Automated indication if there are CVEs related to a package

Regarding the issue openwrt/packages#6584 on GitHub, in particular the comment by luizluca, there is a wish to have a tool that automatically indicates whether there are CVEs related to an OpenWrt package.
During my bachelor thesis I wrote the tool cve-indicator (https://github.com/kkreitmair/cve-indicator) to find CVEs related to a package.
The tool reads all CPE-IDs in the manifest files after building the packages. Then it makes API calls to a CVE database, retrieves the CVEs related to each CPE-ID and merges the results into a report.
The tool can be integrated into the buildsystem, and with some improvements it can be extended to connect, for example, to GitHub and open an issue.
@diizzy @luizluca

3 Likes
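The pipeline described in the post (read CPE-IDs from the build manifest, query a CVE source per CPE-ID, merge the hits into one report) is shown below as an added example; it is not code from cve-indicator or from the OpenWrt project. It assumes a `Packages.manifest`-style input with `Package:`, `Version:` and `CPE-ID:` fields, strips the OpenWrt release suffix (`1.2.3-1` becomes `1.2.3`) to get the upstream version, and replaces the CVE database API with a constructed in-memory table using placeholder CVE ids, so it runs offline. The `lookup` callable is the seam where a real API client would be plugged in.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample Packages.manifest excerpt (not a real build artifact).
# Note the second package has no CPE-ID: a CPE-based scan cannot cover it.
SAMPLE_MANIFEST = """\
Package: examplelib
Version: 1.2.3-1
Depends: libc
CPE-ID: cpe:/a:example:examplelib

Package: notag
Version: 0.9-2
Depends: libc

Package: sometool
Version: 4.0.1-1
CPE-ID: cpe:/a:vendor:sometool
"""

# Constructed CVE data standing in for an API response (placeholder ids).
# Keyed by (vendor, product); each hit is (cve_id, versionEndExcluding).
FAKE_CVE_DB: Dict[Tuple[str, str], List[Tuple[str, str]]] = {
    ("example", "examplelib"): [("CVE-0000-0001", "1.2.4"),
                                ("CVE-0000-0002", "1.1.0")],
    ("vendor", "sometool"): [("CVE-0000-0003", "4.0.0")],
}


def parse_manifest(text: str) -> List[Dict[str, str]]:
    """Split a Packages.manifest-style file into one field dict per package."""
    packages = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in stanza.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "Package" in fields:
            packages.append(fields)
    return packages


def upstream_version(openwrt_version: str) -> str:
    """Drop the package release suffix: '1.2.3-1' -> '1.2.3' (assumed convention)."""
    return openwrt_version.rsplit("-", 1)[0]


def version_key(version: str) -> Tuple[int, ...]:
    """Naive numeric comparison key; real NVD ranges need a fuller version parser."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def cpe_parts(cpe22: str) -> Optional[Tuple[str, str]]:
    """Extract (vendor, product) from a CPE 2.2 URI such as cpe:/a:vendor:product."""
    match = re.match(r"^cpe:/[aho]:([^:]+):([^:]+)", cpe22)
    return (match.group(1), match.group(2)) if match else None


def lookup_fake(vendor: str, product: str) -> List[Tuple[str, str]]:
    """Stand-in for the CVE database API call."""
    return FAKE_CVE_DB.get((vendor, product), [])


def build_report(manifest_text: str,
                 lookup: Callable[[str, str], List[Tuple[str, str]]] = lookup_fake
                 ) -> Dict[str, Dict[str, object]]:
    """Merge per-package CVE hits into a single report keyed by package name."""
    report: Dict[str, Dict[str, object]] = {}
    for pkg in parse_manifest(manifest_text):
        version = upstream_version(pkg.get("Version", ""))
        entry: Dict[str, object] = {"version": version, "cpe": pkg.get("CPE-ID"),
                                    "cves": [], "note": ""}
        parts = cpe_parts(str(entry["cpe"])) if entry["cpe"] else None
        if parts is None:
            # Silent gap: packages without a CPE-ID are never checked, so flag them.
            entry["note"] = "no CPE-ID: not covered by the CVE lookup"
        else:
            for cve_id, end_excluding in lookup(*parts):
                if version_key(version) < version_key(end_excluding):
                    entry["cves"].append(cve_id)  # type: ignore[union-attr]
        report[pkg["Package"]] = entry
    return report


if __name__ == "__main__":
    for name, entry in build_report(SAMPLE_MANIFEST).items():
        print(name, entry)
```

The report also lists packages that carry no `CPE-ID` at all, since a CPE-driven scan is only as complete as the CPE tagging of the package Makefiles; a buildsystem integration should treat those entries as "unknown" rather than "clean".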