search

sjvermeu / cvechecker

Command-line utility to scan the system and report on potential vulnerabilities, based on public CVE data
GNU General Public License v3.0
258 stars 68 forks source link

Help needed to understand why no CVE vulnerabilities are reported #64

Closed HenrikBach1 closed 3 years ago

HenrikBach1 commented 3 years ago

Hi

I need help to understand why the cvechecker -rC command isn't reporting any vulnerabilities. I know that the bzip/bzip2 or better yet coreutils 8.30 application has reported CVE (https://www.cvedetails.com/version/390343/Bzip-Bzip2--.html and https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-5075/year-2020/opdos-1/GNU-Coreutils.html):

root@db5702bad469:/projects/cvechecker/cvechecker-2021-05-08-master-build/cvechecker-master/execution# cvech
ecker -b scanlist-ubuntu-20.04 
Searching for known software titles...
 - Found match for /usr/lib/x86_64-linux-gnu/libpthread-2.31.so:        cpe:2.3:a:gnu:glibc:2.31:*:*:*:*:*:*:*
 - Found match for /usr/bin/findmnt:    cpe:2.3:a:linux:util-linux:2.21:*:*:*:*:*:*:*
 - Found match for /usr/bin/sha512sum:  cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/csplit:     cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/unlink:     cpe:2.3:a:gnu:coreutils:5.7:*:*:*:*:*:*:*
 - Found match for /usr/bin/znew:       cpe:2.3:a:gnu:gzip:1.10:*:*:*:*:*:*:*
 - Found match for /usr/bin/whoami:     cpe:2.3:a:gnu:coreutils:5.7:*:*:*:*:*:*:*
 - Found match for /usr/bin/dir:        cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/pwd:        cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/gzip:       cpe:2.3:a:gnu:gzip:1.10:*:*:*:*:*:*:*
 - Found match for /usr/bin/mv: cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/echo:       cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/tty:        cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/xargs:      cpe:2.3:a:gnu:findutils:4.7.0:*:*:*:*:*:*:*
 - Found match for /usr/bin/printf:     cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/basename:   cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/lsattr:     cpe:2.3:a:ext2_filesystems_utilities:e2fsprogs:1.45.5:*:*:*:*:*:*:*
 - Found match for /usr/bin/zforce:     cpe:2.3:a:gnu:gzip:1.10:*:*:*:*:*:*:*
 - Found match for /usr/bin/zmore:      cpe:2.3:a:gnu:gzip:1.10:*:*:*:*:*:*:*
 - Found match for /usr/bin/sha384sum:  cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/iconv:      cpe:2.3:a:gnu:glibc:2.31:*:*:*:*:*:*:*
 - Found match for /usr/bin/fmt:        cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/id: cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/cksum:      cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/chown:      cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/getent:     cpe:2.3:a:gnu:glibc:2.31:*:*:*:*:*:*:*
 - Found match for /usr/bin/expand:     cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/cut:        cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/logname:    cpe:2.3:a:gnu:coreutils:5.7:*:*:*:*:*:*:*
 - Found match for /usr/bin/du: cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/zdiff:      cpe:2.3:a:gnu:gzip:1.10:*:*:*:*:*:*:*
 - Found match for /usr/bin/cp: cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/fold:       cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/truncate:   cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/head:       cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/factor:     cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/od: cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/uname:      cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/link:       cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/split:      cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/sha256sum:  cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/chattr:     cpe:2.3:a:ext2_filesystems_utilities:e2fsprogs:1.45.5:*:*:*:*:*:*:*
 - Found match for /usr/bin/expr:       cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/chmod:      cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/mkfifo:     cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/uniq:       cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/unexpand:   cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/yes:        cpe:2.3:a:gnu:coreutils:5.6:*:*:*:*:*:*:*
 - Found match for /usr/bin/rmdir:      cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/zgrep:      cpe:2.3:a:gnu:gzip:1.10:*:*:*:*:*:*:*
 - Found match for /usr/bin/dircolors:  cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/find:       cpe:2.3:a:gnu:findutils:4.7.0:*:*:*:*:*:*:*
 - Found match for /usr/bin/pr: cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/ptx:        cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/base64:     cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/getconf:    cpe:2.3:a:gnu:glibc:2.31:*:*:*:*:*:*:*
 - Found match for /usr/bin/groups:     cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/sha224sum:  cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/mktemp:     cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/nohup:      cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/cat:        cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/ls: cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/nl: cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/printenv:   cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/dd: cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/tac:        cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/pathchk:    cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/localedef:  cpe:2.3:a:gnu:glibc:2.31:*:*:*:*:*:*:*
 - Found match for /usr/bin/localedef:  cpe:2.3:a:gnu:glibc:2.31:*:*:*:*:*:*:*
 - Found match for /usr/bin/install:    cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/mknod:      cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/mkdir:      cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/hostid:     cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/who:        cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/tr: cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/stat:       cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/vdir:       cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/comm:       cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/tee:        cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/sha1sum:    cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/gzexe:      cpe:2.3:a:gnu:gzip:1.10:*:*:*:*:*:*:*
