@p-fruck
Created March 26, 2022 21:24
  • Save p-fruck/187328ec1a14f751fd03b5745900d6e9 to your computer and use it in GitHub Desktop.
APT CVE checker script
#!/bin/bash
# A minimal CVE checker script for apt
# License: GPL-3.0
# Each input line is "<package> <installed-version>", derived from `apt list --upgradable`.
while read -r package version; do
    # Changelog of the candidate (upgrade) version, newest entry first; fetched once per package.
    changelog=$(apt changelog "${package}" 2>/dev/null)
    # Line number of the installed version's entry header, e.g. "pkg (1.2-3) stable; urgency=...".
    # Double quotes so ${version} actually expands; -F matches it literally ('.', '+', '~').
    offset=$(printf '%s\n' "${changelog}" | grep -nF "(${version})" | head -n 1 | cut -d ':' -f 1)
    # Everything above that header is newer than what is installed; collect the CVE ids named there.
    cves=""
    [[ -n "${offset}" ]] && cves=$(printf '%s\n' "${changelog}" | head -n "${offset}" | grep -o 'CVE-[0-9]\+-[0-9]\+' | sort -u)
    # ${cves} is left unquoted on purpose: the newline-separated ids are joined with spaces.
    [[ -n "${cves}" ]] && echo ${package} ${cves} || echo "x: ${package} ${version}"
done <<< "$(apt list --upgradable 2>/dev/null | sed -e 's|/.*from:||g' -e 's|\]$||g' | tail -n +2)"
p-fruck commented Mar 26, 2022

This is a minimal bash script which utilizes the apt changelog to give you a brief summary of which CVEs could be mitigated by updating your system. Make sure your package information is up to date by running sudo apt update beforehand.

Example output:

$ sudo apt update >/dev/null 2>&1 && ./apt-cve-checker.sh | sort
apache2 CVE-2022-22719 CVE-2022-22720 CVE-2022-22721 CVE-2022-23943
apache2-bin CVE-2022-22719 CVE-2022-22720 CVE-2022-22721 CVE-2022-23943
apache2-data CVE-2022-22719 CVE-2022-22720 CVE-2022-22721 CVE-2022-23943
apache2-utils CVE-2022-22719 CVE-2022-22720 CVE-2022-22721 CVE-2022-23943
x: containerd.io 1.4.12-1

A line starting with x indicates that the update available for the given package has no information about available CVEs. Caution: This also happens if the changelog cannot be fetched.

This script was tested on Debian 11 and only served the purpose of simplifying the CVE listing during audit reports.
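The changelog-parsing step the comment describes (locate the installed version's entry header, keep everything above it, collect the CVE ids mentioned there) as a stand-alone function. This is an added example and not part of the gist: the function name cves_since_version, the helper report_for_version and the sample changelog are constructed here so the logic can be exercised offline, without calling apt changelog. It goes slightly beyond the gist in two ways: CVE ids are deduplicated, and "no CVEs mentioned since the installed version" is reported separately from "installed version not found in the changelog", the two cases the gist's x: lines conflate.

```shell
#!/bin/bash
# Added example (not the gist's code): the changelog-parsing core of the checker.
#
# cves_since_version VERSION   (Debian changelog text on stdin, newest entry first)
#   Prints the unique CVE ids found in entries newer than the installed VERSION.
#   Exit status: 0 = VERSION found (output may be empty), 2 = VERSION not in changelog.
cves_since_version() {
    local version="$1"
    local changelog offset
    changelog=$(cat)
    # Entry headers look like "pkg (1.2-3) stable; urgency=high"; match the version
    # as a fixed string (-F) because versions contain '.', '+' and '~'.
    offset=$(printf '%s\n' "$changelog" | grep -nF "(${version})" | head -n 1 | cut -d ':' -f 1)
    if [ -z "$offset" ]; then
        return 2
    fi
    # Lines 1..offset are the entries newer than the installed version (plus its header).
    printf '%s\n' "$changelog" | head -n "$offset" | grep -o 'CVE-[0-9]\+-[0-9]\+' | sort -u
    return 0
}

# Constructed sample changelog (not a real Debian changelog), newest entry first.
SAMPLE_CHANGELOG='demo (2.0-2) stable; urgency=high

  * Fix CVE-2022-0002 and CVE-2022-0003 (CVE-2022-0002 also fixed in a second file)

 -- Maintainer <m@example.invalid>  Sat, 26 Mar 2022 12:00:00 +0000

demo (2.0-1) stable; urgency=medium

  * Fix CVE-2022-0001

 -- Maintainer <m@example.invalid>  Fri, 25 Mar 2022 12:00:00 +0000

demo (1.0-1) stable; urgency=low

  * Initial release, fixing the old CVE-2021-0009

 -- Maintainer <m@example.invalid>  Thu, 24 Mar 2022 12:00:00 +0000'

# report_for_version INSTALLED_VERSION
#   Space-separated CVE ids newer than INSTALLED_VERSION in the sample changelog,
#   an empty string if none are mentioned, or "x" if the version is not found.
report_for_version() {
    local cves
    if cves=$(printf '%s\n' "$SAMPLE_CHANGELOG" | cves_since_version "$1"); then
        printf '%s\n' "$cves" | tr '\n' ' ' | sed 's/ $//'
    else
        echo "x"
    fi
}

# Usage: every version in the sample, from the freshest to one that is not listed.
for v in 2.0-2 2.0-1 1.0-1 9.9-9; do
    echo "installed ${v}: $(report_for_version "$v")"
done
```

Because the function reads from stdin, the same logic can be fed a real changelog with `apt changelog "$pkg" | cves_since_version "$installed"`; the exit status 2 is what lets a caller tell a missing changelog entry apart from an update that simply mentions no CVE.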
