This week, I implemented several new checkers for the tool. Since I have implemented some checkers before, this is not difficult. The best way to implement checkers is to look up the NVD database first, from their you could find the vendor name, library name, versions... Therefore, the rest of the process is to look into the archive (released packages) and come up with regex to match and guess the version.
When I was looking the source code of scan_file, I got a question: what would be the difference between "is" and "contains". Then I found that if the name of the file is "xxx package", then the value is "is", if the name is in some lines of the file, then the value would be "contains". But I'm still wondering why we need to distinguish between them.
Another question is that the scan process is inefficient, that's why we need multi-thread stuff.