From 0b31bc36b2b5ea628604e57c3e0cf6e759e88f1d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bonhomme?= <cedric@cedricbonhomme.org>
Date: Fri, 3 Jan 2020 16:07:40 +0100
Subject: [PATCH] added pyproject.toml file

---
 git_vuln_finder/__init__.py                   |   6 +
 .../__pycache__/__init__.cpython-38.pyc       | Bin 0 -> 342 bytes
 .../__pycache__/finder.cpython-38.pyc         | Bin 0 -> 3427 bytes
 git_vuln_finder/finder.py                     | 164 ++++++++++
 git_vuln_finder/patterns/en/medium/c          |   4 +
 git_vuln_finder/patterns/en/medium/c.prefix   |   1 +
 git_vuln_finder/patterns/en/medium/c.suffix   |   1 +
 git_vuln_finder/patterns/en/medium/crypto     |  55 ++++
 .../patterns/en/medium/crypto.prefix          |   1 +
 .../patterns/en/medium/crypto.suffix          |   1 +
 git_vuln_finder/patterns/en/medium/vuln       |  30 ++
 .../patterns/en/medium/vuln.prefix            |   1 +
 .../patterns/en/medium/vuln.suffix            |   1 +
 poetry.lock                                   | 290 ++++++++++++++++++
 pyproject.toml                                |  59 ++++
 15 files changed, 614 insertions(+)
 create mode 100644 git_vuln_finder/__init__.py
 create mode 100644 git_vuln_finder/__pycache__/__init__.cpython-38.pyc
 create mode 100644 git_vuln_finder/__pycache__/finder.cpython-38.pyc
 create mode 100644 git_vuln_finder/finder.py
 create mode 100644 git_vuln_finder/patterns/en/medium/c
 create mode 100644 git_vuln_finder/patterns/en/medium/c.prefix
 create mode 100644 git_vuln_finder/patterns/en/medium/c.suffix
 create mode 100644 git_vuln_finder/patterns/en/medium/crypto
 create mode 100644 git_vuln_finder/patterns/en/medium/crypto.prefix
 create mode 100644 git_vuln_finder/patterns/en/medium/crypto.suffix
 create mode 100644 git_vuln_finder/patterns/en/medium/vuln
 create mode 100644 git_vuln_finder/patterns/en/medium/vuln.prefix
 create mode 100644 git_vuln_finder/patterns/en/medium/vuln.suffix
 create mode 100644 poetry.lock
 create mode 100644 pyproject.toml

diff --git a/git_vuln_finder/__init__.py b/git_vuln_finder/__init__.py
new file mode 100644
index 0000000..646d685
--- /dev/null
+++ b/git_vuln_finder/__init__.py
@@ -0,0 +1,6 @@
+
+from git_vuln_finder.finder import build_pattern
+from git_vuln_finder.finder import get_patterns
+from git_vuln_finder.finder import find_vuln
+from git_vuln_finder.finder import summary
+from git_vuln_finder.finder import extract_cve
diff --git a/git_vuln_finder/__pycache__/__init__.cpython-38.pyc b/git_vuln_finder/__pycache__/__init__.cpython-38.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..e53df7ed0268c75da6f6a5ff6cd0a14e0c253bea
GIT binary patch
literal 342
zcmYk0OAf*y5Qd>|AB{Wj(1q;*G{zI?!nk1}sRfm!R70uJBY7pauDpUPXWEz)GXH%4
z05k03ct~K)H<SGb@*7QmIbc>0HHsjDmPAuVDY66XFsEe~*kx|Z9<ax}mVIEK`M|-J
zBq7cq34O(fMwNnJb8DrkpfEm3`?odt!BJI$-<lE+!@AKrHxIy(yjznOmKQg<P69SP
zDcfG-_&}PpO9uaKToez*M+rcl#DvHw-$i!5XqgpK7*%A@31fysXI&fg{q7m(s)7<v
Vua8%>&==8^a*4C*2xLsV{R4jtRi^*|

literal 0
HcmV?d00001

diff --git a/git_vuln_finder/__pycache__/finder.cpython-38.pyc b/git_vuln_finder/__pycache__/finder.cpython-38.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..7837370a66c8681f2d6c1069e58db3b59ba91165
GIT binary patch
literal 3427
zcmZ`+&2JmI6({Fg<B{wr&WF=tYb=TYN-Mj&Xpz(~+D-G(ZM*9hNxHjLlNH7yEsZVB
z$Q;Uvl~GY3+hc(}_0k@sV}bq+{VRGRdh02-J^RxB$Qdh6fQ~#Q-<$VHzQ^}|kN$1F
z9uhn+K41OvUsnkEk0vfY4v3HN<`NAfj1Ebs>}iJ@+Ui)Qw>!4!osMIAx8tI>hTh2U
zc$6@^6EKIlUy)9Y2M3gS%>RmZLbk?gEW~JqU1AZdV-&FlTZLSm(Z{6Ke2taKUW+P^
zamjmfdSh$5pUCdXWSDjjl9X|=J&vX1BF%eL3s;YaUcdM7=Knw=NdXI9Su@J4nKiv>
zX!}~pvkR-R=X61ClbIe_3qr}~B#kI~N`6OD>kCrQxxFCw$+PvD19@leEC_S18J*)_
z7TOc;pR5f%11)E$R`IG;Txhw=RowrxiUqs<Jw=5gXa3e$@Pp*V87*G_7Y`Wu<N%D8
ztDJ1iQ{@OAGv)S%S<Y2W6T>9sx$;CVMKW%Aov88;+%@FNIv6Wk@E4t0Idd1Zqg6V!
