Link to results: https://docs.google.com/spreadsheets/d/1K8dc6SrSEoqqh46cFisZM1tiN4CigaXsqkCKfCM8UTs/edit#gid=228743971
We first show the work done month over month. This is followed by the cumulative results. Finally we show language specific breakdown of the cumulative results.
| Month | Dec 2023 | Jan 2024 | Feb 2024 | Mar 2024 |
|---|---|---|---|---|
| Projects analyzed | 328 | 300 | 530 | 780 |
| Projects with no bugs | 293 | 279 | 525 | 776 |
| Total bugs filed | 56 | 13 | 7 | 7 |
| Security/Reliability bugs filed | 15 | 8 | 6 | 5 |
| Bugs with a fix suggestion | 50 | 10 | 2 | 2 |
| Bugs with a PoC exploit | 4 | 1 | 2 | 3 |
| Fixes merged by maintainers | 27 | 10 | 5 | 3 |
| Security/Reliability fixes merged | 6 | 6 | 2 | 1 |
| Fixes ignored by maintainers | 1 | 1 | 1 | 0 |
| Reports still open | 28 | 2 | 1 | 4 |
| Month | Dec 2023 | Jan 2024 | Feb 2024 | Mar 2024 |
|---|---|---|---|---|
| Weak Crypto | 8 | 8 | 8 | 8 |
| Data Race | 2 | 5 | 5 | 5 |
| XSS | 5 | 5 | 7 | 8 |
| Log Injection | 4 | 4 | 4 | 4 |
| Path Manipulation | 0 | 0 | 3 | 5 |
| Insecure Deserialization | 2 | 2 | 2 | 2 |
| OS Command Injection | 0 | 0 | 0 | 2 |
| Inappropriate umask | 1 | 1 | 1 | 1 |
| Open Redirect | 0 | 1 | 1 | 1 |
| Security Misconfiguration | 1 | 1 | 1 | 1 |
| Sensitive Data Leak | 1 | 1 | 1 | 1 |
| SSRF | 1 | 1 | 1 | 1 |
| TOTAL | 25 | 29 | 34 | 39 |
- A high severity bug is any one of the following: (1) An injection related bug, (2) a weak cryptography related bug, (3) an access control related bug (4) a security or a reliability bug that is typically of medium priority but has been categorized as a high prioriy bug because it is found in a popular project (100+ forks).
| Month | Aug 2023 | Sep 2023 | Oct 2023 | Nov 2023 | Dec 2023 | Jan 2024 | Feb 2024 | Mar 2024 |
|---|---|---|---|---|---|---|---|---|
| Projects analyzed | 132 | 458 | 809 | 1,079 | 1,407 | 1,707 | 2,237 | 3,017 |
| Projects with no bugs | 98 | 398 | 718 | 938 | 1,231 | 1,510 | 2,035 | 2,811 |
| Total bugs filed | 33 | 75 | 113 | 168 | 224 | 237 | 244 | 251 |
| Security/Reliability bugs filed | 12 | 23 | 43 | 79 | 94 | 102 | 108 | 113 |
| Total high severity bugs filed* | - | - | - | - | 25 | 29 | 34 | 39 |
| Bugs with a fix suggestion | 26 | 64 | 94 | 140 | 190 | 200 | 202 | 204 |
| Bugs with a PoC exploit | 6 | 13 | 18 | 22 | 26 | 27 | 29 | 32 |
| Fixes merged by maintainers | 15 (45%) | 38 (51%) | 54 (48%) | 76 (45.3%) | 103 (46%) | 113 (47.7%) | 118 (48.4%) | 121 (48.2%) |
| Security/Reliability fixes merged | Not measured | Not measured | 13 (30%) | 25 (31.6%) | 31 (32.9%) | 37 (36.2%) | 39 (36.1%) | 40 (35.4%) |
| Fixes ignored by maintainers | Not measured | 8 (11%) | 7 (6%) | 9 (5.3%) | 10 (4.5%) | 11 (4.6%) | 12 (4.9%) | 12 (4.78%) |
| Reports still open | Not measured | 29 (39%) | 52 (46%) | 83 (49.4%) | 111 (49.5%) | 113 (47.7%) | 114 (46.7%) | 118 (47.01%) |
| Language | Python | Java | Go | TOTAL |
|---|---|---|---|---|
| # of total projects analyzed | 2,700 | 190 | 127 | 3,017 |
| # of total zerofix projects | 2,530 | 170 | 111 | 2,811 |
| # of total bugs filed | 205 | 22 | 24 | 251 |
| # of total security/reliablity bugs filed | 90 | 12 | 11 | 113 |
| # of total bugs with fix suggestion | 178 | 6 | 20 | 204 |
| # of total POC exploit | 26 | 5 | 1 | 32 |
| # of total merged fixes | 102 | 6 | 13 | 121 |
| # of total merged security/reliability fixes | 29 | 3 | 8 | 40 |
| # of total ignored/rejected fixes | 10 | 1 | 1 | 12 |
| # of total open fixes | 93 | 15 | 10 | 118 |
Link to attestations: https://github.com/OpenRefactory-Inc/attestations
| Month | Mar 2024 |
|---|---|
| Total # of Unique Projects | 16 |
| Total # of Unique Releases/Versions | 75 |
| Total # of Generated Attestations | 75 |
Below is an example of the attestation JSON that we are generating. Here, as the subject field, we are using the archive (ZIP) of each release's source code. As for the predicate field, we're using the Cosign Vuln. Attestation Spec. Right now, inside the predicate.scanner.result field, we're storing two fields- bugs and summary. The bugs field contains the list of bugs found in that specific version of the project, and the summary field contains messages and total number of bugs.
We're using Cosign/Sigstore to sign and verify the attestation. As for the final format/schema of the attestaion, we're open to suggestions.
{
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://cosign.sigstore.dev/attestation/vuln/v1",
"subject": [
{
"name": "1.34.29.zip",
"digest": {
"sha256": "5e5552fc6f4fef6ad8c9724577bc6547034adf10f962c8340ca891f8a6d3e8f9"
}
}
],
"predicate": {
"invocation": {
"parameters": null,
"uri": "",
"event_id": "",
"builder.id": ""
},
"scanner": {
"uri": "https://www.openrefactory.com/",
"version": "1.0.0",
"db": {
"uri": "",
"version": ""
},
"result": {
"bugs": [],
"summary": {
"message": "This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation's Project Alpha-Omega. The bug is found by running the Intelligent Code Repair (iCR) tool by OpenRefactory and then manually triaging the results.",
"totalBugs": 0
}
}
},
"metadata": {
"scanStartedOn": "2024-03-22T11:44:55.463Z",
"scanFinishedOn": "2024-03-22T11:51:56.408Z"
}
}
}