Fozar allows you to traverse commits across multiple repositories matching against user supplied regex. It also allows for the user to set exclusions on certain files for them not to be analyzed.
As the tool is written in Golang, it can be used in both Windows and Linux.
git clone https://github.com/blackarrowsec/fozar.git
cd fozar/
go buildLaunch the tool against a directory tree with one or more git repositories on it.
PS C:\Pentest\Tools\fozar> .\fozar.exe -h
_____
| ___|___ ____ __ _ _ __
| |_ / _ \|_ // _` || '__|
| _|| (_) |/ /| (_| || |
|_| \___//___|\__,_||_|
By @30vh1 [https://blackarrow.net] [https://tarlogic.com]
-A int
Following lines to show on match
-B int
Previous lines to show on match
-config string
Yaml config location (default "config/config.yml")
-debug
Print debug information (slower!)
-of string
Filename for the html file output
-ot string
Filename for the Markdown file output
-path string
Folder from which to start searching
There are a couple of scripts under the script/ folder. You can pipe URLs to them in order to download batch repositories.
The scripts will create an output/ folder with the raw repositories under output/raw/ and the actual repositories under output/repo/ (this is the folder which you wanna use Fozar on)
The configuration file config/config.yml keeps two lists of regular expressions. The first one known as rules keeps all the matches you want check against whilst the rules under the avoid section are matched against file names to avoid analyzing them.
rules:
- '[pP][aA][sS][sS][wW][oO][rR][dD]\s*=\s*"' # This is an inline comment
- '"access_token":'
- '[pP][aA][sS][sS]\s+=\s+?"'
- ...
avoid:
- '.exe'
- '.war'
- '.rar'
- ...The HTML report generates an easy on the eye output on HTML format. When selecting this output it is necessary to have the templates/ folder on the same directory from which Fozar is being run.
The text report generates a Markdown file. This output doesn't have any special requirements. A tool such is Typora is highly recommended for the Markdown output visualization.
- Plain Markdown text file
- Interpreted Markdown text file
For getting in touch with the tool you can try the following commands. The output result will be on output/Fozar Report/
- Windows
cat .\scripts\test.txt | .\scripts\bulk_clone.ps1
.\fozar.exe -A 3 -B 3 -config .\config\config.yml -of test.html -path .\output\repo\- Linux
cat ./scripts/test.txt | ./scripts/bulk_clone.sh
./fozar -A 3 -B 3 -config ./config/config.yml -of test.html -path ./output/repo/Marcos Carro (@30vh1) [ www.blackarrow.net - www.tarlogic.com ]
All the code included in this project is licensed under the terms of the GNU AGPLv3 license.
