Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All

2022-11-17

Authors: Jonathan Leitschuh, Patrick Way


Summary

The talk discusses a highly scalable solution for fixing common security vulnerabilities in open source software through automated bulk pull request generation.
  • Hundreds of thousands of human hours are invested every year in finding common security vulnerabilities with relatively simple fixes.
  • Automated creation of thousands of bug reports by itself isn’t useful, & would be even more of a burden on volunteer maintainers of OSS projects.
  • The solution is automated bulk pull request generation, which provides maintainers with information about the vulnerability and a fix in the form of an easily actionable pull request.
  • The speaker generated over 150 pull requests to fix zip slip across the open source ecosystem, primarily in the Java ecosystem.
  • Technologies like CodeQL and OpenRewrite are discussed as tools to aid in this process.
The speaker's journey began with discovering a vulnerability in their employer's Gradle build, which led to the realization that the same vulnerability was present throughout the Java ecosystem, including in projects maintained by organizations like Spring, Apache, Red Hat, and LinkedIn.
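The zip slip fix that the summary refers to is a path containment check on each archive entry before it is written to disk. The following Java snippet is an added illustration of that pattern and is not code from the talk, from OpenRewrite, or from any of the projects that received pull requests; the class name `SafeUnzip`, the helper names and the in-memory sample archive are all constructed for this example. It shows the unchecked resolution beside the hardened one and exercises both against an archive that contains one benign entry and one entry whose name climbs out of the destination directory.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public final class SafeUnzip {

    // Vulnerable pattern (for comparison): the entry name is trusted verbatim, so a name
    // such as "../escape.txt" resolves to a location outside destDir.
    static Path unsafeTarget(Path destDir, ZipEntry entry) {
        return destDir.resolve(entry.getName());
    }

    // Hardened pattern: normalize the resolved path and require it to remain under destDir.
    // Path.startsWith compares whole path components, so "/tmp/out2" is correctly NOT treated
    // as being inside "/tmp/out" (a plain String prefix check would get that wrong).
    static Path safeTarget(Path destDir, ZipEntry entry) throws IOException {
        Path normalizedDest = destDir.toAbsolutePath().normalize();
        Path target = normalizedDest.resolve(entry.getName()).normalize();
        if (!target.startsWith(normalizedDest)) {
            throw new IOException("Zip Slip: entry is outside of the target dir: " + entry.getName());
        }
        return target;
    }

    // Extracts every entry of the stream into destDir, refusing entries that would escape it.
    public static void extract(InputStream in, Path destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target = safeTarget(destDir, entry);
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                }
                zis.closeEntry();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample archive: one benign entry, then one path-traversal entry.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(buf)) {
            zos.putNextEntry(new ZipEntry("docs/readme.txt"));
            zos.write("hello".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../escape.txt"));
            zos.write("should never be written".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }

        Path dest = Files.createTempDirectory("unzip-demo");
        try {
            extract(new ByteArrayInputStream(buf.toByteArray()), dest);
        } catch (IOException e) {
            // Expected: the second entry is rejected by safeTarget.
            System.out.println("Rejected: " + e.getMessage());
        }
        System.out.println("Benign entry extracted: " + Files.exists(dest.resolve("docs/readme.txt")));
        System.out.println("Escape file written:    " + Files.exists(dest.resolveSibling("escape.txt")));
    }
}
```

The benign entry lands under the temporary directory and the traversal entry is refused before any byte of it is written. A CodeQL query for this class of bug looks for exactly the `unsafeTarget` shape (an archive entry name flowing into a file-system path with no containment check), and an OpenRewrite recipe can rewrite that shape into the `safeTarget` shape across many repositories, which is the mechanism behind the bulk pull requests the talk describes.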

Abstract

Hundreds of thousands of human hours are invested every year in finding common security vulnerabilities with relatively simple fixes. These vulnerabilities aren’t sexy, cool, or new, we’ve known about them for years, but they’re everywhere!

The scale of GitHub & tools like CodeQL (GitHub's code query language) enable one to scan for vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing. Simply automating the creation of thousands of bug reports by itself isn’t useful, & would be even more of a burden on volunteer maintainers of OSS projects. Ideally the maintainers would be provided with not only information about the vulnerability, but also a fix in the form of an easily actionable pull request.

When facing a problem of this scale, what is the most efficient way to leverage researcher knowledge to fix the most vulnerabilities across OSS? This talk will cover a highly scalable solution - automated bulk pull request generation. We’ll discuss the practical applications of this technique on real world OSS projects. We’ll also cover technologies like CodeQL & OpenRewrite (a style-preserving refactoring tool created at Netflix & now developed by Moderne). Let’s not just talk about vulnerabilities, let’s actually fix them at scale.

Materials: