J
JOATOSIT Operations Platform
Browse documentation

Viewing vulnerabilities by package

โ†ฉ Vulnerabilities

The Vulnerabilities page is your org-wide view of open findings, correlated from reported software inventory against the NVD mirror. This article covers reading and filtering it.

The summary

At the top, four cards show open-finding counts by severity โ€” Critical, High, Medium, Low โ€” and a line summarises open findings ยท distinct CVEs ยท hosts affected. Panels highlight the most widespread CVEs and the most exposed hosts. Select a severity card to filter to it.

Grouped vs Flat

A toggle switches how findings are listed:

  • Grouped (default) โ€” one collapsible row per affected package. The header shows the worst severity, the product name, a breakdown (e.g. 1 Critical, 2 High), the number of hosts affected, and the total CVE count. Expand a package to see each CVE, its CVSS score, the affected host, and the installed version.
  • Flat โ€” one row per individual finding, with columns for Severity, CVE, Confidence, CVSS, Host, Product, Version, and First seen.

Grouped is best for "which software is exposing us"; Flat is best for scanning every finding.

Filtering

  • Search across CVE ID, product name, and hostname.
  • Filter by severity.
  • CVE IDs link out to the full entry on the NVD website; hosts link to their detail page.

Acting on findings

  • Scan vulnerabilities (top-right) re-correlates inventory on demand.
  • Create tasks for all turns the currently filtered findings into remediation tasks in one action (priorities and due dates are set from severity).
  • Individual findings can be turned into a single task or suppressed โ€” see Investigating a CVE.

Suppression rules

Durable suppression rules hide matching findings you've accepted or judged false positives. They appear in a panel at the bottom showing each rule's CVE and/or product, scope (a specific host or all hosts), and reason. Removing a rule restores the findings it hid.

Suppressing is durable โ€” the finding stays hidden until you remove the rule. This is different from a one-off dismiss, which can reappear on the next scan.

Notes & tips

  • Severity here uses Critical / High / Medium / Low (with None/Unknown for unscored CVEs).
  • Start with the Grouped view and the Critical card to triage the highest-impact software first.

Related