Scaling the Security Researcher to Eliminate OSS Security Vulnerabilities Once and For All - Jonathan Leitschuh, Open Source Security Foundation
Hundreds of thousands of human hours are invested every year in finding security vulnerabilities with relatively simple fixes. These vulnerabilities aren’t sexy, cool, or new. We’ve known about them for years, but they’re everywhere! The scale of GitHub & tools like CodeQL (GitHub's code query language) enable scanning of vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing. Simply automating the creation of thousands of bug reports by itself isn’t useful, and would be a burden on volunteer OSS maintainers. Ideally, the maintainers would be provided with not only information about the vulnerability, but also a fix in the form of an easily actionable pull request. When facing a problem of this scale, what is the most efficient way to leverage researcher knowledge to fix the most vulnerabilities across OSS? This talk will cover a highly scalable solution - automated bulk pull request generation. We’ll discuss the practical applications of this technique on real-world OSS projects. We’ll also cover technologies like CodeQL & OpenRewrite (a style-preserving refactoring tool created at Netflix and now developed by Moderne). Let’s not just talk about vulnerabilities, let’s actually fix them at scale.
