github.com/intel/cve-bin-tool ↗
The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 350 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
Open this visualization on its own page →
Contributors
66
Lines of Code
3,655
From
2019-01-19
To
2022-02-02
About intel/cve-bin-tool
The CVE Binary Tool is a free, open-source utility developed under the Open Source Security Foundation that scans software systems to identify known vulnerabilities. It leverages vulnerability data from multiple sources including the National Vulnerability Database, Red Hat advisories, the Open Source Vulnerability Database, GitLab's advisory database, and Curl's vulnerability list. The tool operates in two primary modes: binary scanning to detect vulnerable components within compiled software, and component list scanning that works with various formats including CSV files, Linux package lists, language-specific package managers, and standardized Software Bill of Materials formats like SPDX and CycloneDX.
The tool can detect over 350 common vulnerable open-source libraries such as OpenSSL, libpng, libxml2, and Expat through its 447 binary checkers. It also includes language-specific checkers for Go, Java, JavaScript, Python, Rust, Ruby, and other ecosystems. Beyond vulnerability detection, CVE Binary Tool generates and validates SBOMs, produces Vulnerability Exploitability eXchange files for triage workflows, and outputs reports in multiple formats including JSON, CSV, HTML, and PDF. The tool is designed for integration into continuous integration pipelines to enable automated, regular vulnerability scanning as part of software supply chain security practices.
The project is particularly notable for its flexibility in triage workflows, allowing teams to document why vulnerabilities may not require remediation and reuse triage data across different scans and projects. It supports offline operation once the vulnerability database is downloaded, handles multiple archive formats for extraction, and provides comprehensive configuration options. The tool is written in Python and is available through pip, making it accessible to development teams of various sizes seeking automated vulnerability detection capabilities.