Recent releases for git-vuln-finder

# git-vuln-finder v1.0 (2019-12-24) - Finding vulnerabilities in source code repositories by analysing git commit messages
[git-vuln-finder](https://github.com/cve-search/git-vuln-finder) - Finding potential software vulnerabilities from git commit messages. The output is a JSON document listing each commit whose message may describe a fix for a software vulnerability. The search is based on a set of regular expressions applied to the commit messages only. If CVE IDs are present in a message, they are added automatically to the output.
![sample output of git-vuln-finder on the curl git repository](https://user-images.githubusercontent.com/3309/71420192-370ecc80-2674-11ea-9888-0199f552ef1d.png)
# Usage
~~~bash
usage: finder.py [-h] [-v] [-r R] [-o O] [-s S] [-p P] [-c] [-t]

Finding potential software vulnerabilities from git commit messages.

optional arguments:
  -h, --help  show this help message and exit
  -v          increase output verbosity
  -r R        git repository to analyse
  -o O        Output format: [json]
  -s S        State of the commit found
  -p P        Matching pattern to use: [vulnpatterns, cryptopatterns,
              cpatterns] - the pattern 'all' is used to match all the patterns
              at once.
  -c          output only a list of the CVE pattern found in commit messages
              (disable by default)
  -t          Include tags matching a specific commit

More info: https://github.com/cve-search/git-vuln-finder
~~~
# Patterns
git-vuln-finder ships with 3 default pattern sets, any of which can be selected to find potential vulnerabilities described in commit messages:
- `vulnpatterns` is a generic vulnerability pattern, especially targeting web applications and generic security-related commit messages. It is based on an academic paper (see References).
- `cryptopatterns` is a vulnerability pattern for cryptographic errors mentioned in commit messages.
- `cpatterns` is a set of standard vulnerability patterns commonly seen in C/C++-like languages.
## A sample partial output from Curl git repository
~~~bash
python3 finder.py -r /home/adulau/git/curl | jq .
...
  "6df916d751e72fc9a1febc07bb59c4ddd886c043": {
    "message": "loadlibrary: Only load system DLLs from the system directory\n\nInspiration provided by: Daniel Stenberg and Ray Satiro\n\nBug: https://curl.haxx.se/docs/adv_20160530.html\n\nRef: Windows DLL hijacking with curl, CVE-2016-4802\n",
    "language": "en",
    "commit-id": "6df916d751e72fc9a1febc07bb59c4ddd886c043",
    "summary": "loadlibrary: Only load system DLLs from the system directory",
    "stats": {
      "insertions": 180,
      "deletions": 8,
      "lines": 188,
      "files": 7
    },
    "author": "Steve Holme",
    "author-email": "steve_holme@hotmail.com",
    "authored_date": 1464555460,
    "committed_date": 1464588867,
    "branches": [
      "master"
    ],
    "pattern-selected": "(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|x-frame-options|attack|cross site |exploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure|security |\bcross-origin\b|unauthori[z|s]ed |infinite loop)",
    "pattern-matches": [
      "hijack"
    ],
    "origin": "git@github.com:curl/curl.git",
    "origin-github-api": "https://api.github.com/repos/curl/curl/commits/6df916d751e72fc9a1febc07bb59c4ddd886c043",
    "tags": [],
    "cve": [
      "CVE-2016-4802"
    ],
    "state": "cve-assigned"
  },
  "c2b3f264cb5210f82bdc84a3b89250a611b68dd3": {
    "message": "CONNECT_ONLY: don't close connection on GSS 401/407 reponses\n\nPreviously, connections were closed immediately before the user had a\nchance to extract the socket when the proxy required Negotiate\nauthentication.\n\nThis regression was brought in with the security fix in commit\n79b9d5f1a42578f\n\nCloses #655\n",
    "language": "en",
    "commit-id": "c2b3f264cb5210f82bdc84a3b89250a611b68dd3",
    "summary": "CONNECT_ONLY: don't close connection on GSS 401/407 reponses",
    "stats": {
      "insertions": 4,
      "deletions": 2,
      "lines": 6,
      "files": 1
    },
    "author": "Marcel Raad",
    "author-email": "raad@teamviewer.com",
    "authored_date": 1455523116,
    "committed_date": 1461704516,
    "branches": [
      "master"
    ],
    "pattern-selected": "(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|x-frame-options|attack|cross site |exploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure|security |\bcross-origin\b|unauthori[z|s]ed |infinite loop)",
    "pattern-matches": [
      "security "
    ],
    "origin": "git@github.com:curl/curl.git",
    "origin-github-api": "https://api.github.com/repos/curl/curl/commits/c2b3f264cb5210f82bdc84a3b89250a611b68dd3",
    "tags": [],
    "state": "under-review"
  },
...
~~~
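The sample above shows the three things the scan does per commit: run the selected pattern over the message, collect the matched fragments, and derive the `state` from whether a CVE ID is present (`cve-assigned`) or not (`under-review`). The following is an added example, not code from the git-vuln-finder project: it re-implements that core over a few constructed commit records (placeholder commit ids and a placeholder CVE number), using the `vulnpatterns` expression as printed above. The `language` field is filled by an injected detector and falls back to `unknown` when no detector is given, the message is blank, or the detector raises; the real tool uses `langdetect`, which is not used here.

```python
"""Added example, not git-vuln-finder's own code: the core of its commit-message
scan re-implemented over a few constructed commits."""
from __future__ import annotations

import json
import re
from typing import Callable, Optional

# The 'vulnpatterns' expression as printed in the sample output above.
VULN_PATTERN = re.compile(
    r"(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB"
    r"|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|x-frame-options|attack"
    r"|cross site |exploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b"
    r"|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure|security "
    r"|\bcross-origin\b|unauthori[z|s]ed |infinite loop)"
)
# CVE identifiers: CVE-YYYY-NNNN with four or more digits in the sequence part.
CVE_PATTERN = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed commits: ids and the CVE number are placeholders, not real data.
SAMPLE_COMMITS = [
    {
        "commit-id": "0000000000000000000000000000000000000001",
        "author": "Example Author",
        "message": "net: fix denial of service on malformed handshake\n\n"
                   "A crafted handshake record made the reader spin in an "
                   "infinite loop.\n\nFixes CVE-2099-00001\n",
    },
    {
        "commit-id": "0000000000000000000000000000000000000002",
        "author": "Example Author",
        "message": "doc: clarify security considerations for plugin loading\n\n"
                   "No code change.\n",
    },
    {
        "commit-id": "0000000000000000000000000000000000000003",
        "author": "Example Author",
        "message": "build: bump version to 2.3.1\n",
    },
]


def find_cves(message: str) -> list[str]:
    """Distinct CVE ids in order of first appearance, normalised to upper case."""
    cves: list[str] = []
    for cve in CVE_PATTERN.findall(message):
        cve = cve.upper()
        if cve not in cves:
            cves.append(cve)
    return cves


def detect_language(message: str, detector: Optional[Callable[[str], str]]) -> str:
    """Language tag for a message, or 'unknown' when there is no detector, the
    message is blank, or the detector raises. The detector is injected here
    (assumption of this example); the tool itself calls langdetect."""
    if detector is None or not message.strip():
        return "unknown"
    try:
        return detector(message)
    except Exception:  # detector libraries raise their own types; catch all
        return "unknown"


def analyse_commit(commit: dict, pattern: re.Pattern = VULN_PATTERN,
                   detector: Optional[Callable[[str], str]] = None) -> Optional[dict]:
    """Return the JSON-style record for a commit whose message matches, else None."""
    message = commit["message"]
    matches: list[str] = []
    for m in pattern.finditer(message):
        if m.group(0) not in matches:  # keep first-appearance order, no repeats
            matches.append(m.group(0))
    if not matches:
        return None
    cves = find_cves(message)
    return {
        "message": message,
        "language": detect_language(message, detector),
        "commit-id": commit["commit-id"],
        "summary": message.splitlines()[0] if message.strip() else "",
        "author": commit.get("author", ""),
        "pattern-selected": pattern.pattern,
        "pattern-matches": matches,
        "cve": cves,
        # A CVE in the message means the issue is public and already assigned;
        # otherwise the match is only a hint that still needs human review.
        "state": "cve-assigned" if cves else "under-review",
    }


def scan(commits, pattern=VULN_PATTERN, detector=None) -> dict:
    """Key the matching records by commit id, mirroring the tool's JSON output."""
    report = {}
    for commit in commits:
        record = analyse_commit(commit, pattern, detector)
        if record is not None:
            report[record["commit-id"]] = record
    return report


def cves_only(commits) -> list[str]:
    """The '-c' style view: only the CVE ids found across matching commits."""
    found: list[str] = []
    for record in scan(commits).values():
        for cve in record["cve"]:
            if cve not in found:
                found.append(cve)
    return found


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_COMMITS), indent=2))
    print(cves_only(SAMPLE_COMMITS))
```

Run as a script it prints two matching records (the third, a version bump, is dropped) followed by the single placeholder CVE. Note that the trailing spaces in alternatives such as `security ` are significant: a message ending in the word "security" with no following character does not match, which is one reason a commit can slip past the scan.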
# License and author(s)
This software is free software and licensed under the AGPL version 3.
Copyright (c) 2019 Alexandre Dulaunoy - https://github.com/adulau/
# Acknowledgment
- Thanks to [Jean-Louis Huynen](https://github.com/gallypette) for the discussions about the crypto vulnerability pattern
- Thanks to [Sebastien Tricaud](https://github.com/stricaud) for the discussions regarding native language and commit messages
# References
- [Notes](https://gist.github.com/adulau/dce5a6ca5c65017869bb01dfee576303#file-finding-vuln-git-commit-messages-md)
- https://csce.ucmss.com/cr/books/2017/LFS/CSREA2017/ICA2077.pdf (mainly using CVE referenced in the commit message) - archive (http://archive.is/xep9o)
- https://asankhaya.github.io/pdf/automated-identification-of-security-issues-from-commit-messages-and-bug-reports.pdf (2 main regexps)
# git-vuln-finder v1.1 released (Library version added) (2020-01-07) - Finding vulnerabilities in source code repositories by analysing git commit messages
![git-vuln-finder logo](https://raw.githubusercontent.com/cve-search/git-vuln-finder/f22077452c37e110bff0564e1f7b34637dc726c3/doc/logos/git-vuln-finder-small.png)
Finding potential software vulnerabilities from git commit messages. The output format is a JSON with the associated commit which could contain a fix regarding a software vulnerability. The search is based on a set of regular expressions against the commit messages only. If CVE IDs are present, those are added automatically in the output.
# Version 1.1
- Thanks to @cedricbonhomme, git-vuln-finder can now also be used as a Python library in addition to the command-line interface.
For more information, check the [website](https://cve-search.github.io/git-vuln-finder/).
# Contributing
We welcome contributions to the software, and especially additional vulnerability patterns. Every contributor will be added to the [AUTHORS file](https://raw.githubusercontent.com/cve-search/git-vuln-finder/master/AUTHORS) and collectively owns this open source software. Contributors acknowledge the [Developer Certificate of Origin](https://developercertificate.org/).
![git-vuln-finder logo](https://raw.githubusercontent.com/cve-search/git-vuln-finder/f22077452c37e110bff0564e1f7b34637dc726c3/doc/logos/git-vuln-finder-small.png)
## git-vuln-finder 1.2 released including gharchive support (2022-01-03)
### New
* [poetry] PyMISP deps added. [Alexandre Dulaunoy]
* [test] sample json file - to test MISP interaction. [Alexandre Dulaunoy]
### Changes
* [doc] update README file. [Alexandre Dulaunoy]
* [readme] output with gharchive. [David Cruciani]
* [Readme] add some example for gharchive option. [David Cruciani]
* [doc] pip3 local install. [Alexandre Dulaunoy]
* [doc] fix README for poetry installation. [Alexandre Dulaunoy]
* [python] remove a classification rejected by pypi. [Alexandre Dulaunoy]
### Fix
* [doc] typo fixed. [Alexandre Dulaunoy]
  Fix #11
### Other
* Merge pull request #12 from DavidCruciani/gharchive-inclusion. [Alexandre Dulaunoy]
  chg: [Readme] add some example for gharchive option
* Merge pull request #10 from DavidCruciani/gharchive-inclusion. [Alexandre Dulaunoy]
  gharchive process
* Gharchive process. [David Cruciani]
* Merge pull request #9 from tdunlap607/master. [Alexandre Dulaunoy]
  Update PATTERNS_PATH, resolves issue #8
* Update PATTERNS_PATH, resolves issue #8. [tdunlap607]
![git-vuln-finder logo](https://raw.githubusercontent.com/cve-search/git-vuln-finder/f22077452c37e110bff0564e1f7b34637dc726c3/doc/logos/git-vuln-finder-small.png)
[git-vuln-finder](https://github.com/cve-search/git-vuln-finder) v1.3 released - a bug-fix release.
[git-vuln-finder](https://github.com/cve-search/git-vuln-finder) is a Python tool to find potential software vulnerabilities from git commit messages. The output is a JSON document listing each commit whose message may describe a fix for a software vulnerability. The search is based on a set of regular expressions applied to the commit messages only. If CVE IDs are present in a message, they are added automatically to the output.
## v1.3 (2022-09-24)
### Changes
* [doc] usage updated. [Alexandre Dulaunoy]
### Fix
* [patterns] as reported in #16 - a typo of the typo for 'vulnerability' was not in the pattern. [Alexandre Dulaunoy]
### Other
* Merge pull request #15 from cve-search/dependabot/pip/urllib3-1.26.5. [Alexandre Dulaunoy]
  build(deps): bump urllib3 from 1.25.10 to 1.26.5
* Build(deps): bump urllib3 from 1.25.10 to 1.26.5. [dependabot[bot]]
  Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.25.10 to 1.26.5.
  - [Release notes](https://github.com/urllib3/urllib3/releases)
  - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
  - [Commits](https://github.com/urllib3/urllib3/compare/1.25.10...1.26.5)
  ---
  updated-dependencies:
  - dependency-name: urllib3
    dependency-type: indirect
  ...
* Merge pull request #14 from adulau/master. [Alexandre Dulaunoy]
  dep updates
* Merge pull request #1 from adulau/dependabot/pip/py-1.10.0. [Alexandre Dulaunoy]
  build(deps): bump py from 1.8.1 to 1.10.0
* Build(deps): bump py from 1.8.1 to 1.10.0. [dependabot[bot]]
  Bumps [py](https://github.com/pytest-dev/py) from 1.8.1 to 1.10.0.
  - [Release notes](https://github.com/pytest-dev/py/releases)
  - [Changelog](https://github.com/pytest-dev/py/blob/master/CHANGELOG.rst)
  - [Commits](https://github.com/pytest-dev/py/compare/1.8.1...1.10.0)
  ---
  updated-dependencies:
  - dependency-name: py
    dependency-type: indirect
  ...
* Merge pull request #13 from cydave/master. [Alexandre Dulaunoy]
  fix links to patterns
* Fix links to patterns. [dave]
## git-vuln-finder v1.4 released - bugs fixed for commit messages with undetected language (2022-11-27)
Finding potential software vulnerabilities from git commit messages. The output is a JSON document listing each commit whose message may describe a fix for a software vulnerability. The search is based on a set of regular expressions applied to the commit messages only. If CVE IDs are present in a message, they are added automatically to the output. The input can be any git repository or a [GH Archive source](https://www.gharchive.org/).
### Changes
* [poetry] prepare for v1.4 release. [Alexandre Dulaunoy]
* [doc] clean-up and a note about the GH Archive support. [Alexandre Dulaunoy]
### Fix
* [authors] David added. [Alexandre Dulaunoy]
### Other
* Fix #17 [main] - set language to `unknown` when langdetect cannot detect the language for some reasons like empty commit message or unknown language. [Alexandre Dulaunoy]
  Notes: langdetect exception handler seems to be crap and does not use
  a Base Exception handler. That's why the catch-all ;-)
* Create codeql.yml. [Alexandre Dulaunoy]