In [1]:
import collections
import sys
from functools import reduce
import json
from pprint import pprint
import os
import socket

import pandas as pd
import matplotlib.pyplot as plt

from common import *
from vulnerability_database import VulnerabilityDatabase

#### Database generated with
```
LOAD=0.5 PORT=55555 node identification/dolos-preprocessor.mjs
LD_LIBRARY_PATH=$DOLOSPY python -m dolospy preindexer --preprocessor-url http://localhost:55555/preprocess --worker $(nproc) --log-level INFO
```

#### Dataset generated with
```
python generate_bundles.py -o $DATASETS/lab-bundles-one-for-each -1 -n 5663 -p 1 -r
python pack_bundles.py --v2 -i $DATASETS/lab-bundles-one-for-each -o $DATASETS/lab-bundles-one-for-each.bson -m $DATASETS/lab-bundles-meta.csv -s $DATASETS/lab-bundles-object-storage.tar
```

#### Resultset generated with
```
# Last duration: 4 min
# Use --no-comp and adjusted output name for compartment-less analysis
LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$VIRTUAL_ENV/lib/python3.12/site-packages/dolospy" PORT=4200 python dolos_speed_eval_real_vd.py --worker $(nproc) -o $DATASETS/results-lab-dolospy.bson -s $DATASETS/lab-bundles-object-storage.tar $DATASETS/lab-bundles-one-for-each.bson
python dolos_speed_eval_recover.py -o $DATASETS/lab-bundles-results-dolospy.json -r $DATASETS/results-lab-dolospy.bson $DATASETS/lab-bundles-one-for-each.bson
```

In [2]:
with open(os.path.join(DATASETS, "lab-bundles-results-dolospy.json"), "r") as f:
    data_with_compartments = json.load(f)
    
with open(os.path.join(DATASETS, "lab-bundles-results-dolospy-nocomp.json"), "r") as f:
    data_without_compartments = json.load(f)

vulndb = VulnerabilityDatabase(os.path.join(DATASETS, "vulndb.json"))

# Compartment results

In [3]:
class Stats:
    pass

stats = Stats()
stats.total = 0

# Metric 1
stats.noError = 0
stats.patchError = 0
stats.minorError = 0
stats.majorError = 0

stats.hasNoError = collections.Counter()
stats.hasNoErrorAndUnique = collections.Counter()
stats.hasMajorError = collections.Counter()
stats.hasMinorError = collections.Counter()
stats.hasPatchError = collections.Counter()

# Metric 2
stats.versionDifferences = []

# Metric 3
stats.vulnerableTruePositive = 0
stats.vulnerableTrueNegative = 0
stats.vulnerableFalsePositive = 0
stats.vulnerableFalseNegative = 0

# Other
stats.packages = set()

In [4]:
del metric
def metric(similarity_dict):
    """
    Compute a similarity score

    :param similarity_dict: dict keys: "covered", "leftTotal", "rightTotal"
    :return: float
    """
    return similarity_dict["covered"] / similarity_dict["leftTotal"] if similarity_dict["leftTotal"] > 0 else 0

In [5]:
pnpmPkgs = set()
for result in data_with_compartments:
    if result.get("ignore", False):
        continue

    truths = set(reduce(extendReduce, [parse_pnpm_names(name) for name in result["groundTruth"]], []))
    if "noCompartments" in result: continue
    similarities = result["similarities"]
    for truth in truths:
        pkg, vers = truth.rsplit("@", 1)
        pnpmPkgs.add(pkg)

In [6]:
# List for Bundler Study packing
with open(f"/tmp/pnpm.list", "w") as f:
    f.write("\n".join(sorted(pnpmPkgs)))

In [None]:
for result in data_with_compartments:
    if result.get("ignore", False):
        continue

    truths = set(reduce(extendReduce, [parse_pnpm_names(name) for name in result["groundTruth"]], []))
    if "noCompartments" in result: continue
    similarities = result["similarities"]
    for truth in truths:
        pkg, vers = truth.rsplit("@", 1)

        # We ignore packages which are not indexed
        if pkg in similarities and len(similarities[pkg]) > 0:
            scores = {k: metric(v) for k, v in similarities[pkg].items()}

            try:
                assert vers in scores, f"Impossible to detect version. Maybe DB or lab bundle dataset are not synced?\n{truth=} {scores=}"
            except AssertionError:
                print(f"WARNING Skipping {truth}")
                continue

            maxScore = max(scores.values())
            maxVersions = [k for k in scores.keys() if scores[k] == maxScore]

            stats.total += 1
            stats.packages.add(pkg)

            try:
                distance = semver_distance_list(vers, list(maxVersions))
                stats.versionDifferences.append(distance)
            except ValueError as e:
                print(result.get("domain"), e)
                continue

            if vers in maxVersions:
                stats.noError += 1
                stats.hasNoError.update({pkg: 1})
                if len(maxVersions) == 1:
                    stats.hasNoErrorAndUnique.update({pkg: 1})

