
Thread: all CVE status/affected in one list?

  1. #1
    Join Date
    Oct 2019

    all CVE status/affected in one list?

    Is there a way to get the full details on the status of all known CVEs, and which package versions remedy them (if available), in a single machine-parsable list?
    Basically I'm looking for the equivalent of Debian's "" but for Ubuntu.

    The only way I know of getting this mapping for Ubuntu right now is to iterate over all the "" pages, one per CVE, and then scrape the data from each page. However, this is cumbersome, error-prone, slow, needs thousands of calls, and as of recently apparently will block/throttle me if I retrieve them at less than 15-second intervals.

  2. #2
    Join Date
    Jan 2009
    Ubuntu Development Release

    Re: all CVE status/affected in one list?

    The HTML CVE tracker is generated by, and from, the data contained in the Ubuntu CVE Tracker git repo at

    Contained within this repo are the details of each CVE, in separate files called CVE-yyyy-nnnn - these are in various subdirectories - 'active' for CVEs which are open, 'retired' for CVEs which have been addressed, and 'ignored' for CVEs which do not apply to Ubuntu etc.

    There are then a bunch of scripts in the 'scripts' subdirectory to parse and output details from the CVE files. Some simple scripts to output the status of CVEs for a particular package are 'scripts/pkg_status' and 'scripts/pkg_history' - for each, provide a source package name; the first will output pending CVEs whilst the second will output addressed CVEs for the package.

    Finally, perhaps the best resource to use is the OVAL output at - this can be parsed by various tools like openscap etc (this is also generated from the UCT git repo by the scripts/generate-oval script if you want to look into the gritty details).
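
An added example, not part of the thread or of the tracker's own scripts: a minimal parser that flattens the per-CVE files in the 'active', 'retired' and 'ignored' subdirectories of a local checkout into one CSV. It assumes status lines of the form `release_package: status (version or note)`; the sample content, CVE id and package name are constructed placeholders, and the function names are illustrative.

```python
import csv
import re
import sys
from pathlib import Path

# ASSUMPTION: per-release status lines in a CVE file look like
#   <release>_<source-package>: <status> (<version or note>)
STATUS_RE = re.compile(r"^([a-z][a-z0-9/-]*)_([^\s:]+):\s*(\S+)(?:\s+\((.*)\))?\s*$")
SUBDIRS = ("active", "retired", "ignored")  # directory names given in the reply

def parse_cve_text(cve_id, text):
    """Return (cve, release, package, status, note) tuples for one CVE file."""
    rows = []
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:  # header fields (Candidate:, Patches_x:) do not match the pattern
            release, package, status, note = m.groups()
            rows.append((cve_id, release, package, status, note or ""))
    return rows

def collect(repo_root):
    """Walk a local checkout; return (subdir, cve, release, package, status, note)."""
    rows = []
    for sub in SUBDIRS:
        base = Path(repo_root, sub)
        for path in (sorted(base.glob("CVE-*")) if base.is_dir() else []):
            if path.is_file():
                text = path.read_text(encoding="utf-8", errors="replace")
                rows += [(sub,) + r for r in parse_cve_text(path.name, text)]
    return rows

def write_csv(rows, out):
    writer = csv.writer(out)
    writer.writerow(["dir", "cve", "release", "package", "status", "note"])
    writer.writerows(rows)

# Constructed sample file content (placeholder CVE id, package and versions).
SAMPLE = """\
Candidate: CVE-0000-0001
Patches_examplepkg:
upstream_examplepkg: released (1.2.3)
bionic_examplepkg: released (1.2.0-1ubuntu0.1)
focal_examplepkg: needed
trusty/esm_examplepkg: not-affected (code not present)
"""

if __name__ == "__main__":
    demo = [("sample",) + r for r in parse_cve_text("CVE-0000-0001", SAMPLE)]
    write_csv(collect(sys.argv[1]) if len(sys.argv) > 1 else demo, sys.stdout)
```

Run it with the path to a local clone of the repo as the only argument to get the CSV on stdout; with no argument it prints the rows parsed from the constructed sample.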

