Overview:
Phylum has developed a reachability tool that performs call graph analysis to determine whether a particular vulnerability is reachable. The tool currently supports the JavaScript programming language and is functionally database-agnostic, so any vendor can supply their preferred catalogue of findings and prune or annotate false positives. This is currently the cutting edge of the Software Composition Analysis (SCA) space, and as such is quickly becoming a necessary feature in order to compete effectively.
Requirements for Implementation:
In order to integrate and utilize this tool, the following steps must be completed:
- Integration with an SCA Capability - Phylum's vuln-reach tool needs to be integrated with an existing SCA product and will need to receive the following information:
  - Vulnerability information
  - Target files & packages to analyze
  - Vulnerability location data
- Vulnerability Location Data - Location data must be provided that matches the vulnerability database in use, so that the reachability tool can connect a database entry to the code it affects when analyzing a candidate codebase. The location data must be specific to the vulnerability dataset used; Phylum has tools that can help automate producing it.
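As an added illustration (not Phylum's vuln-reach code), the kind of check the requirements above describe: a hand-constructed call graph standing in for extractor output, vendor-neutral findings carrying location data (package, file, function), and a search from the target files' entry points that marks each finding reachable with a witness call path or prunes it with a reason. All package, file and function names are made up.

```javascript
// Constructed call graph: node ids are "package:file:function", values are direct callees.
// A real tool would extract this from the application and its installed packages.
const CALL_GRAPH = {
  "app:src/index.js:main": ["app:src/index.js:handleRequest"],
  "app:src/index.js:handleRequest": ["widgetlib:lib/merge.js:deepMerge", "app:src/util.js:log"],
  "app:src/util.js:log": ["app:src/index.js:handleRequest"], // cycle: the search must terminate
  "widgetlib:lib/merge.js:deepMerge": ["widgetlib:lib/merge.js:assignKey"],
  "widgetlib:lib/merge.js:assignKey": [],
  "argparser:index.js:parse": [], // installed, but nothing in the app ever calls it
};

// Constructed findings in a database-agnostic shape: an id plus the location data
// that ties the vendor's database entry to a call-graph node.
const FINDINGS = [
  { id: "EXAMPLE-VULN-0001", package: "widgetlib", file: "lib/merge.js", function: "assignKey" },
  { id: "EXAMPLE-VULN-0002", package: "argparser", file: "index.js", function: "parse" },
  { id: "EXAMPLE-VULN-0003", package: "cryptolib", file: "hash.js", function: "md5" }, // not installed
];

const nodeId = (f) => `${f.package}:${f.file}:${f.function}`;

// Every node that appears as a caller or a callee.
function allNodes(graph) {
  return new Set([...Object.keys(graph), ...Object.values(graph).flat()]);
}

// Breadth-first search from the entry points; returns the call path to target, or null.
function findPath(graph, entryPoints, target) {
  const parent = new Map(entryPoints.map((e) => [e, null])); // also serves as the visited set
  const queue = [...entryPoints];
  while (queue.length > 0) {
    const node = queue.shift();
    if (node === target) {
      const path = [];
      for (let n = node; n !== null; n = parent.get(n)) path.unshift(n);
      return path;
    }
    for (const callee of graph[node] ?? []) {
      if (!parent.has(callee)) { parent.set(callee, node); queue.push(callee); }
    }
  }
  return null;
}

// Annotate each finding as reachable (with a witness path) or pruned (with a reason).
function annotateFindings(graph, entryPoints, findings) {
  const known = allNodes(graph);
  return findings.map((f) => {
    const target = nodeId(f);
    if (!known.has(target)) return { ...f, reachable: false, reason: "location not in call graph" };
    const path = findPath(graph, entryPoints, target);
    return path ? { ...f, reachable: true, path } : { ...f, reachable: false, reason: "no call path from entry points" };
  });
}

const ENTRY_POINTS = ["app:src/index.js:main"]; // entry functions of the target files
const results = annotateFindings(CALL_GRAPH, ENTRY_POINTS, FINDINGS);
```

Only the first finding survives as reachable; the other two are pruned with a reason a reviewer can audit, which is the false-positive annotation the tool is meant to provide.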
How it Integrates:
The Phylum vuln reachability solution can be integrated in a variety of ways:
- Standalone CLI - a CLI utility that showcases the capability already exists and could operate as part of a suite of other tools.
- Library - the tool can also be packaged as a shared library to simplify integration with any product from the client's perspective.