Vulnerability History Project integration/collaboration


Chris Horn

Apr 1, 2021, 6:42:18 PM
to osv-d...@googlegroups.com, Andy Meneely, Nuthan Munaiah
Hello,

I'd like to figure out how osv.dev can integrate or collaborate with the Vulnerability History Project (VHP).

There seem to be a few possibilities:
1. Introduce you to our vulnerability contributing commit (VCC) mining software called archeogit
2. Cross-link vulnerabilities in osv.dev with those in VHP
3. Develop joint pipeline/workflow for importing vulns (related: https://github.com/google/osv/issues/44)

The VHP project is led by Dr. Andy Meneely at Rochester Institute of Technology (RIT). Secure Decisions (the company where I work) is partnered with RIT to help fund the VHP project and develop insights from its work (useful to software engineering management and vulnerability hunting).

In VHP, volunteer "data shepherds" manually curate a rich set of information about vulnerabilities in popular open source software projects. VHP currently has curated data for Apache httpd, Apache Struts, Apache Tomcat, Chromium, Django, and FFmpeg.

Sampled curated vulnerability:
Apache Struts vuln that led to CVE-2017-5638, Equifax breach
https://github.com/VulnerabilityHistoryProject/struts-vulnerabilities/blob/cf363b76588bfb9bed0c2e871e2e5e32628cc2c9/cves/CVE-2017-5638.yml

Other examples are in `<project>-vulnerabilities/cves/*.yaml` files.

The concept of VCC (vulnerability contributing commits) seems the same as the osv.dev `introducedIn` attribute. This is valuable information to researchers who want to study the state of a project when a vulnerability was introduced, rather than when it was fixed.

We have developed a tool called archeogit to automatically identify commits that likely contributed to a vulnerability. VHP uses archeogit to seed CVE YAML data with candidate VCCs, which are then manually validated by the data shepherds.

Looking forward to talking more soon,
Chris
-- 
w (518) 207-3111
m (703) 407-7389
https://securedecisions.com
PGP fingerprint EBD0 41C6 0CD1 3583 C7F2 E252 5350 DDE1 87C6 FE31

Abhishek Arya

Apr 1, 2021, 7:01:29 PM
to Chris Horn, Oliver Chang, Russ Cox, osv-discuss, Andy Meneely, Nuthan Munaiah
+cc Oliver who is OSV lead developer (ooo till tuesday - sydney timezone). Also ccing Russ who is involved with vulnerability schema discussions.


Oliver Chang

Apr 5, 2021, 9:51:14 PM
to Abhishek Arya, Chris Horn, Russ Cox, osv-discuss, Andy Meneely, Nuthan Munaiah
Hi Chris,

On the OSV side, our data is public at https://github.com/google/oss-fuzz-vulns. This is currently all generated from automated analysis (including performing bisections). We would be very happy to see this data and automation used more widely in other places!

Thanks for introducing us to Archeogit -- it looks quite interesting and we'll explore if we can use this.

--
Oliver
