Skip to content

Latest commit

 

History

History
87 lines (71 loc) · 8.8 KB

update-2024-07.md

File metadata and controls

87 lines (71 loc) · 8.8 KB
Raw

OpenRefactory Update: July 2024

Scan Results

Link to results: https://docs.google.com/spreadsheets/d/1K8dc6SrSEoqqh46cFisZM1tiN4CigaXsqkCKfCM8UTs/edit#gid=228743971

We first show the work done month over month. This is followed by the cumulative results. Finally we show language specific breakdown of the cumulative results.

July

Month Dec 2023 Jan 2024 Feb 2024 Mar 2024 Apr 2024 May 2024 Jun 2024 Jul 2024
Projects analyzed 328 300 530 780 712 785 1,198 896
Projects with no bugs 293 279 525 776 708 784 1,198 896
Total bugs filed 56 13 7 7 4 7 1 0
Security/Reliability bugs filed 15 8 6 5 2 5 2 0
Bugs with a fix suggestion 50 10 2 2 4 0 1 0
Bugs with a PoC exploit 4 1 2 3 0 0 0 0
Fixes merged by maintainers 27 10 5 3 4 0 1 1
Security/Reliability fixes merged 6 6 2 1 0 0 0 1 *[1]
Fixes ignored by maintainers 1 1 1 0 2 0 2 0
Reports still open 28 2 1 4 0 7 0 0

High Severity Bugs* (Cumulative)

Month Dec 2023 Jan 2024 Feb 2024 Mar 2024 Apr 2024 May 2024 Jun 2024 Jul 2024
Weak Crypto 8 8 8 8 8 8 8 8
Data Race 2 5 5 5 6 6 6 6
XSS 5 5 7 8 8 8 8 8
Log Injection 4 4 4 4 4 4 4 4
Path Manipulation 0 0 3 5 5 5 5 5
Insecure Deserialization 2 2 2 2 2 2 2 2
OS Command Injection 0 0 0 2 2 2 2 2
Inappropriate umask 1 1 1 1 1 1 1 1
Open Redirect 0 1 1 1 1 1 1 1
Security Misconfiguration 1 1 1 1 1 1 1 1
Sensitive Data Leak 1 1 1 1 1 1 1 1
SSRF 1 1 1 1 1 1 1 1
TOTAL 25 29 34 39 40 40 40 40
  • A high severity bug is any one of the following: (1) An injection related bug, (2) a weak cryptography related bug, (3) an access control related bug (4) a security or a reliability bug that is typically of medium priority but has been categorized as a high priority bug because it is found in a popular project (100+ forks).

Cumulative Data

Month Aug 2023 Sep 2023 Oct 2023 Nov 2023 Dec 2023 Jan 2024 Feb 2024 Mar 2024 Apr 2024 May 2024 Jun 2024 Jul 2024
Projects analyzed 132 458 809 1,079 1,407 1,707 2,237 3,017 3,729 4,514 5,712 6,608
Projects with no bugs 98 398 718 938 1,231 1,510 2,035 2,811 3,519 4,303 5,501 6,091
Total bugs filed 33 75 113 168 224 237 244 251 255 262 263 263
Security/Reliability bugs filed 12 23 43 79 94 102 108 113 115 120 122 *[1] 122
Total high severity bugs filed* - - - - 25 29 34 39 40 40 40 40
Bugs with a fix suggestion 26 64 94 140 190 200 202 204 208 208 209 209
Bugs with a PoC exploit 6 13 18 22 26 27 29 32 32 32 32 32
Fixes merged by maintainers 15 (45%) 38 (51%) 54 (48%) 76 (45.3%) 103 (46%) 113 (47.7%) 118 (48.4%) 121 (48.2%) 125 (49.01%) 125 (47.7%) 126 (47.9%) 127 (48.3%)
Security/Reliability fixes merged Not measured Not measured 13 (30%) 25 (31.6%) 31 (32.9%) 37 (36.2%) 39 (36.1%) 40 (35.4%) 40 (34.78%) 40 (33.33%) 40 (32.8%) 41 (33.6%) *[1]
Fixes ignored by maintainers Not measured 8 (11%) 7 (6%) 9 (5.3%) 10 (4.5%) 11 (4.6%) 12 (4.9%) 12 (4.78%) 14 (5.5%) 14 (5.35%) 16 (6.08%) 16 (6.08%)
Reports still open Not measured 29 (39%) 52 (46%) 83 (49.4%) 111 (49.5%) 113 (47.7%) 114 (46.7%) 118 (47.01%) 116 (45.49%) 123 (46.95%) 121 (46%) 120 (45.62%)

Language Specific Data (Cumulative)

Language Python Java Go TOTAL
# of total projects analyzed 6,258 194 156 6,608
# of total zerofix projects 6,091 170 136 6,397
# of total bugs filed 207 28 28 263
# of total security/reliablity bugs filed 90 19 13 122
# of total bugs with fix suggestion 178 7 24 209
# of total POC exploit 26 5 1 32
# of total merged fixes 105 7 15 127
# of total merged security/reliability fixes 30 *[1] 3 8 41
# of total ignored/rejected fixes 12 2 2 16
# of total open fixes 90 19 11 120

Attestations

Link to attestations: https://github.com/OpenRefactory-Inc/attestations. A sample attestation JSON can be found here.

Cumulative Data

Month Mar 2024 Apr 2024 May 2024 Jun 2024 Jul 2024
Total # of Unique Projects 16 282 373 679 867
Total # of Unique Releases/Versions 75 1360 1,779 3,144 3,938
Total # of Generated Attestations 75 738 1,492 2,788 3,770

Note

[1] An mkstemp related bug was filled for project ceph/teuthology on Nov 2023. During that time, the mkstemp related bugs were categorized as security/reliability bugs. Currently, the mkstemp bugs aren't considered security/reliability bugs anymore. As a result, even though the bug is labelled as a security/reliability bug, it isn't considered on the "High Severity Bugs" table.