za%M38PQ)d6>}+Rykd63uk28_<wA=OD)~;_?u7CF^O7_<HRMqz<$&hucwKw!B+(biY
zNF8d?295CZsAomAiBVu(<cZ6WeCs&tVCY~q$GL}tPRNW(GN%Pu(EH?T`s~hAduGjS
zeKd1Rl0$nzXKvw`Z#QOM;msXJ7c{?RM%IFghsU=HOS%Plg<#ePx772ejl!RM40D(;
zSa*o@k3#Xsx5B|^4h}mgeCDFB72YhIMg=VbP%8+YZ$m49);~+F1OZe8yHzkv*GkEv
zR!MJG(%)Q^-XKM7sj>b>qX<i_<6EWH*Hqju^<)h;!TM{YK-j&avq*;Xl_FZui`sh5
z<6B?gJ#G{_(Y!t3!o4EUjm~?alj*f?T9LA{TshC<;gNFl@i39f&iPmcJZ1UwL=Kca
zL?n8GkFpc4!q4L2gg+1>6Ds%>KQ$wBqRJ9n`Mqp3MkKcCo%(s^>M$9o;G9HIXPHzE
zOGK_*9ky8Bh|mM&re@>}<Fwxia(==^B2PPOm2$TiOWx1KsiLu1)rRO$E}JGsD(Z82
z9+vrs;N*AE5Jcrw#9>I+5uMjfgf<YJ0S%~w*o+Xd4RF`cHqozR)TEo1XhHX3&(>2^
zkM`pddBz}s2Ed*}1mDaqY%wS-@rkq;&;&^1FofcQO7{@q_GgO{X=&MuG;`ii2z#d>
z1+a9NK-*vFv4^qq7|2|{K#%F_r?Kn}HV?8%%62wi&dhNFMjh?Vsoie3m4|~E;Vj*e
z7HtK}%Xut%1Lco+p2vNz+_6Yfsl0<sKt{QJkxhUe`6=Kfmw;ZOJj2UduJ|4-Rep5}
zD!{Si`x=wzNaKxs_ZVs#Dh!N2fnt6Y4S|;({B9U8JMcVcOZ*sL&LY^sMO*Nbgg@{3
zTDp2PGH90@WO&aq$lw>qO8|UuNRa`x0>$a5CdP%W4`2@0Bl{&rwst<VkxO9_f^v}Y
z)>CV?GK-1`axUb)l+N5`F7uE>_AFw+g#!76xqZ-K>aYN_f-3wYPyD6u^>~9Y<n=r#
zuo4A2rGG&7n=d#j>}n|$?h<6I+2@kCVq`F1HB)5ha7ot<y>b{WISs?99|E;1oz;r7
zy5y`G&f1c`Wavvvy17gG)gJZk@%4PJ3zihtVROm93>jxht%I_c)D=)6Q0Z@l-ZwEG
zx%$=$*C63S;@|S}e7y)3^w5`Ajy%J;@`eWlJl}`bsNwrJMQzEuZg`gP*v67~W0$0j
z!n;UouN3})F0J3%n}#S`gUS9D65x#Ph;>BI8Qq?`Ti}1!px?ATkaC>wY;VWoM6)aL
zZNbM`zWs8h|H}N))U*ka%}gZyB;A~(M``vvRl&Z9)82sRVhanXKm*nUX*I2titU6c
zKc9?7F~G{rWh{|a@k9<XF^$T;%|~%ERP~bLtjhpys!{68ik_ZBUpwbRT#-1Nu2yN-
zHmR*|1LfYPm&(3fTGWPd%8_wDS9b4&Pa`z#IM0)Q%5kUATjH&&YK6a$BJRm9K9{xt
zMN%fN!7TBfw$08b`{D<B<PG?Xd=SHsF>WVJh1%-!>Lz}w<v-F=uFPaS6nFL5N#hZq
z##kzTrbToniyxV9+TA6xc-ZDB9=GZhSvuE<iTheMG*?1nu&QgDx@MfDeHE1s>l%a9
z#yFEal}S7_@WVyCpP;5CaFZ`eN%0Ufb}DCeOJ{ZAtWJ=Lephd}gR9m!GsAa~&6wGP
ze*Opz2{fXGx{9D}0NHfgv>hv?*YU2IN}_9t{;lEHFdSWNJiNMX0ueo;M{8EYD(BaQ
z`TWu7r%Sd$K<z<EUg_HrE};x9ZbG>5;#P#hQI(*b!p1eWfl@-}xFczdI=)%h7fOh=
zH@$xEvj^?pf6)H$*;DrNgYW-v);9g^S<BP)Uz(#A-@$q+{Ke1re*Ngdy}OSeC|}1$
zJRB-JX6(E!)DSvdQ;a%+8S41CtySsCyZ-wa?7!m8*U%8-1$}3%s)7F6q7Pfn-rhs8
zqlt#V|1Rf&h_h18VV<Qzmv-gJ(=j4Ie5xf-8;Gj^=I)ax4<7A3?qcw<xt5q3Zpus<
wqI!u7n=<!@rq&I1M;V(8`A>As$v4sH>%sXivK>3vh~5vI=6?oC&cZwY14^t@_y7O^

literal 0
HcmV?d00001

diff --git a/git_vuln_finder/finder.py b/git_vuln_finder/finder.py
new file mode 100644
index 0000000..184adc2
--- /dev/null
+++ b/git_vuln_finder/finder.py
@@ -0,0 +1,164 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+# Finding potential software vulnerabilities from git commit messages
+#
+# Software is free software released under the "GNU Affero General Public License v3.0"
+#
+# This software is part of cve-search.org
+#
+# Copyright (c) 2019 Alexandre Dulaunoy - a@foo.be
+
+
+import os
+import re
+import git
+import json
+import sys
+import typing
+from langdetect import detect as langdetect
+
+
+PATTERNS_PATH="./git_vuln_finder/patterns"
+
+
+def build_pattern(pattern_file):
+    fp = open(pattern_file, "r")
+    rex = ""
+    try:
+        prefix_fp = open(pattern_file + ".prefix", "r")
+        rex += prefix_fp.read()
+        prefix_fp.close()
+    except:
+        pass
+
+    for line in fp.readlines():
+        rex += line.rstrip() + "|"
+    rex = rex[:-1] # We remove the extra '|
+    fp.close()
+
+    try:
+        suffix_fp = open(pattern_file + ".suffix", "r")
+        rex += suffix_fp.read()
+        suffix_fp.close()
+    except:
+        pass
+
+    return rex
+
+
+def get_patterns(patterns_path=PATTERNS_PATH):
+    patterns = {}
+    for root, dirs, files in os.walk(patterns_path):
+        path = root.split(os.sep)
+        for f in files:
+            if f.endswith(".prefix") or f.endswith(".suffix"):
+                continue
+            npath = root[len(patterns_path):].split(os.sep)
+            try:
+                npath.remove('')
+            except ValueError:
+                pass
+
+            lang = npath[0]
+            severity = npath[1]
+            pattern_category = f
+
+            try: # FIXME: Is there a better way?
