future-architect / vuls

Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
https://vuls.io/
GNU General Public License v3.0

CVEs of not yet upgradable packages #273

Closed mrauh closed 6 years ago

mrauh commented 7 years ago

I just installed vuls and tested it with an outdated Debian VM. Looking at the source code, I assume vuls parses the upgradable packages of (in my case) Debian Jessie and writes them, together with the other information, to the JSON file. This works fine!

However, my workflow is to track all relevant CVEs of all installed software on the server, especially of the software where there are no fixes available yet. In my case, if I upgrade all packages in the VM via “apt upgrade”, vuls reports “No unsecure packages”. But e.g. CVE-2016-7167 (https://security-tracker.debian.org/tracker/CVE-2016-7167) is still vulnerable, because there is no fix yet.

Is there any possibility to extract all possibly vulnerable packages of the OS or are there any plans in the future?

kotakanbe commented 7 years ago

In the current implementation, when scanning Debian, Vuls parses the changelog of an upgradable package, so it cannot detect CVE-IDs for which the package has not been modified yet.

> Is there any possibility to extract all possibly vulnerable packages of the OS or are there any plans in the future?

Yes, I am planning to investigate debsecan. http://www.enyo.de/fw/software/debsecan/
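To make the distinction in this comment concrete, here is an added example written for this page (it is not code from Vuls or from debsecan). It contrasts the two detection strategies on constructed input: the changelog-based approach only sees CVE IDs that are named in changelog entries newer than the installed version, so a CVE with no fix in any version is invisible to it, while a tracker-based approach that keys on the security tracker's status for the suite reports open CVEs regardless of the installed version. The package name `examplepkg`, its versions and the `CVE-2016-9000x` IDs are placeholders; the `TRACKER` dict is shaped like the per-package data in the Debian security tracker's JSON export (package, CVE, releases, suite, `status`, `fixed_version`), which is an assumption about that format rather than a verbatim excerpt; `dpkg_compare` is a re-implementation of dpkg's version-ordering rules in Python, not a call into dpkg.

```python
import re
from itertools import zip_longest

# Constructed sample input: a Debian-style changelog for a hypothetical package.
# The CVE-2016-9000x IDs are placeholders, not real assignments.
CHANGELOG = """\
examplepkg (1.2.0-3) jessie-security; urgency=high

  * Fix CVE-2016-90002 (placeholder ID, constructed entry)

 -- Example Maintainer <maint@example.org>  Mon, 03 Oct 2016 10:00:00 +0000

examplepkg (1.2.0-2) jessie-security; urgency=medium

  * Fix CVE-2016-90001 (placeholder ID, constructed entry)

 -- Example Maintainer <maint@example.org>  Mon, 01 Aug 2016 10:00:00 +0000

examplepkg (1.2.0-1) unstable; urgency=medium

  * New upstream release

 -- Example Maintainer <maint@example.org>  Fri, 01 Jul 2016 10:00:00 +0000
"""

# Constructed sample input shaped like the per-package records in the Debian
# security tracker's JSON export (package -> CVE -> releases -> suite). The
# association of CVE-2016-7167 (the unfixed CVE from the thread) with the
# hypothetical package is part of the constructed data; it has no fixed_version.
TRACKER = {
    "examplepkg": {
        "CVE-2016-90001": {"releases": {"jessie": {"status": "resolved", "fixed_version": "1.2.0-2"}}},
        "CVE-2016-90002": {"releases": {"jessie": {"status": "resolved", "fixed_version": "1.2.0-3"}}},
        "CVE-2016-7167": {"releases": {"jessie": {"status": "open"}}},
    }
}

HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) ", re.M)   # "pkg (version) suite; ..."
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def _char_order(c):
    """dpkg ordering for non-digit characters: '~' sorts before everything
    (even end of string), letters sort before non-letters."""
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _split_run(s, digits):
    """Split off the leading run of digit (digits=True) or non-digit characters."""
    i = 0
    while i < len(s) and s[i].isdigit() == digits:
        i += 1
    return s[:i], s[i:]


def _compare_fragment(a, b):
    """Compare an upstream-version or revision string the way dpkg does:
    alternate non-digit runs (lexical, with _char_order) and digit runs (numeric)."""
    while a or b:
        na, a = _split_run(a, False)
        nb, b = _split_run(b, False)
        for x, y in zip_longest(na, nb):
            ox = _char_order(x) if x is not None else 0
            oy = _char_order(y) if y is not None else 0
            if ox != oy:
                return ox - oy
        da, a = _split_run(a, True)
        db, b = _split_run(b, True)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0


def _split_version(v):
    """Return (epoch, upstream, revision); epoch defaults to 0, revision to ''."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_compare(a, b):
    """Negative if a < b, zero if equal, positive if a > b (dpkg --compare-versions rules)."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return ea - eb
    return _compare_fragment(ua, ub) or _compare_fragment(ra, rb)


def parse_changelog(text):
    """Return [(version, entry_text)] in file order (newest entry first)."""
    matches = list(HEADER_RE.finditer(text))
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        entries.append((m.group(2), text[m.start():end]))
    return entries


def changelog_cves(text, installed):
    """Changelog-based detection: CVE IDs named in entries newer than the installed
    version. A CVE with no fixing upload never appears here."""
    found = set()
    for version, body in parse_changelog(text):
        if dpkg_compare(version, installed) > 0:
            found.update(CVE_RE.findall(body))
    return sorted(found)


def tracker_cves(tracker, package, installed, suite):
    """Tracker-based detection: every CVE the suite does not list as resolved, plus
    resolved ones whose fixed_version is newer than the installed version."""
    result = []
    for cve, info in tracker.get(package, {}).items():
        rel = info.get("releases", {}).get(suite)
        if rel is None:
            continue
        fixed = rel.get("fixed_version")
        if rel.get("status") != "resolved" or not fixed or dpkg_compare(installed, fixed) < 0:
            result.append(cve)
    return sorted(result)


if __name__ == "__main__":
    for installed in ("1.2.0-1", "1.2.0-3"):
        print(installed, "changelog:", changelog_cves(CHANGELOG, installed))
        print(installed, "tracker:  ", tracker_cves(TRACKER, "examplepkg", installed, "jessie"))
```

With `1.2.0-1` installed both strategies agree on the two fixed placeholder CVEs, but only the tracker-based check also lists `CVE-2016-7167`. After upgrading to `1.2.0-3` the changelog check returns nothing, which is the "No unsecure packages" result described in the issue, while the tracker check keeps reporting the open CVE until a `fixed_version` appears for the suite.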

mrauh commented 7 years ago

Thanks for your answer and the hint to debsecan! I'll have a look, too.

jrw171819 commented 7 years ago

This could very likely also solve my issue #252

kotakanbe commented 6 years ago

Done https://github.com/future-architect/vuls/pull/449