When running Eclipse Steady internally at SAP, serving thousands of distinct teams and conducting 250k+ scans per month, we spent a substantial amount of time mining source code repositories and curating a knowledge base of so-called fix-commits (the commits that fix known vulnerabilities). Such information is the fuel of Eclipse Steady, and it needs to be continuously harvested.
Given the increasing size of open-source ecosystems and the pace at which new vulnerabilities affecting open-source software are discovered, the current human-intensive approach is not adequate and cannot scale. Over the past few years we have observed a growing interest in the industry, which led several commercial offerings to emerge, each with its own proprietary vulnerability knowledge base. Not only does the proprietary nature of these knowledge bases hinder the further development of open-source tools that could push the state of the art in vulnerability detection and mitigation, but they also suffer from the same scalability and coverage issues that we have experienced ourselves.
Ultimately, the fact that data about open-source software is not open appears somewhat paradoxical.
To overcome these issues, we propose a different way of collecting and publishing vulnerability data, one based on a collaborative and distributed approach. In this talk we present a simple, machine- and human-readable format to represent vulnerabilities, capturing essential information such as which commits in which repository fixed a given vulnerability. This format is accompanied by a tool to create, publish and consume data from distinct independent sources, allowing clients to aggregate different sources and define customized policies to reconcile conflicting information.
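To make the aggregation-and-reconciliation idea concrete, here is an added example that is not part of the talk and not Eclipse Steady's own code or data format. It assumes a hypothetical one-statement-per-line format (`<vuln_id> <repo_url> <commit>[,<commit>...]`), two constructed source feeds (`vendor-kb`, `community-kb`) with constructed vulnerability ids and commit ids, and three client-side policies for resolving disagreement between sources: take the union, trust the highest-ranked source, or keep only commits that several sources agree on.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

@dataclass(frozen=True)
class FixCommit:
    repo: str      # repository the fixing commit lives in
    commit: str    # id of the commit that fixes the vulnerability

@dataclass(frozen=True)
class Statement:
    vuln_id: str                 # vulnerability identifier (constructed below)
    source: str                  # which knowledge base published the statement
    fixes: FrozenSet[FixCommit]  # fix-commits this source claims for the vulnerability

def parse_statements(source: str, text: str) -> List[Statement]:
    """Parse the hypothetical line format: <vuln_id> <repo_url> <commit>[,<commit>...]
    '#' starts a comment; blank lines are ignored."""
    statements = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        vuln_id, repo, commits = line.split()
        fixes = frozenset(FixCommit(repo, c) for c in commits.split(","))
        statements.append(Statement(vuln_id, source, fixes))
    return statements

# Constructed sample feeds: the two sources disagree on VULN-0001 and only one
# of them knows about VULN-0002.  Ids, URLs and hashes are placeholders.
VENDOR_FEED = """
# vuln_id   repo                                   commits
VULN-0001   https://example.invalid/org/lib-a.git  aaa111
"""
COMMUNITY_FEED = """
VULN-0001   https://example.invalid/org/lib-a.git  aaa111,bbb222
VULN-0002   https://example.invalid/org/lib-b.git  ccc333
"""

# Client-side trust ranking of sources (lower number = more trusted); assumed.
SOURCE_RANK = {"vendor-kb": 0, "community-kb": 1}

# A policy maps all statements about one vulnerability to the reconciled fix set.
Policy = Callable[[List[Statement]], FrozenSet[FixCommit]]

def policy_union(stmts: List[Statement]) -> FrozenSet[FixCommit]:
    """Believe everyone: every commit any source names is a fix-commit."""
    return frozenset().union(*(s.fixes for s in stmts))

def policy_precedence(stmts: List[Statement]) -> FrozenSet[FixCommit]:
    """Believe only the most trusted source that has an opinion."""
    best = min(stmts, key=lambda s: SOURCE_RANK[s.source])
    return best.fixes

def policy_consensus(min_sources: int = 2) -> Policy:
    """Keep a commit only if at least `min_sources` distinct sources name it."""
    def policy(stmts: List[Statement]) -> FrozenSet[FixCommit]:
        votes: Dict[FixCommit, set] = {}
        for s in stmts:
            for f in s.fixes:
                votes.setdefault(f, set()).add(s.source)
        return frozenset(f for f, srcs in votes.items() if len(srcs) >= min_sources)
    return policy

def aggregate(statements: List[Statement], policy: Policy) -> Dict[str, FrozenSet[FixCommit]]:
    """Group statements by vulnerability and apply the chosen reconciliation policy.
    Vulnerabilities for which the policy yields no fix-commit are omitted."""
    by_vuln: Dict[str, List[Statement]] = {}
    for s in statements:
        by_vuln.setdefault(s.vuln_id, []).append(s)
    result = {}
    for vuln_id, stmts in by_vuln.items():
        fixes = policy(stmts)
        if fixes:
            result[vuln_id] = fixes
    return result

def load_all_feeds() -> List[Statement]:
    """Consume both constructed feeds as a client would consume independent sources."""
    return (parse_statements("vendor-kb", VENDOR_FEED)
            + parse_statements("community-kb", COMMUNITY_FEED))

if __name__ == "__main__":
    stmts = load_all_feeds()
    for name, pol in [("union", policy_union),
                      ("precedence", policy_precedence),
                      ("consensus>=2", policy_consensus(2))]:
        merged = aggregate(stmts, pol)
        print(name, {v: sorted(f.commit for f in fs) for v, fs in merged.items()})
```

The point of keeping the policy separate from the parsing and grouping is that the same published statements can be consumed under different trust models: a team that wants maximum recall takes the union, a team that wants precision takes consensus, and neither needs the publishers to agree with each other first.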
By attending this presentation you will hear what we learned on the path from coming up with the idea of Eclipse Steady to rolling it out in a large enterprise; you will learn why the open availability of accurate, low-level vulnerability information is key and why achieving it is difficult. Hopefully, we will convince you that a collaborative, distributed approach is the way to go, explaining why it makes sense both for the open-source community and for the software industry as a whole.
Finally, we hope that by the end of the talk you will want to try and adopt Eclipse Steady in your own projects!