+                a = patterns[lang]
+            except KeyError:
+                patterns[lang] = {}
+            try:
+                a = patterns[lang][severity]
+            except KeyError:
+                patterns[lang][severity] = {}
+            try:
+                a = patterns[lang][severity][pattern_category]
+            except KeyError:
+                rex = build_pattern(root + os.sep + f)
+                patterns[lang][severity][pattern_category] = re.compile(rex)
+
+    return patterns
+
+
+def find_vuln(commit, pattern, versbose=False):
+    m = pattern.search(commit.message)
+    if m:
+        if versbose:
+            print("Match found: {}".format(m.group(0)), file=sys.stderr)
+            print(commit.message, file=sys.stderr)
+            print("---", file=sys.stderr)
+        ret = {}
+        ret['commit'] = commit
+        ret['match'] = m.groups()
+        return ret
+    else:
+        return None
+
+
+def summary(commit,
+            branch,
+            pattern,
+            origin=None,
+            vuln_match=None,
+            tags_matching=False,
+            commit_state="under-review"
+):
+    potential_vulnerabilities = {}
+    rcommit = commit
+    cve = extract_cve(rcommit.message)
+    if origin is not None:
+        origin = origin
+        if origin.find('github.com'):
+            origin_github_api = origin.split(':')[1]
+            (org_name, repo_name) = origin_github_api.split('/', 1)
+            if repo_name.find('.git$'):
+                repo_name = re.sub(r".git$","", repo_name)
+            origin_github_api = 'https://api.github.com/repos/{}/{}/commits/{}'.format(org_name, repo_name, rcommit.hexsha)
+
+    else:
+        origin = 'git origin unknown'
+    # deduplication if similar commits on different branches
+    if rcommit.hexsha in potential_vulnerabilities:
+       potential_vulnerabilities[rcommit.hexsha]['branches'].append(branch)
+    else:
+        potential_vulnerabilities[rcommit.hexsha] = {}
+        potential_vulnerabilities[rcommit.hexsha]['message'] = rcommit.message
+        potential_vulnerabilities[rcommit.hexsha]['language'] = langdetect(rcommit.message)
+        potential_vulnerabilities[rcommit.hexsha]['commit-id'] = rcommit.hexsha
+        potential_vulnerabilities[rcommit.hexsha]['summary'] = rcommit.summary
+        potential_vulnerabilities[rcommit.hexsha]['stats'] = rcommit.stats.total
+        potential_vulnerabilities[rcommit.hexsha]['author'] = rcommit.author.name
+        potential_vulnerabilities[rcommit.hexsha]['author-email'] = rcommit.author.email
+        potential_vulnerabilities[rcommit.hexsha]['authored_date'] = rcommit.authored_date
+        potential_vulnerabilities[rcommit.hexsha]['committed_date'] = rcommit.committed_date
+        potential_vulnerabilities[rcommit.hexsha]['branches'] = []
+        potential_vulnerabilities[rcommit.hexsha]['branches'].append(branch)
+        potential_vulnerabilities[rcommit.hexsha]['pattern-selected'] = pattern.pattern
+        potential_vulnerabilities[rcommit.hexsha]['pattern-matches'] = vuln_match
+        potential_vulnerabilities[rcommit.hexsha]['origin'] = origin
+        if origin_github_api:
+            potential_vulnerabilities[commit.hexsha]['origin-github-api'] = origin_github_api
+        potential_vulnerabilities[rcommit.hexsha]['tags'] = []
+        if tags_matching:
+            if repo.commit(rcommit).hexsha in tagmap:
+                potential_vulnerabilities[rcommit.hexsha]['tags'] = tagmap[repo.commit(rcommit).hexsha]
+        if cve: potential_vulnerabilities[rcommit.hexsha]['cve'] = cve
+        if cve:
+            potential_vulnerabilities[rcommit.hexsha]['state'] = "cve-assigned"
+        else:
+            potential_vulnerabilities[rcommit.hexsha]['state'] = commit_state
+
+    return rcommit.hexsha, potential_vulnerabilities
+
+
+def extract_cve(commit):
+    cve_found = set()
+    cve_find = re.compile(r'CVE-[1-2]\d{1,4}-\d{1,7}', re.IGNORECASE)
+    m = cve_find.findall(commit)
+    if m:
+        for v in m:
+            cve_found.add(v)
+        return m
+    else:
+        return None
diff --git a/git_vuln_finder/patterns/en/medium/c b/git_vuln_finder/patterns/en/medium/c
new file mode 100644
index 0000000..42d4a36
--- /dev/null
+++ b/git_vuln_finder/patterns/en/medium/c
@@ -0,0 +1,4 @@
+double[-| ]free
+buffer overflow
+double free
+race[-| ]condition
diff --git a/git_vuln_finder/patterns/en/medium/c.prefix b/git_vuln_finder/patterns/en/medium/c.prefix
new file mode 100644
index 0000000..4a45df8
--- /dev/null
+++ b/git_vuln_finder/patterns/en/medium/c.prefix
@@ -0,0 +1 @@
+(?i)(
\ No newline at end of file
diff --git a/git_vuln_finder/patterns/en/medium/c.suffix b/git_vuln_finder/patterns/en/medium/c.suffix
new file mode 100644
index 0000000..e8a0f87
--- /dev/null
