J
JOATOSIT Operations Platform
Browse documentation

How vulnerability scanning works

Vulnerabilities

JOATOS's vulnerability scanning is inventory-driven: it matches the software your hosts report against known CVEs. You don't run intrusive network scans — findings come from the inventory you already collect.

Where the data comes from

  • CVE data is kept in a local mirror of the NVD (NIST National Vulnerability Database), backfilled and synced daily.
  • OS packages on Linux hosts are additionally checked against OSV (distro-native advisories), which understands distribution backports — where a fix ships in a distro's package revision without an upstream version bump.
  • Your inventory comes from what you already collect: the endpoint agent, SSH on Linux servers, and SNMP firmware on network devices.

How matching works

For each installed product and version, JOATOS:

  1. Resolves the package to a CPE (the standard vendor/product identifier).
  2. Looks up CVEs whose affected version ranges include your installed version.
  3. For Debian/Ubuntu packages, checks the matching OSV advisory so distro backports are handled correctly.

Each match becomes a finding tied to a specific host, with a confidence rating (High / Medium / Low) reflecting how precisely the version matched.

Findings resolve themselves

A finding auto-resolves when the underlying inventory changes — when the software is updated past the affected version, or removed from the host. You don't have to close findings manually as you patch; the next correlation reflects the new state.

Running a scan

Correlation runs automatically as inventory updates. To re-run it on demand, use Scan vulnerabilities on the Vulnerabilities page — this re-correlates your current inventory against the mirror and reports how many products, CVEs, and findings resulted.

Notes & tips

  • Because findings are inventory-driven, accurate, current inventory is the key to accurate findings — keep agents healthy and scans running.
  • Firmware findings for network devices come from what the device reports over SNMP.

Related