jakub014 / CG-dependency-analyzer


Find vulnerable dependencies & vulnerable methods in those dependencies #6

Open tudorpopovici1 opened 3 years ago

tudorpopovici1 commented 3 years ago
  1. For each project’s dependency, query the ‘package_versions’ table to find out whether that dependency is vulnerable
  2. Query ‘callables’ table to find the vulnerable methods in that vulnerable dependency
nmook commented 3 years ago

Get vulnerable deps for a given package name and version (Maven coordinate)

```sql
SELECT DISTINCT pac2.package_name AS vulnerable_dep
FROM    dependencies AS dep,
        packages AS pac1,
        packages AS pac2,
        package_versions AS ver1,
        (   -- ids of packages that have at least one version carrying a 'vulnerabilities' key
            SELECT package_id AS vulid
            FROM package_versions, packages
            WHERE package_versions.package_id = packages.id AND metadata ? 'vulnerabilities'
        ) AS vul
WHERE
        pac1.id = ver1.package_id AND          -- a package joins its version rows via package_id, not ver1.id
        pac1.package_name = 'ai.tock:tock-translator-noop' AND
        ver1.version = '0.8.0' AND
        dep.package_version_id = ver1.id AND   -- restrict to this version's own dependency rows (column name assumed from the FASTEN schema)
        dep.dependency_id = vulid AND
        vulid = pac2.id;
```
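Both steps of the plan in the first comment (vulnerable dependencies from `package_versions`, then the vulnerable callables inside each one) can be exercised end to end against an in-memory SQLite stand-in for the tables. This is an added example, not code from the issue or from the FASTEN project: the schema is a simplified stand-in, the `dependencies.package_version_id` and `callables.package_version_id` link columns are assumptions, every row and the CVE id are constructed placeholders, and SQLite's `json_extract(...) IS NOT NULL` stands in for the Postgres `metadata ? 'vulnerabilities'` key-exists test used in the query above.

```python
import json
import sqlite3

# Simplified stand-in for the FASTEN metadata tables (assumption, not the real schema).
# Column names that appear in the issue's query are kept; the package_version_id
# link columns on dependencies and callables are assumed for this example.
SCHEMA = """
CREATE TABLE packages (id INTEGER PRIMARY KEY, package_name TEXT NOT NULL);
CREATE TABLE package_versions (id INTEGER PRIMARY KEY, package_id INTEGER NOT NULL,
                               version TEXT NOT NULL, metadata TEXT NOT NULL);
CREATE TABLE dependencies (package_version_id INTEGER NOT NULL, dependency_id INTEGER NOT NULL);
CREATE TABLE callables (id INTEGER PRIMARY KEY, package_version_id INTEGER NOT NULL,
                        fasten_uri TEXT NOT NULL, metadata TEXT NOT NULL);
"""

# Constructed sample rows; CVE-0000-00000 is a placeholder id, not a real advisory.
VULN = json.dumps({"vulnerabilities": {"CVE-0000-00000": {"severity": "HIGH"}}})
CLEAN = json.dumps({})
SAMPLE_ROWS = {
    "packages": [(1, "org.example:app"), (2, "org.example:parser-lib"), (3, "org.example:safe-lib")],
    "package_versions": [(10, 1, "1.0.0", CLEAN), (20, 2, "2.3.1", VULN), (30, 3, "1.1.0", CLEAN)],
    "dependencies": [(10, 2), (10, 3)],  # app 1.0.0 depends on parser-lib and safe-lib
    "callables": [
        (100, 20, "fasten://mvn!org.example:parser-lib$2.3.1/org.example/Parser.parse()", VULN),
        (101, 20, "fasten://mvn!org.example:parser-lib$2.3.1/org.example/Parser.version()", CLEAN),
        (102, 30, "fasten://mvn!org.example:safe-lib$1.1.0/org.example/Safe.run()", CLEAN),
    ],
}

# Step 1: dependencies of one package version whose own version rows carry vulnerabilities.
VULNERABLE_DEPS_SQL = """
SELECT DISTINCT pac2.package_name
FROM package_versions AS ver1
JOIN packages AS pac1 ON pac1.id = ver1.package_id
JOIN dependencies AS dep ON dep.package_version_id = ver1.id
JOIN packages AS pac2 ON pac2.id = dep.dependency_id
JOIN package_versions AS ver2 ON ver2.package_id = pac2.id
WHERE pac1.package_name = ? AND ver1.version = ?
  AND json_extract(ver2.metadata, '$.vulnerabilities') IS NOT NULL
ORDER BY pac2.package_name
"""

# Step 2: callables of a vulnerable dependency that are themselves flagged.
VULNERABLE_CALLABLES_SQL = """
SELECT c.fasten_uri, json_extract(c.metadata, '$.vulnerabilities')
FROM callables AS c
JOIN package_versions AS pv ON pv.id = c.package_version_id
JOIN packages AS p ON p.id = pv.package_id
WHERE p.package_name = ?
  AND json_extract(c.metadata, '$.vulnerabilities') IS NOT NULL
ORDER BY c.fasten_uri
"""


def build_sample_db():
    """Create the in-memory stand-in database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        # Table names come from the constant above, never from user input.
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    conn.commit()
    return conn


def vulnerable_dependencies(conn, package_name, version):
    """Step 1: names of vulnerable dependencies of the given package version."""
    rows = conn.execute(VULNERABLE_DEPS_SQL, (package_name, version)).fetchall()
    return [r[0] for r in rows]


def vulnerable_methods(conn, dep_name):
    """Step 2: flagged callables (FASTEN URI plus parsed vulnerability metadata) of one dependency."""
    rows = conn.execute(VULNERABLE_CALLABLES_SQL, (dep_name,)).fetchall()
    return [{"uri": uri, "vulnerabilities": json.loads(meta)} for uri, meta in rows]


def analyze(conn, package_name, version):
    """Combine both steps: vulnerable dependency -> its vulnerable methods."""
    return {dep: vulnerable_methods(conn, dep)
            for dep in vulnerable_dependencies(conn, package_name, version)}


if __name__ == "__main__":
    db = build_sample_db()
    print(json.dumps(analyze(db, "org.example:app", "1.0.0"), indent=2))
```

Both queries bind the coordinate as parameters rather than splicing it into the SQL, which matters once the package name comes from a POM or CLI argument; the `DISTINCT` in step 1 mirrors the issue's query, since a package with several flagged versions would otherwise be reported once per version.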
nmook commented 3 years ago

The following Python program produced the set of vulnerable Fasten URIs in the CVEs in /mnt/fasten/vuln/consumer/lima-statements/. Results are in src/main/resources/VulnerableUris.txt.

```python
import json
import os

v_dir = '/mnt/fasten/vuln/consumer/lima-statements/'
o_path = '/home/nmook/output.txt'

for v_filename in os.listdir(v_dir):

    # For each file in v_dir, open and load its JSON statement
    v_filepath = os.path.join(v_dir, v_filename)
    with open(v_filepath) as v_file:
        data = json.load(v_file)

    # If vulnerable_fasten_uris is present and non-empty, append its contents to the
    # output file at o_path (the original opened 'output.txt' in the working directory
    # and never used o_path)
    v_list = data.get('vulnerable_fasten_uris')
    if v_list:
        with open(o_path, 'a') as o_file:
            for f_uri in v_list:
                o_file.write(f_uri + '\n')
```