Infer Advisories for Forks from Parent Projects

Problem to solve

Let's assume there is a dependency for which we have some advisories in our database. Let's also assume there exists a fork of said dependency for which we don't have any advisory in our database. There is a good chance that the advisory also applies to the fork, i.e. the fork is vulnerable.

At the moment, Dependency Scanning notifies users of the dependency that there are advisories, but it does not notify users of the fork.

Intended users

Further details

To give a concrete example, see the advisory that was recently published for Puma: https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v. Affected versions of Puma are < 4.3.2.

We forked and modified Puma from version 4.3.1 for use in GitLab. Our fork did not touch the vulnerable code; hence our fork is also vulnerable. Dependency Scanning does not, however, report a finding for our Puma fork.

Proposal

Here are two proposals for how this problem can be tackled; they vary in the degree of automation:

  • Semi-automated. Tell the maintainer of the fork that there is a new advisory for the upstream project. Ask the maintainer to confirm whether the fork is also affected. If yes, add an advisory for the fork to the database and notify all dependent projects. The benefit of asking the maintainer for confirmation is that it reduces false positives, but at the same time we depend on the maintainer's cooperation.
  • Fully automated. If a new advisory is published, check whether it applies to forks based on the affected version range. This can be done by checking whether the version from which the fork was created is in the affected version range. This has the risk of introducing false positives because the fork might have modified the vulnerable code and might not be vulnerable. We might apply code analysis to check whether the vulnerable code was modified.
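As an added example (not code from this issue or from GitLab's Dependency Scanning), the fully automated check sketched above in Ruby, using RubyGems' own Gem::Requirement version-range matching. The advisory record and fork registry are constructed sample data modelled on the Puma case, and the :unconfirmed status is an assumption that hands each inferred advisory to the semi-automated confirmation step rather than publishing it directly.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement ship with RubyGems

# Constructed sample advisory, modelled on the Puma advisory cited above.
# :affected holds one or more RubyGems requirement strings.
ADVISORIES = [
  { id: 'GHSA-84j7-475p-hp8v', package: 'puma', affected: ['< 4.3.2'] },
].freeze

# Constructed fork registry: each fork records its upstream package and the
# upstream version it was created from.
FORKS = [
  { name: 'gitlab-puma', upstream: 'puma', forked_from: '4.3.1' },
  { name: 'other-puma',  upstream: 'puma', forked_from: '4.3.2' },
].freeze

# True when the fork was created from a version inside the advisory's
# affected range, i.e. the advisory is inferred to apply to the fork.
# Forks of other packages never match.
def fork_affected?(fork, advisory)
  return false unless fork[:upstream] == advisory[:package]

  range = Gem::Requirement.new(*advisory[:affected])
  range.satisfied_by?(Gem::Version.new(fork[:forked_from]))
end

# Builds one inferred advisory record per affected fork. Records are marked
# :unconfirmed (assumed status) so the maintainer can confirm or reject them
# before dependent projects are notified; a fork that patched the vulnerable
# code would be rejected at that step.
def infer_fork_advisories(forks, advisories)
  advisories.flat_map do |adv|
    forks.select { |f| fork_affected?(f, adv) }.map do |f|
      {
        fork: f[:name],
        upstream_advisory: adv[:id],
        forked_from: f[:forked_from],
        status: :unconfirmed,
      }
    end
  end
end

# Stand-alone run: prints the inferred record for gitlab-puma only, since
# other-puma was forked from the first fixed version.
infer_fork_advisories(FORKS, ADVISORIES).each { |r| puts r.inspect } if $PROGRAM_NAME == __FILE__
```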

What does success look like, and how can we measure that?

Dependency Scanning notifies projects that depend on a fork when an advisory is released for the fork's upstream project.

cc @NicoleSchwartz