{"id":41574271,"url":"https://github.com/evdenis/cvehound","last_synced_at":"2026-01-24T08:11:06.228Z","repository":{"id":37879137,"uuid":"323983930","full_name":"evdenis/cvehound","owner":"evdenis","description":"Check linux sources dump for known CVEs.","archived":false,"fork":false,"pushed_at":"2025-12-16T03:37:39.000Z","size":13884,"stargazers_count":133,"open_issues_count":9,"forks_count":16,"subscribers_count":6,"default_branch":"master","last_synced_at":"2026-01-07T18:04:19.922Z","etag":null,"topics":["coccinelle","cve","cve-scanning","kernel","linux"],"latest_commit_sha":null,"homepage":"","language":"SmPL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/evdenis.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog","contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"patreon":"efremov","liberapay":"efremov"}},"created_at":"2020-12-23T19:20:11.000Z","updated_at":"2025-12-16T03:37:36.000Z","dependencies_parsed_at":"2023-12-28T12:54:23.107Z","dependency_job_id":"e5a9c4c4-8174-4e94-9ddd-b42ffdf77443","html_url":"https://github.com/evdenis/cvehound","commit_stats":{"total_commits":802,"total_committers":7,"mean_commits":"114.57142857142857","dds":0.02244389027431426,"last_synced_commit":"484af3abd3b668920e66360d39c1178e17d15e3d"},"previous_names":[],"tags_count":18,"template":false,"template_full_name":null,"purl":"pkg:github/evdenis/cvehound","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evdenis%2Fcvehound","tags_url":"https://repos
.ecosyste.ms/api/v1/hosts/GitHub/repositories/evdenis%2Fcvehound/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evdenis%2Fcvehound/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evdenis%2Fcvehound/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/evdenis","download_url":"https://codeload.github.com/evdenis/cvehound/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evdenis%2Fcvehound/sbom","scorecard":{"id":385998,"data":{"date":"2025-08-11","repo":{"name":"github.com/evdenis/cvehound","commit":"2a2642c8efe42b591eed9c6105ad0d6b48d5d2c4"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.4,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/29 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow 
patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/publish.yml:1","Warn: no topLevel permission defined: .github/workflows/test.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing 
vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/evdenis/cvehound/publish.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/evdenis/cvehound/publish.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/evdenis/cvehound/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/evdenis/cvehound/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/evdenis/cvehound/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/evdenis/cvehound/test.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:83: update your workflow using 
https://app.stepsecurity.io/secureworkflow/evdenis/cvehound/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/evdenis/cvehound/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:137: update your workflow using https://app.stepsecurity.io/secureworkflow/evdenis/cvehound/test.yml/master?enable=pin","Warn: pipCommand not pinned by hash: .github/workflows/publish.yml:23","Warn: pipCommand not pinned by hash: .github/workflows/publish.yml:24","Warn: pipCommand not pinned by hash: .github/workflows/test.yml:132","Warn: pipCommand not pinned by hash: .github/workflows/test.yml:133","Warn: pipCommand not pinned by hash: .github/workflows/test.yml:134","Info:   0 out of   8 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned","Info:   0 out of   5 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: GNU General Public License v3.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release 
artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 1 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-18T16:37:22.752Z","repository_id":37879137,"created_at":"2025-08-18T16:37:22.752Z","updated_at":"2025-08-18T16:37:22.752Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28720454,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-24T05:53:42.649Z","status":"ssl_error","status_checked_at":"2026-01-24T05:53:41.698Z","response_time":89,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["coccinelle","cve","cve-scanning","kernel","linux"],"created_at":"2026-01-24T08:11:05.679Z","updated_at":"2026-01-24T08:11:06.219Z","avatar_url":"https://github.com/evdenis.png","language":"SmPL","funding_links":["https://patreon.com/efremov","https://liberapay.com/efremov"],"categories":[],"sub_categories":[],"readme":"[![GitHub Actions status](https://github.com/evdenis/cvehound/workflows/test/badge.svg)](https://github.com/evdenis/cvehound/actions?query=workflow%3Atest)\n[![Supported Versions of Python](https://img.shields.io/pypi/pyversions/cvehound.svg)](https://pypi.org/project/cvehound)\n[![PyPI package version](https://img.shields.io/pypi/v/cvehound.svg)](https://pypi.org/project/cvehound)\n\n# CVEhound\n\nCVEhound is a tool for checking Linux sources for known CVEs.\nThe tool is based on [coccinelle](https://coccinelle.gitlabpages.inria.fr/website/)\nrules and grep patterns. The tool checks sources for vulnerable\ncode patterns of known CVEs and missing fixes for them.\n\n- **What:** The tool tries to find \"unfixed\" code of known CVEs;\n- **How:** The tool uses [coccinelle/grep](cvehound/cve) rules with patterns that help detect known CVE bugs or their fixes. Thus, sources are checked either for the presence of \"unfixed\" code pieces (e.g. [CVE-2020-12912](cvehound/cve/CVE-2020-12912.cocci)), or for the absence of a fix (e.g. 
