vulnerablecode
vulnerablecode copied to clipboard
nexB
Collect all fix commits
Solution: How to collect fix commits?
There are many ways listed in this issue by @elanzini and inputs from @copernico:
- https://github.com/aboutcode-org/vulnerablecode/issues/207#issue-642333849
I would reformulate the sources as
- Include databases of these fixes, like the Project KB
- Collect these from data we get in structured advisories and their references
- Analyse the code, commit histories, issues trackers, mailing lists and structured advisories to collect these.
- Support fix triage, review and refinement
For now, we will start with 2., meaning that we create an improver that will scout the References to create CodeFix entries. The CodeFix design is at:
- https://github.com/aboutcode-org/vulnerablecode/issues/207
And the issue for the improver is at:
- [x] https://github.com/aboutcode-org/vulnerablecode/issues/1696
- [ ] Infer Package URL (and fix commits) from references (dupe?) https://github.com/aboutcode-org/vulnerablecode/issues/327
Later, we could also collect explicit data available in some importers (symbols in in Go advisories, commits in GHSA) and also do 1., 3. and 4.
- [ ] Collect datasets https://github.com/aboutcode-org/vulnerablecode/issues/1697
- [ ] Extract unpublished vulnerabilities from commit histories and trackers https://github.com/aboutcode-org/vulnerablecode/issues/1129
- [ ] Implement linked commits https://github.com/aboutcode-org/vulnerablecode/issues/1226
See also:
- RFC: vulnerability reachability https://github.com/aboutcode-org/vulnerablecode/issues/1313
