Created
February 20, 2017 23:07
-
-
Save DanBeard/adbc03b9e724639a7f0c06f70221a631 to your computer and use it in GitHub Desktop.
Example using libscanner on a yocto image
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # download the latest NVD xml DB | |
| ./download_xml.sh | |
| ... | |
| ... | |
| --2017-02-20 14:57:57-- https://nvd.nist.gov/download/nvdcve-2017.xml.gz | |
| Resolving nvd.nist.gov (nvd.nist.gov)... 129.6.13.177, 2610:20:6005:13::177 | |
| Connecting to nvd.nist.gov (nvd.nist.gov)|129.6.13.177|:443... connected. | |
| HTTP request sent, awaiting response... 200 OK | |
| Length: 68023 (66K) [application/x-gzip] | |
| Saving to: ‘nvdcve-2017.xml.gz’ | |
| nvdcve-2017.xml.gz 100%[===================>] 66.43K 389KB/s in 0.2s | |
| ... | |
| # Find your installed-packages.txt from your yocto build. For information on that see: http://www.yoctoproject.org/docs/current/ref-manual/ref-manual.html#understanding-what-the-build-history-contains | |
| # For a visual representation of the discovered CVEs paste the content of installed-packages.txt to http://devicevulnerabilitychecker.com | |
| # to integrate it as part of your CI system see below | |
| # Run the scanner on your installed-packages.txt | |
| ./cli.py --format yocto "path/to/installed-packages.txt" dbs/ > cve_test.xml | |
| # cve_test will now include a list of 'unit tests' in XUnit format that fail for every cve not ignored | |
| tail cve_test.xml | |
| <failure> Medium (6.8) - Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. | |
| CVE Published on: 2016-07-23 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5131 </failure> | |
| </testcase> | |
| <testcase id="CVE-2016-9318" name="CVE-2016-9318" classname="libxml2 - 2.9.4" time="0"> | |
| <failure> Medium (6.8) - libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document. | |
| CVE Published on: 2016-11-15 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9318 </failure> | |
| </testcase> | |
| </testsuite> | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment