Automated software compliance analysis

US 10,127,147 B2
Filed: 12/23/2016
Issued: 11/13/2018
Est. Priority Date: 12/23/2016
Status: Active Grant

First Claim

Patent Images

1. One or more non-transitory computer-readable storage media storing computer-executable instructions for causing a computing system to perform processing to analyze whether a software program may create a compliance issue, the processing comprising:

automatically determining, with a compliance tool specified by the computer-executable instructions, identifiers for each of a plurality of processes invoked by a software program by analyzing source code for the software program;

comparing the identifiers of the plurality of invoked processes with a process compliance library, the process compliance library comprising an identifier of at least one process;

determining that an invoked process results in a potential compliance violation;

from the source code, determining at least one data source accessed by the invoked process resulting in a potential compliance violation;

comparing the at least one data source with a data source compliance library, the data source compliance library comprising an identifier of the at least one data source;

from the source code, determining at least one location to which data from the at least one data source may be transmitted as a result of invoking the process resulting in a potential compliance violation;

determining that the at least one data source is associated with a compliance warning; and

outputting to a user a display of compliance results, the compliance results comprising a process of the plurality of processes, the process associated with the compliance warning,the display indicating the at least one data source accessed by the invoked process resulting in a potential compliance violation and the at least one location to which data from the at least one data source may be transmitted as a result of invoking the process resulting in a potential compliance violation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques and solutions are described for facilitating the determination of whether a software program may raise a compliance issue, such as whether processes invoked by the software program may involve the sending of protected information. A compliance tool automatically determines a plurality of processes invoked by a program. A plurality of the invoked processes are compared with a process compliance library comprising at least one process. The comparing produces compliance results. The compliance results are output to a user.

33 Citations

View as Search Results

19 Claims

1. One or more non-transitory computer-readable storage media storing computer-executable instructions for causing a computing system to perform processing to analyze whether a software program may create a compliance issue, the processing comprising:
- automatically determining, with a compliance tool specified by the computer-executable instructions, identifiers for each of a plurality of processes invoked by a software program by analyzing source code for the software program;
  
  comparing the identifiers of the plurality of invoked processes with a process compliance library, the process compliance library comprising an identifier of at least one process;
  
  determining that an invoked process results in a potential compliance violation;
  
  from the source code, determining at least one data source accessed by the invoked process resulting in a potential compliance violation;
  
  comparing the at least one data source with a data source compliance library, the data source compliance library comprising an identifier of the at least one data source;
  
  from the source code, determining at least one location to which data from the at least one data source may be transmitted as a result of invoking the process resulting in a potential compliance violation;
  
  determining that the at least one data source is associated with a compliance warning; and
  
  outputting to a user a display of compliance results, the compliance results comprising a process of the plurality of processes, the process associated with the compliance warning,the display indicating the at least one data source accessed by the invoked process resulting in a potential compliance violation and the at least one location to which data from the at least one data source may be transmitted as a result of invoking the process resulting in a potential compliance violation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The one or more non-transitory computer-readable storage media of claim 1, wherein the compliance results comprise a compliance warning for any processes of the plurality of processes matching a process of the compliance library.
  - 3. The one or more non-transitory computer-readable storage media of claim 1, wherein the compliance results comprise a compliance warning for any processes of the plurality of processes that do not match a process of the compliance library.
  - 4. The one or more non-transitory computer-readable storage media of claim 1, wherein automatically determining a plurality of processes invoked by the program comprises calling a method to generate a call hierarchy of the program.
  - 5. The one or more non-transitory computer-readable storage media of claim 4, wherein the method is a method of an integrated development environment.
  - 6. The one or more non-transitory computer-readable storage media of claim 5, wherein the compliance tool is a plugin to the integrated development environment.
  - 7. The one or more non-transitory computer-readable storage media of claim 1, wherein the compliance results comprise at least one process of the plurality of processes associated with a compliance warning, the processing further comprising:
    - determining an external resource associated with the at least one process of the compliance results; and
      
      wherein the compliance results provide an indication of a potential compliance issue associated with the external resource.
  - 8. The one or more non-transitory computer-readable storage media of claim 7, the processing further comprising:
    - comparing the plurality of processes with an external resource process compliance library, the external resource process compliance library comprising an identifier of at least one external resource.
  - 9. The one or more non-transitory computer-readable storage media of claim 7, the processing further comprising:
    - analyzing data transmitted to, or received from, the external resource.
  - 10. The one or more non-transitory computer-readable storage media of claim 9, wherein analyzing data transmitted to, or received from, the external resource comprises analyzing descriptor information associated with the at least one process.
  - 11. The one or more non-transitory computer-readable storage media of claim 1, wherein automatically determining a plurality of processes invoked by the program comprises analyzing program documentation.
  - 12. The one or more non-transitory computer-readable storage media of claim 1, the processing further comprising:
    - automatically associating at least a portion of the plurality of processes invoked by the program with one or more formalized compliance terms using the compliance tool.
  - 13. The one or more non-transitory computer-readable storage media of claim 12, wherein determining compliance results comprises analyzing at least a portion of the plurality of processes invoked by the program using at least one formalized compliance norm comprising at least one of the one or more formalized compliance terms.
  - 14. The one or more non-transitory computer-readable storage media of claim 1, wherein outputting to the user the compliance results comprises displaying to the user a representation of formalized compliance terms associated with a formalized compliance norm, wherein formalized compliance terms potentially associated with a compliance issue are visually indicated to a user.
  - 15. The one or more non-transitory computer-readable storage media of claim 14, the processing further comprising:
    - receiving user input selecting a displayed formalized compliance term; and
      
      providing the user with text of the formalized compliance norm associated with the formalized compliance term.
  - 16. The one or more non-transitory computer-readable storage media of claim 14, wherein the formalized compliance terms each comprising a status, the processing further comprising:
    - receiving user input altering the status of at least one formalized compliance term.
  - 17. The one or more non-transitory computer-readable storage media of claim 16, further comprising updating a status of the formalized compliance norm based on the user input.

18. A computing system that implements a compliance tool, the computing system comprising:
- one or more memories;
  
  one or more processing units coupled to the one or more memories; and
  
  one or more non-transitory computer readable storage media storing instructions that, when loaded into the memories, cause the one or more processing units to perform operations for;
  
  automatically determining a call hierarchy for a program by analyzing source code for the program, the call hierarchy comprising a plurality of processes invoked by the program;
  
  determining from the source code program information associated with at least one of the plurality of invoked processes, the program information comprising an identifier of the at least one of the plurality of invoked processes, at least one data source accessed by the at least one of the plurality of invoked processes, andat least one location to which data associated with the at least one data source is transmitted by the at least one of the plurality of invoked processes;
  
  associating at least a portion of the program information with at least one formalized compliance term, the associating comprising;
  
  comparing the identifier with a library comprising a plurality of process identifiers;
  
  comparing the at least one data source with a data source compliance library, the data source compliance library comprising an identifier of the at least one data source;
  
  determining that the at least one data source is associated with a compliance warning; and
  
  determining based on at least one of the comparing the identifier and the comparing the at least one data source that the at least one of the plurality of invoked process results in a potential compliance violation;
  
  analyzing the at least one of the invoked processes using at least one formalized compliance norm comprising the at least one formalized compliance term; and
  
  outputting for display a visual representation of the formalized compliance norm and associated formalized compliance term, the visual representation comprising an indicator of the identifier, an identifier of the at least one of the plurality of invoked processes, the at least one data source, and the at least one location.

19. In a computing system comprising a memory and one or more processors, a method of evaluating a potential compliance issue associated with at least one formalized compliance norm, the method comprising:
- automatically determining a plurality of processes invoked by a program by analyzing source code for the program;
  
  automatically determining at least one of arguments, parameters, and addresses associated with at least one of the plurality of invoked processes by analyzing the source code;
  
  determining from the source code at least one data source accessed by the at least one of the plurality of invoked processes;
  
  comparing the at least one data source with a data source compliance library, the data source compliance library comprising an identifier of the at least one data source;
  
  determining that the at least one data source is associated with a compliance warning;
  
  associating at least one argument, parameter, or address of the at least one of the plurality of invoked processes with a potential compliance issue to provide compliance results; and
  
  outputting for display a visual representation of the compliance results, the visual representation comprising an identifier of the at least one argument, parameter, or address and an identifier of the at least one of the plurality of invoked processes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Oberle, Daniel
Primary Examiner(s)
Khatri, Anil

Application Number

US15/389,761
Publication Number

US 20180181483A1
Time in Patent Office

690 Days
Field of Search

717123-129
US Class Current
CPC Class Codes

G06F 11/3604   Software analysis for verif...

G06F 11/3688   for test execution, e.g. sc...

G06F 11/3692   for test results analysis

Automated software compliance analysis

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

33 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Automated software compliance analysis

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links