New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Extend benchmark to other languages #67
Comments
Yes. I personally hope to have CVE data for an additional language this year, along with a few associated analysis drivers. But in the short term, I only have various JavaScript improvements planned. For reference: https://github.com/ossf-cve-benchmark/ossf-cve-benchmark#status-and-roadmap
|
Thansk @esbena for the quick reply. For I have a couple more questions: Is the |
I have added #68 for tracking the MSR2019 suggestion. Thanks! (there are a few similar sources around, but this one seems to be particularly accessible)
No
Yes. While the dataset is github.com centric at the momment, it supports other source hosts as well (#2). Your "callable URL" can be constructed on a per-host basis (gitlab, bitbucket, ...). Similarly , the |
Just to say it, at SonarSource, we are really interested to see OpenSSF CVE Benchmark supporting Java, C#, PHP, Python and C. I'm sure we can contribute some CVEs but before doing that, it would be great to have the glue is place so that OpenSSF CVE Benchmark can run properly the scan of compiled languages (Java, C#, C). For PHP and Python I believe its support will be as easy as for JS but for for compiled languages, generally SAST tools need to compile the code to be able to scan it (this is the case for CodeQL and SonarCloud/SonarQube) and I'm sure you will hit this problem: dependencies are not longer reachable and so it's no longer possible to compile this Java project that was having a vuln in 2015. I would like to suggest to create one ticket per language to start to gather interest for that particular language and datasets, CVEs, ... whatever that can help to move forward. |
Great to hear. ❤️
I think the glue to run is there already, but that is beacuse I expect individual drivers to do the heavy lifting, perhaps with some shared logic in the (optional) driver.ts utility. To me, the general problem for compiled languages is the fundamental problem of irreproducible builds (see #125, #126, #127), and that this isn't something that is easily solved with more implementation glue, but rather additional information that is either recorded in the benchmark entries, or externally (an archive.org for builds?).
Please go ahead. As a starting point, the content could perhaps a be list of analysis tools that would be easy to implement drivers for. A link to a large source of CVEs for open source projects in the relevant language would also be relevant. Side-tracking a bit: I have a large amount of useful Java CVE data available, I can transform that to the benchmark format, and test it with the CodeQL driver. That should test the hypothesis that there already is enough glue. Would it be possible for you to easily try such Java benchmark entries on your internal SonarSource driver and report back about general issues? |
Yes, I will be able to work on that after Easter break, no problem. When I'm talking about the glue, I was thinking about:
|
The "does CVE X belong to language Y?" question is hard to answer. We have a simple selector that checks the extension of the mentioned files of a benchmark entry. So to select all javascript CVEs, one could try to use the two selectors
A report for javascript could be generated similarly:
But unless someone implements a smarter report, there will be no grouping by language inside a report that contains CVEs for multiple languages. |
I'm ready to allocate time to test the Java part whenever you are. Just ping me here and I'll work on it. |
@agigleux I can work on the Java bits next week onwards. How does that sound? I initially expect to import a bunch of internally triaged Java CVEs, I will add some Java drivers after that. |
@esbena All good on my side. |
First, I think this benchmark is much needed and can bring great value.
I am personally working on vulnerabilities for
Python
,Java
andC
.Is there is any plan to add support for other languages?
The text was updated successfully, but these errors were encountered: