SlideShare una empresa de Scribd logo

VulnTotal: Cross-validate vulnerability coverage of VulnerableCode

Descargar como PPTX, PDF
M
Michael Herzog

In this slide, nexB co-founder and CTO Philippe Ombredanne presents a technical deep dive into VulnerableCode, a FOSS tool to collect, aggregate and refine software vulnerability information from more than 20 sources and to quickly create new importers. He then demonstrates how to use VulnTotal to cross-validate vulenrability coverage of VulnerableCode.

Software
1 de 25
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 Introduction to VulnerableCode Q1 2023
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 Abstract ▷ Databases of known FOSS software vulnerabilities are mostly proprietary and/or privately maintained. ▷ Why not open data? Open source likes open! ▷ Find how we are working to build new FOSS tools to: ○ Aggregate and publish software component vulnerability data from multiple sources and ○ Automate the search for FOSS component security vulnerabilities. ○ With open code and open data. ▷ The benefit will be improved security of software applications with open tools and open data for everyone.
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 Agenda ▷ Software Supply Chain Security ▷ The Problem(s) ▷ The VulnerableCode Solution ▷ Demo ▷ Next Steps ▷ References 3
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 Software Supply Chain Security o Obviously, a huge topic o Linux Foundation / OSSF has identified 3 focus areas: ▪ Securing OSS Production ▪ Improving Vulnerability Discovery & Remediation ▪ Shorten Ecosystem Patching Response Time o nexB focus is on using SCA to identify software vulnerabilities, their impact and remediation
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 o There is no open code AND open data QUALITY vulnerability DB o Security vendors DO NOT WANT TO SOLVE the problem o Race to the BIGGEST database of @#$!* o Expensive and poor quality o Existing "free" database are problematic with opaque review process The Problem
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 o DBs are making up packages that do not exist ▪ No big deal, none uses them... but this shatters confidence o DBs invent vulnerable ranges o They do not agree on vulnerable ranges o "Cry wolf" with dubious vulnerabilities o Claim to have "secret" "premium" vulnerabilities o Do not publish their findings upstream at the NVD to share back The Quality Problem
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 What I would hope for: a tidy and organized security gate Meanwhile at Security (1) Credit: https://www.flickr.com/photos/oddharmonic/4756905580 " oddharmonic Security at Denver International Airport License: CC-BY-20 https://creativecommons.org/licenses/by/2.0/
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 The reality: Meanwhile at Security (2) Credit: Arne Müseler http://arne-mueseler.com/ https://commons.wikimedia.org/wiki/File:Loveparade_2010_duisburg_tunnel_ramp.jpg License: CC-BY-SA-3.0 https://en.wikipedia.org/wiki/en:Creative_Commons From https://en.wikipedia.org/wiki/Love_Parade_disaster On 24 July 2010, a crowd disaster at the 2010 Love Parade electronic dance music festival in Duisburg, North Rhine-Westphalia, Germany, caused the deaths of 21 people from suffocation as attendees sought to escape a ramp leading to the festival area.[1] 652 people were injured.
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 Our Solution VulnerableCode DB with GUI, API and Vulntotal An below the water line: o Many data sources o Import from upstream! o PURL, package first! o Cleaned, combined and merged o All data licenses are tracked o Smart vulnerable version ranges (Also used in OSV) o Bots to improve the data Credits: MoteOo https://pixabay.com/illustrations/iceberg-above-water-white-cold-3273216/ and openclipart by https://www.openclipart.org/detail/299871/tip-of-the-iceberg License: https://scancode-licensedb.aboutcode.org/pixabay-content.html
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 Can you prove this is better?
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 “In God we trust. All others must bring data.” W. Edwards Deming said:
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 VulnTotal: Comparison shopping for VDB o By VulnerableCode team member, Keshav Priyadarshi
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 The workflow Scan for packages Package-URL Lookup in VulnerableCode
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 VulnerableCode.io Demo o Packages ▪ Affected by ▪ Fixing o Vulnerabilities o VulnTotal
