sjvermeu / cvechecker

Command-line utility to scan the system and report on potential vulnerabilities, based on public CVE data
GNU General Public License v3.0
258 stars 68 forks source link

cvechecker

The goal of cvechecker is to report about possible vulnerabilities on your system, by scanning a list of installed software and matching results with the CVE database. This is not a bullet-proof method and you will have many false positives (ie: vulnerability is fixed with a revision-release, but the tool isn't able to detect the revision itself), yet it is still better than nothing, especially if you are running a distribution with little security coverage.

Quickstart

  1. Initalize the SQLite3 Database

    # cvechecker -i
  2. Load CVE and version matching rules

    # pullcves pull
  3. Generate List of Files to scan

    $ find / -type f -perm -o+x > scanlist.txt
    $ echo /proc/version >> scanlist.txt
  4. Gather List of Installed Software/Versions

    $ cvechecker -b scanlist.txt
  5. Output Matching CVE Entries

    $ cvechecker -r

More detailed installation information available via the installation docs. The homepage for this project.