Closed by effreetcoin 1 month ago
I'm sorry for replying so late.
If you are using RedHat, Oracle Linux, Ubuntu, etc., it is a good idea to use the vulnerability information provided by the vendor. Take a look at this tool. https://github.com/vulsio/goval-dictionary
If vulnerability information is not provided by the vendor, you can convert the package name and version to CPE and match it to find the CVE. However, please note that the version described in the NVD may differ from the version of the package provided by the vendor as a backport.
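To make the second path concrete (package name and version to CPE, then a range match against NVD-style data, with the backport caveat surfaced rather than ignored), here is an added example. It is not code from goval-dictionary, Vuls, or anyone in this thread. The `PKG_TO_CPE` table is a hand-written assumption (the real name-to-vendor/product mapping has to be curated per distribution), and the entries in `SAMPLE_CVES` are constructed records shaped like NVD `cpeMatch` objects with placeholder IDs, not real CVEs.

```python
"""Installed package -> CPE 2.3 -> NVD-style version-range match.

Added example for the thread above; not project code.  SAMPLE_CVES is
constructed data with placeholder identifiers, and PKG_TO_CPE is an
assumed mapping that a real tool would have to curate per distro.
"""
import re

# Assumed package name -> (CPE vendor, CPE product).  Hand-written here.
PKG_TO_CPE = {
    "openssl": ("openssl", "openssl"),
    "curl": ("haxx", "curl"),
}

# Constructed sample entries in the shape of NVD "cpeMatch" objects.
# The CVE identifiers are placeholders, not real vulnerabilities.
SAMPLE_CVES = [
    {"cve": "CVE-0000-0001", "vendor": "openssl", "product": "openssl",
     "versionStartIncluding": "1.1.1", "versionEndExcluding": "1.1.1k"},
    {"cve": "CVE-0000-0002", "vendor": "haxx", "product": "curl",
     "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.79.0"},
]

# [epoch:]upstream[-revision]; the revision is everything after the last '-'
# (Debian policy), which also fits RPM's version-release split.
_PKG_VER_RE = re.compile(
    r"^(?:(?P<epoch>\d+):)?(?P<upstream>.+?)(?:-(?P<rev>[^-]+))?$")


def split_distro_version(version):
    """Split '1:1.1.1f-1ubuntu2' into ('1', '1.1.1f', '1ubuntu2').

    Epoch and revision are None when absent."""
    m = _PKG_VER_RE.match(version)
    return m.group("epoch"), m.group("upstream"), m.group("rev")


def _version_key(v):
    """Tokenise '1.1.1k' into runs of digits/letters so that 1.1.1f < 1.1.1k
    and 7.68.0 < 7.79.0.  Separators are dropped; this is a deliberately
    simple ordering, not a full dpkg/rpm comparison (e.g. 'rc' suffixes
    sort after the bare version here)."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", v))


def _cpe_escape(s):
    # CPE 2.3 formatted-string binding: everything outside [A-Za-z0-9._-]
    # must be backslash-escaped.
    return re.sub(r"([^A-Za-z0-9._-])", r"\\\1", s)


def to_cpe23(pkg, version):
    """Build a CPE 2.3 formatted string for an application package."""
    vendor, product = PKG_TO_CPE[pkg]
    return f"cpe:2.3:a:{vendor}:{product}:{_cpe_escape(version)}:*:*:*:*:*:*:*"


def _in_range(version, m):
    """Apply the four optional NVD range bounds to a version."""
    k = _version_key(version)
    if "versionStartIncluding" in m and k < _version_key(m["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in m and k <= _version_key(m["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in m and k > _version_key(m["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in m and k >= _version_key(m["versionEndExcluding"]):
        return False
    return True


def match_package(pkg, distro_version, cves=SAMPLE_CVES):
    """Return candidate CVEs for one installed package.

    Only the upstream part of the version is matched, because NVD ranges
    are expressed against upstream releases.  When the installed version
    carries a distro revision ('-1ubuntu2.16'), the vendor may have
    backported the fix without bumping the upstream version, so each hit is
    flagged verify_with_vendor=True: a vendor feed (e.g. the OVAL data that
    goval-dictionary fetches) should have the final say on those."""
    if pkg not in PKG_TO_CPE:
        return []
    vendor, product = PKG_TO_CPE[pkg]
    _, upstream, revision = split_distro_version(distro_version)
    hits = []
    for m in cves:
        if (m["vendor"], m["product"]) != (vendor, product):
            continue
        if _in_range(upstream, m):
            hits.append({"cve": m["cve"],
                         "cpe": to_cpe23(pkg, upstream),
                         "verify_with_vendor": revision is not None})
    return hits


if __name__ == "__main__":
    # Constructed inventory lines as a script like the one in the question
    # might produce: (package, installed version).
    for pkg, ver in [("openssl", "1.1.1f-1ubuntu2.16"), ("curl", "7.81.0-1")]:
        for hit in match_package(pkg, ver):
            print(pkg, ver, hit)
```

The `verify_with_vendor` flag is the practical consequence of the backport caveat: an Ubuntu `openssl 1.1.1f-1ubuntu2.16` matches the sample range purely on `1.1.1f`, yet the `-1ubuntu2.16` revision is exactly where a distro would have shipped the patch, so a CPE-only match is a candidate to confirm against the vendor's advisory data, not a finding.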
Hey Boss,
Firstly, you are my superhero, amazing work.
I have a question.
I've built a small script that retrieves all installed Linux packages (RedHat, Oracle Linux, Ubuntu, etc.), along with the package names and versions.
The goal of this script is to identify the CVEs associated with these packages, if available.
From what I understand, I would need to convert the package names and versions to CPE (Common Platform Enumeration), and then use that to fetch the relevant CVEs. Does that sound correct?
Based on your report, which tools or code snippets could assist me in achieving this? Or, do you have any database or CSV file that maps Linux packages and their versions to their corresponding CVEs?