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 o I created Package URL for VulnerableCode and ScanCode The critical GLUE between all the software supply chain tools o Package URL project: https://github.com/package-url ▪ Spec is at: https://github.com/package-url/purl-spec ▪ Implementations for .NET, Go, Java, JavaScript, PHP, Python, Ruby and Rust o Recent proposal to add purl to NVD: ▪ https://owasp.org/blog/2022/09/13/sbom-forum-recommends-improvements-to-nvd.html Package URL aka. PURL
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 o If I alone control this data, I am adopting the same flawed ways as others before us. o We need to make this a shared resource for everyone, that's under the shared control of EVERYONE o You can already self-host VulnerableCode o Working next on a new way to federate and decentralize this But wait!
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 o Collect the fix commits for call graph or dynamic analysis o Design an Advisory clarity score and of their providers o Make VulnTotal work as a browser extension with zero install o More, smarter improvers ▪ Check if package exists, validate all ranges are correct ▪ Mine the graph to establish correlations o Natural language parsing of vulnerability descriptions and advisories o Extract unpublished vulnerabilities from commit histories and trackers o Federated and crowdsourced vulnerability curation o NVDR: Universal non-vulnerable dependency resolvers Next steps
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 o By VulnerableCode maintainer, Tushar Goel o If you could blend ▪ Functional dependency constraints ▪ Known vulnerable ranges o And inject these in a package dependency resolver o You get Non Vulnerable Dependency Resolution! o Working PoC implemented in python-inspector tool and paper https://www.tdcommons.org/dpubs_series/5224/ NVDR: keep the barbarians at the gate!
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 Sustainability ▷ Help us make this work for everyone and for YOU You MUST fund this project to build security commons ▷ We received grants from the European Union through the NGI-0 program and NLnet Contact me at pombredanne@nexb.com
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 References o VulnerableCode o ScanCode o Package-URL (purl) o AboutCode
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 VulnerableCode o Collect and aggregate vulnerability data from many public sources ▪ Projects, GitHub, Linux Distros, NVD, Package managers and others ▪ Focus on upstream projects (source of the source) o Apply confidence-based system ▪ not all data are equally trusted and of equivalent quality o Find anomalies using correlations and comparisons o Discover relations between vulnerabilities and packages from mining the graph o Public.VulnerableCode.io database o See https://nexb.com/vulnerablecode/ for more information
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 Package-URL o Package URL project: https://github.com/package-url ▪ Spec is at: https://github.com/package-url/purl-spec ▪ Implementations for .NET, Go, Java, JavaScript, PHP, Python, Ruby and Rust o Recent proposal to add purl to NVD: ▪ https://owasp.org/blog/2022/09/13/sbom-forum-recommends- improvements-to-nvd.html
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 ScanCode o Identify FOSS and other third-party components & packages o Detect licenses, copyrights and dependencies o ScanCode Projects include: ▪ ScanCode.io: Server system with customizable pipelines ▪ ScanCode Toolkit: Scanning engine - use as CLI or library ▪ LicenseDB: 2000+ licenses detected by ScanCode ▪ ScanCode Workbench: Desktop app to review Scans o See https://nexb.com/scancode/ for more information
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 AboutCode o AboutCode is a virtual org for our collection of FOSS SCA tools ▪ Also, the home for our GSoC projects ▪ And we are on OpenCollective at: https://opencollective.com/aboutcode o Our projects are at: https://github.com/nexB o Documentation for each project is at ReadTheDocs.org o AboutCode home: https://www.aboutcode.org/
© 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 Credits Special thanks to all the people who made and released these excellent free resources: o Presentation template by SlidesCarnival at https://www.slidescarnival.com/ licensed under CC-BY-4.0 https://www.slidescarnival.com/terms-of-use#templates-license o Photographs by Unsplash https://unsplash.com/license licensed under the unsplash license https://scancode- licensedb.aboutcode.org/unsplash.html All the open source software authors that made VulnerableCode, ScanCode and other AboutCode FOSS projects possible

Recomendados

VulnerableCode: Finding FOSS software vulnerabilities with FOSS tools
VulnerableCode: Finding FOSS software vulnerabilities with FOSS toolsVulnerableCode: Finding FOSS software vulnerabilities with FOSS tools
VulnerableCode: Finding FOSS software vulnerabilities with FOSS tools
Michael Herzog
 
