In the open source software (OSS) ecosystem, there exists a complex software supply chain in which upstream and downstream developers widely borrow and reuse code. This results in the widespread occurrence of recurring defects, missing fixes, and propagation issues. These are collectively referred to as cognate defects, and their scale and threat have not received extensive attention or systematic research. Software composition analysis and code clone detection methods are unable to cover the various variant issues in the supply chain scenario, while static code analysis, or static application security testing (SAST), techniques struggle to target specific defects. In this paper, we propose a novel technique for detecting cognate defects in OSS through the automatic generation of SAST rules. Specifically, it extracts key syntactic and semantic information from pre- and post-patch versions of code through structural comparison and control flow to data flow analysis, and generates rules that match these key elements. We have implemented a prototype tool called Patch2QL and applied it to fundamental OSS in C/C++. In experiments, we discovered 7 new vulnerabilities of medium to critical severity in the most popular upstream software, as well as numerous potential security issues. When analyzing downstream projects in the supply chain, we found a significant number of representative cognate defects, clarifying the threat posed by this issue. Additionally, compared to general-purpose SAST and signature-based mechanisms, the generated rules perform better at discovering all variants of cognate defects.
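As an added illustration of the patch-to-rule idea (not Patch2QL's own implementation, which targets CodeQL), the toy below compares a constructed pre-/post-patch C function, takes the added guard and the call it protects as the key elements, and then matches that pattern in a constructed downstream copy whose identifiers were renamed, the kind of variant that line-based clone detection misses. All snippets, names and the rule format are assumptions made for this example.

```python
import re

# Constructed pre-/post-patch versions of one C function (not from the paper).
PRE_PATCH = """
int copy_name(char *dst, const char *src, size_t n) {
    memcpy(dst, src, n);
    return 0;
}
"""
POST_PATCH = """
int copy_name(char *dst, const char *src, size_t n) {
    if (n > NAME_MAX)
        return -1;
    memcpy(dst, src, n);
    return 0;
}
"""
# Constructed downstream copy with renamed identifiers (a cognate defect variant).
DOWNSTREAM = """
static int import_label(char *buf, const char *text, size_t len) {
    memcpy(buf, text, len);
    return 0;
}
"""

CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(([^()]*)\)")
GUARD = re.compile(r"\bif\s*\(\s*([A-Za-z_]\w*)\s*(>=|<=|==|!=|>|<)")
KEYWORDS = {"if", "while", "for", "return", "sizeof", "switch"}

def _lines(src):
    return [l.strip() for l in src.strip().splitlines() if l.strip()]

def extract_rule(pre, post):
    """Structural comparison: lines present only after the patch are the fix.
    The guard among them and the pre-patch call using the guarded variable
    become the rule's key elements (sink name, argument position, operator)."""
    pre_lines = _lines(pre)
    added = [l for l in _lines(post) if l not in pre_lines]
    guard = next((GUARD.search(l) for l in added if GUARD.search(l)), None)
    if guard is None:
        return None
    var, op = guard.group(1), guard.group(2)
    for line in pre_lines:
        m = CALL.search(line)
        if m and m.group(1) not in KEYWORDS:
            args = [a.strip() for a in m.group(2).split(",")]
            if var in args:
                return {"sink": m.group(1), "arg_index": args.index(var), "op": op}
    return None

def find_cognate_defects(rule, code):
    """Apply the rule: flag each sink call whose key argument was not compared
    in an earlier if-guard of the text. Identifier names are irrelevant, so a
    renamed downstream copy still matches."""
    guarded, hits = set(), []
    for no, line in enumerate(_lines(code), 1):
        g = GUARD.search(line)
        if g:
            guarded.add(g.group(1))
        for m in CALL.finditer(line):
            if m.group(1) != rule["sink"]:
                continue
            args = [a.strip() for a in m.group(2).split(",")]
            if rule["arg_index"] < len(args) and args[rule["arg_index"]] not in guarded:
                hits.append((no, line))  # the unpatched pattern recurs here
    return hits
```

Running `find_cognate_defects(extract_rule(PRE_PATCH, POST_PATCH), DOWNSTREAM)` reports the unguarded `memcpy` in the renamed copy, while the patched upstream version produces no hit.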