Conversation
Edited 3 months ago

I wanted to know simple daily Linux kernel CVE statistics just for fun, so wrote a script[1] and plotted the output.

$ ./vulns_stat.sh ./vulns/ 30 | ../gnuplot/plot.py --data_fmt table --type labeled-lines --xtics_rotate -90 cve_stat_30_days.png

[1] https://github.com/sjp38/lazybox/blob/master/cve_stat/vulns_stat.sh

#linux #kernel #cve #stat

3
8
13

@sj I can see it hasn't slowed down any! :)

1
0
1

@sj wow. so, that's 450 security bugs in one month? 😳 😳 😳 😳 . can you confirm pls? what kernel?

1
0
0
@Issa I cannot confirm since my script may have bugs ;) What the script argues is that about 450 (exact number is 440) security bugs for upstream-supporting Linux kernels are identified and got their official identifiers (CVE) within last 30 days.
2
0
0
@Issa For more context, I believe this great LWN article could be very helpful: https://lwn.net/Articles/961978/
0
0
0
@authentic_sammj I have no opinion but only a humble script :)
0
0
1

@sj am really shocked with no of bugs. linux is still far from being secure. but patching such high number is good & inevitable . what was the kernel that you scanned?

1
0
0
@Issa I didn't scan any kernel. Instead, I scanned others' kernel scan results :) You could use the source of the script for detail.
0
0
1

@sj this is why stopped tagging scores in Feb?

1
0
0
@spmatich IIRC, the Linux CNA team mentioned they will not give CVSS to new CVEs. I guess that's the reason. I don't find the link, though.
1
1
0

@sj @spmatich I don’t know if this *the* link, but it’s a link from synopsys a security product vendor. The post specifically links kernel CVE changes to NVD changes. So it seems at least some vendors have the position that the two events, Linux kernel having its own CNA team, and NVD stopped tagging CVSS, are correlated somehow

https://community.synopsys.com/s/question/0D5Uh000007i8czKAA/black-duck-nvd-and-linux-kernel-cve-process

0
0
1