A Vulnerability Database Should Not Be About Vulnerabilities!
A Vulnerability Database Should Not Be About Vulnerabilities!A Vulnerability Database Should Not Be About Vulnerabilities!
A Vulnerability Database Should Not Be About Vulnerabilities!
Michael Herzog
 
PURL and vers: The Mostly Universal Package URL and Version Ranges Identifier...
PURL and vers: The Mostly Universal Package URL and Version Ranges Identifier...PURL and vers: The Mostly Universal Package URL and Version Ranges Identifier...
PURL and vers: The Mostly Universal Package URL and Version Ranges Identifier...
Michael Herzog
 
Running Java Applications on Cloud Foundry
Running Java Applications on Cloud FoundryRunning Java Applications on Cloud Foundry
Running Java Applications on Cloud Foundry
VMware Tanzu
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
sparkfabrik
 
Docker meetup talk - chicago March 2014
Docker meetup talk - chicago March 2014Docker meetup talk - chicago March 2014
Docker meetup talk - chicago March 2014
Ryan Koop
 
Docker Enterprise Networking and Cisco Contiv - Cisco Live 2017 BRKSDN-2256
Docker Enterprise Networking and Cisco Contiv - Cisco Live 2017 BRKSDN-2256Docker Enterprise Networking and Cisco Contiv - Cisco Live 2017 BRKSDN-2256
Docker Enterprise Networking and Cisco Contiv - Cisco Live 2017 BRKSDN-2256
Mark Church
 
Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...
Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...
Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...
Sanjeev Rampal
 

Recomendados

VulnerableCode: Finding FOSS software vulnerabilities with FOSS tools
VulnerableCode: Finding FOSS software vulnerabilities with FOSS toolsVulnerableCode: Finding FOSS software vulnerabilities with FOSS tools
VulnerableCode: Finding FOSS software vulnerabilities with FOSS tools
Michael Herzog
 
A Vulnerability Database Should Not Be About Vulnerabilities!
A Vulnerability Database Should Not Be About Vulnerabilities!A Vulnerability Database Should Not Be About Vulnerabilities!
A Vulnerability Database Should Not Be About Vulnerabilities!
Michael Herzog
 
PURL and vers: The Mostly Universal Package URL and Version Ranges Identifier...
PURL and vers: The Mostly Universal Package URL and Version Ranges Identifier...PURL and vers: The Mostly Universal Package URL and Version Ranges Identifier...
PURL and vers: The Mostly Universal Package URL and Version Ranges Identifier...
Michael Herzog
 
Running Java Applications on Cloud Foundry
Running Java Applications on Cloud FoundryRunning Java Applications on Cloud Foundry
Running Java Applications on Cloud Foundry
VMware Tanzu
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
sparkfabrik
 
Docker meetup talk - chicago March 2014
Docker meetup talk - chicago March 2014Docker meetup talk - chicago March 2014
Docker meetup talk - chicago March 2014
Ryan Koop
 
Docker Enterprise Networking and Cisco Contiv - Cisco Live 2017 BRKSDN-2256
Docker Enterprise Networking and Cisco Contiv - Cisco Live 2017 BRKSDN-2256Docker Enterprise Networking and Cisco Contiv - Cisco Live 2017 BRKSDN-2256
Docker Enterprise Networking and Cisco Contiv - Cisco Live 2017 BRKSDN-2256
Mark Church
 
Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...
Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...
Cisco Live 2017: Container networking deep dive with Docker Enterprise Editio...
Sanjeev Rampal
 
Choisir le bon business model et la bonne licence pour la survie de son proje...
Choisir le bon business model et la bonne licence pour la survie de son proje...Choisir le bon business model et la bonne licence pour la survie de son proje...
Choisir le bon business model et la bonne licence pour la survie de son proje...
Open Source Experience
 
Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)
Canturk Isci
 
A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024
A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024
A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024
Cloud Native NoVA
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
sparkfabrik
 
