Vulnerability scanning

I'd like to develop a tool for checking OpenWrt devices for vulnerabilities, so that I can reduce the maintenance burden and only update when necessary.

Before I go further, is anyone else interested in this? If you could reply to let me know, that would be great.

The main hurdle is where to get the security data from. I see two things available: cvechecker and the advisory page on the wiki. The CVE checker tool looks like it will give a lot of false positives, so I would much prefer to base this tool on more curated data. Is there any parseable version of the OpenWrt advisories page, or is it just free-form text data? Are there any other sources of security info that I can use?


You can check https://sdwalker.github.io/uscan/index.html which is updated with upstream changes.


Thanks for your input, but this is what I was referring to with cvechecker. The uscan page is using cvechecker under the hood. I will likely integrate with cvechecker directly.
