Created March 26, 2022 21:24
APT CVE checker script
```bash
#!/bin/bash
# A minimal CVE checker script for apt
# License: GPL-3.0
# Input lines are "package installed-version" pairs derived from `apt list --upgradable`.
while read -r package version; do
    changelog=$(apt changelog "${package}" 2>/dev/null)
    # Line number of the installed version's changelog entry; everything above it is newer.
    # Double quotes are needed so ${version} expands; -F matches the version string literally.
    offset=$(grep -nF "(${version})" <<< "${changelog}" | head -n 1 | cut -d ':' -f 1)
    # Collect CVE ids from the newer entries; an empty offset (no changelog) yields none.
    cves=$(head -n "${offset:-0}" <<< "${changelog}" | grep -o 'CVE-[0-9]\+-[0-9]\+' | sort -u)
    [[ -n "$cves" ]] && echo "${package}" ${cves} || echo "x: ${package} ${version}"
done <<< "$(apt list --upgradable 2>/dev/null | sed -e 's|/.*from:||g' -e 's|\]$||g' | tail -n +2)"
```
This is a minimal bash script which uses `apt changelog` to give you a brief summary of which CVEs could be mitigated by updating your system. Make sure your package information is up to date by running `sudo apt update` beforehand.

Example output:

A line starting with `x` indicates that the update available for the given package carries no information about fixed CVEs. Caution: this also happens if the changelog cannot be fetched. This script was tested on Debian 11 and only served the purpose of simplifying the CVE listing during audit reports.
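The changelog-scanning step described above, isolated into two functions and run against a constructed Debian-style changelog so it can be exercised offline. This is an added example, not part of the gist; the package name, versions and CVE ids in the sample data are made-up placeholders, and the "x:" case is shown for a version that has no changelog entry.

```shell
#!/bin/bash
# Added example: the gist's parsing and changelog-scanning logic as functions,
# fed with constructed data instead of live `apt` output.

# Turn one `apt list --upgradable` line into "package installed-version"
# (same sed expression the gist uses).
parse_upgradable_line() {
    printf '%s\n' "$1" | sed -e 's|/.*from:||g' -e 's|\]$||g'
}

# Print the CVE ids found in changelog entries newer than the installed
# version. The "(version)" header of the installed entry marks where to stop;
# if it is absent (changelog missing or truncated) nothing is printed.
cves_since_installed() {
    changelog=$1
    installed=$2
    offset=$(printf '%s\n' "$changelog" | grep -nF "($installed)" | head -n 1 | cut -d ':' -f 1)
    [ -z "$offset" ] && return 0
    printf '%s\n' "$changelog" | head -n "$offset" | grep -oE 'CVE-[0-9]+-[0-9]+' | sort -u
}

# Constructed sample data (placeholder package, versions and CVE ids).
SAMPLE_LINE='examplepkg/stable 1.2-3+deb11u2 amd64 [upgradable from: 1.2-3]'
SAMPLE_CHANGELOG='examplepkg (1.2-3+deb11u2) bullseye-security; urgency=high

  * Fix buffer handling (CVE-2022-00001)
  * Harden parser (CVE-2022-00002, CVE-2022-00001)

 -- Maintainer <maint@example.invalid>  Mon, 21 Mar 2022 10:00:00 +0000

examplepkg (1.2-3+deb11u1) bullseye-security; urgency=medium

  * Fix CVE-2021-00009

 -- Maintainer <maint@example.invalid>  Mon, 10 Jan 2022 10:00:00 +0000

examplepkg (1.2-3) bullseye; urgency=medium

  * Initial packaging (upstream already fixed CVE-2020-00005)

 -- Maintainer <maint@example.invalid>  Mon, 01 Nov 2021 10:00:00 +0000'

# Same reporting as the gist: package plus CVE ids, or an "x:" line.
pkg_ver=$(parse_upgradable_line "$SAMPLE_LINE")
pkg=${pkg_ver%% *}
ver=${pkg_ver#* }
cves=$(cves_since_installed "$SAMPLE_CHANGELOG" "$ver")
[ -n "$cves" ] && echo "$pkg" $cves || echo "x: $pkg $ver"
```

Note that the installed version's own entry is excluded: CVE-2020-00005 from the 1.2-3 entry is not reported, only the ids from the two newer entries.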