Hello,
I'd like to figure out how osv.dev can integrate or collaborate with the Vulnerability History Project (VHP).
There seem to be a few possibilities:
1. Introduce you to our vulnerability contributing commit (VCC) mining software called archeogit
2. Cross-link vulnerabilities in osv.dev with those in VHP
3. Develop a joint pipeline/workflow for importing vulns (related: https://github.com/google/osv/issues/44)
The VHP project is led by Dr. Andy Meneely at Rochester Institute of Technology (RIT). Secure Decisions (the company where I work) is partnered with RIT to help fund the VHP project and develop insights from its work (useful to software engineering management and vulnerability hunting).
In VHP, volunteer "data shepherds" manually curate a rich set of information about vulnerabilities in popular open source software projects. VHP currently has curated data for Apache httpd, Apache Struts, Apache Tomcat, Chromium, Django, and FFmpeg.
Sampled curated vulnerability: the Apache Struts vuln that led to CVE-2017-5638, the Equifax breach:
https://github.com/VulnerabilityHistoryProject/struts-vulnerabilities/blob/cf363b76588bfb9bed0c2e871e2e5e32628cc2c9/cves/CVE-2017-5638.yml
Other examples are in `<project>-vulnerabilities/cves/*.yaml` files.
The concept of VCC (vulnerability contributing commits) seems the same as the osv.dev `introducedIn` attribute. This is valuable information to researchers who want to study the state of a project when a vulnerability was introduced, rather than when it was fixed.
We have developed a tool called archeogit to automatically identify commits that likely contributed to a vulnerability. VHP uses archeogit to seed CVE YAML data with candidate VCCs, which are then manually validated by the data shepherds.
Looking forward to talking more soon,
Chris
--
w (518) 207-3111
m (703) 407-7389
https://securedecisions.com
PGP fingerprint EBD0 41C6 0CD1 3583 C7F2 E252 5350 DDE1 87C6 FE31