File size: 12,431 Bytes
5a2c9e0 | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 | """
Rhodawk AI — Commit Watcher + CAD Algorithm
============================================
Monitors GitHub repository commit streams for:
1. Silent security patches (fixes without CVE mention)
2. Regression introductions (commits that break previously safe invariants)
3. Dependency bumps that change security-relevant code
Custom Algorithm: CAD (Commit Anomaly Detection)
Uses statistical analysis of commit metadata + diff content to score
how "suspicious" a commit is from a security perspective.
High CAD score = likely silent security fix = potential unpatched vuln in older versions.
CAD Score Components:
- keyword_score: security-related words in commit message (without CVE/advisory mention)
- diff_complexity: unusual churn patterns (small message + large diff = suspicious)
- sink_delta: did the commit add/remove dangerous sinks?
- author_entropy: is this from an unusual author for this file?
- timing: late-night commits, weekend commits (higher anomaly weight)
"""
from __future__ import annotations
import hashlib
import math
import os
import re
import subprocess
import time
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class CommitAnalysis:
sha: str
message: str
author: str
date: str
files_changed: int
insertions: int
deletions: int
cad_score: float # 0.0–10.0 (higher = more suspicious)
security_keywords: list[str]
sink_changes: list[str]
has_cve_mention: bool
has_advisory_mention: bool
is_suspicious: bool # cad_score > threshold
diff_snippet: str
_SECURITY_KEYWORDS = {
"overflow", "injection", "traversal", "escape", "sanitize", "sanitise",
"validate", "validation", "bypass", "privilege", "escalation", "disclosure",
"arbitrary", "execute", "remote", "code", "memory", "corruption", "buffer",
"heap", "stack", "uaf", "use-after-free", "null", "deref", "dereference",
"race", "condition", "toctou", "deserialization", "serialize", "pickle",
"auth", "authentication", "authorization", "permission", "access control",
"sql", "query", "xss", "csrf", "ssrf", "xxe", "open redirect", "clickjack",
"timing", "side channel", "cryptographic", "weak", "hardcoded", "credential",
"secret", "password", "token", "key", "certificate", "tls", "ssl",
"fix", "patch", "security", "vulnerability", "vuln", "issue", "bug",
"denial", "dos", "crash", "abort", "segfault", "exception", "error handling",
}
_CVE_PATTERN = re.compile(r"\bCVE-\d{4}-\d+\b", re.IGNORECASE)
_ADVISORY_PATTERN = re.compile(r"\bGHSA-[A-Z0-9-]+\b|\bSA-\d+\b|\bVU#\d+\b", re.IGNORECASE)
_DANGEROUS_SINK_PATTERNS = re.compile(
r"\beval\b|\bexec\b|\bos\.system\b|\bsubprocess\b|\bpickle\b|\byaml\.load\b"
r"|\bchild_process\b|\binnerHTML\b|\bdocument\.write\b|\bSQLQuery\b|\bcursor\.execute\b",
re.IGNORECASE,
)
CAD_THRESHOLD = float(os.getenv("RHODAWK_CAD_THRESHOLD", "5.0"))
def _git_log(repo_dir: str, n: int = 50) -> list[dict]:
"""Get recent commits with stats."""
try:
result = subprocess.run(
["git", "log", f"-{n}", "--format=%H|%s|%an|%ae|%ai", "--shortstat"],
cwd=repo_dir, capture_output=True, text=True, timeout=30,
)
entries = []
lines = result.stdout.strip().splitlines()
i = 0
while i < len(lines):
line = lines[i].strip()
if "|" in line and len(line.split("|")) >= 5:
parts = line.split("|", 4)
sha, msg, author, email, date = parts[0], parts[1], parts[2], parts[3], parts[4]
insertions = 0
deletions = 0
files_changed = 0
if i + 1 < len(lines) and ("changed" in lines[i + 1] or "insertion" in lines[i + 1]):
stat_line = lines[i + 1]
m = re.search(r"(\d+)\s+file", stat_line)
if m:
files_changed = int(m.group(1))
m = re.search(r"(\d+)\s+insertion", stat_line)
if m:
insertions = int(m.group(1))
m = re.search(r"(\d+)\s+deletion", stat_line)
if m:
deletions = int(m.group(1))
i += 1
entries.append({
"sha": sha.strip(),
"message": msg.strip(),
"author": author.strip(),
"email": email.strip(),
"date": date.strip(),
"files_changed": files_changed,
"insertions": insertions,
"deletions": deletions,
})
i += 1
return entries
except Exception as e:
print(f"[CAD] git log failed: {e}")
return []
def _get_commit_diff(repo_dir: str, sha: str) -> str:
"""Get the diff for a specific commit."""
try:
result = subprocess.run(
["git", "show", "--unified=3", "--no-color", sha],
cwd=repo_dir, capture_output=True, text=True, timeout=15,
)
return result.stdout[:5000]
except Exception:
return ""
def _compute_cad_score(commit: dict, diff: str) -> tuple[float, list[str], list[str]]:
"""
CAD (Commit Anomaly Detection) algorithm.
