Command-line utility to scan the system and report on potential vulnerabilities, based on public CVE data
sjvermeu Merge pull request #40 from airbjorn/master
wget: modified behavior and added checking in scripts/pullcves
Latest commit 1e751b9 Jan 9, 2019


The goal of cvechecker is to report on possible vulnerabilities on your system by scanning a list of installed software and matching the results against the CVE database. This is not a bullet-proof method and you will have many false positives (i.e., a vulnerability is fixed in a revision release, but the tool isn't able to detect the revision itself), yet it is still better than nothing, especially if you are running a distribution with little security coverage.


  1. Initialize the SQLite3 Database
    ~# cvechecker -i

  2. Load CVE and version matching rules
    ~$ pullcves pull

  3. Generate List of Files to scan
    ~$ find / -type f -perm -o+x > scanlist.txt
    ~$ echo "/proc/version" >> scanlist.txt

  4. Gather List of Installed Software/Versions
    ~$ cvechecker -b scanlist.txt

  5. Output Matching CVE Entries
    ~$ cvechecker -r
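
The five steps above combined into one script, added here as an example (it is not part of the cvechecker project). It builds the scan list per root with `-xdev` so `find` does not walk into /proc, /sys or network mounts; the function names and the `SCAN_ROOTS` and `SCANLIST` variables are assumptions.

```shell
#!/bin/sh
# Added example, not cvechecker's own code. build_scanlist, run_scan,
# SCAN_ROOTS and SCANLIST are hypothetical names chosen for this sketch.

# build_scanlist OUTFILE ROOT...
# Writes every world-executable regular file under each ROOT to OUTFILE,
# one path per line, de-duplicated, then appends /proc/version so the
# kernel version is scanned too (step 3 of the list above).
build_scanlist() {
    out=$1
    shift
    tmp=$(mktemp) || return 1
    for root in "$@"; do
        # -xdev keeps find on the filesystem of $root (skips pseudo and
        # network mounts below it). Permission errors are expected when
        # not running as root, so they are discarded.
        find "$root" -xdev -type f -perm -o+x 2>/dev/null >> "$tmp" || true
    done
    sort -u "$tmp" > "$out"
    rm -f "$tmp"
    echo "/proc/version" >> "$out"
}

# run_scan [init]
# Runs steps 1-5. Pass "init" on the first run only (step 1).
run_scan() {
    scanlist=${SCANLIST:-scanlist.txt}
    if [ "$1" = "init" ]; then
        cvechecker -i || return 1              # step 1
    fi
    # Step 2. The exit status is not checked because its meaning is not
    # documented on this page.
    pullcves pull
    # Step 3. SCAN_ROOTS is split on whitespace on purpose.
    build_scanlist "$scanlist" ${SCAN_ROOTS:-/} || return 1
    cvechecker -b "$scanlist" || return 1      # step 4
    cvechecker -r                              # step 5
}
```

For a first run as root, call `run_scan init`; to limit the scan, set for example `SCAN_ROOTS="/usr /opt"` before calling `run_scan`.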

More detailed installation information is available via the installation docs.
The homepage for this project.
