chg: [doc] sample CVE id extraction added
This commit is contained in:
parent
846ee3a965
commit
558358c44b
1 changed files with 42 additions and 2 deletions
44
README.md
|
@ -1,11 +1,12 @@
|
||||||
# git-vuln-finder
|
# git-vuln-finder
|
||||||
|
|
||||||
Finding potential software vulnerabilities from git commit messages. The output format is a JSON with the associated commit which could contain a fix regarding
|
Finding potential software vulnerabilities from git commit messages. The output format is a JSON with the associated commit which could contain a fix regarding
|
||||||
a software vulnerability. The search is based on a set of regular expressions against the commit messages only.
|
a software vulnerability. The search is based on a set of regular expressions against the commit messages only. If CVE IDs are present, those are added automatically
|
||||||
|
in the output.
|
||||||
|
|
||||||
# Requirements
|
# Requirements
|
||||||
|
|
||||||
- Python 3
|
- Python 3.6
|
||||||
- GitPython
|
- GitPython
|
||||||
|
|
||||||
# Usage
|
# Usage
|
||||||
|
@ -86,6 +87,45 @@ python3 finder.py -r /home/adulau/git/curl | jq .
|
||||||
...
|
...
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
|
- Extracting CVE id(s) from git messages
|
||||||
|
|
||||||
|
~~~json
|
||||||
|
"98d132cf6a879faf0147aa83ea0c07ff326260ed": {
|
||||||
|
"message": "Add a macro for testing assertion in both debug and production builds\n\nIf we have an assert then in a debug build we want an abort() to occur.\nIn a production build we wan
|
||||||
|
t the function to return an error.\n\nThis introduces a new macro to assist with that. The idea is to replace\nexisting use of OPENSSL_assert() with this new macro. The problem with\nOPENSSL
|
||||||
|
_assert() is that it aborts() on an assertion failure in both debug\nand production builds. It should never be a library's decision to abort a\nprocess (we don't get to decide when to kill t
|
||||||
|
he life support machine or\nthe nuclear reactor control system). Additionally if an attacker can\ncause a reachable assert to be hit then this can be a source of DoS attacks\ne.g. see CVE-20
|
||||||
|
17-3733, CVE-2015-0293, CVE-2011-4577 and CVE-2002-1568.\n\nReviewed-by: Tim Hudson <tjh@openssl.org>\n(Merged from https://github.com/openssl/openssl/pull/3496)",
|
||||||
|
"commit-id": "98d132cf6a879faf0147aa83ea0c07ff326260ed",
|
||||||
|
"summary": "Add a macro for testing assertion in both debug and production builds",
|
||||||
|
"stats": {
|
||||||
|
"insertions": 18,
|
||||||
|
"deletions": 0,
|
||||||
|
"lines": 18,
|
||||||
|
"files": 1
|
||||||
|
},
|
||||||
|
"author": "Matt Caswell",
|
||||||
|
"author-email": "matt@openssl.org",
|
||||||
|
"authored_date": 1495182637,
|
||||||
|
"committed_date": 1495457671,
|
||||||
|
"branches": [
|
||||||
|
"master"
|
||||||
|
],
|
||||||
|
"pattern-selected": "(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|x−frame−options|attack|cross site |ex
|
||||||
|
ploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure |security |\bcross−origin\b|unauthori[z|s]ed |infinite loop)",
|
||||||
|
"pattern-matches": [
|
||||||
|
"attack"
|
||||||
|
],
|
||||||
|
"cve": [
|
||||||
|
"CVE-2017-3733",
|
||||||
|
"CVE-2015-0293",
|
||||||
|
"CVE-2011-4577",
|
||||||
|
"CVE-2002-1568"
|
||||||
|
],
|
||||||
|
"state": "cve-assigned"
|
||||||
|
}
|
||||||
|
~~~
|
||||||
|
|
||||||
# License and author(s)
|
# License and author(s)
|
||||||
|
|
||||||
This software is free software and licensed under the AGPL version 3.
|
This software is free software and licensed under the AGPL version 3.
|
||||||
|
|