 - Found match for /usr/bin/users:      cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/uncompress: cpe:2.3:a:gnu:gzip:1.10:*:*:*:*:*:*:*
 - Found match for /usr/bin/false:      cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/join:       cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/arch:       cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/zcat:       cpe:2.3:a:gnu:gzip:1.10:*:*:*:*:*:*:*
 - Found match for /usr/bin/chcon:      cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/bzip2recover:       cpe:2.3:a:bzip:bzip2:1.0.8:*:*:*:*:*:*:*
 - Found match for /usr/bin/chgrp:      cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/rm: cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/date:       cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/ln: cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/bash:       cpe:2.3:a:bash:bash:5.0.17:*:*:*:*:*:*:*
 - Found match for /usr/bin/tsort:      cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/sync:       cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/gunzip:     cpe:2.3:a:gnu:gzip:1.10:*:*:*:*:*:*:*
 - Found match for /usr/bin/env:        cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/locale:     cpe:2.3:a:gnu:glibc:2.31:*:*:*:*:*:*:*
 - Found match for /usr/bin/pinky:      cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/true:       cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/zcmp:       cpe:2.3:a:gnu:gzip:1.10:*:*:*:*:*:*:*
 - Found match for /usr/bin/runcon:     cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/shuf:       cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/zless:      cpe:2.3:a:gnu:gzip:1.10:*:*:*:*:*:*:*
 - Found match for /usr/bin/touch:      cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/touch:      cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/paste:      cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/shred:      cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/md5sum:     cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/readlink:   cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/nice:       cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/bin/gpgconf:    cpe:2.3:a:gnupg:gnupg:2.2.19:*:*:*:*:*:*:*
 - Found match for /usr/bin/gpg-zip:    cpe:2.3:a:gnupg:gnupg:2.2.19:*:*:*:*:*:*:*
 - Found match for /usr/bin/zipinfo:    cpe:2.3:a:info-zip:zip:5.9:*:*:*:*:*:*:*
 - Found match for /usr/bin/unzipsfx:   cpe:2.3:a:info-zip:unzip:2.3:*:*:*:*:*:*:*
 - Found match for /usr/bin/zipsplit:   cpe:2.3:a:info-zip:zip:3.0:*:*:*:*:*:*:*
 - Found match for /usr/bin/symcryptrun:        cpe:2.3:a:gnupg:gnupg:2.2.19:*:*:*:*:*:*:*
 - Found match for /usr/bin/gpg-agent:  cpe:2.3:a:gnupg:gnupg:2.2.19:*:*:*:*:*:*:*
 - Found match for /usr/bin/openssl:    cpe:2.3:a:openssl:openssl:1.1.1f:*:*:*:*:*:*:*
 - Found match for /usr/bin/gpg-connect-agent:  cpe:2.3:a:gnupg:gnupg:2.2.19:*:*:*:*:*:*:*
 - Found match for /usr/bin/sprof:      cpe:2.3:a:gnu:glibc:2.31:*:*:*:*:*:*:*
 - Found match for /usr/bin/gpgsm:      cpe:2.3:a:gnupg:gnupg:2.2.19:*:*:*:*:*:*:*
 - Found match for /usr/bin/m4: cpe:2.3:a:gnu:m4:1.4.18:*:*:*:*:*:*:*
 - Found match for /usr/bin/pinentry-curses:    cpe:2.3:a:gentoo:app-crypt_pinentry:1.1.0:*:*:*:*:*:*:*
 - Found match for /usr/bin/wget:       cpe:2.3:a:gnu:wget:1.2.11:*:*:*:*:*:*:*
 - Found match for /usr/bin/wget:       cpe:2.3:a:wget:wget:1.2.11:*:*:*:*:*:*:*
 - Found match for /usr/bin/make:       cpe:2.3:a:gnu:make:4.2.1:*:*:*:*:*:*:*
 - Found match for /usr/bin/zipnote:    cpe:2.3:a:info-zip:zip:3.0:*:*:*:*:*:*:*
 - Found match for /usr/bin/gencat:     cpe:2.3:a:gnu:glibc:2.31:*:*:*:*:*:*:*
 - Found match for /usr/bin/kbxutil:    cpe:2.3:a:gnupg:gnupg:2.2.19:*:*:*:*:*:*:*
 - Found match for /usr/bin/rpcgen:     cpe:2.3:a:gnu:glibc:2.31:*:*:*:*:*:*:*
 - Found match for /usr/bin/zipcloak:   cpe:2.3:a:info-zip:zip:5.8:*:*:*:*:*:*:*
 - Found match for /usr/bin/perlivp:    cpe:2.3:a:perl:perl:5.30.0:*:*:*:*:*:*:*
 - Found match for /usr/bin/zip:        cpe:2.3:a:info-zip:zip:3.0:*:*:*:*:*:*:*
 - Found match for /usr/bin/watchgnupg: cpe:2.3:a:gnupg:gnupg:2.2.19:*:*:*:*:*:*:*
 - Found match for /usr/bin/gpgsplit:   cpe:2.3:a:gnupg:gnupg:2.2.19:*:*:*:*:*:*:*
 - Found match for /usr/bin/unzip:      cpe:2.3:a:info-zip:unzip:1.0:*:*:*:*:*:*:*
 - Found match for /usr/sbin/ldconfig.real:     cpe:2.3:a:gnu:glibc:2.31:*:*:*:*:*:*:*
 - Found match for /usr/sbin/e2fsck:    cpe:2.3:a:ext2_filesystems_utilities:e2fsprogs:1.45.5:*:*:*:*:*:*:*
 - Found match for /usr/sbin/mke2fs:    cpe:2.3:a:ext2_filesystems_utilities:e2fsprogs:1.45.5:*:*:*:*:*:*:*
 - Found match for /usr/sbin/e2image:   cpe:2.3:a:ext2_filesystems_utilities:e2fsprogs:1.45.5:*:*:*:*:*:*:*
 - Found match for /usr/sbin/rmt-tar:   cpe:2.3:a:gnu:tar:1.30:*:*:*:*:*:*:*
 - Found match for /usr/sbin/tune2fs:   cpe:2.3:a:ext2_filesystems_utilities:e2fsprogs:1.45.5:*:*:*:*:*:*:*
 - Found match for /usr/sbin/iconvconfig:       cpe:2.3:a:gnu:glibc:2.31:*:*:*:*:*:*:*
 - Found match for /usr/sbin/iconvconfig:       cpe:2.3:a:gnu:glibc:2.31:*:*:*:*:*:*:*
 - Found match for /usr/sbin/dumpe2fs:  cpe:2.3:a:ext2_filesystems_utilities:e2fsprogs:1.45.5:*:*:*:*:*:*:*
 - Found match for /usr/sbin/debugfs:   cpe:2.3:a:ext2_filesystems_utilities:e2fsprogs:1.45.5:*:*:*:*:*:*:*
 - Found match for /usr/sbin/chroot:    cpe:2.3:a:gnu:coreutils:8.30:*:*:*:*:*:*:*
 - Found match for /usr/sbin/resize2fs: cpe:2.3:a:ext2_filesystems_utilities:e2fsprogs:1.45.5:*:*:*:*:*:*:*
root@db5702bad469:/projects/cvechecker/cvechecker-2021-05-08-master-build/cvechecker-master/execution# cvech
ecker -rC
Outputversion,File,CPE,CVE,CVSS,Matchtype,Hostname,Userkey
root@db5702bad469:/projects/cvechecker/cvechecker-2021-05-08-master-build/cvechecker-master/execution# cvechecker -rS
Detected vendor="gnu", product="glibc", version="2.31", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/sbin/iconvconfig
  - /usr/sbin/ldconfig.real
  - /usr/bin/rpcgen
  - /usr/bin/gencat
  - /usr/bin/sprof
  - /usr/bin/locale
  - /usr/bin/localedef
  - /usr/bin/getconf
  - /usr/bin/getent
  - /usr/bin/iconv
  - /usr/lib/x86_64-linux-gnu/libpthread-2.31.so

