diff --git a/bin/finder.py b/bin/finder.py
index d710c56..bbefd76 100644
--- a/bin/finder.py
+++ b/bin/finder.py
@@ -73,8 +73,8 @@ def main():
     repo_heads_names = [h.name for h in repo_heads]
     print(repo_heads_names, file=sys.stderr)
     origin = repo.remotes.origin.url
+    tagmap = {}
     if args.t:
-        tagmap = {}
         for t in repo.tags:
             tagmap.setdefault(repo.commit(t).hexsha, []).append(str(t))
@@ -86,8 +86,10 @@ def main():
             ret = find_vuln(commit, pattern=defaultpattern, verbose=args.v)
             if ret:
                 rcommit = ret['commit']
-                _, potential_vulnerabilities = summary(rcommit,
+                _, potential_vulnerabilities = summary(repo,
+                                                       rcommit,
                                                        branch,
+                                                       tagmap,
                                                        defaultpattern,
                                                        origin=origin,
                                                        vuln_match=ret['match'],
@@ -100,8 +102,10 @@ def main():
             ret = find_vuln(commit, pattern=p, verbose=args.v)
             if ret:
                 rcommit = ret['commit']
-                _, potential_vulnerabilities = summary(rcommit,
+                _, potential_vulnerabilities = summary(repo,
+                                                       rcommit,
                                                        branch,
+                                                       tagmap,
                                                        p,
                                                        origin=origin,
                                                        vuln_match=ret['match'],
diff --git a/git_vuln_finder/__init__.py b/git_vuln_finder/__init__.py
index 646d685..8b18bb6 100644
--- a/git_vuln_finder/__init__.py
+++ b/git_vuln_finder/__init__.py
@@ -1,6 +1,6 @@
-from git_vuln_finder.finder import build_pattern
-from git_vuln_finder.finder import get_patterns
-from git_vuln_finder.finder import find_vuln
-from git_vuln_finder.finder import summary
-from git_vuln_finder.finder import extract_cve
+from git_vuln_finder.pattern import build_pattern
+from git_vuln_finder.pattern import get_patterns
+from git_vuln_finder.vulnerability import find_vuln
+from git_vuln_finder.vulnerability import summary
+from git_vuln_finder.vulnerability import extract_cve
diff --git a/git_vuln_finder/pattern.py b/git_vuln_finder/pattern.py
new file mode 100644
index 0000000..e853249
--- /dev/null
+++ b/git_vuln_finder/pattern.py
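Review bot: Both call sites of summary() in this file (this hunk at @@ -86 and the one at @@ -100) now pass five positional arguments, `repo, rcommit, branch, tagmap, <pattern>`, ahead of the keyword ones, and the new `repo`/`tagmap` slots are easy to transpose with `branch` because nothing in the call names them. Passing them by keyword, `summary(repo, rcommit, branch, tagmap=tagmap, pattern=defaultpattern, origin=origin, ...)`, matches the parameter names visible in the vulnerability.py hunk and keeps a later signature change from silently rebinding them. The two blocks are otherwise identical apart from the pattern, so a small helper taking the pattern would remove the duplication. main() begins and ends outside the hunk.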
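Review bot: The re-exports in `__init__.py` keep `from git_vuln_finder import summary` and friends working, but the rename removes the `git_vuln_finder.finder` module itself, so anything that imports `git_vuln_finder.finder` directly will fail with ImportError after this change. If that module path was ever documented or used by callers outside this repository, a short `finder.py` that re-imports the five names from `pattern` and `vulnerability` with a deprecation comment, or at least a changelog line, would soften the break.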
@@ -0,0 +1,76 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+# Finding potential software vulnerabilities from git commit messages
+#
+# Software is free software released under the "GNU Affero General Public License v3.0"
+#
+# This software is part of cve-search.org
+#
+# Copyright (c) 2019-2020 Alexandre Dulaunoy - a@foo.be
+
+import os
+import re
+
+PATTERNS_PATH="./git_vuln_finder/patterns"
+
+def build_pattern(pattern_file):
+    fp = open(pattern_file, "r")
+    rex = ""
+    try:
+        prefix_fp = open(pattern_file + ".prefix", "r")
+        rex += prefix_fp.read()
+        prefix_fp.close()
+    except:
+        pass
+
+    for line in fp.readlines():
+        rex += line.rstrip() + "|"
+    rex = rex[:-1] # We remove the extra '|
+    fp.close()
+
+    try:
+        suffix_fp = open(pattern_file + ".suffix", "r")
+        rex += suffix_fp.read()
+        suffix_fp.close()
+    except:
+        pass
+
+    return rex
+
+
+def get_patterns(patterns_path=PATTERNS_PATH):
+    patterns = {}
+    for root, dirs, files in os.walk(patterns_path):
+        path = root.split(os.sep)
+        for f in files:
+            if f.endswith(".prefix") or f.endswith(".suffix"):
+                continue
+            npath = root[len(patterns_path):].split(os.sep)
+            try:
+                npath.remove('')
+            except ValueError:
+                pass
+
+            lang = npath[0]
+            severity = npath[1]
+            pattern_category = f
+
+            try: # FIXME: Is there a better way?
+                a = patterns[lang]
+            except KeyError:
+                patterns[lang] = {}
+            try:
+                a = patterns[lang][severity]
+            except KeyError:
+                patterns[lang][severity] = {}
+            try:
+                a = patterns[lang][severity][pattern_category]
+            except KeyError:
+                rex = build_pattern(root + os.sep + f)
+                patterns[lang][severity][pattern_category] = re.compile(rex)
+
+    return patterns
diff --git a/git_vuln_finder/finder.py b/git_vuln_finder/vulnerability.py
similarity index 69%
rename from git_vuln_finder/finder.py
rename to git_vuln_finder/vulnerability.py
index 3c9be83..bf2d8a7 100644
--- a/git_vuln_finder/finder.py
+++ b/git_vuln_finder/vulnerability.py
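Review bot: build_pattern's two bare `except: pass` clauses (around the `.prefix` and `.suffix` reads) swallow every exception, not just a missing file, so a permission or decoding error silently yields a regex without its prefix or suffix, and the handle opened just before the failing `read()` is never closed; `fp` is likewise left open if `readlines()` raises. The code is carried over from finder.py, but since this is a new module it is the place to tighten it: catch `FileNotFoundError` only, use `with open(...)`, and build the alternation with `"|".join(...)`, which also stops `rex[:-1]` from chopping the last prefix character when the pattern file is empty. Separately, `PATTERNS_PATH` is relative to the process's working directory, so `get_patterns()` walks nothing when the tool is run from elsewhere; anchoring it with `os.path.join(os.path.dirname(__file__), "patterns")` would fix that, and `path = root.split(os.sep)` plus the three `a = ...` lookups are unused and could be replaced by `setdefault`.
```python
def build_pattern(pattern_file):
    rex = ""
    try:
        with open(pattern_file + ".prefix", "r") as prefix_fp:
            rex += prefix_fp.read()
    except FileNotFoundError:
        pass

    with open(pattern_file, "r") as fp:
        rex += "|".join(line.rstrip() for line in fp)

    try:
        with open(pattern_file + ".suffix", "r") as suffix_fp:
            rex += suffix_fp.read()
    except FileNotFoundError:
        pass

    return rex
# … unchanged: get_patterns …
```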
@@ -10,74 +10,11 @@
 # Copyright (c) 2019-2020 Alexandre Dulaunoy - a@foo.be
-import os
 import re
 import sys
 from langdetect import detect as langdetect
-PATTERNS_PATH="./git_vuln_finder/patterns"
-
-
-def build_pattern(pattern_file):
-    fp = open(pattern_file, "r")
-    rex = ""
-    try:
-        prefix_fp = open(pattern_file + ".prefix", "r")
-        rex += prefix_fp.read()
-        prefix_fp.close()
-    except:
-        pass
-
-    for line in fp.readlines():
-        rex += line.rstrip() + "|"
-    rex = rex[:-1] # We remove the extra '|
-    fp.close()
-
-    try:
-        suffix_fp = open(pattern_file + ".suffix", "r")
-        rex += suffix_fp.read()
-        suffix_fp.close()
-    except:
-        pass
-
-    return rex
-
-
-def get_patterns(patterns_path=PATTERNS_PATH):
-    patterns = {}
-    for root, dirs, files in os.walk(patterns_path):
-        path = root.split(os.sep)
-        for f in files:
-            if f.endswith(".prefix") or f.endswith(".suffix"):
-                continue
-            npath = root[len(patterns_path):].split(os.sep)
-            try:
-                npath.remove('')
-            except ValueError:
-                pass
-
-            lang = npath[0]
-            severity = npath[1]
-            pattern_category = f
-
-            try: # FIXME: Is there a better way?
-                a = patterns[lang]
-            except KeyError:
-                patterns[lang] = {}
-            try:
-                a = patterns[lang][severity]
-            except KeyError:
-                patterns[lang][severity] = {}
-            try:
-                a = patterns[lang][severity][pattern_category]
-            except KeyError:
-                rex = build_pattern(root + os.sep + f)
-                patterns[lang][severity][pattern_category] = re.compile(rex)
-
-    return patterns
-
-
-
 def find_vuln(commit, pattern, verbose=False):
     m = pattern.search(commit.message)
     if m:
@@ -93,8 +30,10 @@ def find_vuln(commit, pattern, verbose=False):
     return None
-def summary(commit,
+def summary(repo,
+            commit,
             branch,
+            tagmap,
             pattern,
             origin=None,
             vuln_match=None,