Skip to content

Latest commit

 

History

History
51 lines (36 loc) · 3.1 KB

File metadata and controls

51 lines (36 loc) · 3.1 KB

Alpha Engagement: OpenRefactory

OpenRefactory thanks Alpha-Omega for supporting the project to report vulnerabilities at scale.

OpenRefactory will work alongside with Alpha-Omega project’s principals to report security vulnerabilities at scale in open source projects and work with the maintainers to get the vulnerabilities fixed:

  1. OpenRefactory will analyze open source software written in two languages: Java and Python. The goal is to analyze top 10,000 open source projects in these languages with OpenRefactory’s own Intelligent Code Repair (iCR) tool as well as the Omega Analyzer.
  2. OpenRefactory will concentrate on the following critical security categories: SQL Injection, Cross-Site Scripting (XSS), Command Injection, Path Manipulation, Deserialization, XML External Entity (XXE) Injection. In future, the proposed work will extend into security hardening and other kinds of bugs as well.
  3. OpenRefactory will use a portal to triage bug reports from their proprietary tool iCR (Intelligent Code Repair) and other tools from the Omega toolchain.
  4. Reports will include a range of problems which will require manual review.
  5. OpenRefactory will triage manually and follow the model outbound vulnerability disclosure policy to report the bugs in a responsible manner.
  6. OpenRefactory will follow the submissions and work with the maintainers to correct the issues.

The following KPIs will be tracked:

  • The total number of projects that have ben analyzed
  • The total number of issues that have been reported as True Positives
  • The number of those reported issues for which exploit code was created
  • The number of those reported issues for which fixes have been generated
  • How many reports have been accepted?
  • How many reports have been rejected?
  • The number of "clean" projects where no security issues were uncovered

Timeline

This engagement started in July 2023. Reports for 2023 are available here: https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2023/OpenRefactory

Monthly Updates

Primary Contacts

  • Munawar Hafiz - CEO, OpenRefactory
  • Ataf Ahmed - Secure Software Engineer, OpenRefactory

Announcements / News