CVE data in Solaris 11 packages

A while ago Oracle started to integrate the CVE-ID , that patches are fixing, into the Critical Patch Updates (CPU). With this data it’s easy to give an answer, if you have applied the patches to mitigate a certain CVE, or if there a patch available to fix such a CVE

For example to check, which CPUs fix the CVE-2015-0387 you can use this command:

pkg search -r :CVE-2015-0397: | tr -s " " | cut -d  " " -f 4  | sort | uniq

With the next command you check, which CVE are fixed by the critical patch update:

pkg search -r info.cve: | grep "cpu@2017.4" | tr -s  " "  | cut -f 3 | sort | uniq -c | sort

To your local system this kind of information only gets in case you are installing the CPU on your system. To install the latest CPU you just have to enter pkg install solaris-11-cpu. Afterwards you can get to the next CPU by just entering pkg update solaris-11-cpu. Without installing this package, any command searching for CVE stuff will yield no results.
Afterward the installation, you can search for the information for the local state of your system. For example to find out if you have applied the patches to fix a certain CVE you can just use:

pkg search -l CVE-* | tr -s  " " | cut -d " " -f 3 | sort

To check the locally installed CPU package just use this command:

root@nfsclient:~# pkg info -l solaris-11-cpu
             Name: support/critical-patch-update/solaris-11-cpu
          Summary: Oracle Solaris Critical Patch Update 2017.4-1
      Description: This package ensures a system remains up to date with the
                   Oracle Critical Patch Updates for Oracle Solaris
            State: Installed
        Publisher: solaris
          Version: 2017.4
    Build Release: 5.11
           Branch: 1
   Packaging Date: Sat Apr 08 03:04:05 2017
Last Install Time: Thu May 04 21:20:09 2017
             Size: 5.46 kB
             FMRI: pkg://solaris/support/critical-patch-update/solaris-11-cpu@2017.4,5.11-1:20170408T030405Z