Discover CVEs for software.
- Use case 1) as a Funtoo Linux user I want to have awareness about CVEs on my system
- Use case 2) as a user I want to list CVEs for a given package
- Use case 3) as a Gentoo Linux user I want to have awareness about CVEs on my system
- Use case 4) as a Funtoo Linux maintainer I want to scan all packages in a kit for CVEs
- Use case 5) as a Funtoo Linux maintainer I want to scan the whole meta-repo for CVEs
- Use case 6) as a Funtoo Linux user I want to list bug tracker security vulnerability tickets that are not fixed
- Use case 7) as a Funtoo Linux user I want to know if there is already a ticket for CVE detected by vulner
For better user experience consider using API keys:
More details in COOKBOOK.md
Running vulner scan doesn't guarantee that all CVEs present on your system will be detected. It tries to map packages installed by Portage to a set of known NVD CPEs. It is possible that not all packages will be successfully tagged.
For more info about false negatives and false positives check docs/CAVEATS.md
Check out docs/COOKBOOK.md
Check this example: https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=openssh
Notice how easy it is to list all CVEs for a given CPE. Using CPEs allows you to have a reliable vulnerability tracker.
You can find the ebuild in ebuilds/ (it's also available in funtoo security-kit) ...
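The mapping from Portage packages to NVD CPEs described above, sketched as an added example (not vulner's own code). The atom-splitting rule, the KNOWN table and the Tag type are assumptions made for illustration, and the sample data is constructed; it shows where untagged packages (false negatives) and ambiguous vendors (possible false positives) come from.

```rust
// Added illustration, not vulner's implementation. KNOWN is constructed sample data.
const KNOWN: &[(&str, &str)] = &[
    // (vendor, product), standing in for a synced NVD CPE feed
    ("openbsd", "openssh"),
    ("vendor_a", "libfoo"), // hypothetical
    ("vendor_b", "libfoo"), // hypothetical
];

#[derive(Debug, PartialEq)]
enum Tag {
    Unique(String),         // exactly one vendor: a CPE that can be queried for CVEs
    Ambiguous(Vec<String>), // several vendors share the product name: false-positive risk
    Untagged,               // no CPE product matches: CVEs for this package go undetected
}

/// Split a Portage atom "category/name-version[-rN]" into (name, version).
fn split_atom(atom: &str) -> Option<(String, String)> {
    let pv = atom.rsplit('/').next()?;
    // Drop a trailing Portage revision such as "-r1"; it has no CPE counterpart.
    let pv = match pv.rfind("-r") {
        Some(i) if i + 2 < pv.len() && pv[i + 2..].chars().all(|c| c.is_ascii_digit()) => &pv[..i],
        _ => pv,
    };
    let dash = pv.rfind('-')?;
    let (name, ver) = (&pv[..dash], &pv[dash + 1..]);
    if name.is_empty() || !ver.starts_with(|c: char| c.is_ascii_digit()) {
        return None; // no version component, so nothing to match on
    }
    Some((name.to_string(), ver.to_string()))
}

/// Build candidate CPE 2.3 names for an installed package.
fn tag(atom: &str) -> Tag {
    let Some((name, ver)) = split_atom(atom) else { return Tag::Untagged };
    // Portage "8.9_p1" becomes CPE version "8.9" with update "p1".
    let (version, update) = ver.split_once('_').unwrap_or((ver.as_str(), "*"));
    let mut cpes: Vec<String> = KNOWN
        .iter()
        .filter(|e| e.1 == name) // Portage has no vendor field, so only the product can match
        .map(|(vendor, product)| format!("cpe:2.3:a:{vendor}:{product}:{version}:{update}:*:*:*:*:*:*"))
        .collect();
    match cpes.len() {
        0 => Tag::Untagged,
        1 => Tag::Unique(cpes.remove(0)),
        _ => Tag::Ambiguous(cpes),
    }
}
```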
... or you can use make
make install
./scripts/check-runtime-deps.sh
vulner --help
RUST_LOG=debug vulner sync
RUST_LOG=info vulner scan -o ~/vulner/scan-results
Because of reasons described in 0001-runtime-python-dependencies.md ADR.