update-2024-06.md

OpenRefactory Update: June 2024

Scan Results

Link to results: https://docs.google.com/spreadsheets/d/1K8dc6SrSEoqqh46cFisZM1tiN4CigaXsqkCKfCM8UTs/edit#gid=228743971

We first show the work done month over month. This is followed by the cumulative results. Finally we show language specific breakdown of the cumulative results.

June

Month	Dec 2023	Jan 2024	Feb 2024	Mar 2024	Apr 2024	May 2024	Jun 2024
Projects analyzed	328	300	530	780	712	785	1,198
Projects with no bugs	293	279	525	776	708	784	1,198
Total bugs filed	56	13	7	7	4	7	1
Security/Reliability bugs filed	15	8	6	5	2	5	2 *[1]
Bugs with a fix suggestion	50	10	2	2	4	0	1
Bugs with a PoC exploit	4	1	2	3	0	0	0
Fixes merged by maintainers	27	10	5	3	4	0	1
Security/Reliability fixes merged	6	6	2	1	0	0	0
Fixes ignored by maintainers	1	1	1	0	2	0	2
Reports still open	28	2	1	4	0	7	0

High Severity Bugs* (Cumulative)

Month	Dec 2023	Jan 2024	Feb 2024	Mar 2024	Apr 2024	May 2024	Jun 2024
Weak Crypto	8	8	8	8	8	8	8
Data Race	2	5	5	5	6	6	6
XSS	5	5	7	8	8	8	8
Log Injection	4	4	4	4	4	4	4
Path Manipulation	0	0	3	5	5	5	5
Insecure Deserialization	2	2	2	2	2	2	2
OS Command Injection	0	0	0	2	2	2	2
Inappropriate umask	1	1	1	1	1	1	1
Open Redirect	0	1	1	1	1	1	1
Security Misconfiguration	1	1	1	1	1	1	1
Sensitive Data Leak	1	1	1	1	1	1	1
SSRF	1	1	1	1	1	1	1
TOTAL	25	29	34	39	40	40	40

• A high severity bug is any one of the following: (1) An injection related bug, (2) a weak cryptography related bug, (3) an access control related bug (4) a security or a reliability bug that is typically of medium priority but has been categorized as a high priority bug because it is found in a popular project (100+ forks).

Cumulative Data

Month	Aug 2023	Sep 2023	Oct 2023	Nov 2023	Dec 2023	Jan 2024	Feb 2024	Mar 2024	Apr 2024	May 2024	Jun 2024
Projects analyzed	132	458	809	1,079	1,407	1,707	2,237	3,017	3,729	4,514	5,712
Projects with no bugs	98	398	718	938	1,231	1,510	2,035	2,811	3,519	4,303	5,501
Total bugs filed	33	75	113	168	224	237	244	251	255	262	263
Security/Reliability bugs filed	12	23	43	79	94	102	108	113	115	120	122 *[1]
Total high severity bugs filed*	-	-	-	-	25	29	34	39	40	40	40
Bugs with a fix suggestion	26	64	94	140	190	200	202	204	208	208	209
Bugs with a PoC exploit	6	13	18	22	26	27	29	32	32	32	32
Fixes merged by maintainers	15 (45%)	38 (51%)	54 (48%)	76 (45.3%)	103 (46%)	113 (47.7%)	118 (48.4%)	121 (48.2%)	125 (49.01%)	125 (47.7%)	126 (47.9%)
Security/Reliability fixes merged	Not measured	Not measured	13 (30%)	25 (31.6%)	31 (32.9%)	37 (36.2%)	39 (36.1%)	40 (35.4%)	40 (34.78%)	40 (33.33%)	40 (32.8%)
Fixes ignored by maintainers	Not measured	8 (11%)	7 (6%)	9 (5.3%)	10 (4.5%)	11 (4.6%)	12 (4.9%)	12 (4.78%)	14 (5.5%)	14 (5.35%)	16 (6.08%)
Reports still open	Not measured	29 (39%)	52 (46%)	83 (49.4%)	111 (49.5%)	113 (47.7%)	114 (46.7%)	118 (47.01%)	116 (45.49%)	123 (46.95%)	121 (46%)

Language Specific Data (Cumulative)

Language	Python	Java	Go	TOTAL
# of total projects analyzed	5,362	194	156	5,712
# of total zerofix projects	5,195	170	136	5,501
# of total bugs filed	207	28	28	263
# of total security/reliablity bugs filed	90	19	13	122
# of total bugs with fix suggestion	178	7	24	209
# of total POC exploit	26	5	1	32
# of total merged fixes	104	7	15	126
# of total merged security/reliability fixes	29	3	8	40
# of total ignored/rejected fixes	12	2	2	16
# of total open fixes	91	19	11	121

Attestations

Link to attestations: https://github.com/OpenRefactory-Inc/attestations. A sample attestation JSON can be found here.

Cumulative Data

Month	Mar 2024	Apr 2024	May 2024	Jun 2024
Total # of Unique Projects	16	282	373	679
Total # of Unique Releases/Versions	75	1360	1,779	3,144
Total # of Generated Attestations	75	738	1,492	2,788

Note

[1] A bug for project jenkinsci/jenkins was previously mislabelled as a logical bug, whereas this month it was rectified to a Null Dereference type of bug. As a result, the number of "Security/Reliability Bug" has increased but total bug filling hasn't increased due to this. Reference: jenkinsci/jenkins#8580.