Add OpenRefactory December 2024 Report #453

1 change: 1 addition & 0 deletions alpha/engagements/2024/OpenRefactory/README.md
Expand Up @@ -40,6 +40,7 @@ This engagement started in July 2023. Reports for 2023 are available here: https
* [September 2024](update-2024-09.md)
* [October 2024](update-2024-10.md)
* [November 2024](update-2024-11.md)
* [December 2024](update-2024-12.md)

## Primary Contacts

104 changes: 104 additions & 0 deletions alpha/engagements/2024/OpenRefactory/update-2024-12.md
@@ -0,0 +1,104 @@
# OpenRefactory Update: December 2024

## Scan Results
Link to results: https://docs.google.com/spreadsheets/d/1K8dc6SrSEoqqh46cFisZM1tiN4CigaXsqkCKfCM8UTs/

We first show the work done month over month. This is followed by the cumulative results. Finally we show language specific breakdown of the cumulative results.



### December
| Month | Jan 2024 | Feb 2024 | Mar 2024 | Apr 2024 | May 2024 | Jun 2024 | Jul 2024 | Aug 2024 | Sep 2024 | Oct 2024 | Nov 2024 | Dec 2024 |
|--------------------------------------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------|
| Projects analyzed | 300 | 530 | 780 | 712 | 785 | 1,198 | 896 | 1,206 | 1,296 | 51 | 597 | 493 |
| Projects with no bugs | 279 | 525 | 776 | 708 | 784 | 1,198 | 896 | 1,198 | 1,286 | 37 | 595 | 487 |
| Total bugs filed | 13 | 7 | 7 | 4 | 7 | 1 | 0 | 0 | 11 | 17 | 3 | 6 |
| Security/Reliability bugs filed | 8 | 6 | 5 | 2 | 5 | 2 | 0 | 1 | 6 | 6 | 3 | 1 |
| Bugs with a fix suggestion | 10 | 2 | 2 | 4 | 0 | 1 | 0 | 19 | 7 | 4 | 3 | 4 |
| Bugs with a PoC exploit | 1 | 2 | 3 | 0 | 0 | 0 | 0 | 1 | 0 | 2 | 0 | 0 |
| Fixes merged by maintainers | 10 | 5 | 3 | 4 | 0 | 1 | 1 | 6 | 7 | 5 | 2 | 4 |
| Security/Reliability fixes merged | 6 | 2 | 1 | 0 | 0 | 0 | 1 | 7 | 1 | 3 | 2 | 0 |
| Fixes ignored by maintainers | 1 | 1 | 0 | 2 | 0 | 2 | 0 | 6 | 0 | 6 | 0 | 6 |
| Reports still open | 2 | 1 | 4 | 0 | 7 | 0 | 0 | 0 | 4 | 6 | 1 | 0 |



### High Severity Bugs (Cumulative)
| Month | Jan 2024 | Feb 2024 | Mar 2024 | Apr 2024 | May 2024 | Jun 2024 | Jul 2024 | Aug 2024 | Sep 2024 | Oct 2024 | Nov 2024 | Dec 2024 |
|---------------------------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------|
| Weak Crypto | 8 | 8 | 8 | 8 | 8 | 8 | 8 | 9 | 12 | 12 | 12 | 12 |
| Data Race | 5 | 5 | 5 | 6 | 6 | 6 | 6 | 6 | 6 | 6 | 6 | 7 |
| XSS | 5 | 7 | 8 | 8 | 8 | 8 | 8 | 8 | 8 | 8 | 8 | 8 |
| Log Injection | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 5 | 5 | 5 | 5 | 5 |
| Path Manipulation | 0 | 3 | 5 | 5 | 5 | 5 | 5 | 5 | 5 | 6 | 6 | 6 |
| Insecure Deserialization | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 3 | 3 | 4 |
| OS Command Injection | 0 | 0 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 |
| Inappropriate umask | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Open Redirect | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Security Misconfiguration | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 2 | 2 | 2 |
| Sensitive Data Leak | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| SSRF | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Null Dereference | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 1 | 1 | 1 |
| XXE | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 2 | 2 |
| Deadlock | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 1 |
| Channel Blocking | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 1 |
| **TOTAL** | 29 | 34 | 39 | 40 | 40 | 40 | 40 | 42 | 46 | 51 | 53 | 55 |



#### 2 High Severity Bugs
- Insecure Deserialization
(Go) emicklei/go-restful @ 3.11.0
https://github.com/emicklei/go-restful/issues/575

- Data Race
(Go) google/cadvisor @ 0.49.0
https://github.com/google/cadvisor/issues/3637



### Cumulative Data
| Month | Jan 2024 | Feb 2024 | Mar 2024 | Apr 2024 | May 2024 | Jun 2024 | Jul 2024 | Aug 2024 | Sep 2024 | Oct 2024 | Nov 2024 | Dec 2024 |
|--------------------------------------|------------|-------------|--------------|--------------|--------------|-------------|-----------------|--------------|--------------|--------------|--------------|--------------|
| Projects analyzed | 1,707 | 2,237 | 3,017 | 3,729 | 4,514 | 5,712 | 6,608 | 7,813 | 9,109 | 9,160 | 9,757 | 10,250 |
| Projects with no bugs | 1,510 | 2,035 | 2,811 | 3,519 | 4,303 | 5,501 | 6,091 | 7,595 | 8,881 | 8,918 | 9,513 | 10,000 |
| Total bugs filed | 237 | 244 | 251 | 255 | 262 | 263 | 263 | 262 | 273 | 290 | 293 | 299 |
| Security/Reliability bugs filed | 102 | 108 | 113 | 115 | 120 | 122 | 122 | 123 | 129 | 135 | 138 | 139 |
| Total high severity bugs filed | 29 | 34 | 39 | 40 | 40 | 40 | 40 | 42 | 46 | 51 | 53 | 55 |
| Bugs with a fix suggestion | 200 | 202 | 204 | 208 | 208 | 209 | 209 | 228 | 235 | 239 | 242 | 246 |
| Bugs with a PoC exploit | 27 | 29 | 32 | 32 | 32 | 32 | 32 | 33 | 33 | 35 | 35 | 35 |
| Fixes merged by maintainers | 113 (47.7%)| 118 (48.4%) | 121 (48.2%) | 125 (49.01%) | 125 (47.7%) | 126 (47.9%) | 127 (48.3%) | 133 (50.76%) | 140 (51.3%) | 145 (50%) | 147 (50.17%) | 151 (50.5%) |
| Security/Reliability fixes merged | 37 (36.2%) | 39 (36.1%) | 40 (35.4%) | 40 (34.78%) | 40 (33.33%) | 40 (32.8%) | 41 (33.6%) | 48 (39.02%) | 49 (38%) | 52 (38.5%) | 54 (39.13%) | 54 (38.85%) |
| Fixes ignored by maintainers | 11 (4.6%) | 12 (4.9%) | 12 (4.78%) | 14 (5.5%) | 14 (5.35%) | 16 (6.08%) | 16 (6.08%) | 22 (8.4%) | 22 (8.06%) | 28 (9.65%) | 28 (9.55%) | 34 (11.37%) |
| Reports still open | 113 (47.7%)| 114 (46.7%) | 118 (47.01%) | 116 (45.49%) | 123 (46.95%) | 121 (46%) | 120 (45.62%) | 107 (40.84%) | 111 (40.66%) | 117 (40.34%) | 118 (40.27%) | 114 (38.13%) |



### Language Specific Data (Cumulative)
| Language | Python | Java | Go | TOTAL |
|------------------------------------------------|----------|------|------|--------|
| \# of total projects analyzed | 9,817 | 216 | 217 | 10,250 |
| \# of total zerofix projects | 9,635 | 175 | 190 | 10,000 |
| \# of total bugs filed | 216 | 48 | 35 | 299 |
| \# of total security/reliablity bugs filed | 94 | 29 | 16 | 139 |
| \# of total bugs with fix suggestion | 189 | 28 | 29 | 246 |
| \# of total POC exploit | 27 | 7 | 1 | 35 |
| \# of total merged fixes | 117 | 14 | 20 | 151 |
| \# of total merged security/reliability fixes | 32 | 10 | 12 | 54 |
| \# of total ignored/rejected fixes | 18 | 11 | 5 | 34 |
| \# of total open fixes | 81 | 23 | 10 | 114 |



## Attestations
Link to attestations: https://github.com/OpenRefactory-Inc/attestations. A sample attestation JSON can be found [here](https://github.com/OpenRefactory-Inc/attestations/blob/master/aiohttp/4.0.0a1/2024-04-24/attestation.json).



### Cumulative Data
| Month | Mar 2024 | Apr 2024 | May 2024 | Jun 2024 | Jul 2024 | Aug 2024 | Sep 2024 | Oct 2024 | Nov 2024 | Dec 2024 |
|-------------------------------------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------|
| Total # of Unique Projects | 16 | 282 | 373 | 679 | 867 | 1,154 | 1,436 | 1,436 | 1,626 | 1,671 |
| Total # of Unique Releases/Versions | 75 | 1360 | 1,779 | 3,144 | 3,938 | 5,259 | 6,361 | 6,361 | 7,023 | 7,599 |
| Total # of Generated Attestations | 75 | 738 | 1,492 | 2,788 | 3,770 | 5,474 | 6,484 | 6,484 | 7,277 | 7,809 |

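Review bot: the `### December` heading over the first table mislabels it; that table spans Jan 2024 through Dec 2024 and, per the intro sentence, is the month-over-month view, so a heading such as `### Monthly Data` would match the later `### Cumulative Data` heading. Two numbers in the same hunk also look inconsistent with each other: the Dec 2024 column reports `Security/Reliability bugs filed | 1`, yet the `#### 2 High Severity Bugs` section lists two December findings (Insecure Deserialization, Data Race) and the cumulative high-severity total moves 53 to 55 while the cumulative `Security/Reliability bugs filed` moves only 138 to 139; if high-severity bugs are a subset of security/reliability bugs, one of those cells needs correcting, otherwise a short note on how the two categories relate would help readers. Smaller points: `security/reliablity` in the language table should be `security/reliability`; `1360` in the attestations table lacks the thousands separator used everywhere else (`1,360`); and the Oct 2024 attestation column repeats the Sep 2024 values exactly (1,436 / 6,361 / 6,484), which is worth confirming as intended rather than a copy of the previous column.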