OpenCloudOS / Rules4CVE
Auto-generated CodeQL Rules for OSS Vulnerabilities

Background

CodeQL is an industry-leading semantic code analysis engine supported by GitHub. With its rich set of built-in rules covering many programming languages and CWE categories, CodeQL has been used extensively by white-hat security researchers to hunt for vulnerabilities in open-source software (OSS) repositories.

However, locating known CVEs in old code bases remains a difficult task for SAST tools like CodeQL. A large portion of vulnerabilities, especially those found manually by researchers, have a very complicated code context and cannot be matched by general-purpose rules.

This is why we set out to automate the generation of CVE-oriented CodeQL rules.

About patch2ql

patch2ql is our solution, which aims at turning OSS bugfix patches into CodeQL rules (ql). Its basic idea is that the root cause of a code defect is reflected in the patch that fixes it, so by querying for code context similar to that of the unpatched functions, we can locate a code base that is still vulnerable. The matched code may be an out-of-date submodule, a homologous function, or even some other repository that 'borrows' the very same function.

patch2ql is currently under intensive research and development, and many features are still to be tested. This is why it is not yet ready for open-sourcing.

About this repository

This repository holds the auto-generated rules we have produced against some top OSS projects over the course of patch2ql's development. These released rules, organized by their source project and commit ID, can be freely used to analyze any other OSS project that originates from, is forked from, or contains one of the OSS projects whose CVEs we have already covered.

About target OSS and CVEs

For now, we mainly focus on OSS written in C/C++, where package management and SCA techniques do not apply.

To focus on the most important, infrastructure-like OSS, we borrowed the project list from google/oss-fuzz and kept those whose yaml files denote language: c/c++. Besides, since our tool depends on Git commits to revert the code base to specific versions and to generate patches, we currently only support projects hosted or mirrored on a Git platform.

To collect the patching commit IDs for a CVE more easily, we used Ubuntu Security and Red Hat Bugzilla as processed information sources; where possible, they contain the patch URLs of the corresponding upstream OSS. Some projects required more manual handling, such as repositories originally hosted with Mercurial or SVN, whose patch URLs do not contain a Git commit ID.
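As an added example (not patch2ql's own code, which is not public), the two selection steps described above in Python: filtering oss-fuzz style project.yaml files down to C/C++ projects with a Git main_repo, and extracting a Git commit ID from a patch URL where one is present. The project.yaml snippets and patch URLs are constructed samples, and the URL layouts (GitHub/GitLab, cgit, gitweb) are assumptions about common Git hosting, not something the page states.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample project.yaml contents in oss-fuzz style (not real project files).
SAMPLE_PROJECT_YAMLS: Dict[str, str] = {
    "libfoo": "homepage: https://example.org/libfoo\nlanguage: c\nmain_repo: https://github.com/example/libfoo.git\n",
    "barpp": "language: c++\nmain_repo: https://gitlab.com/example/barpp\n",
    "pyproj": "language: python\nmain_repo: https://github.com/example/pyproj\n",
    "svnproj": "language: c\nmain_repo: https://svn.example.org/svnproj/trunk\n",
}

# Only the two top-level keys the selection needs; a full YAML parser is not required for them.
_FIELD = re.compile(r"^(language|main_repo):\s*(\S+)\s*$", re.MULTILINE)

# Assumed hosting layouts that carry a Git commit hash in the patch URL.
_COMMIT_PATTERNS = (
    re.compile(r"/commit/([0-9a-f]{7,40})"),   # GitHub and GitLab: .../commit/<sha>
    re.compile(r"[?&]id=([0-9a-f]{7,40})"),    # cgit: .../commit/?id=<sha>
    re.compile(r"[?;&]h=([0-9a-f]{7,40})"),    # gitweb: ?p=repo.git;a=commitdiff;h=<sha>
)


def parse_project_yaml(text: str) -> Dict[str, str]:
    """Return the language and main_repo values found in a project.yaml body."""
    return {m.group(1): m.group(2).strip("'\"") for m in _FIELD.finditer(text)}


def select_c_cpp_git_projects(yamls: Dict[str, str]) -> List[Tuple[str, str]]:
    """Keep projects with language c/c++ whose main_repo looks Git-hosted (assumed heuristic)."""
    selected = []
    for name, text in yamls.items():
        fields = parse_project_yaml(text)
        if fields.get("language") not in ("c", "c++"):
            continue
        repo = fields.get("main_repo", "")
        looks_git = repo.endswith(".git") or any(h in repo for h in ("github.com", "gitlab.com"))
        if looks_git:
            selected.append((name, repo))
    return selected


def commit_id_from_patch_url(url: str) -> Optional[str]:
    """Extract a Git commit hash from a patch URL; None means manual handling is needed."""
    for pattern in _COMMIT_PATTERNS:
        m = pattern.search(url)
        if m:
            return m.group(1)
    return None  # e.g. Mercurial /rev/ or SVN ?r= URLs, or a distro-side patch file
```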

Since SAST queries/rules go a step further towards finding similar vulnerabilities, we are very careful about open-sourcing our whole store of rules. Rules for only a part of the target OSS are made public, and some of them were generated by an earlier version of patch2ql.

For now, we welcome the maintainers of these OSS projects to contact us to request their rules. The complete set of rules will be made public once we determine that doing so will not greatly lower the security level of the OSS ecosystem as a whole.

Cognate vulnerabilities (0days) and issues found

The rules generated by patch2ql have proved effective in finding cognate vulnerabilities in downstream OSS. It turned out, however, that they are also useful for finding cognate defects in the original upstream project, i.e. defects that share a root cause with historical CVEs. I have not tried it for long, and the list of vulnerabilities found so far is as follows:

  • CVE: CVE-2023-24151, CVE-2023-24152, CVE-2023-24153, CVE-2023-2977, CVE-2023-38559, CVE-2023-38560, CVE-2023-3896 (involving ImageMagick, GhostScript, OpenSC);
  • issues: reports involving OpenSSL, cURL, VIM, graphicsmagick.

License

The CodeQL queries/rules in this repository are licensed under the MIT License.

The tool for generating these rules, i.e. patch2ql, is not ready for publication yet. It may be made public under a separate license.

When using the rules here together with CodeQL CLI to analyze any projects, you should follow the restrictions of CodeQL CLI LICENSE.

Reference

Wang, Fuwei. "Patch2QL: Discover Cognate Defects in Open Source Software Supply Chain With Auto-generated Static Analysis Rules." arXiv preprint arXiv:2401.12443 (2024).

Contact

Technical presentations and explanations are still on their way. To exchange ideas, feel free to contact the maintainer. Any suggestions or collaborations are welcome.

MIT License

Copyright (c) 2023 Fullway Wang

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

About

A collection of source-code scanning rules for checking whether open-source projects and their downstream projects contain unfixed CVE vulnerabilities or their cognate vulnerabilities.