The 12 facets of the OpenAPI standard.pdf
The 12 facets of the OpenAPI standard.pdfThe 12 facets of the OpenAPI standard.pdf
The 12 facets of the OpenAPI standard.pdf
Cisco DevNet
 
Cloud Security - I ain’t rocket science @ Club.cloud 20211103
Cloud Security - I ain’t rocket science @ Club.cloud 20211103Cloud Security - I ain’t rocket science @ Club.cloud 20211103
Cloud Security - I ain’t rocket science @ Club.cloud 20211103
Edzo Botjes
 
Scanning Docker Images with ScanCode.io
Scanning Docker Images with ScanCode.ioScanning Docker Images with ScanCode.io
Scanning Docker Images with ScanCode.io
Michael Herzog
 
Enterprise DevOps Series: Using VS Code & Zowe
Enterprise DevOps Series: Using VS Code & ZoweEnterprise DevOps Series: Using VS Code & Zowe
Enterprise DevOps Series: Using VS Code & Zowe
DevOps.com
 
Using containers and Continuous Packaging to Build native FOSSology packages
Using containers and Continuous Packaging to Build native FOSSology packagesUsing containers and Continuous Packaging to Build native FOSSology packages
Using containers and Continuous Packaging to Build native FOSSology packages
Bruno Cornec
 
OpenChain Webinar #50 - An Overview of SPDX 3.0
OpenChain Webinar #50 - An Overview of SPDX 3.0OpenChain Webinar #50 - An Overview of SPDX 3.0
OpenChain Webinar #50 - An Overview of SPDX 3.0
Shane Coughlan
 
Container BoM Inspection with TERN
Container BoM Inspection with TERNContainer BoM Inspection with TERN
Container BoM Inspection with TERN
Open Source Technology Center MeetUps
 
Blockcerts: The Open Standard for Blockchain Credentials
Blockcerts: The Open Standard for Blockchain CredentialsBlockcerts: The Open Standard for Blockchain Credentials
Blockcerts: The Open Standard for Blockchain Credentials
SSIMeetup
 
12 Factor, or Cloud Native Apps - What EXACTLY Does that Mean for Spring Deve...
12 Factor, or Cloud Native Apps - What EXACTLY Does that Mean for Spring Deve...12 Factor, or Cloud Native Apps - What EXACTLY Does that Mean for Spring Deve...
12 Factor, or Cloud Native Apps - What EXACTLY Does that Mean for Spring Deve...
VMware Tanzu
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
sparkfabrik
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
MITRE ATT&CK
 
How is this sausage made
How is this sausage madeHow is this sausage made
How is this sausage made
dejanb
 
2023 Patch Tuesday de Octubre
2023 Patch Tuesday de Octubre2023 Patch Tuesday de Octubre
2023 Patch Tuesday de Octubre
Ivanti
 
Français Patch Tuesday – Octobre
Français Patch Tuesday – OctobreFrançais Patch Tuesday – Octobre
Français Patch Tuesday – Octobre
Ivanti
 
Corporate Shenanigans
Corporate ShenanigansCorporate Shenanigans
Corporate Shenanigans
Mike Milinkovich
 
Netflix CDN and Open Source
Netflix CDN and Open SourceNetflix CDN and Open Source
Netflix CDN and Open Source
Gleb Smirnoff
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
SolGuruz
 

Más contenido relacionado

Similar a VulnTotal: Cross-validate vulnerability coverage of VulnerableCode

Scanning Docker Images with ScanCode.io
Scanning Docker Images with ScanCode.ioScanning Docker Images with ScanCode.io
Scanning Docker Images with ScanCode.io
Michael Herzog
 
Using containers and Continuous Packaging to Build native FOSSology packages
Using containers and Continuous Packaging to Build native FOSSology packagesUsing containers and Continuous Packaging to Build native FOSSology packages
Using containers and Continuous Packaging to Build native FOSSology packages
Bruno Cornec
 
Blockcerts: The Open Standard for Blockchain Credentials
Blockcerts: The Open Standard for Blockchain CredentialsBlockcerts: The Open Standard for Blockchain Credentials
Blockcerts: The Open Standard for Blockchain Credentials
SSIMeetup
 
