That part of the PCI guidelines is to ensure you are proactive with monitoring new security vulnerabilities. Ideally you would sign up to/actively monitor a discussion group that reports security vulnerabilities that are found.
As a new vulnerability is listed you need to make a judgement call on how seriously that might impact the security of you app, and where necessary, assign a priority for remediating that vulnerability.
You may be able to run a tool to find historical vulnerabilities, but to pass this point of the PCI guidelines you need to be proactive with new security issues. Monitoring a list is ideal.