Hi Bob and all!
I had an idea for a utility to make it easier to check a system is up-to-date with patches. I assumed that someone else must have had the idea already, but I couldn't find it on the web so I wrote the utility myself.
The vulnerability file should contain lines like
openssh VERSION=8.3.0p2 RELEASE=98
where the uppercase keywords correspond to rpm query tags.
I like the idea... Perhaps it would be useful to insert some more information into the vulnerability file, like "SEVERITY=x" [x=1..10] and "INFO='Remote Root Exploit'". If the vul-file were kept up-to-date, it would be easy to check the system every day via a cron entry. Does your program only complain about the specified rpm-version or about any version up to this one? Perhaps it would be better to split the field VERSION into FROM_VERSION and TO_VERSION to cover a range of vulnerable rpm-versions easily?!
--
Best regards,
Chr. Erpelding
ce-data Datentechnik
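The file format and the range fields discussed in this thread, as an added example that is not part of either message and is not the utility's own code. It assumes a single VERSION/RELEASE entry means "that build or anything older", uses a simplified rpm-style version comparison, and replaces the rpm query with a constructed table of installed packages.

```python
import re, shlex
from itertools import zip_longest

def rpmvercmp(a, b):
    """Simplified rpm-style compare (no '~'/'^' handling): returns -1, 0 or 1."""
    seg = lambda s: re.findall(r"\d+|[A-Za-z]+", s)
    for x, y in zip_longest(seg(a), seg(b)):
        if x is None or y is None:
            return -1 if x is None else 1      # extra trailing segment is newer
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # numeric segment beats alphabetic
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return 0

def parse_line(line):
    """'name KEY=value ...' -> (name, {KEY: value}); shlex keeps quoted INFO intact."""
    name, *fields = shlex.split(line)
    return name, dict(f.split("=", 1) for f in fields)

def is_vulnerable(entry, version, release):
    if "FROM_VERSION" in entry or "TO_VERSION" in entry:
        lo, hi = entry.get("FROM_VERSION"), entry.get("TO_VERSION")
        return ((lo is None or rpmvercmp(version, lo) >= 0) and
                (hi is None or rpmvercmp(version, hi) <= 0))
    # Assumed reading of a single VERSION/RELEASE: that build or anything older.
    c = rpmvercmp(version, entry["VERSION"])
    if c == 0 and "RELEASE" in entry:
        c = rpmvercmp(release, entry["RELEASE"])
    return c <= 0

def check(vuln_text, installed):
    findings = []
    for line in filter(str.strip, vuln_text.splitlines()):
        name, entry = parse_line(line)
        if name in installed and is_vulnerable(entry, *installed[name]):
            findings.append((name, entry.get("SEVERITY"), entry.get("INFO")))
    return findings

# Constructed sample data; "examplepkg" and "otherpkg" are made-up package names.
VULN_FILE = """\
openssh VERSION=8.3.0p2 RELEASE=98
examplepkg FROM_VERSION=1.2 TO_VERSION=1.4.9 SEVERITY=9 INFO='Remote Root Exploit'
otherpkg VERSION=2.0 RELEASE=1
"""
# Stand-in for: rpm -q --qf '%{VERSION} %{RELEASE}\n' <name>
INSTALLED = {"openssh": ("8.3.0p2", "97"), "examplepkg": ("1.10", "1"),
             "otherpkg": ("2.0", "3")}

if __name__ == "__main__":
    for name, severity, info in check(VULN_FILE, INSTALLED):
        print(name, severity, info)
```

Version 1.10 falls outside the 1.2 to 1.4.9 range because segments are compared numerically; a plain string comparison would get this wrong.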