Create gh-pages branch via GitHub

<!DOCTYPE html>

<html lang="en-us">

  <head>

    <meta charset="UTF-8">

    <title>Cve-search by cve-search</title>

    <meta name="viewport" content="width=device-width, initial-scale=1">

    <link rel="stylesheet" type="text/css" href="stylesheets/normalize.css" media="screen">

    <link href='https://fonts.googleapis.com/css?family=Open+Sans:400,700' rel='stylesheet' type='text/css'>

    <link rel="stylesheet" type="text/css" href="stylesheets/stylesheet.css" media="screen">

    <link rel="stylesheet" type="text/css" href="stylesheets/github-light.css" media="screen">

  </head>

  <body>

    <section class="page-header">

      <h1 class="project-name">Cve-search</h1>

      <h2 class="project-tagline">cve-search - a tool to perform local searches for known vulnerabilities</h2>

      <a href="https://github.com/cve-search/cve-search" class="btn">View on GitHub</a>

      <a href="https://github.com/cve-search/cve-search/zipball/master" class="btn">Download .zip</a>

      <a href="https://github.com/cve-search/cve-search/tarball/master" class="btn">Download .tar.gz</a>

    </section>

    <section class="main-content">

      <h1>

<a id="cve-search" class="anchor" href="#cve-search" aria-hidden="true"><span class="octicon octicon-link"></span></a>cve-search</h1>

<p><img src="https://avatars3.githubusercontent.com/u/15033728?v=3&amp;s=200" alt="cve-search logo"></p>

<p>cve-search is a tool to import CVE (Common Vulnerabilities and Exposures) and

CPE (Common Platform Enumeration) into a MongoDB to facilitate search

and processing of CVEs.</p>

<p>The main objective of the software is to avoid doing direct and public lookup

into the public CVE databases. This is usually faster to do local lookups and

limits your sensitive queries via the Internet.</p>

<p>cve-search includes a back-end to store vulnerabilities and related information,

an intuitive web interface for search and managing vulnerabilities,

a series of tools to query the system and a web API interface.</p>

<p>cve-search is used by many organizations including the <a href="https://cve.circl.lu/">public CVE services of CIRCL</a>.</p>

<h2>

<a id="requirements" class="anchor" href="#requirements" aria-hidden="true"><span class="octicon octicon-link"></span></a>Requirements</h2>

<ul>

<li>Python3.2 or later</li>

<li>MongoDB 2.2 or later</li>

<li>redis server</li>

<li>Pip3

<ul>

<li>PyMongo</li>

<li>Flask</li>

<li>Flask-PyMongo</li>

<li>Flask-Login</li>

<li>Tornado</li>

<li>Whoosh</li>

<li>Redis</li>

<li>Python-dateUtil</li>

<li>passlib</li>

<li>feedformater (for RSS and Atom dump_last) <a href="http://code.google.com/p/feedformatter/">http://code.google.com/p/feedformatter/</a>

</li>

<li>Whoosh <a href="http://packages.python.org/Whoosh/">http://packages.python.org/Whoosh/</a> (If you're planning to use the Full-text indexer)</li>

</ul>

</li>

</ul>

<p>The requirements can be installed with pip:</p>

<pre><code>sudo pip3 install -r requirements.txt

</code></pre>

<h2>

<a id="installation-of-mongodb" class="anchor" href="#installation-of-mongodb" aria-hidden="true"><span class="octicon octicon-link"></span></a>Installation of MongoDB</h2>

<p>First, you'll need to have a Python 3 installation (3.2 or 3.3 preferred).

Then you need to install MongoDB (2.2) from source (this should also work

with any standard packages from your favorite distribution). Don't forget

to install the headers for development while installing MongoDB.

