Link to results: https://docs.google.com/spreadsheets/d/1K8dc6SrSEoqqh46cFisZM1tiN4CigaXsqkCKfCM8UTs/edit#gid=228743971
We first show the work done month over month. This is followed by the cumulative results. Finally we show language specific breakdown of the cumulative results.
| Month | Dec 2023 | Jan 2024 |
|---|---|---|
| Projects analyzed | 328 | 300 |
| Projects with no bugs | 293 | 279 |
| Total bugs filed | 56 | 13 |
| Security/Reliability bugs filed | 15 | 8 |
| Bugs with a fix suggestion | 50 | 10 |
| Bugs with a PoC exploit | 4 | 1 |
| Fixes merged by maintainers | 27 | 10 |
| Security/Reliability fixes merged | 6 | 6 |
| Fixes ignored by maintainers | 1 | 1 |
| Reports still open | 28 | 2 |
| Month | Dec 2023 | Jan 2024 |
|---|---|---|
| Weak Crypto | 8 | 8 |
| Data Race | 2 | 5 |
| XSS | 5 | 5 |
| Log Injection | 4 | 4 |
| Insecure Deserialization | 2 | 2 |
| Inappropriate umask | 1 | 1 |
| Open Redirect | 0 | 1 |
| Security Misconfiguration | 1 | 1 |
| Sensitive Data Leak | 1 | 1 |
| SSRF | 1 | 1 |
| TOTAL | 25 | 29 |
- A high severity bug is any one of the following: (1) An injection related bug, (2) a weak cryptography related bug, (3) an access control related bug (4) a security or a reliability bug that is typically of medium priority but has been categorized as a high prioriy bug because it is found in a popular project (100+ forks).
| Month | Aug 2023 | Sep 2023 | Oct 2023 | Nov 2023 | Dec 2023 | Jan 2024 |
|---|---|---|---|---|---|---|
| Projects analyzed | 132 | 458 | 809 | 1,079 | 1,407 | 1,707 |
| Projects with no bugs | 98 | 398 | 718 | 938 | 1,231 | 1,510 |
| Total bugs filed | 33 | 75 | 113 | 168 | 224 | 237 |
| Security/Reliability bugs filed | 12 | 23 | 43 | 79 | 94 | 102 |
| Total high severity bugs filed* | - | - | - | - | 25 | 29 |
| Bugs with a fix suggestion | 26 | 64 | 94 | 140 | 190 | 200 |
| Bugs with a PoC exploit | 6 | 13 | 18 | 22 | 26 | 27 |
| Fixes merged by maintainers | 15 (45%) | 38 (51%) | 54 (48%) | 76 (45.3%) | 103 (46%) | 113 (47.7%) |
| Security/Reliability fixes merged | Not measured | Not measured | 13 (30%) | 25 (31.6%) | 31 (32.9%) | 37 (36.2%) |
| Fixes ignored by maintainers | Not measured | 8 (11%) | 7 (6%) | 9 (5.3%) | 10 (4.5%) | 11 (4.6%) |
| Reports still open | Not measured | 29 (39%) | 52 (46%) | 83 (49.4%) | 111 (49.5%) | 113 (47.7%) |
| Language | Python | Java | Go | TOTAL |
|---|---|---|---|---|
| # of total projects analyzed | 1,396 | 189 | 122 | 1,707 |
| # of total zerofix projects | 1,234 | 169 | 107 | 1,510 |
| # of total bugs filed | 195 | 22 | 20 | 237 |
| # of total security/reliablity bugs filed | 80 | 12 | 10 | 102 |
| # of total bugs with fix suggestion | 178 | 6 | 16 | 200 |
| # of total POC exploit | 22 | 5 | 0 | 27 |
| # of total merged fixes | 98 | 5 | 10 | 113 |
| # of total merged security/reliability fixes | 28 | 3 | 6 | 37 |
| # of total ignored/rejected fixes | 10 | 1 | 0 | 11 |
| # of total open fixes | 87 | 16 | 10 | 113 |
From February, we will be mostly concentrating on bugs in Python applications. We have created a list of the top 10,000 Python projects in the PyPI repository based on the number of downloads over the last one year period. We will concentrate on the last five release branches of each of the projects. That gives us about 50,000 target projects. The results will be updated to the Google sheet file as usual. At the same time, we are exploring options to generate attestations regarding the scan and the findings. More details will be available in the February report.
The total number of bugs filed rediced in January is lower than the bugs filed before. This is because we have stopped reporting logical bugs and low severity security bugs. This change in scope happened after getting feedback from the Alpha-Omega stakeholders.