See for instance https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=Type:Bug,Bug-Security%20proj=libarchive%20type=Bug-Security&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary Most do not have a CVE and things cn be tracked somehow to specific commits with a bit of cross-searching and matching with a project corresponding commit stream and issue tracker searching, for instance Given this https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15431&can=1&q=Type%3ABug%2CBug-Security%20type%3DBug-Security%20proj%3Dlibarchive&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary ... a blame shows that this function `static int run_arm_filter(struct rar5* rar, struct filter_info* flt)` changes in https://github.com/libarchive/libarchive/blame/master/libarchive/archive_read_support_format_rar5.c is fixed by these two commits: - https://github.com/libarchive/libarchive/commit/2331456dc1f83e6b20e656e69fa01b6e30302865 - https://github.com/libarchive/libarchive/commit/2331456dc1f83e6b20e656e69fa01b6e30302865 Based on that a range of vulnerable and fixed versions can be determined and some rule to detect if the source has the issue too. The oss fuzz tracker may have an API of sorts: see https://chromium.googlesource.com/infra/infra/+/master/appengine/monorail
See for instance https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=Type:Bug,Bug-Security%20proj=libarchive%20type=Bug-Security&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary
Most do not have a CVE and things cn be tracked somehow to specific commits with a bit of cross-searching and matching with a project corresponding commit stream and issue tracker searching, for instance
Given this https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15431&can=1&q=Type%3ABug%2CBug-Security%20type%3DBug-Security%20proj%3Dlibarchive&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary
... a blame shows that this function
static int run_arm_filter(struct rar5* rar, struct filter_info* flt)changes in https://github.com/libarchive/libarchive/blame/master/libarchive/archive_read_support_format_rar5.c is fixed by these two commits:Based on that a range of vulnerable and fixed versions can be determined and some rule to detect if the source has the issue too.
The oss fuzz tracker may have an API of sorts: see https://chromium.googlesource.com/infra/infra/+/master/appengine/monorail