Linux Kernel vulnerability scripting

Weber, Matthew L Collins Matthew.Weber at
Tue Aug 3 20:07:56 UTC 2021


(I didn't want to spam the whole LKML, so I've included the LSM list and top hits with on the scripts and tools folders.)

I'm organizing a project to take some prototype scripting and publicly publish/rewrite.  The script I'd like to add to the kernel code base breaks down a kernel build and identifies the active code (using enabled Kconfig and obj file list).  It then uses the kernel version and queries a public vulnerability database(NIST NVD) to identify possible patches against known vulnerabilities.  The script then attempts to patch the source code to determine which vulnerabilities are still present in the codebase.  The end goal is to help the user understand the state of the active codebase, whereas most tools stop at the kernel version, and then the activity is all manual.  For an example of what the scripting impact could improve, a recent Kernel 4.14.x dump of vulnerabilities had hundreds that needed to be paired down.  Our estimate before tooling put the effort at about 10-15mins a CVE (determine active code, review code paths in suggested patches).  

Is this something that fits within your understanding of the "scripts or tools" included in the kernel codebase?  If so, do scripting-related patches primarily hit the LKML or via subsystem lists related to the topic (I.e., then staging branches via the subsystem for merge).

Thank you for any suggestions of which mailing lists, subsystems, or maintainers I should include on the topic. 

Matthew Weber | Associate Director Software Engineer | Commercial Avionics   (Focused in Open Source products and Cybersecurity)
400 Collins Road NE, Cedar Rapids, Iowa 52498, USA
Tel: +1 319 295 7349 | FAX: +1 319 263 6099 at 

More information about the Linux-security-module-archive mailing list