mirror of
https://github.com/adulau/git-vuln-finder.git
synced 2024-11-22 10:07:11 +00:00
chg: [doc] update the READM for the v1.0 release
This commit is contained in:
parent
5fd66b8dc6
commit
098921df31
GPG key ID:
09E2CD4944E6CBCD
1 changed files with 29 additions and 5 deletions
32
README.md
32
README.md
|
|
@ -8,11 +8,12 @@ in the output.
|
||||||
|
|
||||||
- Python 3.6
|
- Python 3.6
|
||||||
- GitPython
|
- GitPython
|
||||||
|
- langdetect
|
||||||
|
|
||||||
# Usage
|
# Usage
|
||||||
|
|
||||||
~~~bash
|
~~~bash
|
||||||
usage: finder.py [-h] [-v] [-r R] [-o O] [-s S] [-p P]
|
usage: finder.py [-h] [-v] [-r R] [-o O] [-s S] [-p P] [-c] [-t]
|
||||||
|
|
||||||
Finding potential software vulnerabilities from git commit messages.
|
Finding potential software vulnerabilities from git commit messages.
|
||||||
|
|
||||||
|
|
@ -25,6 +26,9 @@ optional arguments:
|
||||||
-p P Matching pattern to use: [vulnpatterns, cryptopatterns,
|
-p P Matching pattern to use: [vulnpatterns, cryptopatterns,
|
||||||
cpatterns] - the pattern 'all' is used to match all the patterns
|
cpatterns] - the pattern 'all' is used to match all the patterns
|
||||||
at once.
|
at once.
|
||||||
|
-c output only a list of the CVE pattern found in commit messages
|
||||||
|
(disable by default)
|
||||||
|
-t Include tags matching a specific commit
|
||||||
|
|
||||||
More info: https://github.com/cve-search/git-vuln-finder
|
More info: https://github.com/cve-search/git-vuln-finder
|
||||||
~~~
|
~~~
|
||||||
|
|
@ -44,6 +48,7 @@ python3 finder.py -r /home/adulau/git/curl | jq .
|
||||||
...
|
...
|
||||||
"6df916d751e72fc9a1febc07bb59c4ddd886c043": {
|
"6df916d751e72fc9a1febc07bb59c4ddd886c043": {
|
||||||
"message": "loadlibrary: Only load system DLLs from the system directory\n\nInspiration provided by: Daniel Stenberg and Ray Satiro\n\nBug: https://curl.haxx.se/docs/adv_20160530.html\n\nRef: Windows DLL hijacking with curl, CVE-2016-4802\n",
|
"message": "loadlibrary: Only load system DLLs from the system directory\n\nInspiration provided by: Daniel Stenberg and Ray Satiro\n\nBug: https://curl.haxx.se/docs/adv_20160530.html\n\nRef: Windows DLL hijacking with curl, CVE-2016-4802\n",
|
||||||
|
"language": "en",
|
||||||
"commit-id": "6df916d751e72fc9a1febc07bb59c4ddd886c043",
|
"commit-id": "6df916d751e72fc9a1febc07bb59c4ddd886c043",
|
||||||
"summary": "loadlibrary: Only load system DLLs from the system directory",
|
"summary": "loadlibrary: Only load system DLLs from the system directory",
|
||||||
"stats": {
|
"stats": {
|
||||||
|
|
@ -60,11 +65,20 @@ python3 finder.py -r /home/adulau/git/curl | jq .
