cve-check-tool, as its name suggests, is a tool for checking known (public) CVEs. The tool will identify potentially vulnerable software packages within Linux distributions through version matching. Where possible it will also seek to determine (through a distribution implementation) if a vulnerability has been addressed by way of a patch.
For a further discussion on the base concepts of cve-check-tool, see this talk I gave at LinuxCon EU '15.
- Dump replicant code and rebase onto libnica, purging GLib too
- Create abstract data source provider type
- Convert NVD into a single data source, reduced priority
- Ensure code-coverage and valgrind check integration
- Completely rework the NVD SQLite database for safety checks and seek speed
- Optimize the DB insert/lookups
- Introduce abstract package scanners. For now these will be source-only. In future we shall support binary scans too, so keep it abstract.
- Re-introduce compatibility with old CLI options or a migration plan.
- Work with cve-check-tool users to ensure correct deployment of new release.
- Complete all testing
- Send out the new cve-check-tool 6.x
This branch is to be used to reimplement the tool in a more modular and extendible fashion. It does not necessarily mean we need to sport dynamic loading of modules like before, however we should factor for multiple data sources, introspection methods, etc.
Please look to the legacy-tool branch for the old version of CVE Check Tool in the meantime, and do not use master as your source in packaging.
Essentially, the core will be split out from the main binaries, allowing various forms of interaction between various sources, outputs and matchers.
Previously re-implemented portions of code can now be sought from libnica to provide utilities and data types, as it is well tested and modular of its own accord. As a result, it is expected that libnica will develop new features in tandem with this branch.
The tool makes use of data sources to understand vulnerability information, and how it pertains to product configurations. Currently a single data source is provided, the NvdDataSource. This uses data from the National Vulnerability Database.
This is implemented internally by consuming the XML feeds provided by the NVD, and converting them into an instantly usable form, by way of an SQLite3 database.
As these data sources are somewhat large, special care is taken when processing the database, such as integrity checks, as well as validity checks on the XML itself. In the instance of any issues, the database is rolled back to the last good transaction, to prevent any corruption.
Note that new CVE data may only overwrite previously stored data if the modification date is newer than that of the last data imported. Doing so ensures consistency even in the event of non-sequential data imports and subsequent database updates, allowing the database to remain persistent.
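The following is an added illustration of the import behaviour described above, written in Python rather than the project's own C, and it is not code from cve-check-tool: an NVD-style XML feed is parsed incrementally and loaded into SQLite inside one transaction; malformed XML raises partway through and the transaction is rolled back, so no partial import survives; and an entry only overwrites a stored row when its modification date is newer, so replaying an older feed after a newer one changes nothing. The feed layout, the table schema and the CVE entries are all constructed for the example (no namespaces, no CPE strings), and the exact product/version lookup at the end is a deliberate simplification of version matching.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed schema for the example; not the tool's real NVD database layout.
SCHEMA = """
CREATE TABLE IF NOT EXISTS cve (id TEXT PRIMARY KEY, modified TEXT NOT NULL,
                                score REAL, summary TEXT);
CREATE TABLE IF NOT EXISTS affected (cve_id TEXT NOT NULL, product TEXT NOT NULL,
                                     version TEXT NOT NULL,
                                     PRIMARY KEY (cve_id, product, version));
"""

# Constructed sample feeds (not real NVD data). Timestamps are ISO-8601 so they
# compare correctly as plain text.
FEED_V1 = """<feed>
<entry id="CVE-2015-0001" modified="2015-03-01T00:00:00">
  <score>5.0</score><summary>first description</summary>
  <product name="openssl" version="1.0.1e"/>
  <product name="openssl" version="1.0.1f"/>
</entry>
<entry id="CVE-2015-0002" modified="2015-04-01T00:00:00">
  <score>7.5</score><summary>second description</summary>
  <product name="zlib" version="1.2.8"/>
</entry>
</feed>
"""
# A non-sequential import: CVE-2015-0001 replayed with an OLDER date (must be
# ignored) and CVE-2015-0002 with a NEWER date (must replace the stored row).
FEED_V2 = """<feed>
<entry id="CVE-2015-0001" modified="2015-02-01T00:00:00">
  <score>9.0</score><summary>stale replay</summary>
  <product name="openssl" version="1.0.0"/>
</entry>
<entry id="CVE-2015-0002" modified="2015-06-01T00:00:00">
  <score>8.0</score><summary>updated description</summary>
  <product name="zlib" version="1.2.8"/>
  <product name="zlib" version="1.2.9"/>
</entry>
</feed>
"""
# One good entry followed by malformed XML (unclosed <entry>): after the
# rollback the good entry must be gone as well.
FEED_BROKEN = """<feed>
<entry id="CVE-2015-0003" modified="2015-07-01T00:00:00">
  <score>4.3</score><summary>would be lost</summary>
  <product name="bash" version="4.3"/>
</entry>
<entry id="CVE-2015-0004" modified="2015-07-01T00:00:00">
</feed>
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def iter_entries(xml_text):
    """Yield each completed <entry> element while the feed is parsed chunk by
    chunk, so malformed input raises ET.ParseError partway through an import
    (after earlier entries were already written) rather than before it starts."""
    parser = ET.XMLPullParser(events=("end",))
    for chunk in xml_text.splitlines(keepends=True):
        parser.feed(chunk)  # raises ET.ParseError on malformed XML
        for _event, elem in parser.read_events():
            if elem.tag == "entry":
                yield elem
    parser.close()


def upsert_entry(conn, entry):
    """Write an entry unless the stored copy is at least as new. Returns True
    if the row was written."""
    cve_id, modified = entry.get("id"), entry.get("modified")
    row = conn.execute("SELECT modified FROM cve WHERE id = ?", (cve_id,)).fetchone()
    if row is not None and row[0] >= modified:
        return False  # stored data is newer or equal: keep it
    conn.execute(
        "INSERT OR REPLACE INTO cve (id, modified, score, summary) VALUES (?, ?, ?, ?)",
        (cve_id, modified, float(entry.findtext("score", "0")), entry.findtext("summary")),
    )
    conn.execute("DELETE FROM affected WHERE cve_id = ?", (cve_id,))
    conn.executemany(
        "INSERT INTO affected (cve_id, product, version) VALUES (?, ?, ?)",
        [(cve_id, p.get("name"), p.get("version")) for p in entry.findall("product")],
    )
    return True


def import_feed(conn, xml_text):
    """Import one feed as a single transaction; returns rows written. A
    ParseError propagates and the 'with conn' block rolls everything back."""
    written = 0
    with conn:  # commit on success, rollback if anything raises
        for entry in iter_entries(xml_text):
            if upsert_entry(conn, entry):
                written += 1
    return written


def lookup(conn, product, version):
    """Exact product/version match, a simplification of real version matching."""
    rows = conn.execute(
        "SELECT cve_id FROM affected WHERE product = ? AND version = ? ORDER BY cve_id",
        (product, version)).fetchall()
    return [r[0] for r in rows]


def demo():
    conn = open_db()
    result = {"first": import_feed(conn, FEED_V1), "second": import_feed(conn, FEED_V2)}
    try:
        import_feed(conn, FEED_BROKEN)
        result["rolled_back"] = False
    except ET.ParseError:
        result["rolled_back"] = True
    result["ids"] = [r[0] for r in conn.execute("SELECT id FROM cve ORDER BY id")]
    result["summary_0001"] = conn.execute(
        "SELECT summary FROM cve WHERE id = 'CVE-2015-0001'").fetchone()[0]
    result["summary_0002"] = conn.execute(
        "SELECT summary FROM cve WHERE id = 'CVE-2015-0002'").fetchone()[0]
    result["zlib_129"] = lookup(conn, "zlib", "1.2.9")
    result["openssl_100"] = lookup(conn, "openssl", "1.0.0")
    return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` imports two rows from the first feed, only one from the replayed second feed (the stale CVE-2015-0001 is ignored, the newer CVE-2015-0002 replaces its row and its affected versions), and none from the broken feed, whose well-formed first entry is rolled back together with the failed parse.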
cve-check-tool is available under the terms of the GNU General Public License, Version 2 with a linking exception for OpenSSL.
Please check the LICENSE file for further details.
Copyright (C) 2015-2016 Intel Corporation