RFC: vulnerability reachability

[TG1999]

Vulnerability reachability is to check if vulnerable code is reachable or not.
This is important to help triage vulnerabilities.

Some of the things to consider:

• Collecting introducing/fix commits or patches to find vulnerable functions
  • VCIO-next: Add support to track fix commits: Include commits and patches that fix a vulnerability #207
  • Include commits and patches that introduce a vulnerability
  • Infer Package URL from references and other references issues for "commitish" URLs  #327
• Finding the path in the affected package code graph to the vulnerable functions
• Finding the path in the codebase under analysis that may use the affected package vulnerable functions

[DennisClark]

for reference, see:
https://github.com/SAP/project-kb/tree/main/prospector
and
https://github.com/eclipse/steady

[pombredanne]

A unfinished attempt to collect fix commits is in #1226 and I am closing it. We can reuse some of it as inspiration for this feature here.

[JafarAkhondali]

@pombredanne Sorry I was busy with my research, I've created a new dataset that contains all the fixes to CVEs. I believe it can help this project. Dataset, code and the paper are publicly available:
https://dl.acm.org/doi/abs/10.1145/3663533.3664036

Let me know if you have any questions

[pombredanne]

@JafarAkhondali https://dl.acm.org/doi/abs/10.1145/3663533.3664036 looks wonderful!

[pombredanne]

@JafarAkhondali

• I assume all the code including the modified prospector is in there https://zenodo.org/records/11110595 ? is there a git repo with the code proper?
• What is the license for the data at https://zenodo.org/records/11199120 ? I see "free" on https://dl.acm.org/do/10.5281/zenodo.11199120/full/ but "free" is not a license and I cannot integrate data without a license

[JafarAkhondali]

I'll add the code in https://github.com/JafarAkhondali/morefixes soon.
The license is one of the limitations, I didn't add a restricted license for the dataset, however the license of the extracted projects is various and different.

[JafarAkhondali]

update: code added in repo.

[pombredanne]

@JafarAkhondali Thanks...
You wrote:

The license is one of the limitations, I didn't add a restricted license for the dataset, however the license of the extracted projects is various and different.

There are two things: the license of individual patches which is that of the code they originally belong to, and separately, the license of the database collection of patches that you created: this is this second license that I am interested in and that I need. It can be a CC0-1.0, a CC-BY-40, a CC-BY-SA-4.0 or anything, but I need a license to integrate this in VulnerableCode.

[JafarAkhondali]

@pombredanne This is on the Zenodo link(https://zenodo.org/records/11199120)

Is it enough or you need the license to be in another place?

[pombredanne]

@JafarAkhondali I had missed that. So I reckon that the data collection is under CC-BY-4.0 ?

[JafarAkhondali]

Yes, but tbh, I'm not so familiar with licensee. If there is something that I can handle, I'm open to make the dataset as OPEN as possible for any usage. The only restriction is that some codes belongs to projects that I don't own.

[pombredanne]

See also:

• https://github.com/AppThreat/atom/