Find the exact version and CVEs of open-source web software just from the static files.
Idea by paranoid android.
commit (Git commit) + piste (French for "track")
Why
Knowing the precise commit beats a version string: CVE-affected code "leaks" a few releases up and down a version range, so the commit tells you whether a given fix is actually present. CommiPiste is for authorized security testing and perimeter asset inventory — it only requests public static files and never exploits anything.
How it works
Open-source apps serve static files (JS, CSS, icons) straight from their source tree.
CommiPiste:
- builds a signature database of every release's files, keyed by git blob OID (taken for free from `git ls-tree`)
- then downloads those files from a target
- reproduces the same OIDs from the bytes
- matches them back to a single commit.
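The matching step above in miniature, as an added example (not CommiPiste's own code): a git blob OID is just SHA-1 over `blob <size>\0` plus the raw bytes, so any file served unchanged from a release tree reproduces the OID that `git ls-tree -r <tag>` already lists. The release tags, file contents and ls-tree output below are constructed for the example; `fake_ls_tree` stands in for running git and is an assumption, as are the function names.

```python
"""Git blob OIDs as static-file signatures: build a DB from ls-tree, match fetched bytes."""
import hashlib
from collections import defaultdict


def blob_oid(data: bytes) -> str:
    """Git's blob object id: SHA-1 over the header 'blob <size>\\0' followed by the bytes."""
    return hashlib.sha1(b"blob %d\x00" % len(data) + data).hexdigest()


def parse_ls_tree(text: str) -> dict[str, str]:
    """Parse `git ls-tree -r <tag>` output ("<mode> <type> <oid>\\t<path>") into {path: oid}.
    Only blobs are kept; tree/commit entries carry no file bytes to compare against."""
    entries: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        meta, path = line.split("\t", 1)
        _mode, otype, oid = meta.split()
        if otype == "blob":
            entries[path] = oid
    return entries


# Constructed sample: three release tags of a fictional app. Releases differ in only
# a few files, which is the realistic case and exactly why per-file signatures can
# narrow a match to one tag while a shared file (favicon.ico) cannot.
RELEASES: dict[str, dict[str, bytes]] = {
    "v2.28.1": {"js/app.js": b"var v='2.28.1';\n", "css/site.css": b"body{}\n", "favicon.ico": b"ICO"},
    "v2.28.2": {"js/app.js": b"var v='2.28.2';\n", "css/site.css": b"body{}\n", "favicon.ico": b"ICO"},
    "v2.28.3": {"js/app.js": b"var v='2.28.3';\n", "css/site.css": b"body{margin:0}\n", "favicon.ico": b"ICO"},
}


def fake_ls_tree(tag: str) -> str:
    """Emit the text `git ls-tree -r <tag>` would print for the constructed tree (assumption:
    a real indexer would run git on a clone instead)."""
    return "".join(f"100644 blob {blob_oid(data)}\t{path}\n" for path, data in RELEASES[tag].items())


def build_signature_db(tags) -> dict[str, set[str]]:
    """oid -> set of tags whose tree contains a blob with that OID. The path is deliberately
    ignored: identical bytes under a renamed or relocated path still identify the release."""
    db: dict[str, set[str]] = defaultdict(set)
    for tag in tags:
        for _path, oid in parse_ls_tree(fake_ls_tree(tag)).items():
            db[oid].add(tag)
    return dict(db)


def match(db: dict[str, set[str]], fetched: dict[str, bytes]):
    """Hash each fetched file, look it up, and keep only the tags consistent with every file
    that matched. Returns (candidate tags, matched paths, unknown paths); unknown paths are
    files whose bytes belong to no release (site-specific, minified, or locally patched)."""
    candidates: set[str] | None = None
    matched: list[str] = []
    unknown: list[str] = []
    for path, data in fetched.items():
        tags = db.get(blob_oid(data))
        if tags is None:
            unknown.append(path)
            continue
        matched.append(path)
        candidates = set(tags) if candidates is None else candidates & tags
    # An empty intersection means contradictory files (e.g. a half-applied upgrade).
    return (sorted(candidates) if candidates else [], matched, unknown)


if __name__ == "__main__":
    db = build_signature_db(RELEASES)
    # Constructed "target": 2.28.3 files plus a customised favicon that matches no release.
    served = {"js/app.js": b"var v='2.28.3';\n", "css/site.css": b"body{margin:0}\n", "favicon.ico": b"custom"}
    cands, ok, unk = match(db, served)
    print(f"candidates={cands} matched={ok} unknown={unk}")
```

Note what the intersection buys you: a file shared by every release (the favicon) confirms the product but not the version, while one release-specific file pins a single tag; a file that matches nothing is reported separately rather than treated as evidence against every tag.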
Quickstart
pip install -e . # needs Python ≥ 3.11 and a `git` binary
CommiPiste scan https://mantisbt.org/bugs # first run auto-downloads the signature DB
The first scan pulls a prebuilt signature database automatically, then identifies the software and prints the version/commit plus known CVEs.
On MantisBT's own public bug tracker, for example, it pins MantisBT 2.28.3 and surfaces its vulnerabilities — see an example HTML report.
A few more examples:
CommiPiste scan https://mantisbt.org/bugs --verbose # show matching process
CommiPiste scan https://mantisbt.org/bugs --json # machine-readable
CommiPiste scan https://mantisbt.org/bugs --no-cve # version only, fully offline
CommiPiste scan https://mantisbt.org/bugs --report out.html # interactive HTML report
CommiPiste scan --targets hosts.txt # batch
Autoindex new software
The bundled database covers 200+ platforms. To fingerprint software it doesn't know yet, point
--autoindex at the project's git repo — CommiPiste clones it, indexes its release tags, and
then identifies the running version, all in one command:
CommiPiste scan https://demo.bookstackapp.com --autoindex \
--repo https://github.com/BookStackApp/BookStack
Public dirs are auto-detected: it probes the repo's top-level directories against the names already common across the registry (`js`, `themes`, `css`, `public`, `assets`, …). Override with `--public dist,css` if the guess misses.
Optional flags: `--name` (defaults to the repo name), `--cpe cpe:2.3:a:vendor:product` (enables CVE lookup for the matched version).
It's remembered. The project is saved to your local registry (`~/.CommiPiste/registry/`), so later runs need neither flag; a plain `scan <url>` detects it by fingerprint:
CommiPiste scan https://demo.bookstackapp.com # detected, no --autoindex needed
Autoindexed projects survive a database update: after `interactive-update` downloads a fresh DB, any local project missing from it is re-indexed automatically.
Documentation
- Install & full CLI / library usage
- The signature database (auto-download, building it)
- How it works · Architecture & internals
- What can / can't be fingerprinted
- Vulnerability lookup (NVD + OSV)
- Active probing (SPA / bundled apps)
- Troubleshooting
- Supported software list
- Testing
Related research
Prior and adjacent work on web-application fingerprinting:
- Understanding and Improving Web Application Fingerprinting (WASABO) — USENIX
- WAFP — Web Application Fingerprinting
- Sucuri — Fingerprinting Web Apps
- WhatWeb — Morning Star Security