[OE-core] [PATCH 1/2] cve-report: add scripts to generate CVE reports
Mikko.Rapeli at bmw.de
Mikko.Rapeli at bmw.de
Mon Aug 6 06:56:54 UTC 2018
On Fri, Aug 03, 2018 at 10:37:05PM +0000, Grygorii Tertychnyi (gtertych) via Openembedded-core wrote:
> cvert-kernel - generate CVE report for the Linux kernel.
> NVD entries for the Linux kernel is almost always outdated.
> For example, https://nvd.nist.gov/vuln/detail/CVE-2018-1065
> is shown as matched for "versions up to (including) 4.15.7",
> however the patch 57ebd808a97d has been back ported for 4.14.
> cvert-kernel script checks NVD Resource entries for the patch URLs
> and looking for the commits in the local git tree.
This is an interesting approach.
For the kernel I've been using information not from NVD but from
https://github.com/nluedtke/linux_kernel_cves/
As an example, all CVE fixed in 4.14 kernel series point releases AND all
non-fixed CVE are listed in:
https://github.com/nluedtke/linux_kernel_cves/blob/master/4.14/4.14_security.txt
I have not tried to automate this, but I do find the information there
much better than NVD.
-Mikko
More information about the Openembedded-core
mailing list