Open Source Summit Japan 2022

In the embedded Linux industry, "CPE search" methods are widely selected to fix security issues in their products. They search for CVEs by each package-version pair in their SBOMs and apply the security patches. However, this approach often becomes problematic because of an unexpectedly large CVE list of an outdated kernel with many false positives. Typical reasons why false positives reported are: (1) CPE information in the CVE database is too rough; and (2) the product is not affected by a CVE because the vulnerable code is never compiled with a given configuration. In most cases, more than half of the false positives could be reduced with the help of data from Ubuntu CVE Tracker, which describes the proper commit range that contains vulnerable code. An additional ~10% false positives could be reduced by examining whether a commit with vulnerable code is compiled or not with consideration of ".config". Firstly, Takuma Kawai will describe a classic way to track security issues widely chosen in their industry and its problems. Then he explains a more accurate algorithm using commit ids to identify the vulnerable version range, replacing the classical method. Finally, he presents a new method, which reduces ~10% more false positives in combination with other methods.