From 335bdff4cba075e922e1ceb51d18a30446ef9f7e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bonhomme?=
Date: Mon, 6 Jan 2020 07:50:21 +0100
Subject: [PATCH] reformat a tiny with black
---
 bin/finder.py | 90 ++++++++++++++++++------
 git_vuln_finder/__init__.py | 1 -
 git_vuln_finder/pattern.py | 10 ++--
 git_vuln_finder/vulnerability.py | 94 ++++++++++++++++++--------
 4 files changed, 113 insertions(+), 82 deletions(-)
diff --git a/bin/finder.py b/bin/finder.py
index bbefd76..db065db 100644
--- a/bin/finder.py
+++ b/bin/finder.py
@@ -16,34 +16,44 @@ import sys
 import argparse
 import typing
-from git_vuln_finder import (
- get_patterns,
- find_vuln,
- summary
-)
+from git_vuln_finder import get_patterns, find_vuln, summary
 def main():
 """Point of entry for the script.
 """
 # Parsing arguments
- parser = argparse.ArgumentParser(description = "Finding potential software vulnerabilities from git commit messages.", epilog = "More info: https://github.com/cve-search/git-vuln-finder")
+ parser = argparse.ArgumentParser(
+ description="Finding potential software vulnerabilities from git commit messages.",
+ epilog="More info: https://github.com/cve-search/git-vuln-finder",
+ )
 parser.add_argument("-v", help="increase output verbosity", action="store_true")
 parser.add_argument("-r", type=str, help="git repository to analyse")
 parser.add_argument("-o", type=str, help="Output format: [json]", default="json")
- parser.add_argument("-s", type=str, help="State of the commit found", default="under-review")
- parser.add_argument("-p", type=str, help="Matching pattern to use: [vulnpatterns, cryptopatterns, cpatterns] - the pattern 'all' is used to match all the patterns at once.", default="vulnpatterns")
- parser.add_argument("-c", help="output only a list of the CVE pattern found in commit messages (disable by default)", action="store_true")
- parser.add_argument("-t", help="Include tags matching a specific commit", action="store_true")
+ parser.add_argument(
+ "-s", type=str, help="State of the commit found", default="under-review"
+ )
+ parser.add_argument(
+ "-p",
+ type=str,
+ help="Matching pattern to use: [vulnpatterns, cryptopatterns, cpatterns] - the pattern 'all' is used to match all the patterns at once.",
+ default="vulnpatterns",
+ )
+ parser.add_argument(
+ "-c",
+ help="output only a list of the CVE pattern found in commit messages (disable by default)",
+ action="store_true",
+ )
+ parser.add_argument(
+ "-t", help="Include tags matching a specific commit", action="store_true"
+ )
 args = parser.parse_args()
-
 patterns = get_patterns()
 vulnpatterns = patterns["en"]["medium"]["vuln"]
 cryptopatterns = patterns["en"]["medium"]["crypto"]
 cpatterns = patterns["en"]["medium"]["c"]
-
 if args.p == "vulnpatterns":
 defaultpattern = vulnpatterns
 elif args.p == "cryptopatterns":
@@ -62,13 +72,11 @@ def main():
 else:
 repo = git.Repo(args.r)
-
 # Initialization of the variables for the results
 found = 0
 all_potential_vulnerabilities = {}
 cve_found = set()
-
 repo_heads = repo.heads
 repo_heads_names = [h.name for h in repo_heads]
 print(repo_heads_names, file=sys.stderr)
@@ -85,32 +93,36 @@ def main():
 if isinstance(defaultpattern, typing.Pattern):
 ret = find_vuln(commit, pattern=defaultpattern, verbose=args.v)
 if ret:
- rcommit = ret['commit']
- _, potential_vulnerabilities = summary(repo,
- rcommit,
- branch,
- tagmap,
- defaultpattern,
- origin=origin,
- vuln_match=ret['match'],
- tags_matching=args.t,
- commit_state=args.s)
+ rcommit = ret["commit"]
+ _, potential_vulnerabilities = summary(
+ repo,
+ rcommit,
+ branch,
+ tagmap,
+ defaultpattern,
+ origin=origin,
+ vuln_match=ret["match"],
+ tags_matching=args.t,
+ commit_state=args.s,
+ )
 all_potential_vulnerabilities.update(potential_vulnerabilities)
 found += 1
 elif isinstance(defaultpattern, list):
 for p in defaultpattern:
 ret = find_vuln(commit, pattern=p, verbose=args.v)
 if ret:
- rcommit = ret['commit']
- _, potential_vulnerabilities = summary(repo,
- rcommit,
- branch,
- tagmap,
- p,
- origin=origin,
- vuln_match=ret['match'],
- tags_matching=args.t,
- commit_state=args.s)
+ rcommit = ret["commit"]
+ _, potential_vulnerabilities = summary(
+ repo,
+ rcommit,
+ branch,
+ tagmap,
+ p,
+ origin=origin,
+ vuln_match=ret["match"],
+ tags_matching=args.t,
+ commit_state=args.s,
+ )
 all_potential_vulnerabilities.update(potential_vulnerabilities)
 found += 1
@@ -119,5 +131,11 @@ def main():
 elif args.c:
 print(json.dumps(list(cve_found)))
- print("{} CVE referenced found in commit(s)".format(len(list(cve_found))), file=sys.stderr)
- print("Total potential vulnerability found in {} commit(s)".format(found), file=sys.stderr)
+ print(
+ "{} CVE referenced found in commit(s)".format(len(list(cve_found))),
+ file=sys.stderr,
+ )
+ print(
+ "Total potential vulnerability found in {} commit(s)".format(found),
+ file=sys.stderr,
+ )
diff --git a/git_vuln_finder/__init__.py b/git_vuln_finder/__init__.py
index 8b18bb6..2bd2216 100644
--- a/git_vuln_finder/__init__.py
+++ b/git_vuln_finder/__init__.py
@@ -1,4 +1,3 @@
-
 from git_vuln_finder.pattern import build_pattern
 from git_vuln_finder.pattern import get_patterns
 from git_vuln_finder.vulnerability import find_vuln
diff --git a/git_vuln_finder/pattern.py b/git_vuln_finder/pattern.py
index e853249..8d08d53 100644
--- a/git_vuln_finder/pattern.py
+++ b/git_vuln_finder/pattern.py
@@ -14,7 +14,7 @@ import os
 import re
-PATTERNS_PATH="./git_vuln_finder/patterns"
+PATTERNS_PATH = "./git_vuln_finder/patterns"
 def build_pattern(pattern_file):
@@ -29,7 +29,7 @@ def build_pattern(pattern_file):
 for line in fp.readlines():
 rex += line.rstrip() + "|"
- rex = rex[:-1] # We remove the extra '|
+ rex = rex[:-1] # We remove the extra '|
 fp.close()
 try:
@@ -49,9 +49,9 @@ def get_patterns(patterns_path=PATTERNS_PATH):
 for f in files:
 if f.endswith(".prefix") or f.endswith(".suffix"):
 continue
- npath = root[len(patterns_path):].split(os.sep)
+ npath = root[len(patterns_path) :].split(os.sep)
 try:
- npath.remove('')
+ npath.remove("")
 except ValueError:
 pass
@@ -59,7 +59,7 @@ def get_patterns(patterns_path=PATTERNS_PATH):
 severity = npath[1]
 pattern_category = f
- try: # FIXME: Is there a better way?
+ try: # FIXME: Is there a better way?
 a = patterns[lang]
 except KeyError:
 patterns[lang] = {}
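Review bot: The reformatted stderr summary still counts the set through a throwaway copy, `len(list(cve_found))`, where `len(cve_found)` gives the same number without materialising a list. In the same hunk, `print(json.dumps(list(cve_found)))` emits the CVE ids in set iteration order, which is not stable across runs because str hashing is randomised per process, so the `-c` output is not reproducible or diffable; `print(json.dumps(sorted(cve_found)))` fixes that with no interface change. main() starts before this hunk.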
diff --git a/git_vuln_finder/vulnerability.py b/git_vuln_finder/vulnerability.py
index bf2d8a7..d460d50 100644
--- a/git_vuln_finder/vulnerability.py
+++ b/git_vuln_finder/vulnerability.py
@@ -23,74 +23,88 @@ def find_vuln(commit, pattern, verbose=False):
 print(commit.message, file=sys.stderr)
 print("---", file=sys.stderr)
 ret = {}
- ret['commit'] = commit
- ret['match'] = m.groups()
+ ret["commit"] = commit
+ ret["match"] = m.groups()
 return ret
 else:
 return None
-def summary(repo,
- commit,
- branch,
- tagmap,
- pattern,
- origin=None,
- vuln_match=None,
- tags_matching=False,
- commit_state="under-review"
+def summary(
+ repo,
+ commit,
+ branch,
+ tagmap,
+ pattern,
+ origin=None,
+ vuln_match=None,
+ tags_matching=False,
+ commit_state="under-review",
 ):
 potential_vulnerabilities = {}
 rcommit = commit
 cve = extract_cve(rcommit.message)
 if origin is not None:
 origin = origin
- if origin.find('github.com'):
- origin_github_api = origin.split(':')[1]
- (org_name, repo_name) = origin_github_api.split('/', 1)
- if repo_name.find('.git$'):
- repo_name = re.sub(r".git$","", repo_name)
- origin_github_api = 'https://api.github.com/repos/{}/{}/commits/{}'.format(org_name, repo_name, rcommit.hexsha)
+ if origin.find("github.com"):
+ origin_github_api = origin.split(":")[1]
+ (org_name, repo_name) = origin_github_api.split("/", 1)
+ if repo_name.find(".git$"):
+ repo_name = re.sub(r".git$", "", repo_name)
+ origin_github_api = "https://api.github.com/repos/{}/{}/commits/{}".format(
+ org_name, repo_name, rcommit.hexsha
+ )
 else:
- origin = 'git origin unknown'
+ origin = "git origin unknown"
 # deduplication if similar commits on different branches
 if rcommit.hexsha in potential_vulnerabilities:
- potential_vulnerabilities[rcommit.hexsha]['branches'].append(branch)
+ potential_vulnerabilities[rcommit.hexsha]["branches"].append(branch)
 else:
 potential_vulnerabilities[rcommit.hexsha] = {}
- potential_vulnerabilities[rcommit.hexsha]['message'] = rcommit.message
- potential_vulnerabilities[rcommit.hexsha]['language'] = langdetect(rcommit.message)
- potential_vulnerabilities[rcommit.hexsha]['commit-id'] = rcommit.hexsha
- potential_vulnerabilities[rcommit.hexsha]['summary'] = rcommit.summary
- potential_vulnerabilities[rcommit.hexsha]['stats'] = rcommit.stats.total
- potential_vulnerabilities[rcommit.hexsha]['author'] = rcommit.author.name
- potential_vulnerabilities[rcommit.hexsha]['author-email'] = rcommit.author.email
- potential_vulnerabilities[rcommit.hexsha]['authored_date'] = rcommit.authored_date
- potential_vulnerabilities[rcommit.hexsha]['committed_date'] = rcommit.committed_date
- potential_vulnerabilities[rcommit.hexsha]['branches'] = []
- potential_vulnerabilities[rcommit.hexsha]['branches'].append(branch)
- potential_vulnerabilities[rcommit.hexsha]['pattern-selected'] = pattern.pattern
- potential_vulnerabilities[rcommit.hexsha]['pattern-matches'] = vuln_match
- potential_vulnerabilities[rcommit.hexsha]['origin'] = origin
+ potential_vulnerabilities[rcommit.hexsha]["message"] = rcommit.message
+ potential_vulnerabilities[rcommit.hexsha]["language"] = langdetect(
+ rcommit.message
+ )
+ potential_vulnerabilities[rcommit.hexsha]["commit-id"] = rcommit.hexsha
+ potential_vulnerabilities[rcommit.hexsha]["summary"] = rcommit.summary
+ potential_vulnerabilities[rcommit.hexsha]["stats"] = rcommit.stats.total
+ potential_vulnerabilities[rcommit.hexsha]["author"] = rcommit.author.name
+ potential_vulnerabilities[rcommit.hexsha]["author-email"] = rcommit.author.email
+ potential_vulnerabilities[rcommit.hexsha][
+ "authored_date"
+ ] = rcommit.authored_date
+ potential_vulnerabilities[rcommit.hexsha][
+ "committed_date"
+ ] = rcommit.committed_date
+ potential_vulnerabilities[rcommit.hexsha]["branches"] = []
+ potential_vulnerabilities[rcommit.hexsha]["branches"].append(branch)
+ potential_vulnerabilities[rcommit.hexsha]["pattern-selected"] = pattern.pattern
+ potential_vulnerabilities[rcommit.hexsha]["pattern-matches"] = vuln_match
+ potential_vulnerabilities[rcommit.hexsha]["origin"] = origin
 if origin_github_api:
- potential_vulnerabilities[commit.hexsha]['origin-github-api'] = origin_github_api
- potential_vulnerabilities[rcommit.hexsha]['tags'] = []
+ potential_vulnerabilities[commit.hexsha][
+ "origin-github-api"
+ ] = origin_github_api
+ potential_vulnerabilities[rcommit.hexsha]["tags"] = []
 if tags_matching:
 if repo.commit(rcommit).hexsha in tagmap:
- potential_vulnerabilities[rcommit.hexsha]['tags'] = tagmap[repo.commit(rcommit).hexsha]
- if cve: potential_vulnerabilities[rcommit.hexsha]['cve'] = cve
+ potential_vulnerabilities[rcommit.hexsha]["tags"] = tagmap[
+ repo.commit(rcommit).hexsha
+ ]
 if cve:
- potential_vulnerabilities[rcommit.hexsha]['state'] = "cve-assigned"
+ potential_vulnerabilities[rcommit.hexsha]["cve"] = cve
+ if cve:
+ potential_vulnerabilities[rcommit.hexsha]["state"] = "cve-assigned"
 else:
- potential_vulnerabilities[rcommit.hexsha]['state'] = commit_state
+ potential_vulnerabilities[rcommit.hexsha]["state"] = commit_state
 return rcommit.hexsha, potential_vulnerabilities
 def extract_cve(commit):
 cve_found = set()
- cve_find = re.compile(r'CVE-[1-2]\d{1,4}-\d{1,7}', re.IGNORECASE)
+ cve_find = re.compile(r"CVE-[1-2]\d{1,4}-\d{1,7}", re.IGNORECASE)
 m = cve_find.findall(commit)
 if m:
 for v in m:
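Review bot: The GitHub detection in summary() is inverted by str.find semantics: `if origin.find("github.com"):` is true for every origin that does not contain the substring (find returns -1, which is truthy) and false when it sits at index 0, and `if repo_name.find(".git$"):` looks for the literal five characters `.git$`, so the branch and the strip run for the wrong inputs and only appear to work because -1 is truthy. `if "github.com" in origin:` and `if repo_name.endswith(".git"):` express the intent. Separately, `origin_github_api` is only bound inside that branch, so reaching `if origin_github_api:` with an origin of None, or one where the condition is false, raises UnboundLocalError; initialising `origin_github_api = None` before `if origin is not None:` closes that path. The `origin.split(":")[1]` parsing presumably assumes an SSH-style remote and would need checking against HTTPS origins, which the hunk does not show.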