Sign me up Login

Details about package cve-bin-tool

Name:	cve-bin-tool
Uploader:	Eugene Kaddo <arduinum628@gmail.com> (Debian QA page)
Description:	cve-bin-tool - CVE Binary Tool - scan binaries for known vulnerabilities

Package uploads

Upload #3

Information

Version:	3.4+dfsg-1
Uploaded:	2026-04-21 17:53
Source package:	cve-bin-tool_3.4+dfsg-1.dsc
Distribution:	unstable
Section:	python
Priority:	optional
Homepage:	https://github.com/intel/cve-bin-tool
Closes bugs:	#1034575

Changelog

 cve-bin-tool (3.4+dfsg-1) unstable; urgency=medium
 .
   * Initial upload. (Closes: #1034575)
   * Imported upstream version 3.4
   * Built for internal use and preparation for Debian contribution
   * No changes to upstream code; OSV data source is disabled via configuration
     (requires gsutil which is not shipped in Debian)
   * Backported upstream fix from cve-bin-tool commit e21e691
     (https://github.com/ossf/cve-bin-tool/commit/e21e691d5b7f579c7e2f3e534ac8cfb4fea6b97f)
     - Changed metric IDs in cvedb to constants
     - Original author: weichslgartner
     - This patch is applied to 3.4, upstream fix was in 3.4.1rc
   * Repack upstream tarball to remove non-source files:
     - remove prebuilt JavaScript files (bootstrap.js, plotly.js)
     - remove generated HTML reports
     - remove test artifacts containing prebuilt binaries

QA information

–
Package uses debhelper-compat

Debhelper compatibility level 13
–
Watch file is not present
–
Package is not native

Format: 3.0 (quilt)
–
"Maintainer" email is the same as the uploader
–
Package has lintian informational tags
cve-bin-tool source
- I debian-watch-file-is-missing
- I missing-explanation-for-repacked-upstream-tarball
  - [debian/copyright:1]
- I override_dh_auto_test-does-not-check-DEB_BUILD_OPTIONS
  - [debian/rules:12]
- I quilt-patch-missing-description
  - [debian/patches/disable-osv-by-default.patch]
  - [debian/patches/fix-cvedb.patch]
  - [debian/patches/hide-osv-help.patch]
  - [debian/patches/hide-osv-text-logger-1.patch]
- P trailing-whitespace
  - [debian/changelog:13]
  - [debian/changelog:14]
  - [debian/changelog:15]
- X upstream-metadata-file-is-missing
- X very-long-line-length-in-source-file
  - 1090 > 512 [fuzz/generated/cyclonedx_pb2.py:15]
  - 1535 > 512 [test/sbom/spdx_test.spdx.rdf:3549]
  - 17439 > 512 [test/condensed-downloads/gnome-shell-41.2-1.fc35.x86_64.rpm:7]
  - 194423 > 512 [cve_bin_tool/output_engine/html_reports/css/bootstrap.css:6]
  - 2735 > 512 [fuzz/generated/composer_lock_pb2.py:16]
  - 2870 > 512 [test/condensed-downloads/dovecot-core_2.3.13+dfsg1-1ubuntu1_amd64.deb:10698]
  - 542 > 512 [fuzz/generated/intermediate_report_pb2.py:17]
  - 55202 > 512 [test/condensed-downloads/dovecot-2.3.14-1.fc34.i686.rpm:343]
  - 566 > 512 [CONTRIBUTING.md:359]
  - 577 > 512 [fuzz/generated/package_resolved_pb2.py:13]
  - 588 > 512 [doc/triaging_process.md:256]
  - 599 > 512 [cve_bin_tool/checkers/README.md:74]
  - 604 > 512 [test/assets/test.ipk:3]
  - 621 > 512 [fuzz/generated/pkg_info_pb2.py:16]
  - 62301 > 512 [test/assets/test.apk:2075]
  - 628 > 512 [fuzz/generated/pubspec_lock_pb2.py:21]
  - 699 > 512 [fuzz/generated/cargo_lock_pb2.py:17]
  - 706 > 512 [fuzz/generated/cpanfile_pb2.py:16]
  - 711 > 512 [test/sbom/spdx_test.spdx:244]
  - 737 > 512 [README.md:13]
  - 765 > 512 [fuzz/generated/go_mod_pb2.py:16]
  - 792 > 512 [fuzz/generated/renv_lock_pb2.py:16]
  - 843 > 512 [doc/MANUAL.md:570]
  - 856 > 512 [fuzz/generated/package_lock_pb2.py:15]
  - 896 > 512 [fuzz/generated/gemfile_lock_pb2.py:16]
  - 927 > 512 [fuzz/generated/cve_data_pb2.py:15]
  - 935 > 512 [fuzz/generated/pom_xml_pb2.py:20]
  - 967 > 512 [cve_bin_tool/schemas/pom.xsd:1535]
–
Package closes ITP bug
- cve-bin-tool:
  - #1034575 (Wishlist, ITP): ITP: cve-bin-tool -- The CVE Binary Tool is a free, open source tool to help you find known vulnerabilities in software, using data from the National Vulnerability Database (NVD) list of Common Vulnerabilities and Exposures (CVEs).
–
No VCS field present
–
Package is not in Debian
–
d/copyright is in DEP5 format

