jensdietrich/xshady-release

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

46 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

xshady-release

Proof-of-vulnerability projects demonstrating the presence of vulnerabilities in projects cloning or shading vulnerable components.

The repository is organised by CVE. It contains projects synthesised by the shade-detector that demonstrate the presence of a vulnerability in a component derived from the original component by shading or cloning. Those projects do not declare a dependency on the original component. The project titles are derived from the GAV coordinates (groupId+artifactId+version) of the vulnerable component, and the POM in each project declares a dependency on that vulnerable component.

Since those components are deployed in Maven Central and are generally not listed in vulnerability databases such as the GHSA DB (at the time of commit), (metadata-based) software composition analysis tools will generally miss those vulnerabilities. However, any client application using one of the packages we report is potentially vulnerable in the same way as if it were using the already-indexed vulnerable original component.

To verify that a vulnerability is present, run `mvn test` in the respective project. Some tests declare preconditions on the OS or Java version (i.e. JUnit assumptions); if those are not satisfied, the tests are marked as skipped. Each project is synthesised from a proof-of-vulnerability project for the original vulnerable component; for the semantics of the test (i.e. whether pass or fail indicates the vulnerability), check the repository containing those templates.
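Because the meaning of pass and fail is defined per template and skipped tests only tell you that a precondition was not met, it helps to read the Surefire reports that `mvn test` writes rather than just the exit code. The following script is an added example, not part of the xshady-release repository: it parses a constructed `TEST-*.xml` report in Surefire's format (hypothetical test names), counts passed, failed and skipped cases, and maps the counts to "vulnerable", "not-reproduced" or "inconclusive" using a caller-supplied flag that encodes the template's semantics. The `summarise_project` helper assumes the standard `target/surefire-reports` layout.

```python
"""Summarise Maven Surefire reports for a proof-of-vulnerability project.

Added example (not part of xshady-release): after `mvn test` has run in a
project, read target/surefire-reports/TEST-*.xml and report how many tests
passed, failed or were skipped because a JUnit assumption (OS / Java version
precondition) did not hold. Whether "fail" or "pass" signals the vulnerability
is template-specific, so it is passed in explicitly.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample report in Surefire's XML format; test names are
# hypothetical. A real report lives at target/surefire-reports/TEST-<class>.xml.
SAMPLE_REPORT = """<testsuite name="org.example.PovTest" tests="3" failures="1" errors="0" skipped="1" time="0.4">
  <testcase name="testTriggersVulnerableBehaviour" classname="org.example.PovTest" time="0.3">
    <failure message="unexpected behaviour observed" type="java.lang.AssertionError">trace...</failure>
  </testcase>
  <testcase name="testRequiresJava8" classname="org.example.PovTest" time="0.0">
    <skipped message="Assumption failed: java.version is 17"/>
  </testcase>
  <testcase name="testSanity" classname="org.example.PovTest" time="0.1"/>
</testsuite>
"""


def summarise_report(xml_text: str) -> dict:
    """Count outcomes per <testcase> instead of trusting the <testsuite>
    attributes, so a truncated or hand-edited report cannot mislead us."""
    root = ET.fromstring(xml_text)
    counts = {"passed": 0, "failed": 0, "skipped": 0}
    for case in root.iter("testcase"):
        if case.find("skipped") is not None:
            counts["skipped"] += 1          # assumption not met: no evidence either way
        elif case.find("failure") is not None or case.find("error") is not None:
            counts["failed"] += 1
        else:
            counts["passed"] += 1
    return counts


def classify(counts: dict, failure_means_vulnerable: bool) -> str:
    """Interpret the counts according to the template's semantics.

    'inconclusive'   - no test ran to completion (all skipped, or none found)
    'vulnerable'     - the template's vulnerability signal was observed
    'not-reproduced' - tests ran but the signal did not appear
    """
    total = sum(counts.values())
    if total == 0 or counts["skipped"] == total:
        return "inconclusive"
    if failure_means_vulnerable:
        signal = counts["failed"] > 0
    else:
        signal = counts["failed"] == 0
    return "vulnerable" if signal else "not-reproduced"


def summarise_project(project_dir: Path) -> dict:
    """Aggregate every TEST-*.xml report under a project's Surefire directory
    (assumes the default Maven layout target/surefire-reports)."""
    totals = {"passed": 0, "failed": 0, "skipped": 0}
    for report in (project_dir / "target" / "surefire-reports").glob("TEST-*.xml"):
        for key, value in summarise_report(report.read_text(encoding="utf-8")).items():
            totals[key] += value
    return totals


if __name__ == "__main__":
    counts = summarise_report(SAMPLE_REPORT)
    print(counts)
    # With a template where a failing test demonstrates the vulnerability:
    print(classify(counts, failure_means_vulnerable=True))
```

To use it on a checked-out project, run `mvn test` there first and then call `summarise_project(Path("path/to/project"))`; pass `failure_means_vulnerable` according to what the template repository states for that CVE. Counting per test case (rather than reading the `tests`/`failures` attributes) also makes a report with every case skipped show up as inconclusive instead of as a clean pass.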

Each project folder also contains a subfolder /scan-results with the scan reports produced by several SCA tools, to demonstrate that those tools often miss these vulnerabilities. As we disclose results, those gaps will be addressed and vulnerability databases updated, so the reports are valid as of the time they were committed.

A paper describing this approach and the shade-detector tool will be presented at SCORED'24. The project has been sponsored by Oracle Labs Australia and is a collaboration between Jens Dietrich and Tim White (Victoria University of Wellington), Alex Jordan (Oracle Labs Austria) and Shawn Rasheed (UCOL).

Successful Disclosures

| CVE | GHSA Update | Lib Name |
| --- | --- | --- |
| CVE-2022-38749 | github/advisory-database#2273 | Commons Text |
| CVE-2015-6420 | github/advisory-database#2326 | Apache Commons Collections |
| CVE-2018-10237 | github/advisory-database#2444 | Guava |
| CVE-2021-44228 | github/advisory-database#2445 | Log4J |
| CVE-2019-12402 | github/advisory-database#2823 | Apache Commons Compress |
| CVE-2016-5394 | github/advisory-database#2826 | Apache Sling |
| CVE-2016-6798 | github/advisory-database#2827 | Apache Sling |
| CVE-2015-7501 | github/advisory-database#2841 | Apache Commons Collections |
| CVE-2018-1324 | github/advisory-database#2855 | Apache Commons Compress |
