Skip to content

Commit c80e3f3

Browse files
micmarti85micmarti85
authored
Merge pull request #423 from openrefactory/main
Add OpenRefactory September 2024 Report
2 parents 4f7e234 + cda82b6 commit c80e3f3

File tree

2 files changed

+103
-0
lines changed

2 files changed

+103
-0
lines changed

alpha/engagements/2024/OpenRefactory/README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,7 @@ This engagement started in July 2023. Reports for 2023 are available here: https
3737
* [June 2024](update-2024-06.md)
3838
* [July 2024](update-2024-07.md)
3939
* [August 2024](update-2024-08.md)
40+
* [September 2024](update-2024-09.md)
4041

4142
## Primary Contacts
4243

alpha/engagements/2024/OpenRefactory/update-2024-09.md

Lines changed: 102 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,102 @@
1+
# OpenRefactory Update: September 2024
2+
3+
## Scan Results
4+
Link to results: https://docs.google.com/spreadsheets/d/1K8dc6SrSEoqqh46cFisZM1tiN4CigaXsqkCKfCM8UTs/
5+
6+
We first show the work done month over month. This is followed by the cumulative results. Finally we show language specific breakdown of the cumulative results.
7+
8+
### September
9+
| Month | Dec 2023 | Jan 2024 | Feb 2024 | Mar 2024 | Apr 2024 | May 2024 | Jun 2024 | Jul 2024 | Aug 2024 | Sep 2024 |
10+
|--------------------------------------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------|
11+
| Projects analyzed | 328 | 300 | 530 | 780 | 712 | 785 | 1,198 | 896 | 1,206 | 1,296 |
12+
| Projects with no bugs | 293 | 279 | 525 | 776 | 708 | 784 | 1,198 | 896 | 1,198 | 1,286 |
13+
| Total bugs filed | 56 | 13 | 7 | 7 | 4 | 7 | 1 | 0 | 0 | 11 |
14+
| Security/Reliability bugs filed | 15 | 8 | 6 | 5 | 2 | 5 | 2 | 0 | 1 | 6 |
15+
| Bugs with a fix suggestion | 50 | 10 | 2 | 2 | 4 | 0 | 1 | 0 | 19 | 7 |
16+
| Bugs with a PoC exploit | 4 | 1 | 2 | 3 | 0 | 0 | 0 | 0 | 1 | 0 |
17+
| Fixes merged by maintainers | 27 | 10 | 5 | 3 | 4 | 0 | 1 | 1 | 6 | 7 |
18+
| Security/Reliability fixes merged | 6 | 6 | 2 | 1 | 0 | 0 | 0 | 1 | 7 | 1 |
19+
| Fixes ignored by maintainers | 1 | 1 | 1 | 0 | 2 | 0 | 2 | 0 | 6 | 0 |
20+
| Reports still open | 28 | 2 | 1 | 4 | 0 | 7 | 0 | 0 | 0 | 4 |
21+
22+
23+
### High Severity Bugs* (Cumulative)
24+
| Month | Dec 2023 | Jan 2024 | Feb 2024 | Mar 2024 | Apr 2024 | May 2024 | Jun 2024 | Jul 2024 | Aug 2024 | Sep 2024 |
25+
|---------------------------|----------|----------|----------|----------|----------|----------|----------|----------|----------|----------|
26+
| Weak Crypto | 8 | 8 | 8 | 8 | 8 | 8 | 8 | 8 | 9 | 12 |
27+
| Data Race | 2 | 5 | 5 | 5 | 6 | 6 | 6 | 6 | 6 | 6 |
28+
| XSS | 5 | 5 | 7 | 8 | 8 | 8 | 8 | 8 | 8 | 8 |
29+
| Log Injection | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 5 | 5 |
30+
| Path Manipulation | 0 | 0 | 3 | 5 | 5 | 5 | 5 | 5 | 5 | 5 |
31+
| Insecure Deserialization | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 |
32+
| OS Command Injection | 0 | 0 | 0 | 2 | 2 | 2 | 2 | 2 | 2 | 2 |
33+
| Inappropriate umask | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
34+
| Open Redirect | 0 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
35+
| Security Misconfiguration | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
36+
| Sensitive Data Leak | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
37+
| SSRF | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
38+
| Null Dereference | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 |
39+
| **TOTAL** | 25 | 29 | 34 | 39 | 40 | 40 | 40 | 40 | 42 | 46 |
40+
41+
42+
#### 3 High Severity Bugs
43+
- Weak Crypto 1
44+
(Python) caronc/apprise @ 1.8.0
45+
Reported privately through email to one of the maintainers
46+
https://groups.google.com/a/openrefactory.com/g/vulnerability-reporting/c/p1oOzyXuN6M
47+
48+
- Weak Crypto 2
49+
(Python) thobbs/pure-sasl @ 0.6.2
50+
https://github.com/thobbs/pure-sasl/issues/43
51+
52+
- Weak Crypto 3
53+
(Python) mitya57/secretstorage @ 3.3.3
