Commit graph

49 commits

Author SHA1 Message Date
Cédric Bonhomme 552937a7bb Make the whole thing importable in a Python code. 2020-01-06 16:29:30 +01:00
Cédric Bonhomme 73d5349b08 in place merge number of CVE found via summary function 2020-01-06 15:50:50 +01:00
Cédric Bonhomme 1460433429 it should be safe to do that 2020-01-06 08:22:37 +01:00
Cédric Bonhomme 851d8946fd '# FIXME: Is there a better way?': yes 2020-01-06 08:08:08 +01:00
Cédric Bonhomme 335bdff4cb reformat a tiny with black 2020-01-06 07:50:21 +01:00
Cédric Bonhomme a597d1e6fc fixed problem of definition of tagmap 2020-01-06 07:44:35 +01:00
Cédric Bonhomme ba558d34e4 typo 2020-01-05 13:08:57 +01:00
Cédric Bonhomme caed1e9031 deleted useless file 2020-01-04 00:17:21 +01:00
Cédric Bonhomme 031b71a7de Updated README. 2020-01-04 00:14:44 +01:00
Cédric Bonhomme c9af36b869 updated gitignore 2020-01-04 00:09:22 +01:00
Cédric Bonhomme 19d4e87430 added .gitignore 2020-01-04 00:08:30 +01:00
Cédric Bonhomme 8e0599ec09 OK, it's for GitHub pages. 2020-01-04 00:07:17 +01:00
Cédric Bonhomme 2fa7b4583e improved cli. removed useless import 2020-01-03 17:51:55 +01:00
Cédric Bonhomme fe4a656412 Updated README. 2020-01-03 17:39:56 +01:00
Cédric Bonhomme dfa15c119d Renamed command line. 2020-01-03 17:35:04 +01:00
Cédric Bonhomme 0b31bc36b2 added pyproject.toml file 2020-01-03 16:07:40 +01:00
Cédric Bonhomme dcb0fcc0a5 wip, but seems to be working as a cli 2020-01-03 16:06:33 +01:00
01cedee91d Set theme jekyll-theme-minimal 2019-12-27 11:08:22 +01:00
f845ad059a chg: [doc] logo added 2019-12-26 11:59:52 +01:00
f22077452c new: [logos] git-vuln-finder project has its own logo 2019-12-26 11:57:28 +01:00
e19606ccf6 chg: [doc] How to contribute to the project 2019-12-26 10:34:18 +01:00
58fabc104a
Merge pull request #6 from stricaud/patterns
Adding patterns to be used from external files, done this way:
2019-12-26 10:22:40 +01:00
Sebastien Tricaud
2d1cbc220f Adding patterns to be used from external files, done this way:
* Create a file in patterns/en/medium/ where there is one pattern per line
* If needed append .suffix and .prefix to prepend or append those chars to the regex (exactly those chars, don't add a newline char in the end!)
* Replicate the actual behavior, for now, only medium is being used, but later, we will add more severities and add them into the output information
2019-12-24 11:42:24 -08:00
098921df31 chg: [doc] update the README for the v1.0 release 2019-12-24 17:28:51 +01:00
5fd66b8dc6 new: [tags] add an option to list the tags associated to the commit 2019-12-24 17:17:21 +01:00
2b5e91187e
Merge pull request #5 from stricaud/langdetect
Added language detection
2019-12-24 16:27:59 +01:00
9c6bccc4ae new: [github-api] Add the API link to the GitHub commit if the git repository is from GitHub 2019-12-24 16:22:02 +01:00
Sebastien Tricaud 26edaab198 Added language detection 2019-12-24 07:16:28 -08:00
a75ecdbc87 new: [option] -c option added to output only a list of the CVE pattern found in commit messages 2019-12-24 15:38:36 +01:00
558358c44b chg: [doc] sample CVE id extraction added 2019-12-17 13:51:54 +01:00
846ee3a965
new: [cve] automatic extraction of CVE id from commit message
If one or more CVE id(s) are found in a commit message, those are added
in the finding output.

Example:

  "8c6f86c7c5350fadf22d32d6cd4712e2ad4447ba": {
    "message": "Fix an overflow bug in rsaz_512_sqr\n\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in\nexponentiation with 512-bit moduli. No EC algorithms are affected. Analysis\nsuggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a\nresult of this defect would be very difficult to perform and are not believed\nlikely. Attacks against DH512 are considered just feasible. However, for an\nattack the target would have to re-use the DH512 private key, which is not\nrecommended anyway. Also applications directly using the low level API\nBN_mod_exp may be affected if they use BN_FLG_CONSTTIME.\n\nCVE-2019-1551\n\nReviewed-by: Paul Dale <paul.dale@oracle.com>\nReviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>\n(Merged from https://github.com/openssl/openssl/pull/10574)\n",
    "commit-id": "8c6f86c7c5350fadf22d32d6cd4712e2ad4447ba",
    "summary": "Fix an overflow bug in rsaz_512_sqr",
    "stats": {
      "insertions": 197,
      "deletions": 184,
      "lines": 381,
      "files": 1
    },
    "author": "Andy Polyakov",
    "author-email": "appro@openssl.org",
    "authored_date": 1575460101,
    "committed_date": 1575635491,
    "branches": [
      "master"
    ],
    "pattern-selected": "(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|x−frame−options|attack|cross site |exploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure |security |\bcross−origin\b|unauthori[z|s]ed |infinite loop)",
    "pattern-matches": [
      "attack"
    ],
    "cve": [
      "CVE-2019-1551"
    ],
    "state": "cve-assigned"
  }

The state is also updated to cve-assigned if one or more CVE are present
in the commit message.
2019-12-17 13:37:18 +01:00
cb850efd6a chg: [cryptopatterns] remove FP with words starting with key like "keyboard" 2019-12-17 11:16:00 +01:00
615027bba2 chg: [patterns] return all the groups matches and non-matches 2019-12-17 11:10:10 +01:00
584670daf7
Merge pull request #3 from gallypette/master
chg: [cryptopatterns] two clowns using a web interface to build regexps
2019-12-17 10:55:43 +01:00
Jean-Louis Huynen 758155806a chg: [cryptopatterns] two clowns using a web interface to build regexps 2019-12-17 10:51:45 +01:00
d9ca07a277 chg: [cryptopattern] some improvements 2019-12-17 10:06:51 +01:00
f3da495533
Merge pull request #2 from gallypette/master
chg: [cryptopatterns] pimped the regex
2019-12-17 09:51:25 +01:00
Jean-Louis Huynen d0bff5a72b chg: [cryptopatterns] pimped the regex / tested 2019-12-17 09:37:43 +01:00
Jean-Louis Huynen 71020024dd chg: [cryptopatterns] pimped the regex 2019-12-17 09:28:55 +01:00
e518fd6690 chg: [doc] updated to match new output 2019-12-17 08:53:13 +01:00
2d087a7b79
new: [pattern] -p all will match all the patterns available and include
the regexp matches in the output
2019-12-17 08:45:28 +01:00
5146633989 chg: [regexp] some more crypto regexps 2019-11-15 15:20:58 +01:00
24555ffa1d chg: [doc] README fixed 2019-11-15 07:48:32 +01:00
3b9ad5c846
add: [pattern selection] regexp pattern can now be selected - 3 default patterns
A new option -p has been added to select the pattern to use.

-p P        Matching pattern to use: [vulnpatterns, cryptopatterns,
              cpatterns]

The 3 default patterns are the following:

 - A generic "vulnpatterns" which contain mainly web vulnerability and
 common vulnerability messages including CVE numbers.
 - A specific "cryptopatterns" to match potential vulnerabilities
 matching cryptographic functionalities
 - A specific "cpatterns" to match common vulnerabilities in C/C++-like
language.

cryptopatterns and cpatterns still need some more work.
2019-11-15 07:39:19 +01:00
c7de59a011 chg: [re] fixed typo in default regular expression 2019-11-04 07:27:16 +01:00
1abe154272 chg: [finder] add state of the commit found 2019-11-03 21:04:09 +01:00
bcb905cf99 chg: [regexp] fixing incorrect regexp 2019-11-03 20:45:08 +01:00
bbb1c4184b chg: [doc] clarification 2019-11-03 15:32:57 +01:00
2333b32849
new: [git-vuln-finder] Initial release of git-vuln-finder
Finding potential software vulnerabilities from git commit messages.

First release based on a set of regexp patterns (to be improved).
2019-11-03 15:26:43 +01:00