DEV.co
Open-Source Security · ossf

cve-bin-tool

CVE Binary Tool is an open-source Python utility for scanning software binaries and bill-of-materials (SBOM) files against known vulnerabilities from NVD, Red Hat, OSV, and other sources. It can auto-detect components in binaries, generate SBOMs, and produce reports in multiple formats for CI/CD integration.

Source: GitHub — github.com/ossf/cve-bin-tool
1.7k
GitHub stars
636
Forks
Python
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryossf/cve-bin-tool
Ownerossf
Primary languagePython
LicenseGPL-3.0 — OSI-approved
Stars1.7k
Forks636
Open issues209
Latest releasev3.4 (2024-09-17)
Last updated2026-07-08
Sourcehttps://github.com/ossf/cve-bin-tool

What cve-bin-tool is

The tool operates in two modes: binary scanning (448 checkers for components like OpenSSL, libpng, libxml2) and component-list scanning (SBOM/CSV/package lists). It downloads CVE data daily from multiple sources, matches discovered or provided components against vulnerability databases, and generates reports with optional triage and VEX output. Built in Python with CLI interface; supports offline operation.

Quickstart

Get the cve-bin-tool source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/ossf/cve-bin-tool.gitcd cve-bin-tool# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Supply chain vulnerability discovery in CI/CD

Integrate into build pipelines to automatically scan dependencies and binaries on each commit, providing early warning of known vulnerabilities before deployment.

SBOM-driven compliance scanning

Scan existing SBOMs (SPDX, CycloneDX, SWID) for vulnerabilities without re-analysis; useful for validating third-party software or auditing organizational inventory.

Automated component detection and vulnerability tracking

Generate SBOMs from builds and track vulnerability status over time using triage features; maintains historical context for security posture analysis.

Implementation considerations

  • GPL-3.0 license requires open-source release of modifications; assess internal policy before integrating into proprietary tools or workflows.
  • First run downloads large CVE datasets (time-dependent on network); plan initial setup and consider caching data for CI/CD performance.
  • Binary scanning accuracy depends on component signature availability (448 checkers); may miss obscure or heavily patched binaries.
  • Requires system libraries for file extraction (Linux/Windows); additional dependencies beyond pip may be needed.
  • NVD API reliability issues mentioned in docs; tool uses cveb.in mirror by default, but custom NVD_API_KEY support available.

When to avoid it — and what to weigh

  • Real-time vulnerability alerting required — Tool downloads CVE data once per day by default; not designed for immediate zero-day response or minute-level alert subscriptions.
  • Closed-source or proprietary component analysis — Binary checkers target common open-source components; does not provide generic binary reverse engineering or proprietary software vulnerability assessment.
  • GPL-3.0 license incompatible with your codebase — Tool is licensed under GPL-3.0, which requires derivative works to be open source; not suitable for closed-source applications that link or embed it.
  • Offline-only environments without pre-cached data — Initial run requires downloading vulnerability data from online sources; subsequent runs can operate offline, but first-time setup needs internet access.

License & commercial use

GNU General Public License v3.0 (GPL-3.0). This is a strong copyleft license: any modifications or derivative works must be released under GPL-3.0 and made available as source code. Permits commercial use and internal modification, but does not permit closed-source distribution of modified versions.

Tool itself is free and open source. Commercial use is permitted (scanning proprietary software for internal security assessment). However, if you modify the tool and distribute those modifications (including as part of a commercial product), you must release them as open source under GPL-3.0. Deployment in commercial SaaS, closed-source security products, or proprietary CI/CD platforms requires legal review. Redistribution must include source code.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Tool itself is designed for vulnerability scanning; not a cryptographic library or network service. No claims about tool hardening can be verified from provided data. OpenSSF Scorecard badge suggests security review. Relies on external CVE data sources (NVD, Red Hat, OSV, etc.); accuracy depends on upstream data freshness and correctness. No details on how tool validates or sanitizes malformed binaries or SBOM inputs provided. GPL-3.0 license allows community audit but requires source review for production use.

Alternatives to consider

Trivy (Aqua Security)

Purpose-built container and artifact scanner; integrates deeper with container registries and CI/CD pipelines; Apache-2.0 licensed (permissive). Wider adoption in DevOps environments.

OWASP Dependency-Check

Focuses on dependency scanning (Maven, npm, etc.) rather than binary analysis; large community; Apache-2.0 licensed. Lighter weight for language-specific projects.

Snyk CLI

Commercial platform with free tier; integrated vulnerability intelligence and remediation guidance; primary focus on dependencies and container images; closed-source SaaS backend.

Software development agency

Build on cve-bin-tool with DEV.co software developers

Install CVE Binary Tool via pip to start scanning your binaries and SBOMs for known vulnerabilities. Integrate into CI/CD for continuous security posture visibility.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

cve-bin-tool FAQ

Can I use this in a commercial product if I don't modify it?
Yes. You may use the unmodified tool to scan your software for vulnerabilities internally or as part of a commercial service. If you modify the tool or bundle it with proprietary code, license review is required.
How does binary scanning work? Will it find vulnerabilities in my custom binaries?
It uses 448 checkers that look for signatures of known open-source components (OpenSSL, libpng, libxml2, etc.). It does not reverse-engineer or analyze custom code; it matches binary signatures against a known-component database.
Does it require internet access?
First run downloads CVE data; subsequent scans can run offline. By default, data refreshes once per day. Pre-download data for air-gapped environments.
What SBOM formats are supported?
Input: SPDX, CycloneDX, SWID. Output (generation): SPDX and CycloneDX. Does not include license information in generated SBOMs.

Software developers & web developers for hire

Need help beyond evaluating cve-bin-tool? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Secure Your Supply Chain with Automated Vulnerability Scanning

Install CVE Binary Tool via pip to start scanning your binaries and SBOMs for known vulnerabilities. Integrate into CI/CD for continuous security posture visibility.