Browse documentation
How vulnerability scanning works
JOATOS's vulnerability scanning is inventory-driven: it matches the software your hosts report against known CVEs. You don't run intrusive network scans — findings come from the inventory you already collect.
Where the data comes from
- CVE data is kept in a local mirror of the NVD (NIST National Vulnerability Database), backfilled and synced daily.
- OS packages on Linux hosts are additionally checked against OSV (distro-native advisories), which understands distribution backports — where a fix ships in a distro's package revision without an upstream version bump.
- Your inventory comes from what you already collect: the endpoint agent, SSH on Linux servers, and SNMP firmware on network devices.
How matching works
For each installed product and version, JOATOS:
- Resolves the package to a CPE (the standard vendor/product identifier).
- Looks up CVEs whose affected version ranges include your installed version.
- For Debian/Ubuntu packages, checks the matching OSV advisory so distro backports are handled correctly.
Each match becomes a finding tied to a specific host, with a confidence rating (High / Medium / Low) reflecting how precisely the version matched.
Findings resolve themselves
A finding auto-resolves when the underlying inventory changes — when the software is updated past the affected version, or removed from the host. You don't have to close findings manually as you patch; the next correlation reflects the new state.
Running a scan
Correlation runs automatically as inventory updates. To re-run it on demand, use Scan vulnerabilities on the Vulnerabilities page — this re-correlates your current inventory against the mirror and reports how many products, CVEs, and findings resulted.
Notes & tips
- Because findings are inventory-driven, accurate, current inventory is the key to accurate findings — keep agents healthy and scans running.
- Firmware findings for network devices come from what the device reports over SNMP.