Abstract: A non-transitory computer-readable medium, method and server for detecting and addressing vulnerabilities in third-party code are described. In some examples, a server receives a security advisory that includes a description of a vulnerability and accesses the version control system (VCS) used by a third-party library to determine additional resources related to the vulnerability. The server determines the set of code changes performed by the project maintainers in the VCS, identifies one or more fix commits that address the vulnerability, and identifies the one or more vulnerable functions that were changed by the fix commits. The server then searches for components and component versions that include those functions and generates an enriched vulnerability description that lists the package versions containing the fixed versions of the functions and the package versions containing the vulnerable versions.
Type:
Grant
Filed:
June 12, 2024
Date of Patent:
January 7, 2025
Assignee:
Endor Labs Inc
Inventors:
Henrik Plate, Dimitrios Styliadis, Alexandre Wilhelm
Abstract: In some examples, a server injects malicious code into a legitimate software package to create an injected package. The server uses an artificial intelligence model to extract a plurality of parts from the injected package and to mutate individual parts to create mutated parts. The server assembles the mutated parts to create a mutated malware. A malware scanner determines a risk score for the mutated malware. Based at least in part on determining that the risk score satisfies a predetermined threshold, the server stores the mutated malware in a set of mutated malware and creates at least one additional mutation based on it. After determining that the size of the set satisfies a requested size, the malware scanner is modified to increase detection of the malicious code in the individual mutated malware in the set.
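The mutate / score / keep / harden cycle in the abstract above, as an added worked example; this is not Endor Labs' code and reconstructs nothing from the patent beyond the abstract. Everything in it is constructed: the "legitimate package" is a one-function module, the "malicious code" is an inert text string that is never executed (its exec-plus-base64 shape is simply what the toy scanner keys on), the scanner is a four-signature regex scorer, and the abstract's AI-driven mutation is replaced by random choice among four hand-written, behaviour-preserving operators. The closing step, modifying the scanner so it catches the surviving mutants, is implemented here as canonicalisation before matching (a design choice of this example, not something the abstract prescribes).

```python
import random
import re

# Constructed inputs (no real package or malware): a harmless module and an
# inert payload string whose shape (exec + base64 literal) is what the toy
# scanner keys on. The payload is text only and is never executed.
LEGIT_PACKAGE = {"util.py": "def add(a, b):\n    return a + b\n"}
PAYLOAD = 'import base64\nexec(base64.b64decode("cHJpbnQoJ2hpJyk="))\n'

# Toy scanner: risk score = fraction of these signatures that fire.
SIGNATURES = [r"\bexec\(", r"\bb64decode\b", r"base64\.b64decode\(",
              r'"[A-Za-z0-9+/]{12,}={0,2}"']

def normalize(src):
    """Canonicalisation the hardened scanner applies first: fold "a" + "b",
    getattr(obj, "name") and `x = exec` aliases back to the plain forms."""
    prev = None
    while prev != src:                              # iterate to a fixpoint
        prev = src
        src = re.sub(r'"([^"]*)"\s*\+\s*"([^"]*)"', r'"\1\2"', src)
        src = re.sub(r'getattr\((\w+),\s*"(\w+)"\)', r"\1.\2", src)
    for alias, target in re.findall(r"^(\w+)\s*=\s*(exec|eval)\s*$", src, re.M):
        src = re.sub(rf"\b{alias}\(", f"{target}(", src)
    return src

def score(pkg, hardened=False):
    """Package risk score: the worst-scoring module."""
    worst = 0.0
    for src in pkg.values():
        text = normalize(src) if hardened else src
        worst = max(worst, sum(bool(re.search(s, text)) for s in SIGNATURES) / len(SIGNATURES))
    return worst

# Mutation operators on one part (a source line): stand-ins for the abstract's
# AI-driven mutation. Each preserves the code's behaviour.
def split_strings(part, rng):
    """Cut "ABCDEF" into "AB" + "CDEF" at a random point; defeats literal signatures."""
    def cut(m):
        s = m.group(1)
        if len(s) < 4:
            return m.group(0)
        k = rng.randrange(1, len(s))
        return f'"{s[:k]}" + "{s[k:]}"'
    return re.sub(r'"([^"]+)"', cut, part)

def getattr_call(part, rng):
    """obj.attr( -> getattr(obj, "attr")( ; defeats dotted-call signatures."""
    return re.sub(r"\b(\w+)\.(\w+)\(", r'getattr(\1, "\2")(', part)

def alias_exec(part, rng):
    """exec( -> _run = exec / _run( ; hides the builtin's name."""
    if re.search(r"\bexec\(", part):
        return "_run = exec\n" + re.sub(r"\bexec\(", "_run(", part)
    return part

def add_junk(part, rng):
    """Append a random comment: new bytes, same behaviour."""
    return part + "  # " + "".join(rng.choices("abcdefghij", k=6))

OPERATORS = [split_strings, getattr_call, alias_exec, add_junk]

def inject(package, payload, rng):
    """Append the payload to one module: the 'injected package'."""
    name = rng.choice(sorted(package))
    return {**package, name: package[name] + payload}

def mutate(pkg, rng):
    """Split modules into parts, apply 1-3 operators to two random parts, reassemble."""
    out = {}
    for name, src in pkg.items():
        parts = src.splitlines()
        for i in rng.sample(range(len(parts)), k=min(2, len(parts))):
            for _ in range(rng.randint(1, 3)):
                parts[i] = rng.choice(OPERATORS)(parts[i], rng)
        out[name] = "\n".join(parts) + "\n"
    return out

def generate(seed_pkg, requested, threshold, rng, max_rounds=20000):
    """Keep mutants scored at or below `threshold`; accepted mutants seed
    further mutation until the set reaches `requested` entries."""
    kept, seen, pool = [], set(), [seed_pkg]
    for _ in range(max_rounds):
        if len(kept) >= requested:
            break
        child = mutate(rng.choice(pool), rng)
        key = tuple(sorted(child.items()))
        if key in seen:
            continue
        seen.add(key)
        if score(child) <= threshold:
            kept.append(child)
            pool.append(child)
    return kept

def detection_rate(mutants, threshold, hardened):
    """Fraction of the mutant set the scanner flags (score above threshold)."""
    return sum(score(m, hardened) > threshold for m in mutants) / len(mutants)

def run(seed=7, requested=6, threshold=0.25):
    rng = random.Random(seed)
    injected = inject(LEGIT_PACKAGE, PAYLOAD, rng)
    mutants = generate(injected, requested, threshold, rng)
    return {"seed_score": score(injected), "mutants": len(mutants),
            "detected_before": detection_rate(mutants, threshold, False),
            "detected_after": detection_rate(mutants, threshold, True)}

if __name__ == "__main__":
    print(run())
```

Running `run()` shows the seed scoring 1.0, a set of six mutants the unmodified scanner does not flag at all, and the same set fully flagged once the scanner normalises before matching. The point a practitioner should take from it is the acceptance rule: a mutant only enters the set (and only seeds further mutation) when the scanner already misses it, so the set is by construction a collection of the scanner's blind spots, which is what makes it useful training or regression data for the hardening step.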
Abstract: In some examples, a server receives a security advisory that includes a description of a vulnerability and accesses the version control system (VCS) used by a third-party library to determine additional resources related to the vulnerability. The server determines the set of code changes performed by the project maintainers in the VCS, identifies one or more fix commits that address the vulnerability, and identifies the one or more vulnerable functions that were changed by the fix commits. The server then searches for components and component versions that include those functions and generates an enriched vulnerability description that lists the package versions containing the fixed versions of the functions and the package versions containing the vulnerable versions. Project code in a development system is modified to use the fixed versions of the one or more functions.
Type:
Application
Filed:
June 12, 2024
Publication date:
December 12, 2024
Applicant:
Endor Labs Inc
Inventors:
Henrik PLATE, Dimitrios STYLIADIS, Alexandre WILHELM
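The advisory-enrichment procedure that both records above describe (identify the fix commit, derive the changed functions, then search package versions for the vulnerable and fixed function bodies), as an added worked example. This is not Endor Labs' code and does not reproduce any claim beyond the abstracts. All inputs are constructed: "acme-xml" is a hypothetical library with no real CVE or commit, the diff stands in for what `git show <fix-sha>` would return from the project's VCS, and the package index stands in for unpacked registry artefacts. Function identity is a hash of the body with comments and whitespace removed, and only top-level Python `def`s are handled; both are simplifications of this example, not of the patented method.

```python
import hashlib
import re

# Constructed advisory and fix commit for a hypothetical library "acme-xml"
# (no real CVE, project or commit). The hunk stands in for what a pipeline
# would fetch from the project's VCS once the fix commit is identified.
ADVISORY = {"id": "EXAMPLE-2024-0001", "package": "acme-xml",
            "summary": "external entity resolution in parse_entity"}

FIX_COMMIT_DIFF = """\
diff --git a/acme_xml/parser.py b/acme_xml/parser.py
--- a/acme_xml/parser.py
+++ b/acme_xml/parser.py
@@ -10,7 +10,9 @@
 def parse_entity(name, resolver):
-    return resolver.resolve(name)
+    if name.startswith("SYSTEM"):
+        raise ValueError("external entities disabled")
+    return resolver.resolve(name)
 
 def parse_attr(token):
     return token.split("=", 1)
"""

# Constructed package index: version -> source of acme_xml/parser.py as a
# registry crawler would unpack it. 1.0.1 only re-formats the vulnerable
# function; 0.9.0 predates it entirely.
PACKAGE_INDEX = {"acme-xml": {
    "0.9.0": 'def parse_attr(token):\n    return token.split("=", 1)\n',
    "1.0.0": 'def parse_entity(name, resolver):\n    return resolver.resolve(name)\n'
             '\ndef parse_attr(token):\n    return token.split("=", 1)\n',
    "1.0.1": 'def parse_entity(name, resolver):\n    # resolve the entity\n'
             '    return   resolver.resolve( name )\n'
             '\ndef parse_attr(token):\n    return token.split("=", 1)\n',
    "1.1.0": 'def parse_entity(name, resolver):\n    if name.startswith("SYSTEM"):\n'
             '        raise ValueError("external entities disabled")\n'
             '    return resolver.resolve(name)\n'
             '\ndef parse_attr(token):\n    return token.split("=", 1)\n',
}}

DEF_RE = re.compile(r"^def\s+(\w+)\s*\(")

def changed_functions(diff):
    """Map each function touched by the fix commit to (before, after) bodies,
    rebuilt from hunk context plus the removed / added lines respectively.
    Scope is the last 'def' seen in the hunk, so only top-level defs count."""
    before, after, touched, current = {}, {}, set(), None
    for line in diff.splitlines():
        if line.startswith(("diff ", "index ", "--- ", "+++ ")):
            continue
        if line.startswith("@@"):
            current = None                  # scope never crosses a hunk
            continue
        tag, text = (line[0], line[1:]) if line else (" ", "")
        if m := DEF_RE.match(text):
            current = m.group(1)
        if current is None:
            continue
        if tag in " -":
            before.setdefault(current, []).append(text)
        if tag in " +":
            after.setdefault(current, []).append(text)
        if tag in "+-":
            touched.add(current)
    return {f: ("\n".join(before.get(f, [])), "\n".join(after.get(f, [])))
            for f in sorted(touched)}

def fingerprint(body):
    """Hash a body with comments and all whitespace removed, so re-formatting
    does not change identity. The '#' split is naive (a '#' inside a string
    literal would be cut too); adequate for this example."""
    norm = "".join("".join(l.split("#", 1)[0].split()) for l in body.splitlines())
    return hashlib.sha256(norm.encode()).hexdigest()[:16]

def extract_function(source, name):
    """Return the top-level `def name(...)` from a module source, or None."""
    m = re.search(rf"^def\s+{re.escape(name)}\s*\(.*?(?=^\S|\Z)", source, re.M | re.S)
    return m.group(0) if m else None

def enrich(advisory, diff, index):
    """Enriched advisory: per changed function, which package versions carry
    the vulnerable body, the fixed body, or neither ("unknown", which must
    not be treated as fixed)."""
    result = {"id": advisory["id"], "package": advisory["package"], "functions": {}}
    for name, (vuln_body, fixed_body) in changed_functions(diff).items():
        vuln_fp, fixed_fp = fingerprint(vuln_body), fingerprint(fixed_body)
        buckets = {"vulnerable": [], "fixed": [], "unknown": []}
        # string sort is fine for these versions; real code would parse them
        for version, source in sorted(index[advisory["package"]].items()):
            body = extract_function(source, name)
            fp = fingerprint(body) if body else None
            key = "vulnerable" if fp == vuln_fp else "fixed" if fp == fixed_fp else "unknown"
            buckets[key].append(version)
        result["functions"][name] = buckets
    return result

if __name__ == "__main__":
    import json
    print(json.dumps(enrich(ADVISORY, FIX_COMMIT_DIFF, PACKAGE_INDEX), indent=2))
```

The 1.0.1 case is the one to notice: a version-range advisory would have to name it explicitly, whereas matching on the function body catches it even though the file was re-formatted and re-commented after 1.0.0. The "unknown" bucket (0.9.0 here, which never had `parse_entity`) is deliberately kept separate from "fixed": absence of the vulnerable body says nothing about whether the same flaw exists in a differently named function, so a consumer modifying project code to use the fixed versions should only pick from the "fixed" list.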