falk-werner/cve-check
CVE-Check

CVE-Check is a simple CVE checker based on the NVD CVE Data Feeds. It is intended to perform a quick scan for known vulnerabilities in certain products.

Disclaimer

This tool is meant to be used as support and not as the only method to check against CVEs. Running this tool doesn't guarantee your products are free of CVEs.

Quick Start

Before running cve-check, a local CVE database must be created using cve-check-create-db.py:

> python3 ./cve-check-create-db.py

After the CVE database is created, you can scan for CVEs using cve-check.py:

> python3 ./cve-check.py -p openssl
CVE-2021-23839
CVE-2021-23840
CVE-2021-23840
CVE-2021-23841
CVE-2021-23841
CVE-2021-3449
...

Creating local CVE database

> python3 ./cve-check-create-db.py

Before a scan can be performed, a local CVE database is needed. The purpose of the database is to speed up scanning. A typical use case is to create the database once and then scan for various products, e.g. project dependencies such as openssl or libpng.

The database is created from the NVD CVE Data Feeds, which track all CVEs since 2002 and are updated regularly.

Make sure to re-create the local CVE database regularly to keep it up to date.

| Option | Example | Description |
|---|---|---|
| -f, --file | -f my-cve.db | Optional. Specify filename of local CVE database (Default: cve.db) |
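The README does not show how the feed is turned into a local database, so the following is an added example (not cve-check's own code) of the pre-processing step such a database needs: it walks the `configurations.nodes` tree of an NVD JSON 1.1 feed item, including nested `children` nodes, keeps only the `cpe_match` entries flagged `vulnerable`, and stores one row per CPE with its version bounds in SQLite so later scans are a simple indexed query. The feed snippet, the CVE ids and the version bounds are constructed for illustration; the table layout is this example's own choice.

```python
# Added example, not part of cve-check: flatten an NVD JSON 1.1 feed into a
# local SQLite table of (cve, vendor, product, version, bounds) rows.
import json
import sqlite3

# Constructed sample in the NVD JSON 1.1 feed layout (placeholder CVE ids,
# invented version bounds; not real feed content).
SAMPLE_FEED = json.dumps({
    "CVE_data_type": "CVE",
    "CVE_Items": [{
        "cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
        "configurations": {"nodes": [
            {   # plain OR node: one vulnerable range, one non-vulnerable platform entry
                "operator": "OR", "children": [],
                "cpe_match": [
                    {"vulnerable": True,
                     "cpe23Uri": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*",
                     "versionStartIncluding": "7.61.0",
                     "versionEndExcluding": "7.77.0"},
                    {"vulnerable": False,
                     "cpe23Uri": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"},
                ],
            },
            {   # AND node whose vulnerable entry sits in a nested child node
                "operator": "AND", "cpe_match": [],
                "children": [{
                    "operator": "OR", "children": [],
                    "cpe_match": [{"vulnerable": True,
                                   "cpe23Uri": "cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*"}],
                }],
            },
        ]},
    }],
})


def cpe_fields(cpe23uri):
    """Split a CPE 2.3 URI (cpe:2.3:part:vendor:product:version:...) into
    (part, vendor, product, version). Escaped colons ('\\:') inside fields are
    rare and not handled here, which is a simplification of this example."""
    parts = cpe23uri.split(":")
    return parts[2], parts[3], parts[4], parts[5]


def iter_matches(node):
    """Yield every cpe_match entry of a configuration node, recursing into children."""
    for match in node.get("cpe_match", []):
        yield match
    for child in node.get("children", []):
        yield from iter_matches(child)


def feed_to_rows(feed_json):
    """Return one row per vulnerable CPE entry:
    (cve_id, vendor, product, version, start_incl, start_excl, end_incl, end_excl)."""
    rows = []
    for item in json.loads(feed_json)["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        for node in item.get("configurations", {}).get("nodes", []):
            for match in iter_matches(node):
                if not match.get("vulnerable", False):
                    continue   # "running on" platform entries are not the affected product
                _, vendor, product, version = cpe_fields(match["cpe23Uri"])
                rows.append((cve_id, vendor, product, version,
                             match.get("versionStartIncluding"),
                             match.get("versionStartExcluding"),
                             match.get("versionEndIncluding"),
                             match.get("versionEndExcluding")))
    return rows


def create_db(feed_json, path=":memory:"):
    """Create the local database (in memory by default) and load the feed into it."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS cve (
        id TEXT, vendor TEXT, product TEXT, version TEXT,
        start_incl TEXT, start_excl TEXT, end_incl TEXT, end_excl TEXT)""")
    # The index is what makes a per-product scan fast on a feed of many thousands of rows.
    conn.execute("CREATE INDEX IF NOT EXISTS idx_cve_product ON cve(product, vendor)")
    conn.executemany("INSERT INTO cve VALUES (?,?,?,?,?,?,?,?)", feed_to_rows(feed_json))
    conn.commit()
    return conn


def count_rows(conn, product):
    """Number of stored rows for a product (a cheap sanity check after loading)."""
    return conn.execute("SELECT COUNT(*) FROM cve WHERE product = ?", (product,)).fetchone()[0]


if __name__ == "__main__":
    db = create_db(SAMPLE_FEED)
    for row in feed_to_rows(SAMPLE_FEED):
        print(row)
    print("curl rows:", count_rows(db, "curl"))
```

Re-running `create_db` against a freshly downloaded feed is the equivalent of the README's advice to re-create the database regularly; nothing in the stored rows is derived from anything but the feed, so rebuilding from scratch is simpler than merging.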

Scanning for CVEs

> python3 ./cve-check.py -p <product>

Once a local CVE database is created, you can scan for CVEs of a certain product.

| Option | Example | Description |
|---|---|---|
| -p, --product | -p openssl | Required. Product to scan for. Use * to scan for all products |
| --version | --version 1.1.1 | Optional. Specify version of the product to scan for (Default: *) |
| --vendor | --vendor haxx | Optional. Specify vendor of the product to scan for (Default: *) |
| -f, --file | -f my-cve.db | Optional. Specify filename of local CVE database (Default: cve.db) |
| -i, --ignore | -i CVE-2021-22897 | Optional. Ignore a single CVE. Multiple CVEs can be specified by using -i multiple times |
| --ignore-file | --ignore-file ignore.txt | Optional. Ignore all CVEs in the file. Each line contains a single CVE. |
| -v, --verbose | -v | Optional. Enable verbose mode. Print additional info per CVE. |

Scan for specific version

> python3 ./cve-check.py -p curl --version 7.76
CVE-2021-22897
CVE-2021-22898
CVE-2021-22901
CVE-2021-22901
CVE-2021-22898
CVE-2021-22897

To narrow down the resulting CVEs, it is common to specify the version of the product to scan for.

Verbose output

> python3 ./cve-check.py -p curl --version 7.76 -v
CVE-2021-22897  haxx    curl    [7.61.0,7.76.1] PATCHED
CVE-2021-22898  haxx    curl    [7.7,7.76.1]    PATCHED
CVE-2021-22901  haxx    curl    [7.75.0,7.76.1] PATCHED
CVE-2021-22901  haxx    curl    [7.75.0,7.76.1] PATCHED
CVE-2021-22898  haxx    curl    [7.7,7.76.1]    PATCHED
CVE-2021-22897  haxx    curl    [7.61.0,7.76.1] PATCHED

To print additional information about the resulting CVEs, the option -v is used.

Note that full information about each CVE can be obtained at https://cve.mitre.org/.

Ignore CVEs

> python3 ./cve-check.py -p curl --version 7.76 -v -i CVE-2021-22897 -i CVE-2021-22898
CVE-2021-22901  haxx    curl    [7.75.0,7.76.1] PATCHED
CVE-2021-22901  haxx    curl    [7.75.0,7.76.1] PATCHED
CVE-2021-22898  haxx    curl    [7.7,7.76.1]    PATCHED
CVE-2021-22897  haxx    curl    [7.61.0,7.76.1] PATCHED

Single CVEs can be ignored by using the -i option. To ignore multiple CVEs, multiple occurrences of -i can be provided.

> python3 ./cve-check.py -p curl --version 7.76 -v --ignore-file ignored-cves.txt
CVE-2021-22901  haxx    curl    [7.75.0,7.76.1] PATCHED
CVE-2021-22901  haxx    curl    [7.75.0,7.76.1] PATCHED
CVE-2021-22898  haxx    curl    [7.7,7.76.1]    PATCHED
CVE-2021-22897  haxx    curl    [7.61.0,7.76.1] PATCHED

Another option to ignore multiple CVEs is to provide an ignore file using --ignore-file. Each line of the file contains one CVE.
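The "Scanning for CVEs", "Scan for specific version" and "Ignore CVEs" sections together describe one procedure: filter the local rows by product and vendor, test the requested version against each row's version bounds, drop ignored ids (from repeated -i flags or an ignore file), and print the verbose columns. The following is an added example of that procedure, not cve-check's own code. It works on a constructed list of rows with placeholder CVE ids and invented bounds rather than a real database, `version_key` is this example's own ordering for dotted versions with a letter suffix, the `PATCHED`/`OPEN` status rule is this example's convention (the README shows the `PATCHED` label but does not define it), and accepting `#` comment lines in the ignore file goes beyond the one-CVE-per-line format the README states.

```python
# Added example, not part of cve-check: version-aware scan with -i and
# --ignore-file style ignore handling over a constructed row list.
import re

# Constructed rows (placeholder ids, invented bounds) in the shape
# (cve_id, vendor, product, exact_version, start_incl, start_excl, end_incl, end_excl);
# exact_version "*" means "use the bounds", anything else is a single version.
SAMPLE_ROWS = [
    ("CVE-0000-0001", "haxx", "curl", "*", "7.61.0", None, None, "7.77.0"),
    ("CVE-0000-0002", "haxx", "curl", "*", "7.7", None, None, "7.77.0"),
    ("CVE-0000-0003", "haxx", "curl", "*", "7.75.0", None, None, "7.77.0"),
    ("CVE-0000-0004", "haxx", "curl", "7.50.0", None, None, None, None),   # single version
    ("CVE-0000-0005", "openssl", "openssl", "*", "1.1.1", None, None, None),  # no upper bound
]


def version_key(version):
    """Ordering for dotted versions with optional letter suffixes, so that
    7.76 < 7.76.1 and 1.1.1 < 1.1.1k (string comparison gets both wrong).
    Each component becomes (number, suffix); letters sort after the bare number."""
    return tuple((int(num), suffix) for num, suffix in re.findall(r"(\d+)([a-zA-Z]*)", version))


def in_range(version, row):
    """True if `version` falls inside the row's affected versions."""
    _, _, _, exact, start_incl, start_excl, end_incl, end_excl = row
    key = version_key(version)
    if exact != "*":
        return key == version_key(exact)
    if start_incl is not None and key < version_key(start_incl):
        return False
    if start_excl is not None and key <= version_key(start_excl):
        return False
    if end_incl is not None and key > version_key(end_incl):
        return False
    if end_excl is not None and key >= version_key(end_excl):
        return False
    return True


def load_ignore_file(text):
    """Parse --ignore-file content: one CVE id per line. Blank lines and lines
    starting with '#' are skipped (the comment handling is this example's extension)."""
    ignored = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            ignored.add(line.upper())
    return ignored


def scan(rows, product, version="*", vendor="*", ignore=()):
    """Return verbose-style lines (id, vendor, product, [low,high], status) for
    every row matching product/vendor/version that is not in `ignore`.
    `ignore` holds ids from repeated -i flags and/or load_ignore_file()."""
    ignored = {cve.upper() for cve in ignore}
    lines = []
    for row in rows:
        cve_id, row_vendor, row_product, exact, start_incl, start_excl, end_incl, end_excl = row
        if product != "*" and row_product != product:
            continue
        if vendor != "*" and row_vendor != vendor:
            continue
        if cve_id.upper() in ignored:
            continue
        if version != "*" and not in_range(version, row):
            continue
        low = start_incl or start_excl or exact
        high = end_excl or end_incl or exact
        # Example's own convention (assumption): an upper bound in the feed data
        # means a fixed release is known; without one the issue is reported as OPEN.
        status = "PATCHED" if (end_excl or end_incl) else "OPEN"
        lines.append(f"{cve_id}\t{row_vendor}\t{row_product}\t[{low},{high}]\t{status}")
    return lines


if __name__ == "__main__":
    ignored = {"CVE-0000-0001"} | load_ignore_file("# local exceptions\ncve-0000-0002\n")
    for line in scan(SAMPLE_ROWS, "curl", "7.76", ignore=ignored):
        print(line)
```

Two points the example makes that the README's output does not: version comparison must be numeric per component (a string compare would put 7.7 after 7.61.0), and ignore entries are normalised to upper case so a lower-case id in the ignore file still suppresses the match. An entry on an ignore list is an accepted risk, so keep the file under version control next to the project it belongs to and review it whenever the database is rebuilt.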

Further Resources