strong_vuln_patterns
(?i)(denial.of.service|\bXXE\b|remote.code.execution|\bopen.redirect|OSVDB|\bvuln|\bCVE\b|\bXSS\b|\bReDoS\b|\bNVD\b|malicious|x-frame-options|attack|cross.site|exploit|directory.traversal|\bRCE\b|\bdos\b|\bXSRF\b|clickjack|session.fixation|hijack|advisory|insecure|security|\bcross-origin\b|unauthori[z|s]ed|infinite.loop)
medium_vuln_patterns
(?i)(authenticat(e|ion)|brute force|bypass|constant.time|crack|credential|\bDoS\b|expos(e|ing)|hack|harden|injection|lockout|overflow|password|\bPoC\b|proof.of.concept|poison|privelage|\b(in)?secur(e|ity)|(de)?serializ|spoof|timing|traversal)
- https://csce.ucmss.com/cr/books/2017/LFS/CSREA2017/ICA2077.pdf (mainly using CVE referenced in the commit message) - archive (http://archive.is/xep9o)
- https://asankhaya.github.io/pdf/automated-identification-of-security-issues-from-commit-messages-and-bug-reports.pdf (2 main regexps)
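
An added example (not from the cited papers or the original notes) that applies the two patterns above to commit messages and tiers each one as strong, medium or none; the `hits` and `triage` helpers and the sample messages are constructed for illustration. It also surfaces three quirks a reviewer of the output should expect: `privelage` never matches the correct spelling, the strong tier's case-insensitive `\bdos\b` shadows the medium tier's `\bDoS\b`, and the unanchored `hack` fires on `hackathon`. Checking the strong tier first is an assumption of this example.

```python
import re

# Patterns as listed above; the "privelage" spelling is kept as given.
STRONG = re.compile(
    r"(?i)(denial.of.service|\bXXE\b|remote.code.execution|\bopen.redirect|OSVDB"
    r"|\bvuln|\bCVE\b|\bXSS\b|\bReDoS\b|\bNVD\b|malicious|x-frame-options|attack"
    r"|cross.site|exploit|directory.traversal|\bRCE\b|\bdos\b|\bXSRF\b|clickjack"
    r"|session.fixation|hijack|advisory|insecure|security|\bcross-origin\b"
    r"|unauthori[z|s]ed|infinite.loop)"
)
MEDIUM = re.compile(
    r"(?i)(authenticat(e|ion)|brute force|bypass|constant.time|crack|credential"
    r"|\bDoS\b|expos(e|ing)|hack|harden|injection|lockout|overflow|password"
    r"|\bPoC\b|proof.of.concept|poison|privelage|\b(in)?secur(e|ity)"
    r"|(de)?serializ|spoof|timing|traversal)"
)


def hits(pattern, text):
    """Return every keyword hit (the full match text), lowercased."""
    return [m.group(0).lower() for m in pattern.finditer(text)]


def triage(message):
    """Label a commit message 'strong', 'medium' or 'none' with its hits."""
    # Assumption of this example: the strong tier is checked first.
    strong = hits(STRONG, message)
    if strong:
        return "strong", strong
    medium = hits(MEDIUM, message)
    return ("medium", medium) if medium else ("none", [])


# Constructed commit messages, not taken from any real repository.
SAMPLES = [
    "Fix XSS in comment preview by escaping user-supplied HTML",
    "Use constant-time compare for API token check",
    "Drop privilege before spawning worker",  # correct spelling: no hit
    "Rate-limit uploads to mitigate DoS",     # caught by strong \bdos\b
    "Bump copyright year in README",
    "Add hackathon signup page",              # substring 'hack': false positive
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg), "<-", msg)
```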