You can go to <a href="http://docs.mongodb.org/manual/installation/">http://docs.mongodb.org/manual/installation/</a> for to get the

packages for your distribution, or <a href="http://www.mongodb.org/downloads">http://www.mongodb.org/downloads</a> for

the source code.</p>

<h2>

<a id="populating-the-database" class="anchor" href="#populating-the-database" aria-hidden="true"><span class="octicon octicon-link"></span></a>Populating the database</h2>

<p>For the initial run, you need to populate the CVE database by running:</p>

<pre><code>./db_mgmt.py -p

./db_mgmt_cpe_dictionary.py

./db_updater.py -c

</code></pre>

<p>It will fetch all the existing XML files from the Common Vulnerabilities

and Exposures database and the Common Platform Enumeration.</p>

<p>A more detailed documentation can be found in the Documentations folder of the project.</p>

<h2>

<a id="databases-and-collections" class="anchor" href="#databases-and-collections" aria-hidden="true"><span class="octicon octicon-link"></span></a>Databases and collections</h2>

<p>The MongoDB database is called cvedb and there are 11 collections:</p>

<ul>

<li>cves (Common Vulnerabilities and Exposure items) - source NVD NIST</li>

<li>cpe (Common Platform Enumeration items) - source NVD NIST</li>

<li>vendor (Official Vendor Statements on CVE Vulnerabilities) - source NVD NIST</li>

<li>cwe (Common Weakness Enumeration items) - source NVD NIST</li>

<li>capec (Common Attack Pattern Enumeration and Classification) - source NVD NIST</li>

<li>ranking (ranking rules per group) - local cve-search</li>

<li>d2sec (Exploitation reference from D2 Elliot Web Exploitation Framework) - source d2sec.com</li>

<li>

<a href="https://github.com/toolswatch/vFeed">vFeed</a> (cross-references to CVE ids (e.g. OVAL, OpenVAS, ...)) - source <a href="https://github.com/toolswatch/vFeed">vFeed</a>

</li>

<li>ms - (Microsoft Bulletin (Security Vulnerabilities and Bulletin)) - source <a href="http://www.microsoft.com/en-us/download/details.aspx?id=36982">Microsoft</a>

</li>

<li>exploitdb (Offensive Security - Exploit Database) - source <a href="https://github.com/offensive-security/exploit-database">offensive security</a>

</li>

<li>info (metadata of each collection like last-modified) - local cve-search</li>

</ul>

<p>The Redis database has 3 databases:</p>

<ul>

<li>10: The cpe (Common Platform Enumeration) cache - source MongoDB cvedb collection cpe</li>

<li>11: The notification database - source cve-search</li>

<li>12: The NIST reference databased is a cross-reference database to CVE ids against various vendors ID - source NVD NIST</li>

</ul>

<h2>

<a id="updating-the-database" class="anchor" href="#updating-the-database" aria-hidden="true"><span class="octicon octicon-link"></span></a>Updating the database</h2>

<p>An updater script helps to start the db_mgmt_*  </p>

<pre><code>./db_updater.py -v

</code></pre>

<p>You can run it in a crontab, logging is done in syslog by default.</p>

<h2>

<a id="repopulating-the-database" class="anchor" href="#repopulating-the-database" aria-hidden="true"><span class="octicon octicon-link"></span></a>Repopulating the database</h2>

<p>To easily drop and re-populate all the databases</p>

<pre><code>./db_updater.py -v -f

</code></pre>

<p>This will drop all the existing external sources and reimport everything. This operation can take some time

and it's usually only required when new attributes parsing are added in cve-search.</p>

<h2>

<a id="usage" class="anchor" href="#usage" aria-hidden="true"><span class="octicon octicon-link"></span></a>Usage</h2>

<p>You can search the database using search.py</p>

<pre><code>./search.py -p cisco:ios:12.4

./search.py -p cisco:ios:12.4 -o json

./search.py -f nagios -n

./search.py -p microsoft:windows_7 -o html

</code></pre>

<p>If you want to search all the WebEx vulnerabilities and only printing the official

references from the supplier.</p>

<pre><code>./search.py -p webex: -o csv  -v "cisco"

</code></pre>

<p>You can also dump the JSON for a specific CVE ID.</p>

<pre><code>./search.py -c CVE-2010-3333

</code></pre>

<p>Or you can use the XMPP bot</p>

<pre><code>./search_xmpp.py -j mybot@jabber.org -p strongpassword

</code></pre>

<p>Or dump the last 2 CVE entries in RSS or Atom format</p>

<pre><code>./dump_last.py -f atom -l 2

</code></pre>

<p>Or you can use the webinterface.</p>

<pre><code>./web/index.py

</code></pre>

<h2>

<a id="usage-of-the-ranking-database" class="anchor" href="#usage-of-the-ranking-database" aria-hidden="true"><span class="octicon octicon-link"></span></a>Usage of the ranking database</h2>

