I wonder if they're using OpenSCAP for this. It's an XML document that (at least) Red Hat and Microsoft publish which contains the lists of known good hashes for every file we publish, and also a set of rules for common vulnerabilities (things like "if a directory is publicly writable, flag an error" -- but lots of them, and more complex). Also CVE data is published in a machine-readable format.

Here's the data that Red Hat publishes:

https://www.redhat.com/security/data/oval/

I'll pimp my own experiments scanning offline guests using SCAP:

https://rwmj.wordpress.com/2013/05/16/scanning-offline-guests-using-openscap-and-guestmount/#content
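As an added illustration (not code from the comment above, and not OpenSCAP's own OVAL schema), here is a tiny evaluator for the two kinds of check the comment describes: a "directory must not be world-writable" rule and a "file must match its known-good hash" rule, applied to a scanned root so the same rules work against an offline guest mount. The rule XML format and the sample filesystem are constructed for the example.

```python
"""Toy SCAP-style scan: permission rules plus known-good file hashes."""
import hashlib
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed rule document (NOT the real OVAL schema). Paths are relative
# to the scanned root, so a mounted guest image can be scanned in place.
RULES_TEMPLATE = """<rules>
  <rule id="dir-not-world-writable" path="tmp/app" kind="dir_not_world_writable"/>
  <rule id="known-good-hash" path="etc/app.conf" kind="sha256_equals" expected="{expected}"/>
</rules>"""


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def evaluate(rules_xml, root):
    """Return {rule_id: (passed, detail)} for every rule, resolved under root."""
    results = {}
    for rule in ET.fromstring(rules_xml).iter("rule"):
        rid, kind = rule.get("id"), rule.get("kind")
        target = os.path.join(root, rule.get("path"))
        if not os.path.exists(target):
            results[rid] = (False, "missing: " + target)
        elif kind == "dir_not_world_writable":
            mode = os.stat(target).st_mode
            results[rid] = (not mode & stat.S_IWOTH, oct(stat.S_IMODE(mode)))
        elif kind == "sha256_equals":
            actual = sha256_of(target)
            results[rid] = (actual == rule.get("expected"), actual)
        else:
            results[rid] = (False, "unknown rule kind: " + str(kind))
    return results


def demo(tamper=True):
    """Build a throwaway 'guest' tree, optionally drift it, then scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "tmp/app"), mode=0o755)
    conf = os.path.join(root, "etc/app.conf")
    with open(conf, "wb") as f:
        f.write(b"debug=false\n")
    rules = RULES_TEMPLATE.format(expected=sha256_of(conf))  # "vendor" hash
    if tamper:  # simulate drift: world-writable dir and an edited config
        os.chmod(os.path.join(root, "tmp/app"), 0o777)
        with open(conf, "ab") as f:
            f.write(b"debug=true\n")
    return evaluate(rules, root)
```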