12 Factor, or Cloud Native Apps - What EXACTLY Does that Mean for Spring Deve...
12 Factor, or Cloud Native Apps - What EXACTLY Does that Mean for Spring Deve...12 Factor, or Cloud Native Apps - What EXACTLY Does that Mean for Spring Deve...
12 Factor, or Cloud Native Apps - What EXACTLY Does that Mean for Spring Deve...
VMware Tanzu
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
MITRE ATT&CK
 
Netflix CDN and Open Source
Netflix CDN and Open SourceNetflix CDN and Open Source
Netflix CDN and Open Source
Gleb Smirnoff
 

Similar a VulnTotal: Cross-validate vulnerability coverage of VulnerableCode (20)

Choisir le bon business model et la bonne licence pour la survie de son proje...
Choisir le bon business model et la bonne licence pour la survie de son proje...Choisir le bon business model et la bonne licence pour la survie de son proje...
Choisir le bon business model et la bonne licence pour la survie de son proje...
 
Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)
 
A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024
A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024
A Love Story with Kubevirt and Backstage from Cloud Native NoVA meetup Feb 2024
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
 
The 12 facets of the OpenAPI standard.pdf
The 12 facets of the OpenAPI standard.pdfThe 12 facets of the OpenAPI standard.pdf
The 12 facets of the OpenAPI standard.pdf
 
Cloud Security - I ain’t rocket science @ Club.cloud 20211103
Cloud Security - I ain’t rocket science @ Club.cloud 20211103Cloud Security - I ain’t rocket science @ Club.cloud 20211103
Cloud Security - I ain’t rocket science @ Club.cloud 20211103
 
Scanning Docker Images with ScanCode.io
Scanning Docker Images with ScanCode.ioScanning Docker Images with ScanCode.io
Scanning Docker Images with ScanCode.io
 
Enterprise DevOps Series: Using VS Code & Zowe
Enterprise DevOps Series: Using VS Code & ZoweEnterprise DevOps Series: Using VS Code & Zowe
Enterprise DevOps Series: Using VS Code & Zowe
 
Using containers and Continuous Packaging to Build native FOSSology packages
Using containers and Continuous Packaging to Build native FOSSology packagesUsing containers and Continuous Packaging to Build native FOSSology packages
Using containers and Continuous Packaging to Build native FOSSology packages
 
OpenChain Webinar #50 - An Overview of SPDX 3.0
OpenChain Webinar #50 - An Overview of SPDX 3.0OpenChain Webinar #50 - An Overview of SPDX 3.0
OpenChain Webinar #50 - An Overview of SPDX 3.0
 
Container BoM Inspection with TERN
Container BoM Inspection with TERNContainer BoM Inspection with TERN
Container BoM Inspection with TERN
 
Blockcerts: The Open Standard for Blockchain Credentials
Blockcerts: The Open Standard for Blockchain CredentialsBlockcerts: The Open Standard for Blockchain Credentials
Blockcerts: The Open Standard for Blockchain Credentials
 
12 Factor, or Cloud Native Apps - What EXACTLY Does that Mean for Spring Deve...
12 Factor, or Cloud Native Apps - What EXACTLY Does that Mean for Spring Deve...12 Factor, or Cloud Native Apps - What EXACTLY Does that Mean for Spring Deve...
12 Factor, or Cloud Native Apps - What EXACTLY Does that Mean for Spring Deve...
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
 
How is this sausage made
How is this sausage madeHow is this sausage made
How is this sausage made
 
2023 Patch Tuesday de Octubre
2023 Patch Tuesday de Octubre2023 Patch Tuesday de Octubre
2023 Patch Tuesday de Octubre
 
Français Patch Tuesday – Octobre
Français Patch Tuesday – OctobreFrançais Patch Tuesday – Octobre
Français Patch Tuesday – Octobre
 
Corporate Shenanigans
Corporate ShenanigansCorporate Shenanigans
Corporate Shenanigans
 