            else:

                if distance[0] > 0:
                    if pkg == "@sentry/utils":
                        print(f"INFO next: {result['id']}")
                    stats.majorError += 1
                    stats.minorError += 1
                    stats.patchError += 1
                    stats.hasMajorError.update({pkg: 1})
                    stats.hasMinorError.update({pkg: 1})
                    stats.hasPatchError.update({pkg: 1})
                elif distance[1] > 0:
                    stats.minorError += 1
                    stats.patchError += 1
                    stats.hasMinorError.update({pkg: 1})
                    stats.hasPatchError.update({pkg: 1})
                elif distance[2] > 0:
                    stats.patchError += 1
                    stats.hasPatchError.update({pkg: 1})

                detected_vulns = [vulndb.is_vulnerable(pkg, v) for v in maxVersions]
                try:
                    if vulndb.is_vulnerable(pkg, vers):
                        if all(detected_vulns):
                            stats.vulnerableTruePositive += 1
                        elif all([not v for v in detected_vulns]):
                            stats.vulnerableFalseNegative += 1
                    else:
                        if all(detected_vulns):
                            stats.vulnerableFalsePositive += 1
                        elif all([not v for v in detected_vulns]):
                            stats.vulnerableTrueNegative += 1
                except ValueError:
                    pass

In [7]:
print(f"Total results: {stats.total}")
print("")
print("Metric 1:")
print(f"  No Error: {stats.noError}")
print(f"  Major Error: {stats.majorError}")
print(f"  Minor Error: {stats.minorError}")
print(f"  Patch Error: {stats.patchError}")
print("")
print("Metric 2:")
print(f"  Major Error (min/median/mean/max): {'/'.join(map(str, compute_statistics([d[0] for d in stats.versionDifferences])))}")
print(f"  Minor Error (min/median/mean/max): {'/'.join(map(str, compute_statistics([d[1] for d in stats.versionDifferences])))}")
print(f"  Patch Error (min/median/mean/max): {'/'.join(map(str, compute_statistics([d[2] for d in stats.versionDifferences])))}")
print("")
print("Metric 3:")
print(f"  TP / FN: {stats.vulnerableTruePositive:4}  {stats.vulnerableFalseNegative:4}")
print(f"  FP / TN: {stats.vulnerableFalsePositive:4}  {stats.vulnerableTrueNegative:4}")

Total results: 25518

Metric 1:
  No Error: 22188
  Major Error: 699
  Minor Error: 2529
  Patch Error: 3330

Metric 2:
  Major Error (min/median/mean/max): 0/0.0/0.04749588525746532/14
  Minor Error (min/median/mean/max): 0/0.0/0.6432322282310526/680
  Patch Error (min/median/mean/max): 0/0.0/0.25781801081589467/35

Metric 3:
  TP / FN:   12     1
  FP / TN:  102  3214


In [9]:
print("Distribution of package errors:")
major = [1 - stats.hasMajorError.get(pkg, 0) / (stats.hasNoError.get(pkg, 0) + stats.hasPatchError.get(pkg, 0)) for pkg in stats.packages]
minor = [1 - stats.hasMinorError.get(pkg, 0) / (stats.hasNoError.get(pkg, 0) + stats.hasPatchError.get(pkg, 0)) for pkg in stats.packages]
patch = [1 - stats.hasPatchError.get(pkg, 0) / (stats.hasNoError.get(pkg, 0) + stats.hasPatchError.get(pkg, 0)) for pkg in stats.packages]
print(f"Count perfect major: {sum(1 for m in major if m >= 0.99)}/{len(major)}")
print(f"Count perfect minor: {sum(1 for m in minor if m >= 0.99)}/{len(minor)}")
print(f"Count perfect patch: {sum(1 for m in patch if m >= 0.99)}/{len(patch)}")


Distribution of package errors:
Count perfect major: 5718/5970
Count perfect minor: 5400/5970
Count perfect patch: 5203/5970


# Results w/o Compartments

In [9]:
class Stats:
    pass

stats = Stats()
stats.total = 0

# Metric 1
stats.noError = 0
stats.patchError = 0
stats.minorError = 0
stats.majorError = 0

stats.hasNoError = collections.Counter()
stats.hasNoErrorAndUnique = collections.Counter()
stats.hasMajorError = collections.Counter()
stats.hasMinorError = collections.Counter()
stats.hasPatchError = collections.Counter()

# Metric 2
stats.versionDifferences = []

# Metric 3
stats.vulnerableTruePositive = 0
stats.vulnerableTrueNegative = 0
stats.vulnerableFalsePositive = 0
stats.vulnerableFalseNegative = 0

# Other
stats.packages = set()

In [None]:
for result in data_without_compartments:
    if result.get("ignore", False):
        continue

    truths = set(reduce(extendReduce, [parse_pnpm_names(name) for name in result["groundTruth"]], []))
    similarities = result["similarities"]
    for truth in truths:
        pkg, vers = truth.rsplit("@", 1)

        # We ignore packages which are not indexed
        if pkg in similarities and len(similarities[pkg]) > 0:
            scores = {k: metric(v) for k, v in similarities[pkg].items()}

            try:
                assert vers in scores, f"Impossible to detect version. Maybe DB or lab bundle dataset are not synced?\n{truth=} {scores=}"
            except AssertionError:
                print(f"WARNING Skipping {truth}")
                continue

            maxScore = max(scores.values())
            maxVersions = [k for k in scores.keys() if scores[k] == maxScore]

            stats.total += 1
            stats.packages.add(pkg)

            try:
                distance = semver_distance_list(vers, list(maxVersions))
                stats.versionDifferences.append(distance)
            except ValueError as e:
                print(result.get("domain"), e)
                continue

            if vers in maxVersions:
                stats.noError += 1
                stats.hasNoError.update({pkg: 1})
                if len(maxVersions) == 1:
                    stats.hasNoErrorAndUnique.update({pkg: 1})

            else:

                if distance[0] > 0:
                    if pkg == "@sentry/utils":
                        print(f"INFO next: {result['id']}")
                    stats.majorError += 1
                    stats.minorError += 1
                    stats.patchError += 1
                    stats.hasMajorError.update({pkg: 1})
                    stats.hasMinorError.update({pkg: 1})
                    stats.hasPatchError.update({pkg: 1})
                elif distance[1] > 0:
                    stats.minorError += 1
                    stats.patchError += 1
                    stats.hasMinorError.update({pkg: 1})
                    stats.hasPatchError.update({pkg: 1})
                elif distance[2] > 0:
                    stats.patchError += 1
                    stats.hasPatchError.update({pkg: 1})

                detected_vulns = [vulndb.is_vulnerable(pkg, v) for v in maxVersions]
                try:
                    if vulndb.is_vulnerable(pkg, vers):
                        if all(detected_vulns):
                            stats.vulnerableTruePositive += 1
                        elif all([not v for v in detected_vulns]):
                            stats.vulnerableFalseNegative += 1
                    else:
                        if all(detected_vulns):
                            stats.vulnerableFalsePositive += 1
                        elif all([not v for v in detected_vulns]):
                            stats.vulnerableTrueNegative += 1
                except ValueError:
                    pass

In [11]:
print(f"Total results: {stats.total}")
print("")
print("Metric 1:")
print(f"  No Error: {stats.noError}")
print(f"  Major Error: {stats.majorError}")
print(f"  Minor Error: {stats.minorError}")
print(f"  Patch Error: {stats.patchError}")
print("")
print("Metric 2:")
print(f"  Major Error (min/median/mean/max): {'/'.join(map(str, compute_statistics([d[0] for d in stats.versionDifferences])))}")
print(f"  Minor Error (min/median/mean/max): {'/'.join(map(str, compute_statistics([d[1] for d in stats.versionDifferences])))}")
print(f"  Patch Error (min/median/mean/max): {'/'.join(map(str, compute_statistics([d[2] for d in stats.versionDifferences])))}")
print("")
print("Metric 3:")
print(f"  TP / FN: {stats.vulnerableTruePositive:4}  {stats.vulnerableFalseNegative:4}")
print(f"  FP / TN: {stats.vulnerableFalsePositive:4}  {stats.vulnerableTrueNegative:4}")
print("Distribution of package errors:")
major = [1 - stats.hasMajorError.get(pkg, 0) / (stats.hasNoError.get(pkg, 0) + stats.hasPatchError.get(pkg, 0)) for pkg in stats.packages]
minor = [1 - stats.hasMinorError.get(pkg, 0) / (stats.hasNoError.get(pkg, 0) + stats.hasPatchError.get(pkg, 0)) for pkg in stats.packages]
patch = [1 - stats.hasPatchError.get(pkg, 0) / (stats.hasNoError.get(pkg, 0) + stats.hasPatchError.get(pkg, 0)) for pkg in stats.packages]
print(f"Count perfect major: {sum(1 for m in major if m >= 0.99)}/{len(major)}")
print(f"Count perfect minor: {sum(1 for m in minor if m >= 0.99)}/{len(minor)}")
print(f"Count perfect patch: {sum(1 for m in patch if m >= 0.99)}/{len(patch)}")


Total results: 30221

Metric 1:
  No Error: 24733
  Major Error: 1788
  Minor Error: 4424
  Patch Error: 5488

Metric 2:
  Major Error (min/median/mean/max): 0/0/0.20257436881638596/22
  Minor Error (min/median/mean/max): 0/0/1.058634724198405/886
  Patch Error (min/median/mean/max): 0/0/0.403825154693756/62

Metric 3:
  TP / FN:   21     4
  FP / TN:  197  5247
Distribution of package errors:
Count perfect major: 5791/6296
Count perfect minor: 5343/6296
Count perfect patch: 5100/6296
