https://github.com/falk-werner/cve-check


# CVE-Check

CVE-Check is a simple CVE checker based on [NVD CVE Data Feeds](https://nvd.nist.gov/vuln/data-feeds).
It is intended to perform a quick scan for known vulnerabilities in certain products.

## Disclaimer

This tool is meant to be used as a supporting aid, not as the only method to check against CVEs.
__Running this tool doesn't guarantee your products are free of CVEs.__

## Quick Start

Before running cve-check, a local CVE database must be created using `cve-check-create-db.py`:

````
> python3 ./cve-check-create-db.py
````

After the CVE database is created, you can scan for CVEs using `cve-check.py`:

````
> python3 ./cve-check.py -p openssl
CVE-2021-23839
CVE-2021-23840
CVE-2021-23840
CVE-2021-23841
CVE-2021-23841
CVE-2021-3449
...
````

## Creating local CVE database

````
> python3 ./cve-check-create-db.py
````

Before a scan can be performed, a local CVE database is needed. The purpose of the database is to speed up
scanning. A typical use case is to create the database once and then scan for various products, e.g. project
dependencies like openssl and/or libpng.

The database is created from the [NVD CVE Data Feeds](https://nvd.nist.gov/vuln/data-feeds), which track all CVEs
since 2002 and are regularly updated.

__Make sure to re-create the local CVE database regularly to keep it up to date.__

| Option | Example | Description |
| ---------- | ------------ | ------------------------------------------------------------------ |
| -f, --file | -f my-cve.db | Optional. Specify filename of local CVE database (Default: cve.db) |

## Scanning for CVEs

````
> python3 ./cve-check.py -p <product>
````

Once a local CVE database is created, you can scan for CVEs of a certain product.

| Option | Example | Description |
| ------------- | ----------------------- | --------------------------------------------------------------------------------- |
| -p, --product | -p openssl | Required. Product to scan for. Use * to scan for all products |
| --version | --version 1.1.1 | Optional. Specify version of the product to scan for (Default: *) |
| --vendor | --vendor haxx | Optional. Specify vendor of the product to scan for (Default: *) |
| -f, --file | -f my-cve.db | Optional. Specify filename of local CVE database (Default: cve.db) |
| -i, --ignore | -i CVE-2021-22897 | Optional. Ignore single CVE. Multiple CVEs can be specified using -i multiple times |
| --ignore-file | --ignore-file ignore.txt | Optional. Ignore all CVEs in the file. Each line contains a single CVE. |
| -v, --verbose | -v | Optional. Enable verbose mode. Print additional info per CVE. |

### Scan for specific version

````
> python3 ./cve-check.py -p curl --version 7.76
CVE-2021-22897
CVE-2021-22898
CVE-2021-22901
CVE-2021-22901
CVE-2021-22898
CVE-2021-22897
````

In order to narrow the resulting CVEs it is common to specify the version of the product to scan for.

### Verbose output

````
> python3 ./cve-check.py -p curl --version 7.76 -v
CVE-2021-22897 haxx curl [7.61.0,7.76.1] PATCHED
CVE-2021-22898 haxx curl [7.7,7.76.1] PATCHED
CVE-2021-22901 haxx curl [7.75.0,7.76.1] PATCHED
CVE-2021-22901 haxx curl [7.75.0,7.76.1] PATCHED
CVE-2021-22898 haxx curl [7.7,7.76.1] PATCHED
CVE-2021-22897 haxx curl [7.61.0,7.76.1] PATCHED
````

To print additional information about the resulting CVEs, use the `-v` option.

Note that full information about each CVE can be obtained at [https://cve.mitre.org/](https://cve.mitre.org/).

### Ignore CVEs

````
> python3 ./cve-check.py -p curl --version 7.76 -v -i CVE-2021-22897 -i CVE-2021-22898
CVE-2021-22901 haxx curl [7.75.0,7.76.1] PATCHED
CVE-2021-22901 haxx curl [7.75.0,7.76.1] PATCHED
CVE-2021-22898 haxx curl [7.7,7.76.1] PATCHED
CVE-2021-22897 haxx curl [7.61.0,7.76.1] PATCHED
````

Single CVEs can be ignored by using the `-i` option. To ignore multiple CVEs, multiple occurrences of `-i` can be provided.

````
> python3 ./cve-check.py -p curl --version 7.76 -v --ignore-file ignored-cves.txt
CVE-2021-22901 haxx curl [7.75.0,7.76.1] PATCHED
CVE-2021-22901 haxx curl [7.75.0,7.76.1] PATCHED
CVE-2021-22898 haxx curl [7.7,7.76.1] PATCHED
CVE-2021-22897 haxx curl [7.61.0,7.76.1] PATCHED
````

Another option to ignore multiple CVEs is to provide an ignore file using `--ignore-file`. Each line of the file contains one CVE.
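
The verbose samples above list the same CVE more than once, so a build gate usually wants the output de-duplicated before deciding pass or fail. The following is an added example, not part of the cve-check project: it parses the verbose output, removes duplicates and applies an ignore list to every occurrence. The reading of the bracket as a version range and the names `unique_findings`, `load_ignores` and `cve_sort_key` are assumptions of this example.

```python
import re
import sys

# Layout taken from the verbose samples on this page:
#   CVE-ID vendor product [start,end] STATUS
# Reading the bracket as a version range is an assumption.
LINE_RE = re.compile(
    r"^(CVE-\d{4}-\d{4,})\s+(\S+)\s+(\S+)\s+\[([^,\]]*),([^\]]*)\]\s+(\S+)$")

# Verbose output copied from the curl 7.76 sample above.
SAMPLE_OUTPUT = """\
CVE-2021-22897 haxx curl [7.61.0,7.76.1] PATCHED
CVE-2021-22898 haxx curl [7.7,7.76.1] PATCHED
CVE-2021-22901 haxx curl [7.75.0,7.76.1] PATCHED
CVE-2021-22901 haxx curl [7.75.0,7.76.1] PATCHED
CVE-2021-22898 haxx curl [7.7,7.76.1] PATCHED
CVE-2021-22897 haxx curl [7.61.0,7.76.1] PATCHED
"""

def load_ignores(text):
    """Ignore-file content: one CVE id per line (blank lines are skipped)."""
    return {ln.strip().upper() for ln in text.splitlines() if ln.strip()}

def cve_sort_key(cve):
    """Sort numerically, so CVE-2021-3449 comes before CVE-2021-23839."""
    _, year, number = cve.split("-")
    return int(year), int(number)

def unique_findings(output, ignored=frozenset()):
    """De-duplicate verbose lines and drop every occurrence of ignored ids."""
    seen = set()
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            # Fail closed: an unknown line must not become a clean result.
            raise ValueError(f"unrecognised line: {line!r}")
        if match.group(1).upper() not in ignored:
            seen.add(match.groups())
    return sorted(seen, key=lambda f: (cve_sort_key(f[0]), f[1:]))

if __name__ == "__main__":
    # Usage (hypothetical file name): python3 gate.py < verbose-output.txt
    findings = unique_findings(sys.stdin.read())
    for finding in findings:
        print(" ".join(finding[:3]), f"[{finding[3]},{finding[4]}]", finding[5])
    sys.exit(1 if findings else 0)
```

The script exits with status 1 when any finding remains, which lets a CI job fail on it.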

## Further Resources

- [https://cve.mitre.org/](https://cve.mitre.org/)
- __NVD CVE Data Feeds__: [https://nvd.nist.gov/vuln/data-feeds](https://nvd.nist.gov/vuln/data-feeds)
- __CPE 2.3 Specification__: [https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf](https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf)