Original Automated CVE Checking Tool

cve-check-tool

cve-check-tool, as its name suggests, is a tool for checking known
(public) CVEs. The tool identifies potentially vulnerable software
packages within Linux distributions through version matching. Where
possible it will also seek to determine (through a distribution
implementation) whether a vulnerability has been addressed by way of a patch.

Matches are only ever potential: because of the differing policies of
distributions, and of versioning semantics within individual projects,
the tool is expected to generate false positives.

The tool is designed to integrate with a locally cached copy of the
National Vulnerability Database, which should be updated every 3-4
hours. Correctly integrated within the workflow of a distribution,
and with the correct bug report tool, this yields a minimum
4 hour turnaround on all disclosed (non-embargoed) CVEs.

Data Usage

cve-check-tool downloads the NVD in its entirety, from 2002 until the
current moment. The decompressed XML database is in excess of 550MB,
so this should be taken into account before running the tool. From then
on, only the changed database segments are fetched. It is therefore
advisable to use cve-check-tool on a machine that has sufficient disk
space and a suitable internet connection.

On a fairly modern machine, it should only take around 10 seconds to
consume the databases. Note however that when the tool runs, it will
use a lot of resources to ensure it is fast (it needs to go through over
7 million lines of XML, for one).

CLI usage:

Most common usage, automatically determine package type and scan for the
packages in the given package list file:

cve-check-tool ../packages

Recurse a directory structure, with the predetermined type of eopkg:

cve-check-tool -t eopkg .

Check a single RPM source package, ignoring patched issues:

cve-check-tool -n readline.spec

Flags can be combined; check -h for details. An example that recurses all
directories, finding .spec RPM files and ignoring patched issues:

cve-check-tool -n -t rpm .
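The matching described above (a version match of each package against NVD entries, plus the -n behaviour of dropping CVEs that a shipped patch already addresses), as an added illustration in C that is not cve-check-tool's own code. The NVD entries, package and patch file names are constructed sample data, and the "patched" check is simplified to a patch filename containing the CVE id:

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for NVD entries (sample data, not real NVD records):
 * one affected product/version per entry, as the CPE data lists them. */
struct cve_entry { const char *id; const char *product; const char *version; };
static const struct cve_entry nvd[] = {
    { "CVE-2014-0001", "readline", "6.3" },
    { "CVE-2014-0002", "readline", "6.3" },
    { "CVE-2014-0003", "readline", "6.2" },
    { "CVE-2014-0004", "bash",     "4.3" },
};
#define NVD_LEN (sizeof(nvd) / sizeof(nvd[0]))
/* A source package: name, version and the patch files it ships (NULL-ended). */
struct package { const char *name; const char *version; const char *patches[4]; };
/* A patch whose filename mentions the CVE id counts as addressing it. */
static int is_patched(const struct package *pkg, const char *cve_id)
{
    for (size_t i = 0; i < 4 && pkg->patches[i]; i++)
        if (strstr(pkg->patches[i], cve_id))
            return 1;
    return 0;
}
/* Version-match pkg against the database, writing matching CVE ids to out
 * (at most max). With skip_patched set (what -n does), CVEs that a shipped
 * patch already covers are left out. Returns the number of CVEs reported. */
size_t check_package(const struct package *pkg, int skip_patched,
                     const char **out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < NVD_LEN && n < max; i++) {
        if (strcmp(nvd[i].product, pkg->name) != 0 ||
            strcmp(nvd[i].version, pkg->version) != 0)
            continue;                       /* different product or version */
        if (skip_patched && is_patched(pkg, nvd[i].id))
            continue;                       /* already fixed by a local patch */
        out[n++] = nvd[i].id;
    }
    return n;
}
int main(void)
{
    const struct package rl = { "readline", "6.3",
        { "readline-6.3-CVE-2014-0001.patch", "build-fix.patch", NULL } };
    const char *hits[NVD_LEN];
    size_t n = check_package(&rl, 1, hits, NVD_LEN);   /* reports only CVE-2014-0002 */
    for (size_t i = 0; i < n; i++)
        printf("%s-%s: %s (unpatched)\n", rl.name, rl.version, hits[i]);
    return 0;
}
```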

License

cve-check-tool is available under the terms of the GNU General Public License,
Version 2. Please check the LICENSE file for further details.

Copyright © 2015 Intel Corporation