# GSoC 2016 Ideas
## Google Summer of Code 2016: Project Proposals
2016 is the first year OSS Index will be applying to participate in the Google Summer of Code program. This page contains the projects and ideas we are interested in having students work with us on.
### About the org
Security auditing is the primary focus of our organization and our software. Our strategic objective is to provide a complete end-to-end security auditing solution for developers that can detect security vulnerabilities at every stage of the application development process. Logically there are two major components or layers: the back-end (server/API) component and the front-end (client/auditor) component. For brevity we'll refer to the back-end simply as OSS Index.
OSS Index uses Java code to index a wide range of security lists and feeds, from the National Vulnerability Database (NVD) vulnerability feeds to security feeds for operating system distributions like Debian Linux and server applications like Drupal.
The data is extracted from the feeds and loaded into a SQL database. The REST API then answers queries for this data from the different front-end applications such as DevAudit. The front-end tools query the OSS Index API using a standard query format. The job of the back-end Java code is to do the text-mining, parsing, and extraction of the relevant security information from a very large set of disparate sources.
Our proposed projects for Google Summer of Code 2016 cover the two major components of our system:
- Security feed data collectors for our back-end.
- Client front-ends.
Security feed data collectors are written in Java. They read feeds and extract specific data of interest:
- Vulnerability title
- Date
- Description
- Product/package name
- [Optional] Applicable CVE(s)
Data will be submitted to the database through a special-purpose API.
Security data feeds come in many forms. Some are RSS feeds, others are email lists, and still others are HTML web pages that require scraping. Some feeds come in easily parsed formats like XML, while others are semi-formal text documents that require special-purpose parsing. HTML feeds are often a combination of the two.
Useful libraries that can assist with the project(s) include the following; there is little restriction on the libraries actually used:
- org.jsoup » jsoup : HTML parser
- javax.xml.xpath : XML document navigation
- com.google.code.gson » gson : JSON serialization/deserialization
- org.apache.httpcomponents » httpclient : HTTP Client
- com.rometools » rome : RSS and Atom Utilities
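As an added illustration of what a feed data collector does (this is example code written for this page, not part of the OSS Index code base), the class below scrapes a constructed HTML advisory page with jsoup, extracts the five fields listed above, pulls CVE identifiers out of free text with a regular expression, and serializes the records with gson as the JSON body a submission to the ingestion API would carry. The page layout, the `div.advisory` selectors, the package names and the CVE numbers are all invented for the sample; the ingestion API itself is not modelled, since its format is not described here.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;

import com.google.gson.Gson;
import com.google.gson.GsonBuilder;

/**
 * Minimal HTML feed collector: scrapes advisory entries from a page, extracts
 * the five fields of interest (title, date, description, product, CVEs) and
 * serializes them as JSON. Example code for the GSoC page, not OSS Index code.
 */
public class AdvisoryHtmlCollector {

    /** One extracted advisory record. */
    public static final class Advisory {
        final String title;
        final String date;
        final String description;
        final String product;
        final List<String> cves;

        Advisory(String title, String date, String description, String product, List<String> cves) {
            this.title = title;
            this.date = date;
            this.description = description;
            this.product = product;
            this.cves = cves;
        }
    }

    /** CVE identifiers: a four-digit year followed by four or more digits (IDs assigned since 2014 may be longer). */
    private static final Pattern CVE_ID = Pattern.compile("CVE-\\d{4}-\\d{4,}");

    /** Constructed sample page; the markup, package names and CVE numbers are all invented. */
    static final String SAMPLE_HTML =
        "<html><body>"
        + "<div class=\"advisory\">"
        + "  <h2>XSS in form handler</h2>"
        + "  <span class=\"date\">2016-02-10</span>"
        + "  <span class=\"product\">example-forms</span>"
        + "  <p>Unescaped output in the form handler allows script injection."
        + "     Tracked as CVE-2016-99991 and <b>CVE-2016-99991</b> (repeated on purpose).</p>"
        + "</div>"
        + "<div class=\"advisory\">"
        + "  <h2>Denial of service in parser</h2>"
        + "  <span class=\"date\">2016-02-12</span>"
        + "  <span class=\"product\">example-parser</span>"
        + "  <p>Crafted input causes unbounded recursion. No CVE assigned yet.</p>"
        + "</div>"
        + "</body></html>";

    /** Parse every advisory block on the page; missing fields become empty strings rather than nulls. */
    public static List<Advisory> collect(String html) {
        Document doc = Jsoup.parse(html);
        List<Advisory> out = new ArrayList<>();
        for (Element block : doc.select("div.advisory")) {
            String title = textOf(block, "h2");
            String date = textOf(block, "span.date");
            String product = textOf(block, "span.product");
            String description = textOf(block, "p");
            out.add(new Advisory(title, date, description, product, extractCves(description)));
        }
        return out;
    }

    /** text() returns visible text with all markup stripped, so no raw HTML from an untrusted feed reaches the database. */
    private static String textOf(Element parent, String selector) {
        Element e = parent.select(selector).first();
        return e == null ? "" : e.text();
    }

    /** Find all CVE IDs in free text, de-duplicated and kept in order of first appearance. */
    public static List<String> extractCves(String text) {
        Set<String> ids = new LinkedHashSet<>();
        Matcher m = CVE_ID.matcher(text);
        while (m.find()) {
            ids.add(m.group());
        }
        return new ArrayList<>(ids);
    }

    /** Serialize the records as the JSON body a submission call would carry. */
    public static String toJson(List<Advisory> advisories) {
        Gson gson = new GsonBuilder().setPrettyPrinting().create();
        return gson.toJson(advisories);
    }

    public static void main(String[] args) {
        // Prints two records: the first with one CVE (the duplicate collapsed), the second with an empty cves list.
        System.out.println(toJson(collect(SAMPLE_HTML)));
    }
}
```

Two points a collector for a real feed has to get right are visible here: the description is taken through `text()` so that markup and script from the scraped page are never stored verbatim, and CVE IDs are matched with a pattern that allows more than four trailing digits, since IDs with five or more digits have been assigned since 2014. For a live feed the same `collect` method would be fed the body of an `httpclient` response (with a timeout and a response size limit), and RSS or Atom sources would go through rome instead of jsoup.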
DevAudit is a command line tool written in C# that runs on both Windows and Linux (on Mono). It scans the following platforms for package dependencies and identifies known vulnerabilities in the OSS Index database for the packages it finds. Supported platforms include:
- MSI: Programs installed through standard Microsoft Installers
- Chocolatey: a machine package manager, somewhat like apt-get, but built with Windows in mind
- OneGet (PackageManagement): Unified interface to package management systems
- NuGet: the package manager for the Microsoft development platform
- Bower: A package management system for client-side programming on the World Wide Web.
- Composer: PHP package management
- Drupal: Drupal 8 modules
- DPKG: Debian and Ubuntu packages
- More on the way!
The goal of these projects is to provide user-friendly front ends to the DevAudit command that hide the operational details. Suggested front ends include:
- WinAudit: A Windows GUI front end [C#]
- LinAudit: A Linux GUI front end [C#]
- MonoDevelop: Create MonoDevelop Add-ins [C#]
- Other IDEs: Add extensions to other IDEs [Language is IDE specific, but will depend on mentor knowledge]