cvechecker
local CVE checker tool
WWW CVSWeb GITHub-
Package versioncvechecker-4.0p0
-
MaintainerThe OpenBSD ports mailing-list
The goal of cvechecker is to report about possible vulnerabilities on
your system, by scanning the installed software and matching the results
with the CVE database. Indeed, this is not a bullet-proof method and you
will most likely have many false positives (vulnerability is fixed with
a revision-release, but the tool isn't able to detect the revision
itself), yet it is still better than nothing, especially if you are
running a distribution with little security coverage.
+-----------------------------------------------------------------------
| Running ${PKGSTEM} on OpenBSD
+-----------------------------------------------------------------------
Initial Configuration
=====================
The user running cvechecker(1) must be part of the _cvechecker group:
# usermod -G _cvechecker <username>
Edit ${SYSCONFDIR}/cvechecker.conf to your particular setup.
Then the database initialization is done by running:
$ cvechecker -i
(this step is required for both MariaDB and SQLite).
At last, the CVE data needs to be put into the database:
$ pullcves pull
Note that the first time this command is run, it will take a long time.
Subsequent calls to pullcves(1) will only update the current year and
will be much faster. It is advised to run this command regularly to make
sure the local CVE database is up to date with upstream.
Getting started with cvechecker
===============================
cvechecker(1) will scan a list of files and check whether there is a
corresponding CVE according to its version. For example, to check
binaries from installed packages(7):
$ find ${LOCALBASE}/{bin,libexec,sbin} -type f -perm -o+x > scanlist.txt
$ cvechecker -b scanlist.txt
$ cvechecker -r
- devel/argp-standalone
- devel/metaauto
- devel/autoconf/2.69
- devel/metaauto
- devel/automake/1.16
- devel/libtool
- net/wget
- sysutils/coreutils
- textproc/jq
- textproc/libxslt