Detected vendor="gnu", product="coreutils", version="8.30", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/sbin/chroot
  - /usr/bin/nice
  - /usr/bin/readlink
  - /usr/bin/md5sum
  - /usr/bin/shred
  - /usr/bin/paste
  - /usr/bin/touch
  - /usr/bin/shuf
  - /usr/bin/runcon
  - /usr/bin/true
  - /usr/bin/pinky
  - /usr/bin/env
  - /usr/bin/sync
  - /usr/bin/tsort
  - /usr/bin/ln
  - /usr/bin/date
  - /usr/bin/rm
  - /usr/bin/chgrp
  - /usr/bin/chcon
  - /usr/bin/arch
  - /usr/bin/join
  - /usr/bin/false
  - /usr/bin/users
  - /usr/bin/sha1sum
  - /usr/bin/tee
  - /usr/bin/comm
  - /usr/bin/vdir
  - /usr/bin/stat
  - /usr/bin/tr
  - /usr/bin/who
  - /usr/bin/hostid
  - /usr/bin/mkdir
  - /usr/bin/mknod
  - /usr/bin/install
  - /usr/bin/pathchk
  - /usr/bin/tac
  - /usr/bin/dd
  - /usr/bin/printenv
  - /usr/bin/nl
  - /usr/bin/ls
  - /usr/bin/cat
  - /usr/bin/nohup
  - /usr/bin/mktemp
  - /usr/bin/sha224sum
  - /usr/bin/groups
  - /usr/bin/base64
  - /usr/bin/ptx
  - /usr/bin/pr
  - /usr/bin/dircolors
  - /usr/bin/rmdir
  - /usr/bin/unexpand
  - /usr/bin/uniq
  - /usr/bin/mkfifo
  - /usr/bin/chmod
  - /usr/bin/expr
  - /usr/bin/sha256sum
  - /usr/bin/split
  - /usr/bin/link
  - /usr/bin/uname
  - /usr/bin/od
  - /usr/bin/factor
  - /usr/bin/head
  - /usr/bin/truncate
  - /usr/bin/fold
  - /usr/bin/cp
  - /usr/bin/du
  - /usr/bin/cut
  - /usr/bin/expand
  - /usr/bin/chown
  - /usr/bin/cksum
  - /usr/bin/id
  - /usr/bin/fmt
  - /usr/bin/sha384sum
  - /usr/bin/basename
  - /usr/bin/printf
  - /usr/bin/tty
  - /usr/bin/echo
  - /usr/bin/mv
  - /usr/bin/pwd
  - /usr/bin/dir
  - /usr/bin/csplit
  - /usr/bin/sha512sum

