cve-bin-tool
by ossf
The CVE Binary Tool scans binaries and software component lists to identify known vulnerabilities using multiple vulnerability databases.
The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 350 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
Primary Use Case
This tool is primarily used by security professionals and DevSecOps teams to automate vulnerability detection in software binaries and component inventories. It enables continuous integration pipelines to regularly scan for known CVEs, providing early warnings about vulnerable components in the software supply chain.
- Scans binaries for several hundred (over 350) common vulnerable open source components
- Supports scanning of component lists and Software Bill of Materials (SBOM) in various formats
- Aggregates vulnerability data from multiple sources, including NVD, Red Hat, OSV, the GitLab Advisory Database and the curl project's advisories
- Automates daily updates of vulnerability databases
- Integrates with continuous integration systems for regular vulnerability scanning
- Can auto-detect components and generate SBOMs
- Provides triage and annotation options for vulnerability reports
Installation
- Ensure Python 3 and pip are installed on your system
- Install the tool via pip: pip install cve-bin-tool
- Verify the installation by running: cve-bin-tool --help
Usage
>_ cve-bin-tool <binary_or_directory>
Scans the given binary, or every file under the given directory, for known vulnerabilities. To check a component list instead, pass it with -i <components.csv> (a CSV with vendor, product and version columns).
>_ cve-bin-tool --sbom <spdx|cyclonedx|swid> --sbom-file <sbom_file>
Reads an existing Software Bill of Materials (SBOM) file of the given type and reports known vulnerabilities for the components it lists.
>_ cve-bin-tool --update now
Forces an immediate refresh of the vulnerability databases from all configured sources; by default the tool refreshes them at most once a day when it runs.
- Integrate CVE Binary Tool into CI/CD pipelines for automated, continuous vulnerability scanning of build artifacts; the tool exits non-zero when it reports CVEs, so a pipeline step fails without extra scripting.
- Use the tool's SBOM generation capabilities to improve software supply chain transparency and compliance.
- Leverage the triage and annotation features to record which findings are not exploitable in your deployment, so that remediation effort goes to the findings that matter and alert fatigue drops.
- Combine with runtime monitoring tools to correlate detected vulnerabilities with active exploitation attempts.
- Employ in purple team exercises to rehearse the vulnerability discovery and remediation workflow, strengthening collaboration between offensive and defensive teams.
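The usage section above shows how to produce a report, and the CI bullet above explains that the tool's exit code alone decides pass or fail. In practice a pipeline needs a finer gate: block only on findings at or above a chosen severity, and do not block on findings the team has already triaged. The script below is an added example written for this page, not code from the cve-bin-tool project. It assumes the report was written with `cve-bin-tool -f json -o report.json <directory>` and that each record carries the keys vendor, product, version, cve_number, severity and remarks (the triage remark values NotAffected, Mitigated, FalsePositive, Confirmed, NewFound and Unexplored are the tool's). It also shows the CSV shape that `cve-bin-tool -i components.csv` accepts. The embedded report is constructed sample data with placeholder CVE identifiers, not real scan output.

```python
"""CI severity gate over a cve-bin-tool JSON report (added example, not project code).

Assumed report shape: a JSON list of records with at least the keys
vendor, product, version, cve_number, severity and remarks.
"""
import csv
import io
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Triage remarks meaning "known and not a risk here": these never block the build.
TRIAGED_OUT = {"NotAffected", "Mitigated", "FalsePositive"}


def component_list_csv(components):
    """Render (vendor, product, version) triples as the CSV component list
    that `cve-bin-tool -i components.csv` reads (header: vendor,product,version)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["vendor", "product", "version"])
    for vendor, product, version in components:
        writer.writerow([vendor, product, version])
    return buf.getvalue()


def gate(report, threshold="HIGH"):
    """Split report records into (blocking, accepted).

    A record blocks when its severity is at or above `threshold` and its triage
    remark is not in TRIAGED_OUT. Everything else is accepted: either it is below
    the threshold or a human has already decided it does not apply.
    """
    floor = SEVERITY_RANK[threshold.upper()]
    blocking, accepted = [], []
    for rec in report:
        sev = SEVERITY_RANK.get(str(rec.get("severity", "UNKNOWN")).upper(), 0)
        key = (rec["vendor"], rec["product"], rec["version"], rec["cve_number"])
        if sev >= floor and rec.get("remarks", "") not in TRIAGED_OUT:
            blocking.append(key)
        else:
            accepted.append(key)
    return blocking, accepted


# Constructed sample report: placeholder CVE numbers, not findings from any real scan.
SAMPLE_REPORT = [
    {"vendor": "openssl", "product": "openssl", "version": "1.1.1k",
     "cve_number": "CVE-0000-0001", "severity": "HIGH", "remarks": "NewFound"},
    {"vendor": "libpng", "product": "libpng", "version": "1.6.37",
     "cve_number": "CVE-0000-0002", "severity": "MEDIUM", "remarks": "Unexplored"},
    {"vendor": "zlib", "product": "zlib", "version": "1.2.11",
     "cve_number": "CVE-0000-0003", "severity": "CRITICAL", "remarks": "NotAffected"},
    {"vendor": "libexpat", "product": "expat", "version": "2.2.10",
     "cve_number": "CVE-0000-0004", "severity": "CRITICAL", "remarks": "Confirmed"},
]


def main(argv):
    """Usage: gate.py [report.json] [THRESHOLD]; exits 1 when anything blocks."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    threshold = argv[2] if len(argv) > 2 else "HIGH"
    blocking, accepted = gate(report, threshold)
    for vendor, product, version, cve in blocking:
        print(f"BLOCK {cve} in {vendor}:{product}:{version}")
    print(f"{len(blocking)} blocking, {len(accepted)} accepted or below {threshold}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py report.json CRITICAL` after the scan step; with no arguments it evaluates the embedded sample and exits 1 because two untriaged findings sit at or above HIGH. The triage remarks are honored as data, so the same triage file the team maintains for cve-bin-tool's own reporting drives the gate, rather than a second allowlist that drifts out of sync.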
Related Tools
trivy
aquasecurity/trivy
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
nuclei
projectdiscovery/nuclei
Nuclei is a fast, customizable vulnerability scanner powered by the global security community and built on a simple YAML-based DSL, enabling collaboration to tackle trending vulnerabilities on the internet. It helps you find vulnerabilities in your applications, APIs, networks, DNS, and cloud configurations.
lynis
CISOfy/lynis
Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
vuls
future-architect/vuls
Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
oss-fuzz
google/oss-fuzz
OSS-Fuzz - continuous fuzzing for open source software.
nuclei-templates
projectdiscovery/nuclei-templates
Community curated list of templates for the nuclei engine to find security vulnerabilities.
