On 08/04/2018 05:16 PM, akuster808 wrote:

On 08/03/2018 03:37 PM, Grygorii Tertychnyi (gtertych) via
Openembedded-core wrote:
cvert-kernel - generate CVE report for the Linux kernel.
   NVD entries for the Linux kernel are almost always outdated.
   For example, https://nvd.nist.gov/vuln/detail/CVE-2018-1065
   is shown as matched for "versions up to (including) 4.15.7",
   however the patch 57ebd808a97d has been back ported for 4.14.
   cvert-kernel script checks NVD Resource entries for the patch URLs
   and looks for the commits in the local git tree.

cvert-foss - generate CVE report for the list of packages.
   It analyzes the whole image manifest to align with the complex
   CPE configurations.

cvert-update - only update NVD feeds and store CVE blob locally.
   CVE blob is a pickled representation of the cve_struct dictionary.

cvert.py - python module used by all cvert-* scripts.
   Uses NVD JSON Vulnerability Feeds
   https://nvd.nist.gov/vuln/data-feeds#JSON_FEED

Signed-off-by: grygorii tertychnyi <gtert...@cisco.com>

This looks existing. I will give it a try this weekend.

Is this what was talked about at the last OEDeM ?

Thanks Armin.
Yes, we talked about this at last year's meeting.

--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
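
The check that the cvert-kernel description in the thread outlines, as an added Python example that is not taken from the patch or from cvert.py: it pulls commit ids out of the patch URLs of one NVD JSON feed item and looks for them in a git log, counting a stable backport that names the mainline commit as a match. The function names, the `git log --format=%H%n%B%x00` input format, the rule that every referenced fix must be present, and the sample data are assumptions made for this example.

```python
import re

# Commit ids in kernel patch URLs: cgit "...?id=<sha>" and GitHub ".../commit/<sha>".
PATCH_URL = re.compile(r"(?:git\.kernel\.org/\S*?[?;&]id=|"
                       r"github\.com/torvalds/linux/commit/)([0-9a-f]{12,40})")
# Stable backports name the mainline commit they carry in the message body.
UPSTREAM = re.compile(r"^commit ([0-9a-f]{12,40}) upstream"
                      r"|\[ Upstream commit ([0-9a-f]{12,40}) \]", re.M)

def patch_commits(entry):
    """Commit ids referenced by the patch URLs of one NVD JSON feed item."""
    refs = entry["cve"]["references"]["reference_data"]
    return {m.group(1) for r in refs for m in PATCH_URL.finditer(r["url"])}

def tree_commits(log_text):
    """Ids found in `git log --format=%H%n%B%x00` output (format is an assumption)."""
    ids = set()
    for record in log_text.split("\x00"):
        sha, _, body = record.strip().partition("\n")
        if sha:
            ids.add(sha)  # the commit's own hash
            ids.update(a or b for a, b in UPSTREAM.findall(body))  # mainline id
    return ids

def report(entry, log_text):
    """'patched' if every referenced fix is in the tree, else 'vulnerable'."""
    wanted = patch_commits(entry)
    if not wanted:
        return "unknown"  # no patch URL, so the tree cannot decide
    have = tree_commits(log_text)
    # Abbreviated and full hashes of one commit share a prefix.
    found = {w for w in wanted
             if any(h.startswith(w) or w.startswith(h) for h in have)}
    return "patched" if found == wanted else "vulnerable"

# Constructed sample data: the feed item uses the abbreviated id from the thread;
# the hashes and subjects in the two logs are made up.
KORG = "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git"
ENTRY = {"cve": {"CVE_data_meta": {"ID": "CVE-2018-1065"},
                 "references": {"reference_data": [
                     {"url": KORG + "/commit/?id=57ebd808a97d"},
                     {"url": "https://github.com/torvalds/linux/commit/57ebd808a97d"},
                     {"url": "https://example.org/advisory"}]}}}
LOG_BACKPORTED = ("a" * 40 + "\nconstructed backport subject\n\n"
                  "commit 57ebd808a97d upstream.\n\x00\n"
                  + "b" * 40 + "\nunrelated change\n\x00\n")
LOG_UNPATCHED = "c" * 40 + "\nunrelated change\n\x00\n"
```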