Upstream Contact: Terri Oda <terri.oda@intel.com>

Licenses: GPL-3+

Comments

This package is part of a set of related packages required for full functionality:

1. python3-lib4sbom https://mentors.debian.net/package/lib4sbom/
2. python3-csaf-tool (depends on lib4vex) https://mentors.debian.net/package/csaf-tool/
3. python3-lib4vex (depends on lib4sbom) https://mentors.debian.net/package/lib4vex/
4. python3-cve-bin-tool (depends on csaf-tool/lib4vex)

All packages are ready for review and build. Please note that they must 
be built in this order due to dependency chain.

Ready Eugene Kaddo at April 21, 2026, 6:09 p.m.

- missing debian/watch. Please add.
- /cve-bin-tool-3.4/test/condensed-downloads/ - Are 500 MB of archives with an unknown license really necessary?

Needs work Alexander Ermakov at April 22, 2026, 2:21 a.m.

d/changelog only:
  * Initial release. (Closes: #1034575)

Needs work Alexander Ermakov at April 22, 2026, 2:24 a.m.

Depends: https://mentors.debian.net/package/python-lib4sbom/

Alexander Ermakov at May 2, 2026, 3:29 a.m.

Upload #2

Information

Version:	3.4+dfsg-1
Uploaded:	2026-04-20 16:08
Source package:	cve-bin-tool_3.4+dfsg-1.dsc
Distribution:	unstable
Section:	python
Priority:	optional
Homepage:	https://github.com/intel/cve-bin-tool
Closes bugs:	#1034575

Changelog

 cve-bin-tool (3.4+dfsg-1) unstable; urgency=medium
 .
   * Initial release (Closes: #1034575)
   * Imported upstream version 3.4
   * Built for internal use and preparation for Debian contribution
   * No changes to upstream code; OSV data source is disabled via configuration
     (requires gsutil which is not shipped in Debian)
   * Backported upstream fix from cve-bin-tool commit e21e691
     (https://github.com/ossf/cve-bin-tool/commit/e21e691d5b7f579c7e2f3e534ac8cfb4fea6b97f)
     - Changed metric IDs in cvedb to constants
     - Original author: weichslgartner
     - This patch is applied to 3.4, upstream fix was in 3.4.1rc
   * Repack upstream tarball to remove non-source files:
     - remove prebuilt JavaScript files (bootstrap.js, plotly.js)
     - remove generated HTML reports
     - remove test artifacts containing prebuilt binaries

QA information

–
Package uses debhelper-compat

Debhelper compatibility level 13
–
Watch file is not present
–
Package is not native

