GSoC 2025 project idea: improved component identification

[terriko]

• Related GSoC 2025: Start here #4712

cve-bin-tool: improved component identification

Project description

Thanks to GSoC 2025 we've got PURL support to help improve component identification, and a mismatch database that helps us identify and avoid common mistakes made when we use a basic text search to try to find components and accidentally wind up with a component that has the same name but is written in a different language or something. But there's room for more improvements here!

1. Extending the mismatch database to handle certain types of mismatches such as false positive: name collision for python arrow vs rust arrow #3193
2. Adding additional data to our mismatch database
3. Improve handling PURL data from OSV
4. Add a framework for better handling cases where vulnerability data is wrong but will take some time to update. (Especially important as NVD fixes may take months instead of days thanks to their staffing challenges.)
5. Stretch goal: looking at other sources of data we can use to refine results. See feat: Adding alternative vulnerability data sources #4100

Related reading

Skills

• python
• sqlite
• software security: knowledge of how software vulnerabilities are triaged, mitigated and solved would be very helpful here. (you can learn some of this as you go but it's worth doing some background reading to help inform your design choices)

Difficulty level

• medium

Project Length

• 350 hours (e.g. full-time for 10 weeks or part-time for longer)
• It would be possible to do part of this project in a 175 hour project, but we may prefer candidates who have the time to do more assuming similar levels of ability

Mentor

• The primary mentor for this project will depend on what other projects we accept. Please ask all questions on this issue rather than sending email so you can benefit from the expertise of other contributors and mentors. ( Terri's email gets swamped regularly by other work concerns and it's likely she will miss emails send during the GSoC period, but she will answer questions asked in public on this issue or in our gitter chat.)

GSoC Participants Only

This issue is a potential project idea for GSoC 2025, and is reserved for completion by a selected GSoC contributor. Please do not work on it outside of that program. If you'd like to apply to do it through GSoC, please start by reading #4712.

[Gyan-max]

Hi @terriko,
I am interested in contributing to this project as part of GSoC 2025.
I have experience with Python, SQLite, and software security concepts.
Could you guide me on how to get started with small contributions before writing my proposal?
Thanks!

[terriko]

@Gyan-max I'm glad you're interested!

Our new contributors guide is here: https://github.com/intel/cve-bin-tool/blob/main/CONTRIBUTING.md

It starts with the dev environment setup but there's a specific "where should I start?" section here: https://github.com/intel/cve-bin-tool/blob/main/CONTRIBUTING.md#where-should-i-start

I try to flag some easier issues with the "good first issue" tag as I notice or create them. I'll be adding more easy bugs over the coming weeks if I can think of some but you don't need to choose one of those, so if they're all taken freel free to poke around for other ideas!

[Aditi-Pande]

Hello @terriko,

I’m very interested in contributing to this project and would love to offer my help. I believe I can add value by working on extending the mismatch database, as well as helping to create a framework for handling inaccurate vulnerability data.

Here are some of my skills that I believe align well with the project requirements:

1. Python
2. SQLite
3. Software Security
4. Problem-Solving

I would greatly appreciate the opportunity for mentorship during this project to help me grow and ensure that my contributions are aligned with the project's goals. Please let me know if I can provide any additional information.

Looking forward to collaborating!

Best regards,
Aditi Pande

[terriko]

Someone asked privately about what "vulnerability data is wrong" might mean so here's some examples we've seen:

1. Someone put the wrong version range into the NVD data. One common one is that a vuln is supposed to affect everything <3.5 but got mis-entered into the tool so it's <=3.5 and everyone who's using 3.5 is fine but their scans fail.
2. Someone filed a CVE that turned out not to be true.
3. Someone filed a CVE that only occurs only in specific poorly set up environments.
4. Someone has filed a CVE that described an intentional feature of the product that isn't a vulnerability. For example, the one with reportlab that technically affects cve-bin-tool basically says "you can make PDFs contain images" and the answer is "uh, yes?" -- there's no fix for that, only mitigations, but most people ignore the CVE as irrelevant.

For most of these, someone will file a complaint and the NVD data will eventually be updated to fix the issue, which can take weeks or months. Some may never be "fixed" because the upstream project hasn't filed paperwork to get it rejected, but we may want to just ignore as a standard triage indefinitely.

[terriko]

• Adding a link also to feat: Adding alternative vulnerability data sources #4100 above

[vedpawar2254]

Addding a link here so that everyone can checkout what the previous project did and what the future scope is.

[hirpadii07]

Hi! I'm Aditya Hirpara, a GSoC 2025 aspirant. I'm interested in the "Improved Component Identification" project. I've set up the project and started reviewing the current matching logic. I'd like to contribute — could you please suggest a small issue or place to start?