Changelog

Notable changes to this project will be documented in this file.

[v2.2.1] [2025-07-30]

Fixes

  • Some CVE records no longer conform to the NVD API 2.0 JSON schema; as of now a single one, namely CVE-2024-32849. A simple patch was added so that the matching algorithm ignores malformed CVE records.
  • Fixed the NVD connector to handle the recently introduced 429 status code, returned in place of 403 when the rate limit is hit.

Changes

  • NVD connector rate limiting is now configurable through the configuration file. Furthermore, the default rate limit has been changed from 5 calls in a rolling window of 30 seconds to 5 calls in a rolling window of 35 seconds.
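The two NVD connector items above (the rolling-window limit and the 403/429 handling) are easy to get subtly wrong, so here is an added example of how such a limiter behaves. This is illustrative code written for this changelog, not CVEScan's connector; the class names, the injectable clock and the retry policy are assumptions, and the defaults simply mirror the 5 calls per 35 seconds stated above.

```python
import time
from collections import deque


class FakeClock:
    """Constructed clock for the demo: sleep() advances time instead of waiting."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class RollingWindowLimiter:
    """Allow at most `max_calls` calls in any rolling window of `window` seconds.
    Hypothetical helper for this example, not CVEScan's own connector code;
    the defaults mirror the v2.2.1 default of 5 calls per 35 s."""

    def __init__(self, max_calls=5, window=35.0, clock=time.monotonic, sleep=time.sleep):
        self.max_calls = max_calls
        self.window = window
        self._clock = clock
        self._sleep = sleep
        self._calls = deque()  # timestamps of calls still inside the window

    def _evict(self, now):
        # Drop timestamps that have aged out of the rolling window.
        while self._calls and now - self._calls[0] >= self.window:
            self._calls.popleft()

    def wait_time(self):
        """Seconds to wait before the next call is allowed (0.0 if allowed now)."""
        now = self._clock()
        self._evict(now)
        if len(self._calls) < self.max_calls:
            return 0.0
        return self.window - (now - self._calls[0])

    def acquire(self):
        """Block until a slot is free, record the call and return the delay waited."""
        delay = self.wait_time()
        if delay > 0:
            self._sleep(delay)
        self._calls.append(self._clock())
        return delay

    def backoff(self):
        """Sleep a full window, e.g. after the server reports a rate-limit hit."""
        self._sleep(self.window)


def fetch_with_rate_limit(limiter, request, retries=3):
    """Run `request()` under the limiter. Both 403 (the NVD's former rate-limit
    answer) and 429 (the current one) are treated as "slow down": back off for
    a full window and retry instead of failing the whole update."""
    last_status = None
    for _ in range(retries):
        limiter.acquire()
        status, body = request()
        last_status = status
        if status in (403, 429):
            limiter.backoff()
            continue
        return status, body
    raise RuntimeError("NVD still rate limiting after %d attempts (last status %s)"
                       % (retries, last_status))


if __name__ == "__main__":
    clock = FakeClock()
    limiter = RollingWindowLimiter(clock=clock, sleep=clock.sleep)
    delays = [limiter.acquire() for _ in range(6)]
    print("delays:", delays)  # the sixth call waits for the window to roll over
```

The limiter keeps only the timestamps inside the current window, so a burst of five calls is served immediately and the sixth waits exactly until the oldest one ages out; treating 403 and 429 identically is what keeps an update working across the NVD's change of status code.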

[v2.2.0] [2025-07-29]

New features

  • Added a specialized version scheme handler for mbed_tls.

Changes

  • When a scanned inventory includes one of "busybox", "linux_kernel" or "u-boot" without a runtime, a warning suggests using the "--keep-package" option to force the package analysis.
  • The nvd match connector, enabled by default, can now be overridden: it is not enabled if the nvd key is absent from the connectors:match list of the specified config.yml.
  • CPE patterns in the NVD matching algorithm are now anchored, to avoid spurious product matches that led to noisy Version Mismatch classifications.
  • Web-UI: removed the version shown in the served UI, as it lagged behind the installed version and caused confusion.

Fixes

  • Fixed an error caused by specific special characters in product names. This error was occurring occasionally when scanning cyclonedx-json inventories generated with third-party tools.
  • NVD API 2.0 requests now include the Zulu time suffix on date parameters, as required.
  • Ported the Docker image to cvescan >=2.1.

Known Issues

  • Polars, a dependency introduced in CVEScan 2.0.0, requires processors supporting Advanced Vector Extensions (AVX). For compatibility, the install.sh --lts-cpu option was introduced to use the polars-lts-cpu package, compiled without AVX.

Removed

  • The nvd-update subcommand has been removed.

[v2.1.0] [2025-06-30]

New Features

  • The uct and linux connectors now support initial cloning of the UCT and linux-stable repositories, from git://git.launchpad.net/ubuntu-cve-tracker and git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git respectively.
  • The remote setting of the uct and linux connectors allows setting the UCT Git remote URL.
  • Vulnerability items matched from multiple sources will serialize one match rationale per connector.

Changes

  • When matching vulnerabilities, the default package version handling now sanitizes the version string by removing a "v" prefix and suffixes such as ".imx" when present.

Deprecated

  • All occurrences of the --upstream-uri option in CVEScan subcommands have been removed, as the linux-stable datasource is now handled through the linux connector.

Fixes

  • Fixed connector mirror paths configured through config.yml being ignored by the datasources-update command and the --snapshot/--restore-snapshot options.
  • LMDB paths are created if they do not exist when pulling or writing NVD mirrors.

[v2.0.0] [2025-06-24]

New Features

  • The datasources-update subcommand now handles fetching for your linux-upstream, Ubuntu CVE Tracker and NVD local replications.
  • datasources-update --restore-snapshot X.zst lets you initialize your NVD local replication state from a ZStandard archive snapshot.
  • datasources-update --snapshot [X.zst] lets you export a snapshot of your NVD locally replicated data to a ZStandard archive.

Changes

  • The Ubuntu CVE Tracker datasource is now handled through a dedicated uct connector.
  • CVEScan matching algorithm has been refactored and specialized version scheme handling has been implemented for the following products:
    • Asterisk products
    • International Components for Unicode
    • Internet Systems Consortium products: bind, dhcp, ntp
    • sudo
    • json-c
    • libjpeg
    • Linux Kernel
    • openssh
    • openssl
    • speex

Deprecated

  • The nvd-update subcommand has been deprecated, as it has been replaced by the datasources-update subcommand, and will be removed in the future.
  • All occurrences of the --uct-dir option in CVEScan subcommands have been removed, as the Ubuntu CVE Tracker datasource is now handled through the uct connector.

Removed

  • NVDQuery has been removed.

[v1.5.1] [2025-06-19]

Fixed

  • Fixed a regression, introduced between 1.4.1 and 1.5.0, in applying annotations: cve_products were serialized with vendor information in reports when available.
  • Fixed a logger error occurring in filter-report when the patch commit does not exist in upstream Linux.
  • Fixed an error occurring in export-csv when encountering an ISO 8601 date with a Zulu suffix in vulnerability information.

[v1.5.0] [2025-05-06]

New Features

  • CVEScan now fetches vulnerabilities from OSV when a component purl or commit hash is provided.
  • The osv connector's advanced_purl_parsing setting allows mapping purl components to OSV ecosystems for more inclusive matching.
  • Vulnerability source connectors can now be explicitly enabled for the match and fetch steps in config.yml.

Web-UI features

  • Bulk annotation: You can now select multiple vulnerabilities and annotate them simultaneously. Please note that you can only select vulnerabilities that are either all unannotated or all already annotated.
  • Persist the state of expanded/collapsed filters: The state of the filters (expanded/collapsed) is now persisted in the user session.
  • Performance improvements: Reduced the time it takes to load a scan report.

Changes

  • export-report no longer fetches from sources; it uses the data serialized in the report instead.

Fixed

  • Fixed a crash when loading "review"-less annotation logs.

Removed

  • The --nvdquery-sock option has been removed; the nvdquery Unix socket should now be specified through the nvd connector settings in the YAML configuration file.

[v1.4.1] [2025-04-09]

New features

export-report features

  • Add a --override-vulnerable-manual-assessment option (and a corresponding configuration file entry) to ignore annotation manual assessments whenever a manual assessment says "vulnerable" but cvescan automatically assesses the vulnerability as not applicable.
  • Add a --match-attack-vector option to filter vulnerabilities based on attack vector. This option can be entered multiple times to build a list of attack vectors to match against. The list is matched against the CVSSv2 "access vector" or CVSSv3 "attack vector" fields; if either field matches any listed attack vector, the vulnerability is exported.

Fixed

  • Fixed a rare error caused by a collision between CLI logging renderables.

[v1.4.0] [2025-02-28]

New Features

  • Add a --config command line option to specify a custom configuration file.
  • If no configuration file is specified on the command line, cvescan looks for it in the current working directory, then in the platform-specific configuration directory (e.g. ~/.config/cvescan/config.yml on Linux).

export-report features

  • Add a couple of options (--filter-score-type and --keep-scores-above) to allow filtering of CVEs based on a minimal CVSS v2 or v3 base score.
  • Only with the CSV export format: multiple reports can be consolidated, each with an associated name, using the syntax -i path/to/report_file:report_name.
    • Each report must have a unique name.
    • Naming on the command line is however optional: -i path/to/report_file remains valid, in which case report_file is used as the report name.
  • When more than one report is passed as argument, an extra column titled Source Report Name is added to the output CSV file, repeating the originating report name.
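The score and attack-vector filters described in the v1.4.0 and v1.4.1 export-report items above both depend on picking the right CVSS block out of an NVD record. The following is an added example, not CVEScan's code, of how such filtering can be written over NVD API 2.0 records: the field names (metrics.cvssMetricV31/V30/V2, cvssData.baseScore, attackVector, accessVector) are the real API keys, the CVE records are constructed for the demo, and the choice to drop records that lack the requested metric when a threshold is set is an assumption of this example. The v3.1-over-v3.0 preference follows the v0.2.0 note further down this changelog.

```python
# Constructed NVD API 2.0-shaped records for the demo (not real CVEs).
SAMPLE_CVES = [
    {
        "id": "CVE-0000-0001",
        "metrics": {
            "cvssMetricV30": [{"cvssData": {"baseScore": 5.3, "attackVector": "ADJACENT_NETWORK"}}],
            "cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "attackVector": "NETWORK"}}],
        },
    },
    {
        "id": "CVE-0000-0002",
        "metrics": {
            "cvssMetricV2": [{"cvssData": {"baseScore": 4.6, "accessVector": "LOCAL"}}],
        },
    },
    {"id": "CVE-0000-0003", "metrics": {}},  # no scores at all
]


def select_v3_metrics(cve):
    """cvssData of the most recent CVSS v3 block (3.1 preferred over 3.0), or None."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30"):
        entries = metrics.get(key)
        if entries:
            return entries[0]["cvssData"]
    return None


def select_v2_metrics(cve):
    """cvssData of the CVSS v2 block, or None."""
    entries = cve.get("metrics", {}).get("cvssMetricV2")
    return entries[0]["cvssData"] if entries else None


def base_score(cve, score_type):
    """Base score for score_type 'v2' or 'v3'; None when that metric is absent."""
    data = select_v2_metrics(cve) if score_type == "v2" else select_v3_metrics(cve)
    return None if data is None else data["baseScore"]


def attack_vectors(cve):
    """Vector strings from the CVSSv2 accessVector and the selected CVSSv3 attackVector."""
    vectors = set()
    v2 = select_v2_metrics(cve)
    if v2 and "accessVector" in v2:
        vectors.add(v2["accessVector"].upper())
    v3 = select_v3_metrics(cve)
    if v3 and "attackVector" in v3:
        vectors.add(v3["attackVector"].upper())
    return vectors


def filter_for_export(cves, score_type=None, keep_scores_above=None, match_attack_vector=()):
    """Return the ids of CVEs passing the export filters.

    - keep_scores_above: minimal base score of the chosen type ('v3' by default);
      records without that metric are dropped (assumption of this example).
    - match_attack_vector: a CVE is kept if its v2 or v3 vector is in the list.
    """
    wanted = {v.upper() for v in match_attack_vector}
    kept = []
    for cve in cves:
        if keep_scores_above is not None:
            score = base_score(cve, score_type or "v3")
            if score is None or score < keep_scores_above:
                continue
        if wanted and not (attack_vectors(cve) & wanted):
            continue
        kept.append(cve["id"])
    return kept


if __name__ == "__main__":
    print(filter_for_export(SAMPLE_CVES, "v3", 7.0))
    print(filter_for_export(SAMPLE_CVES, match_attack_vector=["network", "local"]))
```

Because the v3.1 block wins when both are present, the first record's v3.0 vector (ADJACENT_NETWORK) never takes part in the match; that is the behaviour to expect when a report seems to "miss" an older vector value.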

Web-UI features

  • Added a feature for reverting & editing changes made in the current session. The session resets whenever the user uploads a new annotations file.
  • Enhance vulnerability description display.
  • Add vulnerabilities sorting information to query params.

Changes

  • CVEScan now relies on platformdirs to select the directories holding the data it relies on:
    • Cache data is stored in ~/.cache/cvescan/cache/
    • NVD data is stored in ~/.local/share/cvescan/nvd
    • Linux kernel sources are looked for in ~/.local/share/cvescan/linux

Fixed

Web-UI fixes

  • Fixed an issue where the version specificity change dialog did not let you confirm your changes initially.

[v1.3.1] [2024-12-20]

Fixed

  • Fixed a KeyError arising when filter-report with --advanced-filter was unable to resolve a breaking commit.

[v1.3.0] [2024-12-18]

New Features

  • A new --advanced-filter flag can be explicitly enabled on the filter-report and run subcommands. It introduces a new experimental patch detection strategy that removes more false positives than the default "strict" strategy.

Changes

  • CVEScan support for CycloneDX has been extended to the v1.6 JSON schema.
  • The default value for the UCT dir was set to None, so it has to be explicitly enabled.
  • Simplified the CVEScan Docker setup to ensure proper usage; the user is warned if volumes are misconfigured.
  • The CVEScan CLI now detects whether it is launched in a container and picks appropriate default values.
  • In addition to the "{basename}.report.json" symlink, both scan-inventory & filter-report write a corresponding "{basename}-{command-name}.report.json". filter-report now infers its input report as "{basename}-scan-inventory.report.json", to avoid confusion when stacking multiple filter assessments in the same report.
  • Allow for expansion of '~' as user home in configuration file.
  • Annotations format was bumped to 2.1.1 to reflect minor changes. The UI will continue to support 2.1.0 inputs while exporting in 2.1.1 format.

[v1.2.0] [2024-12-04]

New Features

  • CVEScan is now dockerized; how to build and use the image is described in the associated documentation.

Changes

  • The CVEScan CLI command serve-ui now has a new flag --host, which helps run CVEScan in a container, defaulting to 127.0.0.1.
  • Annotations format was bumped to 2.1.0 as log entries schema changed and package_version criterion was renamed to version_specific.
  • The "n/a" status of kernel-configuration-based assessments (lkconfig) was renamed to "safe config".

Deprecated

  • Annotations format 2.0.0 has been deprecated.

Fixed

  • The NVD_DIR argument of the CLI nvd-update subcommand is no longer required, allowing fallback to the configuration file.

[v1.1.0] [2024-11-12]

New Features

  • CVEScan now allows defining multiple annotations for a vulnerability/product on the same scope with different version criteria.

Changes

  • Semver versions are now built from less strict expressions (e.g. "MAJOR.MINOR", "MAJOR", ...).
  • Matching vulnerabilities against annotation version criteria now ignores the "prerelease" text, i.e. any trailing text prefixed by "-" before the "+" metadata in strict semver.
  • In v1.0.0, scans introduced the "product" attribute, derived from "cve_product", in vulnerability records. For normalization and easier matching with annotations, the "vendor:" prefix is now removed when present.
  • To allow for easier comparison, vulnerabilities are now sorted by ID in reports.
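The v1.1.0 semver items above (lenient "MAJOR" / "MAJOR.MINOR" expressions, prerelease text ignored when matching) and the v2.1.0 change that strips "v" prefixes and suffixes such as ".imx" all act on the same version string, so here is one added example covering both. It is illustrative code, not CVEScan's version handling: the regex, the function names and the suffix list (the changelog names only ".imx") are assumptions of this example.

```python
import re

# Suffixes stripped before parsing. Assumed list for the demo; the changelog
# names ".imx" as an example of such a suffix.
STRIP_SUFFIXES = (".imx",)

# Lenient semver: MAJOR, MAJOR.MINOR or MAJOR.MINOR.PATCH, with optional
# "-prerelease" and "+build" parts as in strict semver.
SEMVER_RE = re.compile(
    r"^(?P<major>\d+)"
    r"(?:\.(?P<minor>\d+))?"
    r"(?:\.(?P<patch>\d+))?"
    r"(?:-(?P<prerelease>[0-9A-Za-z.-]+))?"
    r"(?:\+(?P<build>[0-9A-Za-z.-]+))?$"
)


def sanitize_version(raw):
    """Strip a leading 'v' (only when followed by a digit) and known trailing suffixes."""
    version = raw.strip()
    if version[:1] == "v" and version[1:2].isdigit():
        version = version[1:]
    for suffix in STRIP_SUFFIXES:
        if version.endswith(suffix):
            version = version[: -len(suffix)]
    return version


def parse_semver(raw):
    """Return (major, minor, patch, prerelease); missing numeric parts default to 0.
    Raises ValueError when the string is not lenient semver."""
    m = SEMVER_RE.match(sanitize_version(raw))
    if not m:
        raise ValueError("not a semver-like version: %r" % raw)
    return (
        int(m.group("major")),
        int(m.group("minor") or 0),
        int(m.group("patch") or 0),
        m.group("prerelease"),
    )


def release_tuple(raw):
    """Numeric (major, minor, patch) only: prerelease text plays no part in matching."""
    return parse_semver(raw)[:3]


def version_in_range(candidate, lower=None, upper=None):
    """True when lower <= candidate < upper, comparing release tuples only."""
    c = release_tuple(candidate)
    if lower is not None and c < release_tuple(lower):
        return False
    if upper is not None and c >= release_tuple(upper):
        return False
    return True


if __name__ == "__main__":
    for raw in ("v5.10.72.imx", "2", "1.2.3-rc1+build.5"):
        print(raw, "->", sanitize_version(raw), parse_semver(raw))
    print(version_in_range("v1.4.0-beta", "1.2", "1.5"))
```

Note that the "v" is only stripped when a digit follows it, so a product or tag name that happens to start with "v" is left intact; and because prerelease text is dropped, "1.4.0-beta" matches a "[1.2, 1.5)" criterion exactly as "1.4.0" does.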

Fixed

  • In CSV exports, "PatchAvailable" was exported in the "PatchApplied" column.
  • Normalized the content of the "ManualAssessment-LastModified" column of CSV exports.

[v1.0.1] [2024-10-10]

Fixed

  • The last top level report filename character was missing when basename was not defined.
  • A typo in package MANIFEST.in was preventing WUI index.html from being copied to the package data.

[v1.0.0] [2024-10-04]

Changes

  • CVEScan CLI was refactored and introduces a dependency on click.
  • CVEScan features are now available through a Python API.
  • CVEScan reports were refactored to allow for accurate serialization of vulnerability assessments.
  • CVEScan reports now include "runtimes" metadata, which contains information about the command run and the state of the resources (git describe of the UCT repo, stat.mtime of the local msgpack as well as its path and the CRC32 of its content).
  • CVEScan annotations were refactored to reflect the newly introduced suggested workflow. The annotation file version was bumped to 2.0.0.
  • The responsibility for applying manual vulnerability assessments from the annotation file has been shifted from the filter-report subcommand to the export-report subcommand.
  • The installed CVEScan package version (PEP 440 compliant) is now deduced from the git repository state using the last release tag; if there have been commits since then, the abbreviated commit hash is serialized as well in the version metadata ("version+{metadata}").
  • The run command chains the scan-inventory and filter-report commands but will not perform an export-report anymore.

Deprecated

  • Applying manual vulnerability assessments from the annotation file through the filter-report or run commands has been deprecated and will not be possible in future versions of CVEScan. Annotations can be passed to the export-report command.

New Features

  • The CVEScan CLI now provides extensive logging in interactive mode; this change introduces a dependency on rich.
  • Default values for CVEScan options were introduced where applicable. Additionally, options are now configurable through a config.yml configuration file and can be overridden through the CLI. These changes improve ease of use.
  • scan-inventory & filter-report subcommands will write "{basename}.report.json" symlink pointing to the last written report. This also allows for filter-report and export-report to take this symlink as default input.
  • NVDQuery now returns CPE matches per package, which are serialized in the CVEScan reports.
  • CVEScan version is now accessible through the version/-v/--version subcommand.
  • Filtering predicates for vulnerabilities that depend on kernel configuration options are now maintained in a dedicated lkconfig.yml configuration file. The CLI first evaluates the --lkconfig option, then looks for $cwd/lkconfig.yml, and finally falls back to the package-maintained lkconfig.yml.

Removed

  • csv_report_to_annotations, extract_yaml_annotations and extract_yaml_annotations_from_dir legacy scripts will not be maintained as part of CVEScan anymore.
  • Removed legacy tests fixtures and scripts.

[v0.3.0] [2024-07-01]

Fixed

  • Allow filter-report to match the Linux kernel with the linux vendor id, as in "cve_product": [ "linux:linux_kernel" ].
  • String values in kernel src-uris entries are now ignored to avoid filter aborts, as the head src_uri is expected to be a mapping.
  • The NVD CVE API forbids requests with a timespan greater than 120 days; if the local msgpack has not been updated for 120 days or more, a full replication is performed.

[v0.2.1] [2024-04-30]

New Features

  • Added an optional --use-upstream-linux-ref parameter to the filter-report command that overrides the git reference from the Yocto SBOM with a commit reference in the Linux kernel repository mirror specified by --upstream-uri. This allows filtering without access to the git history of the kernel source code. Note that --use-upstream-linux-ref breaks the link with the built kernel: filter-report could rule out CVEs that are actually vulnerable.
  • extract_csv_annotations has been renamed to csv_report_to_json_annotations and allows generating a template annotations file with all CVEs marked as vulnerable.
  • NVD database retrieval will now get proxy configuration from standard environment variables.

[v0.2.0] [2023-12-13]

IMPORTANT NOTE: On December 15th, 2023, the NVD will retire its data feeds and the 1.0 APIs. As a consequence, all earlier versions of CVEScan will stop working.

Changes

  • Data is now fetched from the CVE 2.0 vulnerability API. Some minor syntactic changes are introduced in the output reports, without any information loss.
  • NVD rejected CVEs are now whitelisted based on their CVE 2.0 API "vulnStatus" attribute.

Fixed

  • The export-report CSV writer now quotes all fields, to prevent delimiter characters inside strings from being interpreted as delimiters.
  • nvd-update now verifies the passed directory argument before fetching.

New Features

  • When multiple versions of CVSS v3 metrics are available, exported reports use the most recent version's data: when applicable, cvssMetricV31 baseScore and attackVector take precedence over their cvssMetricV30 counterparts.
  • Added an optional --timeout option to the nvd-update subcommand. The format is either an integer interpreted as seconds or a more convenient form such as "45m30s" or "1h". If no timeout is defined, the update proceeds without time limitation.
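As an added illustration of the --timeout formats listed above, here is a small parser and the deadline check a pull loop would use. This is example code written for this changelog, not CVEScan's implementation: the accepted unit letters (h, m, s), the required h-then-m-then-s order and the rejection of empty input are assumptions of this example.

```python
import re

# "1h", "45m30s", "1h30m", "90s": hours, minutes, seconds, in that order, each optional.
DURATION_RE = re.compile(r"^(?:(?P<h>\d+)h)?(?:(?P<m>\d+)m)?(?:(?P<s>\d+)s)?$")
UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_timeout(value):
    """Return the timeout in seconds, or None when no timeout was given.

    A bare integer (int or digit string) is taken as seconds; otherwise the
    value must be a duration such as "45m30s". Raises ValueError otherwise.
    """
    if value is None:
        return None
    text = str(value).strip()
    if text == "":
        raise ValueError("empty timeout")
    if text.isdigit():
        return int(text)
    m = DURATION_RE.match(text)
    if not m or not any(m.group(u) for u in UNIT_SECONDS):
        raise ValueError("invalid timeout format: %r" % value)
    return sum(int(m.group(u)) * UNIT_SECONDS[u] for u in UNIT_SECONDS if m.group(u))


def deadline_reached(start, timeout, now):
    """True once `timeout` seconds (or more) have elapsed since `start`.
    An unset timeout (None) never expires, matching "no time limitation"."""
    if timeout is None:
        return False
    return now - start >= timeout


if __name__ == "__main__":
    for raw in ("45m30s", "1h", "90", None):
        print(repr(raw), "->", parse_timeout(raw))
```

Keeping the "no timeout" case as None rather than 0 or a huge number avoids the classic bug where a default of 0 is read as "expire immediately"; the deadline check makes that explicit.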

[v0.1.1] [2023-11-29]

Fixed

  • Fixed the --vulnerable-only filter not being applied correctly.

New Features

  • Added SPDX SBOMs as input.

[v0.1.0] [2023-10-27]

Fixed

  • Plugins were not installed with setuptools < 62.3.0 (leading to an --inventory-format error).
  • The local mirror of the Linux kernel in DL_DIR/git2 could not be found if the ssh URI had no "@".

New Features

  • CVEs tagged with " REJECT " in their description are reported as non-vulnerable with a whitelisted status, and the description is carried over in the comment.