Please note that daysofrisk.pl is deprecated in favor of new security data formats and solutions. You can read more about these in The future of Red Hat security data.
As a Technical Account Manager (TAM) one of the best parts of the job is the regular contact with our customers, talking to them frequently and helping them solve interesting problems.
One of our customers came to me with an interesting challenge. The team creates a new Gold Image every month and they wanted to provide release notes for the image, automatically generating a list of CVEs that had been fixed in this version of the image.
Red Hat publishes release notes for new product versions which include details of CVEs and RHSAs that have been fixed in a release, such as the recently released Red Hat Enterprise Linux 8.6.
The problem with the release notes is that they only cover a specific point of time, and Red Hat releases fixes much more frequently. So, how do we get the information on what has been released between two dates? How can we find out what CVEs have been fixed and what RHSAs have been released between the last time you published an image and now?
This is where daysofrisk.pl comes in.
In this blog, we explore the use of the daysofrisk.pl script provided on the Red Hat Security Data page and show you how you can use it to return a list of CVEs and RHSAs included in a particular Red Hat Product between two specified dates.
Getting started with daysofrisk.pl
The daysofrisk.pl script requires three other .txt files that are published on the same page. We will create a directory to hold the script and the required files, use wget to download them from the Red Hat site, and set the permissions on the script.
mkdir security_review
cd security_review
wget https://www.redhat.com/security/data/metrics/release_dates.txt https://www.redhat.com/security/data/metrics/rhsamapcpe.txt https://www.redhat.com/security/data/metrics/cve_dates.txt https://www.redhat.com/security/data/metrics/daysofrisk.pl
chmod 700 daysofrisk.pl
Now that you have the script and its required working files, we can explore everything that's possible by running:
./daysofrisk.pl --help
This will provide us with a long list of available options.
usage: daysofrisk.pl [OPTIONS]
  --cpe <product/package to generate stats for>
        [examples: --cpe all --cpe enterprise_linux --cpe enterprise_linux:3 --cpe enterprise_linux:5::client/firefox --cpe /httpd ]
  --cpeexclude [product/package to exclude from stats]
  --severity <all|C|I|M|L|CI|CIM|IL...>
        [filter severity, 'C'ritical 'I'mportant 'M'oderate 'L'ow]
  --cvss <range>
        [filter on CVSSv2 base score, example '6.8'|'0-5'|'8-10'|'high'|...]
  --cvss3 <range>
        [filter on CVSSv3 base score, example '6.8'|'0.1-5'|'high'|'critical'|...]
  --dates [<YYYYMMDD>]-[<YYYYMMDD>]
        [date range, default is 'all', example '20090101-'|'20080203-20080303']
  --datestart [<YYYYMMDD>] [start date, example '20090101']
  --dateend [<YYYYMMDD>] [end date, example '20100101']
  --xmlsummary <filename> [output the XML summary to this file, default summary.xml]
  --csv [append results as a comma-separated list]
  --quiet | verbose [set verbosity level]
  --help [show this help]
What has been updated between two dates?
Let’s say we wanted to find all the CVEs and RHSAs released between (in this example) April 1st and April 30th, 2022 for Red Hat Enterprise Linux 8. We can do this with the following command:
./daysofrisk.pl --cpe enterprise_linux:8 --datestart 20220401 --dateend 20220430 --xmlsummary rhel-8-report.xml
This command will only take a few seconds to complete and will output a summary of the data:
** Product: Red Hat Enterprise Linux 8 (all packages)
** CPE: redhat:enterprise_linux:8
** Severity: Critical Important Moderate Low
** Dates: 20220401 - 20220430 (30 days)
** 17 advisories (I=11 L=1 M=5 )
** 35 vulnerabilities (I=10 L=7 M=18 )
** Advisory Workload index is 0.40
** Vulnerability Workload index is 0.46
** Average is 127 days
** Median is 19 days
** 0% were 0day
** 17% were within 1 day
** 45% were within 7 days
** 45% were within 14 days
** 60% were within 31 days
** 71% were within 90 days
For our use case, what we are more interested in is the generated rhel-8-report.xml. Below is a small snippet of the information contained in the summary XML file:
<item>
  <cve>CVE-2022-28286</cve>
  <severity>L</severity>
  <source>relationship</source>
  <reportedon>20220405</reportedon>
  <cvss3>4.3</cvss3>
  <fixedby>RHSA-2022:1301</fixedby>
  <fixedby>RHSA-2022:1287</fixedby>
  <fixedon>20220408</fixedon>
  <publicon>20220405</publicon>
  <daysdiff>3</daysdiff>
</item>
The complete file lists every CVE which was fixed between the specified dates, as well as the associated RHSA which fixed it and the date it was fixed for the specified product.
Summary
Here we have covered the basics of the daysofrisk.pl script provided on the Red Hat Security Data page, including how you can use it to return a list of CVEs and RHSAs included in a Red Hat Product between two dates.
If you would like to take this a bit further, it would be possible to use a bash script to automate the download of the required .txt files to ensure each run has up to date data. It would also be possible to enhance the report by using the Red Hat Security Data API to pull in descriptions and titles, rather than just giving us the CVE and RHSA numbers, but that is outside the scope of this article.
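The automation the Summary suggests (refreshing the data files on every run) and the reduction of the XML summary into release-note lines, as an added example that is not part of the original post and not Red Hat's own code. It assumes the four download URLs from the post, the tag names shown in the XML snippet above, and a daysofrisk.pl in the current directory; the function names and the sample XML are constructed for illustration, with the second item using placeholder identifiers.

```shell
#!/bin/sh
# Added example, not part of the original post or of Red Hat's daysofrisk.pl.
# Automates the workflow from the post: refresh the four data files, run the
# report for a CPE and date range, and reduce the XML summary to one
# release-notes line per CVE. Function names and the sample XML are ours.

DATA_URL=https://www.redhat.com/security/data/metrics   # URL from the post

# Re-download the script and its three .txt files so each run uses current
# data (wget -N only fetches files newer than the local copy). Needs network.
refresh_data() {
    for f in release_dates.txt rhsamapcpe.txt cve_dates.txt daysofrisk.pl; do
        wget -q -N "$DATA_URL/$f" || return 1
    done
    chmod 700 daysofrisk.pl
}

# Run daysofrisk.pl for CPE $1 between $2 and $3 (YYYYMMDD), XML summary to $4.
run_report() {
    ./daysofrisk.pl --cpe "$1" --datestart "$2" --dateend "$3" \
        --xmlsummary "$4" --quiet
}

# Reduce the summary XML to "CVE<TAB>severity<TAB>fixed-on<TAB>RHSA[,RHSA...]"
# lines sorted by CVE. Only the tags shown in the post are read; a CVE fixed by
# several advisories gets all of them. The sed pass puts every tag on its own
# line first, so it does not matter how the file is wrapped.
summarize_report() {
    sed 's/>[[:space:]]*</>\
</g' "$1" | awk '
        /<item>/     { cve = ""; sev = ""; fixed = ""; rhsa = "" }
        /<cve>/      { cve = $0;   sub(/.*<cve>/, "", cve);       sub(/<\/cve>.*/, "", cve) }
        /<severity>/ { sev = $0;   sub(/.*<severity>/, "", sev);  sub(/<\/severity>.*/, "", sev) }
        /<fixedon>/  { fixed = $0; sub(/.*<fixedon>/, "", fixed); sub(/<\/fixedon>.*/, "", fixed) }
        /<fixedby>/  { r = $0; sub(/.*<fixedby>/, "", r); sub(/<\/fixedby>.*/, "", r)
                       rhsa = (rhsa == "") ? r : rhsa "," r }
        /<\/item>/   { if (cve != "") printf "%s\t%s\t%s\t%s\n", cve, sev, fixed, rhsa }
    ' | sort
}

# Constructed sample in the shape of the snippet in the post: the first item is
# the CVE shown there, the second uses placeholder identifiers and is written
# on one line to show that wrapping does not matter.
sample_report() {
    cat <<'EOF'
<summary>
<item>
<cve>CVE-2022-28286</cve>
<severity>L</severity>
<source>relationship</source>
<reportedon>20220405</reportedon>
<cvss3>4.3</cvss3>
<fixedby>RHSA-2022:1301</fixedby>
<fixedby>RHSA-2022:1287</fixedby>
<fixedon>20220408</fixedon>
<publicon>20220405</publicon>
<daysdiff>3</daysdiff>
</item>
<item><cve>CVE-0000-0001</cve><severity>M</severity><fixedby>RHSA-0000:0001</fixedby><fixedon>20220420</fixedon></item>
</summary>
EOF
}

# Full run (network required): sh release_notes.sh --run
if [ "${1:-}" = "--run" ]; then
    refresh_data || exit 1
    run_report enterprise_linux:8 20220401 20220430 rhel-8-report.xml
    summarize_report rhel-8-report.xml
fi
```

Sourcing the file and running `sample_report > sample.xml; summarize_report sample.xml` prints two tab-separated lines, the CVE from the post with both of its advisories joined by a comma and the placeholder item; with `--run` the same function is applied to a freshly generated rhel-8-report.xml. The sed/awk pair is deliberately kept to POSIX tools so it works on a minimal image without an XML library; if the report ever carries nested or attribute-bearing tags, switch to a real XML parser rather than extending the patterns.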
About the author
Working in production technical support for 10 years prior, I joined Red Hat in 2021 as a Technical Account Manager. I have a passion for automation and reporting, and I live in Scotland, UK with my wife Sara and dog Radar.