vulner

Discover CVEs for software.

• Use case 1) as a Funtoo Linux user I want to have awareness about CVEs on my system
• Use case 2) as user I want to list CVEs for given package
• Use case 3) as a Gentoo Linux user I want to have awareness about CVEs on my system
• Use case 4) as a Funtoo Linux maintainer I want to scan all packages in kit for CVEs
• Use case 5) as a Funtoo Linux maintainer I want to scan all meta-repo for CVEs
• Use case 6) as a Funtoo Linux user I want to list bug tracker security vulnerability tickets that are not fixed
• Use case 7) as a Funtoo Linux user I want to know if there is already a ticket for CVE detected by vulner

API keys

For better user experience consider using API keys:

• NVD API Key

More details in COOKBOOK.md

DISCLAIMER

Running vulner scan doesn't guarantee that all CVEs present on your system will be detected. It tries to map packages installed by the portage to a set of known NVD CPEs. It is possible that not all packages will be successfully tagged.

For more info about false negatives and false positives check docs/CAVEATS.md

Examples

Check out docs/COOKBOOK.md

CVEs, CPEs, WTFs

Check this example: https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=openssh

Notice how easy is to list all CVEs for given CPE. Using CPEs allows you to have reliable vulnerability tracker.

Howto build and install

You can find ebuild in ebuilds/ (it's also available in funtoo security-kit) ...

... or you can use make

make install

Howto run

./scripts/check-runtime-deps.sh
vulner --help
RUST_LOG=debug vulner sync
RUST_LOG=info vulner scan -o ~/vulner/scan-results

Why vulner needs python at runtime?

Because of reasons described in 0001-runtime-python-dependencies.md ADR.