CVE Tool

A Claircore-based CVE manager (see also clair-action).

Build

Install Go development tools and libraries (goland) and GNU make. Run

$ make build

to build the CLI tool.

Run

Update (or Initialize) the Database

In order to use the tool for CVE analysis and report generation first the CVE database must be initialized and filled with CVE records.

Run

$ ./cvetool update --db-path=./matcher.db

to create or update the DB (SQLite).

The --db-path argument is the path to the database location.

Important

If the parameter is omitted the tool creates ephemeral (in-memory) database, which will be discarded after the tool finishes its job.

The initial update procedure could take up to 30 minutes. Further incremental updates will be significantly faster.

Scan Local System

Run

$ ./cvetool report --root-path=/ --db-path=./matcher.db

to scan the underlying system and generate vulnerabilities report.

The --root-path argument defines root directory of the target file system.

Caution

Currently the tool fails if there is a problem with accessing files (#9). At this moment it is not possible to get a report for the local system.

Scan a Container Image

Run

$ ./cvetool report --image-path=./rhel-10-ubi.tar --db-path=./matcher.db

to scan a podman/docker image save ...-compatible .tar image and generate vulnerabilities report.

Caution

Currently the tool fails to process contemporary images with layer.tar symlinks (#18). At this moment it is not possible to get a report for a container image.

Scan a Remote Container Image

Run

$ ./cvetool report --image-ref=registry.access.redhat.com/ubi10/ubi --db-path=./matcher.db

to pull and scan an image from a repository and generate vulnerabilities report.

Scan a Virtual Machine Image

The tool does not directly support indexing VM images. But it can work with a mounted file system, e.g. with guestmount.

Run

$ mkdir -p ./rhel10-vm
$ guestmount -a ~/.local/share/gnome-boxes/images/rhel10.0 -i --ro ./rhel10-vm
$ ./cvetool report --root-path=./rhel10-vm --db-path=./matcher.db

to mount the file system, scan and generate vulnerabilities report.

Report Formats

Default report format is plain, which represents basic information about found vulnerabilities in a human-readable form. It could be changed with the --format argument. Possible options are 'clair', 'quay' and 'sarif'.

Help

Run the tool with --help argument for detailed information about invocation options.

Name		Name	Last commit message	Last commit date
Latest commit History 230 Commits
.github		.github
cmd/cvetool		cmd/cvetool
datastore		datastore
image		image
migrations		migrations
output		output
.editorconfig		.editorconfig
.gitignore		.gitignore
DCO		DCO
LICENSE		LICENSE
Makefile		Makefile
NOTICE		NOTICE
README.md		README.md
go.mod		go.mod
go.sum		go.sum

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

CVE Tool

Build

Run

Update (or Initialize) the Database

Scan Local System

Scan a Container Image

Scan a Remote Container Image

Scan a Virtual Machine Image

Report Formats

Help

About

Uh oh!

Releases

Packages

Contributors 3

Uh oh!

Languages

License

ComplianceAsCode/cvetool

Folders and files

Latest commit

History

Repository files navigation

CVE Tool

Build

Run

Update (or Initialize) the Database

Scan Local System

Scan a Container Image

Scan a Remote Container Image

Scan a Virtual Machine Image

Report Formats

Help

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Contributors 3

Uh oh!

Languages

Packages