The CVE Binary Tool scans binaries and software component lists to identify known vulnerabilities using multiple vulnerability databases.
The CVE Binary Tool helps you determine whether your system includes known vulnerabilities. You can scan binaries for over 350 common vulnerable components (openssl, libpng, libxml2, expat and others), or, if you already know which components are used, you can get a list of known vulnerabilities associated with an SBOM or with a list of components and versions.
This tool is primarily used by security professionals and DevSecOps teams to automate vulnerability detection in software binaries and component inventories. It enables continuous integration pipelines to regularly scan for known CVEs, providing early warnings about vulnerable components in the software supply chain.
The tool downloads vulnerability data once per day by default, so initial scans may take longer due to data fetching. It is not officially endorsed by the NVD despite using its API. Integrating this tool into CI/CD pipelines is recommended for continuous vulnerability monitoring. Users should ensure they have network access to update vulnerability feeds regularly.
Ensure Python is installed on your system
Install the tool via pip: pip install cve-bin-tool
Verify installation by running: cve-bin-tool --help
cve-bin-tool <binary_or_component_list>
Scans the specified binary or component list file for known vulnerabilities.
cve-bin-tool --sbom <sbom_file>
Reads an existing Software Bill of Materials (SBOM) file and reports known vulnerabilities.
cve-bin-tool --update
Manually triggers an update of the vulnerability databases from all sources.
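The component-list workflow above (build an inventory, scan it, act on the result in a pipeline) as an added example; this is not code from the cve-bin-tool project. It assumes the tool is installed with pip and on PATH, that it accepts a CSV with a vendor,product,version header through its -i/--input-file option, and that -f json with -o writes a JSON report whose top level is a list of findings; the component versions are constructed sample data, not claims about any real release.

```python
"""Build a component list for cve-bin-tool and run the scan as a CI step.

Added example, not part of cve-bin-tool's own code. Assumptions: the tool is
installed (`pip install cve-bin-tool`) and on PATH; it reads a CSV with a
`vendor,product,version` header via -i/--input-file; `-f json -o <file>`
writes a JSON report whose top level is a list of CVE findings.
"""
import csv
import io
import json
import shutil
import subprocess
import sys
from pathlib import Path

FIELDS = ("vendor", "product", "version")

# Constructed inventory of a hypothetical firmware image's third-party
# components; the versions are sample values chosen for illustration only.
SAMPLE_COMPONENTS = [
    {"vendor": "openssl", "product": "openssl", "version": "1.1.1k"},
    {"vendor": "libpng", "product": "libpng", "version": "1.6.37"},
    {"vendor": "libexpat", "product": "expat", "version": "2.2.10"},
]


def component_list_text(components):
    """Render components as the vendor,product,version CSV the tool reads."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for comp in components:
        writer.writerow({k: comp[k] for k in FIELDS})
    return buf.getvalue()


def write_component_list(components, path):
    """Write the CSV to disk and return its path."""
    path = Path(path)
    path.write_text(component_list_text(components))
    return path


def build_scan_command(component_csv, report_json):
    """argv for a non-interactive scan that writes a JSON report."""
    return [
        "cve-bin-tool",
        "-i", str(component_csv),   # scan a component list instead of a binary
        "-f", "json",               # machine-readable output for the pipeline
        "-o", str(report_json),
    ]


def count_findings(report_json):
    """Number of CVE entries in the JSON report; 0 if it is absent or empty."""
    path = Path(report_json)
    if not path.exists():
        return 0
    data = json.loads(path.read_text() or "[]")
    return len(data) if isinstance(data, list) else 0


def run_scan(components, workdir):
    """Write the list, run cve-bin-tool if installed, return the finding count.

    Returns None when the tool is not on PATH so the caller can distinguish
    'nothing found' from 'nothing scanned'.
    """
    workdir = Path(workdir)
    workdir.mkdir(parents=True, exist_ok=True)
    csv_path = write_component_list(components, workdir / "components.csv")
    report = workdir / "report.json"
    if shutil.which("cve-bin-tool") is None:
        return None
    # The first run may be slow: the tool fetches vulnerability data once a day.
    subprocess.run(build_scan_command(csv_path, report), check=False)
    return count_findings(report)


if __name__ == "__main__":
    result = run_scan(SAMPLE_COMPONENTS, "cve-scan")
    if result is None:
        sys.exit("cve-bin-tool not found on PATH; run: pip install cve-bin-tool")
    print(f"{result} known CVE(s) reported")
    sys.exit(1 if result else 0)   # fail the CI step when anything is reported
```

The script deliberately treats "tool missing" and "no findings" as different outcomes: a pipeline that silently passes because the scanner was never installed gives a false sense of coverage. Pair it with a scheduled `cve-bin-tool --update` job, or let the daily automatic refresh run, so that results reflect current feeds.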