Video: https://www.youtube.com/watch?v=jIDnVeZNUA8
CVEHound is a tool for checking Linux kernel sources for missing CVE fixes. The usual ways to track CVE fixes are vendor security announcements and the git history of a particular kernel tree. However, many vendors ship sources as tarballs without development history and do not publish enough information about security fixes, so such releases cannot be checked automatically and have to be inspected by hand.

CVEHound examines only C source code. Internally, the tool uses semantic patches (Coccinelle patterns) to find missing backports of CVE fixes. This makes the tool agnostic to the kernel version: a missing fix is detected anywhere in the half-open interval that starts at the first commit introducing the bug and ends at the fix or backport patch. Because the approach is source-based, it can also detect partial, broken, or missing backports of security fixes.

The talk is a tool presentation, with the corresponding approach, that may interest kernel developers maintaining kernel trees, certification labs doing compliance checking, system administrators, and penetration testers performing security audits.
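To make the source-based idea concrete, here is an added illustration in Python. It is not CVEHound's code and not a real rule: CVEHound drives Coccinelle semantic patches (SmPL) over a kernel tree, whereas this toy uses plain regexes to stand in for a "bug shape" and a "fix shape". The code shapes (a copy_from_user() into a fixed buffer, guarded by a length check), the sample sources and the placeholder CVE label are all constructed for the example. What it shows is the decision logic the abstract describes: the verdict depends only on what the code looks like, not on a version string, and a file where only some call sites carry the guard is reported as a partial backport rather than as fixed.

```python
"""Toy source-based check for a missing security fix (constructed illustration).

This is NOT CVEHound's code. CVEHound drives Coccinelle semantic patches
(SmPL) over a kernel tree; here plain regexes stand in for the 'bug shape'
and the 'fix shape' so the decision logic runs stand-alone. The code shapes,
file contents and the CVE label below are all constructed for this example.
"""
import re

# Hypothetical rule: a copy_from_user() into a fixed-size stack buffer whose
# length comes from the caller (bug shape), which the fix guards with an
# explicit length check (fix shape). Placeholder id, not a real CVE.
RULE_ID = "CVE-XXXX-YYYY (placeholder)"

# Bug shape: copy_from_user(<buf>, <src>, <len>); captures buffer and length names.
BUG_SITE = re.compile(r"copy_from_user\(\s*(\w+)\s*,\s*\w+\s*,\s*(\w+)\s*\)")


def fix_guard(buf: str, length: str) -> re.Pattern:
    """Fix shape: 'if (<len> > sizeof(<buf>))' for the names captured at a bug site."""
    return re.compile(
        rf"if\s*\(\s*{re.escape(length)}\s*>\s*sizeof\(\s*{re.escape(buf)}\s*\)\s*\)"
    )


def check_fix(source: str, window: int = 3) -> dict:
    """Classify one C source file against the rule.

    The verdict depends only on code shape, never on a version string, which
    is what makes this style of check kernel-version agnostic:
      not-affected : no bug-shaped site at all
      fixed        : every bug-shaped site has the guard within `window` lines above
      partial      : some sites guarded, some not (broken/incomplete backport)
      missing      : bug-shaped sites present, none guarded
    """
    lines = source.splitlines()
    sites = []
    for idx, line in enumerate(lines):
        m = BUG_SITE.search(line)
        if not m:
            continue
        buf, length = m.group(1), m.group(2)
        guard = fix_guard(buf, length)
        preceding = lines[max(0, idx - window):idx]
        guarded = any(guard.search(prev) for prev in preceding)
        sites.append({"line": idx + 1, "guarded": guarded})

    if not sites:
        status = "not-affected"
    elif all(s["guarded"] for s in sites):
        status = "fixed"
    elif any(s["guarded"] for s in sites):
        status = "partial"
    else:
        status = "missing"
    return {"rule": RULE_ID, "status": status, "sites": sites}


# Constructed sample sources (kernel-flavoured, not real kernel code).
VULNERABLE = """\
static int dev_ioctl(void __user *arg, size_t len)
{
    char buf[64];
    if (copy_from_user(buf, arg, len))
        return -EFAULT;
    return handle(buf);
}
"""

FIXED = """\
static int dev_ioctl(void __user *arg, size_t len)
{
    char buf[64];
    if (len > sizeof(buf))
        return -EINVAL;
    if (copy_from_user(buf, arg, len))
        return -EFAULT;
    return handle(buf);
}
"""

# The fix touched two functions, but the backport only carried the first one.
PARTIAL_BACKPORT = FIXED + """
static ssize_t dev_write(const char __user *ubuf, size_t count)
{
    char cmd[32];
    if (copy_from_user(cmd, ubuf, count))
        return -EFAULT;
    return run(cmd);
}
"""

UNRELATED = """\
static int dev_open(struct inode *inode, struct file *file)
{
    return 0;
}
"""

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE), ("fixed", FIXED),
                      ("partial backport", PARTIAL_BACKPORT), ("unrelated", UNRELATED)]:
        print(f"{name:17s} -> {check_fix(src)['status']}")
```

Running the block prints one verdict per sample; the partial case lists both call sites so a maintainer can see which one the backport missed. A real semantic patch matches on the C abstract syntax rather than on text, so it survives reindentation, renamed variables and reordered statements that this regex stand-in would not.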