ossf / wg-security-tooling

OpenSSF Security Tooling Working Group
https://openssf.org
Apache License 2.0

Phylum Vulnerability Reachability Project #67

Open MikV47 opened 3 months ago

MikV47 commented 3 months ago

Overview: Phylum has developed a reachability tool to perform call graph analysis in order to identify whether or not a particular vulnerability is reachable. This tool currently works for the JavaScript programming language, and is functionally database-agnostic, enabling any vendor to provide their preferred catalogue of findings and prune/annotate false positives. This is currently the cutting edge of the Software Composition Analysis (SCA) space, and as such, is quickly becoming a necessary feature in order to effectively compete.

Requirements for Implementation: In order to integrate and utilize this tool, the following steps must be completed:
· Integration with an SCA Capability - Phylum’s vuln-reach tool needs to be integrated with an existing SCA product, and will need to receive the following bits of information:
  o Vulnerability information
  o Target files & packages to analyze
  o Vulnerability location data
· Vulnerability Location Data - Vulnerability location data will need to be provided to match the vulnerability database being utilized. This will enable the vuln reachability tool to connect the two when analyzing a candidate codebase. The location data must be specific to the vulnerability dataset used - Phylum has some tools that can assist in automating this process.

How it Integrates: The Phylum vuln reachability solution can be integrated in a variety of ways:
· Standalone CLI - a CLI utility to showcase the capability currently exists, and could operate as part of a suite of other tools.
· Library - The tool can also be packaged as a shared library to simplify integration with any product from a client perspective.
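The call-graph reachability check described in the overview, fed with the three inputs listed under "Requirements for Implementation" (vulnerability information, target packages to analyze, and vulnerability location data), as an added example that is not Phylum's vuln-reach code and not part of the original issue. The package name `left-trim`, the advisory IDs, the source snippets and the `package:function` node-id format are all constructed for illustration; the extractor is a deliberately simplistic regex pass that only understands top-level `function` declarations and `const x = require("pkg")` aliases, where a real tool would parse the AST.

```javascript
// Added example (not Phylum's vuln-reach code). Toy call-graph reachability
// check: build a call graph from JavaScript sources, then ask whether an
// advisory's vulnerable symbol is reachable from the application's entry points.

// Constructed sources keyed by package name. "app" is the candidate codebase;
// "left-trim" is a made-up dependency whose trimUnsafe() is the advisory's location.
const SOURCES = {
  app: `
const lt = require("left-trim");
function main() { return handleRequest(" hi "); }
function handleRequest(s) { return lt.trimSafe(s); }
`,
  "left-trim": `
function helper(s) { return String(s); }
function trimSafe(s) { return helper(s).replace(/^\\s+/, ""); }
function trimUnsafe(s) { return helper(s).replace(/^\\s*/, ""); }
module.exports = { trimSafe, trimUnsafe };
`,
};

// Build caller -> callees edges. Node ids are "package:function" (an assumption).
function buildCallGraph(sources) {
  const graph = {};
  const declRe = /function\s+([A-Za-z_$][\w$]*)\s*\(/g;
  const requireRe = /(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*require\(["']([^"']+)["']\)/g;
  const callRe = /\b(?:([A-Za-z_$][\w$]*)\.)?([A-Za-z_$][\w$]*)\s*\(/g;

  // Pass 1: register every declared function so cross-package calls resolve.
  const declared = {};
  for (const [pkg, src] of Object.entries(sources)) {
    declared[pkg] = new Set();
    for (const m of src.matchAll(declRe)) {
      declared[pkg].add(m[1]);
      graph[`${pkg}:${m[1]}`] = new Set();
    }
  }
  // Pass 2: within each function body, keep only calls to known functions.
  // Anything else (String(), .replace(), require()) is ignored as not in scope.
  for (const [pkg, src] of Object.entries(sources)) {
    const aliases = {}; // local name -> required package
    for (const m of src.matchAll(requireRe)) aliases[m[1]] = m[2];
    const decls = [...src.matchAll(declRe)];
    decls.forEach((d, i) => {
      const end = i + 1 < decls.length ? decls[i + 1].index : src.length;
      const body = src.slice(d.index + d[0].length, end);
      for (const c of body.matchAll(callRe)) {
        const [, obj, name] = c;
        let target = null;
        if (obj && aliases[obj] && declared[aliases[obj]]?.has(name)) target = `${aliases[obj]}:${name}`;
        else if (!obj && declared[pkg].has(name)) target = `${pkg}:${name}`;
        if (target) graph[`${pkg}:${d[1]}`].add(target);
      }
    });
  }
  return graph;
}

// Breadth-first search from an entry point; returns the call path or null.
function findPath(graph, entry, target) {
  const prev = new Map([[entry, null]]);
  const queue = [entry];
  while (queue.length) {
    const cur = queue.shift();
    if (cur === target) {
      const path = [];
      for (let n = cur; n !== null; n = prev.get(n)) path.unshift(n);
      return path;
    }
    for (const next of graph[cur] ?? []) {
      if (!prev.has(next)) { prev.set(next, cur); queue.push(next); }
    }
  }
  return null;
}

// Combine the SCA signal (package present) with reachability (symbol called).
// reachable === null means the location data did not match anything in the
// graph, so the finding cannot be pruned and should be kept, not dropped.
function assessVulnerability(sources, entries, vuln) {
  const installed = Object.prototype.hasOwnProperty.call(sources, vuln.package);
  if (!installed) return { id: vuln.id, installed: false, reachable: false, path: null };
  const graph = buildCallGraph(sources);
  const target = `${vuln.package}:${vuln.location.symbol}`;
  if (!(target in graph)) return { id: vuln.id, installed: true, reachable: null, path: null };
  for (const entry of entries) {
    const path = findPath(graph, entry, target);
    if (path) return { id: vuln.id, installed: true, reachable: true, path };
  }
  return { id: vuln.id, installed: true, reachable: false, path: null };
}

// Constructed advisories: EX-1 is a plain SCA hit that reachability prunes,
// EX-2 is actually reachable, EX-3 has location data that does not match.
const ENTRIES = ["app:main"];
const PRUNED = assessVulnerability(SOURCES, ENTRIES, { id: "EX-1", package: "left-trim", location: { symbol: "trimUnsafe" } });
const REACHED = assessVulnerability(SOURCES, ENTRIES, { id: "EX-2", package: "left-trim", location: { symbol: "trimSafe" } });
const UNMATCHED = assessVulnerability(SOURCES, ENTRIES, { id: "EX-3", package: "left-trim", location: { symbol: "nonexistent" } });
```

The point the output makes is the one in the overview: `left-trim` is installed either way, so a version-only SCA scan flags both EX-1 and EX-2, but only EX-2 has a call path (`app:main` to `app:handleRequest` to `left-trim:trimSafe`) and EX-1 can be annotated as unreachable. EX-3 shows why the location data must match the vulnerability dataset: an advisory whose symbol is not in the graph yields no decision, and a practitioner should keep such a finding rather than silently pruning it.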

ware commented 3 weeks ago

Is this redundant to TAC PR#388 (https://github.com/ossf/tac/pull/388)? How are we doing with meeting the Sandbox requirements (https://github.com/ossf/tac/blob/main/process/project-lifecycle.md#sandbox)? Specifically having maintainers from multiple organizations?

MikV47 commented 3 weeks ago

Yes, this was the first post we were asked to make prior to TAC PR#388. We have not yet found additional maintainers.
