Published May 25, 2023 | Version v4
Video/Audio Open

[Tool demo] Prospector: a Tool to Find Fixes to Known Vulnerabilities of Open-Source Projects

  • 1. SAP Security Research
  • 2. FrontEndART Ltd
  • 3. University of Trento, VU Amsterdam
  • 4. University of Trento
  • 5. TomTom
  • 6. VU Amsterdam
  • 7. SEARCH-LAB Ltd

Description


>>>> TOOL DEMO SCREENCAST: please download file tool_demo_final.mp4. <<<<


ABSTRACT: Though vulnerability databases are key for monitoring known vulnerabilities in open-source projects, they rarely contain information about the code changes that fix the flaws they describe. Finding them is time-consuming and error-prone as it involves the analysis of multiple, unstructured resources. 

In this paper we present Prospector, a tool that supports mapping vulnerability advisories from vulnerability databases onto the corresponding fix in the source code. Prospector employs a set of heuristics that mimics and automates the strategies that would be employed by human security experts.

Given an advisory expressed in natural language, Prospector processes the commits found in the target source code repository, ranks them based on a set of predefined rules, and produces a report that the user can inspect to determine which commits to retain as the actual fix. The tool is publicly available and is released under the Apache 2.0 license.
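The abstract describes rule-based ranking of commits against an advisory without listing the rules. The sketch below is an added illustration of that idea, not Prospector's code or its actual rule set: it scores a constructed advisory against constructed commits with hypothetical rules (advisory id in the commit message, shared tokens, a file-path token match, and date proximity) and returns the ranked report a reviewer would inspect.

```python
import re
from datetime import date

# Constructed sample input; the identifier is a placeholder, not a real CVE.
ADVISORY = {
    "id": "CVE-0000-0000",
    "published": date(2023, 5, 1),
    "description": "Path traversal in the archive extractor allows reading files "
                   "outside the target directory via crafted entry names.",
}
COMMITS = [
    {"hash": "a1", "date": date(2023, 4, 28), "message": "Bump version to 1.2.3",
     "files": ["setup.py"]},
    {"hash": "b2", "date": date(2023, 4, 29),
     "message": "Reject archive entry names containing .. to prevent path traversal",
     "files": ["src/extractor.py", "tests/test_extractor.py"]},
    {"hash": "c3", "date": date(2022, 1, 10), "message": "Refactor extractor directory handling",
     "files": ["src/extractor.py"]},
    {"hash": "d4", "date": date(2023, 5, 2), "message": "Fix typo in README",
     "files": ["README.md"]},
]
STOPWORDS = {"in", "the", "to", "of", "via", "and", "allows", "outside", "files"}

def tokens(text):
    """Lower-cased word tokens with stopwords dropped; '_', '/', '.' act as separators."""
    return {t for t in re.findall(r"[a-z][a-z0-9]+", text.lower()) if t not in STOPWORDS}

def score_commit(advisory, commit, window_days=90):
    """Apply the hypothetical rules; return (score, names of rules that fired)."""
    adv_tokens = tokens(advisory["description"])
    matched, score = [], 0
    if advisory["id"].lower() in commit["message"].lower():      # strongest signal
        matched.append("ADV_ID_IN_MSG"); score += 50
    shared = adv_tokens & tokens(commit["message"])               # vocabulary overlap
    if shared:
        matched.append("SHARED_TOKENS:" + ",".join(sorted(shared))); score += 10 * len(shared)
    if any(tokens(f) & adv_tokens for f in commit["files"]):      # component named in advisory
        matched.append("PATH_TOKEN_MATCH"); score += 15
    if abs((advisory["published"] - commit["date"]).days) <= window_days:
        matched.append("DATE_NEAR_PUBLICATION"); score += 5
    return score, matched

def rank_commits(advisory, commits):
    """Report: list of (hash, score, matched rules), best candidate first."""
    scored = [(c["hash"], *score_commit(advisory, c)) for c in commits]
    return sorted(scored, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    for row in rank_commits(ADVISORY, COMMITS):
        print(row)
```

The human reviewer still decides: the report only orders candidates and shows why each one scored as it did.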

Files (121.2 MB)

  • demo_description.pdf
  • 60.1 kB, md5:b8f49d59c90ae8dc2b7a00a52c4d2645
  • 121.1 MB, md5:36f2eeb86d8ea4f58ec0bb0cdcaf924e

Additional details

Funding

AssureMOSS: Assurance and certification in secure Multi-party Open Software and Services (grant agreement 952647)
European Commission