diff --git a/README.md b/README.md
index 73b8afd..c1d67bb 100644
--- a/README.md
+++ b/README.md
@@ -32,6 +32,43 @@ Python 3.8.0 (default, Dec 11 2019, 21:43:13)
 Type "help", "copyright", "credits" or "license" for more information.
 >>> from git_vuln_finder import find
 >>> all_potential_vulnerabilities, all_cve_found, found = find("~/git/curl")
+
+>>> [commit for commit, summary in all_potential_vulnerabilities.items() if summary['state'] == 'cve-assigned']
+['9069838b30fb3b48af0123e39f664cea683254a5', 'facb0e4662415b5f28163e853dc6742ac5fafb3d',
+... snap ...
+ '8a75dbeb2305297640453029b7905ef51b87e8dd', '1dc43de0dccc2ea7da6dddb7b98f8d7dcf323914', '192c4f788d48f82c03e9cef40013f34370e90737', '2eb8dcf26cb37f09cffe26909a646e702dbcab66', 'fa1ae0abcde5df8d0b3283299e3f246bedf7692c', 'c11c30a8c8d727dcf5634fa0cc6ee0b4b77ddc3d', '75ca568fa1c19de4c5358fed246686de8467c238', 'a20daf90e358c1476a325ea665d533f7a27e3364', '042cc1f69ec0878f542667cb684378869f859911']
+ >>> print(json.dumps(all_potential_vulnerabilities['9069838b30fb3b48af0123e39f664cea683254a5'], sort_keys=True, indent=4, separators=(",", ": ")))
+ {
+ "author": "Daniel Stenberg",
+ "author-email": "daniel@haxx.se",
+ "authored_date": 1567544372,
+ "branches": [
+ "master"
+ ],
+ "commit-id": "9069838b30fb3b48af0123e39f664cea683254a5",
+ "committed_date": 1568009674,
+ "cve": [
+ "CVE-2019-5481",
+ "CVE-2019-5481"
+ ],
+ "language": "en",
+ "message": "security:read_data fix bad realloc()\n\n... that could end up a double-free\n\nCVE-2019-5481\nBug: https://curl.haxx.se/docs/CVE-2019-5481.html\n",
+ "origin": "https://github.com/curl/curl.git",
+ "origin-github-api": "https://api.github.com/repos///github.com/curl/curl/commits/9069838b30fb3b48af0123e39f664cea683254a5",
+ "pattern-matches": [
+ "double-free"
+ ],
+ "pattern-selected": "(?i)(double[-| ]free|buffer overflow|double free|race[-| ]condition)",
+ "state": "cve-assigned",
+ "stats": {
+ "deletions": 4,
+ "files": 1,
+ "insertions": 2,
+ "lines": 6
+ },
+ "summary": "security:read_data fix bad realloc()",
+ "tags": []
+ }
 ~~~
@@ -181,22 +218,33 @@ ploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b|\bXSS\b|clickjack } ~~~ + +#Running the tests + +~~~bash +$ pytest +~~~ + + # License and author(s) This software is free software and licensed under the AGPL version 3. Copyright (c) 2019-2020 Alexandre Dulaunoy - https://github.com/adulau/ + # Acknowledgment - Thanks to [Jean-Louis Huynen](https://github.com/gallypette) for the discussions about the crypto vulnerability patterns. - Thanks to [Sebastien Tricaud](https://github.com/stricaud) for the discussions regarding native language, commit messages and external patterns. + # Contributing We welcome contributions for the software and especially additional vulnerability patterns. Every contributors will be added in the [AUTHORS file](./AUTHORS) and collectively own this open source software. The contributors acknowledge the [Developer Certificate of Origin](https://developercertificate.org/). + # References - [Notes](https://gist.github.com/adulau/dce5a6ca5c65017869bb01dfee576303#file-finding-vuln-git-commit-messages-md) diff --git a/pyproject.toml b/pyproject.toml index 0401c82..d98e39f 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -24,15 +24,17 @@ keywords = [ ] classifiers = [ - "Development Status :: 5 - Production/Stable", + "Development Status :: 4 - Beta Copy", "Environment :: Console", "Intended Audience :: Developers", + "Intended Audience :: Information Technology", "Intended Audience :: Science/Research", "Topic :: Security", "Operating System :: OS Independent", + "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3.7", "Programming Language :: Python :: 3.8", - "License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)" + "License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)" ] include = [
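Review bot: The new classifier `"Development Status :: 4 - Beta Copy"` in the pyproject.toml hunk is not a recognised trove classifier; the trailing " Copy" looks like a paste artifact, and the intended entry is presumably `"Development Status :: 4 - Beta",`. Package indexes validate classifiers at upload time, so this value would likely cause a release upload to be rejected rather than just display oddly. The hunk also adds `"Programming Language :: Python :: 3.6"`; the project's declared Python requirement is outside this hunk, so it is worth confirming that it actually admits 3.6 before advertising it.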