|
||||||
"master"
|
"master"
|
||||||
],
|
],
|
||||||
"pattern-selected": "(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|x−frame−options|attack|cross site |exploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure |security |\bcross−origin\b|unauthori[z|s]ed |infinite loop)",
|
"pattern-selected": "(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|x−frame−options|attack|cross site |exploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure |security |\bcross−origin\b|unauthori[z|s]ed |infinite loop)",
|
||||||
"pattern-matches": "hijack",
|
"pattern-matches": [
|
||||||
"state": "under-review"
|
"hijack"
|
||||||
|
],
|
||||||
|
"origin": "git@github.com:curl/curl.git",
|
||||||
|
"origin-github-api": "https://api.github.com/repos/curl/curl/commits/6df916d751e72fc9a1febc07bb59c4ddd886c043",
|
||||||
|
"tags": [],
|
||||||
|
"cve": [
|
||||||
|
"CVE-2016-4802"
|
||||||
|
],
|
||||||
|
"state": "cve-assigned"
|
||||||
},
|
},
|
||||||
"c2b3f264cb5210f82bdc84a3b89250a611b68dd3": {
|
"c2b3f264cb5210f82bdc84a3b89250a611b68dd3": {
|
||||||
"message": "CONNECT_ONLY: don't close connection on GSS 401/407 reponses\n\nPreviously, connections were closed immediately before the user had a\nchance to extract the socket when the proxy required Negotiate\nauthentication.\n\nThis regression was brought in with the security fix in commit\n79b9d5f1a42578f\n\nCloses #655\n",
|
"message": "CONNECT_ONLY: don't close connection on GSS 401/407 reponses\n\nPreviously, connections were closed immediately before the user had a\nchance to extract the socket when the proxy required Negotiate\nauthentication.\n\nThis regression was brought in with the security fix in commit\n79b9d5f1a42578f\n\nCloses #655\n",
|
||||||
|
"language": "en",
|
||||||
"commit-id": "c2b3f264cb5210f82bdc84a3b89250a611b68dd3",
|
"commit-id": "c2b3f264cb5210f82bdc84a3b89250a611b68dd3",
|
||||||
"summary": "CONNECT_ONLY: don't close connection on GSS 401/407 reponses",
|
"summary": "CONNECT_ONLY: don't close connection on GSS 401/407 reponses",
|
||||||
"stats": {
|
"stats": {
|
||||||
|
|
@ -81,7 +95,12 @@ python3 finder.py -r /home/adulau/git/curl | jq .
|
||||||
"master"
|
"master"
|
||||||
],
|
],
|
||||||
"pattern-selected": "(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|x−frame−options|attack|cross site |exploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure |security |\bcross−origin\b|unauthori[z|s]ed |infinite loop)",
|
"pattern-selected": "(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|x−frame−options|attack|cross site |exploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure |security |\bcross−origin\b|unauthori[z|s]ed |infinite loop)",
|
||||||
"pattern-matches": "security ",
|
"pattern-matches": [
|
||||||
|
"security "
|
||||||
|
],
|
||||||
|
"origin": "git@github.com:curl/curl.git",
|
||||||
|
"origin-github-api": "https://api.github.com/repos/curl/curl/commits/c2b3f264cb5210f82bdc84a3b89250a611b68dd3",
|
||||||
|
"tags": [],
|
||||||
"state": "under-review"
|
"state": "under-review"
|
||||||
},
|
},
|
||||||
...
|
...
|
||||||
|
|
@ -132,6 +151,11 @@ This software is free software and licensed under the AGPL version 3.
|
||||||
|
|
||||||
Copyright (c) 2019 Alexandre Dulaunoy - https://github.com/adulau/
|
Copyright (c) 2019 Alexandre Dulaunoy - https://github.com/adulau/
|
||||||
|
|
||||||
|
# Acknowledgment
|
||||||
|
|
||||||
|
- Thanks to [Jean-Louis Huynen](https://github.com/gallypette) for the discussions about the crypto vulnerability pattern
|
||||||
|
- Thanks to [Sebastien Tricaud](https://github.com/stricaud) for the discussions regarding native language and commit messages
|
||||||
|
|
||||||
# References
|
# References
|
||||||
|
|
||||||
- [Notes](https://gist.github.com/adulau/dce5a6ca5c65017869bb01dfee576303#file-finding-vuln-git-commit-messages-md)
|
- [Notes](https://gist.github.com/adulau/dce5a6ca5c65017869bb01dfee576303#file-finding-vuln-git-commit-messages-md)
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue