Git Vuln Finder finds potential software vulnerabilities from git commit messages. The output format is a JSON with the associated commit which could contain a fix regarding a software vulnerability. The search is based on a set of regular expressions against the commit messages only. If CVE IDs are present, those are added automatically in the output.
Requirements
jq (sudo apt install jq)
Also Read – Dsync : IDAPython Plugin That Synchronizes Disassembler & Decompiler Views
Installation
Use it as a library
git-vuln-finder can be install with poetry. If you don’t have poetry installed, you can do the following curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python
.
$ poetry install git-vuln-finder
$ poetry shell
Use it as a command line tool
$ pipx install git-vuln-finder
$ git-vuln-finder –help
You can also use pip.
pipx
installs scripts (system wide available) provided by Python packages
into separate virtualenvs to shield them from your system and each other.
Usage
Patterns
git-vuln-finder comes with 3 default patterns which can be selected to find the potential vulnerabilities described in the commit messages such as:
vulnpatterns
is a generic vulnerability pattern especially targeting web application and generic security commit message. Based on an academic paper.cryptopatterns
is a vulnerability pattern for cryptographic errors mentioned in commit messages.cpatterns
is a set of standard vulnerability patterns see for C/C++-like languages.