Netflix CDN and Open Source
Netflix CDN and Open SourceNetflix CDN and Open Source
Netflix CDN and Open Source
 

Último

Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
mohitmore19
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
harshavardhanraghave
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
anilsa9823
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
anilsa9823
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Alberto González Trastoy
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 

Último (20)

Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 

VulnTotal: Cross-validate vulnerability coverage of VulnerableCode

  • 1. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 Introduction to VulnerableCode Q1 2023
  • 2. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 Abstract ▷ Databases of known FOSS software vulnerabilities are mostly proprietary and/or privately maintained. ▷ Why not open data? Open source likes open! ▷ Find how we are working to build new FOSS tools to: ○ Aggregate and publish software component vulnerability data from multiple sources and ○ Automate the search for FOSS component security vulnerabilities. ○ With open code and open data. ▷ The benefit will be improved security of software applications with open tools and open data for everyone.
  • 3. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 Agenda ▷ Software Supply Chain Security ▷ The Problem(s) ▷ The VulnerableCode Solution ▷ Demo ▷ Next Steps ▷ References 3
  • 4. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 Software Supply Chain Security o Obviously, a huge topic o Linux Foundation / OSSF has identified 3 focus areas: ▪ Securing OSS Production ▪ Improving Vulnerability Discovery & Remediation ▪ Shorten Ecosystem Patching Response Time o nexB focus is on using SCA to identify software vulnerabilities, their impact and remediation
  • 5. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 o There is no open code AND open data QUALITY vulnerability DB o Security vendors DO NOT WANT TO SOLVE the problem o Race to the BIGGEST database of @#$!* o Expensive and poor quality o Existing "free" database are problematic with opaque review process The Problem
  • 6. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 o DBs are making up packages that do not exist ▪ No big deal, none uses them... but this shatters confidence o DBs invent vulnerable ranges o They do not agree on vulnerable ranges o "Cry wolf" with dubious vulnerabilities o Claim to have "secret" "premium" vulnerabilities o Do not publish their findings upstream at the NVD to share back The Quality Problem
  • 7. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 What I would hope for: a tidy and organized security gate Meanwhile at Security (1) Credit: https://www.flickr.com/photos/oddharmonic/4756905580 " oddharmonic Security at Denver International Airport License: CC-BY-20 https://creativecommons.org/licenses/by/2.0/
  • 8. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 The reality: Meanwhile at Security (2) Credit: Arne Müseler http://arne-mueseler.com/ https://commons.wikimedia.org/wiki/File:Loveparade_2010_duisburg_tunnel_ramp.jpg License: CC-BY-SA-3.0 https://en.wikipedia.org/wiki/en:Creative_Commons From https://en.wikipedia.org/wiki/Love_Parade_disaster On 24 July 2010, a crowd disaster at the 2010 Love Parade electronic dance music festival in Duisburg, North Rhine-Westphalia, Germany, caused the deaths of 21 people from suffocation as attendees sought to escape a ramp leading to the festival area.[1] 652 people were injured.
  • 9. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 Our Solution VulnerableCode DB with GUI, API and Vulntotal An below the water line: o Many data sources o Import from upstream! o PURL, package first! o Cleaned, combined and merged o All data licenses are tracked o Smart vulnerable version ranges (Also used in OSV) o Bots to improve the data Credits: MoteOo https://pixabay.com/illustrations/iceberg-above-water-white-cold-3273216/ and openclipart by https://www.openclipart.org/detail/299871/tip-of-the-iceberg License: https://scancode-licensedb.aboutcode.org/pixabay-content.html
  • 10. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 Can you prove this is better?
  • 11. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 “In God we trust. All others must bring data.” W. Edwards Deming said:
  • 12. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 VulnTotal: Comparison shopping for VDB o By VulnerableCode team member, Keshav Priyadarshi
  • 13. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 The workflow Scan for packages Package-URL Lookup in VulnerableCode
  • 14. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 VulnerableCode.io Demo o Packages ▪ Affected by ▪ Fixing o Vulnerabilities o VulnTotal
