Extracting Vulnerabilities from GitHub Commits

Abstract

Open-source libraries save developers time and effort by providing them access to pre-written functions, objects, and methods. The adoption of such libraries follows the current trend of more widespread use of open-source software and components. However, like proprietary software, open-source software can also suffer from defects that can be exploited by attackers. Many of these vulnerabilities have been identified and documented and are stored in Common Vulnerabilities and Exposures (CVE) databases maintained by entities such as NIST. Developers of these open-source components have a responsibility to inform their users of the vulnerabilities that exist in their releases and of the patches that fix these vulnerabilities. Consistent documentation of CVEs is a prerequisite for mitigating these vulnerabilities, especially if an automated approach is taken. This study investigates how well-documented are the patches both in the CVE database, and within the Github commits of C language open-source libraries. The results show that a significant number of CVEs in the NIST database do not mention the existence of patches and that only a small subset of the libraries looked at document CVEs in their commits. This paper comes to the conclusion that mutually agreed upon standards when it comes to CVE documentation should be adopted by both developers of open-source software and the entities that update and maintain CVE databases.