Git Vuln Finder : Finding Potential Software Vulnerabilities From Git Commit Messages

Git Vuln Finder finds potential software vulnerabilities from git commit messages. The output format is a JSON with the associated commit which could contain a fix regarding a software vulnerability. The search is based on a set of regular expressions against the commit messages only. If CVE IDs are present, those are added automatically in the output.

Requirements

jq (sudo apt install jq)

Also Read – Dsync : IDAPython Plugin That Synchronizes Disassembler & Decompiler Views

Installation

Use it as a library

git-vuln-finder can be install with poetry. If you don’t have poetry installed, you can do the following curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python.

$ poetry install git-vuln-finder
$ poetry shell

Use it as a command line tool

$ pipx install git-vuln-finder
$ git-vuln-finder –help

You can also use pip. pipx installs scripts (system wide available) provided by Python packages into separate virtualenvs to shield them from your system and each other.

Usage

Patterns

git-vuln-finder comes with 3 default patterns which can be selected to find the potential vulnerabilities described in the commit messages such as:

  • vulnpatterns is a generic vulnerability pattern especially targeting web application and generic security commit message. Based on an academic paper.
  • cryptopatterns is a vulnerability pattern for cryptographic errors mentioned in commit messages.
  • cpatterns is a set of standard vulnerability patterns see for C/C++-like languages.