In the open source software (OSS) ecosystem, there exists a complex software supply chain, where developers upstream and downstream widely borrow and reuse code. This results in the widespread occurrence of recurring defects, missing fixes, and propagation issues. These are collectively referred to as cognate defects, and their scale and threats have not received extensive attention and systematic research. Software composition analysis and code clone detection methods are unable to cover the various variant issues in the supply chain scenario, while code static analysis, or static application security testing (SAST), techniques struggle to target specific defects. In this paper, we propose a novel technique for detecting cognate defects in OSS through the automatic generation of SAST rules. Specifically, it extracts key syntax and semantic information from pre- and post-patch versions of code through structural comparison and control flow to data flow analysis, and generates rules that match these key elements. We have implemented a prototype tool called Patch2QL and applied it to fundamental OSS in C/C++. In experiments, we discovered 7 new vulnerabilities with medium to critical severity in the most popular upstream software, as well as numerous potential security issues. When analyzing downstream projects in the supply chain, we found a significant number of representative cognate defects, clarifying the threat posed by this issue. Additionally, compared to general-purpose SAST and signature-based mechanisms, the generated rules perform better at discovering all variants of cognate defects.
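The following Python is an added illustration of the idea the abstract describes, not Patch2QL's code and not the paper's algorithm: it diffs a pre-patch and post-patch version of a C function, treats the removed lines (or, for a pure insertion, the unchanged statement the inserted guard protects) as the defect signature and the added lines as the fix signature, abstracts identifiers so renamed variables still match, and then flags a candidate function as a cognate defect when it carries the defective statement but not the fix. The heuristics (identifier abstraction by regex, "the statement after an inserted hunk is the protected sink") and all sample functions are assumptions constructed for this example.

```python
"""
Toy patch-derived cognate-defect rule (illustration only; not Patch2QL's method).
Compares pre-/post-patch code, derives a defect pattern and a fix pattern, and
checks other code for the defect with the fix missing.
"""
import difflib
import re
from dataclasses import dataclass

# C keywords and literals are kept verbatim in patterns; other identifiers are
# abstracted to \w+ so renamed variables in downstream copies still match.
KEYWORDS = {"if", "else", "for", "while", "do", "switch", "case", "break", "goto",
            "return", "sizeof", "int", "char", "long", "unsigned", "void", "const",
            "struct", "size_t", "NULL"}


def _normalize(line: str) -> str:
    """Collapse whitespace so formatting differences do not affect matching."""
    return " ".join(line.split())


def _to_pattern(line: str) -> re.Pattern:
    """Turn a source line into a regex: keywords, literals and called function
    names are kept literally; other identifiers become \\w+ (assumed heuristic)."""
    tokens = re.findall(r"\w+|[^\w\s]", line)
    parts = []
    for i, tok in enumerate(tokens):
        is_ident = re.fullmatch(r"[A-Za-z_]\w*", tok) is not None
        is_call = i + 1 < len(tokens) and tokens[i + 1] == "("
        if is_ident and tok not in KEYWORDS and not is_call:
            parts.append(r"\w+")
        else:
            parts.append(re.escape(tok))
    return re.compile(r"\s*".join(parts))


@dataclass
class Rule:
    defect: list  # patterns that must all be present for the defect to be present
    fix: list     # patterns that must all be present for the code to count as patched


def derive_rule(pre: str, post: str) -> Rule:
    """Diff pre- and post-patch code and build defect/fix patterns from the hunks."""
    pre_lines = [_normalize(l) for l in pre.splitlines() if l.strip()]
    post_lines = [_normalize(l) for l in post.splitlines() if l.strip()]
    defect, fix = [], []
    sm = difflib.SequenceMatcher(None, pre_lines, post_lines)
    for op, i1, i2, j1, j2 in sm.get_opcodes():
        if op == "equal":
            continue
        defect += pre_lines[i1:i2]          # removed/replaced code is the defect
        fix += post_lines[j1:j2]            # added code is the fix
        if op == "insert" and j2 < len(post_lines):
            # Assumed heuristic: an inserted guard protects the statement after it,
            # so that unchanged statement is the sink to look for downstream.
            defect.append(post_lines[j2])
    return Rule([_to_pattern(l) for l in defect], [_to_pattern(l) for l in fix])


def is_cognate_defect(rule: Rule, candidate: str) -> bool:
    """True when the candidate contains the defect signature but lacks the fix."""
    src = " ".join(_normalize(l) for l in candidate.splitlines())
    has_defect = bool(rule.defect) and all(p.search(src) for p in rule.defect)
    has_fix = bool(rule.fix) and all(p.search(src) for p in rule.fix)
    return has_defect and not has_fix


# Constructed sample: a length field copied without a bounds check, then fixed.
PRE_PATCH = """\
int read_record(const char *buf, size_t len, struct rec *out) {
    size_t n = buf[0];
    memcpy(out->data, buf + 1, n);
    return 0;
}
"""
POST_PATCH = """\
int read_record(const char *buf, size_t len, struct rec *out) {
    size_t n = buf[0];
    if (n + 1 > len)
        return -1;
    memcpy(out->data, buf + 1, n);
    return 0;
}
"""
# Constructed downstream copies: one renamed but still unfixed, one fixed, one unrelated.
DOWNSTREAM_VULN = """\
int parse_rec(const char *p, size_t avail, struct rec *rec) {
    size_t sz = p[0];
    memcpy(rec->payload, p + 1, sz);
    return 0;
}
"""
DOWNSTREAM_FIXED = """\
int parse_rec(const char *p, size_t avail, struct rec *rec) {
    size_t sz = p[0];
    if (sz + 1 > avail)
        return -1;
    memcpy(rec->payload, p + 1, sz);
    return 0;
}
"""
UNRELATED = "int sum(const int *v, size_t n) { int s = 0; return s; }\n"

if __name__ == "__main__":
    rule = derive_rule(PRE_PATCH, POST_PATCH)
    for name, code in [("vuln", DOWNSTREAM_VULN), ("fixed", DOWNSTREAM_FIXED),
                       ("unrelated", UNRELATED)]:
        print(f"{name}: cognate defect = {is_cognate_defect(rule, code)}")
```

The renamed downstream copy is flagged because the abstracted sink pattern still matches it, while the fixed copy and the unrelated function are not. The toy only matches syntax after renaming; a guard written in a different but equivalent form (`if (sz >= avail)`) would not be recognised as the fix, which is exactly the gap the abstract attributes to signature-based mechanisms and why it pairs structural comparison with control- and data-flow analysis.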