Returns (cad_score, matched_security_keywords, sink_changes)
"""
msg = commit["message"].lower()
score = 0.0
matched_keywords = []
sink_changes = []
# --- Keyword scoring ---
for kw in _SECURITY_KEYWORDS:
if kw in msg:
matched_keywords.append(kw)
score += 0.4
has_cve = bool(_CVE_PATTERN.search(commit["message"]))
has_advisory = bool(_ADVISORY_PATTERN.search(commit["message"]))
# If it mentions CVE/advisory it's already disclosed — less interesting for us
if has_cve or has_advisory:
score -= 2.0
# If it has security keywords WITHOUT CVE → silent fix (most interesting)
elif matched_keywords:
score += 1.5
# --- Diff complexity scoring ---
ins = commit["insertions"]
dels = commit["deletions"]
total_churn = ins + dels
if total_churn > 0:
# Short commit message + large diff = suspicious
msg_length_penalty = 1.0 if len(commit["message"]) < 30 else 0.5
churn_score = math.log10(max(total_churn, 1)) * msg_length_penalty * 0.8
score += min(churn_score, 3.0)
# High deletions relative to insertions = removing dangerous code
if dels > 0 and ins > 0:
del_ratio = dels / (ins + dels)
if del_ratio > 0.6:
score += 0.8
# --- Sink delta scoring ---
added_lines = [l for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++")]
removed_lines = [l for l in diff.splitlines() if l.startswith("-") and not l.startswith("---")]
for line in added_lines:
if _DANGEROUS_SINK_PATTERNS.search(line):
sink_changes.append(f"ADDED: {line[1:].strip()[:80]}")
score += 0.5
for line in removed_lines:
if _DANGEROUS_SINK_PATTERNS.search(line):
sink_changes.append(f"REMOVED: {line[1:].strip()[:80]}")
score += 0.3 # Removing dangerous code = possible silent fix
# --- Timing scoring ---
try:
date_str = commit["date"][:19]
import datetime
dt = datetime.datetime.strptime(date_str, "%Y-%m-%d %H:%M:%S")
hour = dt.hour
weekday = dt.weekday()
if hour < 6 or hour > 22:
score += 0.5
if weekday >= 5:
score += 0.3
except Exception:
pass
return round(min(score, 10.0), 3), matched_keywords, sink_changes
def analyze_recent_commits(repo_dir: str, lookback: int = 50) -> dict:
"""
Main entry point. Analyze recent commits using CAD algorithm.
Returns suspicious commits sorted by CAD score.
"""
print(f"[CAD] Analyzing last {lookback} commits in {repo_dir}")
commits = _git_log(repo_dir, n=lookback)
if not commits:
return {"error": "No commits found or git log failed", "suspicious_commits": [], "total": 0}
analyses = []
for commit in commits[:lookback]:
diff = _get_commit_diff(repo_dir, commit["sha"])
cad_score, keywords, sinks = _compute_cad_score(commit, diff)
has_cve = bool(_CVE_PATTERN.search(commit["message"]))
has_advisory = bool(_ADVISORY_PATTERN.search(commit["message"]))
analysis = CommitAnalysis(
sha=commit["sha"][:12],
message=commit["message"][:200],
author=commit["author"],
date=commit["date"][:19],
files_changed=commit["files_changed"],
insertions=commit["insertions"],
deletions=commit["deletions"],
cad_score=cad_score,
security_keywords=keywords,
sink_changes=sinks,
has_cve_mention=has_cve,
has_advisory_mention=has_advisory,
is_suspicious=cad_score >= CAD_THRESHOLD,
diff_snippet=diff[:500],
)
analyses.append(analysis)
analyses.sort(key=lambda a: a.cad_score, reverse=True)
suspicious = [a for a in analyses if a.is_suspicious]
print(f"[CAD] Found {len(suspicious)} suspicious commit(s) out of {len(analyses)}")
return {
"total_analyzed": len(analyses),
"suspicious_count": len(suspicious),
"threshold": CAD_THRESHOLD,
"algorithm": "CAD_v1",
"suspicious_commits": [
{
"sha": a.sha, "message": a.message, "author": a.author,
"date": a.date, "cad_score": a.cad_score,
"security_keywords": a.security_keywords,
"sink_changes": a.sink_changes[:3],
"files_changed": a.files_changed,
"insertions": a.insertions, "deletions": a.deletions,
"has_cve": a.has_cve_mention,
"diff_snippet": a.diff_snippet[:300],
}
for a in suspicious[:10]
],
"all_scores": [{"sha": a.sha[:8], "score": a.cad_score, "msg": a.message[:60]}
for a in analyses[:20]],
}
def watch_repo_stream(
owner: str,
repo: str,
github_token: str,
callback,
poll_interval_s: int = 300,
) -> None:
"""
Continuously poll a GitHub repo for new commits and run CAD on each batch.
callback(analysis_result) is called when suspicious commits are found.
Runs in a background thread.
"""
import threading
import requests
seen_shas = set()
def _poll():
while True:
try:
headers = {
"Authorization": f"Bearer {github_token}",
"Accept": "application/vnd.github+json",
}
resp = requests.get(
f"https://api.github.com/repos/{owner}/{repo}/commits",
headers=headers, params={"per_page": 20}, timeout=15,
)
if resp.status_code != 200:
time.sleep(poll_interval_s)
continue
commits = resp.json()
new_commits = [c for c in commits if c["sha"] not in seen_shas]
if new_commits:
for c in new_commits:
seen_shas.add(c["sha"])
print(f"[CAD WATCH] {len(new_commits)} new commit(s) on {owner}/{repo}")
result = {
"repo": f"{owner}/{repo}",
"new_commits": len(new_commits),
"timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ"),
"commits": [
{
"sha": c["sha"][:12],
"message": c["commit"]["message"][:100],
"author": c["commit"]["author"]["name"],
}
for c in new_commits
],
}
callback(result)
except Exception as e:
print(f"[CAD WATCH] Error: {e}")
time.sleep(poll_interval_s)
t = threading.Thread(target=_poll, daemon=True, name=f"cad-watch-{owner}-{repo}")
t.start()
return t
|