ComplianceAsCode/cvetool
CVE Tool

A Claircore-based CVE manager (see also clair-action).

Build

Install Go development tools and libraries (golang) and GNU make. Run

$ make build

to build the CLI tool.

Run

Update (or Initialize) the Database

Before the tool can be used for CVE analysis and report generation, the CVE database must be initialized and filled with CVE records.

Run

$ ./cvetool update

to create or update the DB (SQLite).

The --db-path argument is the path to the database location.

Note

If the parameter is omitted, the tool creates a per-user database at ~/.local/share/cvetool/matcher.db.

The initial update can take up to 30 minutes. Subsequent incremental updates are significantly faster.

Scan Local System

Run

$ ./cvetool scan --root-path=/

to scan the underlying system and generate a vulnerability report.

The --root-path argument defines the root directory of the target file system.

Caution

Currently the tool fails if any file cannot be accessed (#9), so at this moment it is not possible to get a report for the local system.

Scan a Container Image

Run

$ ./cvetool scan --image-path=./rhel-10-ubi.tar

to scan a .tar image archive in the format written by podman/docker image save and generate a vulnerability report.

Scan a Remote Container Image

Run

$ ./cvetool scan --image-ref=registry.access.redhat.com/ubi10/ubi

to pull an image from a registry, scan it and generate a vulnerability report.

Scan a Virtual Machine Image

The tool does not directly support indexing VM images, but it can scan a mounted file system, e.g. one mounted read-only with guestmount.

Run

$ mkdir -p ./rhel10-vm
$ guestmount -a ~/.local/share/gnome-boxes/images/rhel10.0 -i --ro ./rhel10-vm
$ ./cvetool scan --root-path=./rhel10-vm --db-path=./matcher.db

to mount the file system read-only, scan it and generate a vulnerability report.

Report Formats

The default report format is plain, which presents basic information about the vulnerabilities found in a human-readable form. It can be changed with the --format argument; the other options are 'clair', 'quay' and 'sarif'.
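As an added example that is not part of cvetool, the following Python script consumes a sarif report (e.g. ./cvetool scan ... --format=sarif > report.sarif), counts findings by SARIF level and returns a non-zero status for CI gating. It assumes only the generic SARIF 2.1.0 layout (runs[].results[] with ruleId, level and message.text); how cvetool fills those fields, e.g. whether ruleId is the CVE id, is an assumption, and the sample report is constructed.

```python
"""Summarize a SARIF vulnerability report and gate on severity."""
import json
import sys
from collections import Counter

# Constructed sample in SARIF 2.1.0 shape; not real cvetool output.
# The CVE-0000-* ids are placeholders, not real CVE numbers.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "cvetool"}},
        "results": [
            {"ruleId": "CVE-0000-0001", "level": "error",
             "message": {"text": "openssl: placeholder finding"}},
            {"ruleId": "CVE-0000-0002", "level": "warning",
             "message": {"text": "glibc: placeholder finding"}},
            {"ruleId": "CVE-0000-0001", "level": "error",
             "message": {"text": "openssl-libs: placeholder finding"}},
        ],
    }],
})

# SARIF result levels, ordered from least to most severe.
SEVERITY_ORDER = {"none": 0, "note": 1, "warning": 2, "error": 3}


def summarize(sarif_text):
    """Return (Counter of findings by level, sorted unique rule ids)."""
    doc = json.loads(sarif_text)
    levels = Counter()
    rule_ids = set()
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            # SARIF defines "warning" as the default when level is omitted.
            levels[result.get("level", "warning")] += 1
            rule_ids.add(result.get("ruleId", "<no-rule>"))
    return levels, sorted(rule_ids)


def exceeds_threshold(counts, fail_on="error"):
    """True if any finding is at or above the given SARIF level."""
    threshold = SEVERITY_ORDER[fail_on]
    return any(SEVERITY_ORDER.get(lvl, 0) >= threshold and n > 0
               for lvl, n in counts.items())


if __name__ == "__main__":
    # Usage: python summarize_sarif.py < report.sarif
    counts, rules = summarize(sys.stdin.read())
    print(dict(counts), rules)
    sys.exit(1 if exceeds_threshold(counts) else 0)
```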

Help

Run the tool with the --help argument for detailed information about invocation options.

About

Next Gen CVE scanning for Fedora-based distros.