CISOfy · Pandapip1 · Jan 26, 2026
diff --git a/include/binaries b/include/binaries
@@ -308,6 +308,7 @@
                             veritysetup)            VERITYSETUPBINARY="${BINARY}";     LogText "  Found known binary: veritysetup (dm-verity setup tool) - ${BINARY}" ;;
                             vgdisplay)              VGDISPLAYBINARY="${BINARY}";       LogText "  Found known binary: vgdisplay (LVM tool) - ${BINARY}" ;;
                             vmtoolsd)               VMWARETOOLSDBINARY="${BINARY}";    LogText "  Found known binary: vmtoolsd (VMWare tools) - ${BINARY}" ;;
+                            vulnix)                 VULNIXBINARY="${BINARY}";          LogText "  Found known binary: vulnix (package audit tool) - ${BINARY}" ;;
                             wc)                     WCBINARY="${BINARY}";              LogText "  Found known binary: wc (word count) - ${BINARY}" ;;
                             wget)                   WGETBINARY="${BINARY}";            WGETVERSION=$(${BINARY} -V 2> /dev/null | grep "^GNU Wget" | awk '{ print $3 }'); LogText "Found ${BINARY} (version ${WGETVERSION})" ;;
                             yum)                    YUMBINARY="${BINARY}";             LogText "  Found known binary: yum (package manager) - ${BINARY}" ;;

diff --git a/include/consts b/include/consts
@@ -346,6 +346,7 @@ ETC_PATHS="/etc /usr/local/etc"
     VGDISPLAYBINARY=""
     VMTYPE=""
     VULNERABLE_PACKAGES_FOUND=0
+    VULNIXBINARY=""
     WCBINARY=""
     XARGSBINARY=""
     XBPSBINARY=""

diff --git a/include/tests_ports_packages b/include/tests_ports_packages
@@ -414,6 +414,35 @@ EOF
     fi
 #
 #################################################################################
+#
+    # Test        : PKGS-7329
+    # Description : Check vulnerable packages with vulnix
+    if [ -n "${VULNIXBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    Register --test-no PKGS-7329 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying vulnix for vulnerable packages"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        PACKAGE_AUDIT_TOOL_FOUND=1
+        PACKAGE_AUDIT_TOOL="vulnix"
+        FIND=$(${VULNIXBINARY} --system)
+        if [ $? -eq 0 ]; then
+            LogText "Result: No vulnerabilities found with vulnix"
+            Display --indent 2 --text "- Using vulnix to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
+        else
+            Display --indent 2 --text "- Using vulnix to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
+            LogText "Result: Vulnix found one or more installed packages which are vulnerable."
+            ReportWarning "${TEST_NO}" "Found one or more vulnerable packages installed"
+            LogText "List of vulnerable packages/version:"
+            FIND=$(echo "$FIND" | ${SEDBINARY} -n '/^[-]\{5,\}$/ { n; s/-[0-9].*$//; p }' | ${UNIQBINARY})
+            for PKG in ${FIND}; do
+                VULNERABLE_PACKAGES_FOUND=1
+                Report "vulnerable_package[]=${PKG}"
+                LogText "Vulnerable package: ${PKG}"
+                # Decrease hardening points for every found vulnerable package
+                AddHP 1 2
+            done
+        fi
+    fi
+#
+#################################################################################
 #
     # Test        : PKGS-7330
     # Description : Check vulnerable packages with Zypper