<p>There is a ranking database allowing to rank software vulnerabilities based on

their common platform enumeration name. The ranking can be done per organization

or department within your organization or any meaningful name for you.</p>

<p>As an example, you can add a partial CPE name like "sap:netweaver" which is very

critical for your accounting department.</p>

<pre><code>./python3.3 db_ranking.py  -c "sap:netweaver" -g "accounting" -r 3

</code></pre>

<p>and then you can lookup the ranking (-r option) for a specific CVE-ID:</p>

<pre><code>./python3.3 search.py -c CVE-2012-4341  -r  -n

</code></pre>

<h2>

<a id="advanced-usage" class="anchor" href="#advanced-usage" aria-hidden="true"><span class="octicon octicon-link"></span></a>Advanced usage</h2>

<p>As cve-search is based on a set of tools, it can be used and combined with standard Unix tools. If you ever wonder what are the top vendors using the term "unknown" for their vulnerabilities:</p>

<pre><code>python3 search_fulltext.py -q unknown -f | jq -r '. | .vulnerable_configuration[0]' | cut -f3 -d: | sort  | uniq -c  | sort -nr | head -10

1500 oracle

381 sun

372 hp

232 google

208 ibm

126 mozilla

103 microsoft

100 adobe

 78 apple

 68 linux

</code></pre>

<p>You can compare CVSS (Common Vulnerability Scoring System ) values of some products based on their CPE name. Like comparing oracle:java versus sun:jre and using R to make some statistics about their CVSS values:</p>

<pre><code>python3 search.py -p oracle:java -o json  | jq -r '.cvss' | Rscript -e 'summary(as.numeric(read.table(file("stdin"))[,1]))'

Min. 1st Qu.  Median    Mean 3rd Qu.    Max.

1.800   5.350   9.300   7.832  10.000  10.000

python3 search.py -p sun:jre -o json  | jq -r '.cvss' | Rscript -e 'summary(as.numeric(read.table(file("stdin"))[,1]))'

Min. 1st Qu.  Median    Mean 3rd Qu.    Max.

0.000   5.000   7.500   7.333  10.000  10.000

</code></pre>

<h2>

<a id="fulltext-indexing" class="anchor" href="#fulltext-indexing" aria-hidden="true"><span class="octicon octicon-link"></span></a>Fulltext indexing</h2>

<p>If you want to index all the CVEs from your current MongoDB collection:</p>

<pre><code>./python3.3 db_fulltext.py

</code></pre>

<p>and you query the fulltext index (to get a list of matching CVE-ID):</p>

<pre><code>./python3.3 search_fulltext.py -q NFS -q Linux

</code></pre>

<p>or to query the fulltext index and output the JSON object for each CVE-ID:</p>

<pre><code>./python3.3 search_fulltext.py -q NFS -q Linux -j

</code></pre>

<h2>

<a id="fulltext-visualization" class="anchor" href="#fulltext-visualization" aria-hidden="true"><span class="octicon octicon-link"></span></a>Fulltext visualization</h2>

<p>The fulltext indexer visualization is using the fulltext indexes to build

a list of the most common keywords used in CVE. <a href="http://nltk.org/">NLTK</a> is

required to generate the keywords with the most common English

stopwords and lemmatize the output. <a href="http://nltk.org/nltk3-alpha/">NTLK for Python 3</a>

exists but you need to use the alpha version of NLTK.</p>

<pre><code>./python3.3 search_fulltext.py  -g -s &gt;cve.json

</code></pre>

<p><img src="https://farm9.staticflickr.com/8109/8603509755_c7690c2de4_n.jpg" alt="cve-search visualization" title="CVE Keywords Visualization Using Data From cve-search"></p>

<p>You can see a visualization on the <a href="http://www.foo.be/cve/">demo site</a>.</p>

<h2>

<a id="web-interface" class="anchor" href="#web-interface" aria-hidden="true"><span class="octicon octicon-link"></span></a>Web interface</h2>

