kovalev0/cve-commit-scanner
CVE Commit Scanner for Linux Kernel

Description

CVE Commit Scanner is a utility for analyzing Git commits in the Linux kernel to detect potential security vulnerabilities (CVEs). The scripts extract commit titles and changed files, then pass this data to a Python script that checks against the National Vulnerability Database (NVD) CVE data. If there are CVE mentions or security-related changes in the commit messages, they are logged in a separate file.

The CVE data is sourced from the National Vulnerability Database (NVD), which provides publicly available information on known security vulnerabilities.

Installation

  1. Clone the repository:
	git clone https://github.com/kovalev0/cve-commit-scanner.git
	cd cve-commit-scanner
  2. Ensure that Python 3 is installed on your system.

Usage

Main Commands

  1. Run the script to analyze commits: The script accepts a commit hash and scans all subsequent commits in the repository for CVE vulnerabilities.
	./search_cve.sh <commit_hash>

Where <commit_hash> is the hash of the commit from which to start the scan.

  2. Setting the Range of Years for CVE Search: Define the required range of years for searching the CVE database in the search_cve.py script by modifying the YEAR_START and YEAR_END variables. By default, the values are set to 2022 and 2024 respectively.

Example:

	YEAR_START = 2021
	YEAR_END = 2024

These variables define the range of years that will be used for downloading and processing CVE data.

  3. CVE Data Storage: After downloading and unpacking the CVE database, the data files are stored in the cve_data directory. This is managed by the DATA_DIR variable in the search_cve.py script.
  4. Results: All CVE matches are saved in the matches.txt file. If the file already exists, a backup is created. The execution log is saved in the search_cve.log file.

Example

	cd /path/to/linux-git/
	cp /path/to/cve-commit-scanner/search_cve.* .
	chmod +x ./search_cve.sh
	./search_cve.sh abc1234

After running this script, all commits with CVE matches will be saved in matches.txt, and the logs will be stored in search_cve.log.

Repository Structure

  • search_cve.sh — the main bash script that processes commits and calls the Python script for CVE searching.
  • search_cve.py — the Python script that searches for CVE mentions in files and commit titles. The year range for CVE search is also configured here.
  • matches.txt — a file containing the results of found matches.
  • search_cve.log — the log file of the script's execution.
  • cve_data/ — the directory where the CVE data is stored after being downloaded and unpacked, managed by the DATA_DIR variable in search_cve.py.

Note

This repository is specifically designed for working with the Linux kernel. It is crucial to thoroughly analyze any found matches to ensure they truly correspond to the analyzed commits. One of the search methods used in this project identifies any changes in files within the affected subsystem, which can lead to false positives. Always verify that the CVE found is directly related to the actual changes in the commit under review.
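To make the two match types concrete, here is an added illustration (not the project's own search_cve.py) of a direct CVE-ID check on the commit title next to the subsystem-path heuristic the note warns about, run over a constructed NVD-style record. The feed layout, the regexes, the kernel-path heuristic and the output format are assumptions made for this example.

```python
import json
import re

# Same year window the README describes for YEAR_START / YEAR_END
YEAR_START = 2022
YEAR_END = 2024

CVE_RE = re.compile(r"CVE-(\d{4})-\d{4,}")
# Kernel source paths as they often appear in NVD descriptions (heuristic; an assumption)
PATH_RE = re.compile(r"\b((?:drivers|fs|net|kernel|mm|arch|sound|security)/[\w./-]*)")

# Constructed sample in the shape of an NVD 1.1 JSON feed; not real CVE data
NVD_FEED = json.loads("""{"CVE_Items": [
 {"cve": {"CVE_data_meta": {"ID": "CVE-2023-0001"},
          "description": {"description_data": [{"lang": "en",
           "value": "Use-after-free in drivers/net/ethernet/example/ in the Linux kernel."}]}}},
 {"cve": {"CVE_data_meta": {"ID": "CVE-2021-0002"},
          "description": {"description_data": [{"lang": "en",
           "value": "Out-of-bounds read in fs/example/ in the Linux kernel."}]}}}
]}""")

def in_range(cve_id):
    """True if the CVE year falls inside [YEAR_START, YEAR_END]."""
    m = CVE_RE.fullmatch(cve_id)
    return m is not None and YEAR_START <= int(m.group(1)) <= YEAR_END

def load_subsystems(feed):
    """Map each in-range CVE ID to the kernel paths named in its description."""
    out = {}
    for item in feed["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        if in_range(cve_id):  # years outside the window are never downloaded
            desc = item["cve"]["description"]["description_data"][0]["value"]
            out[cve_id] = [p.rstrip(".") for p in PATH_RE.findall(desc)]
    return out

def scan_commit(title, files, subsystems):
    """One line per hit: 'direct' when the title cites an in-range CVE ID, 'subsystem'
    when a changed file lies under a path the CVE names (the false-positive-prone method)."""
    hits = []
    for m in CVE_RE.finditer(title):
        if in_range(m.group(0)):
            hits.append(f"direct {m.group(0)}")
    for cve_id, paths in subsystems.items():
        touched = [f for f in files if any(f.startswith(p) for p in paths)]
        if touched:
            hits.append(f"subsystem {cve_id} ({', '.join(touched)}) -- verify manually")
    return hits
```

A "subsystem" line only says the commit touched the same directory the CVE text names; the commit diff still has to be read before it is recorded as a real match.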

License

This project is licensed under the GNU General Public License v3.0. See the LICENSE file for details.
