From 3d6b8d63dff91bebd67399abe85352f8a400cab5 Mon Sep 17 00:00:00 2001 From: "OpenRefactory, Inc" <56681071+openrefactory@users.noreply.github.com> Date: Tue, 3 Dec 2024 08:51:45 -0800 Subject: [PATCH] OpenRefactory November 2024 Report. Signed-off-by: OpenRefactory, Inc <56681071+openrefactory@users.noreply.github.com> --- .../engagements/2024/OpenRefactory/README.md | 1 + .../2024/OpenRefactory/update-2024-11.md | 104 ++++++++++++++++++ 2 files changed, 105 insertions(+) create mode 100644 alpha/engagements/2024/OpenRefactory/update-2024-11.md diff --git a/alpha/engagements/2024/OpenRefactory/README.md b/alpha/engagements/2024/OpenRefactory/README.md index 000450b7..953fce4b 100644 --- a/alpha/engagements/2024/OpenRefactory/README.md +++ b/alpha/engagements/2024/OpenRefactory/README.md @@ -39,6 +39,7 @@ This engagement started in July 2023. Reports for 2023 are available here: https * [August 2024](update-2024-08.md) * [September 2024](update-2024-09.md) * [October 2024](update-2024-10.md) +* [November 2024](update-2024-11.md) ## Primary Contacts diff --git a/alpha/engagements/2024/OpenRefactory/update-2024-11.md b/alpha/engagements/2024/OpenRefactory/update-2024-11.md new file mode 100644 index 00000000..757592cd --- /dev/null +++ b/alpha/engagements/2024/OpenRefactory/update-2024-11.md @@ -0,0 +1,104 @@ +# OpenRefactory Update: November 2024 + +## Scan Results +Link to results: https://docs.google.com/spreadsheets/d/1K8dc6SrSEoqqh46cFisZM1tiN4CigaXsqkCKfCM8UTs/ + +We first show the work done month over month. This is followed by the cumulative results. Finally we show language specific breakdown of the cumulative results. + + + +### November +| Month | Dec 2023 | Jan 2024 | Feb 2024 | Mar 2024 | Apr 2024 | May 2024 | Jun 2024 | Jul 2024 | Aug 2024 | Sep 2024 | Oct 2024 | Nov 2024 | +|--------------------------------------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------| +| Projects analyzed | 328 | 300 | 530 | 780 | 712 | 785 | 1,198 | 896 | 1,206 | 1,296 | 51 | 597 | +| Projects with no bugs | 293 | 279 | 525 | 776 | 708 | 784 | 1,198 | 896 | 1,198 | 1,286 | 37 | 595 | +| Total bugs filed | 56 | 13 | 7 | 7 | 4 | 7 | 1 | 0 | 0 | 11 | 17 | 3 | +| Security/Reliability bugs filed | 15 | 8 | 6 | 5 | 2 | 5 | 2 | 0 | 1 | 6 | 6 | 3 | +| Bugs with a fix suggestion | 50 | 10 | 2 | 2 | 4 | 0 | 1 | 0 | 19 | 7 | 4 | 3 | +| Bugs with a PoC exploit | 4 | 1 | 2 | 3 | 0 | 0 | 0 | 0 | 1 | 0 | 2 | 0 | +| Fixes merged by maintainers | 27 | 10 | 5 | 3 | 4 | 0 | 1 | 1 | 6 | 7 | 5 | 2 | +| Security/Reliability fixes merged | 6 | 6 | 2 | 1 | 0 | 0 | 0 | 1 | 7 | 1 | 3 | 2 | +| Fixes ignored by maintainers | 1 | 1 | 1 | 0 | 2 | 0 | 2 | 0 | 6 | 0 | 6 | 0 | +| Reports still open | 28 | 2 | 1 | 4 | 0 | 7 | 0 | 0 | 0 | 4 | 6 | 1 | + + + +### High Severity Bugs (Cumulative) +| Month | Dec 2023 | Jan 2024 | Feb 2024 | Mar 2024 | Apr 2024 | May 2024 | Jun 2024 | Jul 2024 | Aug 2024 | Sep 2024 | Oct 2024 | Nov 2024 | +|---------------------------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------| +| Weak Crypto | 8 | 8 | 8 | 8 | 8 | 8 | 8 | 8 | 9 | 12 | 12 | 12 | +| Data Race | 2 | 5 | 5 | 5 | 6 | 6 | 6 | 6 | 6 | 6 | 6 | 6 | +| XSS | 5 | 5 | 7 | 8 | 8 | 8 | 8 | 8 | 8 | 8 | 8 | 8 | +| Log Injection | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 5 | 5 | 5 | 5 | +| Path Manipulation | 0 | 0 | 3 | 5 | 5 | 5 | 5 | 5 | 5 | 5 | 6 | 6 | +| Insecure Deserialization | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 3 | 3 | +| OS Command Injection | 0 | 0 | 0 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | +| Inappropriate umask | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | +| Open Redirect | 0 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | +| Security Misconfiguration | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 2 | 2 | +| Sensitive Data Leak | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | +| SSRF | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | +| Null Dereference | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 1 | 1 | +| XXE | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 2 | +| Deadlock | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | +| Channel Blocking | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | +| **TOTAL** | 25 | 29 | 34 | 39 | 40 | 40 | 40 | 40 | 42 | 46 | 51 | 53 | + + + +#### 2 High Severity Bugs +- Deadlock + (Go) uber/cadence @ 1.12.13 + https://github.com/cadence-workflow/cadence/issues/6492 + +- Channel Blocking + (Go) googleapis/google-cloud-go @ 1.69.0 + https://github.com/googleapis/google-cloud-go/issues/11126 + + + +### Cumulative Data +| Month | Jan 2024 | Feb 2024 | Mar 2024 | Apr 2024 | May 2024 | Jun 2024 | Jul 2024 | Aug 2024 | Sep 2024 | Oct 2024 | Nov 2024 | +|--------------------------------------|------------|-------------|--------------|--------------|--------------|-------------|-----------------|--------------|--------------|--------------|--------------| +| Projects analyzed | 1,707 | 2,237 | 3,017 | 3,729 | 4,514 | 5,712 | 6,608 | 7,813 | 9,109 | 9,160 | 9,757 | +| Projects with no bugs | 1,510 | 2,035 | 2,811 | 3,519 | 4,303 | 5,501 | 6,091 | 7,595 | 8,881 | 8,918 | 9,513 | +| Total bugs filed | 237 | 244 | 251 | 255 | 262 | 263 | 263 | 262 | 273 | 290 | 293 | +| Security/Reliability bugs filed | 102 | 108 | 113 | 115 | 120 | 122 | 122 | 123 | 129 | 135 | 138 | +| Total high severity bugs filed | 29 | 34 | 39 | 40 | 40 | 40 | 40 | 42 | 46 | 51 | 53 | +| Bugs with a fix suggestion | 200 | 202 | 204 | 208 | 208 | 209 | 209 | 228 | 235 | 239 | 242 | +| Bugs with a PoC exploit | 27 | 29 | 32 | 32 | 32 | 32 | 32 | 33 | 33 | 35 | 35 | +| Fixes merged by maintainers | 113 (47.7%)| 118 (48.4%) | 121 (48.2%) | 125 (49.01%) | 125 (47.7%) | 126 (47.9%) | 127 (48.3%) | 133 (50.76%) | 140 (51.3%) | 145 (50%) | 147 (50.17%) | +| Security/Reliability fixes merged | 37 (36.2%) | 39 (36.1%) | 40 (35.4%) | 40 (34.78%) | 40 (33.33%) | 40 (32.8%) | 41 (33.6%) | 48 (39.02%) | 49 (38%) | 52 (38.5%) | 54 (39.13%) | +| Fixes ignored by maintainers | 11 (4.6%) | 12 (4.9%) | 12 (4.78%) | 14 (5.5%) | 14 (5.35%) | 16 (6.08%) | 16 (6.08%) | 22 (8.4%) | 22 (8.06%) | 28 (9.65%) | 28 (9.55%) | +| Reports still open | 113 (47.7%)| 114 (46.7%) | 118 (47.01%) | 116 (45.49%) | 123 (46.95%) | 121 (46%) | 120 (45.62%) | 107 (40.84%) | 111 (40.66%) | 117 (40.34%) | 118 (40.27%) | + + + +### Language Specific Data (Cumulative) +| Language | Python | Java | Go | TOTAL | +| ---------------------------------------------- | -------- | ---- | ---- | ----- | +| \# of total projects analyzed | 9,330 | 216 | 211 | 9,757 | +| \# of total zerofix projects | 9,148 | 175 | 190 | 9,513 | +| \# of total bugs filed | 216 | 48 | 29 | 293 | +| \# of total security/reliablity bugs filed | 94 | 29 | 15 | 138 | +| \# of total bugs with fix suggestion | 189 | 28 | 25 | 242 | +| \# of total POC exploit | 27 | 7 | 1 | 35 | +| \# of total merged fixes | 115 | 14 | 18 | 147 | +| \# of total merged security/reliability fixes | 32 | 10 | 12 | 54 | +| \# of total ignored/rejected fixes | 14 | 11 | 3 | 28 | +| \# of total open fixes | 87 | 23 | 8 | 118 | + + + +## Attestations +Link to attestations: https://github.com/OpenRefactory-Inc/attestations. A sample attestation JSON can be found [here](https://github.com/OpenRefactory-Inc/attestations/blob/master/aiohttp/4.0.0a1/2024-04-24/attestation.json). + + + +### Cumulative Data +| Month | Mar 2024 | Apr 2024 | May 2024 | Jun 2024 | Jul 2024 | Aug 2024 | Sep 2024 | Oct 2024 | Nov 2024 | +|-------------------------------------|----------|----------|----------|----------|----------|----------|----------|----------|----------| +| Total # of Unique Projects | 16 | 282 | 373 | 679 | 867 | 1,154 | 1,436 | 1,436 | 1,626 | +| Total # of Unique Releases/Versions | 75 | 1360 | 1,779 | 3,144 | 3,938 | 5,259 | 6,361 | 6,361 | 7,023 | +| Total # of Generated Attestations | 75 | 738 | 1,492 | 2,788 | 3,770 | 5,474 | 6,484 | 6,484 | 7,277 | +