<p>The web interface is a minimal interface to see the last CVE entries and

query a specific CVE. You'll need flask in order to run the website and <a href="http://flask-pymongo.readthedocs.org/en/latest/">Flask-PyMongo</a>. To start

the web interface:</p>

<pre><code>cd ./web

./python3.3 index.py

</code></pre>

<p>Then you can connect on <a href="http://127.0.0.1:5000/">http://127.0.0.1:5000/</a> to browser the last CVE.</p>

<h2>

<a id="web-api-interface" class="anchor" href="#web-api-interface" aria-hidden="true"><span class="octicon octicon-link"></span></a>Web API interface</h2>

<p>The web interface includes a minimal JSON API to get CVE by ID, by vendor or product.

A public version of the API is also accessible on <a href="https://cve.circl.lu/">cve.circl.lu</a>.</p>

<p>List the know vendors in JSON</p>

<pre><code>curl http://127.0.0.1:5000/api/browse/

</code></pre>

<p>Dump the product of a specific vendor in JSON</p>

<pre><code>curl  http://127.0.0.1:5000/api/browse/zyxel 

{

  "product": [

    "n300_netusb_nbg-419n",

    "n300_netusb_nbg-419n_firmware",

    "p-660h-61",

    "p-660h-63",

    "p-660h-67",

    "p-660h-d1",

    "p-660h-d3",

    "p-660h-t1",

    "p-660h-t3",

    "p-660hw",

    "p-660hw_d1",

    "p-660hw_d3",

    "p-660hw_t3"

  ],

  "vendor": "zyxel"

