
US-12619735-B2 - Performing action based on mapping of runtime resource to hierarchy of assets utilized during development of code


Abstract

Techniques are described herein that are capable of performing an action based on mapping of a runtime resource to a hierarchy of assets utilized during development of code. A hierarchy of assets that are utilized during development of code on a user machine is identified (e.g., automatically identified). The assets in the hierarchy are included in respective hierarchical levels that correspond to respective asset types. A runtime resource, which is created by deployment of the code on a server machine that is coupled to the user machine via a network, is mapped (e.g., automatically mapped) to the assets in the hierarchy. An action is performed with regard to an identified asset, which is included among the assets in the hierarchy, based at least on the runtime resource being mapped to the identified asset.

Inventors

  • Lavanya U. KASARABADA
  • Sarika Calla
  • Ayala Miller
  • Laveesh ROHRA
  • Jose Miguel PARRELLA ROMERO

Assignees

  • MICROSOFT TECHNOLOGY LICENSING, LLC

Dates

Publication Date
2026-05-05
Application Date
2023-03-28

Claims (20)

  1. A system comprising: memory; and a processing system coupled to the memory, the processing system configured to: automatically identify a hierarchy that includes assets that are utilized during development of code on a user machine such that the assets in the hierarchy are included in respective hierarchical levels that correspond to respective asset types, wherein a first asset in a higher hierarchical level of the hierarchy includes a second asset in a lower hierarchical level of the hierarchy; map a runtime resource, which is created by deployment of the code on a server machine that is coupled to the user machine via a network, to the assets in the hierarchy based at least on the assets being utilized during development of the code and further based at least on the runtime resource being created by the deployment of the code; generate a graphical user interface that includes a plurality of interface elements representing a plurality of respective runtime resources that includes the runtime resource that is created by deployment of the code on the server machine, the interface elements configured such that selection of the interface elements initiates monitoring of the respective runtime resources for security vulnerabilities; receive an instruction that indicates selection of an interface element representing the runtime resource that is created by deployment of the code on the server machine; initiate monitoring of the runtime resource that is created by deployment of the code on the server machine for security vulnerabilities as a result of receiving the instruction; identify a security vulnerability associated with the runtime resource as a result of the runtime resource being monitored; as a result of the runtime resource being mapped to an asset in the hierarchy, identify the asset as a source of the security vulnerability; and as a result of the asset being identified as the source of the security vulnerability associated with the runtime resource, address the security vulnerability by performing a remedial action with regard to the asset.
  2. The system of claim 1, wherein the processing system is configured to: add start scripts to a beginning of respective jobs in a build of the code and end scripts to an end of the respective jobs, the start scripts configured to query a daemon for first information regarding assets that are built prior to performance of the respective jobs, the end scripts configured to query the daemon for second information regarding assets that are built and pushed by the respective jobs and third information regarding assets that are pulled during the build of the code, the second information indicating the hierarchy of the assets; and automatically identify the hierarchy of the assets by reviewing the second information.
  3. The system of claim 2, wherein the processing system is configured to: trigger extraction of logs associated with the end scripts based at least on a build completion event, which indicates completion of the build of the code, wherein a first subset of the logs includes the second information, wherein a second subset of the logs includes the third information; and filter the logs to obtain the first subset of the logs, which includes the second information, and to disregard the second subset of the logs, which includes the third information.
  4. The system of claim 1, wherein the processing system is configured to: automatically map the runtime resource to the assets in the hierarchy based at least on the assets being utilized during development of the code and further based at least on the runtime resource being created by the deployment of the code; and perform the action with regard to the asset based at least on the runtime resource being automatically mapped to the asset.
  5. The system of claim 1, wherein the processing system is configured to: assign a unique identifier to the runtime resource; assign a plurality of identifiers to the assets in the hierarchy; map the unique identifier assigned to the runtime resource to the plurality of identifiers assigned to the assets in the hierarchy; and perform the action with regard to the asset based at least on the unique identifier assigned to the runtime resource being mapped to an identifier assigned to the asset; and wherein the plurality of identifiers includes the identifier assigned to the asset.
  6. The system of claim 1, wherein the processing system is configured to: automatically identify the hierarchy of the assets that are utilized during the development of the code by analyzing a build of the code; store a representation of the hierarchy in a store; identify a representation of the asset in the representation of the hierarchy that is stored in the store; and perform the action with regard to the asset based at least on identification of the representation of the asset in the representation of the hierarchy that is stored in the store.
  7. The system of claim 1, wherein the processing system is configured to: establish an asset-specific policy that defines a rule to be enforced with regard to the asset; and wherein the asset-specific policy is specific to the asset.
  8. The system of claim 1, wherein the processing system is configured to: provide a notification to a developer of the code via a graphical user interface, the notification suggesting an action to be initiated by the developer with regard to the asset to mitigate the security vulnerability.
  9. A method implemented by a computing system, the method comprising: automatically identifying a hierarchy that includes assets that are utilized during development of code on a user machine such that the assets in the hierarchy are included in respective hierarchical levels that correspond to respective asset types, wherein a first asset in a higher hierarchical level of the hierarchy includes a second asset in a lower hierarchical level of the hierarchy; mapping a runtime resource, which is created by deployment of the code on a server machine that is coupled to the user machine via a network, to the assets in the hierarchy based at least on the assets being utilized during development of the code and further based at least on the runtime resource being created by the deployment of the code; generating a graphical user interface that includes a plurality of interface elements representing a plurality of respective runtime resources that includes the runtime resource that is created by deployment of the code on the server machine, the interface elements configured such that selection of the interface elements initiates monitoring of the respective runtime resources for security vulnerabilities; receiving an instruction from a developer of the code, the instruction indicating selection of an interface element representing the runtime resource that is created by deployment of the code on the server machine; initiating monitoring of the runtime resource that is created by deployment of the code on the server machine for security vulnerabilities as a result of receiving the instruction from the developer; identifying a security vulnerability associated with the runtime resource as a result of monitoring the runtime resource; as a result of the runtime resource being mapped to an asset in the hierarchy, mapping the security vulnerability to the asset; and as a result of the security vulnerability being mapped to the asset, addressing the security vulnerability by performing a remedial action with regard to the asset.
  10. The method of claim 9, further comprising: adding start scripts to a beginning of respective jobs in a build of the code and end scripts to an end of the respective jobs, the start scripts configured to query a daemon for first information regarding assets that are built prior to performance of the respective jobs, the end scripts configured to query the daemon for second information regarding assets that are built and pushed by the respective jobs and third information regarding assets that are pulled during the build of the code, the second information indicating the hierarchy of the assets; wherein automatically identifying the hierarchy of the assets is performed by reviewing the second information.
  11. The method of claim 10, wherein automatically identifying the hierarchy of the assets further comprises: triggering extraction of logs associated with the end scripts based at least on a build completion event, which indicates completion of the build of the code, wherein a first subset of the logs includes the second information, wherein a second subset of the logs includes the third information; and filtering the logs to obtain the first subset of the logs, which includes the second information, and to disregard the second subset of the logs, which includes the third information.
  12. The method of claim 9, wherein performing the remedial action comprises: performing the remedial action with regard to a repository from which the code is deployed based at least on the runtime resource being mapped to the repository; and wherein the assets in the hierarchy include the repository.
  13. The method of claim 9, wherein mapping the runtime resource comprises: mapping a container image, which includes the code and additional code that enables the code to run, to the assets in the hierarchy based at least on the assets being utilized during development of the code and further based at least on the container image being created by the deployment of the code; and wherein performing the action comprises: performing the action with regard to the asset based at least on the container image being mapped to the asset.
  14. The method of claim 9, wherein mapping the runtime resource to the assets in the hierarchy comprises: mapping a plurality of runtime resources, which are created by deployment of the code on the server machine, to the assets in the hierarchy based at least on the assets being utilized during development of the code and further based at least on the plurality of runtime resources being created by the deployment of the code; wherein the method further comprises: receiving a request for an indication of runtime resources that are associated with the asset; and wherein performing the action comprises: generating a message, which indicates the plurality of runtime resources, in response to the request, based at least on the plurality of runtime resources being mapped to the asset.
  15. The method of claim 9, further comprising: configuring the graphical user interface to include a first interface element representing the runtime resource and a second interface element representing the asset; wherein an arrangement of the first interface element and the second interface element in the graphical user interface indicates a relationship between the runtime resource and the asset.
  16. The method of claim 9, wherein performing the remedial action comprises: changing a configuration of the asset.
  17. The method of claim 9, wherein the first asset in the higher hierarchical level is a build of the code; and wherein the second asset in the lower hierarchical level is a line of the code.
  18. A computer program product comprising a computer-readable storage medium having instructions recorded thereon for enabling a processor-based system to perform operations, the operations comprising: automatically identifying a hierarchy that includes assets that are utilized during development of code on a user machine such that the assets in the hierarchy are included in respective hierarchical levels that correspond to respective asset types, wherein a first asset in a higher hierarchical level of the hierarchy includes a second asset in a lower hierarchical level of the hierarchy; mapping a runtime resource, which is created by deployment of the code on a server machine that is coupled to the user machine via a network, to the assets in the hierarchy based at least on the assets being utilized during development of the code and further based at least on the runtime resource being created by the deployment of the code; generating a graphical user interface that includes a plurality of interface elements representing a plurality of respective runtime resources that includes the runtime resource that is created by deployment of the code on the server machine, the interface elements configured such that selection of the interface elements initiates monitoring of the respective runtime resources for security vulnerabilities; receiving an instruction that indicates selection of an interface element representing the runtime resource that is created by deployment of the code on the server machine; initiating monitoring of the runtime resource that is created by deployment of the code on the server machine for security vulnerabilities as a result of receiving the instruction; identifying a security vulnerability associated with the runtime resource as a result of the runtime resource being monitored; as a result of the runtime resource being mapped to an asset in the hierarchy, identifying the asset as a source of the security vulnerability; and as a result of the asset being identified as the source of the security vulnerability associated with the runtime resource, addressing the security vulnerability by performing a remedial action with regard to the asset.
  19. The computer program product of claim 18, wherein the first asset in the higher hierarchical level is a repository from which the code is deployed; and wherein the second asset in the lower hierarchical level is a branch of the code.
  20. The computer program product of claim 18, wherein the operations further comprise: adding start scripts to a beginning of respective jobs in a build of the code and end scripts to an end of the respective jobs, the start scripts configured to query a daemon for first information regarding assets that are built prior to performance of the respective jobs, the end scripts configured to query the daemon for second information regarding assets that are built and pushed by the respective jobs and third information regarding assets that are pulled during the build of the code, the second information indicating the hierarchy of the assets; and wherein automatically identifying the hierarchy of the assets is performed by reviewing the second information.
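The following is a worked example added to this page; it is not code from the patent or from its assignee. It models the procedure of claims 1-5 and 10-11 in Python: end-script records from a build are filtered so that only assets that were built and pushed (the "second information") are kept, those records are assembled into a level-restricted hierarchy, a runtime resource is mapped to asset identifiers, and a finding on the runtime resource is attributed to the most specific mapped asset so that remediation can be directed at the repository and branch that contain it (claims 8, 12, 16). The level order (repository > branch > pipeline > build > file > line), the key=value record format, the field names, and every identifier are assumptions constructed for the example; the Summary below lists other possible level orders.

```python
# Added example for this page, not code from the patent or its assignee; level order,
# record format and all identifiers below are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Levels, highest first; each holds one asset type only (claim 1). The order is an
# assumption consistent with claim 17 (build > line) and claim 19 (repository > branch).
LEVELS = ["repository", "branch", "pipeline", "build", "file", "line"]

@dataclass
class Asset:
    asset_type: str
    asset_id: str
    parent: Optional["Asset"] = None

    def lineage(self) -> List["Asset"]:
        # Assets from the top of the hierarchy down to and including self.
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]

class AssetHierarchy:
    def __init__(self) -> None:
        self.by_id: Dict[str, Asset] = {}

    def add(self, asset_type: str, asset_id: str, parent_id: Optional[str] = None) -> Asset:
        if asset_type not in LEVELS:
            raise ValueError(f"unknown asset type {asset_type!r}")
        parent = self.by_id[parent_id] if parent_id else None
        # A parent must sit in a strictly higher level than the asset it includes.
        if parent and LEVELS.index(parent.asset_type) >= LEVELS.index(asset_type):
            raise ValueError(f"{parent_id} is not above {asset_id} in the hierarchy")
        self.by_id[asset_id] = Asset(asset_type, asset_id, parent)
        return self.by_id[asset_id]

def parse_end_script_logs(lines: List[str]) -> List[dict]:
    """Claims 2-3: keep end-script 'pushed' records (assets the job built and
    pushed, which carry the hierarchy); drop 'pulled' and start-script records."""
    kept = []
    for line in lines:
        rec = dict(tok.split("=", 1) for tok in line.split())
        if rec.get("phase") == "end" and rec.get("kind") == "pushed":
            kept.append(rec)
    return kept

def hierarchy_from_logs(lines: List[str]) -> AssetHierarchy:
    h = AssetHierarchy()
    records = sorted(parse_end_script_logs(lines), key=lambda r: LEVELS.index(r["type"]))
    for r in records:  # higher levels first, so each parent exists before its children
        h.add(r["type"], r["id"], r.get("parent"))
    return h

class RuntimeMap:
    """Claim 5: unique runtime-resource identifier -> identifiers of mapped assets."""

    def __init__(self, hierarchy: AssetHierarchy) -> None:
        self.h = hierarchy
        self.resource_to_assets: Dict[str, List[str]] = {}

    def map_resource(self, resource_id: str, asset_ids: List[str]) -> None:
        unknown = [a for a in asset_ids if a not in self.h.by_id]
        if unknown:
            raise KeyError(f"cannot map {resource_id}: unknown assets {unknown}")
        self.resource_to_assets[resource_id] = list(asset_ids)

    def trace_finding(self, resource_id: str) -> dict:
        # Claim 1: attribute a finding to the most specific mapped asset and say
        # where the remedial change belongs (claims 8, 12, 16).
        assets = [self.h.by_id[a] for a in self.resource_to_assets.get(resource_id, [])]
        if not assets:
            return {"resource": resource_id, "source": None, "path": [], "remediation": None}
        source = max(assets, key=lambda a: LEVELS.index(a.asset_type))
        path = source.lineage()
        by_type = {a.asset_type: a.asset_id for a in path}
        return {
            "resource": resource_id,
            "source": source.asset_id,
            "path": [a.asset_id for a in path],
            "remediation": f"fix {source.asset_id} in {by_type.get('repository')}@{by_type.get('branch')} and redeploy",
        }

# Constructed daemon records (key=value tokens) as a build's start/end scripts
# might emit them; not a real build-system log format.
BUILD_LOG = [
    "job=checkout phase=end kind=pushed type=repository id=repo/payments",
    "job=checkout phase=end kind=pushed type=branch id=main parent=repo/payments",
    "job=build phase=start kind=prior type=build id=build-4710",
    "job=build phase=end kind=pulled type=image id=python:3.12-slim",
    "job=build phase=end kind=pushed type=pipeline id=ci-payments parent=main",
    "job=build phase=end kind=pushed type=build id=build-4711 parent=ci-payments",
    "job=build phase=end kind=pushed type=file id=Dockerfile parent=build-4711",
    "job=build phase=end kind=pushed type=line id=Dockerfile:12 parent=Dockerfile",
]

def demo() -> dict:
    # Deploy build-4711 as a constructed container image and trace a finding on it.
    m = RuntimeMap(hierarchy_from_logs(BUILD_LOG))
    m.map_resource("containerimage:payments@sha256:0a1b", ["build-4711", "Dockerfile:12"])
    return m.trace_finding("containerimage:payments@sha256:0a1b")
```

Calling demo() traces the constructed finding on the container image back to Dockerfile:12 with its full path through the hierarchy; the pulled base image and the start-script record are discarded by parse_end_script_logs and never enter the hierarchy, AssetHierarchy.add rejects a parent that is not in a strictly higher level than its child, and map_resource refuses a runtime resource that points at an asset the build never produced, so a finding can only ever be attributed to an asset the hierarchy actually contains.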

Description

BACKGROUND

Deployment of a computer program creates runtime resources, which may be targeted by malicious entities. For instance, when the computer program is deployed in the cloud, such malicious entities may launch a cyberattack against the runtime resources. Thus, the runtime resources often are analyzed to identify security vulnerabilities in the runtime resources. An endpoint detection and response (EDR) program is an example of a computer program that may be utilized to analyze the runtime resources. An EDR program is a computer program that is configured to monitor an entity to detect, mitigate, or block a cyber threat. A cyber threat is a malicious act that is configured (e.g., intended) to steal or damage data or to interfere with operation of an entity, such as a computing system or an enterprise. The EDR program may generate alerts or recommendations regarding security vulnerabilities that are identified in the runtime resources. Security administrators or workload owners typically discuss the alerts or recommendations with developers of the computer program to determine an appropriate plan to address the security vulnerabilities.

SUMMARY

Assets are utilized during development of code, and a runtime resource is created from the assets during deployment of the code. The assets are arranged in a hierarchy. It may be desirable to automatically identify the hierarchy and to map the runtime resource to the assets in the hierarchy (e.g., to a particular asset in the hierarchy). For example, by automatically identifying the hierarchy and mapping the runtime resource to the assets in the hierarchy, a source of an issue (e.g., a security vulnerability) in the runtime resource may be addressed by identifying and remedying a source of the issue in the hierarchy of assets. Accordingly, automatically identifying the hierarchy and mapping the runtime resource to the assets in the hierarchy may increase security of a computing system on which the runtime resource is deployed.

Various approaches are described herein for, among other things, performing an action based on (e.g., based at least on) mapping of a runtime resource to a hierarchy of assets utilized during development of code. Examples of an asset that may be utilized during development of code include but are not limited to a build of the code, a line of the code, a pipeline (e.g., build pipeline, deployment pipeline, release pipeline, test pipeline), a repository (e.g., code repository), a GitHub action, a file (e.g., source code file), a template (e.g., infrastructure-as-code template), a workflow, a branch of the code, and a project.

A hierarchy of assets includes multiple hierarchical levels among which the assets are arranged. Each hierarchical level in the hierarchy corresponds to a respective asset type. For instance, each hierarchical level may be restricted to include only assets of a particular (e.g., pre-defined) asset type. Examples of an asset type include but are not limited to a build of code, a line of code, a pipeline, a repository, a GitHub action, a file, a template, a workflow, a branch of code, and a project. Each hierarchical level in the hierarchy includes one or more of the assets. For example, a first (e.g., highest) hierarchical level may include (e.g., consist of) one or more builds of code; a second hierarchical level may include one or more repositories; a third hierarchical level may include one or more projects; a fourth hierarchical level may include one or more pipelines; a fifth hierarchical level may include one or more branches of code; a sixth hierarchical level may include one or more lines of code, and so on.

The first hierarchical level is relatively higher than other hierarchical levels (e.g., the second hierarchical level, the third hierarchical level, and so on) in the hierarchy. The second hierarchical level is relatively lower than the first hierarchical level and relatively higher than the other hierarchical levels (e.g., the third hierarchical level, the fourth hierarchical level, and so on) in the hierarchy. The third hierarchical level is relatively lower than the first hierarchical level and the second hierarchical level and is relatively higher than the other hierarchical levels (e.g., the fourth hierarchical level, the fifth hierarchical level, and so on) in the hierarchy. Asset(s) in a relatively higher hierarchical level of the hierarchy may be said to include asset(s) in a relatively lower hierarchical level of the hierarchy. For example, a repository in a first (e.g., highest) hierarchical level may include a file, which is in a second hierarchical level that is lower in the hierarchy than the first hierarchical level. In accordance with this example, the file may include a line of code, which is in a third (e.g., lowest) hierarchical level that is lower in the hierarchy than the second hierarchical level. Examples of a runtime resource include but are not limited to a storage account, a virtual mac