Data sources

CVE Scan depends on several third-party data sources:

  • The NIST National Vulnerability Database (NVD)
  • The mainline Linux kernel git repository
  • The Ubuntu CVE Tracker (UCT) git repository

These resources need to be reasonably up-to-date to give meaningful results.

These are non-trivial downloads (several GiB). By default the following tree structure will be deployed on your local filesystem:

~/.local/share/cvescan
    ├── linux
    ├── nvd
    └── uct

Downloading and updating your local NVD copy

The CVE Scan program provides the datasources-update command which fetches from the Linux Kernel and Ubuntu CVE Tracker repositories and queries the NVD API to create or update a local copy of the whole NVD database.

Use the following command to download or update your local NVD copy:

cvescan datasources-update nvd

Downloading and updating the UCT repository

The Ubuntu CVE Tracker is available in a Git repository, so it can be cloned and updated in the usual way.

It is suggested to use the official repository, not a mirror. Its URI is https://git.launchpad.net/ubuntu-cve-tracker, or alternatively git://git.launchpad.net/ubuntu-cve-tracker.

Run the following command to download your initial copy of the UCT in $uct_dir:

git clone -b master \
  https://git.launchpad.net/ubuntu-cve-tracker \
  "$uct_dir"

Later on you may update it using one of the following commands:

git -C "$uct_dir" pull --ff-only

or

cvescan datasources-update uct

Note

If no repository is found at the location CVE Scan is configured to use, cvescan datasources-update uct will perform an initial clone from https://git.launchpad.net/ubuntu-cve-tracker

Downloading and updating the Linux kernel repository

For the Linux kernel repository the steps are similar to the UCT.

To clone the Linux repository in $linux_dir:

git clone https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git "$linux_dir"

To update it:

git -C "$linux_dir" remote update

or

cvescan datasources-update linux

Note

If no repository is found at the location CVE Scan is configured to use, cvescan datasources-update linux will perform an initial clone from https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Periodicity of updates

While the initial download takes some time (approximately 1 hour, depending on the available network bandwidth and various other parameters), the subsequent updates should be relatively quick, assuming they are done regularly.

Since these data sources are modified frequently, we advise running an update of all three before each scan, unless you need a fixed frame of reference for comparing several CVE reports.
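
The script below is an added example, not part of CVE Scan or its documentation: it reports which of the three data sources are missing or older than a threshold, so that only those are refreshed before a scan. It assumes the default tree shown above, GNU stat and find, and file modification times as a proxy for "last updated"; CVESCAN_DATA, MAX_AGE_HOURS and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of CVE Scan): list data sources that look stale.
# Assumptions: default tree layout, GNU stat/find, mtimes approximate the
# last update. CVESCAN_DATA and MAX_AGE_HOURS are hypothetical settings.

CVESCAN_DATA="${CVESCAN_DATA:-$HOME/.local/share/cvescan}"
MAX_AGE_HOURS="${MAX_AGE_HOURS:-24}"

# Print the epoch mtime of the newest update marker in $1, or nothing if none.
last_update_epoch() {
    if [ -f "$1/.git/FETCH_HEAD" ]; then
        stat -c %Y "$1/.git/FETCH_HEAD"      # rewritten by every fetch or pull
    elif [ -f "$1/.git/HEAD" ]; then
        stat -c %Y "$1/.git/HEAD"            # fresh clone, never fetched since
    elif [ -d "$1" ]; then
        # Not a git checkout (the NVD copy): newest file below the directory.
        find "$1" -type f -exec stat -c %Y {} + | sort -n | tail -n 1
    fi
}

# Print "<name> <reason>" for each source under $1 that is missing (or empty)
# or at least $2 hours old; print nothing when all three are fresh.
stale_sources() {
    now=$(date +%s)
    for name in nvd uct linux; do
        ts=$(last_update_epoch "$1/$name")
        if [ -z "$ts" ]; then
            echo "$name missing"
        elif [ $(( (now - ts) / 3600 )) -ge "$2" ]; then
            echo "$name stale ($(( (now - ts) / 3600 ))h)"
        fi
    done
}

# Refresh only what needs it, using the datasources-update subcommands above.
# Call this before a scan; it is not run automatically by this script.
refresh_stale() {
    stale_sources "$1" "$2" | while read -r name reason; do
        echo "updating $name: $reason" >&2
        cvescan datasources-update "$name" </dev/null
    done
}

# Report only; an empty report means all three sources are within the threshold.
stale_sources "$CVESCAN_DATA" "$MAX_AGE_HOURS"
```

When a fixed frame of reference is needed for comparing reports, run only the report and record its output alongside the scan results instead of calling refresh_stale.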