[CVE-2020-26088](cvehound/cve/CVE-2020-26088.cocci));\n- **Why:** If you have a git log, it is easier to check which CVEs are fixed based on the git history. However, many vendors (Samsung, Huawei, various IoT and router manufacturers) publish kernel sources as archives without a development log. In most cases their kernels are based on LTS kernels, but the versions are far from upstream. The Linux version string from the Makefile only tells you which CVEs were fixed by kernel developers up to this version. It will not help you understand which fixes were backported by the vendor itself. In this case you can apply the tool and check for \"missing\" CVE fixes.\n\n### CVEHound: Audit Kernel Sources for Missing CVE Fixes\n\n[Linux Security Summit 2021 Presentation (EN)](docs/LSS2021_CVEhound_en.pdf)\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://www.youtube.com/watch?v=jIDnVeZNUA8\"\u003e\n    \u003cimg src=\"https://img.youtube.com/vi/jIDnVeZNUA8/0.jpg\" alt=\"Linux Security Summit 2021 Presentation\"/\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n[ZeroNights 2021 Presentation (RU)](docs/ZN2021_CVEhound_ru.pdf)\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://www.youtube.com/watch?v=-QwLkpYzQIk\"\u003e\n    \u003cimg src=\"https://img.youtube.com/vi/-QwLkpYzQIk/0.jpg\" alt=\"ZeroNights 2021 Presentation\"/\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n### Found issues in stable trees\n\n - CVE-2020-27825 fix [missing backports](https://lkml.org/lkml/2021/1/21/1278) for [5.4, 4.19, 4.14, 4.9, 4.4 kernels](https://www.spinics.net/lists/stable/msg440412.html)\n - CVE-2021-4149 fix [missing backports](https://lore.kernel.org/stable/d1a3f31f-2205-6dce-0f33-6611972e48cd@gmx.com/T/#t) to [4.19, 4.14, 4.9 kernels](https://lore.kernel.org/stable/20220309064748.160978-1-denis.e.efremov@oracle.com/)\n - CVE-2022-26490 fix [missing backports](https://lore.kernel.org/all/20220321174006.47972-1-denis.e.efremov@oracle.com/)\n - CVE-2023-1989 fix 
missing backports for [6.1, 5.15, 5.10, 5.4, 4.19, 4.14 kernels](https://lore.kernel.org/stable/20230902102200.24474-1-efremov@linux.com/)\n - Similar to CVE-2021-28660 [fix in r8188eu driver](https://lore.kernel.org/all/20220518070052.108287-1-denis.e.efremov@oracle.com/#r)\n - Similar to CVE-2021-28660 [fix in rtl8723bs driver](https://lore.kernel.org/all/20220520035730.5533-1-efremov@linux.com/)\n - Similar to CVE-2022-26490 [fix](https://lore.kernel.org/all/20221122004246.4186422-4-mfaltesek@google.com/) in [st-nci driver](https://lore.kernel.org/all/fc85ff14-70d6-0c3e-247d-eda2284a5f6b@oracle.com/)\n - Security [regression CVE-2020-10781](https://lkml.org/lkml/2023/4/17/744)\n - See [test exceptions](https://github.com/evdenis/cvehound/blob/master/tests/test_01_on_branch.py#L7) for more examples\n\n## Prerequisites\n\n- Python 3 (\u003e=3.11)\n- pip (Python package manager)\n- grep with PCRE support (-P flag)\n- coccinelle (\u003e= 1.0.7)\n\nInstall prerequisites:\n``` shell\n# Ubuntu: coccinelle uses libpython2.7 internally\n# Some PPAs seem to mark the libpython dependency as optional\n$ sudo add-apt-repository ppa:npalix/coccinelle\n$ sudo apt install python3-pip coccinelle libpython2.7\n\n# Fedora\n$ sudo dnf install python3-pip coccinelle\n\n# macOS\n$ brew install coccinelle\n```\n\n## Installation\n\nTo install the latest stable version just run the following command:\n\n``` shell\n$ python3 -m pip install --user cvehound\n```\n\nFor development purposes you may install cvehound in \"editable\" mode\ndirectly from the repository (clone it on your computer beforehand):\n\n``` shell\n$ pip install -e .\n```\n\nTo update the CVE rules from the GitHub repository:\n\n``` shell\n$ cvehound_update_rules\n```\n\n## How to use\n\nThe simplest way to start using CVEhound is to run the following command:\n\n``` shell\n$ cvehound --kernel ~/linux\nFound: CVE-2020-27830\nFound: CVE-2020-27152\nFound: CVE-2020-29371\nFound: CVE-2020-26088\n```\n\nwhere *dir* should point 
