received;
the scanning module 1020 is coupled with the loading module 1010 and is suitable for scanning the local vulnerability by using the target scanning library to obtain an identifier of the updated file to be installed;
and the vulnerability repairing module 1030 is coupled with the scanning module 1020 and is adapted to acquire the update file to be installed from the file server by using the identifier of the update file to be installed, and then repair the local vulnerability by using the update file to be installed.
In an embodiment of the present invention, the target scan library records an identifier of an update file corresponding to each patch, and the scan module 1020 is further adapted to:
scanning the local vulnerability by using the target scanning library to obtain a scanning result set of the patch which is not installed on the local system;
selecting patches to be installed from the scanning result set;
and determining the identifier of the update file to be installed corresponding to the patch to be installed according to the identifier of the update file corresponding to each patch recorded in the target scanning library.
In an embodiment of the present invention, the scanning module 1020 is further adapted to:
enumerating all patches in the target scanning library to obtain an update list;
and traversing the update list, judging whether each patch is installed on a local system, and if not, adding the patch to the scanning result set.
In an embodiment of the present invention, the scanning module 1020 is further adapted to:
and before traversing the update list and judging whether each patch is installed on the local system, judging whether the parent dependency of each patch passes the detection, and if so, judging whether each patch is installed on the local system.
In an embodiment of the present invention, the scanning module 1020 is further adapted to:
and if the parent dependency of a certain patch does not pass the detection, taking the next patch from the update list and judging whether the parent dependency of the next patch passes the detection.
In an embodiment of the present invention, the scanning module 1020 is further adapted to:
determining the identifier of the alternative update file corresponding to the patch to be installed according to the identifier of the update file corresponding to each patch recorded in the target scanning library;
and determining the identifier of the update file to be installed according to the identifier of the alternative update file.
In an embodiment of the present invention, the file server includes a plurality of content delivery network (CDN) nodes and a KV server; each CDN node synchronizes the update file, the KV server establishes an index containing the identifier and address information of the update file, and the scanning module 1020 is further adapted to:
when the update file comprises an update package, determining an identifier of a target update package corresponding to the patch to be installed according to the identifier of the update package corresponding to each patch recorded in the target scanning library;
acquiring address information of the target update package from the KV server by using the identifier of the target update package;
downloading the target update package from a corresponding CDN node by using the address information of the target update package;
and decompressing the target update package to obtain the identifier of the alternative update file.
In an embodiment of the present invention, the scanning module 1020 is further adapted to:
judging whether the alternative update file exists on a local system or not according to the identifier of the alternative update file;
if not, writing the identifier of the alternative update file into a differential file list, and taking the identifier of the file in the differential file list as the identifier of the update file to be installed;
if yes, copying the alternative update file on the local system to the temporary installation directory.
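The client-side scan of the scanning module 1020, covering the enumeration and traversal of the update list with the parent-dependency check, the mapping from patches to alternative update file identifiers, and the differential file list described earlier in this section, as an added example that is not code from the patent or its assignee. The scan library layout, the patch and file names, and the meaning given to "parent dependency passes the detection" (the patch has no parent, or its parent is already installed) are assumptions made for this example; the copy to the temporary installation directory is represented by a list of reusable local files rather than a real copy.

```python
from __future__ import annotations

# Constructed per-platform scan library, as loaded by the client: patch
# identifier -> parent dependency and the update file identifiers recorded
# for that patch. The layout is an assumption of this example.
TARGET_SCAN_LIBRARY = {
    "KB-A": {"parent": None,   "update_files": ["a.msu"]},
    "KB-B": {"parent": "KB-A", "update_files": ["b.cab", "b-lang.cab"]},
    "KB-C": {"parent": "KB-A", "update_files": ["c.msu"]},
    "KB-D": {"parent": "KB-Z", "update_files": ["d.msu"]},  # parent is not in the library
}


def parent_passes(library: dict, patch_id: str, installed: set[str]) -> bool:
    """Assumption: a patch's parent dependency 'passes detection' when the
    patch has no parent or the parent patch is already installed locally."""
    parent = library[patch_id]["parent"]
    return parent is None or parent in installed


def scan_missing_patches(library: dict, installed: set[str]) -> list[str]:
    """Enumerate the library into an update list, then traverse it: a patch
    whose parent dependency fails is skipped and the next patch is taken;
    a patch whose parent passes but which is not installed joins the
    scanning result set."""
    update_list = list(library)
    result_set: list[str] = []
    for patch_id in update_list:
        if not parent_passes(library, patch_id, installed):
            continue
        if patch_id not in installed:
            result_set.append(patch_id)
    return result_set


def alternative_update_files(library: dict, patches_to_install: list[str]) -> list[str]:
    """Map the selected patches to the identifiers of their alternative
    update files, preserving order and dropping duplicates."""
    files: list[str] = []
    for patch_id in patches_to_install:
        for file_id in library[patch_id]["update_files"]:
            if file_id not in files:
                files.append(file_id)
    return files


def differential_file_list(alternative_files: list[str],
                           local_files: set[str]) -> tuple[list[str], list[str]]:
    """Split the alternative files into the differential file list (absent
    locally, so they become the update files to download) and the files
    already present (copied straight into the temporary installation dir)."""
    to_download: list[str] = []
    reuse_local: list[str] = []
    for file_id in alternative_files:
        (reuse_local if file_id in local_files else to_download).append(file_id)
    return to_download, reuse_local


def plan_fix(library: dict, installed: set[str], local_files: set[str]) -> dict:
    """One scan pass: which patches are missing, which files must be fetched
    from the file server, and which can be reused from the local system.
    Here every patch in the result set is selected for installation."""
    missing = scan_missing_patches(library, installed)
    candidates = alternative_update_files(library, missing)
    to_download, reuse_local = differential_file_list(candidates, local_files)
    return {"patches": missing, "download": to_download, "reuse": reuse_local}
```

Because a patch is only considered once its parent dependency passes, a client with nothing installed sees only the root patches on the first pass; child patches surface on the next scan after their parents are installed, which is why the trigger event is expected to run the scan repeatedly rather than once.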
In an embodiment of the present invention, the bug fix module 1030 is further adapted to:
acquiring address information of the update file to be installed from the KV server by using the identifier of the update file to be installed;
and downloading the update file to be installed from the corresponding CDN node by using the address information of the update file to be installed.
In an embodiment of the present invention, the bug fix module 1030 is further adapted to:
copying the downloaded update file to be installed to the temporary installation directory;
and installing the files in the temporary installation directory to repair the local vulnerability.
In an embodiment of the present invention, the bug fix module 1030 is further adapted to:
acquiring index information of the update file to be installed, which contains verification information of the update file, from the KV server by using the identifier of the update file to be installed;
and verifying the downloaded update file to be installed by using the verification information, and copying the update file to be installed to the temporary installation directory only after the verification is passed.
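The download-and-verify path of the bug fix module 1030 (and of the optional verification embodiment described earlier in this section), as an added example that is not code from the patent or its assignee. The KV index and CDN nodes are in-memory dictionaries constructed for the example; the use of a SHA-256 digest as the "verification information", the size check, and the fallback to the next CDN node listed in the index when a copy fails verification are assumptions made here, not details given on the page.

```python
from __future__ import annotations

import hashlib
import os
import tempfile

GOOD_PAYLOAD = b"constructed update file payload for b.cab"
TAMPERED_PAYLOAD = b"constructed update file payload for b.cab, altered"

# Constructed stand-in for the CDN nodes: node address -> {file id -> bytes}.
CDN_NODES = {
    "cdn-1.example": {"b.cab": GOOD_PAYLOAD},
    "cdn-2.example": {"b.cab": TAMPERED_PAYLOAD},
}

# Constructed stand-in for the KV server index. The page lists summary
# information, size, release time and verification information as index
# fields; using a SHA-256 digest as the verification information is an
# assumption of this example.
KV_INDEX = {
    "b.cab": {
        "address": ["cdn-1.example", "cdn-2.example"],
        "summary": "constructed sample update file",
        "size": len(GOOD_PAYLOAD),
        "release_time": "2017-01-01",
        "sha256": hashlib.sha256(GOOD_PAYLOAD).hexdigest(),
    }
}


def verify_update_file(data: bytes, index_entry: dict) -> bool:
    """Check the downloaded bytes against the index: size first (cheap),
    then the digest recorded by the KV server."""
    if len(data) != index_entry["size"]:
        return False
    return hashlib.sha256(data).hexdigest() == index_entry["sha256"]


def _download_verified(file_id: str, index_entry: dict, cdn_nodes: dict,
                       temp_install_dir: str) -> bool:
    """Try the CDN nodes named in the index in order; only a copy that passes
    verification is written into the temporary installation directory.
    Falling back to the next node is an assumption of this example."""
    for node in index_entry["address"]:
        data = cdn_nodes.get(node, {}).get(file_id)
        if data is None or not verify_update_file(data, index_entry):
            continue
        with open(os.path.join(temp_install_dir, file_id), "wb") as fh:
            fh.write(data)
        return True
    return False


def stage_update_files(file_ids: list[str], kv_index: dict, cdn_nodes: dict,
                       temp_install_dir: str | None = None) -> tuple[str, dict[str, bool]]:
    """Fetch each update file to be installed by its identifier and stage the
    verified copies. Returns the directory and a per-file success map; a file
    absent from the index, or one that never verifies, is simply not staged."""
    temp_install_dir = temp_install_dir or tempfile.mkdtemp(prefix="vuln-fix-")
    staged: dict[str, bool] = {}
    for file_id in file_ids:
        entry = kv_index.get(file_id)
        staged[file_id] = bool(entry) and _download_verified(file_id, entry, cdn_nodes, temp_install_dir)
    return temp_install_dir, staged


def staged_contents(temp_install_dir: str) -> dict[str, bytes]:
    """Read back what was staged, so a caller can confirm that only verified
    files reached the temporary installation directory."""
    out: dict[str, bytes] = {}
    for name in sorted(os.listdir(temp_install_dir)):
        with open(os.path.join(temp_install_dir, name), "rb") as fh:
            out[name] = fh.read()
    return out
```

The point of keeping the verification information in the KV index rather than beside the file on the CDN is that a node serving a modified copy cannot also supply a matching digest; the staging directory therefore only ever receives bytes that matched what the publisher indexed.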
According to any one or a combination of multiple optional embodiments, the embodiment of the present invention can achieve the following advantages:
the embodiment of the invention provides a bug fixing system comprising a data issuing server, a file server and a client. The data issuing server synchronously acquires accumulated update data for fixing a bug of a program from a program provider according to a specified time period; extracts a full-platform scanning library containing one or more update patches from the accumulated update data, and splits the full-platform scanning library according to the system platform to obtain the scanning library of each platform; and issues the update files in the accumulated update data to the file server and the scanning libraries of all platforms through a specified channel. The file server synchronizes the update file, acquires the identifier of the update file and the address information of the file server where the update file is located, and establishes an index containing the identifier and the address information of the update file. When the client receives a trigger event of vulnerability repair, it loads the target scanning library which was issued through the specified channel and matches the local system platform, scans the local vulnerability by using the target scanning library to obtain the identifier of the update file to be installed, acquires the update file to be installed from the file server by using that identifier, and repairs the local vulnerability by using the update file to be installed. Because the data release server synchronously acquires the accumulated update data from the program provider according to the specified time period and processes and releases it, the client does not need to acquire and process the accumulated update data from the program provider when bug fixing is performed, but directly acquires the update file from the file server to which it was released, so the bug fixing efficiency can be improved.
And the data publishing server splits the full-platform scanning library according to the system platform to obtain the scanning libraries of each platform, so that the client directly loads the scanning libraries matched with the system platform of the client when the bug fixing is carried out, the scanning efficiency can be improved, and the effectiveness of the bug fixing can be improved.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components in the bug fix system and device according to embodiments of the invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names.
Thus, it should be appreciated by those skilled in the art that while a number of exemplary embodiments of the invention have been illustrated and described in detail herein, many other variations or modifications consistent with the principles of the invention may be directly determined or derived from the disclosure of the present invention without departing from the spirit and scope of the invention. Accordingly, the scope of the invention should be understood and interpreted to cover all such other variations or modifications.
According to an aspect of the embodiments of the present invention, A1, a vulnerability repair system, is provided, where the system includes a data release server, a file server and a client;
the data release server is suitable for synchronously acquiring accumulated updating data for repairing the program bugs from a program provider according to a specified time period; extracting a full-platform scanning library containing one or more update patches from the accumulated update data, and splitting the full-platform scanning library according to a system platform to obtain scanning libraries of all platforms; issuing the update files in the accumulated update data to the file server, and issuing the scan libraries of each platform through a specified channel;
the file server is suitable for synchronizing the update file, acquiring the identifier of the update file and the address information of the file server where the update file is located, and establishing an index containing the identifier and the address information of the update file;
the client is suitable for loading a target scanning library which is issued through the specified channel and matched with a local system platform when a trigger event of vulnerability repair is received, and scanning the local vulnerability by using the target scanning library to obtain an identifier of an updated file to be installed; and acquiring the updated file to be installed from the file server by using the identifier of the updated file to be installed, and repairing the local vulnerability by using the updated file to be installed.
A2, the vulnerability repair system according to A1, wherein the file server comprises a plurality of content delivery network (CDN) nodes and a KV server;
each CDN node is suitable for synchronizing the update files;
the KV server is suitable for acquiring the identification of the updated file and the address information of each CDN node where the updated file is located, and establishing an index containing the identification and the address information of the updated file.
A3, the vulnerability repair system according to A2, wherein the index further includes index information of at least one of the following:
the summary information, size, release time and verification information of the update file.
A4, the vulnerability repair system according to A2 or A3, wherein the data publishing server is further adapted to:
and uploading the update file to a CDN delivery server and synchronizing the update file to each CDN node.
A5, the vulnerability repair system according to any of A1-A4, wherein the data publishing server is further adapted to:
synchronously acquiring description information of accumulated updating data for repairing the program bug from a program provider according to a specified time period, wherein the description information comprises a downloading address for downloading the accumulated updating data;
and downloading according to the download address in the description information to obtain the accumulated updating data.
A6, the vulnerability repair system according to any of A1-A5, wherein the data publishing server is further adapted to:
invoking a first command to extract a full platform scan library containing one or more update patches from the cumulative update data;
calling a second command to derive an update list of patches of each platform from the full platform scanning library according to the identification of each system platform;
and calling a third command to generate the scanning library of each platform according to the full-platform scanning library and the update list.
A7, the vulnerability fix system according to any one of A1-A6, wherein the identification of the update file corresponding to each patch is recorded in the scanning library of each platform, and the client is further adapted to:
scanning the local vulnerability by using the target scanning library to obtain a scanning result set of the patch which is not installed on the local system;
selecting patches to be installed from the scanning result set;
and determining the identifier of the update file to be installed corresponding to the patch to be installed according to the identifier of the update file corresponding to each patch recorded in the target scanning library.
A8, the vulnerability repair system according to A7, wherein the client is further adapted to:
enumerating all patches in the target scanning library to obtain an update list;
and traversing the update list, judging whether each patch is installed on a local system, and if not, adding the patch to the scanning result set.
A9, the vulnerability repair system according to A8, wherein the client is further adapted to:
and before traversing the update list and judging whether each patch is installed on the local system, judging whether the parent dependency of each patch passes the detection, and if so, judging whether each patch is installed on the local system.
A10, the vulnerability repair system according to A9, wherein the client is further adapted to:
and if the parent dependency of a certain patch does not pass the detection, taking the next patch from the update list and judging whether the parent dependency of the next patch passes the detection.
A11, the vulnerability repair system according to A7, wherein the client is further adapted to:
determining the identifier of the alternative update file corresponding to the patch to be installed according to the identifier of the update file corresponding to each patch recorded in the target scanning library;
and determining the identifier of the update file to be installed according to the identifier of the alternative update file.
A12, the vulnerability repair system according to A11, wherein when the update file includes an update package, the client is further adapted to:
determining the identification of the target update package corresponding to the patch to be installed according to the identification of the update package corresponding to each patch recorded in the target scanning library;
acquiring address information of the target update package from the KV server by using the identifier of the target update package;
downloading the target update package from a corresponding CDN node by using the address information of the target update package;
and decompressing the target update package to obtain the identifier of the alternative update file.
A13, the vulnerability repair system according to A11 or A12, wherein the client is further adapted to:
judging whether the alternative update file exists on a local system or not according to the identifier of the alternative update file;
if not, writing the identifier of the alternative update file into a differential file list, and taking the identifier of the file in the differential file list as the identifier of the update file to be installed;
if yes, copying the alternative update file on the local system to the temporary installation directory.
A14, the vulnerability repair system according to A13, wherein the client is further adapted to:
acquiring address information of the update file to be installed from the KV server by using the identifier of the update file to be installed;
and downloading the update file to be installed from the corresponding CDN node by using the address information of the update file to be installed.
A15, the vulnerability repair system according to A14, wherein the client is further adapted to:
and copying the downloaded update file to be installed to the temporary installation directory.
A16, the vulnerability repair system according to A14, wherein the client is further adapted to:
acquiring index information of the update file to be installed, which contains verification information of the update file, from the KV server by using the identifier of the update file to be installed;
and verifying the downloaded update file to be installed by using the verification information, and copying the update file to be installed to the temporary installation directory after the verification is passed.
A17, the vulnerability repair system according to A15 or A16, wherein the client is further adapted to:
and installing the files in the temporary installation directory to repair the local vulnerability.
According to another aspect of the embodiments of the present invention, B18, a bug fixing method applied to a data distribution server, is also provided, including:
synchronously acquiring accumulated updating data for repairing the program bug from a program provider according to a specified time period;
extracting a full-platform scanning library containing one or more update patches from the accumulated update data, and splitting the full-platform scanning library according to a system platform to obtain scanning libraries of all platforms;
and issuing the update files in the accumulated update data to a file server, and issuing the scanning libraries of all the platforms through a specified channel.
B19, the bug fixing method according to B18, wherein the file server includes a plurality of content delivery network (CDN) nodes, and publishing the update file in the accumulated update data to the file server includes:
and uploading the update file to a CDN delivery server and synchronizing the update file to each CDN node.
B20, the bug fixing method according to B18 or B19, wherein the synchronously obtaining the accumulated update data for fixing the bug of the program from the program provider according to the specified time period includes:
synchronously acquiring description information of accumulated updating data for repairing the program bug from a program provider according to a specified time period, wherein the description information comprises a downloading address for downloading the accumulated updating data;
and downloading according to the download address in the description information to obtain the accumulated updating data.
B21, the bug fixing method according to any one of B18-B20, wherein extracting a full platform scan library including one or more update patches from the accumulated update data, and splitting the full platform scan library according to a system platform to obtain a scan library of each platform, includes:
invoking a first command to extract a full platform scan library containing one or more update patches from the cumulative update data;
calling a second command to derive an update list of patches of each platform from the full platform scanning library according to the identification of each system platform;
and calling a third command to generate the scanning library of each platform according to the full-platform scanning library and the update list.
According to another aspect of the embodiments of the present invention, there is further provided C22, a bug fixing method applied to a file server, including:
synchronizing the update files from the data distribution server;
and acquiring the identifier of the update file and the address information of the file server where the update file is located, and establishing an index containing the identifier and the address information of the update file.
C23, the bug fixing method according to C22, wherein the file server comprises a plurality of CDN nodes and a KV server;
the synchronization of the update file from the data distribution server comprises the following steps: synchronizing the update files by each CDN node;
the acquiring the identifier of the update file and the address information of the file server where the update file is located, and establishing the index of the update file, which contains the identifier and the address information, includes: and the KV server acquires the identification of the update file and the address information of each CDN node where the update file is located, and establishes an index containing the identification and the address information of the update file.
C24, the vulnerability fixing method according to C22 or C23, wherein the index further includes index information of at least one of the following:
the summary information, size, release time and verification information of the update file.
According to another aspect of the embodiments of the present invention, D25, a bug fixing method applied to a client, is further provided, including:
when a trigger event of vulnerability repair is received, loading a target scanning library which is released by a data release server through a specified channel and matched with a local system platform;
scanning the local vulnerability by using the target scanning library to obtain an identifier of the updated file to be installed;
and acquiring the updated file to be installed from a file server by using the identifier of the updated file to be installed, and repairing the local vulnerability by using the updated file to be installed.
D26, the bug fixing method according to D25, wherein the target scanning library records the identifier of the update file corresponding to each patch, and scanning the local vulnerability by using the target scanning library to obtain the identifier of the update file to be installed includes:
scanning the local vulnerability by using the target scanning library to obtain a scanning result set of the patch which is not installed on the local system;
selecting patches to be installed from the scanning result set;
and determining the identifier of the update file to be installed corresponding to the patch to be installed according to the identifier of the update file corresponding to each patch recorded in the target scanning library.
D27, the bug fixing method according to D26, wherein the step of scanning the local bug by using the target scanning library to obtain a scanning result set of the patch which is not installed on the local system comprises the steps of:
enumerating all patches in the target scanning library to obtain an update list;
and traversing the update list, judging whether each patch is installed on a local system, and if not, adding the patch to the scanning result set.
D28, the bug fixing method according to D27, further comprising:
and before traversing the update list and judging whether each patch is installed on the local system, judging whether the parent dependency of each patch passes the detection, and if so, judging whether each patch is installed on the local system.
D29, the bug fixing method according to D28, wherein the judging whether the parent dependency of each patch passes the detection comprises:
and if the parent dependency of a certain patch does not pass the detection, taking the next patch from the update list and judging whether the parent dependency of the next patch passes the detection.
D30, the bug fixing method according to D26, wherein determining, according to the identifier of the update file corresponding to each patch recorded in the target scanning library, the identifier of the update file to be installed corresponding to the patch to be installed includes:
determining the identifier of the alternative update file corresponding to the patch to be installed according to the identifier of the update file corresponding to each patch recorded in the target scanning library;
and determining the identifier of the update file to be installed according to the identifier of the alternative update file.
D31, the bug fixing method according to D30, wherein the file server includes a plurality of CDN nodes and KV servers, and each CDN node is synchronized with the update file; the KV server establishes an index of the identification and address information of the update file;
when the updated file comprises an updated package, determining an identifier of a candidate updated file corresponding to the patch to be installed according to the identifier of the updated file corresponding to each patch recorded in the target scanning library, including:
determining the identification of the target update package corresponding to the patch to be installed according to the identification of the update package corresponding to each patch recorded in the target scanning library;
acquiring address information of the target update package from the KV server by using the identifier of the target update package;
downloading the target update package from a corresponding CDN node by using the address information of the target update package;
and decompressing the target update package to obtain the identifier of the alternative update file.
D32, the bug fixing method according to D30 or D31, wherein the determining the identifier of the update file to be installed according to the identifier of the candidate update file includes:
judging whether the alternative update file exists on a local system or not according to the identifier of the alternative update file;
if not, writing the identifier of the alternative update file into a differential file list, and taking the identifier of the file in the differential file list as the identifier of the update file to be installed;
if yes, copying the alternative update file on the local system to the temporary installation directory.
D33, the bug fixing method according to D32, wherein the obtaining the update file to be installed from the file server by using the identifier of the update file to be installed includes:
acquiring address information of the updated file to be installed from the KV server by using the identifier of the updated file to be installed;
and downloading the update file to be installed from a corresponding CDN node by utilizing the address information of the update file to be installed.
D34, the bug fixing method according to D33, wherein repairing the local vulnerability by using the update file to be installed includes:
copying the downloaded update file to be installed to the temporary installation directory;
and installing the files in the temporary installation directory to repair the local vulnerability.
D35, the bug fixing method according to D34, wherein copying the downloaded update file to be installed to the temporary installation directory includes:
acquiring, from the KV server by using the identifier of the update file to be installed, index information of the update file to be installed that contains verification information of the update file;
and verifying the downloaded update file to be installed by using the verification information, and copying the update file to be installed to the temporary installation directory after the verification passes.
According to another aspect of the embodiments of the present invention, there is also provided E36, a data distribution server, including:
the first synchronization module is suitable for synchronously acquiring accumulated updating data for repairing the program bug from a program provider according to a specified time period;
the first processing module is suitable for extracting a full-platform scanning library containing one or more update patches from the accumulated update data, and splitting the full-platform scanning library according to a system platform to obtain scanning libraries of all platforms;
and the issuing module is suitable for issuing the update files in the accumulated update data to a file server and issuing the scanning libraries of all the platforms through a specified channel.
According to still another aspect of the embodiments of the present invention, there is also provided F37, a file server, including:
the second synchronization module is suitable for synchronizing the updated files from the data distribution server;
and the second processing module is suitable for acquiring the identifier of the update file and the address information of the file server where the update file is positioned, and establishing an index containing the identifier and the address information of the update file.
According to another aspect of the embodiment of the present invention, there is also provided G38, a client including:
the loading module is suitable for loading a target scanning library which is released by the data release server through a specified channel and matched with the local system platform when a trigger event of bug fixing is received;
the scanning module is suitable for scanning the local vulnerability by using the target scanning library to obtain the identifier of the updated file to be installed;
and the vulnerability repairing module is suitable for acquiring the updated file to be installed from the file server by using the identifier of the updated file to be installed, and then repairing the local vulnerability by using the updated file to be installed.

Claims (38)

1. A vulnerability fix system, comprising a data release server, a file server and a client;
the data release server is suitable for synchronously acquiring accumulated updating data for repairing the program bugs from a program provider according to a specified time period; extracting a full-platform scanning library containing one or more update patches from the accumulated update data, and splitting the full-platform scanning library according to a system platform to obtain scanning libraries of all platforms; issuing the update files in the accumulated update data to the file server, and issuing the scan libraries of each platform through a specified channel;
the file server is suitable for synchronizing the update file, acquiring the identifier of the update file and the address information of the file server where the update file is located, and establishing an index containing the identifier and the address information of the update file;
the client is suitable for loading a target scanning library which is issued through the specified channel and matched with a local system platform when a trigger event of vulnerability repair is received, and scanning the local vulnerability by using the target scanning library to obtain an identifier of an updated file to be installed; and acquiring the updated file to be installed from the file server by using the identifier of the updated file to be installed, and repairing the local vulnerability by using the updated file to be installed.
2. The vulnerability fix system of claim 1, wherein the file server comprises a plurality of Content Delivery Network (CDN) nodes and KV servers;
each CDN node is suitable for synchronizing the update files;
the KV server is suitable for acquiring the identification of the updated file and the address information of each CDN node where the updated file is located, and establishing an index containing the identification and the address information of the updated file.
3. The vulnerability fix system of claim 2, wherein the index further comprises index information for at least one of:
and updating summary information, size, release time and verification information of the file.
4. The vulnerability fix system of claim 2, wherein the data publication server is further adapted to:
and uploading the updated file to a CDN delivery server and synchronizing the updated file to each CDN node.
5. The vulnerability remediation system of any of claims 1-4, wherein the data publication server is further adapted to:
synchronously acquiring description information of accumulated updating data for repairing the program bug from a program provider according to a specified time period, wherein the description information comprises a downloading address for downloading the accumulated updating data;
and downloading according to the download address in the description information to obtain the accumulated updating data.
6. The vulnerability remediation system of any of claims 1-4, wherein the data publication server is further adapted to:
invoking a first command to extract a full platform scan library containing one or more update patches from the cumulative update data;
calling a second command to derive an update list of patches of each platform from the full platform scanning library according to the identification of each system platform;
and calling a third command to generate the scanning library of each platform according to the full-platform scanning library and the update list.
7. The vulnerability fix system of claim 2, wherein the scanning library of each platform records an identifier of the update file corresponding to each patch, and the client is further adapted to:
scanning the local vulnerability by using the target scanning library to obtain a scanning result set of the patches not installed on the local system;
selecting patches to be installed from the scanning result set;
and determining the identifier of the update file to be installed corresponding to the patch to be installed according to the identifier of the update file corresponding to each patch recorded in the target scanning library.
8. The vulnerability remediation system of claim 7, wherein the client is further adapted to:
enumerating all patches in the target scanning library to obtain an update list;
and traversing the update list, judging whether each patch is installed on the local system, and if not, adding the patch to the scanning result set.
9. The vulnerability remediation system of claim 8, wherein the client is further adapted to:
and before traversing the update list and judging whether each patch is installed on the local system, judging whether the parent dependency of each patch passes the detection, and if so, judging whether that patch is installed on the local system.
10. The vulnerability remediation system of claim 9, wherein the client is further adapted to:
and if the parent dependency of a patch does not pass the detection, taking the next patch from the update list and judging whether the parent dependency of that next patch passes the detection.
11. The vulnerability remediation system of claim 7, wherein the client is further adapted to:
determining the identifier of the candidate update file corresponding to the patch to be installed according to the identifier of the update file corresponding to each patch recorded in the target scanning library;
and determining the identifier of the update file to be installed according to the identifier of the candidate update file.
12. The vulnerability fix system of claim 11, wherein, when the update file includes an update package, the client is further adapted to:
determining the identifier of the target update package corresponding to the patch to be installed according to the identifier of the update package corresponding to each patch recorded in the target scanning library;
acquiring address information of the target update package from the KV server by using the identifier of the target update package;
downloading the target update package from the corresponding CDN node by using the address information of the target update package;
and decompressing the target update package to obtain the identifier of the candidate update file.
13. The vulnerability remediation system of claim 11 or 12, wherein the client is further adapted to:
judging whether the candidate update file exists on the local system according to the identifier of the candidate update file;
if not, writing the identifier of the candidate update file into a differential file list, and taking the identifiers of the files in the differential file list as the identifiers of the update files to be installed;
if yes, copying the candidate update file on the local system to the temporary installation directory.
14. The vulnerability remediation system of claim 13, wherein the client is further adapted to:
acquiring address information of the updated file to be installed from the KV server by using the identifier of the updated file to be installed;
and downloading the update file to be installed from a corresponding CDN node by utilizing the address information of the update file to be installed.
15. The vulnerability remediation system of claim 14, wherein the client is further adapted to:
and copying the downloaded update file to be installed to the temporary installation directory.
16. The vulnerability remediation system of claim 14, wherein the client is further adapted to:
acquiring index information of the updated file to be installed, which contains verification information of the updated file, from the KV server by using the identifier of the updated file to be installed;
and verifying the downloaded updated file to be installed by using the verification information, and copying the updated file to be installed to the temporary installation directory after the verification is passed.
17. The vulnerability remediation system of claim 15 or 16, wherein the client is further adapted to:
and installing the files in the temporary installation directory to repair the local vulnerability.
18. A vulnerability repairing method is applied to a data release server and comprises the following steps:
synchronously acquiring accumulated updating data for repairing the program bug from a program provider according to a specified time period;
extracting a full-platform scanning library containing one or more update patches from the accumulated update data, and splitting the full-platform scanning library according to a system platform to obtain scanning libraries of all platforms; the full platform scanning library comprises an update list of patches of each platform;
and issuing the update files in the accumulated update data to a file server, and issuing the scanning libraries of all the platforms through a specified channel.
19. The bug fix method of claim 18, wherein the file server comprises a plurality of Content Delivery Network (CDN) nodes, and delivering the update file in the accumulated update data to the file server comprises:
and uploading the updated file to a CDN delivery server and synchronizing the updated file to each CDN node.
20. The bug fix method of claim 18, wherein the synchronously obtaining cumulative update data for fixing the bug from the program provider at a specified time period comprises:
synchronously acquiring description information of accumulated updating data for repairing the program bug from a program provider according to a specified time period, wherein the description information comprises a downloading address for downloading the accumulated updating data;
and downloading according to the download address in the description information to obtain the accumulated updating data.
21. The bug fixing method according to any of claims 18-20, wherein extracting a full platform scanning library including one or more update patches from the accumulated update data, splitting the full platform scanning library according to a system platform to obtain a scanning library of each platform, comprises:
invoking a first command to extract a full platform scan library containing one or more update patches from the cumulative update data;
calling a second command to derive an update list of patches of each platform from the full platform scanning library according to the identification of each system platform;
and calling a third command to generate the scanning library of each platform according to the full-platform scanning library and the update list.
22. A vulnerability repairing method is applied to a file server and comprises the following steps:
synchronizing the updated files from the data distribution server;
acquiring an identifier of the update file and address information of the file server where the update file is located, and establishing an index containing the identifier and the address information of the update file;
before synchronizing the update file from the data distribution server, the method further includes:
the data issuing server synchronously acquires accumulated updating data for repairing the program bug from a program provider according to a specified time period;
extracting a full-platform scanning library containing one or more update patches from the accumulated update data, and splitting the full-platform scanning library according to a system platform to obtain scanning libraries of all platforms; the full platform scanning library comprises an update list of patches of each platform;
and issuing the update files in the accumulated update data to a file server, and issuing the scanning libraries of all the platforms through a specified channel.
23. The bug fix method of claim 22, wherein the file server comprises a plurality of Content Delivery Network (CDN) nodes and KV servers;
the synchronization of the update file from the data distribution server comprises the following steps: synchronizing the update files by each CDN node;
the acquiring the identifier of the update file and the address information of the file server where the update file is located, and establishing the index of the update file, which contains the identifier and the address information, includes: and the KV server acquires the identification of the update file and the address information of each CDN node where the update file is located, and establishes an index containing the identification and the address information of the update file.
24. The vulnerability fixing method according to claim 22 or 23, wherein the index further comprises index information of at least one of:
and updating summary information, size, release time and verification information of the file.
25. A vulnerability repairing method is applied to a client and comprises the following steps:
when a trigger event of vulnerability repair is received, loading a target scanning library which is released by a data release server through a specified channel and matched with a local system platform;
scanning the local vulnerability by using the target scanning library to obtain an identifier of the updated file to be installed;
acquiring the updated file to be installed from a file server by using the identifier of the updated file to be installed, and repairing a local vulnerability by using the updated file to be installed;
before the loading of the target scan library which is published by the data publishing server through the specified channel and matched with the local system platform, the method further comprises the following steps:
the data issuing server synchronously acquires accumulated updating data for repairing the program bug from a program provider according to a specified time period;
extracting a full-platform scanning library containing one or more update patches from the accumulated update data, and splitting the full-platform scanning library according to a system platform to obtain scanning libraries of all platforms;
and issuing the update files in the accumulated update data to a file server, and issuing the scanning libraries of all the platforms through a specified channel.
26. The bug fixing method according to claim 25, wherein the target scanning library records an identifier of the update file corresponding to each patch, and scanning the local vulnerability by using the target scanning library to obtain an identifier of the update file to be installed includes:
scanning the local vulnerability by using the target scanning library to obtain a scanning result set of the patches not installed on the local system;
selecting patches to be installed from the scanning result set;
and determining the identifier of the update file to be installed corresponding to the patch to be installed according to the identifier of the update file corresponding to each patch recorded in the target scanning library.
27. The vulnerability remediation method of claim 26, wherein scanning the local vulnerability by using the target scanning library to obtain a scanning result set of the patches not installed on the local system comprises:
enumerating all patches in the target scanning library to obtain an update list;
and traversing the update list, judging whether each patch is installed on the local system, and if not, adding the patch to the scanning result set.
28. The bug fix method of claim 27, further comprising:
and before traversing the update list and judging whether each patch is installed on the local system, judging whether the parent dependency of each patch passes the detection, and if so, judging whether that patch is installed on the local system.
29. The bug fixing method of claim 28, wherein judging whether the parent dependency of each patch passes the detection comprises:
and if the parent dependency of a patch does not pass the detection, taking the next patch from the update list and judging whether the parent dependency of that next patch passes the detection.
30. The bug fixing method according to claim 26, wherein determining the identifier of the update file to be installed corresponding to the patch to be installed according to the identifier of the update file corresponding to each patch recorded in the target scanning library comprises:
determining the identifier of the candidate update file corresponding to the patch to be installed according to the identifier of the update file corresponding to each patch recorded in the target scanning library;
and determining the identifier of the update file to be installed according to the identifier of the candidate update file.
31. The bug fixing method according to claim 30, wherein the file server comprises a plurality of content delivery network (CDN) nodes and a KV server, the update file is synchronized to each CDN node, and the KV server establishes an index of the identifier and address information of the update file;
when the update file comprises an update package, determining the identifier of the candidate update file corresponding to the patch to be installed according to the identifier of the update file corresponding to each patch recorded in the target scanning library includes:
determining the identifier of the target update package corresponding to the patch to be installed according to the identifier of the update package corresponding to each patch recorded in the target scanning library;
acquiring address information of the target update package from the KV server by using the identifier of the target update package;
downloading the target update package from the corresponding CDN node by using the address information of the target update package;
and decompressing the target update package to obtain the identifier of the candidate update file.
32. The bug fix method of claim 31, wherein determining the identifier of the update file to be installed according to the identifier of the candidate update file comprises:
judging whether the candidate update file exists on the local system according to the identifier of the candidate update file;
if not, writing the identifier of the candidate update file into a differential file list, and taking the identifiers of the files in the differential file list as the identifiers of the update files to be installed;
if yes, copying the candidate update file on the local system to the temporary installation directory.
33. The bug fix method of claim 32, wherein obtaining the update file to be installed from the file server by using the identifier of the update file to be installed comprises:
acquiring address information of the updated file to be installed from the KV server by using the identifier of the updated file to be installed;
and downloading the update file to be installed from a corresponding CDN node by utilizing the address information of the update file to be installed.
34. The bug fix method of claim 33, wherein repairing the local vulnerability by using the update file to be installed comprises:
copying the downloaded update file to be installed to the temporary installation directory;
and installing the files in the temporary installation directory to repair the local vulnerability.
35. The bug fix method of claim 34, wherein copying the downloaded update file to be installed to the temporary installation directory comprises:
acquiring, from the KV server by using the identifier of the update file to be installed, index information of the update file to be installed that contains verification information of the update file;
and verifying the downloaded update file to be installed by using the verification information, and copying the update file to be installed to the temporary installation directory after the verification passes.
36. A data distribution server, comprising:
the first synchronization module is suitable for synchronously acquiring accumulated updating data for repairing the program bug from a program provider according to a specified time period;
the first processing module is suitable for extracting a full-platform scanning library containing one or more update patches from the accumulated update data, and splitting the full-platform scanning library according to a system platform to obtain scanning libraries of all platforms; the full platform scanning library comprises an update list of patches of each platform;
and the issuing module is suitable for issuing the update files in the accumulated update data to a file server and issuing the scanning libraries of all the platforms through a specified channel.
37. A file server, comprising:
the second synchronization module is suitable for synchronizing the updated files from the data distribution server;
the second processing module is suitable for acquiring the identification of the updated file and the address information of the file server where the updated file is located, and establishing an index containing the identification and the address information of the updated file;
wherein the data release server comprises:
the first synchronization module is suitable for synchronously acquiring accumulated updating data for repairing the program bug from a program provider according to a specified time period;
the first processing module is suitable for extracting a full-platform scanning library containing one or more update patches from the accumulated update data, and splitting the full-platform scanning library according to a system platform to obtain scanning libraries of all platforms; the full platform scanning library comprises an update list of patches of each platform;
and the issuing module is suitable for issuing the update files in the accumulated update data to a file server and issuing the scanning libraries of all the platforms through a specified channel.
38. A client, comprising:
the loading module is suitable for loading a target scanning library which is released by the data release server through a specified channel and matched with the local system platform when a trigger event of bug fixing is received;
the scanning module is suitable for scanning the local vulnerability by using the target scanning library to obtain the identifier of the updated file to be installed;
the vulnerability repairing module is suitable for acquiring the updated file to be installed from a file server by using the identifier of the updated file to be installed, and then repairing a local vulnerability by using the updated file to be installed;
wherein the data release server comprises:
the first synchronization module is suitable for synchronously acquiring accumulated updating data for repairing the program bug from a program provider according to a specified time period;
the first processing module is suitable for extracting a full-platform scanning library containing one or more update patches from the accumulated update data, and splitting the full-platform scanning library according to a system platform to obtain scanning libraries of all platforms;
and the issuing module is suitable for issuing the update files in the accumulated update data to a file server and issuing the scanning libraries of all the platforms through a specified channel.
CN201710055079.1A 2017-01-24 2017-01-24 Vulnerability repair system, method and equipment Active CN106919843B (en)

Publications (2)

Publication Number Publication Date
CN106919843A CN106919843A (en) 2017-07-04
CN106919843B true CN106919843B (en) 2020-08-28

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106909427B (en) * 2017-03-23 2020-09-22 北京奇虎科技有限公司 Software updating method and device and software updating data publishing method and system
CN107395593B (en) * 2017-07-19 2020-12-04 深信服科技股份有限公司 Vulnerability automatic protection method, firewall and storage medium
CN107577948B (en) * 2017-08-22 2021-03-19 北京奇虎科技有限公司 Vulnerability repairing method and device
CN109240723A (en) * 2018-09-03 2019-01-18 中国平安人寿保险股份有限公司 Application program update method, system, computer equipment and storage medium
CN109905463A (en) * 2019-01-29 2019-06-18 北京海杭通讯科技有限公司 The method issued automatically based on web application multiserver
CN112395616B (en) * 2019-08-15 2024-01-30 奇安信安全技术(珠海)有限公司 Vulnerability processing method and device and computer equipment
CN110750764B (en) * 2019-09-17 2024-06-04 平安银行股份有限公司 Terminal control management method, device, computer equipment and storage medium
CN113760339A (en) * 2020-07-01 2021-12-07 北京沃东天骏信息技术有限公司 Vulnerability repair method and device
CN112541182B (en) * 2020-12-23 2022-11-04 苏州三六零智能安全科技有限公司 Kernel VFS layer system repairing method, device, equipment and storage medium
CN113262493A (en) * 2021-04-15 2021-08-17 网易(杭州)网络有限公司 Vulnerability repairing method and device for game
CN113704359B (en) * 2021-09-03 2024-04-26 优刻得科技股份有限公司 Method, system and server for synchronizing multiple data copies of time sequence database

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101042700A (en) * 2007-02-09 2007-09-26 华为技术有限公司 Method, system and equipment for managing patch file
US20080040712A1 (en) * 2006-08-11 2008-02-14 Sharp Kabushiki Kaisha Data processing apparatus, program managing apparatus, control program updating method, program managing method, program managing system, updating program, and recording medium
CN101694625A (en) * 2009-11-09 2010-04-14 金蝶软件(中国)有限公司 Method and device for upgrading client software based on encryption sever management
CN101931944A (en) * 2010-07-23 2010-12-29 华为终端有限公司 Method, device and system for updating terminal patches on line
CN102624861A (en) * 2011-11-28 2012-08-01 苏州奇可思信息科技有限公司 Enterprise network-oriented operating system upgrade patch updating method
CN103634410A (en) * 2013-12-12 2014-03-12 北京奇虎科技有限公司 Data synchronization method based on content distribution network (CDN), client end and server
CN103745158A (en) * 2014-01-26 2014-04-23 北京奇虎科技有限公司 Method and device for repairing system bugs
CN104965721A (en) * 2014-07-10 2015-10-07 腾讯科技(深圳)有限公司 Method and apparatus for updating an application
CN104991793A (en) * 2015-06-15 2015-10-21 上海海漾软件技术有限公司 Method, device and system used for application program subpackage

Also Published As

Publication number Publication date
CN106919843A (en) 2017-07-04

Similar Documents

Publication Publication Date Title
CN106919843B (en) Vulnerability repair system, method and equipment
CN106921731B (en) Vulnerability repair method and device
US7664834B2 (en) Distributed operating system management
EP1788493A1 (en) Detecting changes in data
US9075693B2 (en) Methods for updating applications
US6202207B1 (en) Method and a mechanism for synchronized updating of interoperating software
US8448161B2 (en) Application tracking for application execution environment
US7930273B1 (en) Version management for application execution environment
CN105373396B (en) Update of plug-in loading method and device in plug-platform
US8375381B1 (en) Management user interface for application execution environment
US8677326B2 (en) Detecting applications in a virtualization environment
CN106909427B (en) Software updating method and device and software updating data publishing method and system
US20070162521A1 (en) Method and system for sharing files among different virtual machine images
GB2333865A (en) Synchronised updating of interoperating software
JP2006172472A5 (en)
WO2013130984A1 (en) Distribution of application files
EP1771785A2 (en) System and method for extraction and creation of application meta-information within a software application repository
CN110825399B (en) Deployment method and device of application program
CN103544434A (en) Method and terminal used for ensuring safe operation of application program
CN103701817B (en) Method and device for generating configuration file
JP2015527686A (en) Efficient virtual machine deployment method
CN111464347A (en) Automatic deployment device and method for large-scale heterogeneous equipment application
US20160004850A1 (en) Secure download from internet marketplace
CN113542418A (en) File management method and device, electronic equipment and storage medium
US20090216548A1 (en) License Management in a Networked Software Application Solution

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant