A low-level, security-focused tool to enumerate system libraries via pkg-config and correlate them with public vulnerabilities (CVE) from the NVD.
Designed for developers, AppSec engineers, and systems programmers who want visibility into native dependencies.
Master Librarian inspects local C/C++ libraries using pkg-config, extracts metadata, and queries the NVD API to identify known vulnerabilities.
It provides:
- system-wide library discovery
- CVE correlation via NVD
- hardened Rust implementation (no unsafe, input validation)
- parallel NVD queries with configurable thread pool
- improved false-positive reduction in CVE matching
- rate-limited requests for cleaner API usage
- JSON export for machine-readable processing
- colored severity output (terminal)
- structured CSV export
- Uses `pkg-config` to enumerate installed libraries
- Extracts:
  - versions
  - linked libs
  - include paths
- Deduplicates aliases and overlaps
- Queries the NVD (National Vulnerability Database)
- Matches packages using normalized lookup terms
- Deduplicates CVEs across multiple aliases
| Severity | Color |
|---|---|
| LOW | Yellow |
| MEDIUM | Orange |
| HIGH | Red |
| CRITICAL | Blinking Red |
- RFC-compliant CSV (via the `csv` crate)
- Safe escaping
- Includes:
  - package metadata
  - CVE ID
  - severity
  - description
Master Librarian uses a parallel request model to improve scanning speed while still allowing conservative request pacing.
- Parallel queries:
  - powered by Rayon
  - configurable with `--threads`
  - useful when scanning many local libraries
- Rate limiting:
  - configurable with `--rate-limit-ms`
  - helps avoid aggressive request bursts
  - useful for more stable NVD querying behavior
This design allows the tool to be both:
- fast on larger systems
- controlled in environments where request pacing matters
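Added example (not the project's own code) of the parallel-with-pacing model described above and of the CVE deduplication across aliases: `std::thread::scope` stands in for Rayon, a shared `Pacer` enforces the `--rate-limit-ms` spacing between request starts, and hits found through several aliases of one package (e.g. `ssl` and `crypto`) are merged into one set. The `Pacer`, `correlate` and `fake_nvd_lookup` names and the stand-in lookup data are assumptions; the `CVE-EXAMPLE-*` ids are placeholders.

```rust
use std::{collections::{BTreeMap, BTreeSet}, sync::Mutex, thread, time::{Duration, Instant}};

#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Cve { pub id: String, pub severity: String }

/// Shared pacer (--rate-limit-ms): a request may start only once `interval` has elapsed since the
/// previous start; the lock is held while sleeping so request starts are serialized on purpose.
pub struct Pacer { last: Mutex<Option<Instant>>, interval: Duration }

impl Pacer {
    pub fn new(rate_limit_ms: u64) -> Self {
        Pacer { last: Mutex::new(None), interval: Duration::from_millis(rate_limit_ms) }
    }
    pub fn wait(&self) {
        let mut last = self.last.lock().unwrap();
        if let Some(t) = *last {
            if let Some(left) = self.interval.checked_sub(t.elapsed()) { thread::sleep(left) }
        }
        *last = Some(Instant::now());
    }
}

/// Query every alias of every package on `threads` workers (std::thread::scope stands in for Rayon),
/// then merge hits per package so a CVE seen through both "ssl" and "crypto" is reported once.
pub fn correlate(pkgs: &[(&str, &[&str])], threads: usize, rate_limit_ms: u64,
                 lookup: fn(&str) -> Vec<Cve>) -> BTreeMap<String, BTreeSet<Cve>> {
    let jobs: Vec<(String, String)> = pkgs.iter()
        .flat_map(|(p, al)| al.iter().map(move |a| (p.to_string(), a.to_string()))).collect();
    let per_worker = ((jobs.len() + threads.max(1) - 1) / threads.max(1)).max(1);
    let (pacer, out) = (Pacer::new(rate_limit_ms), Mutex::new(BTreeMap::<String, BTreeSet<Cve>>::new()));
    thread::scope(|s| {
        let (pacer, out) = (&pacer, &out); // workers share the pacer and the result map
        for part in jobs.chunks(per_worker) {
            s.spawn(move || for (pkg, alias) in part {
                pacer.wait();
                out.lock().unwrap().entry(pkg.clone()).or_default().extend(lookup(alias));
            });
        }
    });
    out.into_inner().unwrap()
}

/// Constructed stand-in for the NVD client (the real tool queries the NVD API); hits keyed by term.
pub fn fake_nvd_lookup(term: &str) -> Vec<Cve> {
    let c = |id: &str, s: &str| Cve { id: id.into(), severity: s.into() };
    match term {
        "ssl" => vec![c("CVE-2015-3455", "LOW"), c("CVE-EXAMPLE-0001", "HIGH")],
        "crypto" => vec![c("CVE-2015-3455", "LOW"), c("CVE-EXAMPLE-0002", "MEDIUM")],
        _ => vec![],
    }
}
```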
- strict input validation (pkg names)
- no shell injection
- no unsafe Rust
- bounded network timeouts
- deduplication to avoid noisy results
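Added illustration, not the project's own code, of the enumeration steps and of the input-validation and no-shell-injection properties listed above: package names are validated before use, the `pkg-config` invocation is built as plain argv through `std::process::Command` (never a shell), `--list-all` and `--libs --cflags` output is parsed, and a normalized lookup term is derived. The function names and the sample `--list-all` output are assumptions constructed here.

```rust
use std::process::Command;

/// Strict package-name check applied before any name reaches pkg-config: ASCII letters/digits
/// plus . _ - +, bounded length, never starting with '-' (a name must not become an option).
pub fn is_valid_pkg_name(name: &str) -> bool {
    !name.is_empty() && name.len() <= 128 && !name.starts_with('-')
        && name.chars().all(|c| c.is_ascii_alphanumeric() || matches!(c, '.' | '_' | '-' | '+'))
}

/// Build the invocation as argv via std::process::Command (no shell), refusing bad names.
pub fn pkg_config_cmd(pkg: &str, flags: &[&str]) -> Option<Command> {
    if !is_valid_pkg_name(pkg) { return None; }
    let mut cmd = Command::new("pkg-config");
    cmd.args(flags).arg(pkg);
    Some(cmd)
}

/// Package names from `pkg-config --list-all` ("name  description" per line); invalid names dropped.
pub fn parse_list_all(out: &str) -> Vec<String> {
    out.lines().filter_map(|l| l.split_whitespace().next())
        .filter(|n| is_valid_pkg_name(n)).map(String::from).collect()
}

/// Linked libraries (-l) and include paths (-I) from `pkg-config --libs --cflags`, de-duplicated.
#[derive(Debug, Default, PartialEq)]
pub struct LinkInfo { pub libs: Vec<String>, pub includes: Vec<String> }
pub fn parse_flags(out: &str) -> LinkInfo {
    let mut info = LinkInfo::default();
    for tok in out.split_whitespace() {
        if let Some(l) = tok.strip_prefix("-l") { push_unique(&mut info.libs, l) }
        else if let Some(i) = tok.strip_prefix("-I") { push_unique(&mut info.includes, i) }
    }
    info
}
fn push_unique(v: &mut Vec<String>, s: &str) {
    if !s.is_empty() && !v.iter().any(|x| x == s) { v.push(s.to_string()) }
}

/// Normalized NVD lookup term: lowercase, leading "lib" and trailing version suffix removed.
pub fn lookup_term(pkg: &str) -> String {
    let lower = pkg.to_ascii_lowercase();
    lower.strip_prefix("lib").unwrap_or(&lower)
        .trim_end_matches(|c: char| c.is_ascii_digit() || c == '.' || c == '-').to_string()
}

/// Constructed sample of `pkg-config --list-all` output (not captured from a real system).
pub const LIST_ALL_SAMPLE: &str = "libssl    OpenSSL-libssl - Secure Sockets Layer\n\
libcrypto OpenSSL-libcrypto - OpenSSL cryptography library\n\
zlib      zlib - zlib compression library\n\
-Wl,-rpath  not a package name, dropped by validation\n";
```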
```bash
git clone https://github.com/Orangewarrior/master_librarian_rust
cd master_librarian_rust
cargo build --release
```

Usage examples:

```bash
./target/release/master_librarian_rust --type txt --limit 10
./target/release/master_librarian_rust --type txt --limit 10 --threads 8 --rate-limit-ms 250
./target/release/master_librarian_rust --type json --limit 10 --threads 8 --rate-limit-ms 250 --json-output report.json
./target/release/master_librarian_rust --type csv --limit 10 --threads 8 --rate-limit-ms 250 --csv-output report.csv
```

Example text output:

```text
Master Librarian v0.4
Tool to search public vulnerabilities on local libraries
by Orangewarrior
Output mode: text
Limit per package: 10
Worker threads: 8
Rate limit: 250 ms

systemd 249 (version 249)
CVE: CVE-2026-29111
URL: https://nvd.nist.gov/vuln/detail/CVE-2026-29111
Date: 2026-03-23T22:16:26.267
Description: systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.
Severity V2: NULL
Severity V3: MEDIUM

ssl 3.5.4 (version 3.5.4) [libs: ssl, crypto]
CVE: CVE-2015-3455
URL: https://nvd.nist.gov/vuln/detail/CVE-2015-3455
Date: 2015-05-18
Description: ...
Severity V2: LOW
Severity V3: NULL
```
- Factory Pattern
  - CLI parsing
  - Output formatter
- Builder Pattern
  - application assembly
- Modules:
  - `pkgconfig`: system discovery
  - `nvd`: API client
  - `formatter`: output layer
  - `models`: domain types
  - `app`: orchestration
This tool was built to:
- understand native dependency exposure
- explore low-level system introspection
- bridge Dev + AppSec workflows
It is especially useful for:
- Linux environments
- C/C++ heavy systems
- auditing legacy stacks
Tools such as Trivy, Grype, and similar scanners operate using a fundamentally different model.
These tools typically:
- analyze:
- containers
- filesystems
- SBOMs
- package manager databases (apt, rpm, npm, etc.)
- rely on:
- pre-built vulnerability databases
- package metadata (not runtime resolution)
They do NOT inspect native libraries via pkg-config.
This tool takes a different path:
- uses `pkg-config` to enumerate real, installed native libraries
- extracts:
  - actual linked libraries (`-l`)
  - include paths
  - resolved versions
- queries the NVD API in real time
- correlates vulnerabilities directly with:
  - system-level C/C++ dependencies
Many environments rely heavily on:
- system libraries
- manually compiled dependencies
- non-package-managed software
In these cases:
- traditional scanners may miss exposure
- dependencies resolved at runtime may not appear in SBOMs
| Feature | Master Librarian | Trivy / Grype |
|---|---|---|
| pkg-config integration | yes | no |
| native C/C++ libs discovery | yes | no |
| SBOM-based scanning | no | yes |
| container scanning | no | yes |
| runtime system introspection | yes | no |
Master Librarian is best understood as a native library introspection tool with vulnerability correlation, rather than a traditional vulnerability scanner.
- depends on `pkg-config`
- relies on keyword matching (not perfect)
- package naming in native ecosystems is often inconsistent
- internet access is required for live NVD queries
- parallel requests should be tuned carefully with `--threads` and `--rate-limit-ms`
Orangewarrior
- local CVE cache
- severity filtering
- parallel queries
- SBOM export (CycloneDX / SPDX)
- integration with container scanning