
Lines Unaffected by Vulnerability Fixing Commit Considered When Identifying Vulnerability Contributing Commits #12

@nuthanmunaiah

Description


When a vulnerability-fixing commit renames a file as part of the fix, archeogit blame treats every line in the renamed file as changed when attempting to identify vulnerability-contributing commits.

Demonstration

apache/struts@85812fb is reported to have fixed CVE-2018-1327 in Apache Struts. As shown below, the fix (85812fb) renamed two files from JacksonLibHandler* to JacksonJsonHandler* while modifying one line in JacksonJson(Lib)Handler.java and seven lines in JacksonJson(Lib)HandlerTest.java.

$ git show --numstat 85812fb9bbf1dc8358d0352157142ec3131e015b
commit 85812fb9bbf1dc8358d0352157142ec3131e015b
Author: Lukasz Lenart <[email protected]>
Date:   Fri Dec 14 14:58:48 2018 +0100

    [WW-4989] Uses JacksonXML handler a default handler for XML in the REST plugin (#288)

    * WW-4989 Uses Jackson XML handler as a default for XML serialisation

    * WW-4989 Renames class to match the same pattern for XML handler

1       1       plugins/rest/src/main/java/org/apache/struts2/rest/handler/{JacksonLibHandler.java => JacksonJsonHandler.java}
2       2       plugins/rest/src/main/resources/struts-plugin.xml
7       7       plugins/rest/src/test/java/org/apache/struts2/rest/handler/{JacksonLibHandlerTest.java => JacksonJsonHandlerTest.java}

The expectation is that archeogit blame considers only those lines that were modified to fix the vulnerability when attempting to identify the commits that likely contributed to it. However, as shown in the output below, archeogit blame considers all lines (65 lines in JacksonJson(Lib)Handler.java and 93 lines in JacksonJson(Lib)HandlerTest.java).

$ archeogit blame /repositories/struts/ 85812fb9bbf1dc8358d0352157142ec3131e015b
2021-03-22 13:26:11,781 - archeogit.utilities - fatal: no such path plugins/rest/src/main/java/org/apache/struts2/rest/handler/JacksonJsonHandler.java in 85812fb9bbf1dc8358d0352157142ec3131e015b^

2021-03-22 13:26:11,832 - archeogit.utilities - fatal: no such path plugins/rest/src/test/java/org/apache/struts2/rest/handler/JacksonJsonHandlerTest.java in 85812fb9bbf1dc8358d0352157142ec3131e015b^


plugins/rest/src/main/java/org/apache/struts2/rest/handler/JacksonJsonHandler.java

| Contributor                              | Frequency |
| ---------------------------------------- | --------- |

plugins/rest/src/main/java/org/apache/struts2/rest/handler/JacksonLibHandler.java

| Contributor                              | Frequency |
| ---------------------------------------- | --------- |
| 077bea8a6fb4065962acea362bc31dba8dcede71 |        55 |
| 0fac53954a5f32f9c75393301d862065695cb508 |         6 |
| 3bd072ca053aed787f3a16865266d8832fcd18b0 |         4 |

plugins/rest/src/main/resources/struts-plugin.xml

| Contributor                              | Frequency |
| ---------------------------------------- | --------- |
| 6229ad7a4726717bf594e9b4e4afa90e1e028829 |         1 |
| 941374ecdb99ccc316f6b527b8df0f1cf2bb80c0 |         1 |

plugins/rest/src/test/java/org/apache/struts2/rest/handler/JacksonJsonHandlerTest.java

| Contributor                              | Frequency |
| ---------------------------------------- | --------- |

plugins/rest/src/test/java/org/apache/struts2/rest/handler/JacksonLibHandlerTest.java

| Contributor                              | Frequency |
| ---------------------------------------- | --------- |
| 077bea8a6fb4065962acea362bc31dba8dcede71 |        88 |
| ee5575d0c6b24b7109b6977542bfcc0fac8f85d3 |         5 |

2021-03-22 13:26:11,855 - archeogit - blame excavation took 0.09 seconds

The likely cause of the bug is the renaming of the files in the fixing commit, as indicated by the `fatal: no such path ...` errors from archeogit blame: the tool looks up the post-rename path in the parent commit (85812fb^), where that path does not yet exist, so nothing is attributed to the new path and the entire pre-rename file is counted instead.
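The rename notation in the `--numstat` output above is what a blame tool has to unfold before querying the parent commit. The following is an added example (not archeogit's own code) that parses the numstat section of `git show --numstat`, expands Git's `{old => new}` rename notation, and builds a `git blame` invocation against `commit^` using the pre-rename path; the sample input is the numstat from the fixing commit shown above, reconstructed with tab separators.

```python
import re
from typing import List, NamedTuple, Tuple

# Git --numstat rename notation: "prefix{old => new}suffix" when the paths
# share a common prefix/suffix, or "old => new" when they share nothing.
_BRACE_RENAME = re.compile(r"^(?P<pre>.*)\{(?P<old>.*) => (?P<new>.*)\}(?P<post>.*)$")
_PLAIN_RENAME = re.compile(r"^(?P<old>.+) => (?P<new>.+)$")

# Constructed sample: the numstat lines of 85812fb, tab-separated as git emits them.
SAMPLE_NUMSTAT = (
    "1\t1\tplugins/rest/src/main/java/org/apache/struts2/rest/handler/"
    "{JacksonLibHandler.java => JacksonJsonHandler.java}\n"
    "2\t2\tplugins/rest/src/main/resources/struts-plugin.xml\n"
    "7\t7\tplugins/rest/src/test/java/org/apache/struts2/rest/handler/"
    "{JacksonLibHandlerTest.java => JacksonJsonHandlerTest.java}\n"
)


class ChangedFile(NamedTuple):
    new_path: str   # path as it exists in the fixing commit
    old_path: str   # path to blame in the parent commit (commit^)
    added: int
    deleted: int


def expand_rename(path: str) -> Tuple[str, str]:
    """Return (old_path, new_path) for one --numstat path field."""
    m = _BRACE_RENAME.match(path)
    if m:
        pre, post = m.group("pre"), m.group("post")
        return pre + m.group("old") + post, pre + m.group("new") + post
    m = _PLAIN_RENAME.match(path)
    if m:
        return m.group("old"), m.group("new")
    return path, path  # not a rename: same path on both sides


def parse_numstat(text: str) -> List[ChangedFile]:
    """Parse numstat lines; header/message lines and binary ("-") entries are skipped."""
    files = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue
        added, deleted, path = parts
        old, new = expand_rename(path)
        files.append(ChangedFile(new, old, int(added), int(deleted)))
    return files


def blame_command(fix_sha: str, f: ChangedFile) -> List[str]:
    """git blame of the PARENT must use the pre-rename path, or git reports 'no such path'."""
    return ["git", "blame", fix_sha + "^", "--", f.old_path]
```

Only the `deleted` count of each entry corresponds to lines that existed in the parent and can be blamed; the rename itself contributes no changed lines.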

Labels: bug