+++ b/git_vuln_finder/patterns/en/medium/c.suffix
@@ -0,0 +1 @@
+)
\ No newline at end of file
diff --git a/git_vuln_finder/patterns/en/medium/crypto b/git_vuln_finder/patterns/en/medium/crypto
new file mode 100644
index 0000000..b24e6c2
--- /dev/null
+++ b/git_vuln_finder/patterns/en/medium/crypto
@@ -0,0 +1,55 @@
+assessment
+lack of
+bad
+vulnerable
+missing
+unproper
+unsuitable
+breakable
+broken
+weak
+incorrect
+replace
+assessment
+pen([\s-]?)test
+pentest
+penetration([\s-]?)test
+report
+vulnerablity
+replace
+fix
+issue
+fixes
+add
+remove
+check){s1,}
+ (crypto
+cryptographic
+cryptography
+encipherement
+encryption
+ciphers
+cipher
+AES
+DES
+3DES
+cipher
+GPG
+PGP
+OpenSSL
+SSH
+wireguard
+VPN
+CBC
+ECB
+CTR
+key[.|,|\s]
+private([\s-]?)key
+public([\s-]?)key size
+length
+strenght
+generation
+randomness
+entropy
+prng
+rng
diff --git a/git_vuln_finder/patterns/en/medium/crypto.prefix b/git_vuln_finder/patterns/en/medium/crypto.prefix
new file mode 100644
index 0000000..f5b5f62
--- /dev/null
+++ b/git_vuln_finder/patterns/en/medium/crypto.prefix
@@ -0,0 +1 @@
+.*(
\ No newline at end of file
diff --git a/git_vuln_finder/patterns/en/medium/crypto.suffix b/git_vuln_finder/patterns/en/medium/crypto.suffix
new file mode 100644
index 0000000..12953cd
--- /dev/null
+++ b/git_vuln_finder/patterns/en/medium/crypto.suffix
@@ -0,0 +1 @@
+){1,}
\ No newline at end of file
diff --git a/git_vuln_finder/patterns/en/medium/vuln b/git_vuln_finder/patterns/en/medium/vuln
new file mode 100644
index 0000000..db3ca53
--- /dev/null
+++ b/git_vuln_finder/patterns/en/medium/vuln
@@ -0,0 +1,30 @@
+denial of service 
+\bXXE\b
+remote code execution
+\bopen redirect
+OSVDB
+\bvuln
+\bCVE\b
+\bXSS\b
+\bReDoS\b
+\bNVD\b
+malicious
+x−frame−options
+attack
+cross site 
+exploit
+malicious
+directory traversal 
+\bRCE\b
+\bdos\b
+\bXSRF \b
+\bXSS\b
+clickjack
+session.fixation
+hijack
+\badvisory
+\binsecure 
+security 
+\bcross−origin\b
+unauthori[z|s]ed 
+infinite loop
\ No newline at end of file
diff --git a/git_vuln_finder/patterns/en/medium/vuln.prefix b/git_vuln_finder/patterns/en/medium/vuln.prefix
new file mode 100644
index 0000000..4a45df8
--- /dev/null
+++ b/git_vuln_finder/patterns/en/medium/vuln.prefix
@@ -0,0 +1 @@
+(?i)(
\ No newline at end of file
diff --git a/git_vuln_finder/patterns/en/medium/vuln.suffix b/git_vuln_finder/patterns/en/medium/vuln.suffix
new file mode 100644
index 0000000..e8a0f87
--- /dev/null
+++ b/git_vuln_finder/patterns/en/medium/vuln.suffix
@@ -0,0 +1 @@
+)
\ No newline at end of file
diff --git a/poetry.lock b/poetry.lock
new file mode 100644
index 0000000..02cd4ef
--- /dev/null
+++ b/poetry.lock
@@ -0,0 +1,290 @@
+[[package]]
+category = "dev"
+description = "Code coverage measurement for Python"
+name = "coverage"
+optional = false
+python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, <4"
+version = "5.0.1"
+
+[package.extras]
+toml = ["toml"]
+
+[[package]]
+category = "dev"
+description = "Discover and load entry points from installed packages."
+name = "entrypoints"
+optional = false
+python-versions = ">=2.7"
+version = "0.3"
+
+[[package]]
+category = "dev"
+description = "the modular source code checker: pep8, pyflakes and co"
+name = "flake8"
+optional = false
+python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*"
+version = "3.7.9"
+
+[package.dependencies]
+entrypoints = ">=0.3.0,<0.4.0"
+mccabe = ">=0.6.0,<0.7.0"
+pycodestyle = ">=2.5.0,<2.6.0"
+pyflakes = ">=2.1.0,<2.2.0"
+
+[[package]]
+category = "main"
+description = "Git Object Database"
+name = "gitdb2"
+optional = false
+python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*"
+version = "2.0.6"
+
+[package.dependencies]
+smmap2 = ">=2.0.0"
+
+[[package]]
+category = "main"
+description = "Python Git Library"
+name = "gitpython"
+optional = false
+python-versions = ">=3.0, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*"
+version = "3.0.5"
+
+[package.dependencies]
+gitdb2 = ">=2.0.0"
+
+[[package]]
+category = "main"
+description = "Language detection library ported from Google's language-detection."
+name = "langdetect"
+optional = false
+python-versions = "*"
+version = "1.0.7"
+
+[package.dependencies]
+six = "*"
+
+[[package]]
+category = "dev"
+description = "McCabe checker, plugin for flake8"
+name = "mccabe"
+optional = false
+python-versions = "*"
+version = "0.6.1"
+
+[[package]]
+category = "dev"
+description = "Optional static typing for Python"
+name = "mypy"
+optional = false
+python-versions = ">=3.5"
+version = "0.750"
+
+[package.dependencies]
+mypy-extensions = ">=0.4.0,<0.5.0"
+typed-ast = ">=1.4.0,<1.5.0"
+typing-extensions = ">=3.7.4"
+
+[package.extras]
+dmypy = ["psutil (>=4.0)"]
+
+[[package]]
+category = "dev"
+description = "Experimental type system extensions for programs checked with the mypy typechecker."
