Published May 25, 2023 | Version v1
Video/Audio Open

[Tool demo] Prospector: a Tool to Find Fixes to Known Vulnerabilities of Open-Source Projects

  • 1. SAP Security Research
  • 2. FrontEndART Ltd
  • 3. University of Trento, VU Amsterdam
  • 4. University of Trento
  • 5. TomTom
  • 6. VU Amsterdam
  • 7. SEARCH-LAB Ltd

Description

Though vulnerability databases are key for monitoring known vulnerabilities in open-source projects, they rarely contain information about the code changes that fix them. Finding those changes manually is time-consuming and error-prone, as it requires consulting multiple, unstructured resources.

In this paper we present Prospector, a tool that supports mapping vulnerability advisories from vulnerability databases onto the corresponding fix in the source code. Prospector employs a set of heuristics that mimics and automates the strategies a human security expert would follow.

Given an advisory expressed in natural language, Prospector processes the commits found in the target source code repository, ranks them based on a set of predefined rules, and produces a report that the user can inspect to determine which commits to retain as the actual fix. The tool is publicly available and is released under the Apache 2.0 license.
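To make the rule-based ranking concrete, here is an added toy example (not Prospector's own code) that scores commits against an advisory with four illustrative rules: the commit message cites the advisory identifier, shares descriptive terms with the advisory, touches a file whose name the advisory mentions, or was authored shortly before the advisory was published. The advisory, the placeholder identifier and the commits are all constructed for the example.

```python
import re
from datetime import date

# Constructed sample input; CVE-0000-00000 is a placeholder, not a real identifier.
ADVISORY = {
    "id": "CVE-0000-00000",
    "published": date(2023, 3, 10),
    "text": "Path traversal in FileServlet allows reading files outside the web root "
            "via a crafted request; fixed in version 2.4.1.",
}
COMMITS = [
    {"sha": "a1", "date": date(2023, 3, 8), "files": ["src/FileServlet.java"],
     "msg": "Fix path traversal in FileServlet (CVE-0000-00000)"},
    {"sha": "b2", "date": date(2023, 1, 2), "files": ["src/Log.java"],
     "msg": "Refactor logging"},
    {"sha": "c3", "date": date(2023, 3, 9), "files": ["src/FileServlet.java", "src/PathUtil.java"],
     "msg": "Normalize paths before serving files"},
    {"sha": "d4", "date": date(2022, 6, 1), "files": ["pom.xml"],
     "msg": "Bump version to 2.4.1"},
]
# Generic words that would otherwise match almost any commit message.
STOPWORDS = {"allows", "fixed", "version", "via", "the", "in", "a"}

def terms(text):
    """Lower-cased descriptive words of at least four letters, minus stopwords."""
    return {w.lower() for w in re.findall(r"[A-Za-z]+", text)
            if len(w) >= 4 and w.lower() not in STOPWORDS}

# Each rule returns (points, explanation); points 0 means the rule did not fire.
def rule_cites_id(adv, c):
    hit = adv["id"].lower() in c["msg"].lower()
    return (5 if hit else 0, "message cites advisory id")

def rule_shared_terms(adv, c):
    shared = terms(adv["text"]) & terms(c["msg"])
    return (len(shared), "shared terms: " + ", ".join(sorted(shared)))

def rule_touches_named_file(adv, c):
    names = set(re.findall(r"\b[A-Z][a-z]+[A-Z]\w*", adv["text"]))  # CamelCase names
    hit = any(n in p for n in names for p in c["files"])
    return (3 if hit else 0, "touches file named in advisory")

def rule_close_in_time(adv, c):
    days = (adv["published"] - c["date"]).days
    return (2 if 0 <= days <= 30 else 0, f"committed {days} days before publication")

RULES = [rule_cites_id, rule_shared_terms, rule_touches_named_file, rule_close_in_time]

def rank_commits(adv, commits):
    """Return [(sha, score, [reasons])] sorted by descending score (stable on ties)."""
    ranked = []
    for c in commits:
        fired = [r(adv, c) for r in RULES]
        reasons = [why for pts, why in fired if pts]
        ranked.append((c["sha"], sum(pts for pts, _ in fired), reasons))
    return sorted(ranked, key=lambda t: t[1], reverse=True)

if __name__ == "__main__":  # report for a human reviewer to inspect
    for sha, score, reasons in rank_commits(ADVISORY, COMMITS):
        print(f"{sha}  score={score:2d}  " + "; ".join(reasons))
```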

Files

tool_demo_final.mp4 (45.1 MB, md5: 1786342717e35e6f67b071ede476c342)

Additional details

Funding

European Commission
AssureMOSS - Assurance and certification in secure Multi-party Open Software and Services (grant 952647)