Matching live CVEs to your actual apt packages in ~800 lines of Python

DEV Community·Aiden Bolin·19 days ago
#linux#security#devops#cves#fixed#matcher

41,000+ CVEs are indexed in the NVD right now. The vast majority do not affect you. The interesting engineering question is: which ones do, and what is the exact one-liner to fix them? I spent a weekend building the matcher. Here is the shape of the problem and the shape of the solution.

The matching problem

A CVE record from one of the upstream feeds (Ubuntu USN, Debian Security Tracker, Alpine secdb, OSV.dev for the RHEL family, NVD as a fallback) looks roughly like:

```json
{
  "id": "USN-7100-1",
  "summary": "OpenSSH client vulnerability",
  "cves": ["CVE-2026-35414", "CVE-2026-35387"],
  "releases": {
    "noble": {
      "binaries": {
        "openssh-client": "1:9.6p1-3ubuntu13.5"
      }
    }
  },
  "published": "2026-05-09T00:00:00Z"
}
```

Your server, meanwhile, has a snapshot like:

```console
$ dpkg-query -W -f='${Package}=${Version}\n' | head -3
openssh-client=1:9.6p1-3ubuntu13.4
openssh-server=1:9.6p1-3ubuntu13.4
```

…
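The core of the match step described above, as an added example that is not the article's own code: it ports dpkg's version comparison to Python (epoch, upstream and revision, with `~` sorting before everything, the rule that makes `1.0~rc1` older than `1.0`), parses the dpkg-query snapshot, and reports each installed binary that is older than the advisory's fixed version for the host's release. The advisory and snapshot are the ones quoted above; the function names and the `apt-get --only-upgrade` remediation string are my choices, not the post's.

```python
import re
from itertools import zip_longest
_RUNS = re.compile(r"(\D*)(\d*)")  # alternating non-digit / digit runs, as dpkg walks them

def _order(c):
    # dpkg weighting: '~' < end of run (0) < letters < other non-digits.
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): non-digit runs char by char, digit runs numerically.
    for (na, da), (nb, db) in zip_longest(_RUNS.findall(a), _RUNS.findall(b), fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            c = (_order(ca) if ca else 0) - (_order(cb) if cb else 0)
            if c:
                return c
        c = int(da or 0) - int(db or 0)
        if c:
            return c
    return 0

def compare_versions(a, b):
    # Debian version = [epoch:]upstream[-revision]; negative means a is older than b.
    def split(v):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        up, sep, rev = rest.rpartition("-")
        return int(epoch), (up if sep else rest), (rev if sep else "")
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def parse_snapshot(text):
    # Parses the output of: dpkg-query -W -f='${Package}=${Version}\n'
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def match_advisory(advisory, release, installed):
    # One finding per installed binary that is older than the feed's fixed version.
    binaries = advisory.get("releases", {}).get(release, {}).get("binaries", {})
    return [{"package": p, "installed": installed[p], "fixed": f, "cves": advisory["cves"],
             "fix": f"sudo apt-get install --only-upgrade {p}={f}"}
            for p, f in binaries.items()
            if p in installed and compare_versions(installed[p], f) < 0]

# Sample input taken from the article's USN-7100-1 record and dpkg-query snapshot.
ADVISORY = {"id": "USN-7100-1", "cves": ["CVE-2026-35414", "CVE-2026-35387"],
            "releases": {"noble": {"binaries": {"openssh-client": "1:9.6p1-3ubuntu13.5"}}}}
SNAPSHOT = "openssh-client=1:9.6p1-3ubuntu13.4\nopenssh-server=1:9.6p1-3ubuntu13.4\n"

if __name__ == "__main__":
    print(*match_advisory(ADVISORY, "noble", parse_snapshot(SNAPSHOT)), sep="\n")
```

Only openssh-client is reported: openssh-server is installed at the same version but the record lists no fixed version for it, and a host on a release the record does not cover gets no finding at all.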