+name = "mypy-extensions"
+optional = false
+python-versions = "*"
+version = "0.4.3"
+
+[[package]]
+category = "dev"
+description = "unittest2 with plugins, the succesor to nose"
+name = "nose2"
+optional = false
+python-versions = "*"
+version = "0.9.1"
+
+[package.dependencies]
+coverage = ">=4.4.1"
+six = ">=1.7"
+
+[package.extras]
+coverage_plugin = ["coverage (>=4.4.1)"]
+doc = ["Sphinx (>=1.6.5)", "sphinx-rtd-theme", "mock"]
+
+[[package]]
+category = "dev"
+description = "Python style guide checker"
+name = "pycodestyle"
+optional = false
+python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*"
+version = "2.5.0"
+
+[[package]]
+category = "dev"
+description = "passive checker of Python programs"
+name = "pyflakes"
+optional = false
+python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*"
+version = "2.1.1"
+
+[[package]]
+category = "main"
+description = "Python 2 and 3 compatibility utilities"
+name = "six"
+optional = false
+python-versions = ">=2.6, !=3.0.*, !=3.1.*"
+version = "1.13.0"
+
+[[package]]
+category = "main"
+description = "A pure Python implementation of a sliding window memory map manager"
+name = "smmap2"
+optional = false
+python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*"
+version = "2.0.5"
+
+[[package]]
+category = "dev"
+description = "a fork of Python 2 and 3 ast modules with type comment support"
+name = "typed-ast"
+optional = false
+python-versions = "*"
+version = "1.4.0"
+
+[[package]]
+category = "dev"
+description = "Backported and Experimental Type Hints for Python 3.5+"
+name = "typing-extensions"
+optional = false
+python-versions = "*"
+version = "3.7.4.1"
+
+[metadata]
+content-hash = "4fd05852a9f3844298b1c0dbc4ab61ddbb77f4a42602c42982e19e531a7883d6"
+python-versions = "^3.6"
+
+[metadata.files]
+coverage = [
+    {file = "coverage-5.0.1-cp27-cp27m-macosx_10_12_x86_64.whl", hash = "sha256:c90bda74e16bcd03861b09b1d37c0a4158feda5d5a036bb2d6e58de6ff65793e"},
+    {file = "coverage-5.0.1-cp27-cp27m-macosx_10_13_intel.whl", hash = "sha256:bb3d29df5d07d5399d58a394d0ef50adf303ab4fbf66dfd25b9ef258effcb692"},
+    {file = "coverage-5.0.1-cp27-cp27m-manylinux1_i686.whl", hash = "sha256:1ca43dbd739c0fc30b0a3637a003a0d2c7edc1dd618359d58cc1e211742f8bd1"},
+    {file = "coverage-5.0.1-cp27-cp27m-manylinux1_x86_64.whl", hash = "sha256:591506e088901bdc25620c37aec885e82cc896528f28c57e113751e3471fc314"},
+    {file = "coverage-5.0.1-cp27-cp27m-win32.whl", hash = "sha256:a50b0888d8a021a3342d36a6086501e30de7d840ab68fca44913e97d14487dc1"},
+    {file = "coverage-5.0.1-cp27-cp27m-win_amd64.whl", hash = "sha256:c792d3707a86c01c02607ae74364854220fb3e82735f631cd0a345dea6b4cee5"},
+    {file = "coverage-5.0.1-cp27-cp27mu-manylinux1_i686.whl", hash = "sha256:f425f50a6dd807cb9043d15a4fcfba3b5874a54d9587ccbb748899f70dc18c47"},
+    {file = "coverage-5.0.1-cp27-cp27mu-manylinux1_x86_64.whl", hash = "sha256:25b8f60b5c7da71e64c18888f3067d5b6f1334b9681876b2fb41eea26de881ae"},
+    {file = "coverage-5.0.1-cp35-cp35m-macosx_10_12_x86_64.whl", hash = "sha256:7362a7f829feda10c7265b553455de596b83d1623b3d436b6d3c51c688c57bf6"},
+    {file = "coverage-5.0.1-cp35-cp35m-manylinux1_i686.whl", hash = "sha256:fcd4459fe35a400b8f416bc57906862693c9f88b66dc925e7f2a933e77f6b18b"},
+    {file = "coverage-5.0.1-cp35-cp35m-manylinux1_x86_64.whl", hash = "sha256:40fbfd6b044c9db13aeec1daf5887d322c710d811f944011757526ef6e323fd9"},
+    {file = "coverage-5.0.1-cp35-cp35m-win32.whl", hash = "sha256:7f2675750c50151f806070ec11258edf4c328340916c53bac0adbc465abd6b1e"},
+    {file = "coverage-5.0.1-cp35-cp35m-win_amd64.whl", hash = "sha256:24bcfa86fd9ce86b73a8368383c39d919c497a06eebb888b6f0c12f13e920b1a"},
+    {file = "coverage-5.0.1-cp36-cp36m-macosx_10_13_x86_64.whl", hash = "sha256:eeafb646f374988c22c8e6da5ab9fb81367ecfe81c70c292623373d2a021b1a1"},
+    {file = "coverage-5.0.1-cp36-cp36m-manylinux1_i686.whl", hash = "sha256:2ca2cd5264e84b2cafc73f0045437f70c6378c0d7dbcddc9ee3fe192c1e29e5d"},
