Automated software compliance analysis
First Claim
1. One or more non-transitory computer-readable storage media storing computer-executable instructions for causing a computing system to perform processing to analyze whether a software program may create a compliance issue, the processing comprising:
automatically determining, with a compliance tool specified by the computer-executable instructions, identifiers for each of a plurality of processes invoked by a software program by analyzing source code for the software program;
comparing the identifiers of the plurality of invoked processes with a process compliance library, the process compliance library comprising an identifier of at least one process;
determining that an invoked process results in a potential compliance violation;
from the source code, determining at least one data source accessed by the invoked process resulting in a potential compliance violation;
comparing the at least one data source with a data source compliance library, the data source compliance library comprising an identifier of the at least one data source;
from the source code, determining at least one location to which data from the at least one data source may be transmitted as a result of invoking the process resulting in a potential compliance violation;
determining that the at least one data source is associated with a compliance warning; and
outputting to a user a display of compliance results, the compliance results comprising a process of the plurality of processes, the process associated with the compliance warning, the display indicating the at least one data source accessed by the invoked process resulting in a potential compliance violation and the at least one location to which data from the at least one data source may be transmitted as a result of invoking the process resulting in a potential compliance violation.
Abstract
Techniques and solutions are described for facilitating the determination of whether a software program may raise a compliance issue, such as whether processes invoked by the software program may involve the sending of protected information. A compliance tool automatically determines a plurality of processes invoked by a program. A plurality of the invoked processes are compared with a process compliance library comprising at least one process. The comparing produces compliance results. The compliance results are output to a user.
19 Claims
18. A computing system that implements a compliance tool, the computing system comprising:
one or more memories; one or more processing units coupled to the one or more memories; and one or more non-transitory computer readable storage media storing instructions that, when loaded into the memories, cause the one or more processing units to perform operations for: automatically determining a call hierarchy for a program by analyzing source code for the program, the call hierarchy comprising a plurality of processes invoked by the program; determining from the source code program information associated with at least one of the plurality of invoked processes, the program information comprising an identifier of the at least one of the plurality of invoked processes, at least one data source accessed by the at least one of the plurality of invoked processes, and at least one location to which data associated with the at least one data source is transmitted by the at least one of the plurality of invoked processes; associating at least a portion of the program information with at least one formalized compliance term, the associating comprising: comparing the identifier with a library comprising a plurality of process identifiers; comparing the at least one data source with a data source compliance library, the data source compliance library comprising an identifier of the at least one data source; determining that the at least one data source is associated with a compliance warning; and determining based on at least one of the comparing the identifier and the comparing the at least one data source that the at least one of the plurality of invoked processes results in a potential compliance violation; analyzing the at least one of the invoked processes using at least one formalized compliance norm comprising the at least one formalized compliance term; and outputting for display a visual representation of the formalized compliance norm and associated formalized compliance term, the visual representation comprising an indicator of the identifier, an identifier of the at least one of the plurality of invoked processes, the at least one data source, and the at least one location.
19. In a computing system comprising a memory and one or more processors, a method of evaluating a potential compliance issue associated with at least one formalized compliance norm, the method comprising:
automatically determining a plurality of processes invoked by a program by analyzing source code for the program; automatically determining at least one of arguments, parameters, and addresses associated with at least one of the plurality of invoked processes by analyzing the source code; determining from the source code at least one data source accessed by the at least one of the plurality of invoked processes; comparing the at least one data source with a data source compliance library, the data source compliance library comprising an identifier of the at least one data source; determining that the at least one data source is associated with a compliance warning; associating at least one argument, parameter, or address of the at least one of the plurality of invoked processes with a potential compliance issue to provide compliance results; and outputting for display a visual representation of the compliance results, the visual representation comprising an identifier of the at least one argument, parameter, or address and an identifier of the at least one of the plurality of invoked processes.
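The following is an added illustration, not code from the patent, of the analysis steps claims 1, 18 and 19 describe: extracting the identifiers of processes a program unit invokes from its source, matching them against a process compliance library, matching string arguments against a data source compliance library, and recording the address to which the flagged process may transmit that data. The two libraries, the sample program and the result fields are constructed for the demo; a real tool would load them from policy.

```python
import ast

# Constructed compliance libraries for the demo; not taken from any real standard.
PROCESS_LIBRARY = {"http_post": "external transmission", "send_email": "external transmission"}
DATA_SOURCE_LIBRARY = {"patient_records": "protected health information"}

# Constructed sample program under analysis.
SAMPLE_SOURCE = '''
def export_report():
    rows = load("patient_records")
    http_post("https://analytics.example", rows)

def greet():
    print("hello")
'''

def _string_args(call):
    """Return the string literal arguments of a call node."""
    return [a.value for a in call.args
            if isinstance(a, ast.Constant) and isinstance(a.value, str)]

def analyze(source):
    """Return one compliance result per invoked process that both matches the
    process library and sits in a program unit that accesses a flagged data source."""
    results = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        # Identifiers of every process (function) the program unit invokes.
        calls = [n for n in ast.walk(fn)
                 if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)]
        # Data sources accessed anywhere in the unit, matched against the library.
        accessed = sorted({s for c in calls for s in _string_args(c)
                           if s in DATA_SOURCE_LIBRARY})
        for call in calls:
            ident = call.func.id
            if ident not in PROCESS_LIBRARY or not accessed:
                continue
            results.append({
                "program_unit": fn.name,
                "invoked_process": ident,
                "violation": PROCESS_LIBRARY[ident],
                "data_sources": accessed,
                "warnings": [DATA_SOURCE_LIBRARY[s] for s in accessed],
                # Locations: string arguments of the flagged call that are not data sources.
                "locations": [s for s in _string_args(call) if s not in DATA_SOURCE_LIBRARY],
            })
    return results

if __name__ == "__main__":
    for result in analyze(SAMPLE_SOURCE):
        print(result)
```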