to the Linux kernel sources. CVEhound will check the\nsources for all CVE patterns that you can find in [cve dir](/cvehound/cve/).\nTo check the sources for particular CVEs one can use:\n\n``` shell\n$ cvehound --kernel ./linux --kernel-config --cve CVE-2020-27194 CVE-2020-29371\nChecking: CVE-2020-27194\nFound: CVE-2020-27194\nMSG: bpf: Fix scalar32_min_max_or bounds tracking\nCWE: Improper Restriction of Operations within the Bounds of a Memory Buffer\nFIX DATE: 2020-10-08 09:02:53\nhttps://www.linuxkernelcves.com/cves/CVE-2020-27194\nAffected Files:\n - linux/kernel/bpf/verifier.c: CONFIG_BPF \u0026 CONFIG_BPF_SYSCALL\n   linux/.config: affected\nConfig: ./linux/.config affected\n\nChecking: CVE-2020-29371\nFound: CVE-2020-29371\nMSG: romfs: fix uninitialized memory leak in romfs_dev_read()\nCWE: Use of Uninitialized Resource\nFIX DATE: 2020-08-21 16:52:53\nhttps://www.linuxkernelcves.com/cves/CVE-2020-29371\nAffected Files:\n - linux/fs/romfs/storage.c: CONFIG_ROMFS_FS\n   linux/.config: not affected\nConfig: ./linux/.config not affected\n```\n\nOther args:\n - `--report` - will produce a JSON file with found CVEs.\n   Most of the meta-information in the generated report is taken from linuxkernelcves.com\n - `--kernel-config` or `--kernel-config \u003cfile\u003e` - will infer the kernel configuration required to\n   build the affected code (based on Kbuild/Makefiles, ifdefs are not checked) and\n   check the kernel .config file if there is one\n - `--files`, `--cwe` - will limit the scope of checked CVEs to the kernel files of\n   interest or specific CWE classes\n - `--exploit` - check only for CVEs that are known to be exploitable (according to\n   the FSTEC BDU database)\n\n## Contributing\n\n### Development Setup\n\n``` shell\n# Clone and install in editable mode\n$ git clone https://github.com/evdenis/cvehound.git\n$ cd cvehound\n$ pip install -e '.[tests]'\n\n# Install pre-commit hooks\n$ pip install pre-commit\n$ pre-commit install\n\n# Run linting and type 
checking\n$ pre-commit run --all-files\n```\n\nThe project uses:\n- **ruff** for linting and formatting\n- **mypy** for static type checking (strict mode)\n- **pre-commit** for automated code quality checks\n\n### Writing CVE Detection Rules\n\nIf you'd like to contribute new CVE detection rules, please see our comprehensive guides:\n\n- **[Writing Coccinelle Detection Rules for CVE Patterns](docs/WRITING_RULES.md)** - Complete guide with step-by-step instructions, patterns, and examples\n- **[Coccinelle CVE Detection Cheat Sheet](docs/COCCINELLE_CHEATSHEET.md)** - Quick reference for common patterns\n- **[AI Agent Guide](docs/AI_AGENT_GUIDE.md)** - Systematic approach for AI agents writing CVE rules\n\nTemplates:\n- `contrib/template.cocci` - Enhanced template with examples and comments\n- `contrib/blank.cocci` - Minimal template for new rules\n\n## License\n\nPython code is licensed under GPLv3. All rules in cvehound/cve folder are licensed under GPLv2.\n\n## Acknowledgements\n\nI would like to thank the following projects and people behind them:\n - [coccinelle](https://coccinelle.gitlabpages.inria.fr/website/) for the program matching engine\n - [linuxkernelcves.com](https://linuxkernelcves.com/) for information about Linux CVEs\n - [undertaker](https://vamos.informatik.uni-erlangen.de/trac/undertaker) for mapping kernel configs to .c files\n - [sympy](https://www.sympy.org/) for the symbolic logic solver\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fevdenis%2Fcvehound","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fevdenis%2Fcvehound","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fevdenis%2Fcvehound/lists"}