CVEChecker

The goal of cvechecker is to report possible vulnerabilities on your system by scanning a list of installed software and matching the results against the CVE database. This is not a bullet-proof method and you will get many false positives (e.g. a vulnerability is fixed in a revision release, but the tool isn't able to detect the revision itself), yet it is still better than nothing, especially if you are running a distribution with little security coverage.

https://github.com/sjvermeu/cvechecker

Installation

Clone the git repository

git clone https://github.com/sjvermeu/cvechecker.git
cd cvechecker

The following packages are needed:

apt-get install sqlite3 libconfig-dev libsqlite3-dev autoconf xsltproc libbsd-dev

Install CVEChecker

autoreconf --force --install
# select the database backend: sqlite3 or mysql (drop the flag you do not need)
./configure --enable-sqlite3 --enable-mysql
make
make install
make postinstall

Initialize the sqlite3 database

cvechecker -i

Update the CVE feed

pullcves pull

Installation guide for other operating systems:
https://github.com/sjvermeu/cvechecker/wiki/Installation

Configuration

You can find the configuration and data files at the following paths:

/usr/local/var/cvechecker/
/usr/share/cvechecker

${HOME}/.cvechecker.rc
/usr/local/etc/cvechecker.conf 
/etc/cvechecker.conf

Usage

FIXME

https://rawgit.com/sjvermeu/cvechecker/master/docs/userguide.html

Gather the installed software (exclude paths that do not contain software, such as log files or Windows mounts…)

find / -path /var/spool/icinga2/perfdata -prune -o -path /backup -prune -o -path /marktplatz -prune -o -path /mnt -prune -o -path /media -prune -o -type f -perm -o+x -print > scanlist.txt
echo "/proc/version" >> scanlist.txt

Import installed software into CVEChecker

cvechecker -b scanlist.txt

Match software with CVEs

cvechecker -r -C > CVEs.csv
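
The gather step above, generalized to any list of excluded paths, as an added example that is not part of the original page or of the cvechecker project. The function names `build_scanlist` and `scanlist_leaks` and their arguments are assumptions made for this example; `scanlist_leaks` checks the resulting list for entries that should have been excluded before it is handed to `cvechecker -b`.

```shell
#!/bin/sh
# Added example (not from the cvechecker project): build the scan list with a
# variable set of excluded paths and verify that none of them leaked into it.
# Function and variable names are assumptions made for this example.

# build_scanlist ROOT OUTFILE [EXCLUDED_PATH...]
build_scanlist() {
    sl_root=$1
    sl_out=$2
    shift 2
    sl_n=$#
    # Rewrite each excluded path into "-path P -prune -o", keeping the order.
    while [ "$sl_n" -gt 0 ]; do
        set -- "$@" -path "$1" -prune -o
        shift
        sl_n=$((sl_n - 1))
    done
    # Explicit -print: without it find also prints every pruned directory,
    # because -prune itself evaluates to true.
    find "$sl_root" "$@" -type f -perm -o+x -print > "$sl_out"
    # Same extra entry as on the page, added only where the file exists.
    if [ -r /proc/version ]; then
        echo "/proc/version" >> "$sl_out"
    fi
}

# scanlist_leaks LISTFILE EXCLUDED_PATH...
# Returns 0 (and names the path on stderr) if the list contains an excluded
# path itself or anything below it; returns 1 if the list is clean.
scanlist_leaks() {
    sl_list=$1
    shift
    for sl_p in "$@"; do
        if awk -v p="$sl_p" '
               $0 == p || index($0, p "/") == 1 { found = 1 }
               END { exit !found }' "$sl_list"; then
            echo "excluded path present in scan list: $sl_p" >&2
            return 0
        fi
    done
    return 1
}
```

Typical use: `build_scanlist / scanlist.txt /backup /mnt /media`, then `scanlist_leaks scanlist.txt /backup /mnt /media` before importing the list.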