adulau/git-vuln-finder
1
0
Fork 0
mirror of https://github.com/adulau/git-vuln-finder.git synced 2024-11-21 17:47:06 +00:00
Code Issues Projects Releases Packages Wiki Activity
122 commits 1 branch 2 tags 386 KiB
Commit graph

30 commits

Author SHA1 Message Date
David Cruciani
cefa47ae23 gharchive process 2021-12-20 14:54:59 +01:00
Cédric Bonhomme
a98bc11227
added comments 2020-01-06 22:33:21 +01:00
Cédric Bonhomme
df6c4c163e
moved find function used for the cli in a file run.py 2020-01-06 22:30:14 +01:00
Cédric Bonhomme
552937a7bb
Make the whole thing importable in a Python code. 2020-01-06 16:29:30 +01:00
Cédric Bonhomme
73d5349b08
in place merge number of CVE found via summary function 2020-01-06 15:50:50 +01:00
Cédric Bonhomme
335bdff4cb
reformat a tiny with black 2020-01-06 07:50:21 +01:00
Cédric Bonhomme
a597d1e6fc
fixed problem of definition of tagmap 2020-01-06 07:44:35 +01:00
Cédric Bonhomme
ba558d34e4
typo 2020-01-05 13:08:57 +01:00
Cédric Bonhomme
2fa7b4583e
improved cli. removed useless import 2020-01-03 17:51:55 +01:00
Cédric Bonhomme
dcb0fcc0a5
wip, but seems to be working as a cli 2020-01-03 16:06:33 +01:00
Sebastien Tricaud
2d1cbc220f Adding patterns to be used from external files, done this way: 
* Create a file in patterns/en/medium/ where there is one pattern per line
* If needed append .suffix and .prefix to prepend or append those chars to the regex (exactly those chars, don't add a newline char in the end!)
* Replicate the actual behavior, for now, only medium is being used, but later, we will add more severities and add them into the output information
 2019-12-24 11:42:24 -08:00
Alexandre Dulaunoy
5fd66b8dc6
new: [tags] add an option to list the tags associated to the commit 2019-12-24 17:17:21 +01:00
Alexandre Dulaunoy
2b5e91187e
Merge pull request #5 from stricaud/langdetect 
Added language detection
 2019-12-24 16:27:59 +01:00
Alexandre Dulaunoy
9c6bccc4ae
new: [github-api] Add the API link to the GitHub commit if the git repository is from GitHub 2019-12-24 16:22:02 +01:00
Sebastien Tricaud
26edaab198 Added language detection 2019-12-24 07:16:28 -08:00
Alexandre Dulaunoy
a75ecdbc87
new: [option] -c option added to output only a list of the CVE pattern found in commit messages 2019-12-24 15:38:36 +01:00
Alexandre Dulaunoy
846ee3a965
new: [cve] automatic extraction of CVE id from commit message 
If one of more CVE id(s) are found in a commit message, those are added
in the finding output.

Example:

  "8c6f86c7c5350fadf22d32d6cd4712e2ad4447ba": {
    "message": "Fix an overflow bug in rsaz_512_sqr\n\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in\nexponentiation with 512-bit moduli. No EC algorithms are affected. Analysis\nsuggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a\nresult of this defect would be very difficult to perform and are not believed\nlikely. Attacks against DH512 are considered just feasible. However, for an\nattack the target would have to re-use the DH512 private key, which is not\nrecommended anyway. Also applications directly using the low level API\nBN_mod_exp may be affected if they use BN_FLG_CONSTTIME.\n\nCVE-2019-1551\n\nReviewed-by: Paul Dale <paul.dale@oracle.com>\nReviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>\n(Merged from https://github.com/openssl/openssl/pull/10574)\n",
    "commit-id": "8c6f86c7c5350fadf22d32d6cd4712e2ad4447ba",
    "summary": "Fix an overflow bug in rsaz_512_sqr",
    "stats": {
      "insertions": 197,
      "deletions": 184,
      "lines": 381,
      "files": 1
    },
    "author": "Andy Polyakov",
    "author-email": "appro@openssl.org",
    "authored_date": 1575460101,
    "committed_date": 1575635491,
    "branches": [
      "master"
    ],
    "pattern-selected": "(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|x−frame−options|attack|cross site |exploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure |security |\bcross−origin\b|unauthori[z|s]ed |infinite loop)",
    "pattern-matches": [
      "attack"
    ],
    "cve": [
      "CVE-2019-1551"
    ],
    "state": "cve-assigned"
  }

The state is also updated to cve-assigned if one or more CVE are present
in the commit message.
 2019-12-17 13:37:18 +01:00
Alexandre Dulaunoy
cb850efd6a
chg: [cryptopatterns] remove FP with words starting with key like "keyboard" 2019-12-17 11:16:00 +01:00
Alexandre Dulaunoy
615027bba2
chg: [patterns] return all the groups matches and non-matches 2019-12-17 11:10:10 +01:00
Jean-Louis Huynen
758155806a chg: [cryptopatterns] two clowns using a web interface to build regexps 2019-12-17 10:51:45 +01:00
Alexandre Dulaunoy
d9ca07a277
chg: [cryptopattern] some improvements 2019-12-17 10:06:51 +01:00
Jean-Louis Huynen
d0bff5a72b
chg: [cryptopatterns] pimped the regex / tested 2019-12-17 09:37:43 +01:00
Jean-Louis Huynen
71020024dd
chg: [cryptopatterns] pimped the regex 2019-12-17 09:28:55 +01:00
Alexandre Dulaunoy
2d087a7b79
new: [pattern] -p all will match all the patterns available and include 
the regexp matches in the output
 2019-12-17 08:45:28 +01:00
Alexandre Dulaunoy
5146633989
chg: [regexp] some more crypto regexps 2019-11-15 15:20:58 +01:00
Alexandre Dulaunoy
3b9ad5c846
add: [pattern selection] regexp pattern can now be selected - 3 default patterns 
A new option -p has been added to select the pattern to use.

-p P        Matching pattern to use: [vulnpatterns, cryptopatterns,
              cpatterns]

The 3 default patterns are the following:

 - A generic "vulnpatterns" which contain mainly web vulnerability and
 common vulnerability messages including CVE numbers.
 - A specific "cryptopatterns" to match potential vulnerabilities
 matching cryptographic functionalities
 - A specific "cpatterns" to match common vulnerabilities in C/C++-like
language.

cryptopatterns and cpatterns still need some more work.
 2019-11-15 07:39:19 +01:00
Alexandre Dulaunoy
c7de59a011
chg: [re] fixed typo in default regular expression 2019-11-04 07:27:16 +01:00
Alexandre Dulaunoy
1abe154272
chg: [finder] add state of the commit found 2019-11-03 21:04:09 +01:00
Alexandre Dulaunoy
bcb905cf99
chg: [regexp] fixing incorrect regexp 2019-11-03 20:45:08 +01:00
Alexandre Dulaunoy
2333b32849
new: [git-vuln-finder] Initial release of git-vuln-finder 
Finding potential software vulnerabilities from git commit messages.

First release based on a set of regexp patterns (to be improved).
 2019-11-03 15:26:43 +01:00