+    {file = "coverage-5.0.1-cp36-cp36m-manylinux1_x86_64.whl", hash = "sha256:2cc707fc9aad2592fc686d63ef72dc0031fc98b6fb921d2f5395d9ab84fbc3ef"},
+    {file = "coverage-5.0.1-cp36-cp36m-win32.whl", hash = "sha256:04b961862334687549eb91cd5178a6fbe977ad365bddc7c60f2227f2f9880cf4"},
+    {file = "coverage-5.0.1-cp36-cp36m-win_amd64.whl", hash = "sha256:232f0b52a5b978288f0bbc282a6c03fe48cd19a04202df44309919c142b3bb9c"},
+    {file = "coverage-5.0.1-cp37-cp37m-macosx_10_13_x86_64.whl", hash = "sha256:cfce79ce41cc1a1dc7fc85bb41eeeb32d34a4cf39a645c717c0550287e30ff06"},
+    {file = "coverage-5.0.1-cp37-cp37m-manylinux1_i686.whl", hash = "sha256:46c9c6a1d1190c0b75ec7c0f339088309952b82ae8d67a79ff1319eb4e749b96"},
+    {file = "coverage-5.0.1-cp37-cp37m-manylinux1_x86_64.whl", hash = "sha256:1cbb88b34187bdb841f2599770b7e6ff8e259dc3bb64fc7893acf44998acf5f8"},
+    {file = "coverage-5.0.1-cp37-cp37m-win32.whl", hash = "sha256:ff3936dd5feaefb4f91c8c1f50a06c588b5dc69fba4f7d9c79a6617ad80bb7df"},
+    {file = "coverage-5.0.1-cp37-cp37m-win_amd64.whl", hash = "sha256:65bead1ac8c8930cf92a1ccaedcce19a57298547d5d1db5c9d4d068a0675c38b"},
+    {file = "coverage-5.0.1-cp38-cp38-macosx_10_13_x86_64.whl", hash = "sha256:348630edea485f4228233c2f310a598abf8afa5f8c716c02a9698089687b6085"},
+    {file = "coverage-5.0.1-cp38-cp38-manylinux1_i686.whl", hash = "sha256:960d7f42277391e8b1c0b0ae427a214e1b31a1278de6b73f8807b20c2e913bba"},
+    {file = "coverage-5.0.1-cp38-cp38-manylinux1_x86_64.whl", hash = "sha256:0101888bd1592a20ccadae081ba10e8b204d20235d18d05c6f7d5e904a38fc10"},
+    {file = "coverage-5.0.1-cp38-cp38m-win32.whl", hash = "sha256:c0fff2733f7c2950f58a4fd09b5db257b00c6fec57bf3f68c5bae004d804b407"},
+    {file = "coverage-5.0.1-cp38-cp38m-win_amd64.whl", hash = "sha256:5f622f19abda4e934938e24f1d67599249abc201844933a6f01aaa8663094489"},
+    {file = "coverage-5.0.1-cp39-cp39m-win32.whl", hash = "sha256:2714160a63da18aed9340c70ed514973971ee7e665e6b336917ff4cca81a25b1"},
+    {file = "coverage-5.0.1-cp39-cp39m-win_amd64.whl", hash = "sha256:b7dbc5e8c39ea3ad3db22715f1b5401cd698a621218680c6daf42c2f9d36e205"},
+    {file = "coverage-5.0.1.tar.gz", hash = "sha256:5ac71bba1e07eab403b082c4428f868c1c9e26a21041436b4905c4c3d4e49b08"},
+]
+entrypoints = [
+    {file = "entrypoints-0.3-py2.py3-none-any.whl", hash = "sha256:589f874b313739ad35be6e0cd7efde2a4e9b6fea91edcc34e58ecbb8dbe56d19"},
+    {file = "entrypoints-0.3.tar.gz", hash = "sha256:c70dd71abe5a8c85e55e12c19bd91ccfeec11a6e99044204511f9ed547d48451"},
+]
+flake8 = [
+    {file = "flake8-3.7.9-py2.py3-none-any.whl", hash = "sha256:49356e766643ad15072a789a20915d3c91dc89fd313ccd71802303fd67e4deca"},
+    {file = "flake8-3.7.9.tar.gz", hash = "sha256:45681a117ecc81e870cbf1262835ae4af5e7a8b08e40b944a8a6e6b895914cfb"},
+]
+gitdb2 = [
+    {file = "gitdb2-2.0.6-py2.py3-none-any.whl", hash = "sha256:96bbb507d765a7f51eb802554a9cfe194a174582f772e0d89f4e87288c288b7b"},
+    {file = "gitdb2-2.0.6.tar.gz", hash = "sha256:1b6df1433567a51a4a9c1a5a0de977aa351a405cc56d7d35f3388bad1f630350"},
+]
+gitpython = [
+    {file = "GitPython-3.0.5-py3-none-any.whl", hash = "sha256:c155c6a2653593ccb300462f6ef533583a913e17857cfef8fc617c246b6dc245"},
+    {file = "GitPython-3.0.5.tar.gz", hash = "sha256:9c2398ffc3dcb3c40b27324b316f08a4f93ad646d5a6328cafbb871aa79f5e42"},
+]
+langdetect = [
+    {file = "langdetect-1.0.7.zip", hash = "sha256:91a170d5f0ade380db809b3ba67f08e95fe6c6c8641f96d67a51ff7e98a9bf30"},
+]
+mccabe = [
+    {file = "mccabe-0.6.1-py2.py3-none-any.whl", hash = "sha256:ab8a6258860da4b6677da4bd2fe5dc2c659cff31b3ee4f7f5d64e79735b80d42"},
+    {file = "mccabe-0.6.1.tar.gz", hash = "sha256:dd8d182285a0fe56bace7f45b5e7d1a6ebcbf524e8f3bd87eb0f125271b8831f"},
+]
+mypy = [
+    {file = "mypy-0.750-cp35-cp35m-macosx_10_6_x86_64.whl", hash = "sha256:de9ec8dba773b78c49e7bec9a35c9b6fc5235682ad1fc2105752ae7c22f4b931"},
+    {file = "mypy-0.750-cp35-cp35m-manylinux1_x86_64.whl", hash = "sha256:3294821b5840d51a3cd7a2bb63b40fc3f901f6a3cfb3c6046570749c4c7ef279"},
