Description
archeogit blame does not consider the relevance of a file in contributing to a vulnerability when attempting to identify the commits that likely contributed to the vulnerability. The implementation is based on the assumption that any file involved in the commit that fixed a vulnerability is relevant to the vulnerability. However, the assumption is violated when files like test cases or change logs are updated when fixing the vulnerability. There is no need to subject these irrelevant files to the algorithm that identifies commits that likely contributed to the vulnerability because these irrelevant files likely have nothing to do with resolving the vulnerability itself.
Examples
The following examples help illustrate the issue.
- apache/struts@d934c6e is reported to have fixed CVE-2013-2115 in Apache Struts. The commit modified the four files enumerated below, two of which are test files and, by their nature, unlikely to have contributed to the vulnerability. As a result, these files must not be considered when attempting to identify vulnerability contributing commits given a vulnerability fixing commit.
    core/src/main/java/org/apache/struts2/views/util/DefaultUrlHelper.java
    core/src/test/java/org/apache/struts2/views/jsp/URLTagTest.java
    core/src/test/java/org/apache/struts2/views/util/DefaultUrlHelperTest.java
    xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
- apache/httpd@2fa69ec is reported to have fixed CVE-2013-2115 in Apache httpd. The commit modified the two files enumerated below, one of which is a plaintext file used as the project's change log and, by its nature, unlikely to have contributed to the vulnerability. As a result, this file must not be considered when attempting to identify vulnerability contributing commits given a vulnerability fixing commit.
    modules/cache/cache_util.c
    CHANGES
Proposal
The proposed solution is to (a) develop an approach to accurately identify the irrelevant files affected by a vulnerability fixing commit and (b) ignore them when attempting to identify the vulnerability contributing commits.
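One way to implement part (a) of the proposal is a path-based filter that flags test files and change logs before the blame step runs. The following is an added example, not archeogit's own code; the regular expressions are assumed heuristics, and the file lists are the ones quoted from the two commits above.

```python
import re
from typing import Iterable

# Heuristics for files that rarely hold the code in which a vulnerability lives.
# These patterns are an assumption made for this example, not archeogit's rules.

# A whole path segment named test/tests/testing/spec (e.g. core/src/test/java/...).
TEST_PATH_RE = re.compile(r"(^|/)(test|tests|testing|spec)(/|$)", re.IGNORECASE)
# Test-style file names: test_foo.py, foo_test.go, or a camelCase *Test.java suffix.
# The camelCase branch is case-sensitive on purpose so that "contest.c" is not flagged.
TEST_NAME_RE = re.compile(
    r"(^|/)(test_[^/]+|[^/]+_test\.[A-Za-z]+|[^/]*[a-z]Tests?\.[A-Za-z]+)$"
)
# Change-log style files at any depth: CHANGES, CHANGELOG.md, NEWS, RELEASE_NOTES.txt ...
CHANGELOG_RE = re.compile(
    r"(^|/)(CHANGES|CHANGELOG|NEWS|HISTORY|RELEASE[_-]?NOTES)(\.[a-z]+)?$", re.IGNORECASE
)


def is_irrelevant(path: str) -> bool:
    """True when the path looks like a test or change-log file that should be skipped."""
    return bool(
        TEST_PATH_RE.search(path) or TEST_NAME_RE.search(path) or CHANGELOG_RE.search(path)
    )


def partition_files(paths: Iterable[str]) -> tuple[list[str], list[str]]:
    """Split a fixing commit's files into (relevant, ignored) before running blame."""
    relevant, ignored = [], []
    for p in paths:
        (ignored if is_irrelevant(p) else relevant).append(p)
    return relevant, ignored


# Constructed sample input: the file lists quoted from the two commits above.
STRUTS_D934C6E = [
    "core/src/main/java/org/apache/struts2/views/util/DefaultUrlHelper.java",
    "core/src/test/java/org/apache/struts2/views/jsp/URLTagTest.java",
    "core/src/test/java/org/apache/struts2/views/util/DefaultUrlHelperTest.java",
    "xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java",
]
HTTPD_2FA69EC = ["modules/cache/cache_util.c", "CHANGES"]

if __name__ == "__main__":
    for name, files in (("struts", STRUTS_D934C6E), ("httpd", HTTPD_2FA69EC)):
        relevant, ignored = partition_files(files)
        print(name, "relevant:", relevant, "ignored:", ignored)
```

Only the relevant list would then be handed to the commit-identification algorithm; a file that matches none of the patterns is kept, so a miss here costs accuracy but never silently drops a source file.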