Detected vendor="gnu", product="coreutils", version="5.7", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/bin/logname
  - /usr/bin/whoami
  - /usr/bin/unlink

Detected vendor="gnu", product="gzip", version="1.10", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/bin/zless
  - /usr/bin/zcmp
  - /usr/bin/gunzip
  - /usr/bin/zcat
  - /usr/bin/uncompress
  - /usr/bin/gzexe
  - /usr/bin/zgrep
  - /usr/bin/zdiff
  - /usr/bin/zmore
  - /usr/bin/zforce
  - /usr/bin/gzip
  - /usr/bin/znew

Detected vendor="gnu", product="findutils", version="4.7.0", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/bin/find
  - /usr/bin/xargs

Detected vendor="gnu", product="coreutils", version="5.6", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/bin/yes

Detected vendor="gnu", product="m4", version="1.4.18", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/bin/m4

Detected vendor="gnu", product="make", version="4.2.1", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/bin/make

Detected vendor="gnu", product="tar", version="1.30", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/sbin/rmt-tar

Detected vendor="bzip", product="bzip2", version="1.0.8", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/bin/bzip2recover

Detected vendor="bash", product="bash", version="5.0.17", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/bin/bash

Detected vendor="wget", product="wget", version="1.2.11", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/bin/wget

Detected vendor="perl", product="perl", version="5.30.0", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/bin/perlivp

Detected vendor="linux", product="util-linux", version="2.21", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/bin/findmnt

Detected vendor="gnupg", product="gnupg", version="2.2.19", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/bin/gpgsplit
  - /usr/bin/watchgnupg
  - /usr/bin/kbxutil
  - /usr/bin/gpgsm
  - /usr/bin/gpg-connect-agent
  - /usr/bin/gpg-agent
  - /usr/bin/symcryptrun
  - /usr/bin/gpg-zip
  - /usr/bin/gpgconf