Format: 3.0 (quilt)
–
"Maintainer" email is the same as the uploader
–
Package has lintian informational tags
cve-bin-tool source
- I debian-watch-file-is-missing
- I missing-explanation-for-repacked-upstream-tarball
  - [debian/copyright:1]
- I override_dh_auto_test-does-not-check-DEB_BUILD_OPTIONS
  - [debian/rules:12]
- I quilt-patch-missing-description
  - [debian/patches/disable-osv-by-default.patch]
  - [debian/patches/fix-cvedb.patch]
  - [debian/patches/hide-osv-help.patch]
  - [debian/patches/hide-osv-text-logger-1.patch]
- P trailing-whitespace
  - [debian/changelog:13]
  - [debian/changelog:14]
  - [debian/changelog:15]
- X upstream-metadata-file-is-missing
- X very-long-line-length-in-source-file
  - 1090 > 512 [fuzz/generated/cyclonedx_pb2.py:15]
  - 1535 > 512 [test/sbom/spdx_test.spdx.rdf:3549]
  - 17439 > 512 [test/condensed-downloads/gnome-shell-41.2-1.fc35.x86_64.rpm:7]
  - 194423 > 512 [cve_bin_tool/output_engine/html_reports/css/bootstrap.css:6]
  - 2735 > 512 [fuzz/generated/composer_lock_pb2.py:16]
  - 2870 > 512 [test/condensed-downloads/dovecot-core_2.3.13+dfsg1-1ubuntu1_amd64.deb:10698]
  - 542 > 512 [fuzz/generated/intermediate_report_pb2.py:17]
  - 55202 > 512 [test/condensed-downloads/dovecot-2.3.14-1.fc34.i686.rpm:343]
  - 566 > 512 [CONTRIBUTING.md:359]
  - 577 > 512 [fuzz/generated/package_resolved_pb2.py:13]
  - 588 > 512 [doc/triaging_process.md:256]
  - 599 > 512 [cve_bin_tool/checkers/README.md:74]
  - 604 > 512 [test/assets/test.ipk:3]
  - 621 > 512 [fuzz/generated/pkg_info_pb2.py:16]
  - 62301 > 512 [test/assets/test.apk:2075]
  - 628 > 512 [fuzz/generated/pubspec_lock_pb2.py:21]
  - 699 > 512 [fuzz/generated/cargo_lock_pb2.py:17]
  - 706 > 512 [fuzz/generated/cpanfile_pb2.py:16]
  - 711 > 512 [test/sbom/spdx_test.spdx:244]
  - 737 > 512 [README.md:13]
  - 765 > 512 [fuzz/generated/go_mod_pb2.py:16]
  - 792 > 512 [fuzz/generated/renv_lock_pb2.py:16]
  - 843 > 512 [doc/MANUAL.md:570]
  - 856 > 512 [fuzz/generated/package_lock_pb2.py:15]
  - 896 > 512 [fuzz/generated/gemfile_lock_pb2.py:16]
  - 927 > 512 [fuzz/generated/cve_data_pb2.py:15]
  - 935 > 512 [fuzz/generated/pom_xml_pb2.py:20]
  - 967 > 512 [cve_bin_tool/schemas/pom.xsd:1535]
–
Package closes ITP bug
- cve-bin-tool:
  - #1034575 (Wishlist, ITP): ITP: cve-bin-tool -- The CVE Binary Tool is a free, open source tool to help you find known vulnerabilities in software, using data from the National Vulnerability Database (NVD) list of Common Vulnerabilities and Exposures (CVEs).
–
No VCS field present
–
Package is not in Debian
–
d/copyright is in DEP5 format

Upstream Contact: Terri Oda <terri.oda@intel.com>

Licenses: GPL-3+

Comments

d/changelog
first upload should be version-1 with initial upload. (closes: #itpbugnumber)

Needs work Alexander Ermakov at April 21, 2026, 2:38 a.m.

Thank you for the review.

Fixed in the latest upload:

debian/changelog: use "Initial upload. (Closes: #1034575)" as suggested

Ready Eugene Kaddo at April 21, 2026, 6:12 p.m.

Upload #1

Information

Version:	3.4-1
Uploaded:	2026-04-14 15:23
Source package:	cve-bin-tool_3.4-1.dsc
Distribution:	unstable
Section:	python
Priority:	optional
Homepage:	https://github.com/intel/cve-bin-tool
Closes bugs:	#1034575

Changelog

 cve-bin-tool (3.4-1) unstable; urgency=medium
 .
   * Initial release (Closes: #1034575)
   * Imported upstream version 3.4
   * Built for internal use and preparation for Debian contribution
   * No changes to upstream code; OSV data source is disabled via configuration
     (requires gsutil which is not shipped in Debian)
   * Backported upstream fix from cve-bin-tool commit e21e691
     (https://github.com/ossf/cve-bin-tool/commit/e21e691d5b7f579c7e2f3e534ac8cfb4fea6b97f)
     - Changed metric IDs in cvedb to constants
     - Original author: weichslgartner
     - This patch is applied to 3.4, upstream fix was in 3.4.1rc

QA information

–
Package uses debhelper-compat

Debhelper compatibility level 13
–
Watch file is not present
–
Package is not native

