adulau/git-vuln-finder
1
0
Fork 0
mirror of https://github.com/adulau/git-vuln-finder.git synced 2024-11-21 17:47:06 +00:00
Code Issues Projects Releases Packages Wiki Activity
38 commits 1 branch 2 tags 386 KiB
Commit graph

38 commits

This branch
This branch
All branches
Author SHA1 Message Date
Cédric Bonhomme
8e0599ec09
OK, it's for GitHub pages. 2020-01-04 00:07:17 +01:00
Cédric Bonhomme
2fa7b4583e
improved cli. removed useless import 2020-01-03 17:51:55 +01:00
Cédric Bonhomme
fe4a656412
Updated README. 2020-01-03 17:39:56 +01:00
Cédric Bonhomme
dfa15c119d
Renamed command line. 2020-01-03 17:35:04 +01:00
Cédric Bonhomme
0b31bc36b2
added pyproject.toml file 2020-01-03 16:07:40 +01:00
Cédric Bonhomme
dcb0fcc0a5
wip, but seems to be working as a cli 2020-01-03 16:06:33 +01:00
Alexandre Dulaunoy
01cedee91d Set theme jekyll-theme-minimal 2019-12-27 11:08:22 +01:00
Alexandre Dulaunoy
f845ad059a chg: [doc] logo added 2019-12-26 11:59:52 +01:00
Alexandre Dulaunoy
f22077452c new: [logos] git-vuln-finder project has its own logo 2019-12-26 11:57:28 +01:00
Alexandre Dulaunoy
e19606ccf6
chg: [doc] How to contribute to the project 2019-12-26 10:34:18 +01:00
Alexandre Dulaunoy
58fabc104a
Merge pull request #6 from stricaud/patterns 
Adding patterns to be used from external files, done this way:
 2019-12-26 10:22:40 +01:00
Sebastien Tricaud
2d1cbc220f Adding patterns to be used from external files, done this way: 
* Create a file in patterns/en/medium/ where there is one pattern per line
* If needed append .suffix and .prefix to prepend or append those chars to the regex (exactly those chars, don't add a newline char in the end!)
* Replicate the actual behavior, for now, only medium is being used, but later, we will add more severities and add them into the output information
 2019-12-24 11:42:24 -08:00
Alexandre Dulaunoy
098921df31
chg: [doc] update the READM for the v1.0 release 2019-12-24 17:28:51 +01:00
Alexandre Dulaunoy
5fd66b8dc6
new: [tags] add an option to list the tags associated to the commit 2019-12-24 17:17:21 +01:00
Alexandre Dulaunoy
2b5e91187e
Merge pull request #5 from stricaud/langdetect 
Added language detection
 2019-12-24 16:27:59 +01:00
Alexandre Dulaunoy
9c6bccc4ae
new: [github-api] Add the API link to the GitHub commit if the git repository is from GitHub 2019-12-24 16:22:02 +01:00
Sebastien Tricaud
26edaab198 Added language detection 2019-12-24 07:16:28 -08:00
Alexandre Dulaunoy
a75ecdbc87
new: [option] -c option added to output only a list of the CVE pattern found in commit messages 2019-12-24 15:38:36 +01:00
Alexandre Dulaunoy
558358c44b
chg: [doc] sample CVE id extraction added 2019-12-17 13:51:54 +01:00
Alexandre Dulaunoy
846ee3a965
new: [cve] automatic extraction of CVE id from commit message 
If one of more CVE id(s) are found in a commit message, those are added
in the finding output.

Example:

  "8c6f86c7c5350fadf22d32d6cd4712e2ad4447ba": {
    "message": "Fix an overflow bug in rsaz_512_sqr\n\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in\nexponentiation with 512-bit moduli. No EC algorithms are affected. Analysis\nsuggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a\nresult of this defect would be very difficult to perform and are not believed\nlikely. Attacks against DH512 are considered just feasible. However, for an\nattack the target would have to re-use the DH512 private key, which is not\nrecommended anyway. Also applications directly using the low level API\nBN_mod_exp may be affected if they use BN_FLG_CONSTTIME.\n\nCVE-2019-1551\n\nReviewed-by: Paul Dale <paul.dale@oracle.com>\nReviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>\n(Merged from https://github.com/openssl/openssl/pull/10574)\n",
    "commit-id": "8c6f86c7c5350fadf22d32d6cd4712e2ad4447ba",
    "summary": "Fix an overflow bug in rsaz_512_sqr",
    "stats": {
      "insertions": 197,
      "deletions": 184,
      "lines": 381,
      "files": 1
    },
    "author": "Andy Polyakov",
    "author-email": "appro@openssl.org",
    "authored_date": 1575460101,
    "committed_date": 1575635491,
    "branches": [
      "master"
    ],
    "pattern-selected": "(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|x−frame−options|attack|cross site |exploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure |security |\bcross−origin\b|unauthori[z|s]ed |infinite loop)",
    "pattern-matches": [
      "attack"
    ],
    "cve": [
      "CVE-2019-1551"
    ],
    "state": "cve-assigned"
  }

The state is also updated to cve-assigned if one or more CVE are present
in the commit message.
 2019-12-17 13:37:18 +01:00
Alexandre Dulaunoy
cb850efd6a
chg: [cryptopatterns] remove FP with words starting with key like "keyboard" 2019-12-17 11:16:00 +01:00
Alexandre Dulaunoy
615027bba2
chg: [patterns] return all the groups matches and non-matches 2019-12-17 11:10:10 +01:00
Alexandre Dulaunoy
584670daf7
Merge pull request #3 from gallypette/master 
chg: [cryptopatterns] two clowns using a web interface to build regexps
 2019-12-17 10:55:43 +01:00
Jean-Louis Huynen
758155806a chg: [cryptopatterns] two clowns using a web interface to build regexps 2019-12-17 10:51:45 +01:00
Alexandre Dulaunoy
d9ca07a277
chg: [cryptopattern] some improvements 2019-12-17 10:06:51 +01:00
Alexandre Dulaunoy
f3da495533
Merge pull request #2 from gallypette/master 
chg: [cryptopatterns] pimped the regex
 2019-12-17 09:51:25 +01:00
Jean-Louis Huynen
d0bff5a72b
chg: [cryptopatterns] pimped the regex / tested 2019-12-17 09:37:43 +01:00
Jean-Louis Huynen
71020024dd
chg: [cryptopatterns] pimped the regex 2019-12-17 09:28:55 +01:00
Alexandre Dulaunoy
e518fd6690
chg: [doc] updated to match new output 2019-12-17 08:53:13 +01:00
Alexandre Dulaunoy
2d087a7b79
new: [pattern] -p all will match all the patterns available and include 
the regexp matches in the output
 2019-12-17 08:45:28 +01:00
Alexandre Dulaunoy
5146633989
chg: [regexp] some more crypto regexps 2019-11-15 15:20:58 +01:00
Alexandre Dulaunoy
24555ffa1d
chg: [doc] README fixed 2019-11-15 07:48:32 +01:00
Alexandre Dulaunoy
3b9ad5c846
add: [pattern selection] regexp pattern can now be selected - 3 default patterns 
A new option -p has been added to select the pattern to use.

-p P        Matching pattern to use: [vulnpatterns, cryptopatterns,
              cpatterns]

The 3 default patterns are the following:

 - A generic "vulnpatterns" which contain mainly web vulnerability and
 common vulnerability messages including CVE numbers.
 - A specific "cryptopatterns" to match potential vulnerabilities
 matching cryptographic functionalities
 - A specific "cpatterns" to match common vulnerabilities in C/C++-like
language.

cryptopatterns and cpatterns still need some more work.
 2019-11-15 07:39:19 +01:00
Alexandre Dulaunoy
c7de59a011
chg: [re] fixed typo in default regular expression 2019-11-04 07:27:16 +01:00
Alexandre Dulaunoy
1abe154272
chg: [finder] add state of the commit found 2019-11-03 21:04:09 +01:00
Alexandre Dulaunoy
bcb905cf99
chg: [regexp] fixing incorrect regexp 2019-11-03 20:45:08 +01:00
Alexandre Dulaunoy
bbb1c4184b
chg: [doc] clarification 2019-11-03 15:32:57 +01:00
Alexandre Dulaunoy
2333b32849
new: [git-vuln-finder] Initial release of git-vuln-finder 
Finding potential software vulnerabilities from git commit messages.

First release based on a set of regexp patterns (to be improved).
 2019-11-03 15:26:43 +01:00