SecureSECO / SearchSECOController

GNU Affero General Public License v3.0

Problems in vulnerability detection process #35

Open ElenaBaninemeh opened 1 year ago

ElenaBaninemeh commented 1 year ago

I checked two projects using the "check" command for vulnerability detection, including "open-cv" and "roslyn" a few days ago, and I didn't get any results. I realized that the servers do not work correctly.

I checked the monitoring of one of the servers today, and as you can see in the screenshot, the checking command is still running for those projects for 191 hours and 204 hours, and they consumed almost all of the resources; and I think it's the main reason that the servers aren't responsive. I killed the process, but the problem hasn't been solved.

[Screenshot of the server monitoring dashboard, taken 2022-10-01]

So, the current problems are as follows:

  1. The portal doesn't work even after killing the processes.
  2. When I use the "check" command for vulnerability detection, it can't connect to science-vs295 and science-vs313.
  3. SearchSECO can't complete the detection process, and it can't even terminate the process.

slingerbv commented 1 year ago

I'm not completely sure what the problem is, but some kind of monitoring for these processes would be good to have. The least we can do, when the database doesn't come back with any result, is say "Database timed out" or something like that.

Furthermore, it would be great to get some progress tracking, so that we know how far along it is, for instance on a per method or per file basis. I'll turn this into a new bounty.

ElenaBaninemeh commented 1 year ago

I ran SearchSECO on the local machine through Docker, then used the "check" command to check the vulnerability of a project (for instance, roslyn). By running this command, SearchSECO looks for vulnerabilities based on matching methods. It compares the methods of the project with all the methods in the databases. You can access more details regarding the commands in the following link: https://github.com/SecureSECO/SearchSECOController/blob/master/Documentation/User_Manual.pdf Yes, it's a screenshot of monitoring the science-vs295 server.

  1. The latest master branch
  2. Do you want the logs of the Docker container or the logs of the servers?

slingerbv commented 1 year ago

Damn. I can't share much. What is it you need precisely? I can get logs, so many logs...

slingerbv commented 1 year ago

Yeah, probably around the time we were in Belgium, that was 12 September

On Sat, Oct 15, 2022 at 8:31 PM abebeos @.***> wrote:

a few days ago

@ElenaBaninemeh, you did those failing checks around 3 weeks ago.

Did you run those checks successfully before? And if yes, when was this?
