Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Patch2QL: Discover Cognate Defects in Open Source Software Supply Chain With Auto-generated Static Analysis Rules

Fuwei Wang, Yongzhi Liu, Zhiqiang Dong

TL;DR

This paper addresses cognate defects in OSS supply chains by proposing Patch2QL, a pipeline that automatically generates CodeQL SAST rules from pre- and post-patch code to capture the root causes and contexts of defects. By extracting and comparing ASTs, transforming editscripts into context-rich queries, and applying regression testing, Patch2QL detects both syntactic and semantic cognate defects across upstream and downstream projects. The prototype applied to C/C++ OSS demonstrates a recall of $68.0\%$ overall and identifies $7$ new vulnerabilities, outperforming general-purpose SAST and signature-based approaches in detecting cognate defects. The work provides practical contributions, including open-source Rule sets, and highlights the significance of cognate defect detection for improving OSS security in complex supply chains.

Abstract

In the open source software (OSS) ecosystem, there exists a complex software supply chain, where developers upstream and downstream widely borrow and reuse code. This results in the widespread occurrence of recurring defects, missing fixes, and propagation issues. These are collectively referred to as cognate defects, and their scale and threats have not received extensive attention and systematic research. Software composition analysis and code clone detection methods are unable to cover the various variant issues in the supply chain scenario, while code static analysis, or static application security testing (SAST) techniques struggle to target specific defects. In this paper, we propose a novel technique for detecting cognate defects in OSS through the automatic generation of SAST rules. Specifically, it extracts key syntax and semantic information from pre- and post-patch versions of code through structural comparison and control flow to data flow analysis, and generates rules that matches these key elements. We have implemented a prototype tool called Patch2QL and applied it to fundamental OSS in C/C++. In experiments, we discovered 7 new vulnerabilities with medium to critical severity in the most popular upstream software, as well as numerous potential security issues. When analyzing downstream projects in the supply chain, we found a significant number of representative cognate defects, clarifying the threat posed by this issue. Additionally, compared to general-purpose SAST and signature-based mechanisms, the generated rules perform better at discover all variants of cognate defects.

Patch2QL: Discover Cognate Defects in Open Source Software Supply Chain With Auto-generated Static Analysis Rules

TL;DR

This paper addresses cognate defects in OSS supply chains by proposing Patch2QL, a pipeline that automatically generates CodeQL SAST rules from pre- and post-patch code to capture the root causes and contexts of defects. By extracting and comparing ASTs, transforming editscripts into context-rich queries, and applying regression testing, Patch2QL detects both syntactic and semantic cognate defects across upstream and downstream projects. The prototype applied to C/C++ OSS demonstrates a recall of overall and identifies new vulnerabilities, outperforming general-purpose SAST and signature-based approaches in detecting cognate defects. The work provides practical contributions, including open-source Rule sets, and highlights the significance of cognate defect detection for improving OSS security in complex supply chains.

Abstract

In the open source software (OSS) ecosystem, there exists a complex software supply chain, where developers upstream and downstream widely borrow and reuse code. This results in the widespread occurrence of recurring defects, missing fixes, and propagation issues. These are collectively referred to as cognate defects, and their scale and threats have not received extensive attention and systematic research. Software composition analysis and code clone detection methods are unable to cover the various variant issues in the supply chain scenario, while code static analysis, or static application security testing (SAST) techniques struggle to target specific defects. In this paper, we propose a novel technique for detecting cognate defects in OSS through the automatic generation of SAST rules. Specifically, it extracts key syntax and semantic information from pre- and post-patch versions of code through structural comparison and control flow to data flow analysis, and generates rules that matches these key elements. We have implemented a prototype tool called Patch2QL and applied it to fundamental OSS in C/C++. In experiments, we discovered 7 new vulnerabilities with medium to critical severity in the most popular upstream software, as well as numerous potential security issues. When analyzing downstream projects in the supply chain, we found a significant number of representative cognate defects, clarifying the threat posed by this issue. Additionally, compared to general-purpose SAST and signature-based mechanisms, the generated rules perform better at discover all variants of cognate defects.
Paper Structure (26 sections, 3 figures, 11 tables, 1 algorithm)

This paper contains 26 sections, 3 figures, 11 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Scope of the Problem
  3. Roles in OSS supply chain
  4. Cognate defects threat model
  5. Burden of OSS in C/C++
  6. System Overview
  7. Motivation
  8. Architecture
  9. Process the patch and locate function pairs
  10. Make structural comparison between ASTs
  11. Transform editscript into rules
  12. Refine & generalize raw QL rules
  13. Regression tests
  14. Key Techniques
  15. Customized matching method for EditScript algorithm
  16. ...and 11 more sections

Figures (3)

  • Figure 1: The core actions, prerequisites and application of Patch2QL.
  • Figure 2: An example raw QL predicate.
  • Figure 3: A pair of ASTs of pre- and post-patched functions