{"id":16167718,"url":"https://github.com/jlleitschuh/bulk-security-pr-generator","last_synced_at":"2025-07-16T12:05:55.503Z","repository":{"id":144935701,"uuid":"238720007","full_name":"JLLeitschuh/bulk-security-pr-generator","owner":"JLLeitschuh","description":"Generate thousands of pull requests to fix widespread security vulnerabilities across GitHub.","archived":false,"fork":false,"pushed_at":"2025-02-07T03:28:27.000Z","size":3100,"stargazers_count":34,"open_issues_count":4,"forks_count":14,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-16T01:23:38.365Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JLLeitschuh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-02-06T15:28:00.000Z","updated_at":"2024-10-01T22:14:09.000Z","dependencies_parsed_at":"2024-06-11T16:59:45.394Z","dependency_job_id":"befdfbd3-d432-45f5-95b3-1360360a153c","html_url":"https://github.com/JLLeitschuh/bulk-security-pr-generator","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/JLLeitschuh/bulk-security-pr-generator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JLLeitschuh%2Fbulk-security-pr-generator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JLLeitschuh%2Fbulk-security-pr-generator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JLLeitschuh%2Fbulk-security-pr-generator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JLLeitschuh%2Fbulk-security-pr-generator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JLLeitschuh","download_url":"https://codeload.github.com/JLLeitschuh/bulk-security-pr-generator/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JLLeitschuh%2Fbulk-security-pr-generator/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265508247,"owners_count":23779103,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-10T03:09:12.164Z","updated_at":"2025-07-16T12:05:50.441Z","avatar_url":"https://github.com/JLLeitschuh.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Bulk Security Pull Request Generator\n\nUsed to generate bulk pull requests (PRs) against projects to fix security vulnerabilities.\n\nThese 'bulk fixes' are done as a part of the new [GitHub Security Lab](https://securitylab.github.com/) Bug Bounty Program.\n\nData is sourced from queries on [lgtm.com](https://lgtm.com) and used to create bulk pull requests to fix these security\nvulnerabilities.\n\n### Features\n\n - Built-in crash recovery -- Saves state during execution to allow recovering from a crash\n - Records metrics -- Files fixed, number of fixes, PR URLs\n - Fast -- Asynchronous IO using the Python async API\n\n### To Implement\n\n - Commit messages follow the [SECOM](https://tqrg.github.io/sec-commits/) standard.\n\n## Project 1: HTTPS Everywhere to Resolve Dependencies in Maven POM Files Everywhere!\n\n[![mitm_build](https://user-images.githubusercontent.com/1323708/59226671-90645200-8ba1-11e9-8ab3-39292bef99e9.jpeg)](https://medium.com/@jonathan.leitschuh/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link\u0026sk=3c99970c55a899ad9ef41f126efcde0e)\n\n[Want to take over the Java ecosystem? All you need is a MITM!](https://medium.com/@jonathan.leitschuh/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link\u0026sk=3c99970c55a899ad9ef41f126efcde0e)\n\nThis project has been used to generate PRs that automatically fix a security vulnerability in Maven POM files that\nare using HTTP instead of HTTPS to resolve dependencies.\n\n**Pull Requests Generated: 1,596**\n\n\n## Project 1.5: Prevent `rhostname` array overflow\n\nGitHub Security Lab's [pwntester](https://github.com/pwntester) leveraged this project to generate pull requests to fix an array overflow. This is a variant of [CVE-2020-8597](https://nvd.nist.gov/vuln/detail/CVE-2020-8597).\n\nYou can read in more detail about this vulnerability in [CERT Advisory VU#782301](https://kb.cert.org/vuls/id/782301/).\n\nThe vulnerability occurs because, given that `vallen` was checked to be less than `len`, it can never be the case that `vallen \u003e= len + sizeof(rhostname)`. Therefore, `rhostname` never gets trimmed and the `rhostname` array may overflow.\n\n**Pull Requests Generated: [1,885](https://github.com/search?o=desc\u0026q=author%3Aghsecuritylab+\u0026s=comments\u0026type=Issues)**\n\n## Project 2: CVE-2019-16303 - JHipster Vulnerability Fix - Use CSPRNG in RandomUtil\n\nIn 2019, I discovered a vulnerability in the [JHipster](https://www.jhipster.tech/) code generator where it was\ngenerating vulnerable implementations of a class called `RandomUtil.java`.\n\nUsing one password reset token from these apps combined with the POC below, an attacker can determine all future password\nreset tokens to be generated by these vulnerable servers.\nThis would allow an attacker to pick and choose what account they would like to take over by sending account password reset requests for targeted accounts.\n\n[POC code](http://web.archive.org/web/20191126104359/https://medium.com/@alex91ar/the-java-soothsayer-a-practical-application-for-insecure-randomness-c67b0cd148cd) has existed since March 3rd, 2018 for taking one RNG value generated by `RandomStringUtils` and reversing it to generate all of the past/future RNG values.\n\nThe fix was generated for each vulnerable file, preserving the original style of the file, by the [Rewrite project](https://github.com/openrewrite/rewrite).\nSee the specific code for this fix [here](https://github.com/moderneinc/jhipster-cwe-338).\n\n**Pull Requests Generated: 3,880**\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjlleitschuh%2Fbulk-security-pr-generator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjlleitschuh%2Fbulk-security-pr-generator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjlleitschuh%2Fbulk-security-pr-generator/lists"}