Project Ideas
Integrate with other AboutCode tools, namely ScanCode.io and scancode-toolkit.
At a higher level, these tools detect all the packages used by a codebase. They would then query VulnerableCode to verify whether each found package is vulnerable or not.
See https://github.com/nexB/vulnerablecode#how for background info. We want to search for more vulnerability data sources and consume them. There are many open tickets for data sources. See https://github.com/nexB/vulnerablecode/issues?q=is%3Aissue+is%3Aopen+label%3A"Data+collection"
The project would be to provide a way to effectively mine issues (such as GitHub issues) for possible unreported vulnerabilities. For a start this should be focused on a few prominent repos.
Create CI integrations which would scan the codebase for packages using SBOM tools like scancode-toolkit, then verify whether each package is safe. Implement a GitHub Action and Jenkins plugins that do this.
We could add UI components that would enable reviewers to triage, refine, improve and curate vulnerability data. This could include linking and displaying references and helpers to link the vulnerability to packages. VulnerableCode should obviously consume this newly minted data.
Often security advisories do not provide structured information on which package and package versions are vulnerable. We could create a system which would infer vulnerable package name and version(s) by parsing the vulnerability description using natural language processing techniques and heuristics.
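As an added illustration of the heuristic half of this idea (this is example code, not part of VulnerableCode), the script below extracts a package name and affected version constraints from free-text advisory sentences with a few regular-expression patterns, renders them in vers-style notation, and checks a detected version against them, which is the "is this package vulnerable?" step the CI and ScanCode integration ideas above need. The advisory sentences and package names are constructed for the example, and only dotted-numeric versions are handled.

```python
import re

# Constructed advisory sentences (not real advisories) used as sample input.
SAMPLE_DESCRIPTIONS = [
    "A flaw in example-parser before 2.4.1 allows a crafted file to crash the process.",
    "foolib versions 1.0.0 through 1.3.2 are affected by a path traversal.",
    "barlib < 0.9.5 mishandles TLS hostname checks.",
]

VERSION = r"\d+(?:\.\d+)+"
NAME = r"([a-z][\w.-]*)"

# Each pattern yields (package name, list of (operator, version) constraints).
# Heuristics only: phrasing outside these patterns is reported as "no match".
PATTERNS = [
    (re.compile(rf"{NAME} (?:versions? )?(?:before|prior to|earlier than) ({VERSION})", re.I),
     lambda m: [("<", m.group(2))]),
    (re.compile(rf"{NAME} versions? ({VERSION}) (?:through|to) ({VERSION})", re.I),
     lambda m: [(">=", m.group(2)), ("<=", m.group(3))]),
    (re.compile(rf"{NAME} (<=?|>=?) ({VERSION})", re.I),
     lambda m: [(m.group(2), m.group(3))]),
]

def infer_affected(description):
    """Return (package, constraints) inferred from free text, or None if nothing matches."""
    for pattern, build in PATTERNS:
        m = pattern.search(description)
        if m:
            return m.group(1).lower(), build(m)
    return None

def as_vers(scheme, constraints):
    """Render constraints vers-style, e.g. vers:pypi/>=1.0.0|<=1.3.2 (scheme is assumed known)."""
    return f"vers:{scheme}/" + "|".join(op + v for op, v in constraints)

def _key(version):
    # Dotted-numeric versions compare as integer tuples; pre-release tags are not handled.
    return tuple(int(p) for p in version.split("."))

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def is_affected(version, constraints):
    """True when a detected version satisfies every inferred constraint."""
    return all(OPS[op](_key(version), _key(bound)) for op, bound in constraints)

if __name__ == "__main__":
    for text in SAMPLE_DESCRIPTIONS:
        pkg, cons = infer_affected(text)
        print(pkg, as_vers("generic", cons), "1.2.0 affected:", is_affected("1.2.0", cons))
```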
Create scanners which would verify whether a codebase is vulnerable to a given vulnerability. Once we know that a vulnerable package is in use, a scanner could check whether the vulnerable code is called, or whether environmental conditions or configuration are conducive to the vulnerability, etc. This could be based on YARA rules, OpenVAS or similar, or on Eclipse Steady and deeper code analysis, static or dynamic.
We can collect exploits and PoCs that can verify whether a codebase is vulnerable to a given package vulnerability. Once we know that a vulnerable package is in use, the exploit could be used to check whether the vulnerable code is effectively being called.