Feature Requests
Sven Vermeulen 2013-09-18
The following table lists the feature requests that have been received but are not yet part of a stable released version.
This request is still in draft (meaning it has not been started). Feedback (or perhaps even patches) is greatly appreciated.
Support a distribution-specific check script (most likely using the cvechecker output) that investigates whether a vulnerability has already been solved by the distribution itself through an applied patch (rather than a version upgrade). The check script itself should be a wrapper that detects on which distribution it is being run (/etc/*release) and then calls the script made specifically for that distribution (in a predefined location, say lib/cvechecker/scripts).
The distribution-specific scripts must adhere to a predefined input/output scheme, return codes and such.
They should support a human-friendly and computer-parsable output.
A sample script is available in the cvechecker distribution, scripts/cvedebian, courtesy of Nigel Horne.
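One way to write the wrapper described in this request (an added example, not code from cvechecker or from this page). The default script directory, the cve<id> naming modelled on scripts/cvedebian, the CVE_ROOT prefix and the return codes 3 and 4 are assumptions.

```sh
#!/bin/sh
# Added example, not cvechecker code. Items marked ASSUMED are not on the page.

# ASSUMED install path; the page only suggests "lib/cvechecker/scripts".
: "${CVE_SCRIPT_DIR:=/usr/lib/cvechecker/scripts}"
# ASSUMED: optional root prefix so detection can run against a constructed tree.
: "${CVE_ROOT:=}"

# Print a lowercase distribution id taken from /etc/*release, or return 1.
detect_distro() {
    id=
    if [ -r "$CVE_ROOT/etc/os-release" ]; then
        # Parse the ID= field rather than sourcing the file: it is data, not code.
        id=$(sed -n 's/^ID=//p' "$CVE_ROOT/etc/os-release" | head -n 1 | tr -d "\"'")
    else
        # Older systems: derive the id from a file name such as debian_version.
        for f in "$CVE_ROOT"/etc/*-release "$CVE_ROOT"/etc/*_version; do
            [ -r "$f" ] || continue
            name=${f##*/}
            [ "$name" = lsb-release ] && continue   # generic file, names no distro
            id=${name%-release}; id=${id%_version}
            break
        done
    fi
    id=$(printf '%s' "$id" | tr 'A-Z' 'a-z')
    # Allow-list the characters so the id cannot point outside CVE_SCRIPT_DIR.
    case $id in
        ''|*[!a-z0-9_-]*) return 1 ;;
    esac
    printf '%s\n' "$id"
}

# Run the distribution-specific script with the wrapper's arguments and stdin.
# ASSUMED naming cve<id> (after the sample scripts/cvedebian) and ASSUMED
# wrapper return codes: 3 = distribution not recognised, 4 = no script for it.
dispatch() {
    distro=$(detect_distro) || { echo "cannot identify distribution" >&2; return 3; }
    script="$CVE_SCRIPT_DIR/cve$distro"
    if [ ! -f "$script" ] || [ ! -x "$script" ]; then
        echo "no check script for $distro" >&2
        return 4
    fi
    "$script" "$@"
}
# A wrapper script would end with:  dispatch "$@"
```

Any other return code is passed through unchanged from the distribution-specific script, so the predefined scheme the request asks for would have to keep 3 and 4 (or whichever values are chosen) reserved for the wrapper.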
This request is still in draft (meaning it has not been started). Feedback (or perhaps even patches) is greatly appreciated.
Part of keeping a system in a secure state is to make sure that the software installed is not end-of-support or end-of-life. Perhaps this can be included in the information that CVE checker pulls in (or can be fed) so that the reports generated from it can include this information too?
This request is still in draft (meaning it has not been started). Feedback (or perhaps even patches) is greatly appreciated.
Currently, false positives need to be handled by an XML/XSLT hack through the cvereport command. This means that the false positives need to be entered (manually) in an XML file.
It would be nice to update cvechecker itself so that these false positives can be handled from within the tool.
For instance (hypothetical code listing), to ignore a false positive:
$ cvechecker --invalidate --file /usr/bin/sudo --cve CVE-2013-1441
To acknowledge one (i.e. to differentiate in the report whether it is a new one or not):
$ cvechecker --acknowledge --file /usr/bin/sudo --cve CVE-2013-1441
The output of cvechecker can then be extended with this information (Status: New, Acknowledged or Invalid), perhaps even ignoring the invalid ones.