
Overview on automated linux package vulnerability scanning

I got some really helpful comments on my recent post Scan Linux for Vulnerable Packages. The suggestions on how to do it on Debian and Redhat made me wonder: which distributions provide tools, and what are they capable of? So the goal is to check whether each distribution has a way to automatically check for vulnerable packages that need upgrades. Below you find an overview of the tools I've found and the distributions that might not have a good solution yet.
| Distribution | Scanner | Rating | Description |
|---|---|---|---|
| Debian | debsecan | superb | Easy to use. Maintained by the Debian testing team. Lists packages, CVE numbers and details. |
| Ubuntu | debsecan | useless | They just packaged the Debian scanner without providing a database for it! And since 2008 there is a bug about it being 100% useless. |
| CentOS, Fedora, Redhat | "yum list-security" | good | Provides package name and CVE number. Note: on older systems there is only "yum list updates". |
| OpenSuSE | "zypper list-patches" | ok | Provides package names with security-relevant updates. You need to filter the list yourself or use the "--cve" switch to limit it to CVEs only. |
| SLES | "rug lu" | ok | Provides package names with security-relevant updates. Similar to zypper, you need to do the filtering yourself. |
| Gentoo | glsa-check | bad | There is a dedicated scanner, but no documentation. |
| FreeBSD | Portaudit | superb | No Linux? Still a nice solution... Lists vulnerable ports and vulnerability details. |
I know I didn't cover all Linux distributions and I rely on your comments for details I've missed. Ubuntu doesn't look good here, but maybe there will be some solution one day :-)
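As an added example (not from this post and not part of any of the scanners' own projects), here is a small POSIX shell wrapper that picks the distribution's scanner from the table above and exits non-zero when it reports anything, so a cron job or monitoring check can alert on it. The os-release IDs and the "--only-fixed", "-t all" and "-a" flags are my assumptions about debsecan, glsa-check and portaudit; Ubuntu is deliberately left out because its debsecan has no database.

```shell
#!/bin/sh
# Added example: run the distribution's own package vulnerability scanner.
# Exit codes: 0 = scanner ran and printed nothing, 1 = findings printed,
# 2 = no usable scanner for this system.

# Map an os-release ID (or lower-cased uname -s) to a scanner command line.
# Flags beyond those shown in the table (--only-fixed, -t all, -a) are
# assumptions about the respective tools.
scanner_for() {
  case "$1" in
    debian)             echo "debsecan --only-fixed" ;;
    centos|fedora|rhel) echo "yum list-security" ;;
    opensuse*|suse)     echo "zypper list-patches --cve" ;;
    sles)               echo "rug lu" ;;
    gentoo)             echo "glsa-check -t all" ;;
    freebsd)            echo "portaudit -a" ;;
    *)                  return 1 ;;   # Ubuntu lands here: packaged scanner, no database
  esac
}

# Read ID= from an os-release style file ($1, default /etc/os-release);
# fall back to the kernel name for systems without one.
detect_os_id() {
  f="${1:-/etc/os-release}"
  if [ -r "$f" ]; then
    sed -n 's/^ID=//p' "$f" | tr -d '"' | head -n 1
  else
    uname -s | tr 'A-Z' 'a-z'
  fi
}

# Detect, pick, verify the scanner binary is installed, run it, and treat any
# output as findings (tools that always print a header need an extra filter).
scan_packages() {
  id=$(detect_os_id "$1")
  cmd=$(scanner_for "$id") || { echo "no scanner known for '$id'" >&2; return 2; }
  bin=${cmd%% *}
  command -v "$bin" >/dev/null 2>&1 || { echo "$bin not installed" >&2; return 2; }
  out=$(sh -c "$cmd" 2>/dev/null) || true
  if [ -n "$out" ]; then
    printf '%s\n' "$out"
    return 1
  fi
  return 0
}
```

Run it as `scan_packages` with no argument on the host itself; pass a path only to test the detection against a saved os-release file.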