  • 15. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 o I created Package URL for VulnerableCode and ScanCode The critical GLUE between all the software supply chain tools o Package URL project: https://github.com/package-url ▪ Spec is at: https://github.com/package-url/purl-spec ▪ Implementations for .NET, Go, Java, JavaScript, PHP, Python, Ruby and Rust o Recent proposal to add purl to NVD: ▪ https://owasp.org/blog/2022/09/13/sbom-forum-recommends-improvements-to-nvd.html Package URL aka. PURL
  • 16. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 o If I alone control this data, I am adopting the same flawed ways as others before us. o We need to make this a shared resource for everyone, that's under the shared control of EVERYONE o You can already self-host VulnerableCode o Working next on a new way to federate and decentralize this But wait!
  • 17. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 o Collect the fix commits for call graph or dynamic analysis o Design an Advisory clarity score and of their providers o Make VulnTotal work as a browser extension with zero install o More, smarter improvers ▪ Check if package exists, validate all ranges are correct ▪ Mine the graph to establish correlations o Natural language parsing of vulnerability descriptions and advisories o Extract unpublished vulnerabilities from commit histories and trackers o Federated and crowdsourced vulnerability curation o NVDR: Universal non-vulnerable dependency resolvers Next steps
  • 18. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 o By VulnerableCode maintainer, Tushar Goel o If you could blend ▪ Functional dependency constraints ▪ Known vulnerable ranges o And inject these in a package dependency resolver o You get Non Vulnerable Dependency Resolution! o Working PoC implemented in python-inspector tool and paper https://www.tdcommons.org/dpubs_series/5224/ NVDR: keep the barbarians at the gate!
  • 19. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 Sustainability ▷ Help us make this work for everyone and for YOU You MUST fund this project to build security commons ▷ We received grants from the European Union through the NGI-0 program and NLnet Contact me at pombredanne@nexb.com
  • 20. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 References o VulnerableCode o ScanCode o Package-URL (purl) o AboutCode
  • 21. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 VulnerableCode o Collect and aggregate vulnerability data from many public sources ▪ Projects, GitHub, Linux Distros, NVD, Package managers and others ▪ Focus on upstream projects (source of the source) o Apply confidence-based system ▪ not all data are equally trusted and of equivalent quality o Find anomalies using correlations and comparisons o Discover relations between vulnerabilities and packages from mining the graph o Public.VulnerableCode.io database o See https://nexb.com/vulnerablecode/ for more information
  • 22. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 Package-URL o Package URL project: https://github.com/package-url ▪ Spec is at: https://github.com/package-url/purl-spec ▪ Implementations for .NET, Go, Java, JavaScript, PHP, Python, Ruby and Rust o Recent proposal to add purl to NVD: ▪ https://owasp.org/blog/2022/09/13/sbom-forum-recommends- improvements-to-nvd.html
  • 23. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 ScanCode o Identify FOSS and other third-party components & packages o Detect licenses, copyrights and dependencies o ScanCode Projects include: ▪ ScanCode.io: Server system with customizable pipelines ▪ ScanCode Toolkit: Scanning engine - use as CLI or library ▪ LicenseDB: 2000+ licenses detected by ScanCode ▪ ScanCode Workbench: Desktop app to review Scans o See https://nexb.com/scancode/ for more information
  • 24. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 AboutCode o AboutCode is a virtual org for our collection of FOSS SCA tools ▪ Also, the home for our GSoC projects ▪ And we are on OpenCollective at: https://opencollective.com/aboutcode o Our projects are at: https://github.com/nexB o Documentation for each project is at ReadTheDocs.org o AboutCode home: https://www.aboutcode.org/
  • 25. © 2023 nexB Inc. - Licensed under the CC-BY-SA-4.0 Credits Special thanks to all the people who made and released these excellent free resources: o Presentation template by SlidesCarnival at https://www.slidescarnival.com/ licensed under CC-BY-4.0 https://www.slidescarnival.com/terms-of-use#templates-license o Photographs by Unsplash https://unsplash.com/license licensed under the unsplash license https://scancode- licensedb.aboutcode.org/unsplash.html All the open source software authors that made VulnerableCode, ScanCode and other AboutCode FOSS projects possible