The security/cvechecker port

cvechecker-4.0p0 – local CVE checker tool (cvsweb github mirror)


The goal of cvechecker is to report about possible vulnerabilities on
your system, by scanning the installed software and matching the results
with the CVE database. Indeed, this is not a bullet-proof method and you
will most likely have many false positives (vulnerability is fixed with
a revision-release, but the tool isn't able to detect the revision
itself), yet it is still better than nothing, especially if you are
running a distribution with little security coverage.
WWW: https://github.com/sjvermeu/cvechecker


| Running ${PKGSTEM} on OpenBSD

Initial Configuration

The user running cvechecker(1) must be part of the _cvechecker group:
    # usermod -G _cvechecker 

Edit ${SYSCONFDIR}/cvechecker.conf to your particular setup.

Then the database initialization is done by running:
    $ cvechecker -i
(this step is required for both MariaDB and SQLite).

At last, the CVE data needs to be put into the database:
    $ pullcves pull
Note that the first time this command is run, it will take a long time.
Subsequent calls to pullcves(1) will only update the current year and
will be much faster. It is advised to run this command regularly to make
sure the local CVE database is up to date with upstream.

Getting started with cvechecker

cvechecker(1) will scan a list of files and check whether there is a
corresponding CVE according to its version. For example, to check
binaries from installed packages(7):
    $ find ${LOCALBASE}/{bin,libexec,sbin} -type f -perm -o+x > scanlist.txt
    $ cvechecker -b scanlist.txt
    $ cvechecker -r


The OpenBSD ports mailing-list


security sysutils

Library dependencies

Build dependencies

Run dependencies