yvc -- a software package vulnerability check

yvc compares the given package name against the list of known vulnerabilities and reports any security issues. For each vulnerable package, the output contains the name and version of the package, the type of vulnerability, and a URL for further information.
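The kind of comparison described above, as an added illustration that is not yvc's own code. It assumes the three-column layout (pattern, type, URL) of NetBSD's pkg-vulnerabilities file, since yvc's list format is not shown here; the entries, package names and URLs are constructed, and version comparison is simplified to dotted numbers.

```python
import re

# Constructed sample list: <pattern> <type> <url>, one entry per line.
VLIST = """\
# pattern            type                  url
libfoo<1.2.4         remote-code-execution https://example.org/advisories/1
barutil>=2.0<2.3.1   denial-of-service     https://example.org/advisories/2
bazd<0.9             privilege-escalation  https://example.org/advisories/3
"""

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def vkey(version):
    """Simplified version key: numeric dotted components only (assumption)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def parse_vlist(text):
    """Yield (name, [(op, version), ...], type, url) per non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, vtype, url = line.split()
        name = re.match(r"[^<>=]+", pattern).group(0)
        conds = re.findall(r"(<=|>=|<|>)([^<>=]+)", pattern)
        yield name, conds, vtype, url

def check(packages, vlist_text=VLIST):
    """Return (package, type, url) for every package matching a list entry."""
    entries = list(parse_vlist(vlist_text))
    findings = []
    for pkg in packages:
        # "libfoo-1.2.3" -> name "libfoo", version "1.2.3" (split on last hyphen)
        name, _, version = pkg.rpartition("-")
        for ename, conds, vtype, url in entries:
            if name == ename and all(
                    OPS[op](vkey(version), vkey(v)) for op, v in conds):
                findings.append((pkg, vtype, url))
    return findings

if __name__ == "__main__":
    for pkg, vtype, url in check(["libfoo-1.2.3", "barutil-2.3.1", "bazd-0.8.9"]):
        print(f"{pkg}: {vtype}, see {url}")
```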

yvc was conceptually based on NetBSD's audit-packages program and was written by Jan Schaumann in 2008 while working at Yahoo! Inc. Yahoo! open sourced the tool in the hope that it will be useful to other people. Unless otherwise noted, all files are released under the terms of a 3-clause BSD license as noted in the file LICENSE.

The 'y' in yvc can stand for a number of things. Make up your own.

The sources to yvc can be found at GitHub: http://github.com/jschauma/yvc.


Vulnerability lists

The following lists of known vulnerabilities are available:


Common usage

It is recommended that users of this package run fetch-vlist periodically from cron. It is also recommended to run the yvc command regularly from cron. An example crontab would look like this:

0 3 * * * /usr/local/bin/fetch-vlist
0 4 * * * rpm -qa | /usr/local/bin/yvc

Of course you can also invoke yvc manually. See the examples in the manual page for details.

Manual pages