debsecan is a command-line tool that scans a Debian-based Linux system for known vulnerabilities. It checks the installed packages against a database of known vulnerabilities and reports any that are found. The vulnerabilities are identified by their Common Vulnerabilities and Exposures (CVE) identifiers.
The output of debsecan helps the user decide whether to update or patch the affected packages.
debsecan Command Examples
1. List vulnerable installed packages on the current host:
# debsecan
2. List vulnerable installed packages of a specific suite:
# debsecan --suite release_code_name
3. List only fixed vulnerabilities:
# debsecan --suite release_code_name --only-fixed
4. List only fixed vulnerabilities of unstable (“sid”) and mail to root:
# debsecan --suite sid --only-fixed --format report --mailto root --update-history
5. Upgrade vulnerable installed packages:
# sudo apt upgrade $(debsecan --only-fixed --format packages)
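The following is an added example, not part of the original page or of debsecan itself: a POSIX shell helper that groups debsecan's summary output per package to support the update-or-not decision described above. It assumes the default output lines look like `ID package (notes)`; the function names `sample_report`, `triage` and `urgent_packages` are hypothetical, and the sample lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: per-package triage of debsecan's default (summary) output.
# Assumed line format: "<id> <package> (<comma-separated notes>)"; the
# parenthesised notes may be absent.

# Constructed sample lines: placeholder IDs and package names, not real findings.
sample_report() {
cat <<'EOF'
CVE-0000-0001 examplepkg-a (fixed, remotely exploitable, high urgency)
CVE-0000-0002 examplepkg-a (remotely exploitable, medium urgency)
CVE-0000-0003 examplepkg-b (fixed, low urgency)
CVE-0000-0004 examplepkg-c (remotely exploitable, high urgency)
TEMP-0000000-AAAAAA examplepkg-c
CVE-0000-0005 examplepkg-d (fixed, remotely exploitable, medium urgency)
EOF
}

# triage (hypothetical helper): reads summary lines on stdin and prints
# "package total fixed fixed_and_remote", most pressing packages first.
triage() {
  awk '
    NF >= 2 {
      pkg = $2
      notes = ""
      # Take the trailing "(...)" as the notes field, if present.
      if (match($0, /\(.*\)$/)) notes = substr($0, RSTART + 1, RLENGTH - 2)
      has_fix = (notes ~ /(^|, )fixed(,|$)/)
      remote  = (notes ~ /remotely exploitable/)
      total[pkg]++
      if (has_fix) fixed[pkg]++
      if (has_fix && remote) urgent[pkg]++
    }
    END {
      for (p in total)
        printf "%s %d %d %d\n", p, total[p], fixed[p], urgent[p]
    }' | LC_ALL=C sort -k4,4nr -k1,1
}

# urgent_packages (hypothetical helper): packages with at least one entry
# that is both remotely exploitable and has a fix available.
urgent_packages() {
  triage | awk '$4 > 0 { print $1 }'
}

# Stand-alone run on the constructed sample.
sample_report | triage
```

On a real host, pipe live data into it with `debsecan --suite release_code_name | triage`, replacing the placeholder suite name as in the examples above.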