}

</code></pre>

<p>Find the associated vulnerabilities to a vendor and a product</p>

<pre><code>curl  http://127.0.0.1:5000/api/search/zyxel/p-660hw

[{"cwe": "CWE-352", "references": ["http://www.exploit-db.com/exploits/33518", "http://secunia.com/advisories/58513", "http://packetstormsecurity.com/files/126812/Zyxel-P-660HW-T1-Cross-Site-Request-Forgery.html", "http://osvdb.org/show/osvdb/107449"], "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw:_t1:v3"], "Published": "2014-06-16T14:55:09.713-04:00", "id": "CVE-2014-4162", "Modified": "2014-07-17T01:07:29.683-04:00", "cvss": 6.8, "summary": "Multiple cross-site request forgery (CSRF) vulnerabilities in the Zyxel P-660HW-T1 (v3) wireless router allow remote attackers to hijack the authentication of administrators for requests that change the (1) wifi password or (2) SSID via a request to Forms/WLAN_General_1."}, {"cwe": "CWE-20", "references": ["http://www.kb.cert.org/vuls/id/893726"], "vulnerable_configuration": ["cpe:/h:zyxel:p-660h-63:-", "cpe:/h:zyxel:p-660h-t1:-", "cpe:/h:zyxel:p-660h-d3:-", "cpe:/h:zyxel:p-660h-t3:v2", "cpe:/h:zyxel:p-660h-t1:v2", "cpe:/h:zyxel:p-660h-d1:-", "cpe:/h:zyxel:p-660h-67:-", "cpe:/h:zyxel:p-660h-61:-", "cpe:/h:zyxel:p-660hw_t3:v2", "cpe:/h:zyxel:p-660hw_t3:-", "cpe:/h:zyxel:p-660hw_d3:-", "cpe:/h:zyxel:p-660hw_d1:v2", "cpe:/h:zyxel:p-660hw_d1:-", "cpe:/h:zyxel:p-660hw:_t1:v2", "cpe:/h:zyxel:p-660hw:_t1:-"], "Published": "2014-04-01T23:58:16.967-04:00", "id": "CVE-2013-3588", "Modified": "2014-04-02T11:29:53.243-04:00", "cvss": 7.8, "summary": "The web management interface on Zyxel P660 devices allows remote attackers to cause a denial of service (reboot) via a flood of TCP SYN packets."}, {"cwe": "CWE-79", "references": ["http://osvdb.org/ref/99/rompager407.pdf", "http://osvdb.org/99694", "http://antoniovazquezblanco.github.io/docs/advisories/Advisory_RomPagerXSS.pdf"], "vulnerable_configuration": ["cpe:/h:d-link:dsl-2640r:-", "cpe:/h:d-link:dsl-2641r:-", "cpe:/h:huawei:mt882:-", "cpe:/h:sitecom:wl-174:-", "cpe:/h:tp-link:td-8816:-", "cpe:/a:allegrosoft:rompager:4.07", "cpe:/h:zyxel:p-660hw_d1:-"], "Published": "2014-01-16T14:55:04.607-05:00", "id": "CVE-2013-6786", "Modified": "2014-01-17T11:01:47.353-05:00", "cvss": 4.3, "summary": "Cross-site scripting (XSS) vulnerability in Allegro RomPager before 4.51, as used on the ZyXEL P660HW-D1, Huawei MT882, Sitecom WL-174, TP-LINK TD-8816, and D-Link DSL-2640R and DSL-2641R, when the \"forbidden author header\" protection mechanism is bypassed, allows remote attackers to inject arbitrary web script or HTML by requesting a nonexistent URI in conjunction with a crafted HTTP Referer header that is not properly handled in a 404 page.  NOTE: there is no CVE for a \"URL redirection\" issue that some sources list separately."}, {"cwe": "CWE-79", "references": ["http://xforce.iss.net/xforce/xfdb/41109", "http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded", "http://www.gnucitizen.org/projects/router-hacking-challenge/"], "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw_t3:v2", "cpe:/h:zyxel:p-660hw:_t1:v2", "cpe:/h:zyxel:p-660hw_d1:v2", "cpe:/h:zyxel:p-660hw_t3:-", "cpe:/h:zyxel:p-660hw:_t1:-", "cpe:/h:zyxel:p-660hw_d3:-", "cpe:/h:zyxel:p-660hw_d1:-"], "Published": "2008-03-10T13:44:00.000-04:00", "id": "CVE-2008-1257", "Modified": "2012-05-31T00:00:00.000-04:00", "cvss": 4.3, "summary": "Cross-site scripting (XSS) vulnerability in Forms/DiagGeneral_2 on the ZyXEL P-660HW series router allows remote attackers to inject arbitrary web script or HTML via the PingIPAddr parameter."}, {"id": "CVE-2008-1256", "references": ["http://xforce.iss.net/xforce/xfdb/41108", "http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded", "http://www.gnucitizen.org/projects/router-hacking-challenge/"], "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw"], "Published": "2008-03-10T13:44:00.000-04:00", "Modified": "2011-03-07T22:06:25.080-05:00", "cvss": 10.0, "summary": "The ZyXEL P-660HW series router has \"admin\" as its default password, which allows remote attackers to gain administrative access."}, {"cwe": "CWE-264", "references": ["http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded", "http://www.gnucitizen.org/projects/router-hacking-challenge/", "http://xforce.iss.net/xforce/xfdb/41114"], "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw"], "Published": "2008-03-10T13:44:00.000-04:00", "id": "CVE-2008-1255", "Modified": "2008-09-05T17:37:15.440-04:00", "cvss": 10.0, "summary": "The ZyXEL P-660HW series router maintains authentication state by IP address, which allows remote attackers to bypass authentication by establishing a session from a source IP address of a previously authenticated user."}, {"cwe": "CWE-352", "references": ["http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded", "http://www.gnucitizen.org/projects/router-hacking-challenge/", "http://xforce.iss.net/xforce/xfdb/41111"], "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw"], "Published": "2008-03-10T13:44:00.000-04:00", "id": "CVE-2008-1254", "Modified": "2008-09-05T17:37:15.287-04:00", "cvss": 6.8, "summary": "Multiple cross-site request forgery (CSRF) vulnerabilities on the ZyXEL P-660HW series router allow remote attackers to (1) change DNS servers and (2) add keywords to the \"bannedlist\" via unspecified vectors."}]

</code></pre>

<h2>

<a id="software-using-cve-search" class="anchor" href="#software-using-cve-search" aria-hidden="true"><span class="octicon octicon-link"></span></a>Software using cve-search</h2>

<ul>

<li>

<a href="https://www.github.com/CIRCL/cve-portal">cve-portal</a> which is a CVE notification portal</li>

<li>

<a href="https://www.github.com/NorthernSec/cve-search-mt">cve-search-mt</a> which is a set of management tools for CVE-Search</li>

