clearlinux / cve-check-tool

Original Automated CVE Checking Tool
GNU General Public License v2.0

CVE mapping functionality #1

Closed ikeydoherty closed 9 years ago

ikeydoherty commented 9 years ago

Adding this issue for tracking purposes:

We need to use mapping files where provided in place of the obtained package names to ensure maximum coverage. The two required fields map directly to CPE fields.

cve.ini:

vendor = somevendor
product = someproduct

Implementing distributions will have various methods for exposing this file. In the source repository the cve.ini file shall be present in the directory of the packaging files, i.e. *.spec, pspec.xml.

For RPM-based distributions making use of source RPM scanning, cve.ini should be incorporated as Source100 in the .spec, ensuring we can extract it from the .src.rpm.
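
Added example, not part of the issue thread and not cve-check-tool's own code: a sketch of how a cve.ini mapping can replace the obtained package name when looking up vulnerability records by CPE vendor and product. The function names, the sectionless parsing, the token rule, and the sample database with placeholder ids are all assumptions made for illustration.

```python
import configparser
import re

# Characters allowed in the vendor/product values (assumption: plain CPE-style tokens).
_TOKEN = re.compile(r"^[a-z0-9][a-z0-9._+-]*$")

# Constructed sample of vulnerability records keyed by CPE (vendor, product).
# The ids are placeholders, not real CVE numbers.
SAMPLE_DB = {
    ("somevendor", "someproduct"): ["CVE-PLACEHOLDER-0001", "CVE-PLACEHOLDER-0002"],
}

def load_mapping(text):
    """Parse cve.ini content; return (vendor, product) or None if unusable."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        # The file shown in the issue has no [section] header, so supply one.
        parser.read_string("[cve]\n" + text)
    except configparser.Error:
        return None
    vendor = parser["cve"].get("vendor", "").strip().lower()
    product = parser["cve"].get("product", "").strip().lower()
    # Both fields are required, and each must be a single safe token so a
    # mapping shipped with package sources cannot inject extra CPE fields.
    if not (_TOKEN.match(vendor) and _TOKEN.match(product)):
        return None
    return vendor, product

def lookup(package_name, mapping_text=None, db=SAMPLE_DB):
    """Return (product_used, ids), preferring the mapping over the package name."""
    mapping = load_mapping(mapping_text) if mapping_text else None
    if mapping:
        return mapping[1], db.get(mapping, [])
    # Fallback: match on product only, using the package name as obtained.
    name = package_name.lower()
    hits = [cve for (_, product), ids in db.items() if product == name for cve in ids]
    return name, hits

if __name__ == "__main__":
    ini = "vendor = somevendor\nproduct = someproduct\n"  # constructed sample
    print(lookup("libsomeproduct0"))       # package name alone finds nothing
    print(lookup("libsomeproduct0", ini))  # mapping finds both placeholder ids
```

A mapping that is missing a field, fails to parse, or contains a separator character is ignored and the lookup falls back to the package name.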

ikeydoherty commented 9 years ago

Resolved with -M mapping option (global)