[kotakanbe]

Thanks :)

> * Don't use root where you don't need to - can you parse package lists / vulnerability databases as a normal user?

Yes, Vuls can scan without root on FreeBSD and Amazon Linux. If you know how to scan without root on CentOS, Debian, RHEL, Ubuntu, please let me know. I also do'nt want to use root.

> * Would the design be better inverted? Systems push their list of installed packages / versions to your application to be checked.

Not so easy. The package version, release name is not semantic versioning format.This is a output of show package versions command on Ubuntu.

  locales            2.13+git20120306-21  
  login              1:4.1.5.1-1.1ubuntu7  
  lsb-base           9.20160110
  make               4.1-6
  mawk               1.3.3-17ubuntu2
  mime-support       3.59ubuntu1
  multiarch-support  2.21-0ubuntu5

Impossible!!

[voltagex_]

But how is the command you mention getting that information? Couldn't you parse the package database in the same way?

[kotakanbe]

Vuls parse the changelog of upgradable packages on Ubuntu, Debian, CentOS.

For details, see the flow chart in Scanning Flow section. https://github.com/future-architect/vuls#scanning-flow