generated from ossf/project-template
-
Notifications
You must be signed in to change notification settings - Fork 52
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: OpenRefactory, Inc <[email protected]>
- Loading branch information
1 parent
d9e57ce
commit 3d6b8d6
Showing
2 changed files
with
105 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,104 @@ | ||
# OpenRefactory Update: November 2024 | ||
|
||
## Scan Results | ||
Link to results: https://docs.google.com/spreadsheets/d/1K8dc6SrSEoqqh46cFisZM1tiN4CigaXsqkCKfCM8UTs/ | ||
|
||
We first show the work done month over month. This is followed by the cumulative results. Finally we show language specific breakdown of the cumulative results. | ||
|
||
|
||
|
||
### November | ||
| Month | Dec 2023 | Jan 2024 | Feb 2024 | Mar 2024 | Apr 2024 | May 2024 | Jun 2024 | Jul 2024 | Aug 2024 | Sep 2024 | Oct 2024 | Nov 2024 | | ||
|--------------------------------------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------| | ||
| Projects analyzed | 328 | 300 | 530 | 780 | 712 | 785 | 1,198 | 896 | 1,206 | 1,296 | 51 | 597 | | ||
| Projects with no bugs | 293 | 279 | 525 | 776 | 708 | 784 | 1,198 | 896 | 1,198 | 1,286 | 37 | 595 | | ||
| Total bugs filed | 56 | 13 | 7 | 7 | 4 | 7 | 1 | 0 | 0 | 11 | 17 | 3 | | ||
| Security/Reliability bugs filed | 15 | 8 | 6 | 5 | 2 | 5 | 2 | 0 | 1 | 6 | 6 | 3 | | ||
| Bugs with a fix suggestion | 50 | 10 | 2 | 2 | 4 | 0 | 1 | 0 | 19 | 7 | 4 | 3 | | ||
| Bugs with a PoC exploit | 4 | 1 | 2 | 3 | 0 | 0 | 0 | 0 | 1 | 0 | 2 | 0 | | ||
| Fixes merged by maintainers | 27 | 10 | 5 | 3 | 4 | 0 | 1 | 1 | 6 | 7 | 5 | 2 | | ||
| Security/Reliability fixes merged | 6 | 6 | 2 | 1 | 0 | 0 | 0 | 1 | 7 | 1 | 3 | 2 | | ||
| Fixes ignored by maintainers | 1 | 1 | 1 | 0 | 2 | 0 | 2 | 0 | 6 | 0 | 6 | 0 | | ||
| Reports still open | 28 | 2 | 1 | 4 | 0 | 7 | 0 | 0 | 0 | 4 | 6 | 1 | | ||
|
||
|
||
|
||
### High Severity Bugs (Cumulative) | ||
| Month | Dec 2023 | Jan 2024 | Feb 2024 | Mar 2024 | Apr 2024 | May 2024 | Jun 2024 | Jul 2024 | Aug 2024 | Sep 2024 | Oct 2024 | Nov 2024 | | ||
|---------------------------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------| | ||
| Weak Crypto | 8 | 8 | 8 | 8 | 8 | 8 | 8 | 8 | 9 | 12 | 12 | 12 | | ||
| Data Race | 2 | 5 | 5 | 5 | 6 | 6 | 6 | 6 | 6 | 6 | 6 | 6 | | ||
| XSS | 5 | 5 | 7 | 8 | 8 | 8 | 8 | 8 | 8 | 8 | 8 | 8 | | ||
| Log Injection | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 5 | 5 | 5 | 5 | | ||
| Path Manipulation | 0 | 0 | 3 | 5 | 5 | 5 | 5 | 5 | 5 | 5 | 6 | 6 | | ||
| Insecure Deserialization | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 3 | 3 | | ||
| OS Command Injection | 0 | 0 | 0 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | | ||
| Inappropriate umask | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | | ||
| Open Redirect | 0 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | | ||
| Security Misconfiguration | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 2 | 2 | | ||
| Sensitive Data Leak | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | | ||
| SSRF | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | | ||
| Null Dereference | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 1 | 1 | | ||
| XXE | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 2 | | ||
| Deadlock | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | | ||
| Channel Blocking | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | | ||
| **TOTAL** | 25 | 29 | 34 | 39 | 40 | 40 | 40 | 40 | 42 | 46 | 51 | 53 | | ||
|
||
|
||
|
||
#### 2 High Severity Bugs | ||
- Deadlock | ||
(Go) uber/cadence @ 1.12.13 | ||
https://github.com/cadence-workflow/cadence/issues/6492 | ||
|
||
- Channel Blocking | ||
(Go) googleapis/google-cloud-go @ 1.69.0 | ||
https://github.com/googleapis/google-cloud-go/issues/11126 | ||
|
||
|
||
|
||
### Cumulative Data | ||
| Month | Jan 2024 | Feb 2024 | Mar 2024 | Apr 2024 | May 2024 | Jun 2024 | Jul 2024 | Aug 2024 | Sep 2024 | Oct 2024 | Nov 2024 | | ||
|--------------------------------------|------------|-------------|--------------|--------------|--------------|-------------|-----------------|--------------|--------------|--------------|--------------| | ||
| Projects analyzed | 1,707 | 2,237 | 3,017 | 3,729 | 4,514 | 5,712 | 6,608 | 7,813 | 9,109 | 9,160 | 9,757 | | ||
| Projects with no bugs | 1,510 | 2,035 | 2,811 | 3,519 | 4,303 | 5,501 | 6,091 | 7,595 | 8,881 | 8,918 | 9,513 | | ||
| Total bugs filed | 237 | 244 | 251 | 255 | 262 | 263 | 263 | 262 | 273 | 290 | 293 | | ||
| Security/Reliability bugs filed | 102 | 108 | 113 | 115 | 120 | 122 | 122 | 123 | 129 | 135 | 138 | | ||
| Total high severity bugs filed | 29 | 34 | 39 | 40 | 40 | 40 | 40 | 42 | 46 | 51 | 53 | | ||
| Bugs with a fix suggestion | 200 | 202 | 204 | 208 | 208 | 209 | 209 | 228 | 235 | 239 | 242 | | ||
| Bugs with a PoC exploit | 27 | 29 | 32 | 32 | 32 | 32 | 32 | 33 | 33 | 35 | 35 | | ||
| Fixes merged by maintainers | 113 (47.7%)| 118 (48.4%) | 121 (48.2%) | 125 (49.01%) | 125 (47.7%) | 126 (47.9%) | 127 (48.3%) | 133 (50.76%) | 140 (51.3%) | 145 (50%) | 147 (50.17%) | | ||
| Security/Reliability fixes merged | 37 (36.2%) | 39 (36.1%) | 40 (35.4%) | 40 (34.78%) | 40 (33.33%) | 40 (32.8%) | 41 (33.6%) | 48 (39.02%) | 49 (38%) | 52 (38.5%) | 54 (39.13%) | | ||
| Fixes ignored by maintainers | 11 (4.6%) | 12 (4.9%) | 12 (4.78%) | 14 (5.5%) | 14 (5.35%) | 16 (6.08%) | 16 (6.08%) | 22 (8.4%) | 22 (8.06%) | 28 (9.65%) | 28 (9.55%) | | ||
| Reports still open | 113 (47.7%)| 114 (46.7%) | 118 (47.01%) | 116 (45.49%) | 123 (46.95%) | 121 (46%) | 120 (45.62%) | 107 (40.84%) | 111 (40.66%) | 117 (40.34%) | 118 (40.27%) | | ||
|
||
|
||
|
||
### Language Specific Data (Cumulative) | ||
| Language | Python | Java | Go | TOTAL | | ||
| ---------------------------------------------- | -------- | ---- | ---- | ----- | | ||
| \# of total projects analyzed | 9,330 | 216 | 211 | 9,757 | | ||
| \# of total zerofix projects | 9,148 | 175 | 190 | 9,513 | | ||
| \# of total bugs filed | 216 | 48 | 29 | 293 | | ||
| \# of total security/reliablity bugs filed | 94 | 29 | 15 | 138 | | ||
| \# of total bugs with fix suggestion | 189 | 28 | 25 | 242 | | ||
| \# of total POC exploit | 27 | 7 | 1 | 35 | | ||
| \# of total merged fixes | 115 | 14 | 18 | 147 | | ||
| \# of total merged security/reliability fixes | 32 | 10 | 12 | 54 | | ||
| \# of total ignored/rejected fixes | 14 | 11 | 3 | 28 | | ||
| \# of total open fixes | 87 | 23 | 8 | 118 | | ||
|
||
|
||
|
||
## Attestations | ||
Link to attestations: https://github.com/OpenRefactory-Inc/attestations. A sample attestation JSON can be found [here](https://github.com/OpenRefactory-Inc/attestations/blob/master/aiohttp/4.0.0a1/2024-04-24/attestation.json). | ||
|
||
|
||
|
||
### Cumulative Data | ||
| Month | Mar 2024 | Apr 2024 | May 2024 | Jun 2024 | Jul 2024 | Aug 2024 | Sep 2024 | Oct 2024 | Nov 2024 | | ||
|-------------------------------------|----------|----------|----------|----------|----------|----------|----------|----------|----------| | ||
| Total # of Unique Projects | 16 | 282 | 373 | 679 | 867 | 1,154 | 1,436 | 1,436 | 1,626 | | ||
| Total # of Unique Releases/Versions | 75 | 1360 | 1,779 | 3,144 | 3,938 | 5,259 | 6,361 | 6,361 | 7,023 | | ||
| Total # of Generated Attestations | 75 | 738 | 1,492 | 2,788 | 3,770 | 5,474 | 6,484 | 6,484 | 7,277 | | ||
|