+    {file = "mypy-0.750-cp35-cp35m-win_amd64.whl", hash = "sha256:6992133c95a2847d309b4b0c899d7054adc60481df6f6b52bb7dee3d5fd157f7"},
+    {file = "mypy-0.750-cp36-cp36m-macosx_10_6_x86_64.whl", hash = "sha256:41696a7d912ce16fdc7c141d87e8db5144d4be664a0c699a2b417d393994b0c2"},
+    {file = "mypy-0.750-cp36-cp36m-manylinux1_x86_64.whl", hash = "sha256:c87ac7233c629f305602f563db07f5221950fe34fe30af072ac838fa85395f78"},
+    {file = "mypy-0.750-cp36-cp36m-win_amd64.whl", hash = "sha256:83fa87f556e60782c0fc3df1b37b7b4a840314ba1ac27f3e1a1e10cb37c89c17"},
+    {file = "mypy-0.750-cp37-cp37m-macosx_10_6_x86_64.whl", hash = "sha256:30e123b24931f02c5d99307406658ac8f9cd6746f0d45a3dcac2fe5fbdd60939"},
+    {file = "mypy-0.750-cp37-cp37m-manylinux1_x86_64.whl", hash = "sha256:02d9bdd3398b636723ecb6c5cfe9773025a9ab7f34612c1cde5c7f2292e2d768"},
+    {file = "mypy-0.750-cp37-cp37m-win_amd64.whl", hash = "sha256:088f758a50af31cf8b42688118077292370c90c89232c783ba7979f39ea16646"},
+    {file = "mypy-0.750-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:4f42675fa278f3913340bb8c3371d191319704437758d7c4a8440346c293ecb2"},
+    {file = "mypy-0.750-cp38-cp38-manylinux1_x86_64.whl", hash = "sha256:f385a0accf353ca1bca4bbf473b9d83ed18d923fdb809d3a70a385da23e25b6a"},
+    {file = "mypy-0.750-cp38-cp38-win_amd64.whl", hash = "sha256:54d205ccce6ed930a8a2ccf48404896d456e8b87812e491cb907a355b1a9c640"},
+    {file = "mypy-0.750-py3-none-any.whl", hash = "sha256:28e9fbc96d13397a7ddb7fad7b14f373f91b5cff538e0772e77c270468df083c"},
+    {file = "mypy-0.750.tar.gz", hash = "sha256:6ecbd0e8e371333027abca0922b0c2c632a5b4739a0c61ffbd0733391e39144c"},
+]
+mypy-extensions = [
+    {file = "mypy_extensions-0.4.3-py2.py3-none-any.whl", hash = "sha256:090fedd75945a69ae91ce1303b5824f428daf5a028d2f6ab8a299250a846f15d"},
+    {file = "mypy_extensions-0.4.3.tar.gz", hash = "sha256:2d82818f5bb3e369420cb3c4060a7970edba416647068eb4c5343488a6c604a8"},
+]
+nose2 = [
+    {file = "nose2-0.9.1-py2.py3-none-any.whl", hash = "sha256:31d8beb00aed3ccc6efb1742bb90227d883e471715188249f594310676e0ef0e"},
+    {file = "nose2-0.9.1.tar.gz", hash = "sha256:0ede156fd7974fa40893edeca0b709f402c0ccacd7b81b22e76f73c116d1b999"},
+]
+pycodestyle = [
+    {file = "pycodestyle-2.5.0-py2.py3-none-any.whl", hash = "sha256:95a2219d12372f05704562a14ec30bc76b05a5b297b21a5dfe3f6fac3491ae56"},
+    {file = "pycodestyle-2.5.0.tar.gz", hash = "sha256:e40a936c9a450ad81df37f549d676d127b1b66000a6c500caa2b085bc0ca976c"},
+]
+pyflakes = [
+    {file = "pyflakes-2.1.1-py2.py3-none-any.whl", hash = "sha256:17dbeb2e3f4d772725c777fabc446d5634d1038f234e77343108ce445ea69ce0"},
+    {file = "pyflakes-2.1.1.tar.gz", hash = "sha256:d976835886f8c5b31d47970ed689944a0262b5f3afa00a5a7b4dc81e5449f8a2"},
+]
+six = [
+    {file = "six-1.13.0-py2.py3-none-any.whl", hash = "sha256:1f1b7d42e254082a9db6279deae68afb421ceba6158efa6131de7b3003ee93fd"},
+    {file = "six-1.13.0.tar.gz", hash = "sha256:30f610279e8b2578cab6db20741130331735c781b56053c59c4076da27f06b66"},
+]
+smmap2 = [
+    {file = "smmap2-2.0.5-py2.py3-none-any.whl", hash = "sha256:0555a7bf4df71d1ef4218e4807bbf9b201f910174e6e08af2e138d4e517b4dde"},
+    {file = "smmap2-2.0.5.tar.gz", hash = "sha256:29a9ffa0497e7f2be94ca0ed1ca1aa3cd4cf25a1f6b4f5f87f74b46ed91d609a"},
+]
+typed-ast = [
+    {file = "typed_ast-1.4.0-cp35-cp35m-manylinux1_i686.whl", hash = "sha256:262c247a82d005e43b5b7f69aff746370538e176131c32dda9cb0f324d27141e"},
+    {file = "typed_ast-1.4.0-cp35-cp35m-manylinux1_x86_64.whl", hash = "sha256:71211d26ffd12d63a83e079ff258ac9d56a1376a25bc80b1cdcdf601b855b90b"},
+    {file = "typed_ast-1.4.0-cp35-cp35m-win32.whl", hash = "sha256:630968c5cdee51a11c05a30453f8cd65e0cc1d2ad0d9192819df9978984529f4"},
+    {file = "typed_ast-1.4.0-cp35-cp35m-win_amd64.whl", hash = "sha256:ffde2fbfad571af120fcbfbbc61c72469e72f550d676c3342492a9dfdefb8f12"},
+    {file = "typed_ast-1.4.0-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:4e0b70c6fc4d010f8107726af5fd37921b666f5b31d9331f0bd24ad9a088e631"},
