Git Vuln Finder finds potential software vulnerabilities from git commit messages. The output is JSON listing each matching commit, which may contain a fix for a software vulnerability. The search is based on a set of regular expressions run against the commit messages only (not the diffs), so the results are candidates for review, not confirmed vulnerabilities. If CVE IDs are present in a message, they are added automatically to the output.
Requirements
jq (sudo apt install jq)
Use it as a library
git-vuln-finder can be installed with poetry. If you don't have poetry installed, you can bootstrap it with:
$ curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python
Piping a remote script straight into an interpreter runs it unreviewed; download it first and read it before executing if that matters in your environment.
Then, inside your poetry project, add git-vuln-finder as a dependency and enter the project's virtualenv:
$ poetry add git-vuln-finder
$ poetry shell
Use it as a command line tool
$ pipx install git-vuln-finder
$ git-vuln-finder --help
You can also use pip. pipx is preferred because it installs scripts (system-wide available) provided by Python packages into separate virtualenvs to shield them from your system and each other.
git-vuln-finder comes with three default pattern sets which can be selected to find the potential vulnerabilities described in the commit messages:
vulnpatterns is a generic vulnerability pattern set, especially targeting web applications and generic security-related commit messages. It is based on an academic paper.
cryptopatterns is a vulnerability pattern set for cryptographic errors mentioned in commit messages.
cpatterns is a set of standard vulnerability patterns for C/C++-like languages (memory-safety bugs).
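To make the approach described above concrete (regular expressions over commit messages only, grouped into pattern sets, with CVE IDs extracted automatically and the result emitted as JSON), here is a small scanner written as an added example. It is not git-vuln-finder's own code: the three pattern sets, the helper names, the output layout and the sample commit log are assumptions of this example, and the real tool ships far more complete patterns. It runs offline on the constructed commits; `git_log()` shows how the same scanner would read a local repository.

```python
"""Minimal regex-based commit-message scanner in the spirit of git-vuln-finder.

Added example, not the project's own code: the pattern sets, helper names and
the sample commit log below are illustrative assumptions of this example.
"""
import json
import re
import subprocess
from typing import Dict, Iterable, List, Tuple

# Illustrative pattern sets (assumed for this example; the real tool ships its
# own, more complete 'vulnpatterns', 'cryptopatterns' and 'cpatterns').
PATTERNS = {
    "vulnpatterns": re.compile(
        r"\b(xss|cross[- ]site|sql injection|csrf|path traversal|rce|"
        r"remote code execution|security (fix|issue)|vulnerab\w*)\b", re.I),
    "cryptopatterns": re.compile(
        r"\b(weak (cipher|hash|random)|md5|sha1|ecb mode|nonce reuse|"
        r"timing attack|constant[- ]time)\b", re.I),
    "cpatterns": re.compile(
        r"\b(buffer overflow|heap overflow|stack overflow|use[- ]after[- ]free|"
        r"double free|integer overflow|off[- ]by[- ]one|null (pointer )?deref\w*|"
        r"format string|out[- ]of[- ]bounds)\b", re.I),
}

# CVE identifiers: a year plus at least four digits, matched case-insensitively.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I)

# Constructed sample log of (short hash, message) pairs; not from any real repository.
SAMPLE_COMMITS = [
    ("a1b2c3d", "Fix heap overflow in image parser (CVE-2020-99999)"),
    ("b2c3d4e", "Escape user input in search form to prevent XSS"),
    ("c3d4e5f", "Replace MD5 with SHA-256 for password hashing"),
    ("d4e5f6a", "Update README and bump version"),
    ("e5f6a7b", "Security fix: use-after-free in session handler, "
                "see cve-2021-12345 and CVE-2021-12346"),
]


def scan_message(sha: str, message: str, patterns=PATTERNS) -> Dict:
    """Return a finding for one commit, or {} when nothing matches.

    A commit is reported when at least one pattern set matches or a CVE ID is
    present. CVE IDs are upper-cased so 'cve-2021-12345' and 'CVE-2021-12345'
    collapse to one identifier.
    """
    matched = [name for name, rx in patterns.items() if rx.search(message)]
    cves = sorted({m.upper() for m in CVE_RE.findall(message)})
    if not matched and not cves:
        return {}
    return {"commit": sha, "message": message, "patterns": matched, "cve": cves}


def scan_commits(commits: Iterable[Tuple[str, str]]) -> List[Dict]:
    """Scan (sha, message) pairs and keep only the commits with findings."""
    return [f for f in (scan_message(sha, msg) for sha, msg in commits) if f]


def to_json(findings: List[Dict]) -> str:
    """Serialise findings the way a downstream `jq` filter would consume them."""
    return json.dumps(findings, indent=2)


def git_log(repo_path: str) -> List[Tuple[str, str]]:
    """Read (sha, full message) pairs from a local repository via `git log`.

    A NUL separator is used so multi-line commit bodies survive the split.
    """
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "--format=%H%x00%B%x00"],
        check=True, capture_output=True, text=True).stdout
    fields = out.split("\x00")
    # Fields arrive as sha, body, sha, body, ... followed by a trailing chunk.
    return [(fields[i].strip(), fields[i + 1].strip())
            for i in range(0, len(fields) - 1, 2) if fields[i].strip()]


if __name__ == "__main__":
    # Offline demo on the constructed log; swap in git_log(".") for a real repo.
    print(to_json(scan_commits(SAMPLE_COMMITS)))
```

Because the scanner never looks at the diff, a commit whose message says "heap overflow" is only a lead: the fourth sample commit is silently skipped and a silent fix with a bland message would be missed too, which is the caveat the README's "potential" wording carries.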