Home
k----n edited this page Nov 25, 2020
Welcome to the hemlock wiki!
David Reid (UTK), Chris Bogart (CMU), Adam Tutko (UTK), Kalvin (U Alberta)
Hemlock: a highly poisonous plant
- How widespread are cloned files that contain known vulnerabilities?
  - Find some popular repos with known vulnerabilities.
  - Find projects that have reused those vulnerable files.
  - Trace version history across repositories. See if any version has known vulnerabilities or bugs.
  - Determine if the vulnerability is exploitable in the given project (maybe future work).
- Research into vulnerability databases --> how can we connect them to World of Code?
  - repository names in GitHub?
  - commit SHAs?
  - file names? line numbers?
  - versioning
    - do we know a fixed version of the project? -- if so, then previous version(s) are bad
  - If you google this: `site:https://cve.mitre.org/ CONFIRM:https://github.com` you get links to GitHub issues on CVE
- Compression algorithm with a fix that's been copied widely: https://nvd.nist.gov/vuln/data-feeds#JSON_FEED
- Pursue in parallel: track down this example vulnerability in WoC while extracting more from the CVE database.
Potential finalized methodology
- Get commits from the CVE list and/or from commit messages (how do we identify a commit message as a fix?)
- Check if the commit has a single blob
- Trace blobs
- For checkpoint 1:
  - present this page
  - Pose question: Which version (R or S?) of WoC data to use
- For checkpoint 2:
  - collect some example vulnerabilities from CVE
  - figure out how to scrape CVE for JSON files
  - look into how to get the list of blob SHA1s that make up the file history, via the commit chain OR via blob -> parent blob
  - get the history of commit messages to search for CVE references
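The three methodology steps above (CVE list -> fix commit -> single blob -> blob lineage) and the checkpoint 2 items (scraping the CVE JSON feed, getting the blob SHA1 history via blob -> parent blob) as one worked example. This is added illustration code, not code from the hemlock project or from World of Code. It assumes the NVD JSON 1.1 feed layout (`CVE_Items[].cve.references.reference_data[]`), and models the WoC maps as plain Python dicts named `C2B` (commit -> blobs) and `B2OB` (blob -> old blobs); every SHA and the CVE ID below are constructed placeholders.

```python
"""Added example (not hemlock's or WoC's own code).

Assumptions, not taken from the wiki page:
- the CVE feed follows the NVD JSON 1.1 layout
- WoC maps are modelled as dicts: C2B (commit -> set of blobs), B2OB (blob -> list of old blobs)
- all SHA values and the CVE ID are constructed placeholders
"""
import json
import re
from collections import deque

# GitHub commit URLs are the references worth keeping: they name the fix commit directly
GITHUB_COMMIT_RE = re.compile(
    r"https?://github\.com/([\w.-]+)/([\w.-]+)/commit/([0-9a-f]{7,40})"
)

# Constructed NVD-style feed: one CVE whose CONFIRM reference is a GitHub commit tagged "Patch"
FIX_COMMIT = "a" * 40
SAMPLE_FEED = json.dumps({
    "CVE_Items": [
        {"cve": {
            "CVE_data_meta": {"ID": "CVE-0000-00001"},  # placeholder ID
            "references": {"reference_data": [
                {"url": "https://github.com/example-org/libsqueeze/commit/" + FIX_COMMIT,
                 "refsource": "CONFIRM", "tags": ["Patch"]},
                {"url": "https://example.invalid/advisory",
                 "refsource": "MISC", "tags": ["Third Party Advisory"]},
            ]},
        }},
    ]
})


def fix_commits_from_feed(feed_text):
    """Step 1: map each CVE ID to the (owner, repo, commit_sha) tuples found in its references."""
    out = {}
    for item in json.loads(feed_text)["CVE_Items"]:
        cve = item["cve"]
        cve_id = cve["CVE_data_meta"]["ID"]
        for ref in cve["references"]["reference_data"]:
            m = GITHUB_COMMIT_RE.match(ref["url"])
            if m:
                out.setdefault(cve_id, []).append(m.groups())
    return out


# Constructed C2B map: commit sha -> set of blob shas the commit introduced
FIXED_BLOB = "f" * 40
C2B = {
    FIX_COMMIT: {FIXED_BLOB},            # one-file fix: attributable to a single blob
    "b" * 40: {"1" * 40, "2" * 40},      # multi-file commit: ambiguous, skipped by step 2
}


def single_blob(commit_sha, c2b):
    """Step 2: return the fixed blob only when the commit touched exactly one blob, else None."""
    blobs = c2b.get(commit_sha, set())
    return next(iter(blobs)) if len(blobs) == 1 else None


# Constructed B2OB map: blob -> the blob(s) it replaced (earlier versions of the same file);
# a blob can have several old blobs, e.g. after a merge, so values are lists
B2OB = {
    FIXED_BLOB: ["e" * 40],
    "e" * 40: ["d" * 40, "c" * 40],
    "d" * 40: ["c" * 40],
}


def trace_old_blobs(blob_sha, b2ob, limit=10000):
    """Step 3: breadth-first walk of blob -> old blob links.

    Every blob reached predates the fix, so a project whose head tree still contains one of
    them is a candidate for carrying the vulnerable file. The visited set guards against
    cycles in a noisy map and `limit` bounds the walk on very long histories.
    """
    visited = {blob_sha}
    queue = deque([blob_sha])
    lineage = []
    while queue and len(lineage) < limit:
        cur = queue.popleft()
        for old in b2ob.get(cur, []):
            if old not in visited:
                visited.add(old)
                lineage.append(old)
                queue.append(old)
    return lineage


def vulnerable_blobs_for_feed(feed_text, c2b, b2ob):
    """Run all three steps: CVE -> fix commit -> single fixed blob -> its pre-fix ancestors."""
    result = {}
    for cve_id, refs in fix_commits_from_feed(feed_text).items():
        for _owner, _repo, sha in refs:
            blob = single_blob(sha, c2b)
            if blob is None:
                continue  # multi-file or unknown commit: not attributable to one file
            result[cve_id] = {"fixed_blob": blob, "vulnerable_blobs": trace_old_blobs(blob, b2ob)}
    return result


if __name__ == "__main__":
    print(json.dumps(vulnerable_blobs_for_feed(SAMPLE_FEED, C2B, B2OB), indent=2))
```

The single-blob check is what keeps the later blob tracing honest: a fix commit that rewrites several files cannot tell you which blob carried the vulnerability, so such commits are dropped rather than guessed at. On real WoC data the two dicts would be replaced by lookups against the C2B and B2OB maps.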
- For checkpoint 3:
  - Get clarification on b2ob mappings
  - Go over example code
  - Explain the plan for the next checkpoint (finding vulnerable/safe projects using head blobs)