February 7, 2020

Where is my Code Vulnerable: Matching CVEs and Source Code

Talk Title: Where is my Code Vulnerable: Matching CVEs and Source Code
Speakers: Peter Shin (CEO, Canvass Labs Inc.), David A. Barrett (Sr. Director, Canvass Labs)
Conference: Open Source Summit + ELC North America
Location: San Diego, CA, USA
Date: Aug 19-23, 2019
URL: Talk Page
Slides: Talk Slides

Surprisingly, it is often hard to find the precise correspondence between a known software vulnerability (a CVE) and the exact origin of the affected software (Maven coordinates or a GitHub repo/tag). Ideally, this connection would be part of the CVE record. Currently it is not, and creating the correspondence often requires significant human effort.

Dave and Peter introduce Canvass Labs' open-source implementation and discuss the techniques it uses to solve this problem. They show how to parse and map CVE information, quantify the current statistics of this correspondence, and discuss the free open data produced by their open-source tool and its further use.

Currently, most Java and JavaScript projects do not add CVE information to their fixes. They show that if OSS engineers were to add CVE information when they commit (as Linux and OpenSSL already do), then big data and AI practitioners could create an AI programming assistant that identifies similar bugs and suggests fixes.
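The mapping step the abstract describes, as an added illustration that is not the talk's or Canvass Labs' code: a CVE record is parsed, GitHub fix commits and release tags are pulled from its reference URLs, and each vulnerable CPE is resolved to Maven coordinates through a hand-curated table (the part of the correspondence that CVE itself does not carry). A small coverage function then reports what fraction of records could be tied to a fix commit and to Maven coordinates, which is the kind of statistic the abstract mentions. The records are constructed test data shaped like entries in the NVD JSON 1.1 feed; the CVE ids, repository names, commit hash, CPE strings and the `CPE_TO_MAVEN` table are placeholders, not real vulnerabilities or projects.

```python
"""Map CVE records to source origins (GitHub repo/commit/tag, Maven coordinates).

Added example; not code from the talk or from Canvass Labs' tool. All ids,
URLs, CPE strings and the Maven table below are constructed placeholders.
"""
import re

# Regexes for the two GitHub reference shapes that pin a fix to source.
GITHUB_COMMIT_RE = re.compile(
    r"https://github\.com/([\w.-]+)/([\w.-]+)/commit/([0-9a-f]{7,40})$")
GITHUB_TAG_RE = re.compile(
    r"https://github\.com/([\w.-]+)/([\w.-]+)/releases/tag/([^/\s]+)$")

# Hand-curated CPE (vendor, product) -> Maven groupId:artifactId (constructed).
# This table is exactly the correspondence that has to be built by hand today.
CPE_TO_MAVEN = {
    ("example-org", "example-lib"): "org.example:example-lib",
}


def make_item(cve_id, urls, cpe_matches):
    """Build a record shaped like one NVD JSON 1.1 CVE_Item (constructed data)."""
    return {
        "cve": {"CVE_data_meta": {"ID": cve_id},
                "references": {"reference_data": [{"url": u} for u in urls]}},
        "configurations": {"nodes": [{"cpe_match": cpe_matches}]},
    }


# Constructed sample records: one with a fix commit and a mapped CPE,
# one with only an advisory link and a CPE absent from the table.
SAMPLE_ITEMS = [
    make_item("CVE-0000-00001",  # placeholder id
              ["https://github.com/example-org/example-lib/commit/"
               "0123456789abcdef0123456789abcdef01234567",
               "https://github.com/example-org/example-lib/releases/tag/v2.3.1",
               "https://example.invalid/advisory/1"],
              [{"vulnerable": True,
                "cpe23Uri": "cpe:2.3:a:example-org:example-lib:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2.3.1"}]),
    make_item("CVE-0000-00002",  # placeholder id
              ["https://example.invalid/advisory/2"],
              [{"vulnerable": True,
                "cpe23Uri": "cpe:2.3:a:other-vendor:other-product:1.0:*:*:*:*:*:*:*"}]),
]


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into named components.

    A plain colon split is enough for these samples; real data may contain
    escaped colons (\\:) inside a component, which this does not handle.
    """
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    keys = ["part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other"]
    return dict(zip(keys, parts[2:]))


def github_origins(item):
    """Extract GitHub fix commits and release tags from the CVE's references."""
    commits, tags = [], []
    for ref in item["cve"]["references"]["reference_data"]:
        url = ref["url"]
        if m := GITHUB_COMMIT_RE.match(url):
            commits.append({"repo": f"{m[1]}/{m[2]}", "commit": m[3]})
        elif m := GITHUB_TAG_RE.match(url):
            tags.append({"repo": f"{m[1]}/{m[2]}", "tag": m[3]})
    return {"commits": commits, "tags": tags}


def maven_origins(item):
    """Resolve each vulnerable CPE to Maven coordinates via the curated table."""
    results = []
    for node in item["configurations"]["nodes"]:
        for match in node.get("cpe_match", []):
            if not match.get("vulnerable"):
                continue
            cpe = parse_cpe23(match["cpe23Uri"])
            results.append({
                "cpe": match["cpe23Uri"],
                "maven": CPE_TO_MAVEN.get((cpe["vendor"], cpe["product"])),  # None if unmapped
                "fixed_in": match.get("versionEndExcluding"),
            })
    return results


def map_cve(item):
    """Combine GitHub and Maven origins for one CVE record."""
    return {"cve": item["cve"]["CVE_data_meta"]["ID"],
            **github_origins(item), "maven": maven_origins(item)}


def coverage(items):
    """Fraction of records tied to a GitHub fix commit and to Maven coordinates."""
    n = len(items)
    with_commit = sum(1 for it in items if github_origins(it)["commits"])
    with_maven = sum(1 for it in items if any(m["maven"] for m in maven_origins(it)))
    return {"total": n, "github_commit": with_commit / n, "maven": with_maven / n}


if __name__ == "__main__":
    for it in SAMPLE_ITEMS:
        print(map_cve(it))
    print(coverage(SAMPLE_ITEMS))
```

On the two constructed records the coverage comes out at 50% for both the commit link and the Maven mapping; the second record shows the common case the abstract complains about, where the CVE points only at an advisory and names a product no table entry covers, so the origin stays unknown until a human fills it in.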
