kkreitmair/cve-indicator

cve-indicator

A tool for indicating whether there is a CVE related to an OpenWrt package. cve-indicator uses the cve-search database API to fulfil its tasks.

Installation

The installation requires:
  • pip3
  • pipenv
  • git

Installation procedure:

$ apt-get install python3-pip
$ apt-get install git
$ pip3 install pipenv

$ git clone git@github.com:kkreitmair/cve-indicator.git
$ cd cve-indicator
$ pipenv install

Usage

Enter the tool environment with the command pipenv shell. After this, the following commands are available.

Command-line usage:

$ cve-indicator gen-list <project> <path>
$ cve-indicator get-cves <path to gen-list report> [--api_url API_URL]
$ cve-indicator gen-rprt <path to get-cves report>

gen-list

Currently only the project openwrt is supported. Path specifies the directory of the finished OpenWrt build, which contains all the manifest files. The command searches the given directory for manifest files and, in each of them, for the entries Package, Version and CPE-ID. From this information it generates a report in JSON format. This report is used by the command get-cves, or by another tool if you wish.

get-cves

This command needs an API URL. It can be given with the --api_url parameter or in the config file, which is in YAML format.

Example of a config file under ~/.config/cve-indicator.yml:

get-cves:
  api_url: http://cve.circl.lu/api/cvefor/

Currently only the API of cve-search is supported. You can use the official service of cve-search or host your own instance. For further information about self-hosting, read the documentation of the cve-search project.

With this command, the tool makes an API call to the specified URL for every package in the gen-list report. cve-indicator uses the responses to generate a report, also in JSON format.
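
The gen-list and get-cves steps described above, as an added example that is not cve-indicator's own code. It assumes the manifest entries are "Key: value" stanzas separated by blank lines, that the lookup key is the CPE-ID with the upstream version appended, and that the query is the API URL followed by that CPE; the function names and the sample manifest are constructed for illustration.

```python
import json
from urllib.parse import quote

# Constructed sample in the assumed "Key: value" stanza layout (not real build output).
SAMPLE_MANIFEST = """\
Package: busybox
Version: 1.30.1-5
CPE-ID: cpe:/a:busybox:busybox

Package: base-files
Version: 204-r10947

Package: dnsmasq
Version: 2.80-15
CPE-ID: cpe:/a:thekelleys:dnsmasq
"""

API_URL = "http://cve.circl.lu/api/cvefor/"  # value from the config example above


def parse_manifest(text):
    """Return one dict per stanza, keeping only Package, Version and CPE-ID."""
    wanted = {"Package", "Version", "CPE-ID"}
    packages = []
    for stanza in text.strip().split("\n\n"):
        entry = {}
        for line in stanza.splitlines():
            if line[:1].isspace():  # continuation line of a multi-line field
                continue
            key, sep, value = line.partition(":")
            if sep and key.strip() in wanted:
                entry[key.strip()] = value.strip()
        if "Package" in entry:
            packages.append(entry)
    return packages


def build_lookups(packages, api_url=API_URL):
    """Split packages into CPE lookups and packages that cannot be checked."""
    lookups, unchecked = [], []
    for pkg in packages:
        cpe = pkg.get("CPE-ID")
        if not cpe or "Version" not in pkg:
            unchecked.append(pkg["Package"])  # no CPE-ID: no CVE lookup is possible
            continue
        # Assumption: drop the package release suffix ("-5") to get the upstream version.
        full_cpe = f"{cpe}:{pkg['Version'].rsplit('-', 1)[0]}"
        lookups.append({"package": pkg["Package"], "cpe": full_cpe,
                        "url": api_url + quote(full_cpe, safe=":/")})
    return lookups, unchecked


if __name__ == "__main__":
    print(json.dumps(build_lookups(parse_manifest(SAMPLE_MANIFEST)), indent=2))
```

Packages that end up in the unchecked list carry no CPE-ID, so a report with no CVE hits says nothing about them.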

gen-rprt

This command can be used to create a human-readable HTML report from the report produced by get-cves.

Example part of a cve-indicator HTML report.
