On Fri, Aug 03, 2018 at 10:37:05PM +0000, Grygorii Tertychnyi (gtertych) via Openembedded-core wrote:
> cvert-kernel - generate CVE report for the Linux kernel.
> NVD entries for the Linux kernel are almost always outdated.
> For example, https://nvd.nist.gov/vuln/detail/CVE-2018-1065
> is shown as matched for "versions up to (including) 4.15.7",
> however the patch 57ebd808a97d has been back ported for 4.14.
> cvert-kernel script checks NVD Resource entries for the patch URLs
> and looks for the commits in the local git tree.

This is an interesting approach. For the kernel I've been using information not from NVD but from https://github.com/nluedtke/linux_kernel_cves/

As an example, all CVEs fixed in 4.14 kernel series point releases AND all non-fixed CVEs are listed in:

https://github.com/nluedtke/linux_kernel_cves/blob/master/4.14/4.14_security.txt

I have not tried to automate this, but I do find the information there much better than NVD.

-Mikko
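
The check the quoted description outlines (take the patch URLs from a CVE's NVD references, then look for those commits in the local tree), as an added example that is not cvert-kernel's code and not part of either message. The URL patterns, the matching on stable-backport markers, the function names and all sample data are assumptions constructed for illustration.

```python
import re

# URL shapes that carry a commit id (assumed set, not taken from cvert-kernel).
COMMIT_URL = re.compile(
    r"(?:git\.kernel\.org/\S*?[?;&]id=|github\.com/torvalds/linux/commit/)"
    r"([0-9a-f]{12,40})")
# Lines that stable backports use to name the mainline commit they carry.
UPSTREAM_REF = re.compile(
    r"(?:^commit ([0-9a-f]{12,40}) upstream\.?$"
    r"|^\[ Upstream commit ([0-9a-f]{12,40}) \]$)", re.M)


def commit_ids(reference_urls):
    """Return commit ids named by patch URLs among a CVE's NVD references."""
    ids = []
    for url in reference_urls:
        m = COMMIT_URL.search(url)
        if m and m.group(1) not in ids:
            ids.append(m.group(1))
    return ids


def fixed_in_tree(fix_ids, git_log):
    """git_log: (sha, message) pairs of the local branch. A fix counts as
    present if a commit has that id or names it as its upstream commit."""
    present = set()
    for sha, message in git_log:
        named = {sha} | {a or b for a, b in UPSTREAM_REF.findall(message)}
        for fix in fix_ids:
            # Ids may be abbreviated on either side, so compare by prefix.
            if any(n.startswith(fix) or fix.startswith(n) for n in named):
                present.add(fix)
    return present


# Constructed sample data: the kernel.org URL and both logs are made up;
# only the CVE page URL and the id 57ebd808a97d come from the thread.
SAMPLE_REFS = [
    "https://nvd.nist.gov/vuln/detail/CVE-2018-1065",
    "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=57ebd808a97d",
]
LOG_WITH_BACKPORT = [
    ("1" * 40, "constructed subject\n\ncommit 57ebd808a97d upstream.\n\nbody"),
    ("2" * 40, "unrelated constructed commit"),
]
LOG_WITHOUT_FIX = [("3" * 40, "unrelated constructed commit")]

if __name__ == "__main__":
    ids = commit_ids(SAMPLE_REFS)
    print(ids, fixed_in_tree(ids, LOG_WITH_BACKPORT))
```

In practice the `(sha, message)` pairs would come from `git log` on the branch being audited; a fix id that is absent from the result still needs manual review, since a backport may omit the upstream marker.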