Hacker News new | ask | show | jobs
by jsulinski 3382 days ago
That's correct, vuls queries the package manager for installed packages, versions, and changelogs. It then compares the CVEs found in the changelogs to NVD.

There are certainly flaws in this approach; it's one of the reasons we intend to support multiple scanners. We started with vuls because clair wasn't released yet and we wanted to support more than containers.
1 comments
wyldfire 3381 days ago
Are there any dynamic scanners that are designed like Vuls or Clair (I'm assuming they're both static)?
link
jsulinski 3380 days ago
I don't fully understand the question.

clair does static analysis

vuls uses a package manager and changelogs

link
wyldfire 3379 days ago
Are there (any) dynamic analysis options available that would give a report similar in scope to clair or vuls?
link