VulnerableCode: Finding FOSS software vulnerabilities with FOSS tools
© 2022 nexB Inc. License: CC-BY-SA-4.0 https://www.nexb.com/ https://www.aboutcode.org/
VulnerableCode
Because a vulnerability database should not be about Vulnerabilities
Philippe Ombredanne
▷ Project lead and maintainer for VulnerableCode, ScanCode and AboutCode
▷ Creator of Package URL, co-founder of SPDX, ClearlyDefined
▷ FOSS veteran, long time Google Summer of Code mentor
▷ Co-founder and CTO of nexB Inc., makers of DejaCode
▷ Weird facts and claims to fame
● Signed off on the largest deletion of lines of code in the Linux kernel (but these were only comments)
● Unrepentant code hoarder. Had 60,000+ GH forks, now down to only 20K forks
▷ pombredanne@nexb.com irc:pombreda
Agenda
▷ The state of vulnerability databases (open or not)
▷ How do we search vulnerabilities? By package first!
▷ A better approach: package first
▷ Why VulnerableCode?
▷ VulnerableCode Solution
▷ How to create a package vulnerability database
○ Aggregate and correlate many data sources
○ Multi-level data refinement
▷ Issues with vulnerability data
▷ Future plans
▷ Next steps: we need your help!
State of vulnerability databases (1)
▷ Databases with ghost packages
● DBs reference packages that do not exist anywhere
▷ Databases with ghost vulnerable versions
● Versions reported as vulnerable that are not, or the reverse
▷ Databases "Crying wolf" - improbable vulnerabilities
● DBs report a package as vulnerable if anything in the
dependency tree may be vulnerable (Log4j)
▷ Impossible, self-contradictory version ranges
● Resolved to nothing or everything
▷ Redundant and noisy duplicated vulnerabilities
▷ Vulnerabilities mapped to hard-to-find CPEs
State of vulnerability databases (2)
The Telephone Game problem
▷ Everyone is making something up a little by trying to improve data
▷ Each of them makes something up slightly differently
○ Too much reliance on automated tools on top of bad data
▷ Many DBs base their content on another DB’s content
○ At each step the data is transformed (and damaged) in subtle ways
▷ You can have as many vulnerable ranges as there are DB interpretations.
○ None of them is entirely faithful to the upstream data
○ Over time this turns into The Telephone game
▷ Upstream has better data
The true-true vulnerabilities are UPSTREAM!
Credit: https://live.staticflickr.com/3798/10142017736_7f69d9f472_h.jpg
"Brown Bears at Brooks Camp, Katmai National Park" by Christoph Strässler https://www.flickr.com/photos/christoph_straessler/
This work is licensed under a Creative Commons Attribution-2.50 License. https://creativecommons.org/licenses/by-sa/2.0/
https://www.youtube.com/watch?v=V4kWQSpCbvo
State of vulnerability databases (3)
▷ Databases of known FOSS software vulnerabilities are mostly
proprietary and/or privately maintained using proprietary tools,
processes and data.
▷ Why not open data? FOSS code likes open data about FOSS!
○ Some new entrants are now using open licenses:
○ GHSA (GitHub), OSV (Google), GitLab (one month delay)
▷ Emerging support for Package URL promotes interoperability
○ OSSF OSV, Sonatype OSSINDEX
▷ Emerging common format promotes interoperability
○ OSSF OSV
▷ But open formats do not mean common data identifiers
How do we search? By package first!
Questions to answer:
▷ Is package foo@1.0 known to be vulnerable?
○ What are the vulnerabilities?
○ What is the severity of the vulnerability?
○ Which version has a fix?
▷ More rarely: do I have any package vulnerable to this
vulnerability?
A better approach: package first
Not: look up vulnerabilities, then find the packages they affect
Instead: find packages, then look up their vulnerabilities
Why VulnerableCode? accuracy and correctness
▷ Vulnerabilities are important!
▷ Code is more important! Package first!
▷ There is no Free Software Vulnerability Database that is
○ Open!!
○ Comprehensive for most ecosystems (system+package)
○ Curated by expert humans
○ Validated: Trusted, correlated and verified data
○ Working towards correctness
VulnerableCode Solution
▷ Find packages with scanning, matching and tracing
○ Leverage all tools that report package-url (we support CPE too)
○ ScanCode.io and ScanCode, ORT, Tern, OWASP Dependency Track and many more .... or an SBOM (SPDX, CycloneDX)
▷ Lookup package vulnerabilities in an open database that aggregates them all
▷ Query by purl!
▷ Open data and open source tools are better for open source!
▷ Eventually review by experts to curate all the data.
How to create a package vulnerability database?
▷ Use data from upstream, at the source of the source!
○ From the package maintainers and authors themselves
▷ Employ a confidence-based system: not all data are equally trusted and of the same quality
▷ Aggregate and correlate many data sources to enrich, cross-check and validate
▷ Discover new relations between vulnerabilities and packages by mining the graph
▷ Curate and review for correctness with experts (AI is nice but does not fix the problems)
Aggregate and correlate many data sources
▷ Collect and parse many sources
○ Store in a common data model
○ Cross-reference to create a graph
▷ Project-specific trackers
○ Apache, OpenSSL, nginx...
○ Bug trackers, commit logs, project CHANGELOGs.
▷ Linux distro trackers (Debian, Ubuntu, RedHat, SUSE, Gentoo, ...)
○ Custom or standard formats (CVRF, OVAL)
▷ Application package trackers
○ NuGet, Rust, RubyGems, Pysec, RustSec, npm, ....
▷ NVD, and other aggregators: OSV, GHSA, GitLab, GSD and more.
Multi-level data refinement
▷ The data is always imported in an “Advisory” staging area
▷ "Advisory" data are converted to "Vulnerability" and "Package" data and
their relationships using "Improvers"
▷ "Advisory" data that cannot be converted are kept with a log to investigate and resolve issues
▷ Specific improvers can mine the graph, cross-check with other data sources, and resolve updated version ranges
Pipeline stages: Import → Improve → Filter
Issue: Ghost packages
▷ Some packages do not exist anywhere
○ Including versions that may not exist: they were never released
▷ Solution: Look up upstream in the package registries and repositories
○ We can look up in the registries and repositories to validate that the Package
URLs and versions are correct and really exist upstream
Issue: Lesser data quality
▷ Some vulnerability sources cannot be trusted
○ Known to make incorrect or inaccurate assertions about packages and
versions
▷ Solution: store confidence level
○ Confidence levels ensure we keep all inferred data, even lesser quality data
○ We do not trust others: We can discount the data sources we trust less
○ And we do not trust ourselves: we can discount the automated inferences we
do if we are not 100% sure about their correctness
Issue: Incorrect or missing versions
▷ Some package versions are missing or incorrect
○ Affected version statements are often ambiguous
○ "All the versions of package foo are vulnerable to CVE XZY" really means all
versions of foo known at the time this advisory was published were vulnerable.
▷ Solution: store version range, resolve range and "time travel"
○ We store version ranges as a compact string (using the new purl "vers" spec)
○ We expand and resolve ranges with the "univers" version-handling library
○ Package versions can be (re)checked for being in a vulnerable range as needed
■ In the past and in the future
○ Improvers can do "time travel" based on version publication dates and determine whether a package version was vulnerable when it was published.
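The range and "time travel" handling described on this slide, as an added example that is not the univers library nor VulnerableCode's own code: a simplified parser for purl `vers` strings, a membership check, and a filter that resolves "all versions are vulnerable" against the versions that existed when the advisory was published. It assumes a plain dotted-integer version comparator (real ecosystems need scheme-aware comparators such as univers provides) and uses constructed release dates for a fictional package `foo`.

```python
"""Simplified purl "vers" range matching plus advisory "time travel".

Added illustration, not the univers library or VulnerableCode code. Versions
are compared as dotted integer tuples (an assumption that is fine for the
constructed data below); real ecosystems need scheme-aware comparators such
as univers provides for semver, Debian, RPM and other version schemes.
"""
from datetime import date
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
Constraint = Tuple[str, Version]  # (comparator, version); ("*", ()) means "all"

# Longest comparators first so that "<=" is matched before "<".
COMPARATORS = ("<=", ">=", "!=", "<", ">", "=")


def parse_version(text: str) -> Version:
    """'1.2.3' -> (1, 2, 3). Simplified: numeric dotted segments only."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_vers(vers: str) -> Tuple[str, List[Constraint]]:
    """'vers:pypi/>=1.0|<1.2.3' -> ('pypi', [('>=', (1, 0)), ('<', (1, 2, 3))])."""
    if not vers.startswith("vers:"):
        raise ValueError(f"not a vers string: {vers!r}")
    scheme, _, body = vers[len("vers:"):].partition("/")
    constraints: List[Constraint] = []
    for raw in body.split("|"):
        raw = raw.strip()
        if raw == "*":
            constraints.append(("*", ()))
            continue
        for comparator in COMPARATORS:
            if raw.startswith(comparator):
                constraints.append((comparator, parse_version(raw[len(comparator):])))
                break
        else:  # a bare version is read here as an equality constraint (assumption)
            constraints.append(("=", parse_version(raw)))
    return scheme, constraints


def contains(vers: str, version: str) -> bool:
    """True if `version` lies inside the vers range.

    Exact "=" hits are in, "!=" hits are out; the remaining bounds, sorted by
    version, are read as alternating lower/upper pairs that form intervals
    (a leading upper bound is open below, a trailing lower bound open above).
    """
    _, constraints = parse_vers(vers)
    v = parse_version(version)
    if any(comp == "*" for comp, _ in constraints):
        return True
    if any(comp == "=" and bound == v for comp, bound in constraints):
        return True
    if any(comp == "!=" and bound == v for comp, bound in constraints):
        return False
    bounds = sorted((b, c) for c, b in constraints if c in ("<", "<=", ">", ">="))
    lower: Optional[Tuple[Version, bool]] = None  # (version, inclusive) of open interval
    for bound, comparator in bounds:
        if comparator in (">", ">="):
            lower = (bound, comparator == ">=")
            continue
        above_lower = lower is None or v > lower[0] or (lower[1] and v == lower[0])
        below_upper = v < bound or (comparator == "<=" and v == bound)
        if above_lower and below_upper:
            return True
        lower = None  # this interval is closed; look for the next one
    if lower is not None:  # trailing lower bound: [lower, +infinity)
        return v > lower[0] or (lower[1] and v == lower[0])
    return False


def affected_versions_at(vers: str, release_dates: Dict[str, date],
                         advisory_date: date) -> List[str]:
    """Versions in range that already existed when the advisory was published.

    This is the "time travel" reading of "all versions of foo are vulnerable":
    the advisory only speaks for versions released on or before its date.
    """
    return sorted(
        (v for v, released in release_dates.items()
         if released <= advisory_date and contains(vers, v)),
        key=parse_version,
    )


# Constructed sample data for a fictional package "foo" (not a real advisory).
FOO_RELEASES = {
    "1.0": date(2021, 1, 10),
    "1.1": date(2021, 4, 2),
    "1.2": date(2021, 9, 15),
    "1.2.3": date(2022, 2, 1),  # released after the advisory: not covered by "*"
}
ADVISORY_DATE = date(2021, 12, 1)

if __name__ == "__main__":
    print(contains("vers:pypi/>=1.0|<1.2.3", "1.1"))                        # True
    print(affected_versions_at("vers:pypi/*", FOO_RELEASES, ADVISORY_DATE))  # ['1.0', '1.1', '1.2']
```

The point of `affected_versions_at` is that a `*` range is not a statement about the future: a version released after the advisory has to be re-checked against the range when it appears, which is exactly the re/check "in the future" that the slide calls for.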
Issue: Duplicated data
▷ Some vulnerabilities are duplicates
○ Leads to many noisy relationships and lesser correlation abilities
▷ Solution: Introduce a new set of vulnerability id aliases
○ Before, we tracked by CVE id; only if there was none did we create a VULCOID id (VulnerableCode ID for a vulnerability)
○ We now always use a VULCOID id and track many aliases (including a CVE id when available) for each vulnerability
○ Aliases are used for data reconciliation during the second step ("Improvers"), which avoids a large number of duplicates
○ Improver jobs will further merge additional duplicates
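The alias-based reconciliation on this slide and the confidence levels from the "Lesser data quality" slide, as one added example that is not VulnerableCode's own Importer/Improver code: imported advisories that share any identifier are merged into one record with a single VULCOID, and each affected Package URL keeps the best confidence any source asserted it with, so low-quality data is retained but can be discounted at query time. The source names, identifiers (`CVE-2099-…`, `GHSA-xxxx-…`, `PYSEC-2099-…`), confidence values and the `VULCOID-0001` format are constructed placeholders, not real records or the project's real id format.

```python
"""Alias-based reconciliation of imported advisories with confidence levels.

Added illustration of the two ideas on the slides above (confidence levels,
VULCOID plus aliases); it is not VulnerableCode's own Importer/Improver code.
The identifiers, sources and confidence values below are constructed, and the
VULCOID format used here is a placeholder, not the project's real format.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Advisory:
    """One imported record, as it lands in the 'Advisory' staging area."""
    source: str
    aliases: FrozenSet[str]          # every id this source knows for the flaw
    affected_purls: FrozenSet[str]   # Package URLs the source says are affected
    confidence: int                  # 0-100: how much we trust this source


@dataclass
class Vulnerability:
    """Merged record: one VULCOID, many aliases, purls with best confidence."""
    vulcoid: str
    aliases: Set[str] = field(default_factory=set)
    sources: Set[str] = field(default_factory=set)
    affected_purls: Dict[str, int] = field(default_factory=dict)  # purl -> max confidence


class _UnionFind:
    """Disjoint sets over alias strings: a shared alias means the same vulnerability."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def reconcile(advisories: List[Advisory]) -> List[Vulnerability]:
    """Merge advisories that share any alias into one Vulnerability each.

    Advisories with no alias at all cannot be matched and stay separate.
    VULCOIDs are assigned in import order so the result is deterministic.
    """
    uf = _UnionFind()
    keys: List[str] = []
    for index, adv in enumerate(advisories):
        aliases = sorted(adv.aliases) or [f"__unaliased__{index}"]
        for alias in aliases[1:]:
            uf.union(aliases[0], alias)
        keys.append(aliases[0])

    by_root: Dict[str, Vulnerability] = {}
    for adv, key in zip(advisories, keys):
        root = uf.find(key)
        vuln = by_root.get(root)
        if vuln is None:
            # Placeholder id format; the real VULCOID format is not shown on the slides.
            vuln = Vulnerability(vulcoid=f"VULCOID-{len(by_root) + 1:04d}")
            by_root[root] = vuln
        vuln.aliases |= adv.aliases
        vuln.sources.add(adv.source)
        for purl in adv.affected_purls:
            # Keep the strongest assertion seen for this purl; never drop weaker ones.
            vuln.affected_purls[purl] = max(vuln.affected_purls.get(purl, 0), adv.confidence)
    return list(by_root.values())


def affected_with_confidence(vuln: Vulnerability, minimum: int) -> List[str]:
    """Purls asserted affected with at least `minimum` confidence.

    Lesser-quality data stays in the record; it is discounted at query time.
    """
    return sorted(p for p, c in vuln.affected_purls.items() if c >= minimum)


# Constructed sample: the same flaw seen by three sources, plus an unrelated one.
SAMPLE_ADVISORIES = [
    Advisory("nvd", frozenset({"CVE-2099-0001"}),
             frozenset({"pkg:pypi/foo@1.0"}), confidence=90),
    Advisory("ghsa", frozenset({"GHSA-xxxx-xxxx-xx01", "CVE-2099-0001"}),
             frozenset({"pkg:pypi/foo@1.0", "pkg:pypi/foo@1.1"}), confidence=80),
    Advisory("pysec", frozenset({"PYSEC-2099-1", "GHSA-xxxx-xxxx-xx01"}),
             frozenset({"pkg:pypi/foo@1.2"}), confidence=40),
    Advisory("distro", frozenset({"CVE-2099-0002"}),
             frozenset({"pkg:deb/debian/bar@2.0"}), confidence=70),
]

if __name__ == "__main__":
    for vuln in reconcile(SAMPLE_ADVISORIES):
        print(vuln.vulcoid, sorted(vuln.aliases), affected_with_confidence(vuln, 50))
```

The pysec record here only reaches the merged vulnerability through its GHSA alias, never through the CVE; that transitive match is what a per-CVE key misses and what the "always use a VULCOID and track aliases" change buys.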
Other issues
▷ Many data sources - redundant, unstructured, messy,
incomplete
○ We grew to appreciate the complexity of the task and why commercial
vendors currently dominate the space
○ Solution: integrate them all (all the data sources) to cross-check them
▷ Old, obsolete, or less useful data
○ More is not always better - e.g. old vulnerabilities on Windows 95
○ Commercial-only software (Windows, etc.) or hardware is less interesting
○ Solution: let go of some of the past! and ignore the legacy
Future plans
▷ More primary data sources, going upstream
▷ More data: Actual commits fixing and introducing vulnerabilities
▷ YARA rules: enable finer-grained detection of actual vulnerable code
▷ Community peer curation system including curation UI
▷ AI/ML for data quality improvements
▷ .... and good ole heuristics
▷ VulnTotal: tool to compare all the vulnerability DBs
○ Think Virustotal for vulnerabilities
If you want to learn more about our projects
▷ Try out VulnerableCode with a free DejaCode account
https://enterprise.dejacode.com/account/register/
▷ Register for our upcoming webinars
https://nexb.com/webinars
▷ Read our latest blog post at
https://nexb.com/vulnerablecode-public-release
▷ Download VulnerableCode at
https://github.com/nexB/vulnerablecode/releases/latest
▷ Visit https://nexb.com/vulnerablecode for more information
If you want to help
You can contribute code, time, docs or funds
▷ Use these fine FOSS tools and specs
● https://github.com/nexb/vulnerablecode
● https://www.aboutcode.org/
● https://github.com/nexB/
● https://github.com/package-url
▷ Join the conversation at
● https://gitter.im/aboutcode-org
▷ Donate at
● https://opencollective.com/aboutcode
Credits
▷ Presentation template by SlidesCarnival licensed under CC-BY-4.0
▷ Photograph by Unsplash licensed under Unsplash License
▷ Other content licensed under CC-BY-4.0
23

Contenu connexe

Similaire à VulnerableCode: Finding FOSS software vulnerabilities with FOSS tools

Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...sparkfabrik
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depthyalegko
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
 
Using containers and Continuous Packaging to Build native FOSSology packages
Using containers and Continuous Packaging to Build native FOSSology packagesUsing containers and Continuous Packaging to Build native FOSSology packages
Using containers and Continuous Packaging to Build native FOSSology packagesBruno Cornec
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...sparkfabrik
 
13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applicationsKarthik Gaekwad
 
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Clark Everetts
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Clustersmalltown
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container securityVolodymyr Shynkar
 
Php Dependency Management with Composer ZendCon 2017
Php Dependency Management with Composer ZendCon 2017Php Dependency Management with Composer ZendCon 2017
Php Dependency Management with Composer ZendCon 2017Clark Everetts
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystemsparkfabrik
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
OpenChain Webinar #50 - An Overview of SPDX 3.0
OpenChain Webinar #50 - An Overview of SPDX 3.0OpenChain Webinar #50 - An Overview of SPDX 3.0
OpenChain Webinar #50 - An Overview of SPDX 3.0Shane Coughlan
 
Security in a containerized world - Jessie Frazelle
Security in a containerized world - Jessie FrazelleSecurity in a containerized world - Jessie Frazelle
Security in a containerized world - Jessie FrazelleParis Container Day
 
How is this sausage made
How is this sausage madeHow is this sausage made
How is this sausage madedejanb
 
I Just Want to Run My Code: Waypoint, Nomad, and Other Things
I Just Want to Run My Code: Waypoint, Nomad, and Other ThingsI Just Want to Run My Code: Waypoint, Nomad, and Other Things
I Just Want to Run My Code: Waypoint, Nomad, and Other ThingsMichael Lange
 
Pluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and DockerPluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and DockerBob Killen
 
Managing Open Source software in the Docker era
Managing Open Source software in the Docker era Managing Open Source software in the Docker era
Managing Open Source software in the Docker era nexB Inc.
 
Choisir le bon business model et la bonne licence pour la survie de son proje...
Choisir le bon business model et la bonne licence pour la survie de son proje...Choisir le bon business model et la bonne licence pour la survie de son proje...
Choisir le bon business model et la bonne licence pour la survie de son proje...Open Source Experience
 

Similaire à VulnerableCode: Finding FOSS software vulnerabilities with FOSS tools (20)

Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depth
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
 
Using containers and Continuous Packaging to Build native FOSSology packages
Using containers and Continuous Packaging to Build native FOSSology packagesUsing containers and Continuous Packaging to Build native FOSSology packages
Using containers and Continuous Packaging to Build native FOSSology packages
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
 
13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications
 
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Php Dependency Management with Composer ZendCon 2017
Php Dependency Management with Composer ZendCon 2017Php Dependency Management with Composer ZendCon 2017
Php Dependency Management with Composer ZendCon 2017
 
Node.js Module: I Choose You!
Node.js Module: I Choose You!Node.js Module: I Choose You!
Node.js Module: I Choose You!
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
 
OpenChain Webinar #50 - An Overview of SPDX 3.0
OpenChain Webinar #50 - An Overview of SPDX 3.0OpenChain Webinar #50 - An Overview of SPDX 3.0
OpenChain Webinar #50 - An Overview of SPDX 3.0
 
Security in a containerized world - Jessie Frazelle
Security in a containerized world - Jessie FrazelleSecurity in a containerized world - Jessie Frazelle
Security in a containerized world - Jessie Frazelle
 
How is this sausage made
How is this sausage madeHow is this sausage made
How is this sausage made
 
I Just Want to Run My Code: Waypoint, Nomad, and Other Things
I Just Want to Run My Code: Waypoint, Nomad, and Other ThingsI Just Want to Run My Code: Waypoint, Nomad, and Other Things
I Just Want to Run My Code: Waypoint, Nomad, and Other Things
 
Pluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and DockerPluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and Docker
 
Managing Open Source software in the Docker era
Managing Open Source software in the Docker era Managing Open Source software in the Docker era
Managing Open Source software in the Docker era
 
Choisir le bon business model et la bonne licence pour la survie de son proje...
Choisir le bon business model et la bonne licence pour la survie de son proje...Choisir le bon business model et la bonne licence pour la survie de son proje...
Choisir le bon business model et la bonne licence pour la survie de son proje...
 

Dernier

%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Hararemasabamasaba
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...masabamasaba
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastPapp Krisztián
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfkalichargn70th171
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park masabamasaba
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
tonesoftg
tonesoftgtonesoftg
tonesoftglanshi9
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfonteinmasabamasaba
 
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT  - Elevating Productivity in Today's Agile EnvironmentHarnessing ChatGPT  - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile EnvironmentVictorSzoltysek
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrandmasabamasaba
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfonteinmasabamasaba
 

Dernier (20)

%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT  - Elevating Productivity in Today's Agile EnvironmentHarnessing ChatGPT  - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 

VulnerableCode: Finding FOSS software vulnerabilities with FOSS tools

State of vulnerability databases (2)
The Telephone Game problem
▷ Everyone is making something up a little by trying to improve data
▷ Each of them makes something up slightly differently
○ Too much reliance on automated tools on top of bad data
▷ Many DBs base their content on another DB's content
○ At each step the data is transformed (and damaged) in subtle ways
▷ You can have as many vulnerable ranges as there are DB interpretations.
○ None of them is entirely faithful to the upstream data
○ Over time this turns into The Telephone game
▷ Upstream has better data
5
The true-true vulnerabilities are UPSTREAM!
Credit https://live.staticflickr.com/3798/10142017736_7f69d9f472_h.jpg
"Brown Bears at Brooks Camp, Katmai National Park" by Christoph Strässler https://www.flickr.com/photos/christoph_straessler/
This work is licensed under a Creative Commons Attribution-2.50 License. https://creativecommons.org/licenses/by-sa/2.0/
https://www.youtube.com/watch?v=V4kWQSpCbvo
6
State of vulnerability databases (3)
▷ Databases of known FOSS software vulnerabilities are mostly proprietary and/or privately maintained using proprietary tools, processes and data.
▷ Why not open data? FOSS code likes open data about FOSS!
○ Some new entrants are now using open licenses:
○ GHSA (GitHub), OSV (Google), GitLab (one month delay)
▷ Emerging support for Package URL promotes interoperability
○ OSSF OSV, Sonatype OSSINDEX
▷ Emerging common format promotes interoperability
○ OSSF OSV
▷ But open formats do not mean common data identifiers
7
How do we search? By package first!
Questions to answer:
▷ Is package foo@1.0 known to be vulnerable?
○ What are the vulnerabilities?
○ What is the severity of the vulnerability?
○ Which version has a fix?
▷ More rarely: do I have any package vulnerable to this vulnerability?
8
A better approach: package first
Lookup vulnerabilities, find packages
Find packages, lookup vulnerabilities
9
Why VulnerableCode? accuracy and correctness
▷ Vulnerabilities are important!
▷ Code is more important! Package first!
▷ There is no Free Software Vulnerability Database that is
○ Open!!
○ Comprehensive for most ecosystems (system+package)
○ Curated by expert humans
○ Validated: Trusted, correlated and verified data
○ Working towards correctness
10
VulnerableCode Solution
▷ Find packages with scanning, matching and tracing
○ Leverage all tools that report package-url (we support CPE too)
○ ScanCode.io and ScanCode, ORT, Tern, OWASP Dependency Track and many more .... or an SBOM (SPDX, CycloneDX)
▷ Lookup package vulnerabilities in an open database that aggregates them all
▷ Query by purl!
▷ Open data and open source tools are better for open source!
▷ Eventually review by experts to curate all the data.
11
How to create a package vulnerability database?
▷ Use data from upstream, at the source of the source!
○ From the package maintainers and authors themselves
▷ Employ a confidence based system: not all data are equally trusted and of the same quality
▷ Aggregate and correlate many data sources to enrich, cross-check and validate
▷ Discover new relations between vulnerabilities and packages by mining the graph
▷ Curate and review for correctness with experts (AI is nice but does not fix the problems)
12
Aggregate and correlate many data sources
▷ Collect and parse many sources
○ Store in a common data model
○ Cross-reference to create a graph
▷ Project-specific trackers
○ Apache, OpenSSL, nginx...
○ Bug trackers, commit logs, project CHANGELOGs.
▷ Linux distro trackers (Debian, Ubuntu, RedHat, SUSE, Gentoo, ...)
○ Custom or standard formats (CVRF, OVAL)
▷ Application package trackers
○ NuGet, Rust, RubyGems, Pysec, RustSec, npm, ....
▷ NVD, and other aggregators: OSV, GHSA, GitLab, GSD and more.
13
Multi level data refinement
▷ The data is always imported in an "Advisory" staging area
▷ "Advisory" data are converted to "Vulnerability" and "Package" data and their relationships using "Improvers"
▷ "Advisory" data that cannot be converted are kept with a log to investigate and resolve the issue
▷ Specific improvers can mine the graph, cross check with other data sources, resolve updated version ranges
Import Improve Filter
14
Issue: Ghost packages
▷ Some packages do not exist anywhere
○ Including versions that may not exist: they were never released
▷ Solution: Look up upstream in the package registries and repositories
○ We can look up in the registries and repositories to validate that the Package URLs and versions are correct and really exist upstream
15
Issue: Lesser data quality
▷ Some vulnerability sources cannot be trusted
○ Known to make incorrect or inaccurate assertions about packages and versions
▷ Solution: store a confidence level
○ Confidence levels ensure we keep all inferred data, even lesser quality data
○ We do not trust others: we can discount the data sources we trust less
○ And we do not trust ourselves: we can discount the automated inferences we make if we are not 100% sure about their correctness
16
Issue: Incorrect or missing versions
▷ Some package versions are missing or incorrect
○ Affected version statements are often ambiguous
○ "All the versions of package foo are vulnerable to CVE XZY" really means all versions of foo known at the time this advisory was published were vulnerable.
▷ Solution: store version range, resolve range and "time travel"
○ We store version ranges as a compact string (using the new purl "vers" spec)
○ We expand and resolve ranges with the "univers" version handling library
○ Package versions can be re-checked for being in a vulnerable range as needed
■ In the past and in the future
○ Improvers can do "time travel" based on version publication dates and determine if a package version was vulnerable in the past when published.
17
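The range storage and "time travel" described on this slide, as an added illustration that is not VulnerableCode's or the univers library's code: a minimal checker for purl "vers" strings using a simple dotted-integer ordering, plus a helper that resolves an "all versions are vulnerable" advisory into the releases that existed on its publication date. The package foo, its release dates and the range strings are constructed for the example.

```python
import re
from datetime import date
# Added example, not VulnerableCode or univers code. Versions are compared as
# dotted integers; real ecosystems need the per-scheme ordering univers provides.
COMPARATORS = ("!=", ">=", "<=", ">", "<", "=")

def parse_version(v):
    """'1.2.10' -> (1, 2, 10) so tuples compare numerically."""
    return tuple(int(p) for p in v.split("."))

def parse_vers(vers):
    """Split 'vers:pypi/>=1.0|<2.0' into (scheme, [(comparator, version), ...])."""
    m = re.fullmatch(r"vers:([a-z]+)/(.+)", vers)
    if not m:
        raise ValueError("not a vers string: %r" % vers)
    scheme, body = m.groups()
    constraints = []
    for raw in body.split("|"):
        comp = next((c for c in COMPARATORS if raw.startswith(c)), None)
        constraints.append((comp or "=", raw[len(comp):] if comp else raw))
    return scheme, constraints

def contains(vers, version):
    """Is `version` inside the `vers` range? Walks the sorted bounds pairwise."""
    _, constraints = parse_vers(vers)
    if any(ver == "*" for _, ver in constraints):
        return True
    v = parse_version(version)
    # exact hits decide first: an exclusion wins, then inclusive comparators match
    if any(c == "!=" and parse_version(ver) == v for c, ver in constraints):
        return False
    if any(c in ("=", "<=", ">=") and parse_version(ver) == v for c, ver in constraints):
        return True
    bounds = sorted((parse_version(ver), c) for c, ver in constraints if c not in ("=", "!="))
    if bounds and bounds[0][1] in ("<", "<=") and v < bounds[0][0]:
        return True
    if bounds and bounds[-1][1] in (">", ">=") and v > bounds[-1][0]:
        return True
    for (lo, lo_c), (hi, hi_c) in zip(bounds, bounds[1:]):  # inner intervals
        if lo_c in (">", ">=") and hi_c in ("<", "<=") and lo < v < hi:
            return True
    return False

def resolve_all_versions(scheme, advisory_published, releases):
    """'Time travel': 'all versions are vulnerable' becomes a compact vers string
    of '=' constraints for the releases that existed on the advisory date."""
    known = sorted((v for v, d in releases.items() if d <= advisory_published), key=parse_version)
    return "vers:%s/%s" % (scheme, "|".join("=" + v for v in known)) if known else None

# Constructed release history for a fictional package foo (not real data).
FOO_RELEASES = {"1.0": date(2020, 1, 1), "1.1": date(2020, 6, 1), "2.0": date(2021, 3, 1)}
FOO_ADVISORY_DATE = date(2020, 9, 1)  # constructed: advisory said "all versions"
```

Version 2.0 was released after the advisory, so the resolved range does not cover it even though the advisory text says "all versions".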
Issue: Duplicated data
▷ Some vulnerabilities are duplicates
○ Leads to many noisy relationships and lesser correlation abilities
▷ Solution: Introduce a new set of vulnerability id aliases
○ Before, we tracked by CVE id; only if there was none we created a VULCOID id (VulnerableCode ID for a vulnerability)
○ We now always use a VULCOID id and track many aliases (including a CVE id when available) for each vulnerability
○ Aliases are used for data reconciliation during the second step of "Improvers", meaning that we avoid a large number of duplicates
○ Improver jobs will further merge additional duplicates
18
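The two reconciliation schemes this slide contrasts, as an added example that is not VulnerableCode's own code: keying on the CVE id alone leaves a duplicate whenever a source has no CVE, while union-find over all aliases collapses advisories that share any alias, directly or through a third advisory, into one vulnerability. The advisories, source names and the VULCOID-NNNN id format are constructed placeholders.

```python
from collections import defaultdict
from itertools import count
# Added example, not VulnerableCode code. "VULCOID-NNNN" is a constructed
# placeholder id format, not the project's real one.

def reconcile_by_cve_only(advisories):
    """The old scheme: key on the CVE id, mint a fresh id whenever there is none."""
    ids = count(1)
    vulns = {}
    for adv in advisories:
        cve = next((a for a in adv["aliases"] if a.startswith("CVE-")), None)
        key = cve or "VULCOID-%04d" % next(ids)
        vulns.setdefault(key, []).append(adv["source"])
    return vulns

def reconcile_by_aliases(advisories):
    """The new scheme: union-find over aliases, one VULCOID per connected group."""
    parent = {}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the trees flat
            x = parent[x]
        return x
    for adv in advisories:
        for alias in adv["aliases"]:
            parent.setdefault(alias, alias)
            parent[find(alias)] = find(adv["aliases"][0])  # union with the first alias
    groups = defaultdict(lambda: {"aliases": set(), "sources": []})
    for adv in advisories:
        root = find(adv["aliases"][0])
        groups[root]["aliases"].update(adv["aliases"])
        groups[root]["sources"].append(adv["source"])
    # deterministic ids: number the groups by their smallest alias
    result = {}
    for n, root in enumerate(sorted(groups, key=lambda r: min(groups[r]["aliases"])), 1):
        result["VULCOID-%04d" % n] = groups[root]
    return result

# Constructed advisories from three sources: the GHSA record carries no CVE id,
# but the PySec record links both, so the first three describe one vulnerability.
ADVISORIES = [
    {"source": "nvd", "aliases": ["CVE-0000-0001"]},
    {"source": "ghsa", "aliases": ["GHSA-xxxx-xxxx-0001"]},
    {"source": "pysec", "aliases": ["PYSEC-0000-0001", "CVE-0000-0001", "GHSA-xxxx-xxxx-0001"]},
    {"source": "nvd", "aliases": ["CVE-0000-0002"]},
]
```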
Other issues
▷ Many data sources - redundant, unstructured, messy, incomplete
○ We grew to appreciate the complexity of the task and why commercial vendors currently dominate the space
○ Solution: integrate them all (all the data sources) to cross-check them
▷ Old, obsolete, or less useful data
○ More is not always better - e.g. old vulnerabilities on Windows 95
○ Commercial-only software (Windows, etc.) or hardware is less interesting
○ Solution: let go of some of the past! and ignore the legacy
19
Future plans
▷ More primary data sources, going upstream
▷ More data: Actual commits fixing and introducing vulnerabilities
▷ YARA Rules: enable finer grain detection of actual vulnerable code
▷ Community peer curation system including curation UI
▷ AI/ML for data quality improvements
▷ .... and good ole heuristics
▷ VulnTotal: Tool to compare all the Vulnerabilities DB
○ Think Virustotal for vulnerabilities
20
If you want to learn more about our projects
▷ Try out VulnerableCode with a free DejaCode account https://enterprise.dejacode.com/account/register/
▷ Register for our upcoming webinars https://nexb.com/webinars
▷ Read our latest blog post at https://nexb.com/vulnerablecode-public-release
▷ Download VulnerableCode at https://github.com/nexB/vulnerablecode/releases/latest
▷ Visit https://nexb.com/vulnerablecode for more information
21
If you want to help
You can contribute code, time, docs or funds
▷ Use these fine FOSS tools and specs
● https://github.com/nexb/vulnerablecode
● https://www.aboutcode.org/
● https://github.com/nexB/
● https://github.com/package-url
▷ Join the conversation at
● https://gitter.im/aboutcode-org
▷ Donate at
● https://opencollective.com/aboutcode
22
Credits
▷ Presentation template by SlidesCarnival licensed under CC-BY-4.0
▷ Photograph by Unsplash licensed under Unsplash License
▷ Other content licensed under CC-BY-4.0
23