cve-hash-generator
Finds an identifiable hash value for each version of GitLab vulnerable to a specific CVE by the defined semantic version range. Example: https://gitlab.com/gitlab-org/cves/-/blob/9e9a08f61709c8016039468c90e1880715d173e7/2021/CVE-2021-22205.json#L19-29.
Running The Tool
Prerequisites
This tool requires that docker be installed along with docker-compose on the machine executing the binary. A paid license for docker is recommended due to the number of image downloads necessary in some cases. This tool requires connection to a mongodb instance of your choice. A docker-compose.yml file exists for convenience.
Usage
- Clone the repository.
- Type
make build
. The process may take a couple of minutes. - Change the password in the docker-compose.yml file in the root of the repository. There are three occurances of the password, which need to match.
- Change directories with
cd ./bin
. - Edit the
.env
file in the./bin
directory to set the environment variable "MONGODB_URI" to an appropriate connection string. Example:MONGODB_URI="mongodb://root:<MY_SECURE_PASSWORD>@localhost:27017/"
. <MY_SECURE_PASSWORD> should match the password you used in the docker-compose.yml file. - Run:
docker-compose up -d
to launch the mongodb instance and mongo express viewer. NOTE: this app requires a mongodb instance, whether in docker or elsewhere. - Launch the mongo express viewer if you like at: http://localhost:8081/
- Run the tool with
./cve-hash-harvester --mongoCollection <CVE_ID> --vulnerableConstraints <semver_range1> --vulnerableConstraints <semver_range2> ...
- Example to generate hashes for CVE-2021-22205:
./cve-hash-harvester -m CVE-2021-22205 -v ">=11.9, <13.8.8" -v ">=13.9, <13.9.6" -v ">=13.10, <13.10.3"
Contributing
This project uses AngularJS commit message formatting to support automatic semantic versioning releases using semantic-release. For an MR to be accepted, each commit message must follow this format.
- Clone the project. Run
git checkout -b <my-awesome-updates>
. - Run
make .init
to initialize the local dev environment - Run
make .test
to run the tests - Run
make build
to produce binaries - Commit your changes using the commit message formatting mentioned above.