# vulner

Discover CVEs for software.
- Use case 1) as a Funtoo Linux user I want to have awareness of CVEs on my system
- Use case 2) as a user I want to list CVEs for a given package
- Use case 3) as a Gentoo Linux user I want to have awareness of CVEs on my system
- Use case 4) as a Funtoo Linux maintainer I want to scan all packages in a kit for CVEs
- Use case 5) as a Funtoo Linux maintainer I want to scan the whole meta-repo for CVEs
- Use case 6) as a Funtoo Linux user I want to list bug tracker security vulnerability tickets that are not yet fixed
- Use case 7) as a Funtoo Linux user I want to know if there is already a ticket for a CVE detected by vulner
## API keys

For a better user experience (the NVD API applies much stricter rate limits to unauthenticated requests), consider configuring API keys.
More details in docs/COOKBOOK.md
## DISCLAIMER

Running `vulner scan` doesn't guarantee that all CVEs present on your system will be
detected. It tries to map the packages installed by portage to a set of known
NVD CPEs. It is possible that not all packages will be successfully tagged, and an
untagged package is never matched against any CVE.
For more info about false negatives and false positives check docs/CAVEATS.md
## Examples

Check out docs/COOKBOOK.md
## CVEs, CPEs, WTFs

Check this example: https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=openssh

Notice how easy it is to list all CVEs for a given CPE. Identifying software by CPE is what makes a vulnerability tracker reliable: once a package is tagged with the right CPE name, the CVE lookup is a plain match on vendor, product and version range.
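The following is an added illustration of that pipeline, written for this README and not taken from vulner's own source: a portage atom (category/name-version) is parsed, looked up in a small package-to-CPE table, rendered as a CPE 2.3 name, and matched against NVD-style `versionStartIncluding` / `versionEndExcluding` ranges. The package list, the mapping table, the version normalization (`_p1` to `p1`) and the CVE records are all constructed sample data; the CVE ids are placeholders, not real entries. The third package has no table entry and comes back `Untagged`, which is exactly the false-negative case the disclaimer above warns about.

```rust
// Added example, not vulner's code. All data below is constructed.

/// One installed package as portage names it: category/name-version.
#[derive(Debug, Clone, PartialEq)]
pub struct Package {
    pub category: String,
    pub name: String,
    pub version: String,
}

/// Parse "category/name-version". The version starts at the first '-' that is
/// followed by a digit, because package names may contain dashes themselves.
pub fn parse_atom(atom: &str) -> Option<Package> {
    let (category, rest) = atom.split_once('/')?;
    let b = rest.as_bytes();
    let cut = (0..b.len())
        .find(|&i| b[i] == b'-' && b.get(i + 1).map_or(false, |c| c.is_ascii_digit()))?;
    Some(Package {
        category: category.to_string(),
        name: rest[..cut].to_string(),
        version: rest[cut + 1..].to_string(),
    })
}

/// Simplified portage -> NVD version normalization ("9.3_p1" -> "9.3p1").
/// Real mappings are package specific; this is an assumption for the example.
pub fn portage_to_nvd_version(v: &str) -> String {
    v.replace("_p", "p")
}

/// Split a version into (numeric, suffix) parts so "9.3p1" < "9.4" and
/// "9.3p1" > "9.3". Simplified compared to real dotted-version rules.
fn version_key(v: &str) -> Vec<(u64, String)> {
    v.split('.')
        .map(|part| {
            let digits: String = part.chars().take_while(|c| c.is_ascii_digit()).collect();
            (digits.parse::<u64>().unwrap_or(0), part[digits.len()..].to_string())
        })
        .collect()
}

pub fn version_lt(a: &str, b: &str) -> bool {
    version_key(a) < version_key(b)
}

/// NVD-style CPE match criteria as found in a CVE's "configurations" block.
pub struct CpeMatch {
    pub vendor: &'static str,
    pub product: &'static str,
    pub version_start_including: Option<&'static str>,
    pub version_end_excluding: Option<&'static str>,
}

pub struct Cve {
    pub id: &'static str,
    pub matches: Vec<CpeMatch>,
}

impl CpeMatch {
    fn applies(&self, vendor: &str, product: &str, version: &str) -> bool {
        if self.vendor != vendor || self.product != product {
            return false;
        }
        let below_start = self.version_start_including.map_or(false, |s| version_lt(version, s));
        let at_or_past_end = self.version_end_excluding.map_or(false, |e| !version_lt(version, e));
        !below_start && !at_or_past_end
    }
}

/// Portage (category, name) -> NVD (vendor, product). A real scanner keeps a much
/// larger table; a package missing here is the untagged / false-negative case.
fn cpe_for(pkg: &Package) -> Option<(&'static str, &'static str)> {
    match (pkg.category.as_str(), pkg.name.as_str()) {
        ("net-misc", "openssh") => Some(("openbsd", "openssh")),
        ("dev-libs", "openssl") => Some(("openssl", "openssl")),
        _ => None,
    }
}

pub fn cpe23_name(vendor: &str, product: &str, version: &str) -> String {
    format!("cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*")
}

#[derive(Debug, PartialEq)]
pub enum Finding {
    Tagged { cpe: String, cves: Vec<String> },
    Untagged,
}

/// Map every installed atom to a CPE (if possible) and list the CVEs whose
/// match criteria cover its version.
pub fn scan(atoms: &[&str], db: &[Cve]) -> Vec<(String, Finding)> {
    atoms
        .iter()
        .map(|atom| {
            let tagged = parse_atom(atom).and_then(|p| cpe_for(&p).map(|vp| (p, vp)));
            let finding = match tagged {
                None => Finding::Untagged,
                Some((pkg, (vendor, product))) => {
                    let version = portage_to_nvd_version(&pkg.version);
                    let cves = db
                        .iter()
                        .filter(|c| c.matches.iter().any(|m| m.applies(vendor, product, &version)))
                        .map(|c| c.id.to_string())
                        .collect();
                    Finding::Tagged { cpe: cpe23_name(vendor, product, &version), cves }
                }
            };
            (atom.to_string(), finding)
        })
        .collect()
}

/// Constructed stand-in for a synced NVD feed; the ids are placeholders.
pub fn sample_db() -> Vec<Cve> {
    let m = |vendor, product, start, end| CpeMatch {
        vendor, product, version_start_including: start, version_end_excluding: end,
    };
    vec![
        Cve { id: "CVE-0000-0001", matches: vec![m("openbsd", "openssh", None, Some("9.4"))] },
        Cve { id: "CVE-0000-0002", matches: vec![m("openbsd", "openssh", Some("9.0"), Some("9.3"))] },
        Cve { id: "CVE-0000-0003", matches: vec![m("openssl", "openssl", Some("3.0.0"), Some("3.0.10"))] },
    ]
}

fn main() {
    let installed = ["net-misc/openssh-9.3_p1", "dev-libs/openssl-3.0.9", "app-misc/unknown-tool-1.0"];
    for (atom, finding) in scan(&installed, &sample_db()) {
        println!("{atom}: {finding:?}");
    }
}
```

Note that `CVE-0000-0002` is not reported for openssh 9.3p1 even though it is "a 9.3 bug": its range ends before 9.3 exclusively, so correct version ordering (9.3p1 is newer than 9.3) is what keeps the result free of a false positive. The same ordering logic, applied to a version string the normalizer gets wrong, is a typical source of the false negatives docs/CAVEATS.md describes.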
## How to build and install

You can find the ebuild in ebuilds/ (it is also available in the Funtoo security-kit), or you can use make.
## How to run

```sh
./scripts/check-runtime-deps.sh
vulner --help
RUST_LOG=debug vulner sync
RUST_LOG=info vulner scan -o ~/vulner/scan-results
```
## Why does vulner need Python at runtime?

Because of the reasons described in the 0001-runtime-python-dependencies.md ADR.