diff --git a/plugins/system/debsecan b/plugins/system/debsecan
index 3fbb58cf..ae8e93e5 100755
--- a/plugins/system/debsecan
+++ b/plugins/system/debsecan
@@ -48,8 +48,8 @@ if [ ! -x /usr/bin/debsecan ]; then
 fi
 
 # Determine suite from filename...
-SUITE=`echo $0 | sed 's/.*_//'`
-if [ ${SUITE} = ${0} ]; then
+SUITE=$(echo "$0" | sed 's/.*_//')
+if [ "${SUITE}" = "${0}" ]; then
 	# ...or fall back onto configuration in environment
 	SUITE=${suite:-sid}
 fi
@@ -58,7 +58,6 @@ FIXEDCRIT=${fixed_critical:-1000}
 REMOTEWARN=${remote_warning:-1}
 REMOTECRIT=${remote_critical:-10}
 
-CVERE="\(\(CVE\|TMP\)[-0-9A-Fa-f]\+\)"
 if [ "$1" = "config" ] ; then
   cat <<EOF_
 graph_title DebSecan : vulnerabilities for ${SUITE}
@@ -76,7 +75,7 @@ remote.info The number of remotely exploitable CVEs with any priority
 remote.warning ${REMOTEWARN}
 remote.critical ${REMOTECRIT}
 high.label high
-high.colour F70000
+high.colour FF5500
 high.type GAUGE
 high.draw AREASTACK
 high.min 0
@@ -110,40 +109,38 @@ EOF_
   exit 0
 fi
 
+ALL=$(debsecan --suite "${SUITE}" 2> /dev/null)
+REMOTE=$(echo "$ALL" | grep 'remotely')
+NONREMOTE=$(echo "$ALL" | grep -v 'remotely')
+
+HIGH=$(echo "${NONREMOTE}" | grep 'high urgency')
+MEDIUM=$(echo "${NONREMOTE}" | grep 'medium urgency')
+LOW=$(echo "${NONREMOTE}" | grep 'low urgency')
+OTHER=$(echo "${NONREMOTE}" | grep -v 'urgency')
+FIXED=$(echo "${ALL}" | grep '(fixed')
+
+remote_count=$(echo "${REMOTE}" | wc -l)
+high_count=$(echo "${HIGH}" | wc -l)
+medium_count=$(echo "${MEDIUM}" | wc -l)
+low_count=$(echo "${LOW}" | wc -l)
+other_count=$(echo "${OTHER}" | wc -l)
+fixed_count=$(echo "${FIXED}" | wc -l)
+
 CVECOUNTRE="s/^ *\([0-9]\+\) \+\([^ ]\+\)/\2 (\1)/"
 
-OUT=`mktemp -t debsecan.XXXXXX`
-REMOTE=`mktemp -t debsecan.XXXXXX`
-HIGH=`mktemp -t debsecan.XXXXXX`
-MEDIUM=`mktemp -t debsecan.XXXXXX`
-LOW=`mktemp -t debsecan.XXXXXX`
-OTHER=`mktemp -t debsecan.XXXXXX`
-FIXED=`mktemp -t debsecan.XXXXXX`
-debsecan --suite ${SUITE} 2> /dev/null > ${OUT}
-grep 'remotely' ${OUT} > ${REMOTE}
-grep 'high urgency' ${OUT} | grep -v 'remotely' > ${HIGH}
-grep 'medium urgency' ${OUT} | grep -v 'remotely' > ${MEDIUM}
-grep 'low urgency)' ${OUT} | grep -v 'remotely' > ${LOW}
-grep '(fixed' ${OUT} > ${FIXED}
-
-high=`cat ${HIGH} | wc -l`
-remote=`cat ${REMOTE} | wc -l`
-medium=`cat ${MEDIUM} | wc -l`
-low=`cat ${LOW} | wc -l`
-other=`cat ${OTHER} | wc -l`
-fixed=`cat ${FIXED} | wc -l`
-
+# shellcheck disable=SC2005 disable=SC2046
+# The nested $(echo ...)s are needed to yet the newlines
 cat <<EOF
-remote.value $remote
-remote.extinfo `echo $(cut -f 2 -d" " ${REMOTE} | uniq -c | sort -nr | sed  "${CVECOUNTRE}")`
-high.value $high
-high.extinfo `echo $(cut -f 2 -d" " ${HIGH} | uniq -c | sort -nr | sed  "${CVECOUNTRE}")`
-medium.value $medium
-medium.extinfo `echo $(cut -f 2 -d" " ${MEDIUM} | uniq -c | sort -nr | sed  "${CVECOUNTRE}")`
-low.value $low
-low.extinfo `echo $(cut -f 2 -d" " ${LOW} | uniq -c | sort -nr | sed  "${CVECOUNTRE}")`
-other.value $other
-other.extinfo `echo $(cut -f 2 -d" " ${OTHER} | uniq -c | sort -nr | sed  "${CVECOUNTRE}")`
-fixed.value $fixed
-fixed.extinfo `echo $(cut -f 2 -d" " ${FIXED} | uniq -c | sort -nr | sed  "${CVECOUNTRE}")`
+remote.value $remote_count
+remote.extinfo $(echo $(echo "${REMOTE}" | cut -f 2 -d " "| uniq -c | sort -nr | sed "${CVECOUNTRE}"))
+high.value $high_count
+high.extinfo $(echo $(echo "${HIGH}" | cut -f 2 -d " " | uniq -c | sort -nr | sed "${CVECOUNTRE}"))
+medium.value $medium_count
+medium.extinfo $(echo $(echo "${MEDIUM}" | cut -f 2 -d " " | uniq -c | sort -nr | sed "${CVECOUNTRE}"))
+low.value $low_count
+low.extinfo $(echo $(echo "${LOW}" | cut -f 2 -d " " | uniq -c | sort -nr | sed "${CVECOUNTRE}"))
+other.value $other_count
+other.extinfo $(echo $(echo "${OTHER}" | cut -f 2 -d " " | uniq -c | sort -nr | sed "${CVECOUNTRE}"))
+fixed.value $fixed_count
+fixed.extinfo $(echo $(echo "${FIXED}" | cut -f 2 -d " " | uniq -c | sort -nr | sed "${CVECOUNTRE}"))
 EOF