[OE-core] [PATCH 1/2] cve-report: add scripts to generate CVE reports

grygorii tertychnyi gtertych at cisco.com
Mon Aug 6 08:06:49 UTC 2018


On 08/06/2018 09:56 AM, Mikko.Rapeli at bmw.de wrote:

> On Fri, Aug 03, 2018 at 10:37:05PM +0000, Grygorii Tertychnyi (gtertych) via Openembedded-core wrote:
>> cvert-kernel - generate CVE report for the Linux kernel.
>>    NVD entries for the Linux kernel are almost always outdated.
>>    For example, https://nvd.nist.gov/vuln/detail/CVE-2018-1065
>>    is shown as matched for "versions up to (including) 4.15.7",
>>    however the patch 57ebd808a97d has been backported for 4.14.
>>    The cvert-kernel script checks NVD Resource entries for the patch URLs
>>    and looks for the commits in the local git tree.
> This is an interesting approach.
>
> For the kernel I've been using information not from NVD but from
> https://github.com/nluedtke/linux_kernel_cves/
>
> As an example, all CVE fixed in 4.14 kernel series point releases AND all
> non-fixed CVE are listed in:
>
> https://github.com/nluedtke/linux_kernel_cves/blob/master/4.14/4.14_security.txt
>
> I have not tried to automate this, but I do find the information there
> much better than NVD.

Thanks for the links!
I did not know about these, I'll definitely try it.

> -Mikko
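The approach the quoted patch description gives for cvert-kernel (pull fix-commit URLs out of the NVD references, then look for those commits in the local kernel tree) can be sketched in a few functions. The block below is an added example written for this thread, not the cvert-kernel script from the patch. It assumes NVD references are available as plain URL lists, that kernel.org cgit commit URLs carry the hash in the `?id=` query parameter and GitHub commit URLs in the path, and that a stable backport cites the upstream commit id in its message body (the usual "commit <sha> upstream." line), which is why a plain hash lookup is not enough for the 4.14 case mentioned above. The sample CVE data is constructed; only the id 57ebd808a97d comes from the thread.

```python
"""Correlate NVD reference URLs with commits present in a local kernel tree.

Added example (not the cvert-kernel script from the patch). Assumptions:
  * NVD references are given as a list of URLs (constructed sample below);
  * kernel.org cgit commit URLs carry the hash in ?id=, GitHub ones in the path;
  * a stable backport carries a "commit <sha> upstream." line in its body, so
    `git log --grep` on the upstream hash finds it even though the backport
    itself has a different SHA.
"""
import re
import subprocess
from typing import Callable, Dict, Iterable, List

# Full or abbreviated hex commit ids in the two URL styles named above.
_COMMIT_URL = re.compile(r"(?:[?&]id=|/commit/)([0-9a-f]{12,40})\b")


def extract_commit_ids(urls: Iterable[str]) -> List[str]:
    """Return the unique commit ids referenced by patch URLs, in order."""
    seen: List[str] = []
    for url in urls:
        m = _COMMIT_URL.search(url)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def commit_in_tree(repo: str, upstream_id: str) -> bool:
    """True if upstream_id is in the tree directly, or a backport of it is.

    Direct presence: `git cat-file -e <id>^{commit}`.
    Backport: stable commits cite the upstream id in their body, so
    `git log --grep` finds them under a different SHA.
    """
    direct = subprocess.run(
        ["git", "-C", repo, "cat-file", "-e", f"{upstream_id}^{{commit}}"],
        capture_output=True,
    )
    if direct.returncode == 0:
        return True
    backport = subprocess.run(
        ["git", "-C", repo, "log", "--all", "--format=%H",
         f"--grep={upstream_id}", "-n", "1"],
        capture_output=True, text=True,
    )
    return backport.returncode == 0 and backport.stdout.strip() != ""


def report(cves: Dict[str, List[str]],
           present: Callable[[str], bool]) -> Dict[str, str]:
    """Classify each CVE as 'patched', 'unpatched' or 'no-patch-ref'.

    `present` is the tree check (commit_in_tree bound to a repo, or a
    stand-in for offline use). A CVE counts as patched only when every
    referenced fix commit is present; a CVE whose references carry no
    commit URL is reported separately, since it needs manual review rather
    than being silently counted as open or closed.
    """
    out: Dict[str, str] = {}
    for cve, urls in cves.items():
        ids = extract_commit_ids(urls)
        if not ids:
            out[cve] = "no-patch-ref"
        elif all(present(i) for i in ids):
            out[cve] = "patched"
        else:
            out[cve] = "unpatched"
    return out


# Constructed sample: CVE-2018-1065 with a kernel.org fix reference (the id
# 57ebd808a97d is the one cited in the thread); the other two entries are
# made up to exercise the remaining branches.
SAMPLE_CVES: Dict[str, List[str]] = {
    "CVE-2018-1065": [
        "https://nvd.nist.gov/vuln/detail/CVE-2018-1065",
        "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=57ebd808a97d",
    ],
    "CVE-0000-0001": [
        "https://github.com/torvalds/linux/commit/0123456789abcdef0123456789abcdef01234567",
    ],
    "CVE-0000-0002": ["https://example.invalid/advisory-without-commit"],
}

if __name__ == "__main__":
    import functools
    import sys
    # Usage: python cvert_demo.py /path/to/linux   (defaults to the cwd)
    repo = sys.argv[1] if len(sys.argv) > 1 else "."
    checker = functools.partial(commit_in_tree, repo)
    for cve, status in report(SAMPLE_CVES, checker).items():
        print(f"{cve}: {status}")
```

Run against a checkout of a stable branch, the `--grep` fallback is what makes a 4.14 tree report CVE-2018-1065 as patched even though 57ebd808a97d itself is not an ancestor of that branch; the "no-patch-ref" bucket is worth keeping visible in any report, because those are exactly the entries where NVD gives the tool nothing to correlate and the version-range match has to be trusted or checked by hand.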