<li>

<a href="https://www.github.com/NorthernSec/cve-scan">cve-scan</a> which is a NMap CVE system scanner</li>

</ul>

<h2>

<a id="license" class="anchor" href="#license" aria-hidden="true"><span class="octicon octicon-link"></span></a>License</h2>

<p>cve-search is free software released under the "Modified BSD license"</p>

<pre><code>Copyright (c) 2012 Wim Remes - https://github.com/wimremes/

Copyright (c) 2012-2015 Alexandre Dulaunoy - https://github.com/adulau/

Copyright (c) 2015 Pieter-Jan Moreels - https://github.com/pidgeyl/

</code></pre>

      <footer class="site-footer">

        <span class="site-footer-owner"><a href="https://github.com/cve-search/cve-search">Cve-search</a> is maintained by <a href="https://github.com/cve-search">cve-search</a>.</span>

        <span class="site-footer-credits">This page was generated by <a href="https://pages.github.com">GitHub Pages</a> using the <a href="https://github.com/jasonlong/cayman-theme">Cayman theme</a> by <a href="https://twitter.com/jasonlong">Jason Long</a>.</span>

      </footer>

    </section>

  </body>

</html>

/*

   Copyright 2014 GitHub Inc.

   Licensed under the Apache License, Version 2.0 (the "License");

   you may not use this file except in compliance with the License.

   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software

   distributed under the License is distributed on an "AS IS" BASIS,

   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

   See the License for the specific language governing permissions and

   limitations under the License.

*/

.pl-c /* comment */ {

  color: #969896;

}

.pl-c1      /* constant, markup.raw, meta.diff.header, meta.module-reference, meta.property-name, support, support.constant, support.variable, variable.other.constant */,

.pl-s .pl-v /* string variable */ {

  color: #0086b3;

}

.pl-e  /* entity */,

.pl-en /* entity.name */ {

  color: #795da3;

}

.pl-s .pl-s1 /* string source */,

.pl-smi      /* storage.modifier.import, storage.modifier.package, storage.type.java, variable.other, variable.parameter.function */ {

  color: #333;

}

.pl-ent /* entity.name.tag */ {

  color: #63a35c;

}

.pl-k /* keyword, storage, storage.type */ {

  color: #a71d5d;

}

.pl-pds              /* punctuation.definition.string, string.regexp.character-class */,

.pl-s                /* string */,

.pl-s .pl-pse .pl-s1 /* string punctuation.section.embedded source */,

.pl-sr               /* string.regexp */,

.pl-sr .pl-cce       /* string.regexp constant.character.escape */,

.pl-sr .pl-sra       /* string.regexp string.regexp.arbitrary-repitition */,

.pl-sr .pl-sre       /* string.regexp source.ruby.embedded */ {

  color: #183691;

}

.pl-v /* variable */ {

  color: #ed6a43;

}

.pl-id /* invalid.deprecated */ {

  color: #b52a1d;

}

.pl-ii /* invalid.illegal */ {

  background-color: #b52a1d;

  color: #f8f8f8;

}

.pl-sr .pl-cce /* string.regexp constant.character.escape */ {

  color: #63a35c;

  font-weight: bold;

}

.pl-ml /* markup.list */ {

  color: #693a17;

}

.pl-mh        /* markup.heading */,

.pl-mh .pl-en /* markup.heading entity.name */,

.pl-ms        /* meta.separator */ {

  color: #1d3e81;

  font-weight: bold;

}

.pl-mq /* markup.quote */ {

  color: #008080;

}

.pl-mi /* markup.italic */ {

  color: #333;

  font-style: italic;

}

.pl-mb /* markup.bold */ {

  color: #333;

  font-weight: bold;

}

.pl-md /* markup.deleted, meta.diff.header.from-file */ {

  background-color: #ffecec;

  color: #bd2c00;

}

.pl-mi1 /* markup.inserted, meta.diff.header.to-file */ {

  background-color: #eaffea;

  color: #55a532;

}

.pl-mdr /* meta.diff.range */ {

  color: #795da3;

  font-weight: bold;

}

.pl-mo /* meta.output */ {

  color: #1d3e81;

}