Collect all fix commits

[pombredanne]

Solution: How to collect fix commits?

There are many ways listed in this issue by @elanzini and inputs from @copernico:

• VCIO-next: Add support to track fix commits: Include commits and patches that fix a vulnerability #207 (comment)

I would reformulate the sources as

1. Include databases of these fixes, like the Project KB
2. Collect these from data we get in structured advisories and their references
3. Analyse the code, commit histories, issues trackers, mailing lists and structured advisories to collect these.
4. Support fix triage, review and refinement

For now, we will start with 2., meaning that we create an improver that will scout the References to create CodeFix entries. The CodeFix design is at:

• VCIO-next: Add support to track fix commits: Include commits and patches that fix a vulnerability #207

And the issue for the improver is at:

• VCIO-next: Create improver to find fix commits #1696
• Infer Package URL (and fix commits) from references (dupe?) Infer Package URL from references and other references issues for "commitish" URLs  #327

Later, we could also collect explicit data available in some importers (symbols in in Go advisories, commits in GHSA) and also do 1., 3. and 4.

• Collect datasets Collect existing fix commits and patches open datasets #1697
• Extract unpublished vulnerabilities from commit histories and trackers Extract unpublished vulnerabilities from commit histories and trackers #1129
• Implement linked commits Feature implement linked commits #1226

See also:

• RFC: vulnerability reachability RFC: vulnerability reachability #1313