Google has released Vanir, a new open-source project that aims to develop a static analyzer for automatically identifying security patches that have not been applied to a code base. Vanir relies on a signature database built from information about known vulnerabilities and the patches that fix them. The database has been maintained since July 2020 and covers projects related to the Android platform, including the Linux kernel. Vanir currently supports code written in C, C++, and Java; Vanir itself is written in C++ and Python and released under the BSD license.
The project consists of two main components: the signature generator and the missing-patch detector. The generator creates signatures for identifying missing patches from vulnerability descriptions in the OSV format together with links to the patches or commits that address those vulnerabilities. It currently supports commits in repositories hosted on Googlesource.com and Git.codelinaro.org; support for additional hosting services can be added by plugging in the relevant code.
The detector analyzes the code in a specified repository to find which fixes described by the signatures are missing from it. On a modern PC with a 16-core CPU, scanning the original Android platform source tree takes approximately 10-20 minutes. The output is a report listing potentially unpatched vulnerabilities, with links to the affected code locations, CVE identifiers, and patches.
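To make the generator/detector split concrete, here is an added, deliberately simplified missing-patch detector; it is not Vanir's code and does not use Vanir's real signature format or matching algorithm. It assumes a constructed unified diff with a placeholder CVE id and a constructed vendor tree held in memory: the signature is derived from the lines a patch removes, and a file is reported only if those lines are still present and the fix-only lines are absent.

```python
"""Toy missing-patch detector (constructed example, not Vanir's own code)."""
import hashlib
import re
from typing import Dict, List

# Constructed unified diff for a placeholder CVE id (not a real advisory).
SAMPLE_PATCH = """\
--- a/net/parse.c
+++ b/net/parse.c
@@ -10,3 +10,5 @@ int parse_len(const unsigned char *p, size_t avail)
     unsigned int len = p[0] << 8 | p[1];
-    memcpy(buf, p + 2, len);
+    if (len > avail - 2)
+        return -1;
+    memcpy(buf, p + 2, len);
     return len;
"""

def normalize(line: str) -> str:
    """Collapse whitespace so re-indented vendor forks still match."""
    return re.sub(r"\s+", " ", line).strip()

def generate_signature(cve_id: str, patch: str) -> Dict[str, object]:
    """vuln = lines the patch deletes; fix_only = lines it adds that were not
    merely moved, so a patched file is not mistaken for a vulnerable one."""
    body = [l for l in patch.splitlines() if not l.startswith(("---", "+++", "@@"))]
    vuln = [normalize(l[1:]) for l in body if l.startswith("-")]
    added = [normalize(l[1:]) for l in body if l.startswith("+")]
    fix_only = [l for l in added if l not in vuln]
    digest = hashlib.sha256("\n".join(vuln + fix_only).encode()).hexdigest()[:16]
    return {"cve": cve_id, "id": digest, "vuln": vuln, "fix_only": fix_only}

def scan_file(path: str, text: str, sig: Dict[str, object]) -> List[Dict[str, object]]:
    """Report each spot where the deleted lines still appear in sequence,
    unless a fix-only line is present anywhere in the file (coarse check)."""
    norm = [normalize(l) for l in text.splitlines()]
    if any(l in norm for l in sig["fix_only"]):
        return []
    n = len(sig["vuln"])
    return [{"file": path, "line": i + 1, "cve": sig["cve"], "sig": sig["id"]}
            for i in range(len(norm) - n + 1) if norm[i:i + n] == sig["vuln"]]

def scan_tree(files: Dict[str, str], sigs: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run every signature over every file; the result is the missing-patch report."""
    return [h for path, text in files.items() for s in sigs for h in scan_file(path, text, s)]

# Constructed vendor fork: one file never received the patch, one did (re-indented with tabs).
VENDOR_TREE = {
    "vendor/net/parse.c": "int parse_len(...) {\n  unsigned int len = p[0] << 8 | p[1];\n  memcpy(buf, p + 2, len);\n  return len;\n}\n",
    "vendor/net/parse_v2.c": "int parse_len(...) {\n\tunsigned int len = p[0] << 8 | p[1];\n\tif (len > avail - 2)\n\t\treturn -1;\n\tmemcpy(buf, p + 2, len);\n\treturn len;\n}\n",
}

if __name__ == "__main__":
    for hit in scan_tree(VENDOR_TREE, [generate_signature("CVE-XXXX-YYYY", SAMPLE_PATCH)]):
        print(f"{hit['file']}:{hit['line']} missing patch for {hit['cve']} (sig {hit['sig']})")
```

The whole-file check for fix-only lines is what keeps the patched file out of the report even though the moved `memcpy` line still appears in it; a real tool would scope that check to the enclosing function.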
The advantages of using these tools include:
- The ability to identify vulnerabilities in third-party branches, modified code, and borrowed code not directly related to the main project. This is especially useful for checking whether patches have been applied in the Android platform variants developed by device manufacturers.