Format: 3.0 (quilt)
–
"Maintainer" email is the same as the uploader
–
Package has lintian errors
cve-bin-tool source
- E source-is-missing
  - [cve_bin_tool/output_engine/html_reports/Example/example.html]
  - [cve_bin_tool/output_engine/html_reports/js/bootstrap.js]
  - [cve_bin_tool/output_engine/html_reports/js/plotly.js]
  - [test/sample_report/html_report.html]
- W source-contains-prebuilt-windows-binary
  - [test/assets/test-curl-7.34.0.out]
  - [test/assets/test-kerberos-5-1.15.1.out]
- I debian-watch-file-is-missing
- I override_dh_auto_test-does-not-check-DEB_BUILD_OPTIONS
  - [debian/rules:12]
- I quilt-patch-missing-description
  - [debian/patches/disable-osv-by-default.patch]
  - [debian/patches/fix-cvedb.patch]
  - [debian/patches/hide-osv-help.patch]
  - [debian/patches/hide-osv-text-logger-1.patch]
- P source-contains-prebuilt-javascript-object
  - [cve_bin_tool/output_engine/html_reports/js/bootstrap.js]
  - [cve_bin_tool/output_engine/html_reports/js/plotly.js]
- X upstream-metadata-file-is-missing
- X very-long-line-length-in-source-file
  - 1090 > 512 [fuzz/generated/cyclonedx_pb2.py:15]
  - 1535 > 512 [test/sbom/spdx_test.spdx.rdf:3549]
  - 17439 > 512 [test/condensed-downloads/gnome-shell-41.2-1.fc35.x86_64.rpm:7]
  - 194423 > 512 [cve_bin_tool/output_engine/html_reports/css/bootstrap.css:6]
  - 2735 > 512 [fuzz/generated/composer_lock_pb2.py:16]
  - 2870 > 512 [test/condensed-downloads/dovecot-core_2.3.13+dfsg1-1ubuntu1_amd64.deb:10698]
  - 3597878 > 512 [cve_bin_tool/output_engine/html_reports/js/plotly.js:8]
  - 3597888 > 512 [cve_bin_tool/output_engine/html_reports/Example/example.html:18]
  - 542 > 512 [fuzz/generated/intermediate_report_pb2.py:17]
  - 55202 > 512 [test/condensed-downloads/dovecot-2.3.14-1.fc34.i686.rpm:343]
  - 566 > 512 [CONTRIBUTING.md:359]
  - 577 > 512 [fuzz/generated/package_resolved_pb2.py:13]
  - 588 > 512 [doc/triaging_process.md:256]
  - 599 > 512 [cve_bin_tool/checkers/README.md:74]
  - 60299 > 512 [cve_bin_tool/output_engine/html_reports/js/bootstrap.js:6]
  - 604 > 512 [test/assets/test.ipk:3]
  - 621 > 512 [fuzz/generated/pkg_info_pb2.py:16]
  - 62301 > 512 [test/assets/test.apk:2075]
  - 628 > 512 [fuzz/generated/pubspec_lock_pb2.py:21]
  - 699 > 512 [fuzz/generated/cargo_lock_pb2.py:17]
  - 706 > 512 [fuzz/generated/cpanfile_pb2.py:16]
  - 711 > 512 [test/sbom/spdx_test.spdx:244]
  - 737 > 512 [README.md:13]
  - 765 > 512 [fuzz/generated/go_mod_pb2.py:16]
  - 7883 > 512 [test/assets/test-curl-7.34.0.out:95]
  - 792 > 512 [fuzz/generated/renv_lock_pb2.py:16]
  - 8192 > 512 [test/sample_report/html_report.html:259]
  - 843 > 512 [doc/MANUAL.md:570]
  - 856 > 512 [fuzz/generated/package_lock_pb2.py:15]
  - 8903 > 512 [test/assets/test-kerberos-5-1.15.1.out:79]
  - 896 > 512 [fuzz/generated/gemfile_lock_pb2.py:16]
  - 927 > 512 [fuzz/generated/cve_data_pb2.py:15]
  - 935 > 512 [fuzz/generated/pom_xml_pb2.py:20]
  - 967 > 512 [cve_bin_tool/schemas/pom.xsd:1113]
–
Package closes ITP bug
- cve-bin-tool:
  - #1034575 (Wishlist, ITP): ITP: cve-bin-tool -- The CVE Binary Tool is a free, open source tool to help you find known vulnerabilities in software, using data from the National Vulnerability Database (NVD) list of Common Vulnerabilities and Exposures (CVEs).
–
No VCS field present
–
Package is not in Debian
–
d/copyright is in DEP5 format

Upstream Contact: Terri Oda <terri.oda@intel.com>

Licenses: GPL-3+

Comments

No comments

Upstream Contact:	Terri Oda <terri.oda@intel.com>
Licenses:	GPL-3+