The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
I just merged #3395 (a gawk checker) and it currently only has a Debian-based file test. We try when possible to have tests against multiple Linux distributions so that we can tell patterns aren't specific to only one form of packaging, so it would be good to add a second file-based test here.
It's also possible that the recently merged checker won't work against anything but Debian. If that's the case, please open a PR to add a note in the checker file itself saying something like "At this time, this checker works only against Debian-based packages".
cve-bin-tool uses https://www.conventionalcommits.org/ style for commit messages, and we have a test that checks the title of your pull request (PR). A good potential title for this one is in the title of this issue.
You can make an issue auto close by including a comment "fixes #ISSUENUMBER" in your PR comments where ISSUENUMBER is the actual number of the issue. This "links" the issue to the pull request.
Claiming issues:
You do not need to have an issue assigned to you before you work on it. To "claim" an issue either make a linked pull request or comment on the issue saying you'll be working on it.
If someone else has already commented or opened a pull request, assume it is claimed and find another issue to work on.
If it's been more than 1 week without progress, you can ask in a comment if the claimant is still working on it before claiming it yourself (give them at least 3 days to respond before assuming they have moved on).
Useful links for writing the test: