How to detect link between a vulnerability and source code of project?

[JafarAkhondali]

As an example, consider this security advisory: GHSA-7p8h-86p5-wv3p

The CVE related to this advisory is "CVE-2021-21422". In this project(vulnerablecode), we can detect the relation between CVE and the package manager, which is npm in this case. However, I couldn't find a way to detect a link between a CVE and the project source code. It's also possible for some open source projects that they wouldn't have any package manager at all. Is adding the link between a vulnerability and a the project source code a possible\planned\in-scope feature for this project? My goal is to have a relation between a package and upstream source code. This way, we can link a many package to a github\gitlab\bitbucket project. Then for each project link, we can other metadata of the project as well. If we can discuss it further I might be able implement it.

[pombredanne]

Is adding the link between a vulnerability and a the project source code a possible\planned\in-scope feature for this project?

yes! and we have these related issues:

• VCIO-next: Add support to track fix commits: Include commits and patches that fix a vulnerability #207
  • Note that I have safekept the fix commit DB from vulncode-db and this will be merged in here eventually
  • See also:
    • Collect https://github.com/quarkslab/aosp_dataset #953 by @DarkaMaul https://github.com/quarkslab/aosp_dataset
    • Project KB by @copernico and team who are key WW experts in the domain and we have some support already at https://github.com/nexB/vulnerablecode/blob/16af83f4b38e293e404417a51eee06f4b5819e57/vulnerabilities/importers/project_kb_msr2019.py#L20
• Extract unpublished vulnerabilities from commit histories and trackers #1129
• Collect commits from dependabot #1130
• Add oss-fuzz confirmed security issues  #117
• Collect commits from dependabot #1130

Getting to the relationship between a vulnerability and the corresponding source has many layers!

1. The first step is to have a version range for the purl where this vulnerability is found and which version(s) fixes it. That's a core featureof this project
2. The second step is to find the corresponding source code and corresponding version control repo (e.g, git) for this package. @TG1999 must hasv his ears ringing because he is working on this as part of PurlDB and just pushed a PR Add support to find source repo for a package purldb#137
3. The third step if to find the corresponding tags an/or commits for the versions. This is also part of Add support to find source repo for a package purldb#137
4. The fourth step is to find which of the commit(s) from the commits in the range from 3. are the commits that effectively introduce and fix the vulnerability.

For this 4. there are many subtleties because finding these commits is difficult and eventually would need some kind of git bisect with a PoC or exploit to test all commits in the 4. range and that when found these commits may contain much more code than the code that matters. Or heuristic search on the commit messages or issues looking for links, comments and CVE references and similar.

Eventually the ideal outcome is a patch that may be a subset/superset of multiple commits and getting this patch can be complex as highlighted above and the effort can likely be assisted with some machine learning as well as heuristic and UI to best review and conclude on the actual patch.

Take your example GHSA-7p8h-86p5-wv3p : there is nothing special in the fixing version we can mine.

You also made several commits:

• mongo-express/mongo-express@b3de068
• mongo-express/mongo-express@0fa67c7
• mongo-express/mongo-express@c0c4d0c

Each of these may be the fix or all them as a patch. This is the kind of information we want to collect alright!

Then equipped with this the obvious next step is static or dynamic analysis to figure if the vulnerable code is effectively reachable and exploitable in a given usage context which would be the next awesome step!

Would you be willing to chip in on some of this?

[JafarAkhondali]

Wow, thank you for fast and comprehensive answer.
I completely agree with step 1 to 3, but step 4 will be complex in terms of implementation and runtime. I do have some ideas to improve aboutcode-org/purldb#137, that have not been done yet in other project( as far as I know). But one issue here for me is that I don't understand the relation between purldb project and this project. Let's say for now I want to start improving aboutcode-org/purldb#137 (in a separate fork and after it's merged), should I work with both of these projects ?!