+    {file = "typed_ast-1.4.0-cp36-cp36m-manylinux1_i686.whl", hash = "sha256:bc6c7d3fa1325a0c6613512a093bc2a2a15aeec350451cbdf9e1d4bffe3e3233"},
+    {file = "typed_ast-1.4.0-cp36-cp36m-manylinux1_x86_64.whl", hash = "sha256:cc34a6f5b426748a507dd5d1de4c1978f2eb5626d51326e43280941206c209e1"},
+    {file = "typed_ast-1.4.0-cp36-cp36m-win32.whl", hash = "sha256:d896919306dd0aa22d0132f62a1b78d11aaf4c9fc5b3410d3c666b818191630a"},
+    {file = "typed_ast-1.4.0-cp36-cp36m-win_amd64.whl", hash = "sha256:354c16e5babd09f5cb0ee000d54cfa38401d8b8891eefa878ac772f827181a3c"},
+    {file = "typed_ast-1.4.0-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:95bd11af7eafc16e829af2d3df510cecfd4387f6453355188342c3e79a2ec87a"},
+    {file = "typed_ast-1.4.0-cp37-cp37m-manylinux1_i686.whl", hash = "sha256:18511a0b3e7922276346bcb47e2ef9f38fb90fd31cb9223eed42c85d1312344e"},
+    {file = "typed_ast-1.4.0-cp37-cp37m-manylinux1_x86_64.whl", hash = "sha256:d7c45933b1bdfaf9f36c579671fec15d25b06c8398f113dab64c18ed1adda01d"},
+    {file = "typed_ast-1.4.0-cp37-cp37m-win32.whl", hash = "sha256:d755f03c1e4a51e9b24d899561fec4ccaf51f210d52abdf8c07ee2849b212a36"},
+    {file = "typed_ast-1.4.0-cp37-cp37m-win_amd64.whl", hash = "sha256:2b907eb046d049bcd9892e3076c7a6456c93a25bebfe554e931620c90e6a25b0"},
+    {file = "typed_ast-1.4.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:fdc1c9bbf79510b76408840e009ed65958feba92a88833cdceecff93ae8fff66"},
+    {file = "typed_ast-1.4.0-cp38-cp38-manylinux1_i686.whl", hash = "sha256:7954560051331d003b4e2b3eb822d9dd2e376fa4f6d98fee32f452f52dd6ebb2"},
+    {file = "typed_ast-1.4.0-cp38-cp38-manylinux1_x86_64.whl", hash = "sha256:48e5b1e71f25cfdef98b013263a88d7145879fbb2d5185f2a0c79fa7ebbeae47"},
+    {file = "typed_ast-1.4.0-cp38-cp38-win32.whl", hash = "sha256:1170afa46a3799e18b4c977777ce137bb53c7485379d9706af8a59f2ea1aa161"},
+    {file = "typed_ast-1.4.0-cp38-cp38-win_amd64.whl", hash = "sha256:838997f4310012cf2e1ad3803bce2f3402e9ffb71ded61b5ee22617b3a7f6b6e"},
+    {file = "typed_ast-1.4.0.tar.gz", hash = "sha256:66480f95b8167c9c5c5c87f32cf437d585937970f3fc24386f313a4c97b44e34"},
+]
+typing-extensions = [
+    {file = "typing_extensions-3.7.4.1-py2-none-any.whl", hash = "sha256:910f4656f54de5993ad9304959ce9bb903f90aadc7c67a0bef07e678014e892d"},
+    {file = "typing_extensions-3.7.4.1-py3-none-any.whl", hash = "sha256:cf8b63fedea4d89bab840ecbb93e75578af28f76f66c35889bd7065f5af88575"},
+    {file = "typing_extensions-3.7.4.1.tar.gz", hash = "sha256:091ecc894d5e908ac75209f10d5b4f118fbdb2eb1ede6a63544054bb1edb41f2"},
+]
diff --git a/pyproject.toml b/pyproject.toml
new file mode 100644
index 0000000..d68b00e
--- /dev/null
+++ b/pyproject.toml
@@ -0,0 +1,59 @@
+[tool.poetry]
+name = "git-vuln-finder"
+version = "1.0.0"
+description = "Finding potential software vulnerabilities from git commit messages."
+authors = [
+    "Alexandre Dulaunoy <a@foo.be>"
+]
+license = "GPL-3.0-or-later"
+
+readme = "README.md"
+
+homepage = "https://github.com/cve-search/git-vuln-finder"
+repository = "https://github.com/cve-search/git-vuln-finder"
+documentation = ""
+
+keywords = [
+    "git",
+    "cve",
+    "scanner",
+    "cve-search",
+    "cve-scanning",
+    "software-vulnerability",
+    "software-vulnerabilities"
+]
+
+classifiers = [
+    "Development Status :: 5 - Production/Stable",
+    "Environment :: Console",
+    "Intended Audience :: Developers",
+    "Intended Audience :: Science/Research",
+    "Topic :: Security",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3.7",
+    "Programming Language :: Python :: 3.8",
+    "License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)"
+]
+
+include = [
+    "AUTHORS",
+    "COPYING",
+    "bin/*"
+]
+
+[tool.poetry.scripts]
+finder = "bin.finder:main"
+
+[tool.poetry.dependencies]
+python = "^3.6"
+langdetect = "^1.0.7"
+gitpython = "^3.0.5"
+
+[tool.poetry.dev-dependencies]
+mypy = "^0.750"
+flake8 = "^3.7.9"
+nose2 = "^0.9.1"
+
+[build-system]
+requires = ["poetry>=0.12"]
+build-backend = "poetry.masonry.api"