Detected vendor="gentoo", product="app-crypt_pinentry", version="1.1.0", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/bin/pinentry-curses

Detected vendor="openssl", product="openssl", version="1.1.1f", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/bin/openssl

Detected vendor="info-zip", product="zip", version="5.9", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/bin/zipinfo

Detected vendor="info-zip", product="unzip", version="2.3", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/bin/unzipsfx

Detected vendor="info-zip", product="zip", version="3.0", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/bin/zip
  - /usr/bin/zipnote
  - /usr/bin/zipsplit

Detected vendor="info-zip", product="zip", version="5.8", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/bin/zipcloak

Detected vendor="info-zip", product="unzip", version="1.0", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/bin/unzip

Detected vendor="ext2_filesystems_utilities", product="e2fsprogs", version="1.45.5", update="", edition="", language="", sw_edition="", target_sw="", target_hw="", other="" on host="db5702bad469", userkey="db5702bad469"
Files that contributed to this detection:
  - /usr/sbin/resize2fs
  - /usr/sbin/debugfs
  - /usr/sbin/dumpe2fs
  - /usr/sbin/tune2fs
  - /usr/sbin/e2image
  - /usr/sbin/mke2fs
  - /usr/sbin/e2fsck
  - /usr/bin/chattr
  - /usr/bin/lsattr

root@db5702bad469:/projects/cvechecker/cvechecker-2021-05-08-master-build/cvechecker-master/execution# cvechecker -rC
Outputversion,File,CPE,CVE,CVSS,Matchtype,Hostname,Userkey
root@db5702bad469:/projects/cvechecker/cvechecker-2021-05-08-master-build/cvechecker-master/execution#

What am I doing wrong?

sjvermeu commented 3 years ago

Hi Henrick

From the output, I notice that cvechecker detects that you have bzip2 version 1.0.8, and coreutils 8.30.

The CVEs for bzip2 and coreutils seem to only focus on lower versions: coreutils up to 8.23 and bzip2 up to 1.0.6. Hence, cvechecker assumes that these vulnerabilities are not applicable to your system (as your system has higher versions installed).

If your system is vulnerable to these CVEs, then cvechecker might have incorrectly identified the installed versions (for either bzip2 or coreutils). But before we look into that, let's first confirm if the detected versions are indeed OK and which CVEs specifically you would expect to still be listed as vulnerabilities on your system.

HenrikBach1 commented 3 years ago

Hi Sven

First of all, I'm trying to learn all this security stuff and the behavior of the cvechecker. So I apologize for my misunderstandings.

Can you please give me some hints to understand the fields of a CVE:

# | Product Type | Vendor | Product | Version | Update | Edition | Language |  
-- | -- | -- | -- | -- | -- | -- | -- | --
1 | Application | GNU | Coreutils | * | * | * | *
-- | -- | -- | -- | -- | -- | -- | -- | --

and 

# | Product Type | Vendor | Product | Version | Update | Edition | Language |  
-- | -- | -- | -- | -- | -- | -- | -- | --
1 | Application | Bzip | Bzip2 | * | * | * | *
2 | Application | Bzip | Bzip2 | 0.9 A | * | * | *
...
-- | -- | -- | -- | -- | -- | -- | -- | --

Especially, how to interpret the rows of the Version field.

sjvermeu commented 3 years ago

Hi Hendrik

No apologies needed, I should've documented it when I was working on it.

The rows themselves are not representing CVEs but CPEs. A CPE is a "Common Platform Enumeration" and is an identifier for an asset (software title, operating system, appliance or something else). These CPEs are used by CVEs to structurally identify for which software a vulnerability is applicable.

For instance, if we take a look at CVE-2017-18018 (https://www.cvedetails.com/cve/CVE-2017-18018/), you will notice "Products affected by CVE-2017-18018" which has the exact structure as you find in the database.

The version field in such a CPE is the version as it is published by the vendor or project. As each project can decide for themselves how to approach versioning, CVE/CPE does not try to standardize here, it just asks for a version.

With the CVE definitions, we then refer to these CPEs to state if something is vulnerable or not. While in the past, CVEs had to explicitly iterate over all the CPEs affected, recent CVE standards allow for expressions (such as "any version less than 0.9 A").

Finally, if you see an asterisk (*) in a field, then it means "any". So a CPE identifier with "*" in the version means "any version of this product".

If you want to go through the nitty gritty details of CPE, you can check out https://nvd.nist.gov/products/cpe.