Diffstat (limited to 'system/cve-check-tool/README')
-rw-r--r-- | system/cve-check-tool/README | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/system/cve-check-tool/README b/system/cve-check-tool/README new file mode 100644 index 0000000000000..a86ae9575cd1e --- /dev/null +++ b/system/cve-check-tool/README @@ -0,0 +1,20 @@ +cve-check-tool is a tool for checking known (public) CVEs. The tool will +identify potentially vunlnerable software packages within Linux +distributions through version matching. + +CVEs are only ever potential - due to the various policies of various +distributions, and indeed semantics in versioning within various +projects, it is expected that the tool may generate false positives. + +The tool is designed to integrate with a locally cached copy of the +National Vulnerability Database. cve-check-tool downloads the NVD in its +entirety, from 2002 until the current moment. The decompressed XML +database is in excess of 550MB, so this should be taken into account +before running the tool. + +Make package list from package database: + ( cd /var/log/packages/ ; ls | rev | cut -d- -f3- | \ + sed -e s/-/,/ -e s/^/,,/ | rev > /var/log/pkgs.csv ) + +Check packages via CVEs database: + cve-check-tool -uNc /var/log/pkgs.csv |
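Review bot: the first paragraph of the new README misspells "vulnerable" as "vunlnerable"; please fix that before merging. In the "Check packages via CVEs database" step, the flags in `cve-check-tool -uNc /var/log/pkgs.csv` are not explained anywhere in the file. Since the README warns that the NVD download decompresses to more than 550MB, a sentence saying what each of the three flags does, and whether this invocation triggers that download, would let a reader know what to expect on first run. In the "Make package list" step, the sed expressions are unquoted (`-e s/-/,/ -e s/^/,,/`); single-quoting them is safer against shell interpretation. The output file is written to /var/log/pkgs.csv, which requires root and puts generated data next to the package database, so consider a path under /tmp or the user's home directory, or state that the commands must be run as root. It would also help to state the CSV column layout the pipeline is expected to produce, so the rev/cut/sed chain can be checked against a sample entry from /var/log/packages/.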