Generic Version-Based Detection

The primary approach uses version detection to identify vulnerabilities: the installed version of a package is compared against the version ranges known to be affected. This method provides broad coverage, but it can produce false positives, because distributions frequently backport a security fix without changing the package's reported version number.

Ecosystem Filtering

To reduce false positives, ecosystem-specific filtering is implemented for:
  • Ubuntu systems
  • Rocky Linux/RedHat systems

This filtering leverages security notices from these distributions to accurately identify patched vulnerabilities, even when version numbers haven’t changed.
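The two stages described above, as an added example rather than the product's own code: a generic range match on the upstream version, followed by an ecosystem filter that consults per-release security-notice data. The vulnerability record, the package inventory and the notice data are constructed sample values, and the version comparison is a simplified stand-in for dpkg/rpm ordering.

```python
"""Version-based detection plus a distro security-notice filter (added example,
not the product's own code). Vulnerability ranges, the package inventory and the
distro notice data below are constructed sample values, not real advisories."""
import re

def _version_key(version: str):
    """Turn '1.1.1f-1ubuntu2.16' into comparable parts: numbers as ints, words as
    strings. Simplified: real dpkg/rpm comparison has more rules (epochs, '~')."""
    upstream, _, revision = version.partition("-")
    def chunks(s):
        return [(0, int(t)) if t.isdigit() else (1, t)
                for t in re.findall(r"\d+|[A-Za-z]+", s)]
    return (chunks(upstream), chunks(revision))

# Constructed record: upstream versions in [introduced, fixed) are affected.
VULNS = [{"id": "EXAMPLE-2024-0001", "package": "openssl",
          "introduced": "1.1.1", "fixed": "1.1.1h"}]

# Constructed security notices: per distro release, the distro package version
# that carries the backported fix while the upstream version stays 1.1.1f.
DISTRO_NOTICES = {"ubuntu": {"20.04": {"EXAMPLE-2024-0001":
                                       {"openssl": "1.1.1f-1ubuntu2.16"}}}}

def version_affected(installed: str, introduced: str, fixed: str) -> bool:
    """Generic check on the upstream part only; ignores the distro revision."""
    key = _version_key(installed.partition("-")[0])
    return _version_key(introduced) <= key < _version_key(fixed)

def distro_patched(distro, release, vuln_id, package, installed) -> bool:
    """Ecosystem filter: installed revision is at or past the notice's fixed one."""
    notice = DISTRO_NOTICES.get(distro, {}).get(release, {}).get(vuln_id, {})
    fixed = notice.get(package)
    return fixed is not None and _version_key(installed) >= _version_key(fixed)

def scan(inventory: dict, distro: str = None, release: str = None) -> list:
    """inventory maps package -> installed version. Returns (vuln_id, package,
    verdict) triples; verdict is 'vulnerable' or 'patched-by-distro'."""
    findings = []
    for v in VULNS:
        installed = inventory.get(v["package"])
        if installed is None or not version_affected(installed, v["introduced"], v["fixed"]):
            continue
        if distro and distro_patched(distro, release, v["id"], v["package"], installed):
            findings.append((v["id"], v["package"], "patched-by-distro"))
        else:
            findings.append((v["id"], v["package"], "vulnerable"))
    return findings

if __name__ == "__main__":
    host = {"openssl": "1.1.1f-1ubuntu2.16"}
    print(scan(host))                     # generic pass alone: verdict 'vulnerable'
    print(scan(host, "ubuntu", "20.04"))  # with the filter: 'patched-by-distro'
```

The same host is reported as vulnerable by the generic pass and as patched once the Ubuntu notice is consulted, which is exactly the false positive the filter exists to suppress; a host whose revision predates the notice's fixed version stays vulnerable.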

Rule-Based Detection

Rule-based detection uses specific patterns and signatures to identify vulnerabilities in code, providing more accurate results than version-based detection alone. This method analyzes the actual code implementation rather than relying solely on version numbers, so it can detect both known vulnerabilities and potential security weaknesses through pattern matching and semantic analysis. The rules are supplied and maintained by our system; customers cannot define rules of this type themselves.