mrl5/vulner

Discover CVEs for packages installed by the portage

vulner


Discover CVEs for software.

  • Use case 1) as a Funtoo Linux user I want to have awareness of CVEs on my system
  • Use case 2) as a user I want to list CVEs for a given package
  • Use case 3) as a Gentoo Linux user I want to have awareness of CVEs on my system
  • Use case 4) as a Funtoo Linux maintainer I want to scan all packages in a kit for CVEs
  • Use case 5) as a Funtoo Linux maintainer I want to scan the whole meta-repo for CVEs
  • Use case 6) as a Funtoo Linux user I want to list bug tracker security vulnerability tickets that are not fixed yet
  • Use case 7) as a Funtoo Linux user I want to know if there is already a ticket for a CVE detected by vulner

API keys

For a better user experience consider using API keys.

More details in COOKBOOK.md

DISCLAIMER

Running vulner scan doesn't guarantee that all CVEs present on your system will be detected. It tries to map packages installed by Portage to a set of known NVD CPEs, and it is possible that not every package will be tagged with a CPE successfully. An untagged package is invisible to the scan, so a clean result is not proof of a clean system.

For more info about false negatives and false positives check docs/CAVEATS.md

Examples

Check out docs/COOKBOOK.md

CVEs, CPEs, WTFs

Check this example: https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=openssh

Notice how easy it is to list all CVEs for a given CPE. Once a package is tied to the right CPE, NVD already does the CVE bookkeeping, which is what allows you to build a reliable vulnerability tracker on top of CPEs; the hard and lossy step is getting from an installed package to that CPE.
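To make the CPE side of this concrete, here is an added Rust example (it is not vulner's own code) that parses CPE 2.3 formatted strings, builds the CPE to look up for a Portage atom such as net-misc/openssh-8.4_p1-r1, and checks whether a candidate NVD CPE applies to it. The vendor lookup table, the Portage version-splitting heuristic and the candidate CPE strings are all constructed for the demo; mapping the Portage "_pN" suffix to the CPE "update" field is the kind of naming detail that decides whether a package gets tagged at all.

```rust
// Added example, not vulner's own code: CPE 2.3 parsing and matching for
// packages named the Portage way. Tables and sample CPEs are constructed.
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq)]
pub enum Attr {
    Any,           // "*" in the formatted string: any value
    Na,            // "-": not applicable
    Value(String), // raw component; escape sequences are kept as written
}

impl Attr {
    fn from_component(c: &str) -> Attr {
        match c {
            "*" => Attr::Any,
            "-" => Attr::Na,
            v => Attr::Value(v.to_string()),
        }
    }
}

/// The eleven attributes of a CPE 2.3 name, in binding order:
/// part, vendor, product, version, update, edition, language,
/// sw_edition, target_sw, target_hw, other.
#[derive(Debug, Clone, PartialEq)]
pub struct Cpe(pub [Attr; 11]);

/// Split a formatted string on unescaped ':' only ("\:" stays inside its component).
pub fn split_components(s: &str) -> Vec<String> {
    let mut out = Vec::new();
    let mut cur = String::new();
    let mut escaped = false;
    for ch in s.chars() {
        match (escaped, ch) {
            (false, '\\') => { escaped = true; cur.push(ch); }
            (false, ':') => out.push(std::mem::take(&mut cur)),
            (true, _) => { escaped = false; cur.push(ch); }
            (false, _) => cur.push(ch),
        }
    }
    out.push(cur);
    out
}

/// Parse "cpe:2.3:<11 attributes>"; anything else is rejected.
pub fn parse_cpe(s: &str) -> Result<Cpe, String> {
    let parts = split_components(s);
    if parts.len() != 13 || parts[0] != "cpe" || parts[1] != "2.3" {
        return Err(format!("not a CPE 2.3 formatted string: {s}"));
    }
    let attrs: Vec<Attr> = parts[2..].iter().map(|p| Attr::from_component(p)).collect();
    Ok(Cpe(attrs.try_into().expect("exactly 11 attributes")))
}

/// Does a CPE from an NVD record apply to the CPE built from the local system?
/// ANY on either side matches (unknown on our side is treated conservatively,
/// i.e. it leans towards a false positive); otherwise attributes must be identical.
pub fn applies_to(known: &Cpe, observed: &Cpe) -> bool {
    known.0.iter().zip(observed.0.iter()).all(|(k, o)| match (k, o) {
        (Attr::Any, _) | (_, Attr::Any) => true,
        _ => k == o,
    })
}

/// Split a Portage atom into (category, package name, version, revision).
/// Heuristic (assumption): drop a trailing "-rN", then split at the last '-'
/// that is followed by a digit.
pub fn split_atom(atom: &str) -> Option<(String, String, String, u32)> {
    let (cat, pf) = atom.split_once('/')?;
    let (pvr, rev) = match pf.rsplit_once("-r") {
        Some((head, r)) if !r.is_empty() && r.chars().all(|c| c.is_ascii_digit()) => {
            (head, r.parse().ok()?)
        }
        _ => (pf, 0),
    };
    let idx = pvr
        .match_indices('-')
        .filter(|(i, _)| pvr[*i + 1..].starts_with(|c: char| c.is_ascii_digit()))
        .map(|(i, _)| i)
        .last()?;
    Some((cat.to_string(), pvr[..idx].to_string(), pvr[idx + 1..].to_string(), rev))
}

/// Build the CPE to look up for an installed package. A Portage "_pN"/"_rcN"
/// suffix becomes the CPE "update" field (8.4_p1 -> version 8.4, update p1).
/// vendor_map is an assumed lookup table; a package missing from it is the
/// "not tagged" case the disclaimer talks about.
pub fn atom_to_cpe(atom: &str, vendor_map: &HashMap<&str, &str>) -> Option<Cpe> {
    let (_cat, pn, pv, _rev) = split_atom(atom)?;
    let vendor = *vendor_map.get(pn.as_str())?;
    let (version, update) = match pv.split_once('_') {
        Some((v, u)) => (v.to_string(), Attr::Value(u.to_string())),
        None => (pv.clone(), Attr::Any),
    };
    Some(Cpe([
        Attr::Value("a".into()),
        Attr::Value(vendor.into()),
        Attr::Value(pn),
        Attr::Value(version),
        update,
        Attr::Any, Attr::Any, Attr::Any, Attr::Any, Attr::Any, Attr::Any,
    ]))
}

fn main() {
    let vendors: HashMap<&str, &str> = HashMap::from([("openssh", "openbsd"), ("zlib", "zlib")]);
    let observed = atom_to_cpe("net-misc/openssh-8.4_p1-r1", &vendors).unwrap();
    // Constructed candidates in the shape NVD uses; not real advisory data.
    for c in [
        "cpe:2.3:a:openbsd:openssh:8.4:p1:*:*:*:*:*:*",
        "cpe:2.3:a:openbsd:openssh:8.4:*:*:*:*:*:*:*",
        "cpe:2.3:a:openbsd:openssh:8.3:*:*:*:*:*:*:*",
    ] {
        println!("{c} -> applies: {}", applies_to(&parse_cpe(c).unwrap(), &observed));
    }
}
```

Run it and the two 8.4 candidates match while 8.3 does not; swap the vendor table for one that lacks "openssh" and atom_to_cpe returns None, which is exactly the silent miss a clean scan can hide.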

Howto build and install

An ebuild is available in ebuilds/ (it is also in the Funtoo security-kit) ...

... or you can build and install with make:

make install

Howto run

./scripts/check-runtime-deps.sh
vulner --help
RUST_LOG=debug vulner sync
RUST_LOG=info vulner scan -o ~/vulner/scan-results

Why does vulner need python at runtime?

For the reasons described in the ADR 0001-runtime-python-dependencies.md.