Giter Club home page Giter Club logo

cve-check-tool's Introduction

cve-check-tool

Build Status Coverage Status

cve-check-tool, as its name suggests, is a tool for checking known (public) CVEs. The tool will identify potentially vunlnerable software packages within Linux distributions through version matching. Where possible it will also seek to determine (through a distribution implemention) if a vulnerability has been addressed by way of a patch.

CVEs are only ever potential - due to the various policies of various distributions, and indeed semantics in versioning within various projects, it is expected that the tool may generate false positives.

The tool is designed to integrate with a locally cached copy of the National Vulnerability Database, which should be updated every 3-4 hours. Correctly integrated within the workflow of a distribution, and indeed with the correct bug report tool, this yields a minimum 4 hour turnaround on all disclosed CVEs (non-embargoed)

Data Usage

cve-check-tool downloads the NVD in its entirety, from 2002 until the current moment. The decompressed XML database is in excess of 550MB, so this should be taken into account before running the tool. From then on, only the changed database segments are fetched. Therefore it is advisable to use cve-check-tool on a machine that has sufficient space and internet connection.

On a fairly modern machine, it should only take around 10 seconds to consume the databases. Note however that when the tool runs, it will use a lot of resources to ensure it is fast (it needs to go through over 7 million lines of XML, for one.)

CLI usage:

Most common usage, automatically determine package type and scan for the packages in the given package list file:

cve-check-tool ../packages

Recurse a directory structure, with the predetermined type of eopkg:

cve-check-tool -t eopkg .

Check a single RPM source package, ignoring patched issues:

cve-check-tool -n readline.spec

Flags can be combined, check -h for details. An example to recurse all directories, finding .spec RPM files, and ignoring patched issues:

cve-check-tool -n -t rpm .

License

cve-check-tool is available under the terms of the GNU General Public License, Version 2. Please check the LICENSE file for further details.

Copyright (C) 2015 Intel Corporation

cve-check-tool's People

Contributors

johnwhiteman avatar ikeydoherty avatar fenrus75 avatar kraj avatar pohly avatar petermarko avatar tudorciochina avatar

Watchers

James Cloos avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.