purl2sym
FOSS code symbols indexing system
Identifying corresponding source code compiled in natively compiled binaries is complex and important – only by knowing the code origin can one know if the code is subject to known vulnerabilities or licensing issues. In IoT and embedded devices, most of the code is composed of natively compiled binaries, with a significant Android-based ecosystem using Java with specific constraints: multiple programming languages (Java and Kotlin) and bytecode-compiled binaries. Many devices also embed secondary code (typically for admin and UI), such as Lua, JavaScript, Python, or PHP.
To help with identification of binaries, it is important to aggregate collection of identifiers and symbols from FOSS code and index them to easily retrieve the data in efficient detection engines, based on automations and binary scanners. These symbols or identifiers are essential to software identification tools such as BANG that can match symbols in source and binaries and determine the corresponding source code for a given binary code input.
purl2sym is a new data collection and indexing system to collect code symbols from FOSS source packages (and binaries in the future) and store them for reuse in other software analysis processes.
- The project's own website: https://www.aboutcode.org/
Run by AboutCode
This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594.