[OE-core] [PATCH 1/2] cve-report: add scripts to generate CVE reports

grygorii tertychnyi gtertych at cisco.com
Mon Aug 6 07:24:34 UTC 2018


On 08/04/2018 05:16 PM, akuster808 wrote:
>
> On 08/03/2018 03:37 PM, Grygorii Tertychnyi (gtertych) via
> Openembedded-core wrote:
>> cvert-kernel - generate CVE report for the Linux kernel.
>>    NVD entries for the Linux kernel are almost always outdated.
>>    For example, https://nvd.nist.gov/vuln/detail/CVE-2018-1065
>>    is shown as matched for "versions up to (including) 4.15.7",
>>    however the patch 57ebd808a97d has been backported for 4.14.
>>    cvert-kernel script checks NVD Resource entries for the patch URLs
>>    and looks for the commits in the local git tree.
>>
>> cvert-foss - generate CVE report for the list of packages.
>>    It analyzes the whole image manifest to align with the complex
>>    CPE configurations.
>>
>> cvert-update - only update NVD feeds and store CVE blob locally.
>>    CVE blob is a pickled representation of the cve_struct dictionary.
>>
>> cvert.py - python module used by all cvert-* scripts.
>>    Uses NVD JSON Vulnerability Feeds https://nvd.nist.gov/vuln/data-feeds#JSON_FEED
>>
>> Signed-off-by: grygorii tertychnyi <gtertych at cisco.com>
>
> This looks existing. I will give it a try this weekend.
>
> Is this what was talked about at the last OEDeM ?

Thanks Armin.
Yes, we talked about this at last year's meeting.
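The check the quoted commit message describes for cvert-kernel (patch URLs from the NVD references, then a lookup in the local tree), as an added example that is not code from the patch or from cvert.py. It assumes the NVD JSON 1.0 feed layout, the stable-tree convention of citing the mainline commit in the backport message, and a git log supplied as (sha, message) pairs; all function names and the sample data are hypothetical.

```python
import re

# Commit ids as they appear in kernel.org cgit and GitHub commit URLs.
_URL_COMMIT = re.compile(r"(?:[?;&]id=|/commit/)([0-9a-f]{7,40})\b")
# Assumed stable-tree convention: a backport cites the mainline commit it carries.
_UPSTREAM = re.compile(
    r"(?:^commit |\[ Upstream commit )([0-9a-f]{7,40})(?: upstream| \])", re.M)


def patch_commits(cve_item):
    """Return commit ids found in the reference URLs of one NVD CVE item."""
    found = []
    for ref in cve_item["cve"]["references"]["reference_data"]:
        for cid in _URL_COMMIT.findall(ref.get("url", "")):
            if cid not in found:
                found.append(cid)
    return found


def local_ids(git_log):
    """Ids the tree carries: each commit's own sha plus any mainline sha it cites."""
    ids = set()
    for sha, body in git_log:
        ids.add(sha)
        ids.update(_UPSTREAM.findall(body))
    return ids


def report(cve_item, git_log):
    """Classify a CVE as 'patched', 'unpatched' or 'unknown' (no patch URL in NVD)."""
    fixes = patch_commits(cve_item)
    if not fixes:
        return "unknown"
    have = local_ids(git_log)
    # Abbreviated and full ids match when one is a prefix of the other.
    hit = any(h.startswith(f) or f.startswith(h) for f in fixes for h in have)
    return "patched" if hit else "unpatched"


# Constructed sample data; only the abbreviated commit id comes from the post.
SAMPLE_CVE = {"cve": {"references": {"reference_data": [
    {"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=57ebd808a97d"},
    {"url": "https://example.org/advisory"},
]}}}
BACKPORTED_LOG = [("0123456789abcdef0123456789abcdef01234567",
                   "subsys: constructed backport\n\ncommit 57ebd808a97d upstream.\n\nBody.")]
REVERT_LOG = [("89abcdef0123456789abcdef0123456789abcdef",
               "This reverts commit 57ebd808a97d.")]
```

A tree whose history only reverts the fix is reported as unpatched, because the revert line does not match the backport citation pattern; a CVE with no commit URL in its references is reported as unknown rather than unpatched.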



