chg: [doc] update the READM for the v1.0 release

This commit is contained in:
Alexandre Dulaunoy 2019-12-24 17:28:51 +01:00
parent 5fd66b8dc6
commit 098921df31
Signed by: adulau
GPG key ID: 09E2CD4944E6CBCD

View file

@ -8,11 +8,12 @@ in the output.
- Python 3.6 - Python 3.6
- GitPython - GitPython
- langdetect
# Usage # Usage
~~~bash ~~~bash
usage: finder.py [-h] [-v] [-r R] [-o O] [-s S] [-p P] usage: finder.py [-h] [-v] [-r R] [-o O] [-s S] [-p P] [-c] [-t]
Finding potential software vulnerabilities from git commit messages. Finding potential software vulnerabilities from git commit messages.
@ -25,6 +26,9 @@ optional arguments:
-p P Matching pattern to use: [vulnpatterns, cryptopatterns, -p P Matching pattern to use: [vulnpatterns, cryptopatterns,
cpatterns] - the pattern 'all' is used to match all the patterns cpatterns] - the pattern 'all' is used to match all the patterns
at once. at once.
-c output only a list of the CVE pattern found in commit messages
(disable by default)
-t Include tags matching a specific commit
More info: https://github.com/cve-search/git-vuln-finder More info: https://github.com/cve-search/git-vuln-finder
~~~ ~~~
@ -42,8 +46,9 @@ git-vuln-finder comes with 3 default patterns which can be selected to find the
~~~bash ~~~bash
python3 finder.py -r /home/adulau/git/curl | jq . python3 finder.py -r /home/adulau/git/curl | jq .
... ...
"6df916d751e72fc9a1febc07bb59c4ddd886c043": { "6df916d751e72fc9a1febc07bb59c4ddd886c043": {
"message": "loadlibrary: Only load system DLLs from the system directory\n\nInspiration provided by: Daniel Stenberg and Ray Satiro\n\nBug: https://curl.haxx.se/docs/adv_20160530.html\n\nRef: Windows DLL hijacking with curl, CVE-2016-4802\n", "message": "loadlibrary: Only load system DLLs from the system directory\n\nInspiration provided by: Daniel Stenberg and Ray Satiro\n\nBug: https://curl.haxx.se/docs/adv_20160530.html\n\nRef: Windows DLL hijacking with curl, CVE-2016-4802\n",
"language": "en",
"commit-id": "6df916d751e72fc9a1febc07bb59c4ddd886c043", "commit-id": "6df916d751e72fc9a1febc07bb59c4ddd886c043",
"summary": "loadlibrary: Only load system DLLs from the system directory", "summary": "loadlibrary: Only load system DLLs from the system directory",
"stats": { "stats": {
@ -60,11 +65,20 @@ python3 finder.py -r /home/adulau/git/curl | jq .
"master" "master"
], ],
"pattern-selected": "(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|xframeoptions|attack|cross site |exploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure |security |\bcrossorigin\b|unauthori[z|s]ed |infinite loop)", "pattern-selected": "(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|xframeoptions|attack|cross site |exploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure |security |\bcrossorigin\b|unauthori[z|s]ed |infinite loop)",
"pattern-matches": "hijack", "pattern-matches": [
"state": "under-review" "hijack"
],
"origin": "git@github.com:curl/curl.git",
"origin-github-api": "https://api.github.com/repos/curl/curl/commits/6df916d751e72fc9a1febc07bb59c4ddd886c043",
"tags": [],
"cve": [
"CVE-2016-4802"
],
"state": "cve-assigned"
}, },
"c2b3f264cb5210f82bdc84a3b89250a611b68dd3": { "c2b3f264cb5210f82bdc84a3b89250a611b68dd3": {
"message": "CONNECT_ONLY: don't close connection on GSS 401/407 reponses\n\nPreviously, connections were closed immediately before the user had a\nchance to extract the socket when the proxy required Negotiate\nauthentication.\n\nThis regression was brought in with the security fix in commit\n79b9d5f1a42578f\n\nCloses #655\n", "message": "CONNECT_ONLY: don't close connection on GSS 401/407 reponses\n\nPreviously, connections were closed immediately before the user had a\nchance to extract the socket when the proxy required Negotiate\nauthentication.\n\nThis regression was brought in with the security fix in commit\n79b9d5f1a42578f\n\nCloses #655\n",
"language": "en",
"commit-id": "c2b3f264cb5210f82bdc84a3b89250a611b68dd3", "commit-id": "c2b3f264cb5210f82bdc84a3b89250a611b68dd3",
"summary": "CONNECT_ONLY: don't close connection on GSS 401/407 reponses", "summary": "CONNECT_ONLY: don't close connection on GSS 401/407 reponses",
"stats": { "stats": {
@ -81,7 +95,12 @@ python3 finder.py -r /home/adulau/git/curl | jq .
"master" "master"
], ],
"pattern-selected": "(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|xframeoptions|attack|cross site |exploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure |security |\bcrossorigin\b|unauthori[z|s]ed |infinite loop)", "pattern-selected": "(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|xframeoptions|attack|cross site |exploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure |security |\bcrossorigin\b|unauthori[z|s]ed |infinite loop)",
"pattern-matches": "security ", "pattern-matches": [
"security "
],
"origin": "git@github.com:curl/curl.git",
"origin-github-api": "https://api.github.com/repos/curl/curl/commits/c2b3f264cb5210f82bdc84a3b89250a611b68dd3",
"tags": [],
"state": "under-review" "state": "under-review"
}, },
... ...
@ -132,6 +151,11 @@ This software is free software and licensed under the AGPL version 3.
Copyright (c) 2019 Alexandre Dulaunoy - https://github.com/adulau/ Copyright (c) 2019 Alexandre Dulaunoy - https://github.com/adulau/
# Acknowledgment
- Thanks to [Jean-Louis Huynen](https://github.com/gallypette) for the discussions about the crypto vulnerability pattern
- Thanks to [Sebastien Tricaud](https://github.com/stricaud) for the discussions regarding native language and commit messages
# References # References
- [Notes](https://gist.github.com/adulau/dce5a6ca5c65017869bb01dfee576303#file-finding-vuln-git-commit-messages-md) - [Notes](https://gist.github.com/adulau/dce5a6ca5c65017869bb01dfee576303#file-finding-vuln-git-commit-messages-md)