fedcode-next: Code pipeline and models to continuously automatically collect fix commits

[pombredanne]

We should have a code pipeline and models to continuously automatically collect commits and patches that introduce or fix a vulnerability to support reachability analysis. There is already some base that analyses references. Here we need to dig deeper and scout the commits logs, changelogs and issues logs to discover and bisect if needed to find the subset of of code changes that we care for.

Today we can detect fix commits based some explicit references to commits, these are not always correct. We could validate the fix commits we have already

We have multiples issues that need to be triaged and "defragmented".
We need one issues with only the usable research/projects to:

• fedcode-next: Extract fix commits from the commit logs in search for CVE-related commit messages #2000
• fedcode-next: Extract fix commits from pull requests and issues body or comments in search for CVE-related messages #2002
• fedcode-next: Extract fix commits from the change logs in search for CVE-related change entries #2001
• fedcode-next: Collect fix commits from pre-existing datasets #2003

[ArkaprabhaChakraborty]

Hi @pombredanne! as discussed over the call I want to work on this.

[ArkaprabhaChakraborty]

but before diving into this I want to contribute to a quickie good first issue on the similar track.

[pombredanne]

Some issues of interest:

• Extract unpublished vulnerabilities from commit histories and trackers #1129
• https://github.com/cve-search/git-vuln-finder

[TG1999]

IMO we should treat fix commit data as advisory, but special advisory. As brought up by @keshav-space we can accomodate the changes in impacted package data model as well. Thanks!