54+
https://github.com/mitya57/secretstorage/issues/46
55+
56+
- Null Dereference
57+
(Java) spring-projects/spring-framework @ 6.1.12
58+
https://github.com/spring-projects/spring-framework/issues/33609
59+
60+
61+
### Cumulative Data
62+
| Month | Aug 2023 | Sep 2023 | Oct 2023 | Nov 2023 | Dec 2023 | Jan 2024 | Feb 2024 | Mar 2024 | Apr 2024 | May 2024 | Jun 2024 | Jul 2024 | Aug 2024 | Sep 2024 |
63+
|--------------------------------------|--------------|--------------|----------|------------|-------------|------------|-------------|--------------|--------------|--------------|-------------|-----------------|--------------|--------------|
64+
| Projects analyzed | 132 | 458 | 809 | 1,079 | 1,407 | 1,707 | 2,237 | 3,017 | 3,729 | 4,514 | 5,712 | 6,608 | 7,813 | 9109 |
65+
| Projects with no bugs | 98 | 398 | 718 | 938 | 1,231 | 1,510 | 2,035 | 2,811 | 3,519 | 4,303 | 5,501 | 6,091 | 7,595 | 8881 |
66+
| Total bugs filed | 33 | 75 | 113 | 168 | 224 | 237 | 244 | 251 | 255 | 262 | 263 | 263 | 262 | 273 |
67+
| Security/Reliability bugs filed | 12 | 23 | 43 | 79 | 94 | 102 | 108 | 113 | 115 | 120 | 122 | 122 | 123 | 129 |
68+
| Total high severity bugs filed* | - | - | - | - | 25 | 29 | 34 | 39 | 40 | 40 | 40 | 40 | 42 | 46 |
69+
| Bugs with a fix suggestion | 26 | 64 | 94 | 140 | 190 | 200 | 202 | 204 | 208 | 208 | 209 | 209 | 228 | 235 |
70+
| Bugs with a PoC exploit | 6 | 13 | 18 | 22 | 26 | 27 | 29 | 32 | 32 | 32 | 32 | 32 | 33 | 33 |
71+
| Fixes merged by maintainers | 15 (45%) | 38 (51%) | 54 (48%) | 76 (45.3%) | 103 (46%) | 113 (47.7%)| 118 (48.4%) | 121 (48.2%) | 125 (49.01%) | 125 (47.7%) | 126 (47.9%) | 127 (48.3%) | 133 (50.76%) | 140 (51.3%) |
72+
| Security/Reliability fixes merged | Not measured | Not measured | 13 (30%) | 25 (31.6%) | 31 (32.9%) | 37 (36.2%) | 39 (36.1%) | 40 (35.4%) | 40 (34.78%) | 40 (33.33%) | 40 (32.8%) | 41 (33.6%) | 48 (39.02%) | 49 (38%) |
73+
| Fixes ignored by maintainers | Not measured | 8 (11%) | 7 (6%) | 9 (5.3%) | 10 (4.5%) | 11 (4.6%) | 12 (4.9%) | 12 (4.78%) | 14 (5.5%) | 14 (5.35%) | 16 (6.08%) | 16 (6.08%) | 22 (8.4%) | 22 (8.06%) |
74+
| Reports still open | Not measured | 29 (39%) | 52 (46%) | 83 (49.4%) | 111 (49.5%) | 113 (47.7%)| 114 (46.7%) | 118 (47.01%) | 116 (45.49%) | 123 (46.95%) | 121 (46%) | 120 (45.62%) | 107 (40.84%) | 111 (40.66%) |
75+
76+
77+
### Language Specific Data (Cumulative)
78+
| Language | Python | Java | Go | TOTAL |
79+
| ---------------------------------------------- | -------- | ---- | ---- | ----- |
80+
| \# of total projects analyzed | 8,758 | 196 | 155 | 9,109 |
81+
| \# of total zerofix projects | 8,576 | 169 | 136 | 8,881 |
82+
| \# of total bugs filed | 216 | 30 | 27 | 273 |
83+
| \# of total security/reliablity bugs filed | 94 | 22 | 13 | 129 |
84+
| \# of total bugs with fix suggestion | 189 | 23 | 23 | 235 |
85+
| \# of total POC exploit | 27 | 5 | 1 | 33 |
86+
| \# of total merged fixes | 114 | 10 | 16 | 140 |
87+
| \# of total merged security/reliability fixes | 32 | 7 | 10 | 49 |
88+
| \# of total ignored/rejected fixes | 13 | 6 | 3 | 22 |
89+
| \# of total open fixes | 89 | 14 | 8 | 111 |
90+
91+
92+
## Attestations
93+
Link to attestations: https://github.com/OpenRefactory-Inc/attestations. A sample attestation JSON can be found [here](https://github.com/OpenRefactory-Inc/attestations/blob/master/aiohttp/4.0.0a1/2024-04-24/attestation.json).
94+
95+
96+
### Cumulative Data
97+
| Month | Mar 2024 | Apr 2024 | May 2024 | Jun 2024 | Jul 2024 | Aug 2024 | Sep 2024 |
98+
|-------------------------------------|----------|----------|----------|----------|----------|----------|----------|
99+
| Total # of Unique Projects | 16 | 282 | 373 | 679 | 867 | 1,154 | 1,436 |
100+
| Total # of Unique Releases/Versions | 75 | 1360 | 1,779 | 3,144 | 3,938 | 5,259 | 6,361 |
101+
| Total # of Generated Attestations | 75 | 738 | 1,492 | 2,788 | 3,770 | 5,474 | 6,484 |
102+

0 commit comments

Comments
 (0)