Where is my Code Vulnerable: Matching CVEs and Source Code
| Field | Value |
|---|---|
| Talk Title | Where is my Code Vulnerable: Matching CVEs and Source Code |
| Speakers | Peter Shin (CEO, Canvass Labs Inc.), David A. Barrett (Sr. Director, Canvass Labs) |
| Conference | Open Source Summit + ELC North America |
| Conf Tag | |
| Location | San Diego, CA, USA |
| Date | Aug 19-23, 2019 |
| URL | Talk Page |
| Slides | Talk Slides |
| Video | |
Surprisingly, it is often hard to find the precise correspondence between a known software vulnerability (a CVE) and the exact origin of the affected software (Maven coordinates or a GitHub repo and tag). Ideally, this connection would be part of the CVE record. Currently it is not, and creating the correspondence often requires significant human effort.

Dave and Peter introduce Canvass Labs' open-source implementation and discuss the techniques it uses to solve this problem. They show how to parse and map CVE information, quantify the current statistics of this correspondence, and discuss the free open data produced by their open-source tool and its further use.

Currently, most Java and JavaScript projects do not add CVE information to their fix commits. They show that if OSS engineers were to add the CVE identifier when they commit the fix (as in Linux or OpenSSL), then big data and AI practitioners could build an AI programming assistant that identifies similar bugs and suggests fixes.
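The two mappings the abstract describes, from a CVE record's CPE ranges to Maven coordinates and from a CVE identifier to the commit that fixed it, can be sketched in a few dozen lines. The following is an added example written for this page; it is not the Canvass Labs tool or its data. The CVE record, the CPE names, the Maven coordinates, the commit log and the `CPE_TO_MAVEN` table are all constructed placeholders (the CVE ID is not a real assigned identifier). The record follows the NVD JSON 1.1 feed layout (`configurations.nodes[].cpe_match[]` with `cpe23Uri` plus the optional `versionStart*`/`versionEnd*` bounds); the CPE-to-Maven table is the hand-curated piece that CVE itself lacks.

```python
"""Map a CVE record to Maven coordinates and to fix commits (added example)."""
import re

# Constructed NVD JSON 1.1-style record: all versions of example:widgetlib
# before 2.4.1 are vulnerable, as is the 3.0.0 beta1 pre-release.
# The CVE ID and the vendor/product are placeholders, not real data.
SAMPLE_CVE = {
    "cve": {"CVE_data_meta": {"ID": "CVE-2019-99999"}},
    "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
        {"vulnerable": True, "versionEndExcluding": "2.4.1",
         "cpe23Uri": "cpe:2.3:a:example:widgetlib:*:*:*:*:*:*:*:*"},
        {"vulnerable": True,
         "cpe23Uri": "cpe:2.3:a:example:widgetlib:3.0.0:beta1:*:*:*:*:*:*"},
    ]}]},
}

# Curated CPE (vendor, product) -> Maven (groupId, artifactId). Assumed for
# the constructed data; in practice this table is the human-effort part.
CPE_TO_MAVEN = {("example", "widgetlib"): ("org.example", "widgetlib")}

# Constructed dependency list and commit log (sha, message).
SAMPLE_COORDS = ["org.example:widgetlib:2.3.0", "org.example:widgetlib:2.4.1",
                 "org.example:widgetlib:3.0.0", "org.example:widgetlib:3.0.0-beta1",
                 "org.example:otherlib:2.3.0"]
SAMPLE_COMMITS = [("a1b2c3d", "Fix CVE-2019-99999: validate input length before copy"),
                  ("e4f5a6b", "Bump version to 2.4.1")]


def version_key(version):
    """Comparable key for '2.4.1' or '3.0.0-beta1'; numeric fields compare as
    ints and a pre-release suffix sorts before the corresponding release."""
    base, _, pre = version.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in base.split("."))
    return (nums, 0, pre) if pre else (nums, 1, "")


def parse_cpe23(uri):
    """Split a CPE 2.3 formatted string into named fields. A colon escaped as
    a backslash-colon inside a field is not a separator."""
    parts = re.split(r"(?<!\\):", uri)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError("not a cpe:2.3 string: " + uri)
    keys = ("part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other")
    return dict(zip(keys, parts[2:]))


def cpe_match_covers(match, version):
    """True if an NVD cpe_match entry (CPE plus optional range bounds) covers
    the given artifact version."""
    cpe = parse_cpe23(match["cpe23Uri"])
    if cpe["version"] not in ("*", "-"):
        # Exact version in the CPE itself, with the update field as suffix.
        exact = cpe["version"]
        if cpe["update"] not in ("*", "-"):
            exact += "-" + cpe["update"]
        return version_key(version) == version_key(exact)
    v = version_key(version)
    bounds = (("versionStartIncluding", lambda lo: v >= version_key(lo)),
              ("versionStartExcluding", lambda lo: v > version_key(lo)),
              ("versionEndIncluding", lambda hi: v <= version_key(hi)),
              ("versionEndExcluding", lambda hi: v < version_key(hi)))
    return all(check(match[k]) for k, check in bounds if k in match)


def iter_cpe_matches(nodes):
    """Walk NVD configuration nodes, including nested children. AND nodes are
    flattened like OR nodes, which over-approximates (safe for a scanner)."""
    for node in nodes:
        yield from node.get("cpe_match", [])
        yield from iter_cpe_matches(node.get("children", []))


def affected_coordinates(cve_item, coords, cpe_to_maven=CPE_TO_MAVEN):
    """Return the Maven coordinates from coords that the record's vulnerable
    CPE ranges cover, going through the curated CPE -> Maven table."""
    hits = set()
    for m in iter_cpe_matches(cve_item["configurations"]["nodes"]):
        if not m.get("vulnerable", False):
            continue
        cpe = parse_cpe23(m["cpe23Uri"])
        ga = cpe_to_maven.get((cpe["vendor"], cpe["product"]))
        if ga is None:
            continue  # no curated mapping: exactly the gap the talk describes
        for coord in coords:
            group, artifact, version = coord.split(":")
            if (group, artifact) == ga and cpe_match_covers(m, version):
                hits.add(coord)
    return sorted(hits)


CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def cve_refs_in_commits(commits):
    """Map each CVE ID named in a commit message to the commits citing it:
    the link the talk asks maintainers to create in their fix commits."""
    refs = {}
    for sha, message in commits:
        for cve_id in CVE_RE.findall(message):
            refs.setdefault(cve_id, []).append(sha)
    return refs


if __name__ == "__main__":
    cve_id = SAMPLE_CVE["cve"]["CVE_data_meta"]["ID"]
    print(cve_id, "affects:", affected_coordinates(SAMPLE_CVE, SAMPLE_COORDS))
    print("fix commits:", cve_refs_in_commits(SAMPLE_COMMITS))
```

On the constructed data, `affected_coordinates` reports `widgetlib:2.3.0` (inside the `versionEndExcluding` range) and `widgetlib:3.0.0-beta1` (the exact CPE entry), and leaves `2.4.1` and the `3.0.0` release alone; `cve_refs_in_commits` finds the single commit that names the CVE. Everything hinges on `CPE_TO_MAVEN`: without a curated row for a vendor/product pair the scanner is silent, which is the failure mode the talk quantifies.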