Checkmk CVE Scanner

Checkmk CVE Scanner v4.0

Motivation:
Automated synchronization of SW inventory data with the NVD via API - Checkmk

Today, I would like to introduce my CVE Scanner for Checkmk.

CMK-exchange/cmk_cve_scanner at main · bh2005/CMK-exchange

The tool runs directly on the Checkmk server and reads inventory data directly from the local filesystem. This means zero HTTP overhead, no need for an API user, and native multi-site support. It correlates your inventory against several major CVE databases:

Data Sources Comparison

Source      Batch support?       Rate limit                             Strengths
OSV.dev     Yes, 100 per batch   None                                   Native Debian/Ubuntu support, GHSA, very comprehensive
OSS Index   Yes, 128 per batch   ~64/h (anonymous), more with account   PURL-based, excellent library coverage
CISA KEV    Yes, JSON feed       None                                   Flags actively exploited vulnerabilities
NVD         No, single query     6 s per query, 0.7 s with API key      Targeted lookups via mapping (~10% of packages)

Recommendation: OSV + OSS Index + CISA KEV are sufficient for most environments.
NVD is optional and is only queried for packages with a pre-defined mapping to reduce API load.

Includes: Local caching and automated reports (JSON/CSV).
  • Zero-API Footprint: Accesses site data via /omd/sites/.../var/check_mk/inventory/.
  • Intelligent Caching: Minimizes API calls by storing scan results locally.
  • Smart Mapping: Translates OS package names to NVD-compliant product names to reduce false negatives.

Architecture

/omd/sites/<site>/var/check_mk/inventory/
  ├── server01        ← Python literal format (ast.literal_eval)
  ├── server01.gz     ← compressed variant (automatically detected)
  └── ...
         │
         ▼
  CheckmkInventoryReader  ← generator-based
         │
         ├─ OsvClient      → OSV.dev querybatch       (batches of 100, no key)
         ├─ OssIndexClient → Sonatype OSS Index        (batches of 128, free)
         ├─ NvdClient      → NVD API 2.0               (mapped packages only, ~10%)
         └─ CisaKevClient  → CISA KEV feed             (no key, cached)
                  │
                  ▼
             ApiCache      ← JSON cache (24h TTL; 2nd run takes minutes instead of hours)
                  │
                  ▼
             CveMerger     ← OSV + OSS + NVD deduplication, highest score wins
                  │
                  ▼
          ReportGenerator  → JSON + CSV + summary
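As an added illustration of the reader and merger stages (example code written for this post, not the scanner's own): the .gz variant is detected by its magic bytes, the file is parsed with ast.literal_eval rather than eval, and findings for the same CVE from several sources collapse to one row with the highest score. The nested Nodes/Table/Rows layout and the sample rows are assumptions constructed for the example.

```python
import ast
import gzip
from pathlib import Path

GZIP_MAGIC = b"\x1f\x8b"

# Constructed sample in the assumed Checkmk raw-inventory layout
# (nested "Nodes" with a "Table" of "Rows"); not a real host dump.
SAMPLE_TREE = {"Nodes": {"software": {"Nodes": {"packages": {"Table": {
    "KeyColumns": ["name"],
    "Rows": [{"name": "openssl", "version": "3.0.15-1~deb12u1", "package_type": "deb"},
             {"name": "libssl3", "version": "3.0.15-1~deb12u1", "package_type": "deb"},
             {"name": "curl", "version": "7.88.1-10+deb12u8"}]}}}}}}
SAMPLE_TREE_GZ = gzip.compress(repr(SAMPLE_TREE).encode("utf-8"))

def parse_inventory(raw: bytes) -> dict:
    """Parse one raw inventory file: a Python literal, optionally gzip-compressed.
    The .gz variant is detected by magic bytes, not by file name; ast.literal_eval
    is used instead of eval so a crafted inventory file cannot execute code."""
    if raw[:2] == GZIP_MAGIC:
        raw = gzip.decompress(raw)
    return ast.literal_eval(raw.decode("utf-8"))

def read_inventory(path) -> dict:
    return parse_inventory(Path(path).read_bytes())

def iter_software(tree: dict):
    """Yield (name, version) pairs from software.packages (generator, as in the reader)."""
    table = (tree.get("Nodes", {}).get("software", {}).get("Nodes", {})
             .get("packages", {}).get("Table", {}))
    for row in table.get("Rows", []):
        if row.get("name") and row.get("version"):
            yield row["name"], row["version"]

def merge_findings(findings: list[dict]) -> list[dict]:
    """One row per (host, package, version, cve); the highest CVSS score wins and
    every source that reported the CVE is retained for the report."""
    merged: dict[tuple, dict] = {}
    for f in findings:
        key = (f["host"], f["package"], f["version"], f["cve"])
        cur = merged.setdefault(key, {**f, "sources": set()})
        cur["sources"].add(f["source"])
        cur["score"] = max(cur["score"], f["score"])
    return sorted(merged.values(), key=lambda r: (-r["score"], r["cve"]))

# Constructed findings: the same placeholder CVE reported by two sources.
SAMPLE_FINDINGS = [
    {"host": "server01", "package": "curl", "version": "7.88.1-10+deb12u8",
     "cve": "CVE-EXAMPLE-0001", "score": 7.5, "source": "OSV"},
    {"host": "server01", "package": "curl", "version": "7.88.1-10+deb12u8",
     "cve": "CVE-EXAMPLE-0001", "score": 8.1, "source": "NVD"},
]
```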

Sample CLI output

2026-02-25 14:16:06 [INFO] ============================================================
2026-02-25 14:16:06 [INFO] Checkmk CVE Scanner v3.0 — Local Mode
2026-02-25 14:16:06 [INFO]   OMD Root: /omd/sites
2026-02-25 14:16:06 [INFO]   Sites:    test
2026-02-25 14:16:06 [INFO]   Hosts:    alle
2026-02-25 14:16:06 [INFO]   Quellen:  OSV.dev
2026-02-25 14:16:06 [INFO]   Min CVSS: 4.0
2026-02-25 14:16:06 [INFO]   Output:   /var/log/cve_scanner
2026-02-25 14:16:06 [INFO] ============================================================
2026-02-25 14:16:06 [INFO] [test] Lese Inventory für 25 Hosts...
2026-02-25 14:16:07 [INFO] [test] → 3213 Software-Einträge
2026-02-25 14:16:07 [INFO] Gesamt Software-Einträge: 3213
2026-02-25 14:16:07 [INFO] Unique Software/Version: 1693
2026-02-25 14:16:07 [INFO] ───────────────────────────────────────────────────────
2026-02-25 14:16:07 [INFO] OSV.dev Batch-Lookup...
2026-02-25 14:16:07 [INFO]   OSV Batch 1/17: 100 Pakete
2026-02-25 14:16:51 [INFO]   OSV Batch 2/17: 100 Pakete
2026-02-25 14:17:04 [INFO]   OSV Batch 3/17: 100 Pakete
2026-02-25 14:17:08 [INFO]   OSV Batch 4/17: 100 Pakete
2026-02-25 14:17:10 [INFO]   OSV Batch 5/17: 100 Pakete
2026-02-25 14:17:12 [INFO]   OSV Batch 6/17: 100 Pakete
2026-02-25 14:17:12 [INFO]   OSV Batch 7/17: 100 Pakete
2026-02-25 14:17:14 [INFO]   OSV Batch 8/17: 100 Pakete
2026-02-25 14:17:15 [INFO]   OSV Batch 9/17: 100 Pakete
2026-02-25 14:17:21 [INFO]   OSV Batch 10/17: 100 Pakete
2026-02-25 14:17:26 [INFO]   OSV Batch 11/17: 100 Pakete
2026-02-25 14:17:27 [INFO]   OSV Batch 12/17: 100 Pakete
2026-02-25 14:17:30 [INFO]   OSV Batch 13/17: 100 Pakete
2026-02-25 14:17:36 [INFO]   OSV Batch 14/17: 100 Pakete
2026-02-25 14:17:59 [INFO]   OSV Batch 15/17: 100 Pakete
2026-02-25 14:18:06 [INFO]   OSV Batch 16/17: 100 Pakete
2026-02-25 14:19:19 [INFO]   OSV Batch 17/17: 93 Pakete
2026-02-25 14:19:23 [INFO] OSV: 0 Vulnerabilities in 0 Paketen
2026-02-25 14:19:23 [INFO] ───────────────────────────────────────────────────────
2026-02-25 14:19:23 [INFO] Merge NVD + OSV...
2026-02-25 14:19:23 [INFO] JSON Report: /var/log/cve_scanner/cve_report_20260225_131606.json
2026-02-25 14:19:23 [INFO] CSV Report: /var/log/cve_scanner/cve_report_20260225_131606.csv
2026-02-25 14:19:23 [INFO] Summary CSV: /var/log/cve_scanner/cve_summary_20260225_131606.csv

============================================================
SCAN ABGESCHLOSSEN
============================================================
Sites gescannt:     test
Gesamt Findings:    0
Betroffene Hosts:   0

Nach Schweregrad:

Nach Quelle:

Top anfällige Software:

Reports:
  JSON:    /var/log/cve_scanner/cve_report_20260225_131606.json
  CSV:     /var/log/cve_scanner/cve_report_20260225_131606.csv
  Summary: /var/log/cve_scanner/cve_summary_20260225_131606.csv
============================================================
5 Likes

Hi, first of all thanks for the great tool — I’ve been testing it on Debian 12 servers and it looks very promising.

I’m seeing quite a few false positives and I believe the root cause is how Debian’s backport patching is handled. Debian fixes CVEs by backporting patches without changing the upstream version number (e.g. openssl 3.0.15-1~deb12u1 has fixes that upstream 3.0.15 doesn’t).

From what I can see in the code, _clean_version() strips the Debian revision suffix before querying NVD and OSS Index, so those sources see just the upstream version and flag CVEs that are actually already patched. On the OSV side, the ecosystem Debian:12 is set correctly, but the queries use binary package names (libssl3) instead of source package names (openssl), which is what OSV indexes for Debian advisories.

Is this a known limitation? Any plans to address it, maybe by cross-referencing the Debian Security Tracker or mapping binary-to-source package names for OSV?

Thanks!

Matteo

1 Like
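An added example (not the scanner's code) of the two points raised above: keep the full Debian version, including the ~deb12u1 revision, instead of the bare upstream version, and query OSV by source package name. The binary-to-source mapping and the package versions are constructed for the example; on a real host the mapping would come from dpkg's Source field. The query shape follows the OSV querybatch API.

```python
from typing import Optional

# Constructed mapping for the example; on a Debian host it would be derived
# from the dpkg "Source" field of each installed binary package.
BINARY_TO_SOURCE = {"libssl3": "openssl", "openssl": "openssl", "libcurl4": "curl"}

# Constructed inventory entries (binary package name, full Debian version).
SAMPLE_ENTRIES = [
    ("libssl3", "3.0.15-1~deb12u1"),
    ("openssl", "3.0.15-1~deb12u1"),
    ("libcurl4", "7.88.1-10+deb12u8"),
]

def split_debian_version(version: str) -> tuple[Optional[str], str, Optional[str]]:
    """Split [epoch:]upstream[-revision]. The revision (e.g. 1~deb12u1) is where
    Debian records backported security fixes; querying NVD or OSS Index with only
    the upstream part discards that information and produces the false positives
    described in the post above."""
    epoch = None
    if ":" in version:
        epoch, version = version.split(":", 1)
    if "-" in version:
        upstream, _, revision = version.rpartition("-")
        return epoch, upstream, revision
    return epoch, version, None

def osv_query(binary_name: str, version: str, ecosystem: str,
              binary_to_source: dict[str, str]) -> dict:
    """One OSV querybatch entry: Debian advisories are indexed by source package,
    and the full Debian version lets OSV apply the distro's fixed-version ranges."""
    return {"package": {"name": binary_to_source.get(binary_name, binary_name),
                        "ecosystem": ecosystem},
            "version": version}

def build_osv_batches(entries, ecosystem: str, binary_to_source: dict[str, str],
                      size: int = 100) -> list[dict]:
    """Collapse binaries of the same source package into one query and chunk
    into querybatch payloads of at most `size` queries (100 per batch on OSV)."""
    unique: dict[tuple[str, str], dict] = {}
    for name, version in entries:
        q = osv_query(name, version, ecosystem, binary_to_source)
        unique[(q["package"]["name"], version)] = q
    queries = list(unique.values())
    return [{"queries": queries[i:i + size]} for i in range(0, len(queries), size)]

if __name__ == "__main__":
    print(split_debian_version("3.0.15-1~deb12u1"))
    for batch in build_osv_batches(SAMPLE_ENTRIES, "Debian:12", BINARY_TO_SOURCE):
        print(batch)
```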

Hi Matthew,

Thanks for the hint …

Not everything is perfect, but I'll keep working on making it better!

Responses like this are very important to improve OSS!

I'll check this next week and provide an update.

Greetz Bernd

2 Likes