
RFC: vulnerability reachability

Open TG1999 opened this issue 2 years ago • 11 comments

Vulnerability reachability is to check if vulnerable code is reachable or not. This is important to help triage vulnerabilities.

Some of the things to consider:

  • [ ] Collecting introducing/fix commits or patches to find vulnerable functions
    • [ ] https://github.com/nexB/vulnerablecode/issues/207
    • [ ] Include commits and patches that introduce a vulnerability
    • [ ] https://github.com/nexB/vulnerablecode/issues/327
  • [ ] Finding the path in the affected package code graph to the vulnerable functions
  • [ ] Finding the path in the codebase under analysis that may use the affected package vulnerable functions

TG1999 avatar Oct 02 '23 10:10 TG1999
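The three steps in the opening post, as an added example that is not part of the original issue or of VulnerableCode: a toy `yamlkit` fix patch and a small application are constructed inline, the functions named in the patch's hunk headers stand in for the vulnerable functions, and a call graph keyed on bare function names (no import resolution, unlike a real tool) is walked from the application's entry point to see whether those functions are reachable.

```python
import ast
import re

# Constructed fix patch; git names the enclosing function in each hunk header.
FIX_PATCH = """\
@@ -10,7 +10,7 @@ def load(stream):
-    return _construct(stream, unsafe=True)
+    return _construct(stream, unsafe=False)
@@ -40,3 +40,4 @@ def _construct(stream, unsafe):
+    if unsafe: raise ValueError("unsafe loading disabled")
"""
# Constructed codebase under analysis; only main() reaches the fixed function.
APP_SOURCE = """\
import yamlkit
def main():
    serve(read_config())
def read_config():
    return yamlkit.load(open("cfg.yml"))
def unused_helper():
    return yamlkit.dump({})
"""
HUNK_FUNC = re.compile(r"^@@ .* @@ (?:async )?def (\w+)\(", re.M)

def vulnerable_functions(patch):
    """Functions a fix commit touches: the simplest proxy for where the vulnerable code lives."""
    return set(HUNK_FUNC.findall(patch))

def call_graph(source):
    """Map each top-level function to the bare names it calls (imports are not resolved)."""
    graph = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            funcs = [c.func for c in ast.walk(node) if isinstance(c, ast.Call)]
            graph[node.name] = {f.id if isinstance(f, ast.Name) else f.attr
                                for f in funcs if isinstance(f, (ast.Name, ast.Attribute))}
    return graph

def reachable_vulnerable_calls(graph, entry, vuln_funcs):
    """Walk the call graph from entry and report which vulnerable functions it can reach."""
    seen, stack, hits = {entry}, [entry], set()
    while stack:
        for callee in graph.get(stack.pop(), ()):
            if callee in vuln_funcs:
                hits.add(callee)
            if callee in graph and callee not in seen:
                seen.add(callee)
                stack.append(callee)
    return hits

if __name__ == "__main__":
    print(reachable_vulnerable_calls(call_graph(APP_SOURCE), "main", vulnerable_functions(FIX_PATCH)))  # {'load'}
```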

For reference, see: https://github.com/SAP/project-kb/tree/main/prospector and https://github.com/eclipse/steady

DennisClark avatar Oct 03 '23 16:10 DennisClark

An unfinished attempt to collect fix commits is in https://github.com/nexB/vulnerablecode/pull/1226 and I am closing it. We can reuse some of it as inspiration for this feature here.

pombredanne avatar Jul 16 '24 09:07 pombredanne

@pombredanne Sorry I was busy with my research, I've created a new dataset that contains all the fixes to CVEs. I believe it can help this project. Dataset, code and the paper are publicly available: https://dl.acm.org/doi/abs/10.1145/3663533.3664036

Let me know if you have any questions

JafarAkhondali avatar Jul 16 '24 13:07 JafarAkhondali

@JafarAkhondali https://dl.acm.org/doi/abs/10.1145/3663533.3664036 looks wonderful!

pombredanne avatar Jul 16 '24 13:07 pombredanne

@JafarAkhondali

  • I assume all the code including the modified prospector is in there https://zenodo.org/records/11110595 ? Is there a git repo with the code proper?
  • What is the license for the data at https://zenodo.org/records/11199120 ? I see "free" on https://dl.acm.org/do/10.5281/zenodo.11199120/full/ but "free" is not a license and I cannot integrate data without a license

pombredanne avatar Jul 16 '24 14:07 pombredanne

I'll add the code in https://github.com/JafarAkhondali/morefixes soon. The license is one of the limitations, I didn't add a restricted license for the dataset, however the licenses of the extracted projects are various and different.

JafarAkhondali avatar Jul 16 '24 14:07 JafarAkhondali

update: code added in repo.

JafarAkhondali avatar Jul 16 '24 17:07 JafarAkhondali

@JafarAkhondali Thanks... You wrote:

The license is one of the limitations, I didn't add a restricted license for the dataset, however the licenses of the extracted projects are various and different.

There are two things: the license of individual patches, which is that of the code they originally belong to, and separately, the license of the database collection of patches that you created: it is this second license that I am interested in and that I need. It can be a CC0-1.0, a CC-BY-4.0, a CC-BY-SA-4.0 or anything, but I need a license to integrate this in VulnerableCode.

pombredanne avatar Jul 18 '24 08:07 pombredanne

@pombredanne This is on the Zenodo link (https://zenodo.org/records/11199120). Is it enough, or do you need the license to be in another place?

JafarAkhondali avatar Jul 18 '24 12:07 JafarAkhondali

@JafarAkhondali I had missed that. So I reckon that the data collection is under CC-BY-4.0?

pombredanne avatar Jul 18 '24 20:07 pombredanne

Yes, but tbh, I'm not so familiar with licenses. If there is something that I can handle, I'm open to making the dataset as OPEN as possible for any usage. The only restriction is that some code belongs to projects that I don't own.

JafarAkhondali avatar Jul 18 '24 21:07 JafarAkhondali

See also:

  • https://github.com/AppThreat/atom/

pombredanne avatar Nov 28 '24 16:11 pombredanne