Find patched vulnerabilities where the fix commit is not a change in a version file #5227
For my Bachelor Thesis I am trying to build a Python library to analyze in what way the code complexity (or other metrics) changes when some vuln. is patched. To achieve this I need to find the git commit where a vuln. has been fixed and then do some measurements on the code. When manually going through the data I realized that often the "fix" commit only points to a commit in a JSON/YAML etc. where the version is changed, but not to the fix itself. Is there a way to filter out CVEs where the fix actually points to a patch commit? Or can anybody of you point me in a direction on how to filter out such CVE entries in the database, or what tool/library to use for code analysis? Thanks in advance!
Replies: 1 comment 1 reply
Hi,

Unfortunately, most CVE records only list the release version an issue was fixed in, and not the actual commit it was fixed in.

We do have some CVE records that have versions sourced from git commits. From what I can remember, Linux Kernel vulnerabilities usually include exact commits for patches.

Otherwise, I'm not sure if OSV has a way to tell whether a commit points to an actual patch or a release version. @jess-lowe would know more, but may not be able to get back to you this week.

Our CVE data is mostly converted from the cvelistV5 repo - you may have some luck trying to search commit hashes directly in there, but that might also require some manual verification.

Besides our converted CVEs, we do have some other data providers directly providing us with git ranges, which are probably more likely to point to the exact patches you want, e.g. EEF for Erlang, CURL, PSF for cpython. These might not cover as large a range of different projects, but it may be a good start.

If you'd like to look through these, the best way would probably be to download our data dump of GIT vulnerabilities from https://storage.googleapis.com/osv-vulnerabilities/GIT/all.zip and filter out all the

We also have the

Hopefully this is helpful, and good luck with your thesis!
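One way to do the filtering the reply points at, as an added example that is not part of the discussion and not OSV's own code: walk the records in the GIT data dump, keep only those whose affected ranges are of type `GIT` with a `fixed` event (records that only carry an `ECOSYSTEM` range know a release version, not a commit), and then tag each fix commit as "version bump only" when every file it touched matches a version/changelog file pattern. The OSV schema fields used (`affected[].ranges[].type`, `repo`, `events[].fixed`) are real; the sample records, commit hashes, repo URL and the list of version-file patterns are constructed for illustration, and the `git show --name-only` lookup is an assumption about how you would get changed paths from a local clone.

```python
"""Filter OSV records for GIT fix commits and flag fixes that only bump a version.

Added example, not OSV's code. Assumes the OSV JSON schema layout
affected[].ranges[] with type "GIT", repo, and events[].introduced / events[].fixed.
Sample records and commit hashes below are constructed placeholders.
"""
import json
import re
import subprocess
import zipfile

# Heuristic list (constructed) of files that usually carry only a version bump.
VERSION_FILE_PATTERNS = [
    r"(^|/)package(-lock)?\.json$",
    r"(^|/)pyproject\.toml$",
    r"(^|/)setup\.(py|cfg)$",
    r"(^|/)Cargo\.(toml|lock)$",
    r"(^|/)VERSION(\.txt)?$",
    r"(^|/)version\.(py|txt|json|yaml|yml)$",
    r"(^|/)CHANGELOG(\.md|\.rst)?$",
    r"(^|/)__version__\.py$",
]
_VERSION_RE = re.compile("|".join(VERSION_FILE_PATTERNS), re.IGNORECASE)

# Constructed OSV-style records (ids and hashes are placeholders, not real entries).
SAMPLE_RECORDS = [
    {"id": "OSV-EXAMPLE-0001", "affected": [{"ranges": [
        {"type": "GIT", "repo": "https://github.com/example/example-pkg",
         "events": [{"introduced": "0"}, {"fixed": "deadbeef0001"}]},
        {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.2.1"}]}]}]},
    {"id": "OSV-EXAMPLE-0002", "affected": [{"ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "2.0.0"}]}]}]},
    {"id": "OSV-EXAMPLE-0003", "affected": [{"ranges": [
        {"type": "GIT", "repo": "https://github.com/example/example-lib",
         "events": [{"introduced": "0"}, {"fixed": "deadbeef0002"}]}]}]},
]

# Simulated `git show --name-only` output for the placeholder commits.
SAMPLE_CHANGED_PATHS = {
    "deadbeef0001": ["package.json", "CHANGELOG.md"],          # version bump only
    "deadbeef0002": ["src/parser.c", "tests/test_parser.c"],   # real code change
}


def fix_commits(record):
    """Return (repo, commit) pairs for every 'fixed' event in a GIT range."""
    out = []
    for affected in record.get("affected", []):
        for rng in affected.get("ranges", []):
            if rng.get("type") != "GIT":
                continue
            for event in rng.get("events", []):
                if "fixed" in event:
                    out.append((rng.get("repo", ""), event["fixed"]))
    return out


def is_version_bump_only(changed_paths):
    """True when a commit touched files and all of them look like version/changelog files."""
    paths = [p for p in changed_paths if p]
    return bool(paths) and all(_VERSION_RE.search(p) for p in paths)


def load_git_records(zip_path):
    """Yield OSV records from the GIT all.zip dump (one JSON file per vulnerability)."""
    with zipfile.ZipFile(zip_path) as zf:
        for name in zf.namelist():
            if name.endswith(".json"):
                yield json.loads(zf.read(name))


def changed_paths_from_git(repo_dir, commit):
    """Files touched by a commit in a local clone (needs git; not used by the sample run)."""
    res = subprocess.run(
        ["git", "-C", str(repo_dir), "show", "--name-only", "--pretty=format:", commit],
        capture_output=True, text=True, check=True)
    return [line for line in res.stdout.splitlines() if line.strip()]


def triage(records, changed_paths_lookup):
    """Keep records with GIT fix commits; tag each commit as version bump only, real patch, or unknown."""
    rows = []
    for rec in records:
        for repo, commit in fix_commits(rec):   # records without GIT ranges are skipped
            paths = changed_paths_lookup(commit)
            rows.append({
                "id": rec["id"], "repo": repo, "commit": commit,
                "version_bump_only": is_version_bump_only(paths) if paths else None,
            })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS, lambda c: SAMPLE_CHANGED_PATHS.get(c, [])):
        print(row)
```

For real data, feed `triage` the records from `load_git_records("all.zip")` and a lookup such as `lambda c: changed_paths_from_git(clone_dir, c)` over a local clone of each repo; commits whose changed files cannot be resolved come back as `None` rather than being silently counted as real patches, so they can be verified by hand.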