OpenRefactory thanks Alpha-Omega for supporting the project to report vulnerabilities at scale.
OpenRefactory will work alongside with Alpha-Omega project’s principals to report security vulnerabilities at scale in open source projects and work with the maintainers to get the vulnerabilities fixed:
- OpenRefactory will analyze open source software written in two languages: Java and Python. The goal is to analyze top 10,000 open source projects in these languages with OpenRefactory’s own Intelligent Code Repair (iCR) tool as well as the Omega Analyzer.
- OpenRefactory will concentrate on the following critical security categories: SQL Injection, Cross-Site Scripting (XSS), Command Injection, Path Manipulation, Deserialization, XML External Entity (XXE) Injection. In future, the proposed work will extend into security hardening and other kinds of bugs as well.
- OpenRefactory will use a portal to triage bug reports from their proprietary tool iCR (Intelligent Code Repair) and other tools from the Omega toolchain.
- Reports will include a range of problems which will require manual review.
- OpenRefactory will triage manually and follow the model outbound vulnerability disclosure policy to report the bugs in a responsible manner.
- OpenRefactory will follow the submissions and work with the maintainers to correct the issues.
The following KPIs will be tracked:
- The total number of projects that have ben analyzed
- The total number of issues that have been reported as True Positives
- The number of those reported issues for which exploit code was created
- The number of those reported issues for which fixes have been generated
- How many reports have been accepted?
- How many reports have been rejected?
- The number of "clean" projects where no security issues were uncovered
This engagement started in July 2023. Reports for 2023 are available here: https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2023/OpenRefactory
- January 2024
- February 2024
- March 2024
- April 2024
- May 2024
- June 2024
- July 2024
- August 2024
- September 2024
- October 2024
- November 2024
- Munawar Hafiz - CEO, OpenRefactory
- Ataf Ahmed - Secure Software Engineer, OpenRefactory