
"Next case study" ideas #975

Open
andymeneely opened this issue Oct 7, 2022 · 5 comments
Labels: contribution-pipeline (Any issues related to making it easier for people to contribute to VHP in any way.), decision (Something we need to meet and talk about)

Comments

andymeneely (Collaborator) commented Oct 7, 2022

Let's use this issue to track our ideas for "next case studies".

For each case study idea that someone has proposed, answer the following and check off as appropriate.

- **Recognizable** Is this a recognizable OSS project? Will people see it as representative of successful (enough) software engineering?
- **Enough vulns** Do they have a lot of vulnerabilities? For a 331 section to curate this, we'll need 30 students * 3 vulnerabilities, so 90 vulnerabilities. It could have fewer, of course, but that's a good yardstick.
- **Traceability** Does it have good traceability between CVE and git fix?
- **Easy updates** Are new vulnerabilities reported in a way that makes updating later on easier?
- **Manageable** Is the source code easily available? Is the codebase so gigantic that it'll be unmanageable? (e.g. chromium's problem)
- **Acknowledge** Does the team actually acknowledge their vulnerabilities? If it's ONLY in CVEDetails or whatever, then we could run into integrity problems.
- **Understandable** Would curators be able to reasonably understand the code?
- **Famous Vulns** Have there been any famous vulnerabilities in this project?

Answers: ✅ ❌ ❔

Template:

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

OpenSSL

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

OpenJDK

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

PHP

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

Wireshark

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

ImageMagick

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

Log4j

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

Firefox

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

MySQL

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

PostgreSQL

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

Git

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

GitLab

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

cURL and libcurl

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

flask

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

libpng

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

linux kernel

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

openssh

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

node.js

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

numpy

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

opencv

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

rust

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

gzip

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

wordpress

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

tensorflow

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

glibc

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

bash

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

binutils

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

libxml2

| Answer | Criterion | Reasoning |
|---|---|---|
| | Recognizable | TBD |
| | Enough vulns | TBD |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

@andymeneely andymeneely added the decision Something we need to meet and talk about label Oct 7, 2022
andymeneely (Collaborator, Author) commented:

Idea: SQLite

andymeneely (Collaborator, Author) commented:

Microsoft's .NET CORE framework

TrevBid (Contributor) commented Mar 7, 2023

Firefox

| Answer | Criterion | Reasoning |
|---|---|---|
| Yes | Recognizable | Popular web browser |
| Yes | Enough vulns | 2513 according to CVEDetails |
| No | Traceability | I haven't seen many linkages between Git commits and the CVEs |
| Yes | Easy updates | TBD |
| No | Manageable | Very large repo |
| Yes | Acknowledge | https://www.mozilla.org/en-US/security/ |
| Yes | Understandable | Very large repo; it's understandable but can be challenging to put things together |
| Yes | Famous vuln | CVE-2022-26485 and CVE-2022-26486 |

TrevBid (Contributor) commented Mar 7, 2023

GZIP

| Answer | Criterion | Reasoning |
|---|---|---|
| Yes | Recognizable | Was once a very popular archiving tool |
| No | Enough vulns | 10 according to CVEDetails |
| | Traceability | TBD |
| | Easy updates | TBD |
| | Manageable | TBD |
| | Acknowledge | TBD |
| | Understandable | TBD |
| | Famous vuln | TBD |

Stopped research after finding that there aren't enough vulns.

TrevBid (Contributor) commented Mar 8, 2023

binutils

| Answer | Criterion | Reasoning |
|---|---|---|
| No | Recognizable | Relative to the other projects, it's probably not as well known unless you're a developer |
| Yes | Enough vulns | 199 according to CVEDetails, but there may not be many interesting ones since the sample size is small |
| Yes | Traceability | From observation, the person putting in the fixing commit will comment the link to it. But it is up to the person to do so. |
| Yes | Easy updates | Everything is tracked on sourceware.org or Bugzilla |
| Yes | Manageable | Git clone of the source repo |
| Yes | Acknowledge | The discussions are open and available |
| Yes | Understandable | N/A |
| No | Famous vuln | N/A |

@andymeneely andymeneely added the contribution-pipeline Any issues related to making it easier for people to contribute to VHP in any way. label Nov 2, 2023