Much of this can be found in ubuntu-cve/README.

  1. Install the necessary software:

    $ sudo apt-get install python-configobj python-yaml python-genshi python-progressbar git rsync libfile-rsyncp-perl w3m
  2. Download the ubuntu-cve-tracker branch:

    $ mkdir ~/bzr-pulls
    $ cd ~/bzr-pulls
    $ bzr checkout lp:ubuntu-cve-tracker
    $ bzr checkout lp:usn-tool
  3. Add the UCT environment variable to your startup scripts (eg ~/.bashrc) and have it point to the ubuntu-cve-tracker branch:

    export UCT="$HOME/bzr-pulls/ubuntu-cve-tracker"
  4. Create $HOME/.ubuntu-cve-tracker.conf to have something like:

    # python-launchpad-bugs authentication cookies file (sis-changes)
    # path to Debian "security-tracker" GIT tree (check-cves)
    # get from
    # path to archive-layout mirror of supported architectures
    # sis-generate-usn, packages-mirror)
    # same as packages_mirror, but for Debian testing repository
    # same as packages_mirror, but for the partner repository
    # path to usn-tool bzr tree, used to manipulate USN databases
    # and for templates (sis-generate-usn)
    # path to copy of master USN database, used when creating
    # a template for a USN (sis-generate-usn)
    # path to individual USN pickle database output when generating a single USN
    # database before merging into the master USN database (sis-generate-usn)
    # path to git tree for the USN website which will be updated with new markdown
    # as USNs are published
    # where to get the MITRE CVE and NVD databases (check-cves)
  5. Populate the required data into the packages_mirror and partner_mirror directories:

    $ cd $UCT; ./scripts/packages-mirror
  6. Populate the required data into the secure_testing directory:

    $ cd ~/bzr-pulls
    $ git clone
  7. Pull down an initial copy of the database.pickle database:

    $ cd $UCT; ./scripts/fetch-db database.pickle.bz2



check-cves is the tool to update the CVE database with new entries.


check-cves needs the archive layout mirrors to contain up-to-date information; the ${UCT}/scripts/packages-mirror script will do this for you.


To run check-cves manually:

$ cd $UCT ; bzr up
$ ./scripts/check-cves
$ ./scripts/check-cves
$ ./scripts/check-cves <file>


$ wget -N
$ bzr up
$ ./scripts/check-cves ./allitems.xml
$ for i in $(seq 2004 $(date +%Y)) recent; do wget --quiet -N$i.xml; done
$ ./scripts/check-cves ./nvdcve-2*.xml

The Ubuntu Security team does certain triage actions depending on the day of the week, and the process_cves script will guide you through these and call check-cves with appropriate arguments. Eg:

$ bzr up
$ ./scripts/process_cves
$ ./scripts/process_cves Mon
$ ./scripts/process_cves Tue

Please see the TRIAGING section in ubuntu-cve/README for more information.

Embargoed Items

Embargoed items are supported in all the scripts except If no CVE has been assigned yet, an embargoed item should be prefixed with 'EMB-', followed by any combination of alphanumerics and dashes. Eg: EMB-xorg-2007-0001, EMB-foo

To include embargoed items simply create a symlink from 'embargoed' to the directory holding embargoed items. ubuntu-cve-tracker will not use 'embargoed' unless it is a symlink.
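The two rules above (the EMB- naming convention for items without a CVE, and the requirement that 'embargoed' be a symlink before the tracker will use it) are easy to get wrong silently. The following is an added example, not part of the ubuntu-cve-tracker code base, that checks both: it classifies item filenames, and only lists embargoed items when 'embargoed' really is a symlink to a directory. The CVE-YYYY-NNNN pattern and the demo directory layout are assumptions made for the example.

```python
import os
import re
import tempfile

# Assumed for this example (not stated on the page): public items use the MITRE CVE-YYYY-NNNN form.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# From the page: items with no CVE yet are 'EMB-' followed by any mix of alphanumerics and dashes.
EMB_RE = re.compile(r"^EMB-[A-Za-z0-9-]+$")


def classify_item(name):
    """Return 'cve', 'embargoed', or None for a tracker item filename."""
    if CVE_RE.match(name):
        return "cve"
    if EMB_RE.match(name):
        return "embargoed"
    return None


def embargoed_dir(uct_root):
    """Return the directory the tracker would read embargoed items from, or None.

    The page states that 'embargoed' is only used when it is a symlink, so a plain
    directory of the same name is deliberately ignored here.
    """
    path = os.path.join(uct_root, "embargoed")
    if os.path.islink(path) and os.path.isdir(path):
        return os.path.realpath(path)
    return None


def list_embargoed_items(uct_root):
    """Sorted names of well-formed items (EMB-* or CVE-*) reachable via the symlink."""
    target = embargoed_dir(uct_root)
    if target is None:
        return []
    return sorted(n for n in os.listdir(target) if classify_item(n) is not None)


def make_demo_tree():
    """Constructed sample layout: returns (root with a proper symlink, root with a plain directory)."""
    base = tempfile.mkdtemp(prefix="uct-demo-")
    store = os.path.join(base, "embargoed-store")
    os.mkdir(store)
    for n in ["EMB-xorg-2007-0001", "EMB-foo", "CVE-2007-0001", "notes.txt", "EMB-bad item"]:
        open(os.path.join(store, n), "w").close()

    good = os.path.join(base, "uct-good")
    os.mkdir(good)
    os.symlink(store, os.path.join(good, "embargoed"))  # what the page asks for

    bad = os.path.join(base, "uct-bad")
    os.mkdir(bad)
    os.mkdir(os.path.join(bad, "embargoed"))  # a real directory: the tracker would skip it
    open(os.path.join(bad, "embargoed", "EMB-foo"), "w").close()
    return good, bad


if __name__ == "__main__":
    good, bad = make_demo_tree()
    print("symlinked embargoed items:", list_embargoed_items(good))
    print("plain-directory embargoed items:", list_embargoed_items(bad))
```

Running it shows the three well-formed items from the symlinked layout and an empty list for the plain directory, which is the quiet failure mode a contributor hits when they create the directory instead of the symlink.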

Pre-commit Syntax Checking

To perform pre-commit syntax checking, this little hack should allow for it:

$ mkdir -p ~/.bazaar/plugins/hooks
$ cat > ~/.bazaar/plugins/hooks/ <<EOM
from bzrlib.branch import Branch

def run_tests(local, master, old_revno, old_revid, new_revno, new_revid, seven, eight):
    #print local, master, old_revno, old_revid, new_revno, new_revid, seven, eight
    import os
    # Only act on the ubuntu-cve-tracker branch; setting UCT_IGNORE_CHECK_SYNTAX skips the check
    if 'ubuntu-cve-tracker' in master.base and not os.environ.has_key('UCT_IGNORE_CHECK_SYNTAX'):
        import subprocess
        print ''
        rc = subprocess.call(['./scripts/check-syntax','--verbose'])
        if rc != 0:
            import sys
            # check-syntax failed: exit non-zero so the commit does not proceed
            sys.exit(rc)

Branch.hooks.install_named_hook('pre_commit', run_tests, 'CVE Tracker tests')
EOM

With the above, check-syntax is always run before a commit. To skip check-syntax for a single commit, run: UCT_IGNORE_CHECK_SYNTAX=1 bzr ci

Other commands

Below are various tools to help maintain and manipulate UCT. All commands assume you are in the top-level directory of UCT (i.e. after cd $UCT).

Please see the UBUNTU-CVE Commands section in ubuntu-cve/README for more information.


SecurityTeam/UbuntuCVETracker (last edited 2018-02-08 21:22:24 by tyhicks)