VERA is a versatile and scalable tool to find CVEs, made to filter, sort and analyse CVE reports. Powered by:
- Grype
- CVE Binary Tool (CBT)
- Vanir
- Yocto's built-in cve-check feature
- CVE List V5
- Dask
- pip-audit
- Docker SDK

- Filter and sort reports (Grype, CBT, Vanir, cve-check)
- Offline resolution of scores and indicators
- Aggregate different reports (e.g. Vanir + CBT)
- Fast check for CVE presence
The built-in CVE scanner can rely on assumptions. You can configure the confidence via -s/--strict and the variable IMPERFECT_MATCH_VERSION_MARGIN.
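As an added illustration (not VERA's own code), the snippet below models how a strict flag and a version margin trade recall for precision when deciding whether a detected package version falls inside an advisory's affected range. The matching rule, the default margin value and the advisory record are all assumptions made for this example.

```python
# Added example, not VERA's own code. The rule below is an assumption for
# illustration: an "imperfect" match treats a package as possibly affected when
# a version within MARGIN patch levels of the detected one is in the affected range.
IMPERFECT_MATCH_VERSION_MARGIN = 2  # default value assumed for this example

# Constructed advisory record; the id is a placeholder, not a real CVE.
ADVISORY = {"id": "CVE-EXAMPLE-0001", "package": "openssl",
            "introduced": "1.1.1", "fixed": "1.1.5"}

def parse_version(v: str) -> tuple:
    """'1.1.1' -> (1, 1, 1); non-numeric pieces are dropped to keep it simple."""
    return tuple(int(p) for p in v.split(".") if p.isdigit()) or (0,)

def in_range(version: tuple, introduced: tuple, fixed) -> bool:
    """Affected if introduced <= version < fixed; fixed=None means unfixed."""
    return version >= introduced and (fixed is None or version < fixed)

def neighbours(version: tuple, margin: int) -> list:
    """Versions whose last component differs from `version` by at most `margin`."""
    *head, last = version
    return [tuple(head) + (last + d,) for d in range(-margin, margin + 1)
            if last + d >= 0]

def match_cve(detected: str, advisory: dict, strict: bool = False,
              margin: int = IMPERFECT_MATCH_VERSION_MARGIN) -> str:
    """Return 'exact', 'imperfect' or 'none' for one version against one advisory."""
    v = parse_version(detected)
    intro = parse_version(advisory["introduced"])
    fixed = parse_version(advisory["fixed"]) if advisory.get("fixed") else None
    if in_range(v, intro, fixed):
        return "exact"
    # Strict mode (-s/--strict) keeps only exact hits; otherwise a version
    # within the margin that is affected yields a lower-confidence match.
    if not strict and any(in_range(n, intro, fixed) for n in neighbours(v, margin)):
        return "imperfect"
    return "none"

def scan(packages: dict, advisories: list, strict: bool = False) -> dict:
    """Map advisory id -> confidence for every detected package that matches."""
    hits = {}
    for adv in advisories:
        detected = packages.get(adv["package"])
        if detected is None:
            continue
        confidence = match_cve(detected, adv, strict)
        if confidence != "none":
            hits[adv["id"]] = confidence
    return hits
```

With a detected openssl 1.1.6 and the constructed advisory, the default run reports an imperfect match while strict mode reports nothing.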
- Python 3.9+
- Docker
```bash
git clone --depth 1 --recurse-submodules -j8 https://github.com/EternalDreamer01/cve-checker.git
pip install -r requirements.txt

# Install Grype
curl -sSfL https://get.anchore.io/grype | sudo sh -s -- -b /usr/local/bin

# Download Android vulnerabilities (gsutil cp needs a destination, here the current directory)
gsutil cp gs://osv-vulnerabilities/Android/all.zip . && mv all.zip android.zip
# OR
wget -O android.zip https://storage.googleapis.com/osv-vulnerabilities/Android/all.zip

# Optional autocompletion
## Bash
echo "source $PWD/src/autocompletion.sh" >> ~/.bashrc
## ZSH
echo "source $PWD/src/autocompletion.sh" >> ~/.zshrc
```

You may pull and build tested Docker images using the command:

```bash
docker compose up --build
```

```bash
# Built-in scanner - Docker
./main.py -d ubuntu:22.04 ubuntu:20.04 ...
# External scanner - Docker
./scan.sh grype ubuntu:22.04 ubuntu:20.04 ...
# External scanner - Android device/emulator
./scan.sh cbt
```

```bash
./import-image.sh <path-to-image> <image-name>
```

Note: requires the user to be in the sudo group.
The result is saved in the file out/os/[OS]/[VERSION]/[STATE].[SCANNER].json. You may inspect the result using:
```bash
./parse.sh inspect android/32/raw.vanir.json # Overview
./parse.sh inspect android/32/raw.vanir.json -A # Complete list
./parse.sh inspect android/32 # Default to Vanir (same as above)
./parse.sh inspect android/32 --cbt # Vanir + CBT
./parse.sh inspect android/32 --exploit # Potential online exploits (can take a few minutes)
./parse.sh inspect android/32 --filter-out=dos,stdlib # Exclude DoS (attack type) and stdlib (product)
./parse.sh inspect android/32 --sort=epss # Sort by EPSS
./parse.sh inspect --help # Show help
```

Show all results in a table:

```bash
./parse.sh table
```

Show information on one CVE:
```bash
./parse.sh cve CVE-2022-35737 help # Show help
./parse.sh cve CVE-2022-35737 # MITRE format full JSON data
./parse.sh cve CVE-2022-35737 .containers # MITRE format JSON path
./parse.sh cve CVE-2022-35737 description # Description
./parse.sh cve CVE-2022-35737 score # Scores CVSS, EPSS
./parse.sh cve CVE-2022-35737 exploit # Search online exploits or PoC
./parse.sh cve ASB-A-266433089 # Android format support
./parse.sh ASB-A-266433089 # Autodetect CVE argument
```

Check whether a function is used by some scripts or binaries/libraries:

```bash
./analyse.sh function IMAGE FUNC [DIR]
# e.g.
./analyse.sh function ubuntu:20.04 EVP_PKEY_decrypt
```

Note: checks static linking only. It does not detect dynamically loaded or copied code.
Check whether a CVE appears in the changelog of a particular package:

```bash
./analyse.sh changelog IMAGE PKG CVE...
# e.g.
./analyse.sh changelog ubuntu:20.04 openssl CVE-2024-2511
```

- Parse and display prerequisites on inspect: SELinux, symbol
- Add PoC/potential exploit based on the string "PoC" in GitHub/GitLab issues from references
- Frameworks to test:
  - CUDA 11.4, 11.8, 12.4, latest
  - TensorRT: https://hub.docker.com/r/openeuler/tensorrt
  - OpenVINO: https://hub.docker.com/r/openvino/ubuntu24_runtime
  - OpenCV: https://hub.docker.com/r/gocv/opencv