Did You Forkget It? Detecting One-Day Vulnerabilities in Open-source Forks With Global History Analysis
Romain Lefeuvre (DiverSe), Charly Reux (DiverSe), Stefano Zacchiroli (IP Paris, INFRES, ACES), Olivier Barais (DiverSe), Benoit Combemale (DiverSe)

TL;DR
This paper introduces a global history analysis method using the Software Heritage archive to detect recent, unpatched vulnerabilities in open-source forks, aiding maintainers in vulnerability management.
Contribution
It presents a novel approach leveraging global commit history to automatically identify one-day vulnerabilities in forks, which was previously a manual process.
Findings
Propagated vulnerability information from 7162 repositories to 2.2 million forks.
Identified 135 high-severity one-day vulnerabilities with 0.69 precision.
Confirmed 9 vulnerabilities through maintainer contact.
Abstract
Tracking vulnerabilities inherited from third-party open-source software is a well-known challenge, often addressed by tracing the threads of dependency information. However, vulnerabilities can also propagate through forking: a code repository forked after the introduction of a vulnerability, but before it is patched, may remain vulnerable long after the vulnerability has been fixed in the initial repository. History analysis approaches are used to track vulnerable software versions at scale. However, such approaches fail to track vulnerabilities in forks, leaving fork maintainers to identify them manually. This paper presents a global history analysis approach to help software developers identify one-day (known but unpatched) vulnerabilities in forked repositories. Leveraging the global graph of public code, as captured by the Software Heritage archive, our approach propagates…
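The abstract describes the core idea: a fork whose history contains the commit that introduced a vulnerability, but not the commit that fixed it, is still vulnerable. The following is an added example, not code from the paper or from Software Heritage tooling, that models a commit graph as a parent map and classifies each fork head by ancestry. All commit ids and fork names are constructed for the illustration.

```python
"""Added example (not from the paper): classify fork heads as vulnerable,
fixed, or not affected by walking commit ancestry.

A vulnerability is described by the commit that introduced it and the
commit(s) that fixed it. A fork head is "one-day vulnerable" when the
introducing commit is an ancestor but no fixing commit is.
"""
from collections import deque

# Constructed sample history (hypothetical commit ids, not real ones).
# upstream: c1 -> c2 (bug introduced) -> c3 -> c4 (fix) -> c5
# forkA:    branched at c3, continued with a1, a2      -> still vulnerable
# forkB:    branched at c5, after the fix              -> fixed
# forkC:    branched at c1, before the bug             -> not affected
# forkD:    branched at c3, later merged c4 (m1)       -> fixed
COMMITS = {
    "c1": [], "c2": ["c1"], "c3": ["c2"], "c4": ["c3"], "c5": ["c4"],
    "a1": ["c3"], "a2": ["a1"],
    "b1": ["c5"],
    "x1": ["c1"],
    "d1": ["c3"], "m1": ["d1", "c4"],
}
FORK_HEADS = {
    "upstream": "c5",
    "forkA": "a2",
    "forkB": "b1",
    "forkC": "x1",
    "forkD": "m1",
}


def ancestors(commits, head):
    """Return the set of commits reachable from head (head included)."""
    seen = set()
    queue = deque([head])
    while queue:
        commit = queue.popleft()
        if commit in seen:
            continue
        seen.add(commit)
        queue.extend(commits.get(commit, []))
    return seen


def classify(commits, head, introduced, fixes):
    """One-day status of a single head for one vulnerability."""
    anc = ancestors(commits, head)
    if introduced not in anc:
        return "not_affected"
    if any(fix in anc for fix in fixes):
        return "fixed"
    return "vulnerable"


def propagate(commits, heads, introduced, fixes):
    """Propagate one vulnerability's status to every fork head."""
    return {name: classify(commits, head, introduced, fixes)
            for name, head in heads.items()}


if __name__ == "__main__":
    for fork, status in propagate(COMMITS, FORK_HEADS, "c2", {"c4"}).items():
        print(f"{fork}: {status}")
```

Ancestry alone cannot recognise a fix that a fork re-applied under a new commit id (for example a cherry-pick), so a "vulnerable" result is a candidate for the fork maintainer to confirm rather than a verdict.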
Taxonomy
Topics: Software Engineering Research · Information and Cyber Security · Web Application Security Vulnerabilities
