Skip to content

mrl5/vulner

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

vulner

GitHub commits since latest release (by SemVer) GitHub last commit cargo security audit build status tests status linter status GitHub license

Discover CVEs for software.

  • Use case 1) as a Funtoo Linux user I want to have awareness about CVEs on my system
  • Use case 2) as user I want to list CVEs for given package
  • Use case 3) as a Gentoo Linux user I want to have awareness about CVEs on my system
  • Use case 4) as a Funtoo Linux maintainer I want to scan all packages in kit for CVEs
  • Use case 5) as a Funtoo Linux maintainer I want to scan all meta-repo for CVEs
  • Use case 6) as a Funtoo Linux user I want to list bug tracker security vulnerability tickets that are not fixed
  • Use case 7) as a Funtoo Linux user I want to know if there is already a ticket for CVE detected by vulner

API keys

For better user experience consider using API keys:

More details in COOKBOOK.md

DISCLAIMER

Running vulner scan doesn't guarantee that all CVEs present on your system will be detected. It tries to map packages installed by the portage to a set of known NVD CPEs. It is possible that not all packages will be successfully tagged.

For more info about false negatives and false positives check docs/CAVEATS.md

Examples

Check out docs/COOKBOOK.md

CVEs, CPEs, WTFs

Check this example: https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=openssh

Notice how easy is to list all CVEs for given CPE. Using CPEs allows you to have reliable vulnerability tracker.

Howto build and install

You can find ebuild in ebuilds/ (it's also available in funtoo security-kit) ...

... or you can use make

make install

Howto run

./scripts/check-runtime-deps.sh
vulner --help
RUST_LOG=debug vulner sync
RUST_LOG=info vulner scan -o ~/vulner/scan-results

Why vulner needs python at runtime?

Because of reasons described in 0001-runtime-python-dependencies.md ADR.