intel/cve-bin-tool

Created Feb 2, 2022 · View the intel/cve-bin-tool repository page

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 350 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.

Want this for your repo?

Render a free sample of any GitHub repo in seconds.

Visualize your own →

Contributors

66

Lines of Code

3,655

From

Jan 19, 2019

To

Feb 2, 2022

About intel/cve-bin-tool

The CVE Binary Tool is a free, open-source utility developed under the Open Source Security Foundation that scans software systems to identify known vulnerabilities. It leverages vulnerability data from multiple sources including the National Vulnerability Database, Red Hat advisories, the Open Source Vulnerability Database, GitLab's advisory database, and Curl's vulnerability list. The tool operates in two primary modes: binary scanning to detect vulnerable components within compiled software, and component list scanning that works with various formats including CSV files, Linux package lists, language-specific package managers, and standardized Software Bill of Materials formats like SPDX and CycloneDX.

The tool can detect over 350 common vulnerable open-source libraries such as OpenSSL, libpng, libxml2, and Expat through its 447 binary checkers. It also includes language-specific checkers for Go, Java, JavaScript, Python, Rust, Ruby, and other ecosystems. Beyond vulnerability detection, CVE Binary Tool generates and validates SBOMs, produces Vulnerability Exploitability eXchange files for triage workflows, and outputs reports in multiple formats including JSON, CSV, HTML, and PDF. The tool is designed for integration into continuous integration pipelines to enable automated, regular vulnerability scanning as part of software supply chain security practices.

The project is particularly notable for its flexibility in triage workflows, allowing teams to document why vulnerabilities may not require remediation and reuse triage data across different scans and projects. It supports offline operation once the vulnerability database is downloaded, handles multiple archive formats for extraction, and provides comprehensive configuration options. The tool is written in Python and is available through pip, making it accessible to development teams of various sizes seeking automated vulnerability detection capabilities.

Share this video